This repository has been archived by the owner on Sep 17, 2024. It is now read-only.
After reviewing the text version of the validation report I noticed that the report flagged the following resources for non-compliance with the "Audit diagnostic setting" policy:
A Cosmos DB
A Container Instance
Both of these resources are logging to a Log Analytics workspace, which is kind of what the policy is meant to check (I believe, from looking at the policy JSON). I think the policy is looking for microsoft.insights/diagnosticSettings but these resources do not have this? I am not an expert.
The Cosmos DB was created using https://github.com/cds-snc/report-a-cybercrime/blob/master/utils/azurescript.sh and near line 153 you can see that we create the diagnostic setting.
The Container Instance does not support a complete diagnostic setting, but at this time you can specify a Log Analytics workspace to log to at creation time, which we do at line 93.
I wanted to highlight this so that perhaps you want to tailor your validation so that you can validate these types of resources correctly. I'm willing to help answer any questions you have.
Hi David, the "Audit diagnostic setting" policy definition in this case is a built-in Azure policy. The reporting tool is simply obtaining the compliance data for that policy assignment from Azure.
To achieve what you indicated with respect to checking diagnostic settings for other types of Azure resources not supported by the built-in policy, you would need to create a custom Azure policy to do that.
You could either create a custom policy that checks audit diagnostic configuration settings for all types of resources, or have separate custom policies for each type.
Regardless, the current PBMM guardrail framework doesn't support creation of custom Azure policies as part of the blueprint and would need to be extended.
On second thought David, it's probably better to just have Microsoft change their built-in policy to support the additional resource types rather than us going the custom policy route.
I assume it would need to be raised to MS as a feature request.
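The custom policy route described above, as an added illustration (this is not code from the repository or from Azure's built-in definition): an AuditIfNotExists policy scoped to Cosmos DB accounts that only reports compliance when a Microsoft.Insights/diagnosticSettings child resource exists with at least one log or metric category enabled. It is assumed to be deployed as a custom definition at subscription scope; Container Instances are left out because, as noted above, they expose no diagnostic setting for such a rule to find.

```json
{
  "properties": {
    "displayName": "Audit diagnostic setting on Cosmos DB accounts (custom, example)",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "Flags Cosmos DB accounts with no enabled diagnostic setting. Example definition, not the built-in policy.",
    "metadata": {
      "category": "Monitoring"
    },
    "parameters": {},
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.DocumentDB/databaseAccounts"
      },
      "then": {
        "effect": "AuditIfNotExists",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "existenceCondition": {
            "anyOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics[*].enabled",
                "equals": "true"
              }
            ]
          }
        }
      }
    }
  }
}
```

Because the existence check runs against the diagnosticSettings child resource rather than the account itself, a resource that only ships logs through a creation-time workspace reference (the Container Instance case) would still be reported as non-compliant by a rule of this shape.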