Asked by bombbe, answered by SwathiDhanwada-MSFT

Azure policy Conflict

Hi,
I have a policy that configures a resource diagnostic setting to a Log Analytics workspace. When I check the resource compliance state from the policy, it says "non-compliant" with the following error message:
(screenshot: profilename.png)


If I then try to create a remediation task, it also fails with the following:

 Failed to update diagnostics for 'monitoringdemo'.
 {
   "code":"Conflict",
   "message": "Data sink '/subscriptions/<id>/resourceGroups/<rg>/providers/Microsoft.EventHub/namespaces/<ns>/authorizationrules/RootManageSharedAccessKey'
   is already used in diagnostic setting 'monitoring' for category 'AppExceptions'.
   Data sinks can't be reused in different settings on the same category for the same resource."
 }.


I understand that this means I cannot create multiple diagnostic settings with the same category targeting the same destination. In the Event Hub scenario the destination includes the authorizationrules/<your access key> part.

In my case someone has already enabled diagnostic settings (manually) for resource X, with the wrong name but pointing to the right Log Analytics workspace, and because the name is wrong it is "non-compliant".

Could I maybe add something to the policy so it would override the existing name / settings with the right ones, or can I remove something from the policy so that it only checks that the right Log Analytics workspace is there without taking notice of the name (so the name could be XXXXX but it is compliant if the right Log Analytics workspace is specified)?

We can take as an example the built-in policy (KeyVault_DeployDiagnosticLog_Deploy_LogAnalytics.json):

https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/KeyVault_DeployDiagnosticLog_Deploy_LogAnalytics.json








@bombbe Normally when you try to deploy diagnostic settings via an ARM template to modify the existing name of already deployed diagnostic settings of a resource, you are prompted with "Data sinks can't be reused in different settings on the same category for the same resource". To rectify this, you can either use PowerShell or CLI commands.

bombbe, replying to SwathiDhanwada-MSFT:

Hi,
when you said that I could try to use PowerShell or CLI commands, do you mean that I should use PowerShell or CLI commands to create, assign or remediate the policy (instead of the Portal), or at what step should I try to use those commands?


As you want to remediate the diagnostic settings via Azure Policy, I would suggest you consider the deployment scripts concept of ARM templates, where you can modify diagnostic settings using PowerShell in an ARM template. One such example I have come across is written in this blog. Kindly check it out and revert if you have further questions.


bombbe, replying to SwathiDhanwada-MSFT:

So by using deployment scripts I can run PS1 scripts when doing remediations, allowing me to modify diagnostic settings, for example the name of the setting, which could not be done otherwise.


1 Answer

SwathiDhanwada-MSFT answered:

@bombbe Apologies for the late response. AFAIK, updating an existing diagnostic setting's name using an ARM template without changing the destination isn't possible. So I suggested you use PowerShell or update manually via the Portal. By similar inference, I applied this to Azure Policy, where we try to remediate resources using ARM templates and are prompted with the error you mentioned. To rectify this, I suggested using the deployment scripts feature of ARM templates, where we can update the resources using PowerShell scripts.

Here is a sample ARM template using deployment scripts for updating the diagnostic settings of an App Service. I haven't had a chance to check it with Azure Policy yet. I will try it out with Azure Policy as well. Meanwhile, kindly check it out from your end as well.

 {
     "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
     "contentVersion": "1.0.0.0",
     "parameters": {
         "workspaceId": {
             "type": "string"
         },
         "azDiagName": {
             "type": "string"
         },
         "utcValue": {
             "type": "string",
             "defaultValue": "[utcNow()]"
         },
         "identity": {
             "type": "string"
         }
     },
     "resources": [
         {
             "type": "Microsoft.Resources/deploymentScripts",
             "apiVersion": "2020-10-01",
             "name": "runPowerShellInlineWithOutput",
             "location": "[resourceGroup().location]",
             "kind": "AzurePowerShell",
             "identity": {
                 "type": "UserAssigned",
                 "userAssignedIdentities": {
                     "[parameters('identity')]": {
                     }
                 }
             },
             "properties": {
                 "forceUpdateTag": "[parameters('utcValue')]",
                 "azPowerShellVersion": "5.0",
                 "primaryScriptUri": "https://raw.githubusercontent.com/SwathiDhanwada-MSFT/Bumblebee/main/PowerShell%20Scripts/DiagnosticSettings.ps1",
                 "arguments": "[format(' -workspaceId {0} -azDiagName {1} ', parameters('workspaceId'), parameters('azDiagName'))]",
                 "timeout": "PT1H",
                 "cleanupPreference": "OnSuccess",
                 "retentionInterval": "P1D"
             }
         }
     ],
     "outputs": {
     }
 }
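The following script is an added example, not the DiagnosticSettings.ps1 referenced by the template above and not code from the thread's participants. It does the rename the question asks for in the way the answer describes: it deletes the manually created setting that already points at the correct Log Analytics workspace (the one that would otherwise trigger the "Data sinks can't be reused ... on the same category" conflict) and recreates it under the name the policy expects, preserving the categories it had enabled. It assumes the Az.Monitor 2.x cmdlets that ship with azPowerShellVersion 5.0 in the template (Get-/Remove-/Set-AzDiagnosticSetting; newer Az.Monitor versions replaced Set-AzDiagnosticSetting with New-AzDiagnosticSetting and log-settings objects), and it assumes a -ResourceId argument that the template does not currently pass, which a deployIfNotExists policy would supply as [field('id')].

```powershell
<#
  Added example: rename a diagnostic setting that already targets the right
  Log Analytics workspace by deleting it and recreating it under the expected
  name. Assumes Az.Monitor 2.x cmdlets (azPowerShellVersion 5.0); the
  -ResourceId parameter is an assumed addition to the template's arguments.
#>
param(
    [Parameter(Mandatory)] [string] $ResourceId,
    [Parameter(Mandatory)] [string] $WorkspaceId,
    [Parameter(Mandatory)] [string] $AzDiagName,
    [switch] $DryRun
)

$ErrorActionPreference = 'Stop'

# Every diagnostic setting currently attached to the resource.
$existing = @(Get-AzDiagnosticSetting -ResourceId $ResourceId)

# Already correct: a setting with the expected name that targets the expected workspace.
$ok = $existing | Where-Object {
    $_.Name -eq $AzDiagName -and $_.WorkspaceId -and ($_.WorkspaceId -ieq $WorkspaceId)
}
if ($ok) {
    Write-Output "Diagnostic setting '$AzDiagName' already targets the workspace; nothing to do."
    return
}

# Any other setting that sends to the same workspace would collide with the
# policy's setting on every shared category ("Data sinks can't be reused in
# different settings on the same category"), so it has to be removed first.
$conflicting = $existing | Where-Object {
    $_.WorkspaceId -and ($_.WorkspaceId -ieq $WorkspaceId) -and $_.Name -ne $AzDiagName
}

# Keep the categories the manually created setting had enabled, so the rename
# does not silently widen or narrow what is collected.
$logCategories    = @($conflicting | ForEach-Object { $_.Logs }    | Where-Object Enabled | Select-Object -ExpandProperty Category -Unique)
$metricCategories = @($conflicting | ForEach-Object { $_.Metrics } | Where-Object Enabled | Select-Object -ExpandProperty Category -Unique)

foreach ($setting in $conflicting) {
    Write-Output "Removing conflicting diagnostic setting '$($setting.Name)' (same workspace, wrong name)."
    if (-not $DryRun) {
        Remove-AzDiagnosticSetting -ResourceId $ResourceId -Name $setting.Name
    }
}

$params = @{
    ResourceId  = $ResourceId
    Name        = $AzDiagName
    WorkspaceId = $WorkspaceId
    Enabled     = $true
}
# With no categories preserved (no earlier setting existed), Set-AzDiagnosticSetting
# enables every log and metric category the resource type exposes.
if ($logCategories.Count    -gt 0) { $params.Category       = $logCategories }
if ($metricCategories.Count -gt 0) { $params.MetricCategory = $metricCategories }

Write-Output "Creating diagnostic setting '$AzDiagName' -> $WorkspaceId"
if (-not $DryRun) {
    Set-AzDiagnosticSetting @params | Out-Null
}
```

Run it with -DryRun first to see which settings it would delete. The user-assigned identity the deployment script runs under needs write and delete permission on Microsoft.Insights/diagnosticSettings for the target resource (Monitoring Contributor covers this), and the delete-then-create leaves a short gap with no diagnostic setting at all, which is the price of the "no rename in place" limitation the answer describes. Whether the policy accepts a differently named setting at all depends on its deployIfNotExists details block: when that block pins `name`, Azure Policy only inspects the setting with that exact name, which is why a manually created setting under another name counts as missing.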

