Azure Policy DeployIfNotExists fails to change values with Defender for Servers

Question

I'm currently creating an Azure Policy that (is supposed to) deploys Microsoft Defender for Servers with Plan P1 if the current plan is different. Many subscriptions that I have currently have Microsoft Defender for Servers enabled, but use plan P2 instead of P1, so I created a policy with DeployIfNotExists that should change the values to the correct one, but it is not working as expected.

The policy is as follows (I'm using Terraform):

resource "azurerm_policy_definition" "dfservers_policy" {
  name         = "defenderForServers"
  policy_type  = "Custom"
  mode         = "All"
  display_name = "Deploy Azure Defender for servers with plan"
  description  = "Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities."
  management_group_id = data.azurerm_management_group.root_management_group.id

  metadata = <<METADATA
    {
    "category": "Security Center"
    }

METADATA


  policy_rule = <<POLICY_RULE
 {
    "if": {
      "field": "type",
      "equals": "Microsoft.Resources/subscriptions"
    },
    "then": {
      "effect": "[parameters('effect')]",
      "details": {
        "type": "Microsoft.Security/pricings",
        "name": "VirtualMachines",
        "deploymentScope": "subscription",
        "existenceScope": "subscription",
        "roleDefinitionIds": [
          "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"
        ],
        "existenceCondition": {
          "allOf": [
            {
              "field": "Microsoft.Security/pricings/pricingTier",
              "equals": "Standard"
            },
            {
              "field": "Microsoft.Security/pricings/subPlan",
              "equals": "[parameters('plan_type')]"
            }
          ]
        },
        "deployment": {
          "location": "westeurope",
          "properties": {
            "mode": "incremental",
            "parameters": {
              "plan_type": {
                  "value": "[parameters('plan_type')]"
              }
            },
            "template": {
              "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
              "contentVersion": "1.0.0.0",
              "parameters": {
                "plan_type": {
                  "type": "String",
                  "metadata": {
                    "displayName": "Server Plan Type",
                    "description": "Define which plan type to use. Either P1 or P2"
                  },
                  "allowedValues": [
                    "P1",
                    "P2"
                  ],
                  "defaultValue": "P2"
                }
              },
              "variables": {},
              "resources": [
                {
                  "type": "Microsoft.Security/pricings",
                  "apiVersion": "2018-06-01",
                  "name": "VirtualMachines",
                  "properties": {
                    "pricingTier": "Standard",
                    "subPlan": "[parameters('plan_type')]"
                  }
                }
              ],
              "outputs": {}
            }
          }
        }
      }
    }
  }
POLICY_RULE


  parameters = <<PARAMETERS
 {
    "effect": {
      "type": "String",
      "metadata": {
        "displayName": "Effect",
        "description": "Enable or disable the execution of the policy"
      },
      "allowedValues": [
        "DeployIfNotExists",
        "Disabled"
      ],
      "defaultValue": "DeployIfNotExists"
    },
    "plan_type": {
      "type": "String",
      "metadata": {
        "displayName": "Server Plan Type",
        "description": "Define which plan type to use. Either P1 or P2"
      },
      "allowedValues": [
        "P1",
        "P2"
      ],
      "defaultValue": "P2"
    }
  }
PARAMETERS

}

And the assignment is as follows:

resource "azurerm_management_group_policy_assignment" "dfserver_sandbox_assignment" {
  name         = "Def4ServersSB"
  display_name = "Deploy 'Defender for Servers' with Plan P1"
  location     = var.location

  policy_definition_id = azurerm_policy_definition.dfservers_policy.id
  management_group_id  = data.azurerm_management_group.sandbox_management_group.id

  identity {
    type = "SystemAssigned"
  }

  parameters = jsonencode({
    "plan_type": {
      "value": "P1"
    },
  })
}

I have also attached the Security Admin role to the System Managed Identity as there seems to be a bug regarding it:

# This is needed due to a bug where the automatically created System Managed Identity does not have the required permissions (https://github.com/hashicorp/terraform-provider-azurerm/issues/6486)
resource "azurerm_role_assignment" "ra_dfserver_sandbox" {
  scope                = azurerm_management_group_policy_assignment.dfserver_sandbox_assignment.management_group_id
  role_definition_name = "Security Admin"
  principal_id         = azurerm_management_group_policy_assignment.dfserver_sandbox_assignment.identity[0].principal_id
}

After a bit of time the policy seems to work as expected, picking up a few non-complaint subscriptions:

I'm also able to create a remediation task and run it successfully:

All good then, right? Nah.

If go and check the values for the subscription I can see that it is still P2:

Maybe there was an error and the parameter is setup as P2 instead of P1? Nope:

Maybe for some reason the deployment didn't run? This is my current thesis, but on the activity log of the values this shows up:

Do you guys have any idea why this might be happening? Any light would be really appreciated :)

Answer 1

Leonardo Tavares, Thank you for posting this question here with so much of details. It really helped understand the context very well :)

Based on the snippet of policy definition shared above, one of the suggestions I have is to modify the deployment resource template for "DeployIfNotExists".

Based on the ARM template resource definition, API version "2018-06-01" as used in the policy definition did not have the "subPlan" field. The newer API version "2022-03-01" has it though.

You may use the API Versions: drop down list to toggle between the API definition based on versions on this page.

Hope this helps. If you are still facing this issue with the newer version of API, I would request reaching out to Azure Support so that it can be investigated 1:1, as it will require trace analysis from the resource deployment attempts.

If the solution does help, please click Accept answer so that it can help others in the community looking for help on similar topics.

Answer 2

Hi,

I think the issue here is with the ExistenceCondition, can you specify the current state of the Plan instead of parameter? Also in the assignment terraform code it is P1, is this correct value?

Hope this helps.

JS

==

Please accept as answer and do a Thumbs-up to upvote this response if you are satisfied with the community help. Your upvote will be beneficial for the community users facing similar issues.