azure-policy icon indicating copy to clipboard operation
azure-policy copied to clipboard
verified publisher icon Azure

How do policies work with parameter listOfLinuxImageIdToInclude or listOfWindowsImageIdToInclude

Open neok-g opened this issue 3 years ago • 2 comments

There are several monitoring related policies which evaluate VM's or VMSS whether to install the dependency agent, log analytics monitoring agent or the new Azure Monitor agent. We currently use the policy initiatives:

  • Configure Linux machines to run Azure Monitor Agent and associate them to a Data Collection Rule (/providers/Microsoft.Authorization/policySetDefinitions/118f04da-0375-44d1-84e3-0fd9e1849403)
  • Configure Windows machines to run Azure Monitor Agent and associate them to a Data Collection Rule (/providers/Microsoft.Authorization/policySetDefinitions/9575b8b7-78ab-4281-b53b-d3c1ace2260b)

Both these initiatives contain 4 policies for instance Configure Linux Machines to be associated with a Data Collection Rule /providers/Microsoft.Authorization/policyDefinitions/2ea82cdd-f2e8-4500-af75-67a2e084ca74

The policy rule for this policy evaluates VM's based on their publisher, offer and SKU. However we are using CIS images from the Azure marketplace. So therefore I could pass these image ID's via the parameter listOfLinuxImageIdToInclude. If I query the Azure marketplace to get these image ID's I get the following result:

image

However when I query one of these VM's I notice that the image ID is always empty so it is not taken into evaluation by the policy rule:

image

I included the image ID's from the marketplace for the correct subscription and added them to the array parameter listOfLinuxImageIdToInclude but my VM is not included probably because it's image ID is empty see the policy fragment:

                "anyOf": [
                  {
                    "field": "Microsoft.Compute/imageId",
                    "in": "[parameters('listOfLinuxImageIdToInclude')]"
                  },

What am I doing wrong?

neok-g avatar Sep 20 '22 18:09 neok-g

So I saw this post: https://learn.microsoft.com/en-us/answers/questions/85811/virtual-machine-and-image-or-marketplace.html and it states that imageReference.Id is empty once it is from the marketplace? Can anyone confirm that and how should we use those images in this kind of policies with such a parameter as listOfLinuxImageIdToInclude or listOfWindowsImageIdToInclude?

neok-g avatar Sep 21 '22 05:09 neok-g

Anyone??

neok-g avatar Sep 26 '22 08:09 neok-g

Yes, it seems like this. image IDs are just used for custom images, see https://learn.microsoft.com/en-us/azure/virtual-machines/windows/policy#images-for-virtual-machines

steffenbeermann avatar Nov 22 '22 15:11 steffenbeermann