Azure Policy DeployIfNotExists fails to change values with Defender for Servers

Leonardo Tavares 20 Reputation points
2023-03-02T18:55:26.7233333+00:00

I'm currently creating an Azure Policy that (is supposed to) deploys Microsoft Defender for Servers with Plan P1 if the current plan is different. Many subscriptions that I have currently have Microsoft Defender for Servers enabled, but use plan P2 instead of P1, so I created a policy with DeployIfNotExists that should change the values to the correct one, but it is not working as expected.

The policy is as follows (I'm using Terraform):

resource "azurerm_policy_definition" "dfservers_policy" {
  name         = "defenderForServers"
  policy_type  = "Custom"
  mode         = "All"
  display_name = "Deploy Azure Defender for servers with plan"
  description  = "Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities."
  management_group_id = data.azurerm_management_group.root_management_group.id

  metadata = <<METADATA
    {
    "category": "Security Center"
    }

METADATA


  policy_rule = <<POLICY_RULE
 {
    "if": {
      "field": "type",
      "equals": "Microsoft.Resources/subscriptions"
    },
    "then": {
      "effect": "[parameters('effect')]",
      "details": {
        "type": "Microsoft.Security/pricings",
        "name": "VirtualMachines",
        "deploymentScope": "subscription",
        "existenceScope": "subscription",
        "roleDefinitionIds": [
          "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd"
        ],
        "existenceCondition": {
          "allOf": [
            {
              "field": "Microsoft.Security/pricings/pricingTier",
              "equals": "Standard"
            },
            {
              "field": "Microsoft.Security/pricings/subPlan",
              "equals": "[parameters('plan_type')]"
            }
          ]
        },
        "deployment": {
          "location": "westeurope",
          "properties": {
            "mode": "incremental",
            "parameters": {
              "plan_type": {
                  "value": "[parameters('plan_type')]"
              }
            },
            "template": {
              "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
              "contentVersion": "1.0.0.0",
              "parameters": {
                "plan_type": {
                  "type": "String",
                  "metadata": {
                    "displayName": "Server Plan Type",
                    "description": "Define which plan type to use. Either P1 or P2"
                  },
                  "allowedValues": [
                    "P1",
                    "P2"
                  ],
                  "defaultValue": "P2"
                }
              },
              "variables": {},
              "resources": [
                {
                  "type": "Microsoft.Security/pricings",
                  "apiVersion": "2018-06-01",
                  "name": "VirtualMachines",
                  "properties": {
                    "pricingTier": "Standard",
                    "subPlan": "[parameters('plan_type')]"
                  }
                }
              ],
              "outputs": {}
            }
          }
        }
      }
    }
  }
POLICY_RULE


  parameters = <<PARAMETERS
 {
    "effect": {
      "type": "String",
      "metadata": {
        "displayName": "Effect",
        "description": "Enable or disable the execution of the policy"
      },
      "allowedValues": [
        "DeployIfNotExists",
        "Disabled"
      ],
      "defaultValue": "DeployIfNotExists"
    },
    "plan_type": {
      "type": "String",
      "metadata": {
        "displayName": "Server Plan Type",
        "description": "Define which plan type to use. Either P1 or P2"
      },
      "allowedValues": [
        "P1",
        "P2"
      ],
      "defaultValue": "P2"
    }
  }
PARAMETERS

}

And the assignment is as follows:

resource "azurerm_management_group_policy_assignment" "dfserver_sandbox_assignment" {
  name         = "Def4ServersSB"
  display_name = "Deploy 'Defender for Servers' with Plan P1"
  location     = var.location

  policy_definition_id = azurerm_policy_definition.dfservers_policy.id
  management_group_id  = data.azurerm_management_group.sandbox_management_group.id

  identity {
    type = "SystemAssigned"
  }

  parameters = jsonencode({
    "plan_type": {
      "value": "P1"
    },
  })
}

I have also attached the Security Admin role to the System Managed Identity as there seems to be a bug regarding it:

# This is needed due to a bug where the automatically created System Managed Identity does not have the required permissions (https://github.com/hashicorp/terraform-provider-azurerm/issues/6486)
resource "azurerm_role_assignment" "ra_dfserver_sandbox" {
  scope                = azurerm_management_group_policy_assignment.dfserver_sandbox_assignment.management_group_id
  role_definition_name = "Security Admin"
  principal_id         = azurerm_management_group_policy_assignment.dfserver_sandbox_assignment.identity[0].principal_id
}

After a bit of time the policy seems to work as expected, picking up a few non-complaint subscriptions: Screenshot 2023-03-02 at 15.22.58

I'm also able to create a remediation task and run it successfully:

Screenshot 2023-03-02 at 15.24.57

All good then, right? Nah.

If go and check the values for the subscription I can see that it is still P2: Screenshot 2023-03-02 at 15.27.41

Maybe there was an error and the parameter is setup as P2 instead of P1? Nope:

Screenshot 2023-03-02 at 15.26.09

Maybe for some reason the deployment didn't run? This is my current thesis, but on the activity log of the values this shows up:

Screenshot 2023-03-02 at 15.28.16

Do you guys have any idea why this might be happening? Any light would be really appreciated :)

Azure Policy
Azure Policy
An Azure service that is used to implement corporate governance and standards at scale for Azure resources.
836 questions
Microsoft Defender for Cloud
Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.
1,282 questions
0 comments No comments
{count} votes

Accepted answer
  1. AnuragSingh-MSFT 21,251 Reputation points
    2023-03-08T08:17:09.8733333+00:00

    Leonardo Tavares, Thank you for posting this question here with so much of details. It really helped understand the context very well :)

    Based on the snippet of policy definition shared above, one of the suggestions I have is to modify the deployment resource template for "DeployIfNotExists".

    User's image

    Based on the ARM template resource definition, API version "2018-06-01" as used in the policy definition did not have the "subPlan" field. The newer API version "2022-03-01" has it though.

    You may use the API Versions: drop down list to toggle between the API definition based on versions on this page.

    User's image

    Hope this helps. If you are still facing this issue with the newer version of API, I would request reaching out to Azure Support so that it can be investigated 1:1, as it will require trace analysis from the resource deployment attempts.

    If the solution does help, please click Accept answer so that it can help others in the community looking for help on similar topics.

    1 person found this answer helpful.

1 additional answer

Sort by: Most helpful
  1. JimmySalian-2011 42,071 Reputation points
    2023-03-02T21:00:56.3766667+00:00

    Hi,

    I think the issue here is with the ExistenceCondition, can you specify the current state of the Plan instead of parameter? Also in the assignment terraform code it is P1, is this correct value?

    Hope this helps.

    JS

    ==

    Please accept as answer and do a Thumbs-up to upvote this response if you are satisfied with the community help. Your upvote will be beneficial for the community users facing similar issues.