Comments (3)
I'm just trying to reproduce this behaviour but don't seem to be able to. I'm not sure whether this is linked to the way you had your providers configured (ref. #102) but when I run the configuration changes you provided for `configure_management_resources`, I get the following outcome when updating `security_center.enabled` from `false` to `true`.
```text
Terraform will perform the following actions:

  # module.enterprise_scale.azurerm_policy_assignment.enterprise_scale["/providers/Microsoft.Management/managementGroups/sn/providers/Microsoft.Authorization/policyAssignments/Deploy-ASC-Defender"] will be updated in-place
  ~ resource "azurerm_policy_assignment" "enterprise_scale" {
      ~ enforcement_mode = false -> true
        id               = "/providers/Microsoft.Management/managementGroups/sn/providers/Microsoft.Authorization/policyAssignments/Deploy-ASC-Defender"
        name             = "Deploy-ASC-Defender"
        # (8 unchanged attributes hidden)
        # (1 unchanged block hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.
```
As you can see, this setting is toggling the `enforcement_mode` on the `Deploy-ASC-Defender` Policy Assignment.
As an FYI, the other settings within this config block are adjusting the parameter values sent to this Policy Assignment to control the Azure Defender pricing tier settings.
If you are still seeing no change when updating this setting, please let me know and we can try to work out what else might be causing this.
from terraform-azurerm-caf-enterprise-scale.
I figured it out... 🤦♂️
We have an `archetype_exclusion_root.json` where we explicitly disabled all the ASC policy assignments, which of course led to this case of Security Center not being deployed...
We thought that even with the excluded policies, the ASC would still be deployed... But I guess that from an ES perspective, it does not make sense to deploy ASC if we don't have the required policy assignment.
I tested the plan without the exclusion, and the result was as expected :)
For reference, this is our `archetype_exclusion_root.json`:

```json
{
  "exclude_es_root": {
    "policy_assignments": [
      "Deploy-ASC-Monitoring",
      "Deploy-ASC-Defender"
    ],
    "policy_definitions": [],
    "policy_set_definitions": [],
    "role_definitions": [],
    "archetype_config": {
      "parameters": {},
      "access_control": {}
    }
  }
}
```
You can close this :)
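The root cause in the comment above is that an archetype exclusion silently overrides `security_center.enabled`: the flag toggles `enforcement_mode` on `Deploy-ASC-Defender`, but an excluded assignment is never created, so the plan shows no change. The following pre-flight check is an added example, not code from the issue thread or from the terraform-azurerm-caf-enterprise-scale module. It parses the `archetype_exclusion_root.json` format posted above and reports the conflict before `terraform plan` is run. The sample exclusion file is constructed to match the one in the thread; treating `Deploy-ASC-Monitoring` as a required assignment alongside `Deploy-ASC-Defender` is an assumption made for this example.

```python
"""Pre-flight check: security_center.enabled versus archetype exclusions.

Added example, not part of the issue thread or of the
terraform-azurerm-caf-enterprise-scale module. It reads the
archetype_exclusion_root.json shape shown in the thread and warns when a
policy assignment that Security Center enablement relies on has been
excluded, which is the silent no-op the thread describes.
"""
import json

# Policy assignments that Security Center enablement depends on.
# Deploy-ASC-Defender is the one the plan output toggles; also requiring
# Deploy-ASC-Monitoring is an assumption made for this example.
SECURITY_CENTER_ASSIGNMENTS = frozenset({"Deploy-ASC-Defender", "Deploy-ASC-Monitoring"})

# Constructed sample: same shape as the exclusion file posted in the thread.
SAMPLE_EXCLUSION_JSON = """
{
  "exclude_es_root": {
    "policy_assignments": ["Deploy-ASC-Monitoring", "Deploy-ASC-Defender"],
    "policy_definitions": [],
    "policy_set_definitions": [],
    "role_definitions": [],
    "archetype_config": {"parameters": {}, "access_control": {}}
  }
}
"""


def excluded_policy_assignments(exclusion_json: str) -> dict[str, set[str]]:
    """Map each exclusion archetype (e.g. exclude_es_root) to the assignment names it removes."""
    data = json.loads(exclusion_json)
    result: dict[str, set[str]] = {}
    for archetype, body in data.items():
        if not isinstance(body, dict):
            raise ValueError(f"{archetype}: expected an object")
        names = body.get("policy_assignments", [])
        if not all(isinstance(n, str) for n in names):
            raise ValueError(f"{archetype}: policy_assignments must be a list of strings")
        result[archetype] = set(names)
    return result


def security_center_findings(security_center_enabled: bool, exclusion_json: str) -> list[str]:
    """Return one finding per required assignment that an exclusion archetype removes.

    An empty list means the enablement flag and the exclusions are consistent.
    """
    if not security_center_enabled:
        return []  # nothing is being enforced, so no exclusion can contradict the flag
    findings = []
    for archetype, names in sorted(excluded_policy_assignments(exclusion_json).items()):
        for required in sorted(SECURITY_CENTER_ASSIGNMENTS & names):
            findings.append(
                f"{archetype} excludes {required}; security_center.enabled = true "
                f"will not deploy Security Center until this exclusion is removed"
            )
    return findings


if __name__ == "__main__":
    # Run against the constructed sample: both ASC assignments are excluded,
    # so two findings are printed.
    for line in security_center_findings(True, SAMPLE_EXCLUSION_JSON) or ["OK: no conflicting exclusions"]:
        print(line)
```

Run it against the real `archetype_exclusion_root.json` in a CI step ahead of `terraform plan`; a non-empty result explains the "no change" plan before anyone spends time on provider configuration.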
OK, great, thank you. Yes, for ES we are very reliant on having those policies in place in order to configure and monitor compliance of these settings 😄