Deploy Diagnostic Settings Policy - deployifnotexists fails on initial deployment #635
Comments
|
This is using terraform-azurerm-caf-enterprise-scale v2.4.0 |
|
Thanks for reporting @LouiseSimpson this is very likely not an issue with the ALZ Terraform module and sounds more like a platform/policy engine issue. Would you be able to open a Azure Support ticket (aka.ms/azuresupport) and share the ID with us here so we can track it's progress internally? We need the support teams to investigate why this isn't working properly. Sounds like RBAC isnt inheriting in the hierarchy fast enough possibly if you are changing nothing but it works after a while when you move the subscription in and out of the same Management Group |
jtracey93
added
bug
|
Related to #438 |
|
This issue has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for 7 days. It will be closed if no further activity occurs within 7 days of this comment. |
|
Azure Support ticket raised. |
ghost
added
Needs: Attention 👋
|
Upgraded to terraform-azurerm-caf-enterprise-scale v3.3.0 |
|
Thanks @LouiseSimpson tagging for auto closure |
matt-FFFFFF
added
Needs: Attention 👋
|
This issue has been automatically marked as stale because it has been marked as requiring author feedback but has not had any activity for 7 days. It will be closed if no further activity occurs within 7 days of this comment. |
ghost
locked as resolved and limited conversation to collaborators
Policy 'Deploy Diagnostic Settings for Activity Log to Log Analytics workspace'
On an initial deployment (when no Diagnostic settings for connectivity and management subscriptions exist), the Policy above fails to apply Diagnostic settings to the subscriptions.
An error is produced in the Subscription Activity Log:
Operation name 'deployIfNotExists' Policy action.
Event initiated by Microsoft Azure Policy Insights
"errorMessage": "Evaluation of DeployIfNotExists policy was unsuccessful. The policy assignment '/providers/Microsoft.Management/managementGroups/id/providers/Microsoft.Authorization/policyAssignments/Deploy-AzActivity-Log' resource identity does not have the necessary permissions to create deployment '/subscriptions/id/providers/Microsoft.Resources/deployments/PolicyDeployment_xxx'. Please see https://aka.ms/arm-policy-identity for usage details.",
If the subscription is subsequently moved out of its management group and then back in, the diagnostics settings are then applied correctly (triggered after 30 minutes).
The text was updated successfully, but these errors were encountered: