Azure Policy - autoshutdown is not reenabled after its disabled by user

Hi

So I have deployed this Azure policy, azurepolicy.json, and have quite a few questions.

  1. deployIfNotExists works fine, BUT after I switch the setting to off via the portal, the policy does not turn it back on as I expected. Why is this, or how can I evaluate "enabled"? If somebody turns off the switch, I want it to be turned on automatically again.

  2. If you disable the Auto-shutdown setting, the compliance dashboard still thinks the VM is compliant. Why?

To test the policy I did the following:

  1. Create a VM "VM01"

  2. Assign the policy to the scope

  3. Check the compliance dashboard
     The dashboard surprisingly says "Compliant" for the new assignment.
     Click refresh; the dashboard says "Not started".

  4. Wait 15 minutes

  5. The dashboard says "Non-compliant" for VM01

  6. Create a new remediation task

  7. The remediation task runs through and the VM is now configured with Auto-shutdown enabled, cool

  8. Check the compliance dashboard
     It is still Non-compliant. I run Start-AzPolicyComplianceScan for my RG and wait until it ends.

  9. Check the compliance dashboard and it says "Compliant"

  10. On VM01 I set Auto-shutdown to off

  11. Run Start-AzPolicyComplianceScan again and wait until it ends

  12. The compliance dashboard still says it is compliant

  13. Create a 2nd VM in the same RG as VM02

  14. Check the dashboard
      The compliance state is still compliant.

  15. Run Start-AzPolicyComplianceScan again and wait until it ends

  16. Check the dashboard
      VM02 is not in the dashboard, even though the settings are now there. Auto-shutdown for VM02 is enabled.
      VM01 still has Auto-shutdown disabled.

I'm quite confused by how slow and inaccurate the Azure Policy service is. How do you guys test and evaluate new policies? Also, I understand that this is part of the security framework. How can it be so clumsy, slow and inaccurate? It seems to always be out of sync...

azure-policy

1 Answer


OK, after posting I realized that this code is not evaluating whether the schedule is enabled or not. You can do this by adding the following to the existenceCondition:

  {
    "field": "Microsoft.DevTestLab/schedules/status",
    "equals": "Enabled"
  },


This will not re-enable the auto-shutdown by itself. You need to create a remediation task for this. Automatic remediation is planned, though: https://feedback.azure.com/forums/915958-azure-governance/suggestions/35897443-allow-automatic-remediation-of-deployifnotexists-t
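To see why the dashboard stayed "Compliant" after the schedule was switched off, here is a small model of how a deployIfNotExists existenceCondition selects the related resource, run against a schedule whose status is Disabled. This is an added example, not the Azure Policy engine and not the azurepolicy.json from the question; the sample schedule resource and the assumed "original" condition (which only checks that a schedule exists) are constructed for illustration.

```python
"""Simplified model of how a deployIfNotExists existenceCondition selects the related
resource. Added example; this is not the Azure Policy engine and not azurepolicy.json.
The resources and the assumed 'original' condition below are constructed samples."""

def field_value(resource, alias):
    """Resolve a policy alias. 'type'/'name' are top-level keys; an alias such as
    'Microsoft.DevTestLab/schedules/status' is read from properties (simplified)."""
    if alias in ("type", "name"):
        return resource.get(alias)
    prefix = resource["type"] + "/"
    if not alias.lower().startswith(prefix.lower()):
        return None
    value = resource.get("properties", {})
    for part in alias[len(prefix):].split("/"):
        value = value.get(part) if isinstance(value, dict) else None
    return value

def evaluate(condition, resource):
    """Evaluate allOf / anyOf / not and the field operators equals and exists."""
    if "allOf" in condition:
        return all(evaluate(c, resource) for c in condition["allOf"])
    if "anyOf" in condition:
        return any(evaluate(c, resource) for c in condition["anyOf"])
    if "not" in condition:
        return not evaluate(condition["not"], resource)
    value = field_value(resource, condition["field"])
    if "equals" in condition:  # Azure Policy string comparisons are case-insensitive
        return str(value).lower() == str(condition["equals"]).lower()
    if "exists" in condition:
        return (value is not None) == (str(condition["exists"]).lower() == "true")
    raise ValueError("unsupported condition: %r" % condition)

def is_compliant(existence_condition, related_resources):
    """deployIfNotExists marks the VM compliant when any related resource matches."""
    return any(evaluate(existence_condition, r) for r in related_resources)

# Constructed sample: VM01's shutdown schedule after the user switched it off in the portal.
SCHEDULE_DISABLED = {
    "type": "Microsoft.DevTestLab/schedules", "name": "shutdown-computevm-VM01",
    "properties": {"status": "Disabled", "taskType": "ComputeVmShutdownTask"},
}
# Assumed original condition: only checks that a schedule resource exists at all.
ORIGINAL = {"allOf": [{"field": "type", "equals": "Microsoft.DevTestLab/schedules"}]}
# The same condition with the status check from the answer added.
FIXED = {"allOf": [
    {"field": "type", "equals": "Microsoft.DevTestLab/schedules"},
    {"field": "Microsoft.DevTestLab/schedules/status", "equals": "Enabled"},
]}
```

With the existence-only condition the disabled schedule still satisfies the policy, so the VM reports compliant; with the status check it no longer matches and a remediation task can redeploy it.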
