When deploying management resources, Security Center resources are not being deployed about terraform-azurerm-caf-enterprise-scale HOT 3 CLOSED

I'm just trying to reproduce this behaviour but don't seem to be able to. I'm not sure whether this is linked to the way you had your providers configured (ref. #102) but when I run the configuration changes you provided for configure_management_resources, I get the following outcome when updating security_center.enabled from false to true.

Terraform will perform the following actions:

  # module.enterprise_scale.azurerm_policy_assignment.enterprise_scale["/providers/Microsoft.Management/managementGroups/sn/providers/Microsoft.Authorization/policyAssignments/Deploy-ASC-Defender"] will be updated in-place
  ~ resource "azurerm_policy_assignment" "enterprise_scale" {
      ~ enforcement_mode     = false -> true
        id                   = "/providers/Microsoft.Management/managementGroups/sn/providers/Microsoft.Authorization/policyAssignments/Deploy-ASC-Defender"
        name                 = "Deploy-ASC-Defender"
        # (8 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

As you can see, this setting is toggling the enforcement_mode on the Deploy-ASC-Defender Policy Assignment.

As an FYI, the other settings within this config block are adjusting the parameter values sent to this Policy Assignment to control the Azure Defender pricing tier settings.

If you are still seeing no change when updating this setting, please let me know and we can try to work out what else might be causing this.

from terraform-azurerm-caf-enterprise-scale.

I figured it out... 🤦‍♂️
We have an archetype_exclusion_root.json where we explicitly disabled all the ASC policy assignments, which of course, led to this case of Security Center not being deployed...

We thought that even with the excluded policies, the ASC would still be deployed... But I guess that from an ES perspective, it does not make sense to deploy ASC if we don't have the required policy assignment.

I tested the plan without the exclusion, and the result was as expected :)

For reference, this is our archetype_exclusion_root.json:

{
  "exclude_es_root": {
    "policy_assignments": [
      "Deploy-ASC-Monitoring",
      "Deploy-ASC-Defender"
    ],
    "policy_definitions": [],
    "policy_set_definitions": [],
    "role_definitions": [],
    "archetype_config": {
      "parameters": {},
      "access_control": {}
    }
  }
}

You can close this :)

from terraform-azurerm-caf-enterprise-scale.

OK, great thank you. Yes, for ES we are very reliant on having those policies in place in order to configure and monitor compliance these settings 😄

from terraform-azurerm-caf-enterprise-scale.