
Bug Report: Policy VM Monitoring fails, permission lacking for policy

Open steph409 opened this issue 7 months ago • 4 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Versions

terraform:

azure provider:

module: 6.0.0

Description

Initiative: Enable Azure Monitor for VMs

In it there is a policy called: [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines

In the new policy sets, there is a policy to set up monitoring with a DCR and a user assigned managed identity. This gets deployed on the landing zones management group.

In the default Terraform configuration, both the user-assigned identity and the DCR, which are passed in as parameters, are in the Management management group.

When remediating the policy, I get the following error:

The client 'FROM_POLICY' with object id 'FROM_POLICY' has permission to perform action 'Microsoft.Compute/virtualMachines/write' on scope '/subscriptions/LANDINGZONES/resourcegroups/TEST/providers/Microsoft.Compute/virtualMachines/TEST-linux'; however, it does not have permission to perform action(s) 'Microsoft.ManagedIdentity/userAssignedIdentities/assign/action' on the linked scope(s) '/subscriptions/MANAGEMENT-SUBSCRIPTION/resourceGroups/MYCORP/providers/Microsoft.ManagedIdentity/userAssignedIdentities/TEST-uami' (respectively) or the linked scope(s) are invalid. (Code: LinkedAuthorizationFailed)

Similar to the Private DNS Zone Contributor role, which is needed for the private DNS policy, an additional role assignment is needed. This is implemented here.

Describe the bug

Steps to Reproduce

  1. Deploy v6.0.0 of the module. Create the DCR and UMI using the module in its default configuration.
  2. Create a virtual machine in the landing zones folder.
  3. Try to remediate the policy [Preview]: Assign Built-In User-Assigned Managed Identity to Virtual Machines from the initiative Enable Azure Monitor for VMs.
  4. Watch the remediation fail with a missing permission on the management group.

Screenshots

Additional context

steph409 · Jul 03 '24 12:07
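One way to grant the missing `Microsoft.ManagedIdentity/userAssignedIdentities/assign/action` permission, added here as an illustration and not taken from the module or the report above: a role assignment that gives the policy assignment's managed identity the built-in Managed Identity Operator role (which contains that action) on the UAMI resource only, rather than a broad role at management-group scope. The variable names and the identity lookup are assumptions; the principal ID is the system-assigned identity of the policy (or initiative) assignment on the landing zones management group.

```hcl
# Added example: least-privilege fix for the LinkedAuthorizationFailed error.
# Assumed inputs (not module outputs): the object ID of the policy assignment's
# identity and the name/resource group of the UAMI created in the Management
# subscription. Placeholder values, replace with your own.
variable "policy_assignment_principal_id" {
  description = "Object ID of the system-assigned identity of the VM monitoring policy assignment"
  type        = string
}

variable "uami_name" {
  type    = string
  default = "TEST-uami" # placeholder from the report
}

variable "uami_resource_group_name" {
  type    = string
  default = "MYCORP" # placeholder from the report
}

# Look up the user-assigned identity so its resource ID becomes the scope.
data "azurerm_user_assigned_identity" "vm_monitoring" {
  name                = var.uami_name
  resource_group_name = var.uami_resource_group_name
}

# Scope is the UAMI itself: this only permits assigning *this* identity to
# resources, and grants nothing else in the Management subscription.
resource "azurerm_role_assignment" "policy_can_assign_uami" {
  scope                = data.azurerm_user_assigned_identity.vm_monitoring.id
  role_definition_name = "Managed Identity Operator"
  principal_id         = var.policy_assignment_principal_id
  principal_type       = "ServicePrincipal"

  # The policy identity is created in the same apply; skip the AAD lookup
  # that can race against replication of a freshly created principal.
  skip_service_principal_aad_check = true
}

output "uami_role_assignment_id" {
  value = azurerm_role_assignment.policy_can_assign_uami.id
}
```

The `Microsoft.Compute/virtualMachines/write` part of the error is already satisfied by the policy's role on the landing zones scope; only the linked-scope permission on the UAMI is missing, so nothing needs to change on the landing zones side.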