Romeo

Reputation: 45

Create Remediation Task is Greyed Out on Managed Identity ACA built-in policy

[image]

Unable to create a remediation task on the managed identity ACA built-in policy, although the compliance state is working fine on all resources. I need to remediate non-compliant resources. The question is: does remediation apply to the managed identity built-in policy? See image above, thank you!

Upvotes: 0

Views: 198

Answers (1)

Venkat V

Reputation: 7820

To enable System Managed Identity, since there is no built-in policy for this, you need to create a custom policy.

Alternatively, you can also achieve the same requirement of enabling system-managed identity in container apps using PowerShell with an automation account. This way, it will automatically enable the identity for the container if it's not already enabled.

1. Go to portal > Automation account > Create an Automation Account

2. Create a runbook with type PowerShell

[image]

3. Open Runbook > Edit in Portal > add the script below and click Publish

Note: The Automation account's identity must have the Contributor role assigned to enable the system-managed identity in container apps.

    # Authenticate with the Automation account's managed identity (no stored credentials)
    az login --identity

    # List every container app in the subscription together with its identity block
    $containerApps = az containerapp list --query "[].{Name:name, ResourceGroup:resourceGroup, Identity:identity}" | ConvertFrom-Json

    foreach ($app in $containerApps) {
        $appName = $app.Name
        $resourceGroup = $app.ResourceGroup
        $identity = $app.Identity

        Write-Output "Processing container app: $appName in resource group: $resourceGroup"

        # Check if the app has a system-assigned identity. identity.type can be "None",
        # "SystemAssigned", "UserAssigned" or "SystemAssigned, UserAssigned", so test for
        # the SystemAssigned part rather than only for "None" (a user-assigned-only app
        # would otherwise be reported as already enabled).
        if (-not $identity -or -not $identity.type -or $identity.type -notmatch "SystemAssigned") {
            Write-Output "System-assigned identity is not enabled for $appName. Enabling identity now..."
            az containerapp identity assign --name $appName --resource-group $resourceGroup --system-assigned
            if ($LASTEXITCODE -ne 0) {
                Write-Error "Failed to enable system-assigned identity for $appName."
            } else {
                Write-Output "System-assigned identity enabled successfully for $appName."
            }
        } else {
            Write-Output "System-assigned identity is already enabled for $appName."
        }
    }

Output:

[image]

You can schedule the runbook to execute the script every day at 5 PM, so it will check all container apps and automatically enable the identity if it is not enabled.

4. Schedule the runbook > Add a schedule > Link schedule to your runbook > Create.

[image]

Output:

After running the runbook, the identity has been enabled in all container apps.

[image]

Reference: Stack link

Upvotes: 0
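As an added example (not part of the answer above and not the answerer's code), here is one way to build the custom policy the answer mentions so that the "Create Remediation Task" button is no longer greyed out. Azure Policy only offers remediation tasks for assignments whose effect is `deployIfNotExists` or `modify`; an audit-only built-in reports compliance but has nothing to remediate. The script below creates a `modify` policy that sets `identity.type` to `SystemAssigned` on Container Apps that have no identity, assigns it with a system-assigned identity, grants that identity the role named in the rule, and starts a remediation task. Everything environment-specific is an assumption: the Az.Resources (a version that supports `-IdentityType`; older versions use `-AssignIdentity`) and Az.PolicyInsights modules are installed, `Connect-AzAccount` has been run, `$scope` and `$location` are placeholders, and the `identity.type` alias for `Microsoft.App/containerApps` is marked Modifiable, which the script checks before creating anything.

```powershell
# Added example, not the answer's own code. Creates a custom Azure Policy with the
# "modify" effect so a remediation task can enable system-assigned identity on
# Container Apps that have none.
# Assumptions: Az.Resources and Az.PolicyInsights are installed, Connect-AzAccount has
# been run, and $scope / $location below are placeholders you replace.
$scope    = '/subscriptions/00000000-0000-0000-0000-000000000000'   # placeholder subscription scope
$location = 'eastus'                                                # placeholder region for the assignment identity
$contributorRoleId = 'b24988ac-6180-42a0-ab88-20f7382dd24c'         # built-in Contributor, as the answer uses;
                                                                    # a custom role limited to Microsoft.App/containerApps/write is narrower

# 1. The modify effect only works on aliases flagged Modifiable. Check before creating
#    anything (assumption: identity.type is Modifiable for Microsoft.App/containerApps;
#    if the check fails, use deployIfNotExists or the runbook approach instead).
$aliasInfo = Get-AzPolicyAlias -NamespaceMatch 'Microsoft.App' -ResourceTypeMatch 'containerApps' |
    Select-Object -ExpandProperty Aliases |
    Where-Object { $_.Name -eq 'identity.type' }
if (-not $aliasInfo -or $aliasInfo.DefaultMetadata.Attributes -ne 'Modifiable') {
    throw "identity.type is not a Modifiable alias for Microsoft.App/containerApps; a modify policy cannot remediate it."
}

# 2. Policy rule: apps with no identity block, or identity.type = None, get SystemAssigned.
#    Apps that already carry a user-assigned identity are deliberately left out: replacing
#    their type with "SystemAssigned" would drop the user-assigned identity. Those need
#    "SystemAssigned, UserAssigned", which the answer's az CLI runbook handles.
$policyRule = @'
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.App/containerApps" },
      { "anyOf": [
          { "field": "identity.type", "exists": "false" },
          { "field": "identity.type", "equals": "None" }
      ] }
    ]
  },
  "then": {
    "effect": "modify",
    "details": {
      "roleDefinitionIds": [ "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" ],
      "operations": [
        { "operation": "addOrReplace", "field": "identity.type", "value": "SystemAssigned" }
      ]
    }
  }
}
'@

$definition = New-AzPolicyDefinition -Name 'containerapps-enable-system-identity' `
    -DisplayName 'Container Apps: enable system-assigned managed identity (modify)' `
    -Mode 'Indexed' -Policy $policyRule

# 3. Assign with a system-assigned identity; the modify operations and the remediation
#    task run as this identity, so it needs a location for the identity resource.
$assignmentName = 'containerapps-enable-system-identity'
$assignment = New-AzPolicyAssignment -Name $assignmentName -Scope $scope `
    -PolicyDefinition $definition -IdentityType 'SystemAssigned' -Location $location

# 4. Grant the assignment identity the role listed in roleDefinitionIds, scoped to $scope only.
New-AzRoleAssignment -ObjectId $assignment.Identity.PrincipalId -RoleDefinitionId $contributorRoleId -Scope $scope

# 5. Start a remediation task for the apps that are already non-compliant; this is the
#    action the portal greys out for audit-only policies. Role assignment propagation can
#    take a few minutes, so rerun this step if the task fails with an authorization error.
$assignmentId = "$scope/providers/Microsoft.Authorization/policyAssignments/$assignmentName"
Start-AzPolicyRemediation -Name 'enable-system-identity-initial' -PolicyAssignmentId $assignmentId
```

Once the assignment exists, new Container Apps created without an identity are modified at deployment time, and existing ones are fixed by the remediation task, so the scheduled runbook is only needed for the user-assigned-only case the policy rule excludes.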
