Enterprise-Scale

Log Analytics policy has hardcoded location of West Central US

Open sshockley opened this issue 11 months ago • 2 comments

Describe the bug

Azure built-in policy, 8e3e61b3-0b32-22d5-4edf-55f87fdb5955/Configure Log Analytics workspace and automation account to centralize logs and monitoring, has a hardcoded deployment location of "West Central US". This causes deployments to Azure Government to fail. The location should be parameterized, not hardcoded.

Steps to reproduce

  1. Deploy DINE-LogAnalyticsPolicyAssignment.json via New-AzManagementGroupDeployment
  2. Create remediation task
  3. All sub-tasks fail, with error:
{
    "error": {
        "code": "LocationNotAvailableForDeployment",
        "target": "/subscriptions/92d2c390-1ca1-4c35-b5be-79ca28a1f82f/providers/Microsoft.Resources/deployments/PolicyDeployment_16785706964057898929",
        "message": "The provided location 'West Central US' is not available for deployment. List of available regions is 'usgovarizona,usgovvirginia,usgovtexas,usgoviowa,usdodeast,usdodcentral'."
    }
}

https://github.com/Azure/azure-policy/issues/960 is related, but it's been open since 2022 with no response.

Also see https://www.azadvertizer.net/azpolicyadvertizer/8e3e61b3-0b32-22d5-4edf-55f87fdb5955.html for policy definition.

This was a fun one, was wondering where the location was coming from when it's not in my code. Please let me know if there's a better place to report this, thanks.

sshockley avatar Dec 04 '24 22:12 sshockley
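One way to catch this class of problem before assigning a deployIfNotExists policy in a sovereign cloud is to scan the definition's deployment block for `location` values that are string literals rather than ARM expressions. The script below is an added example, not code from the issue or from the Enterprise-Scale project; the sample definition is constructed for illustration (it is not the real built-in policy), and `workspaceRegion` is a hypothetical parameter name.

```python
# Regions listed in the error message quoted in the issue.
USGOV_REGIONS = {"usgovarizona", "usgovvirginia", "usgovtexas",
                 "usgoviowa", "usdodeast", "usdodcentral"}

# Constructed sample, NOT the real built-in definition. 'workspaceRegion' is a
# hypothetical parameter name used only for illustration.
SAMPLE_DEFINITION = {"properties": {"policyRule": {
    "if": {"field": "type", "equals": "Microsoft.Resources/subscriptions"},
    "then": {"effect": "deployIfNotExists", "details": {
        "deploymentScope": "subscription",
        "deployment": {
            "location": "West Central US",  # literal: the pattern the issue reports
            "properties": {"mode": "incremental", "template": {
                "resources": [{
                    "type": "Microsoft.OperationalInsights/workspaces",
                    "location": "[parameters('workspaceRegion')]",  # parameterized
                }],
            }},
        },
    }},
}}}

def normalize(region):
    # 'West Central US' -> 'westcentralus', the form used in the region list
    return region.replace(" ", "").lower()

def find_literal_locations(node, path="deployment"):
    """Yield (json_path, value) for each 'location' that is not an ARM expression."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if key == "location" and isinstance(value, str):
                if not value.startswith("["):  # "[...]" is evaluated at deploy time
                    yield child, value
            else:
                yield from find_literal_locations(value, child)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_literal_locations(item, f"{path}[{i}]")

def audit(definition, allowed_regions):
    """Return (path, literal, available_in_target_cloud) per hardcoded location."""
    details = definition["properties"]["policyRule"]["then"].get("details", {})
    return [(p, v, normalize(v) in allowed_regions)
            for p, v in find_literal_locations(details.get("deployment", {}))]

if __name__ == "__main__":
    for path, value, ok in audit(SAMPLE_DEFINITION, USGOV_REGIONS):
        print(f"{path} = {value!r}: {'ok' if ok else 'not available in target cloud'}")
```

To run it against a real definition, load the policy definition JSON with `json.load` and pass it to `audit` together with the region list for the target cloud.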

I created a PR in what seems to be the upstream repo. Hopefully someone takes a look at it, but based on the other PRs in that repo it looks like PRs only get closed when the submitter finally deletes their fork.

sshockley avatar Dec 06 '24 19:12 sshockley

@sshockley thanks for raising this issue. This is a sovereign cloud issue, which has been difficult for us to triage as getting access to those environments is challenging. We now have a team member with access, but as you can imagine we have to triage 2 years' worth of updates against USGov and China. Currently, we're prioritizing removing any policies from ALZ that are not supported in the sovereign cloud (US Gov, China) so that we can at least complete a landing zone deployment in that cloud, successfully. Can you confirm that the built-in policy 8e3e61b3-0b32-22d5-4edf-55f87fdb5955 is available in US Gov cloud?

Springstone avatar Dec 17 '24 07:12 Springstone