Question asked by NaveenBegurnagaraj-6327:

DeployIfNotExists to enable VM boot diagnostics using Azure policies is failing

I have written a DeployIfNotExists policy to enable VM boot diagnostics, but it is not working as expected.

Please have a look at the code and help me resolve it.

code:

  {
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Compute/virtualMachine"
      },
      "then": {
        "effect": "DeployIfNotExists",
        "details": {
          "type": "Microsoft.Compute/virtualMachines/diagnosticsProfile.bootDiagnostics",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Compute/virtualMachines/diagnosticsProfile.bootDiagnostics.enabled",
                "equals": "false"
              }
            ]
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "resources": [
                  {
                    "type": "Microsoft.Compute/virtualMachines/diagnosticsProfile.bootDiagnostics",
                    "apiVersion": "2020-06-01",
                    "dependsOn": [],
                    "properties": {
                      "diagnosticsProfile": {
                        "bootDiagnostics": {
                          "enabled": true
                        }
                      }
                    }
                  }
                ],
                "outputs": {}
              }
            }
          }
        }
      }
    }
  }

azure-virtual-machines

NaveenBegurnagaraj-6327 answered:

@srbose-msft,
It's working fine as of now, but only for existing resources: some resources show up in the remediation task and others do not (even though they are candidates for remediation).

Thank you very much for your quick support.


srbose-msft answered:

@NaveenBegurnagaraj-6327 , Thank you for your question.

Can you please check out if the following script serves your purpose?

  {
   "mode": "Indexed",
   "policyRule": {
     "if": {
       "allOf": [
         {
           "field": "type",
           "equals": "Microsoft.Compute/virtualMachines"
         },
         {
           "anyOf": [
             {
               "field": "Microsoft.Compute/virtualMachines/diagnosticsProfile.bootDiagnostics.enabled",
               "exists": "false"
             },
             {
               "field": "Microsoft.Compute/virtualMachines/diagnosticsProfile.bootDiagnostics.enabled",
               "equals": "false"
             }
           ]
         }
       ]
     },
     "then": {
       "effect": "modify",
       "details": {
         "operations": [
           {
             "operation": "add",
             "field": "Microsoft.Compute/virtualMachines/diagnosticsProfile",
             "value": {}
           },
           {
             "operation": "add",
             "field": "Microsoft.Compute/virtualMachines/diagnosticsProfile.bootDiagnostics",
             "value": {}
           },
           {
             "operation": "add",
             "field": "Microsoft.Compute/virtualMachines/diagnosticsProfile.bootDiagnostics.enabled",
             "value": true
           }
         ],
         "roleDefinitionIds": [
           "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
         ]
       }
     }
   },
   "parameters": {}
 }

This makes use of the Modify effect instead of DeployIfNotExists.

DeployIfNotExists runs about 15 minutes after a Resource Provider has handled a create or update subscription or resource request and has returned a success status code. A template deployment occurs if there are no related resources or if the resources defined by ExistenceCondition don't evaluate to true. The duration of the deployment depends on the complexity of resources included in the template.

During an evaluation cycle, policy definitions with a DeployIfNotExists effect that match resources are marked as non-compliant, but no action is taken on that resource. Existing non-compliant resources can be remediated with a remediation task.



Modify is used to add, update, or remove properties or tags on a subscription or resource during creation or update. A common example is updating tags on resources such as costCenter. Existing non-compliant resources can be remediated with a remediation task. A single Modify rule can have any number of operations.


Hope this helps!

Please "Accept as Answer" if it helped, so that it can help others in the community looking for help on similar topics.

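A small offline model of the two rules in this thread, added here as an example; it is not code from the question, the answer, or Azure. It evaluates the question's `if` block and the answer's `if` block plus Modify operations against three constructed VM bodies (no diagnosticsProfile at all, boot diagnostics explicitly disabled, boot diagnostics enabled). Azure's alias resolution is replaced by an assumed alias-to-path mapping, `add` is modelled as set-only-when-absent and `addOrReplace` as always-set, and the `REPLACE_OPS` variant is my own assumption rather than anything the answer proposed.

```python
"""Offline model of the two Azure Policy rules in this thread.

Added example, not code from the question, the answer, or Azure. It covers only
the policy-language subset those definitions use ("field" conditions with
"equals" / "exists", "allOf" / "anyOf", Modify "add" / "addOrReplace"). Aliases
are resolved by plain dict lookup into a constructed resource body, an assumption
standing in for Azure's alias resolution; the VM documents are made-up samples.
"""
import copy

PROFILE = "Microsoft.Compute/virtualMachines/diagnosticsProfile"
BOOT = PROFILE + ".bootDiagnostics"
ENABLED = BOOT + ".enabled"
# Assumed alias-to-JSON-path mapping for the aliases the thread uses.
ALIASES = {
    "type": ("type",),
    PROFILE: ("properties", "diagnosticsProfile"),
    BOOT: ("properties", "diagnosticsProfile", "bootDiagnostics"),
    ENABLED: ("properties", "diagnosticsProfile", "bootDiagnostics", "enabled"),
}
_MISSING = object()  # sentinel: the alias resolves to nothing on this resource

def resolve(resource, field):
    """Walk the alias path; return _MISSING if any segment is absent."""
    node = resource
    for key in ALIASES[field]:
        if not isinstance(node, dict) or key not in node:
            return _MISSING
        node = node[key]
    return node

def matches(condition, resource):
    """Evaluate a policy 'if' block (allOf / anyOf / field) against a resource."""
    if "allOf" in condition:
        return all(matches(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(matches(c, resource) for c in condition["anyOf"])
    value = resolve(resource, condition["field"])
    if "exists" in condition:
        return (value is not _MISSING) == (str(condition["exists"]).lower() == "true")
    if "equals" in condition:  # assumption: case-insensitive string compare, so "false" matches false
        return value is not _MISSING and str(value).lower() == str(condition["equals"]).lower()
    raise ValueError(f"unsupported condition: {condition}")

def apply_modify(resource, operations):
    """Apply Modify operations to a copy. Model: 'add' sets a field only when absent,
    'addOrReplace' always sets it; the answer's two '{}' adds therefore create the
    parent objects on a VM with no diagnosticsProfile and leave an existing one intact."""
    out = copy.deepcopy(resource)
    for op in operations:
        if op["operation"] not in ("add", "addOrReplace"):
            raise ValueError(f"unsupported operation: {op['operation']}")
        *parents, leaf = ALIASES[op["field"]]
        node = out
        for key in parents:
            node = node.setdefault(key, {})
        if op["operation"] == "addOrReplace" or leaf not in node:
            node[leaf] = copy.deepcopy(op["value"])
    return out

# The answer's 'if' block and operations, as posted above.
ANSWER_IF = {"allOf": [
    {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
    {"anyOf": [{"field": ENABLED, "exists": "false"}, {"field": ENABLED, "equals": "false"}]},
]}
ANSWER_OPS = [{"operation": "add", "field": PROFILE, "value": {}},
              {"operation": "add", "field": BOOT, "value": {}},
              {"operation": "add", "field": ENABLED, "value": True}]
# Assumed variant, not from the thread: also overwrite an explicit false.
REPLACE_OPS = ANSWER_OPS[:2] + [{"operation": "addOrReplace", "field": ENABLED, "value": True}]
# The question's 'if' block; note the singular "virtualMachine" in the type.
QUESTION_IF = {"field": "type", "equals": "Microsoft.Compute/virtualMachine"}

# Constructed sample VM bodies, not real resources.
VM = "Microsoft.Compute/virtualMachines"
SAMPLE_VMS = {
    "vm-no-profile": {"type": VM, "properties": {}},
    "vm-disabled": {"type": VM, "properties": {"diagnosticsProfile": {"bootDiagnostics": {"enabled": False}}}},
    "vm-enabled": {"type": VM, "properties": {"diagnosticsProfile": {"bootDiagnostics": {
        "enabled": True, "storageUri": "https://example.invalid/"}}}},
}

def remediate(resource, rule_if, operations):
    """Mirror Azure: the operations run only on resources the 'if' block matches."""
    return apply_modify(resource, operations) if matches(rule_if, resource) else copy.deepcopy(resource)

def run_samples():
    """Per sample VM: does each rule flag it, and is boot diagnostics on afterwards?"""
    return {name: {
        "question_if_matches": matches(QUESTION_IF, vm),
        "answer_if_matches": matches(ANSWER_IF, vm),
        "enabled_after_add": resolve(remediate(vm, ANSWER_IF, ANSWER_OPS), ENABLED) is True,
        "enabled_after_add_or_replace": resolve(remediate(vm, ANSWER_IF, REPLACE_OPS), ENABLED) is True,
    } for name, vm in SAMPLE_VMS.items()}

if __name__ == "__main__":
    for name, row in run_samples().items():
        print(f"{name:14} {row}")
```

Running it shows why the question's rule never fires (its type string is the singular `Microsoft.Compute/virtualMachine`, which never equals a VM's actual resource type) and why the answer needs both the `exists: false` and the `equals: false` branch: a VM created without any diagnosticsProfile has no `enabled` property to compare at all. It also shows that, under the modelled semantics, a plain `add` leaves an explicit `enabled: false` in place, so for VMs like `vm-disabled` check the Modify effect documentation and your own remediation results to confirm whether `add` or `addOrReplace` gives the outcome you want.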

Hello @srbose-msft,
Thank you very much for the answer.

Your script just enables boot diagnostics at the time of creation, but it is not checking already existing VMs as compliant or non-compliant.

What may be the issue?

Thanks in advance,

Regards,
Naveen BN


srbose-msft replied to NaveenBegurnagaraj-6327:

@NaveenBegurnagaraj-6327 , Thank you for your response.


In this case, the Modify policy adds a property instead of a tag.

Resources that are non-compliant to a deployIfNotExists or modify policy can be put into a compliant state through Remediation. Remediation is accomplished by instructing Azure Policy to run the deployIfNotExists effect or the modify operations of the assigned policy on your existing resources and subscriptions, whether that assignment is to a management group, a subscription, a resource group, or an individual resource. [Reference]

You can trigger an on-demand compliance evaluation scan by following any of the procedures shared here.
