[Question/Feedback]: AMBA Services - Azure Policy definitions feedback & bugs

[riosengineer]

Check for previous/existing GitHub issues

• I have checked for previous/existing GitHub issues

Description

Hi AMBA team :)

This is following on from my last issue: #383 and it also follows on from: #364

For those of us who want to leverage services definitions in other ways outside of bicep build and loading individual definitions into loadDefinitions as outlined here, such as via Enterprise Policy as Code, we cannot currently. This is because (most, if not all?) definitions I have checked in the services area all seem to not be valid definitions for Azure Policy.

My example: https://azure.github.io/azure-monitor-baseline-alerts/services/ApiManagement/service/ UnauthorizedRequests - Metric Alert

I go to load this into Azure Policy but get this error:

 The inner exception 'Evaluation result of language expression '[[parameters('MonitorDisableTagValues')]' is type 'String', expected type is 'Array'.'.

To fix:

change from (removing double square brackets):

          {
            "field": "[[concat('tags[', parameters('MonitorDisableTagName'), ']')]",
            "notIn": "[[parameters('MonitorDisableTagValues')]"
          }

to

          {
            "field": "[concat('tags[', parameters('MonitorDisableTagName'), ']')]",
            "notIn": "[parameters('MonitorDisableTagValues')]"
          }

then I am presented with another error "The policy '1eea700e-f050-4eef-8517-78852495f79c' has defined parameters 'severity,windowSize,evaluationFrequency,autoMitigate,enabled,threshold,effect,MonitorDisableTagName' which are not used in the policy rule. Please either remove these parameters from the definition or ensure that they are used in the policy rule."

To fix: remove all double square brackets in the policyRule block. Now I can successfully load the definition into Azure Policy via the Portal.

I understand the idea of the pattern is, if you want custom definitions that you add them into the loadDefinitions and do a bicep build. But at the very least I would expect:

• all policy definitions on the https://azure.github.io/azure-monitor-baseline-alerts/services/ to be valid - can this be fixed?
• It seems even if I were to manually fix the definitions like above, they are not setup to work with AMBA out the box. I would have to modify them further, e.g. SQL CPU Percent Alert definition fails remediation due to Couldn't find a metric named master-app_cpu_percent.

If AMBA does not have any policySet initiatives for us to leverage on a per service basis, then at least, allow the community to take definitions and create our own initiatives to consume how we see fit (e.g. via EPAC). Otherwise, I am not sure what the point of those definitions are, unless I'm mistaken on their purpose?

Maybe thoughts from @jonnedev would be good on this too, given the issue they also rasied previously (now closed) is a similar ask.

[judyer28]

@riosengineer, thank you for your feedback and interest in AMBA. I agree that the policies under the services area of AMBA need to be updated to provide alternative ways to deploy other than including in a Bicep build. I am tagging this as an enhancement for now. We will investigate how AMBA can better handle deployment of policies for alerts when deploying for individual service alerts outside of patterns such as ALZ.