Deploy Diagnostic Settings Policy - deployifnotexists fails on initial deployment #635
Comments
This is using terraform-azurerm-caf-enterprise-scale v2.4.0
Thanks for reporting @LouiseSimpson. This is very likely not an issue with the ALZ Terraform module and sounds more like a platform/policy engine issue. Would you be able to open an Azure Support ticket (aka.ms/azuresupport) and share the ID with us here so we can track its progress internally? We need the support teams to investigate why this isn't working properly. It sounds like RBAC possibly isn't inheriting through the hierarchy fast enough, if you are changing nothing but it works after a while when you move the subscription out of and back into the same Management Group.
Related to #438
This issue has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for 7 days. It will be closed if no further activity occurs within 7 days of this comment.
Azure Support ticket raised.
Upgraded to terraform-azurerm-caf-enterprise-scale v3.3.0
Thanks @LouiseSimpson, tagging for auto closure.
This issue has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for 7 days. It will be closed if no further activity occurs within 7 days of this comment.
Policy 'Deploy Diagnostic Settings for Activity Log to Log Analytics workspace'
On an initial deployment (when no Diagnostic settings for connectivity and management subscriptions exist), the Policy above fails to apply Diagnostic settings to the subscriptions.
An error is produced in the Subscription Activity Log:
Operation name 'deployIfNotExists' Policy action.
Event initiated by Microsoft Azure Policy Insights
"errorMessage": "Evaluation of DeployIfNotExists policy was unsuccessful. The policy assignment '/providers/Microsoft.Management/managementGroups/id/providers/Microsoft.Authorization/policyAssignments/Deploy-AzActivity-Log' resource identity does not have the necessary permissions to create deployment '/subscriptions/id/providers/Microsoft.Resources/deployments/PolicyDeployment_xxx'. Please see https://aka.ms/arm-policy-identity for usage details.",
If the subscription is subsequently moved out of its management group and then back in, the diagnostic settings are applied correctly (triggered after 30 minutes).
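A check an operator can run before attributing this to the platform, added here as an example that is not part of the issue or the ALZ module: it confirms that the assignment's managed identity actually holds a role assignment at the management group scope (the permission the error message complains about), and then triggers a remediation task with compliance re-evaluation instead of moving the subscription out and back in. The management group id is a placeholder, and the Az.Resources / Az.PolicyInsights modules and an authenticated session are assumed.

```powershell
# Added example, not code from the issue or the terraform-azurerm-caf-enterprise-scale module.
# Assumes Az.Resources and Az.PolicyInsights are installed and Connect-AzAccount has been run.
$mgId  = '<management-group-id>'   # placeholder: your management group id
$scope = "/providers/Microsoft.Management/managementGroups/$mgId"

# Assignment name taken from the error message on this page.
$assignmentName = 'Deploy-AzActivity-Log'
$assignmentId   = "$scope/providers/Microsoft.Authorization/policyAssignments/$assignmentName"

$assignment  = Get-AzPolicyAssignment -Name $assignmentName -Scope $scope
# Property name differs between Az.Resources versions (Identity.PrincipalId vs IdentityPrincipalId).
$principalId = if ($assignment.Identity) { $assignment.Identity.PrincipalId } else { $assignment.IdentityPrincipalId }

# 1. Does the DINE identity have any role assignment visible at the MG scope?
#    If not, RBAC is either missing or still propagating; remediation will fail with the error above.
$roles = Get-AzRoleAssignment -ObjectId $principalId -Scope $scope
if (-not $roles) {
    Write-Warning "Identity $principalId has no role assignment at $scope yet. Wait for RBAC propagation or fix the assignment."
    return
}
$roles | Select-Object RoleDefinitionName, Scope | Format-Table -AutoSize

# 2. Permissions are in place: re-evaluate compliance and remediate existing subscriptions
#    without moving them between management groups.
Start-AzPolicyRemediation -Name "remediate-$assignmentName-$(Get-Date -Format 'yyyyMMddHHmm')" `
    -ManagementGroupName $mgId `
    -PolicyAssignmentId $assignmentId `
    -ResourceDiscoveryMode ReEvaluateCompliance
```

Re-check the subscription Activity Log after the remediation task completes; a repeat of the same "resource identity does not have the necessary permissions" error with the role assignment present is the evidence worth attaching to the support ticket.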