Enterprise-Scale icon indicating copy to clipboard operation
Enterprise-Scale copied to clipboard
verified publisher icon Azure

Bug Report / The DeployIfNotExists policy Deploy-Diagnostics-Firewall will not get compliant

Open klausgh4836 opened this issue 3 years ago • 1 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Versions

terraform: v1.2.5

azure provider: >= 3.5.0

module: v2.1.2

Description

Describe the bug

The policy Deploy-Diagnostics-Firewall used by the policy set Deploy-Diagnostics-LogAnalytics does not get into the status compliant.

Steps to Reproduce

The reason is that the policy Deploy-Diagnostics-Firewall enables 3 azure firewall logging options of possible 13. Link to the relevant code line "logs": [ { "category": "AzureFirewallApplicationRule", "enabled": "[parameters('logsEnabled')]" }, { "category": "AzureFirewallNetworkRule", "enabled": "[parameters('logsEnabled')]" }, { "category": "AzureFirewallDnsProxy", "enabled": "[parameters('logsEnabled')]" } ]
The existenceCondition is checking whether all logging options are enabled. Link to the relevant code line. "existenceCondition": { "allOf": [ { "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", "equals": "true" },

Possible Solution

A possible solution is to add all logging options to the logs array at line 146.. "logs": [ { "category": "AzureFirewallApplicationRule", "enabled": "[parameters('logsEnabled')]" }, { "category": "AzureFirewallNetworkRule", "enabled": "[parameters('logsEnabled')]" }, { "category": "AzureFirewallDnsProxy", "enabled": "[parameters('logsEnabled')]" }, { "category": "AZFWApplicationRule", "enabled": "[parameters('logsEnabled')]" }, { "category": "AZFWNatRule", "enabled": "[parameters('logsEnabled')]" }, { "category": "AZFWThreatIntel", "enabled": "[parameters('logsEnabled')]" }, { "category": "AZFWIdpsSignature", "enabled": "[parameters('logsEnabled')]" }, { "category": "AZFWDnsQuery", "enabled": "[parameters('logsEnabled')]" }, { "category": "AZFWFqdnResolveFailure", "enabled": "[parameters('logsEnabled')]" }, { "category": "AZFWApplicationRuleAggregation", "enabled": "[parameters('logsEnabled')]" }, { "category": "AZFWNetworkRuleAggregation", "enabled": "[parameters('logsEnabled')]" }, { "category": "AZFWNatRuleAggregation", "enabled": "[parameters('logsEnabled')]" }, { "category": "AZFWNetworkRule", "enabled": "[parameters('logsEnabled')]" } ],

klausgh4836 avatar Aug 11 '22 09:08 klausgh4836

Thank you for raising this @klausgh4836 ... as this is policy related, I will move this issue to the upstream Azure/Enterprise-Scale repository where we source these policies from programmatically.

If you would like to implement a temporary work-around in your own environment, please use the custom library to implement a "fixed" copy of this policy. As long as the name matches, the version in your custom library will override the one included with the module.

For more information on how to do this, please see: [Examples] Create Custom Policies Policy Sets and Assignments

krowlandson avatar Aug 11 '22 09:08 krowlandson

This was fixed in #992

jtracey93 avatar Aug 23 '22 09:08 jtracey93