Fixes bug with ama role assignments (#1593)
Co-authored-by: Jack Tracey <[email protected]>
arjenhuitema and jtracey93 authored Mar 8, 2024
1 parent cd5370b commit 59b2ca1
Showing 9 changed files with 209 additions and 11 deletions.
16 changes: 16 additions & 0 deletions docs/wiki/Whats-new.md
Expand Up @@ -51,6 +51,22 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones:

- Add new Regulatory Compliance Policy Assignment flexibility feature
- Added ARM template to enable Microsoft Defender for Cloud as part of the deployment. Policies will still remediate additional subscriptions added to ALZ after deployment.
- Resolved an issue that prevented the policy remediation from working properly for VM Insights, Change Tracking, Azure Update Manager policies. The root cause was a too restrictive access configuration for the Managed Identity that performs the remediation tasks.
- **New deployments will now:**
- Add an additional role assignment for VMInsights Policies that are assigned at Landing Zone management group scope, granting the Managed Identity the Reader role on the Platform management group.
- Add an additional role assignment for ChangeTracking Policies that are assigned at Landing Zone management group scope, granting the Managed Identity the Reader role on the Platform management group.
- Add an additional role assignment to Azure Update Manger Policies, granting Managed Identity Operator at the same scope as the assignment.
- **To update an existing deployment:**
- For each of the VMInsights and ChangeTracking Initiative assignments:
- **Only required for the Initiatives assigned to Landing Zones Management group scope**
- Go to the Initiative assignment, go to the Managed Identity tab and copy the Principal ID
- Go to Management Groups, select the Platform Management group and go to Access control (IAM)
- Add a new role assignment and assign the Reader role the Principal ID that was copied in the first step.
- For each of the Azure Update Manger Initiative assignments:
- **Applies to the Initiatives assigned to both the Landing Zones and the Platform Management group scopes**
- Go to the Initiative assignment, go to the Managed Identity tab and copy the Principal ID
- Go to Management Groups, select the same management group as the assignment you copied the Principal ID from and go to Access control (IAM)
- Add a new role assignment and assign the Managed Identity Operator role the Principal ID that was copied in the first step.

### February 2024

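Review bot: "Azure Update Manger" is misspelled twice in the new bullets (once under "New deployments will now" and once under "To update an existing deployment"); it should read "Azure Update Manager". The two manual steps also drop a preposition: "assign the Reader role the Principal ID" and "assign the Managed Identity Operator role the Principal ID" should be "... role to the Principal ID". It would also help operators to state why the remediation identity needs Reader across the whole Platform management group (which resources under it the remediation has to read), so that anyone wanting a narrower grant knows what the minimum is; as written, the bullet only names the role and the scope.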
18 changes: 18 additions & 0 deletions eslzArm/eslzArm.json
Expand Up @@ -3226,6 +3226,9 @@
},
"scope": {
"value": "[variables('scopes').lzsManagementGroup]"
},
"platformScope": {
"value": "[variables('scopes').platformManagementGroup]"
}
}
}
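Review bot: passing platformScope only for the deployments whose scope is lzsManagementGroup is consistent with the template side, where platformScope defaults to parameters('scope') and the Reader assignment is conditional on the two values differing, so any nested deployment that omits the new parameter creates no extra role assignment. A one-line comment in the What's-new entry that the Platform-scope assignments intentionally do not pass it would save the next reader from wondering whether those calls were missed.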
Expand Down Expand Up @@ -3308,6 +3311,9 @@
},
"scope": {
"value": "[variables('scopes').lzsManagementGroup]"
},
"platformScope": {
"value": "[variables('scopes').platformManagementGroup]"
}
}
}
Expand Down Expand Up @@ -3376,6 +3382,9 @@
},
"scope": {
"value": "[variables('scopes').lzsManagementGroup]"
},
"platformScope": {
"value": "[variables('scopes').platformManagementGroup]"
}
}
}
Expand Down Expand Up @@ -3568,6 +3577,9 @@
},
"scope": {
"value": "[variables('scopes').lzsManagementGroup]"
},
"platformScope": {
"value": "[variables('scopes').platformManagementGroup]"
}
}
}
Expand Down Expand Up @@ -3650,6 +3662,9 @@
},
"scope": {
"value": "[variables('scopes').lzsManagementGroup]"
},
"platformScope": {
"value": "[variables('scopes').platformManagementGroup]"
}
}
}
Expand Down Expand Up @@ -3718,6 +3733,9 @@
},
"scope": {
"value": "[variables('scopes').lzsManagementGroup]"
},
"platformScope": {
"value": "[variables('scopes').platformManagementGroup]"
}
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -106,6 +106,14 @@
"displayName": "Scope",
"description": "Scope of the policy assignment"
}
},
"platformScope": {
"type": "String",
"metadata": {
"displayName": "Platform Scope",
"description": "Scope of the reader role assignment"
},
"defaultValue": "[parameters('scope')]"
}
},
"variables": {
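Review bot: the description "Scope of the reader role assignment" does not tell a caller that the parameter is optional or that leaving it at the default (the assignment scope) suppresses the extra Reader assignment entirely; suggest something like "Management group at which the assignment's managed identity is granted Reader; defaults to the assignment scope, in which case no additional role assignment is created". Using another parameter in defaultValue is supported, so the default itself is fine.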
Expand All @@ -124,9 +132,11 @@
},
"rbacLogAnalyticsContributor": "92aaf0da-9dab-42b6-94a3-d43ce8d16293",
"rbacMonitoringContributor": "749f88d5-cbae-40b8-bcfc-e573ddc772fa",
"rbacReader": "acdd72a7-3385-48ef-bd42-f606fba81ae7",
"roleAssignmentNames": {
"roleAssignmentNameLogAnalyticsContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmArcChangeTracking,'-1',parameters('scope')))]",
"roleAssignmentNameMonitoringContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmArcChangeTracking,'-2',parameters('scope')))]"
"roleAssignmentNameMonitoringContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmArcChangeTracking,'-2',parameters('scope')))]",
"roleAssignmentNameReader": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmArcChangeTracking,'-3',parameters('scope')))]"
}
},
"resources": [
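Review bot: roleAssignmentNameReader is seeded with parameters('scope') although the resource is deployed at parameters('platformScope'). That is not a collision risk, because role assignment names only need to be unique within their own scope, but seeding it with platformScope would make the name deterministic for the scope it actually lives at and keep the pattern of each name being derived from the scope it is written to. The '-3' suffix correctly keeps it distinct from the two existing names.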
Expand Down Expand Up @@ -186,6 +196,21 @@
"roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacMonitoringContributor'))]",
"principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmArcChangeTracking), '2019-09-01', 'Full' ).identity.principalId)]"
}
},
{
"condition": "[not(equals(parameters('platformScope'), parameters('scope')))]",
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2022-04-01",
"name": "[variables('roleAssignmentNames').roleAssignmentNameReader]",
"scope": "[parameters('platformScope')]",
"dependsOn": [
"[variables('policyAssignmentNames').vmArcChangeTracking]"
],
"properties": {
"principalType": "ServicePrincipal",
"roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacReader'))]",
"principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmArcChangeTracking), '2019-09-01', 'Full' ).identity.principalId)]"
}
}
],
"outputs": {}
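Review bot: this grants the remediation identity Reader over the entire platformScope management group, so every platform subscription beneath it becomes readable by that principal. Reader is low impact, but as a least-privilege matter the parameter could accept the narrowest resource id that satisfies the remediation (a subscription or resource group under the Platform management group) rather than being presented only as a management group, and the docs should say what is read there. Two points to confirm: the deployment that runs this template must itself be authorized at platformScope, since it now writes a role assignment outside parameters('scope'); and principalType "ServicePrincipal" is set, which is the right choice to avoid the principal-not-found failure immediately after the policy assignment's identity is created.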
Original file line number Diff line number Diff line change
Expand Up @@ -125,6 +125,14 @@
"displayName": "Scope",
"description": "Scope of the policy assignment"
}
},
"platformScope": {
"type": "String",
"metadata": {
"displayName": "Platform Scope",
"description": "Scope of the reader role assignment"
},
"defaultValue": "[parameters('scope')]"
}
},
"variables": {
Expand All @@ -145,11 +153,13 @@
"rbacLogAnalyticsContributor": "92aaf0da-9dab-42b6-94a3-d43ce8d16293",
"rbacMonitoringContributor": "749f88d5-cbae-40b8-bcfc-e573ddc772fa",
"rbacManagedIdentityOperator": "f1a07417-d97a-45cb-824c-7a7467783830",
"rbacReader": "acdd72a7-3385-48ef-bd42-f606fba81ae7",
"roleAssignmentNames": {
"roleAssignmentNameLogAnalyticsContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmChangeTracking,parameters('scope')))]",
"roleAssignmentNameVmContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmChangeTracking,'-2',parameters('scope')))]",
"roleAssignmentNameMonitoringContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmChangeTracking,'-3',parameters('scope')))]",
"roleAssignmentNameManagedIdentityOperator": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmChangeTracking,'-4',parameters('scope')))]"
"roleAssignmentNameManagedIdentityOperator": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmChangeTracking,'-4',parameters('scope')))]",
"roleAssignmentNameReader": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmChangeTracking,'-5',parameters('scope')))]"
}
},
"resources": [
Expand Down Expand Up @@ -244,6 +254,21 @@
"roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacManagedIdentityOperator'))]",
"principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmChangeTracking), '2019-09-01', 'Full' ).identity.principalId)]"
}
},
{
"condition": "[not(equals(parameters('platformScope'), parameters('scope')))]",
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2022-04-01",
"name": "[variables('roleAssignmentNames').roleAssignmentNameReader]",
"scope": "[parameters('platformScope')]",
"dependsOn": [
"[variables('policyAssignmentNames').vmChangeTracking]"
],
"properties": {
"principalType": "ServicePrincipal",
"roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacReader'))]",
"principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmChangeTracking), '2019-09-01', 'Full' ).identity.principalId)]"
}
}
],
"outputs": {}
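Review bot: the manual upgrade steps in Whats-new.md and this resource will collide on an upgraded environment: an operator who adds Reader for the principal by hand creates an assignment with an arbitrary name, and a later redeployment with platformScope set will try to create a second Reader assignment for the same principal at the same scope under this guid-derived name, which Azure rejects as a duplicate (RoleAssignmentExists) and the deployment fails. Either the docs should tell operators to remove the manual assignment before redeploying, or the upgrade guidance should steer them to redeploy the template instead of assigning by hand.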
Original file line number Diff line number Diff line change
Expand Up @@ -125,6 +125,14 @@
"displayName": "Scope",
"description": "Scope of the policy assignment"
}
},
"platformScope": {
"type": "String",
"metadata": {
"displayName": "Platform Scope",
"description": "Scope of the reader role assignment"
},
"defaultValue": "[parameters('scope')]"
}
},
"variables": {
Expand All @@ -145,11 +153,13 @@
"rbacLogAnalyticsContributor": "92aaf0da-9dab-42b6-94a3-d43ce8d16293",
"rbacMonitoringContributor": "749f88d5-cbae-40b8-bcfc-e573ddc772fa",
"rbacManagedIdentityOperator": "f1a07417-d97a-45cb-824c-7a7467783830",
"rbacReader": "acdd72a7-3385-48ef-bd42-f606fba81ae7",
"roleAssignmentNames": {
"roleAssignmentNameLogAnalyticsContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmssChangeTracking,'-1',parameters('scope')))]",
"roleAssignmentNameVmContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmssChangeTracking,'-2',parameters('scope')))]",
"roleAssignmentNameMonitoringContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmssChangeTracking,'-3',parameters('scope')))]",
"roleAssignmentNameManagedIdentityOperator": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmssChangeTracking,'-4',parameters('scope')))]"
"roleAssignmentNameManagedIdentityOperator": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmssChangeTracking,'-4',parameters('scope')))]",
"roleAssignmentNameReader": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmssChangeTracking,'-5',parameters('scope')))]"
}
},
"resources": [
Expand Down Expand Up @@ -244,6 +254,21 @@
"roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacManagedIdentityOperator'))]",
"principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmssChangeTracking), '2019-09-01', 'Full' ).identity.principalId)]"
}
},
{
"condition": "[not(equals(parameters('platformScope'), parameters('scope')))]",
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2022-04-01",
"name": "[variables('roleAssignmentNames').roleAssignmentNameReader]",
"scope": "[parameters('platformScope')]",
"dependsOn": [
"[variables('policyAssignmentNames').vmssChangeTracking]"
],
"properties": {
"principalType": "ServicePrincipal",
"roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacReader'))]",
"principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmssChangeTracking), '2019-09-01', 'Full' ).identity.principalId)]"
}
}
],
"outputs": {}
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,14 @@
"displayName": "Scope",
"description": "Scope of the policy assignment"
}
},
"platformScope": {
"type": "String",
"metadata": {
"displayName": "Platform Scope",
"description": "Scope of the reader role assignment"
},
"defaultValue": "[parameters('scope')]"
}
},
"variables": {
Expand All @@ -58,9 +66,11 @@
},
"rbacLogAnalyticsContributor": "92aaf0da-9dab-42b6-94a3-d43ce8d16293",
"rbacMonitoringContributor": "749f88d5-cbae-40b8-bcfc-e573ddc772fa",
"rbacReader": "acdd72a7-3385-48ef-bd42-f606fba81ae7",
"roleAssignmentNames": {
"roleAssignmentNameLogAnalyticsContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmHybridMonitoring,'-1',parameters('scope')))]",
"roleAssignmentNameMonitoringContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmHybridMonitoring,'-2',parameters('scope')))]"
"roleAssignmentNameMonitoringContributor": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmHybridMonitoring,'-2',parameters('scope')))]",
"roleAssignmentNameReader": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmHybridMonitoring,'-3',parameters('scope')))]"
}
},
"resources": [
Expand Down Expand Up @@ -117,6 +127,21 @@
"roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacMonitoringContributor'))]",
"principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmHybridMonitoring), '2019-09-01', 'Full' ).identity.principalId)]"
}
},
{
"condition": "[not(equals(parameters('platformScope'), parameters('scope')))]",
"type": "Microsoft.Authorization/roleAssignments",
"apiVersion": "2022-04-01",
"name": "[variables('roleAssignmentNames').roleAssignmentNameReader]",
"scope": "[parameters('platformScope')]",
"dependsOn": [
"[variables('policyAssignmentNames').vmHybridMonitoring]"
],
"properties": {
"principalType": "ServicePrincipal",
"roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacReader'))]",
"principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmHybridMonitoring), '2019-09-01', 'Full' ).identity.principalId)]"
}
}
],
"outputs": {}