Azure Policy not targeting Windows VMs correctly - azure

I'm in the middle of writing an Azure Policy to check whether hybrid use benefits are enabled. Microsoft provides a built-in policy that targets all virtual machines based on the image offerings available from the Azure platform. However, some VMs in my subscription are based on migrated VMs and therefore have no link to existing image offerings.
I've found a blog post (https://artisticcheese.wordpress.com/2019/07/04/proper-azure-policy-to-verify-azure-hybrid-benefit-enabled/) that explains how to target virtual machines based on the configured OS type rather than the image offering.
I've started out small and created the following policy setting:
"if": {
    "allOf": [
        {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
        },
        {
            "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
            "equals": "Windows"
        }
    ]
},
"then": {
    "effect": "audit"
}
These settings, however, show all my Windows VMs as non-compliant with the following result:
Reason for non-compliance: Current value must not be equal to the target value.
Field: Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType
Path: properties.storageProfile.osDisk.osType
Current value: "Windows"
Target value: "Windows"
Am I interpreting the "equals" operator wrong here? I would have expected this to turn out as compliant for all Windows-based virtual machines.

If you want to mark resources that are not Windows as non-compliant, you have to change your equals to a not equals. So it would be: if it does not equal Windows, then it is non-compliant, hence audit.

Related

Need to deploy the Azure Policy for the Tags only for the VM

I am deploying an Azure policy for the recommended tags that need to be applied when anyone creates a new VM.
I found one built-in policy: Require a tag on resources.
But when I deployed it, it was applied to all resources, and I need a policy for VM resources only.
Also, how can I use more than one tag in a single policy?
In your policy rule, you must indicate that the policy is just for VMs.
For example:
...
"policyRule": {
    "if": {
        "field": "type",
        "in": [
            "Microsoft.Compute/virtualMachines",
            "Microsoft.ClassicCompute/virtualMachines"
        ]
    },
    "then": {
        ...
    }
}
...
Hope this helps!
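The two threads above turn on how the "if" block of a policy rule is read: it selects the resources the effect applies to, so with "audit" the resources that match are the ones reported as non-compliant, and a "type" condition is what scopes a tag rule to virtual machines. The following Python is an added example, not Microsoft's policy engine and not code from either thread: it implements just enough of the rule language (field with equals / notEquals / in / exists, combined with allOf / anyOf) to evaluate the rules from both questions against constructed resource documents. The alias-to-path mapping, the tag names and the resource documents are assumptions made for the example.

```python
"""Miniature evaluator for the subset of the Azure Policy rule language used in
the two questions above (added example; not Microsoft's policy engine).

It supports "field" conditions with equals / notEquals / in / exists, combined
with allOf / anyOf, and models the audit and deny effects. The resource
documents are constructed samples, not real ARM payloads.
"""
from typing import Any

# Policy alias -> JSON path in the resource. The osType alias is the one from
# the question; the mapping itself is assumed for this example.
FIELD_ALIASES = {
    "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType":
        "properties.storageProfile.osDisk.osType",
}


def get_field(resource: dict, field: str) -> Any:
    """Resolve "type", "tags['name']" or an alias against a resource document."""
    if field.startswith("tags[") and field.endswith("]"):
        return resource.get("tags", {}).get(field[5:-1].strip("'\""))
    node: Any = resource
    for part in FIELD_ALIASES.get(field, field).split("."):
        if not isinstance(node, dict):
            return None
        node = node.get(part)
    return node


def _same(a: Any, b: Any) -> bool:
    """Azure Policy compares strings case-insensitively."""
    if isinstance(a, str) and isinstance(b, str):
        return a.lower() == b.lower()
    return a == b


def evaluate(condition: dict, resource: dict) -> bool:
    """True when the "if" condition matches the resource."""
    if "allOf" in condition:
        return all(evaluate(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(evaluate(c, resource) for c in condition["anyOf"])
    value = get_field(resource, condition["field"])
    if "equals" in condition:
        return _same(value, condition["equals"])
    if "notEquals" in condition:
        return not _same(value, condition["notEquals"])
    if "in" in condition:
        return any(_same(value, v) for v in condition["in"])
    if "exists" in condition:
        return (value is not None) == (str(condition["exists"]).lower() == "true")
    raise ValueError(f"unsupported condition: {condition}")


def compliance(policy_rule: dict, resource: dict) -> str:
    """A resource that matches "if" is what audit reports and deny blocks."""
    if policy_rule["then"]["effect"].lower() not in ("audit", "deny"):
        raise ValueError("only audit and deny are modelled here")
    return "NonCompliant" if evaluate(policy_rule["if"], resource) else "Compliant"


# Rule from the first question: "equals Windows" selects the Windows VMs, so
# audit reports exactly those as non-compliant.
WINDOWS_VM_RULE = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
        {"field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
         "equals": "Windows"},
    ]},
    "then": {"effect": "audit"},
}

# The answer's version: notEquals flags the VMs that are *not* Windows.
NON_WINDOWS_VM_RULE = {
    "if": {"allOf": [
        {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
        {"field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType",
         "notEquals": "Windows"},
    ]},
    "then": {"effect": "audit"},
}

# Second question: deny a VM (classic or ARM) that lacks either of two tags.
# The tag names are constructed for this example.
VM_TAGS_RULE = {
    "if": {"allOf": [
        {"field": "type", "in": ["Microsoft.Compute/virtualMachines",
                                 "Microsoft.ClassicCompute/virtualMachines"]},
        {"anyOf": [
            {"field": "tags['owner']", "exists": "false"},
            {"field": "tags['costCenter']", "exists": "false"},
        ]},
    ]},
    "then": {"effect": "deny"},
}

# Constructed resource documents.
WINDOWS_VM = {"type": "Microsoft.Compute/virtualMachines", "tags": {"owner": "ops"},
              "properties": {"storageProfile": {"osDisk": {"osType": "Windows"}}}}
LINUX_VM = {"type": "Microsoft.Compute/virtualMachines",
            "tags": {"owner": "ops", "costCenter": "1234"},
            "properties": {"storageProfile": {"osDisk": {"osType": "Linux"}}}}
STORAGE = {"type": "Microsoft.Storage/storageAccounts", "tags": {}}

if __name__ == "__main__":
    rules = [("windows", WINDOWS_VM_RULE), ("non-windows", NON_WINDOWS_VM_RULE),
             ("tags", VM_TAGS_RULE)]
    resources = [("windows vm", WINDOWS_VM), ("linux vm", LINUX_VM), ("storage", STORAGE)]
    for rule_name, rule in rules:
        for res_name, res in resources:
            print(f"{rule_name:12} {res_name:11} {compliance(rule, res)}")
```

Running it shows the Windows VM as NonCompliant under the original rule and Compliant under the notEquals version, and the storage account untouched by the tag rule because its type is outside the "in" list.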

Want to enable audit diagnostic settings for AKS node resource group resources (NSG and virtual machine scale set) using an ARM template

I am able to enable audit diagnostic settings for AKS using ARM (see the snippet inside the ARM template below), but I need to enable the same in the same way for all resources in the node resource group, like the network security group and the virtual machine scale set.
"resources": [
    {
        "condition": "[parameters('audit_enable')]",
        "type": "Microsoft.ContainerService/managedClusters/providers/diagnosticSettings",
        "apiVersion": "2021-05-01-preview",
        "name": "[concat(parameters('clustername'), '/Microsoft.Insights/audit')]",
        "dependsOn": [
            "[resourceId('Microsoft.ContainerService/managedClusters', parameters('clustername'))]"
        ],
        "properties": {
            "storageAccountId": "[variables('storageAccountId')]",
            "logs": [
                {
                    "categoryGroup": "allLogs",
                    "enabled": true,
                    "retentionPolicy": {
                        "days": 30,
                        "enabled": true
                    }
                }
            ],
            "metrics": [
                {
                    "category": "AllMetrics",
                    "enabled": true,
                    "retentionPolicy": {
                        "days": 30,
                        "enabled": true
                    }
                }
            ]
        }
    }
]
The statements below are based on our observations and the Azure documentation. We tested in our local environment by creating a virtual machine scale set and tried enabling the diagnostic setting for it. Unfortunately, there is no diagnostic settings feature for virtual machine scale sets.
As per the Azure documentation, the Azure Diagnostics agent is available for virtual machines only.
Azure Diagnostics extension collects monitoring data from the guest operating system and workloads of Azure virtual machines and other compute resources. It primarily collects data into Azure Storage but also allows you to define data sinks to also send data to other destinations such as Azure Monitor Metrics and Azure Event Hubs.
Here is the reference documentation to create the diagnostic setting for a virtual machine using an ARM template.
We tried searching for sample ARM templates to create the diagnostic setting for a network security group; unfortunately, we did not find any. We would suggest you go through this documentation on a basic ARM template to create diagnostic settings and make the changes according to your requirement.
You can also refer to the ARM template samples for diagnostic settings in Azure Monitor.

Is it possible to find the available location for existing virtual machine using azure rest api?

Hi everyone, please help me. I want to get the available locations based on my existing virtual machine configuration using the Azure REST API.
You can get the location where your VM exists from the Virtual Machines - Get API.
GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/virtualMachines/{vmName}?api-version=2020-12-01
Sample response:
{
    "name": "MyVM",
    "id": "/subscriptions/***/resourceGroups/***/providers/Microsoft.Compute/virtualMachines/MyVM",
    "type": "Microsoft.Compute/virtualMachines",
    "location": "centralus",
    "tags": {
        ...
    },
    "properties": {
        ...
    },
    ...
}
Web: This page lists the availability of Azure Virtual Machines by region: Products available by region
REST API: The collection of locations where a certain resource type can be created can be fetched from the Providers - List API from ProviderResourceType property in the response.
PowerShell: An easier alternative is to use the following command to get the supported locations for Azure VMs:
((Get-AzResourceProvider -ProviderNamespace Microsoft.Compute).ResourceTypes | Where-Object ResourceTypeName -eq virtualMachines).Locations
Note that some services or VM features are only available in certain regions, such as specific VM sizes. To determine which SKUs are available in a region/zone, use the Get-AzComputeResourceSku cmdlet (or Resource Skus - List REST API). Filter the results by location.
Get-AzComputeResourceSku | where {$_.ResourceType.Contains("virtualMachines")}
Another great option you may want to explore to move Azure resources between Azure regions is the Azure Resource Mover service. Resource Mover provides a simple and consistent experience with reduced move time and complexity. Checkout this tutorial to move Azure VMs across regions.
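The answer above points at two REST responses that answer different halves of the question: Providers - List says where a resource type is offered at all, and Resource Skus - List says where a particular size is usable by this subscription, including the restrictions that the PowerShell one-liner only filters by location. The following Python is an added example, not code from the thread or from the Azure SDK: it parses constructed excerpts in the shape of those two responses (trimmed to the fields used) and intersects them, so that a region where the SKU is listed but restricted for the subscription drops out of the result.

```python
"""Work out where a VM of a given size could be created, from the two REST
responses the answer above points at (added example; payloads below are
constructed excerpts in the shape of those responses, not live data).

  * Providers - List     -> resourceTypes[].locations   (where the type is offered)
  * Resource Skus - List -> value[].locations / restrictions
                            (where *this subscription* may use the size)
"""
from typing import Dict, List, Set

# Constructed excerpt of GET .../providers/Microsoft.Compute
PROVIDER_RESPONSE: Dict = {
    "namespace": "Microsoft.Compute",
    "resourceTypes": [
        {"resourceType": "virtualMachines",
         "locations": ["East US", "West Europe", "Central US"]},
        {"resourceType": "disks", "locations": ["East US", "West Europe"]},
    ],
}

# Constructed excerpt of GET .../providers/Microsoft.Compute/skus (one entry
# per SKU and region, as the real response is shaped).
SKU_RESPONSE: Dict = {"value": [
    {"resourceType": "virtualMachines", "name": "Standard_D4_v3",
     "locations": ["eastus"], "restrictions": []},
    {"resourceType": "virtualMachines", "name": "Standard_D4_v3",
     "locations": ["westeurope"], "restrictions": []},
    {"resourceType": "virtualMachines", "name": "Standard_D4_v3",
     "locations": ["centralus"],
     "restrictions": [{"type": "Location", "values": ["centralus"],
                       "reasonCode": "NotAvailableForSubscription"}]},
    {"resourceType": "disks", "name": "Premium_LRS",
     "locations": ["eastus"], "restrictions": []},
]}


def normalize(location: str) -> str:
    """'East US' and 'eastus' name the same region."""
    return location.replace(" ", "").lower()


def provider_locations(provider: Dict, resource_type: str) -> Set[str]:
    """Regions in which the provider offers the resource type at all."""
    for rt in provider.get("resourceTypes", []):
        if rt.get("resourceType", "").lower() == resource_type.lower():
            return {normalize(loc) for loc in rt.get("locations", [])}
    return set()


def sku_locations(skus: Dict, sku_name: str,
                  resource_type: str = "virtualMachines") -> Set[str]:
    """Regions where the SKU is listed and not restricted for this subscription."""
    usable: Set[str] = set()
    for sku in skus.get("value", []):
        if sku.get("resourceType") != resource_type or sku.get("name") != sku_name:
            continue
        blocked = {normalize(v)
                   for r in sku.get("restrictions", []) if r.get("type") == "Location"
                   for v in r.get("values", [])}
        usable |= {normalize(loc) for loc in sku.get("locations", [])} - blocked
    return usable


def candidate_regions(provider: Dict, skus: Dict, sku_name: str) -> List[str]:
    """Regions that pass both checks: the type exists and the size is usable."""
    return sorted(provider_locations(provider, "virtualMachines")
                  & sku_locations(skus, sku_name))


if __name__ == "__main__":
    current = "centralus"   # "location" from the Virtual Machines - Get sample above
    regions = candidate_regions(PROVIDER_RESPONSE, SKU_RESPONSE, "Standard_D4_v3")
    print("usable regions for Standard_D4_v3:", regions)
    print("current region usable for that size:", current in regions)
```

With live data you would replace the two constants with the JSON bodies returned by the corresponding GET calls; the size and region names used here are constructed, and the normalisation step is what lets the display names from Providers - List match the lowercase names from Resource Skus - List.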

Set-AzVMDiagnosticsExtension doesn't work as expected across subscriptions

What I'm trying to do is enable the VM Diagnostics extension to send event logs (Application [1,2,3], Security [all], System [1,2,3]) to one unified storage account (let's call it logs storage), where WADWindowsEventLogsTable is supposed to be created.
Different scenarios I'm trying to implement:
1. VM is in the same resource group as logs storage. The result: works.
2. VM is in a different resource group from logs storage. The result: works.
3. VM is in a different subscription. The result: the extension will be enabled. However, when I go to the Agent tab, I get the error message "the value must not be empty" under the Storage account section.
Environment: Windows, PowerShell 7.0.2
DiagnosticsConfiguration.json:
{
    "PublicConfig": {
        "WadCfg": {
            "DiagnosticMonitorConfiguration": {
                "overallQuotaInMB": 5120,
                "WindowsEventLog": {
                    "scheduledTransferPeriod": "PT1M",
                    "DataSource": [
                        {
                            "name": "Application!*[System[(Level=1 or Level=2 or Level=3 or Level=4)]]"
                        },
                        {
                            "name": "Security!*"
                        },
                        {
                            "name": "System!*[System[(Level=1 or Level=2 or Level=3 or Level=4)]]"
                        }
                    ]
                }
            }
        },
        "StorageAccount": "logsstorage",
        "StorageType": "TableAndBlob"
    },
    "PrivateConfig": {
        "storageAccountName": "logsstorage",
        "storageAccountKey": "xxxxxxx",
        "storageAccountEndPoint": "https://logsstorage.blob.core.windows.net"
    }
}
PowerShell commands:
Set-AzVMDiagnosticsExtension -ResourceGroupName "myvmresourcegroup" -VMName "myvm" -DiagnosticsConfigurationPath "DiagnosticsConfiguration.json"
I even tried explicitly specifying the account name and key:
$storage_key = "xxxxxx"
Set-AzVMDiagnosticsExtension -ResourceGroupName "myvmresourcegroup" -VMName "myvm" -DiagnosticsConfigurationPath "DiagnosticsConfiguration.json" -StorageAccountName "logsstorage" -StorageAccountKey $storage_key
I've spent a lot of time trying to figure out the issue without luck.
The real issue here is that the extension doesn't create the expected table WADWindowsEventLogsTable (or write to it if it already exists).
According to the official documentation I should be able to do this, example 3:
https://learn.microsoft.com/en-us/powershell/module/az.compute/set-azvmdiagnosticsextension?view=azps-4.3.0
I've submitted an issue with the team on GitHub and gave more details, but I'm still waiting for their input:
https://github.com/Azure/azure-powershell/issues/12259
This is because the storage account "logsstorage" you specify is in another subscription.
You should have selected a different subscription to enable VM Diagnostic extension. So you also need to modify your DiagnosticsConfiguration.json file and specify a storage account which is in the current subscription.
I managed to get this fixed with some help from Microsoft engineer.
I've detailed the answer in this GitHub issue:
Set-AzVMDiagnosticsExtension doesn't seem working properly across subscriptions
The answer:
I managed to get this to work, thanks to the help from #prernavashistha from Microsoft support. It turned out there is some inconsistency in the documentation.
According to the documentation here:
https://learn.microsoft.com/en-us/azure/azure-monitor/platform/diagnostics-extension-windows-install#powershell-deployment
In PrivateConfig I should pass the storage URI to the "storageAccountEndPoint" key:
"PrivateConfig": {
    "storageAccountEndPoint": "https://logsstorage.blob.core.windows.net"
}
However, according to another documentation reference:
https://learn.microsoft.com/en-us/azure/azure-monitor/platform/diagnostics-extension-schema-windows#json
I should pass the Azure storage endpoint:
"PrivateConfig": {
    "storageAccountEndPoint": "https://core.windows.net"
}
I can confirm that using Azure storage endpoint resolved the issue, and I can enable the extension across subscriptions, and I can see logs being written to the correct table as expected.
Thanks
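The resolution above comes down to one value in PrivateConfig: the extension expects the storage service endpoint (https://core.windows.net), not the URL of one storage account, and the account-specific URL only happens to work while the account is in the same subscription. The following Python is an added example, not part of the Az PowerShell module or of the thread: it is a pre-flight check for a DiagnosticsConfiguration.json that flags an account-scoped endpoint, a mismatch between the public and private account names, and any expected Windows event channel (Security, for instance) that the WadCfg does not collect. The sample configs, the placeholder key and the public-cloud endpoint constant are assumptions made for the example.

```python
"""Pre-flight checks for a WAD DiagnosticsConfiguration.json, encoding the
cross-subscription finding from this thread (added example; not part of the
Az PowerShell module). It flags:
  * a PrivateConfig.storageAccountEndPoint that names one storage account
    (https://<account>.blob.core.windows.net) instead of the storage service
    endpoint (https://core.windows.net);
  * a PublicConfig.StorageAccount that differs from PrivateConfig.storageAccountName;
  * expected Windows event channels missing from WindowsEventLog.DataSource.
"""
import json
import re
from typing import Dict, List, Sequence

# https://<account>.<service>.core.windows.net is an account-scoped URL
ACCOUNT_URL = re.compile(
    r"^https://([a-z0-9]{3,24})\.(blob|table|queue|file)\.core\.windows\.net/?$")
SERVICE_ENDPOINT = "https://core.windows.net"   # public cloud; sovereign clouds differ


def event_channels(public: Dict) -> List[str]:
    """Channel names ("Application", "Security", ...) from the WadCfg data sources."""
    sources = (public.get("WadCfg", {})
                     .get("DiagnosticMonitorConfiguration", {})
                     .get("WindowsEventLog", {})
                     .get("DataSource", []))
    return [s["name"].split("!", 1)[0] for s in sources if "name" in s]


def check_config(config: Dict,
                 required: Sequence[str] = ("Application", "Security", "System"),
                 service_endpoint: str = SERVICE_ENDPOINT) -> List[str]:
    """Return a list of findings; an empty list means the config passed."""
    findings: List[str] = []
    public = config.get("PublicConfig", {})
    private = config.get("PrivateConfig", {})

    endpoint = private.get("storageAccountEndPoint", "")
    account_url = ACCOUNT_URL.match(endpoint)
    if account_url:
        findings.append(
            f"storageAccountEndPoint points at the '{account_url.group(1)}' account; "
            f"use the service endpoint {service_endpoint}")
    elif endpoint.rstrip("/") != service_endpoint:
        findings.append(f"storageAccountEndPoint {endpoint!r} is not {service_endpoint}")

    if public.get("StorageAccount") != private.get("storageAccountName"):
        findings.append("PublicConfig.StorageAccount and PrivateConfig.storageAccountName differ")

    present = set(event_channels(public))
    for channel in required:
        if channel not in present:
            findings.append(f"Windows event channel {channel!r} is not collected")
    return findings


def check_file(path: str) -> List[str]:
    """Convenience wrapper for a config file on disk."""
    with open(path, encoding="utf-8") as fh:
        return check_config(json.load(fh))


def _wad(*sources: str) -> Dict:
    """Build the WadCfg block for the given XPath-style data source names."""
    return {"DiagnosticMonitorConfiguration": {
        "overallQuotaInMB": 5120,
        "WindowsEventLog": {"scheduledTransferPeriod": "PT1M",
                            "DataSource": [{"name": s} for s in sources]}}}


# Constructed configs in the shape of the question's file, with a placeholder key.
ACCOUNT_URL_CONFIG = {
    "PublicConfig": {
        "WadCfg": _wad("Application!*[System[(Level=1 or Level=2 or Level=3)]]",
                       "Security!*",
                       "System!*[System[(Level=1 or Level=2 or Level=3)]]"),
        "StorageAccount": "logsstorage", "StorageType": "TableAndBlob"},
    "PrivateConfig": {"storageAccountName": "logsstorage",
                      "storageAccountKey": "<placeholder-key>",
                      "storageAccountEndPoint": "https://logsstorage.blob.core.windows.net"},
}
SERVICE_ENDPOINT_CONFIG = json.loads(json.dumps(ACCOUNT_URL_CONFIG))   # deep copy
SERVICE_ENDPOINT_CONFIG["PrivateConfig"]["storageAccountEndPoint"] = SERVICE_ENDPOINT

if __name__ == "__main__":
    for name, cfg in [("account URL", ACCOUNT_URL_CONFIG),
                      ("service endpoint", SERVICE_ENDPOINT_CONFIG)]:
        print(f"{name}: {check_config(cfg) or 'ok'}")
```

Run check_file("DiagnosticsConfiguration.json") before Set-AzVMDiagnosticsExtension; the first constructed config reproduces the thread's failing shape and yields exactly one finding, the second (endpoint changed to https://core.windows.net) passes cleanly.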

Overwrite Azure resource values with Azure policy values

Is it possible to overwrite Azure resource values with Azure policy values? I am trying to fix the VM size/sku. I created the below Policy with an append effect which fails VM creation as it cannot overwrite the default/given VM size/sku.
{
    "if": {
        "field": "type",
        "equals": "Microsoft.Compute/virtualMachines"
    },
    "then": {
        "effect": "append",
        "details": [
            {
                "field": "Microsoft.Compute/virtualMachines/sku.name",
                "value": "Standard_D4_v3"
            }
        ]
    }
}
No, it is not possible to overwrite a resource value using an ARM policy append effect. The behavior you are experiencing is by design as described here.
Since a VM's SKU is a single value vs. a collection/array of values, the only action you could hope to take is to overwrite the original value. But, as you are seeing, an ARM policy will revert to the deny effect instead in this case.
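The answer's point is that append adds to a request but never overwrites: a missing field gets the value, an array field gets the items appended, and a single-valued field that already differs turns the request into a deny. The following Python is an added example that models that documented behaviour, not Microsoft's policy engine and not code from the thread: it applies the rule from the question to constructed request bodies and shows the deny, alongside a tag rule (constructed) where append is the right tool because the field is absent. The alias-to-path mapping for the VM size is assumed for the example.

```python
"""What the Azure Policy "append" effect does to a resource create/update
request, to show why the rule above ends in a denied deployment (added
example modelling the documented behaviour; not Microsoft's engine).

  * field absent                        -> value is added
  * field is an array                   -> items are appended
  * field is a single value that differs -> request is denied; append never overwrites
"""
from copy import deepcopy
from typing import Any, Dict, List, Tuple

# Alias -> JSON path in the request body. The vmSize mapping is assumed for
# this example; tags['x'] is rewritten to the path tags.x.
ALIASES = {"Microsoft.Compute/virtualMachines/sku.name":
           "properties.hardwareProfile.vmSize"}


def _path(field: str) -> List[str]:
    if field.startswith("tags[") and field.endswith("]"):
        return ["tags", field[5:-1].strip("'\"")]
    return ALIASES.get(field, field).split(".")


def _get(body: Dict, parts: List[str]) -> Any:
    node: Any = body
    for p in parts:
        if not isinstance(node, dict) or p not in node:
            return None
        node = node[p]
    return node


def _set(body: Dict, parts: List[str], value: Any) -> None:
    node = body
    for p in parts[:-1]:
        node = node.setdefault(p, {})
    node[parts[-1]] = value


def apply_append(rule: Dict, request: Dict) -> Tuple[str, Any]:
    """Return ("allowed", new_body) or ("denied", reason); the input is not mutated."""
    body = deepcopy(request)
    cond = rule["if"]                       # only {"field": ..., "equals": ...} is modelled
    if str(_get(body, _path(cond["field"]))).lower() != str(cond["equals"]).lower():
        return "allowed", body              # rule does not apply to this resource
    for detail in rule["then"]["details"]:
        parts, value = _path(detail["field"]), detail["value"]
        current = _get(body, parts)
        if current is None:
            _set(body, parts, value)        # missing: append adds it
        elif isinstance(current, list):
            current.extend(value if isinstance(value, list) else [value])
        elif current != value:
            return "denied", (f"{detail['field']} is already {current!r}; append cannot "
                              f"change it to {value!r}")
    return "allowed", body


# The rule from the question.
VM_SIZE_RULE = {
    "if": {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
    "then": {"effect": "append",
             "details": [{"field": "Microsoft.Compute/virtualMachines/sku.name",
                          "value": "Standard_D4_v3"}]},
}
# Append suits a value that is normally absent, such as a tag (constructed rule).
VM_TAG_RULE = {
    "if": {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
    "then": {"effect": "append",
             "details": [{"field": "tags['costCenter']", "value": "unassigned"}]},
}

# Constructed request bodies.
VM_REQUEST = {"type": "Microsoft.Compute/virtualMachines", "location": "centralus",
              "properties": {"hardwareProfile": {"vmSize": "Standard_D2_v3"}}}
VM_REQUEST_NO_SIZE = {"type": "Microsoft.Compute/virtualMachines",
                      "location": "centralus", "properties": {}}
STORAGE_REQUEST = {"type": "Microsoft.Storage/storageAccounts", "location": "centralus"}

if __name__ == "__main__":
    print(apply_append(VM_SIZE_RULE, VM_REQUEST))          # denied: size already set
    print(apply_append(VM_SIZE_RULE, VM_REQUEST_NO_SIZE))  # allowed: size filled in
    print(apply_append(VM_TAG_RULE, VM_REQUEST))           # allowed: tag added
```

The first call is the question's scenario: every real VM request carries a vmSize, so the rule can only ever deny; if the intent is to fix the size, the effect to use is deny with a notEquals condition on the size alias, so that only non-conforming requests are rejected and nothing is silently rewritten.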
