
[Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines contains hardcoded location

Open neok-g opened this issue 2 years ago • 4 comments

The policies below contain a hardcoded location of 'EASTUS', which causes compliance issues, because for some organisations this location might not be allowed. The location seems to be used, among other things, for the resource group that contains the user-assigned identity.

[Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines /providers/Microsoft.Authorization/policyDefinitions/d367bd60-64ca-4364-98ea-276775bddd94

[Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machine Scale Sets /providers/Microsoft.Authorization/policyDefinitions/516187d4-ef64-4a1b-ad6b-a7348502976c

Could you make the location configurable via a policy parameter in the policies above and in the initiatives which use these policies, such as:

Deploy Windows Azure Monitor Agent with user-assigned managed identity-based auth and associate with Data Collection Rule /providers/Microsoft.Authorization/policySetDefinitions/0d1b56c6-6d1f-4a5d-8695-b15efbea6b49

neok-g avatar Sep 01 '22 05:09 neok-g
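A defender-side check for the defect described in this issue, added here as an example and not code from the azure-policy repository: it walks a policy definition JSON, reports every `location` whose value is a literal rather than an ARM expression, and compares those literals against an organisation's allowed-locations list. The definition embedded below is constructed to mirror the shape the issue describes (a deployIfNotExists deployment creating a resource group and a user-assigned identity) and is not the real built-in definition.

```python
import json
import re

# Constructed, simplified definition mirroring the shape the issue describes, not the
# built-in itself; real ones: az policy definition show --name <definition-id>
SAMPLE_DEFINITION = json.loads(r'''
{"properties": {"policyRule": {
  "if": {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
  "then": {"effect": "deployIfNotExists", "details": {"deployment": {
    "location": "EASTUS",
    "properties": {"template": {"resources": [
      {"type": "Microsoft.Resources/resourceGroups",
       "name": "Built-In-Identity-RG", "location": "EASTUS"},
      {"type": "Microsoft.ManagedIdentity/userAssignedIdentities",
       "name": "built-in-identity", "location": "[parameters('location')]"}
    ]}}}}}}}}
''')

ARM_EXPRESSION = re.compile(r"^\[.*\]$")  # e.g. [parameters('location')]


def find_hardcoded_locations(node, path="$"):
    """Return (json_path, value) for each 'location' holding a literal string
    rather than an ARM expression, so an assignment parameter cannot override it."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if (key == "location" and isinstance(value, str)
                    and not ARM_EXPRESSION.match(value)):
                hits.append((child, value))
            hits.extend(find_hardcoded_locations(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_hardcoded_locations(item, f"{path}[{i}]"))
    return hits


def disallowed_locations(definition, allowed):
    """Hardcoded locations outside the organisation's allowed list; region
    names are compared case-insensitively, as ARM treats them."""
    allowed_lc = {a.lower() for a in allowed}
    return [(p, v) for p, v in find_hardcoded_locations(definition)
            if v.lower() not in allowed_lc]


if __name__ == "__main__":
    for path, value in disallowed_locations(SAMPLE_DEFINITION, ["westeurope"]):
        print(f"hardcoded location {value!r} at {path}")
```

Run against an exported definition, the output lists exactly the JSON paths that would need to become `[parameters('location')]` for the location to be assignable per organisation.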

According to the description of the parameter 'bringYourOwnUserAssignedManagedIdentity', a user-assigned managed identity is created per resource:

"If not enabled, the policy will create per subscription, per resource user-assigned managed identities in a new resource group named 'Built-In-Identity-RG'."

However, the end result is a single user-assigned identity that is associated with all applicable resources.

sajwvanzundert avatar Jan 10 '23 12:01 sajwvanzundert

Is there an update on this? I am facing the same issue with the location being hard-coded, which conflicts with location policy restrictions.

If we use the 'bringYourOwnUserAssignedManagedIdentity' option, we cannot seem to specify an identity in another subscription, which is restrictive in its own way.

Thanks

integyjc avatar Mar 30 '23 15:03 integyjc

I am confused about using the resource type. Assigning the newly created built-in policy looks head-breaking with the options.

prashanthmiryala avatar May 26 '23 12:05 prashanthmiryala

Are there any updates on this? I am facing this issue as well; we need to be able to control where our resource group metadata is stored.

abaddon82 avatar Mar 21 '24 08:03 abaddon82