Control: Virtual machines' Guest Configuration extension should be deployed with system-assigned managed identity
Description
The Guest Configuration extension requires a system-assigned managed identity. Azure virtual machines in the scope of this policy are non-compliant when they have the Guest Configuration extension installed but do not have a system-assigned managed identity.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.compute_vm_guest_configuration_with_system_assigned_managed_identity
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run azure_compliance.control.compute_vm_guest_configuration_with_system_assigned_managed_identity --share
SQL
This control uses a named query:
with gc_installed_vm as (
  select distinct
    a.vm_id,
    title
  from
    azure_compute_virtual_machine as a,
    jsonb_array_elements(extensions) as b
  where
    b ->> 'Publisher' = 'Microsoft.GuestConfiguration'
)
select
  a.vm_id as resource,
  case
    when b.vm_id is null then 'skip'
    when b.vm_id is not null and string_to_array(identity ->> 'type', ', ') @> array['SystemAssigned'] then 'ok'
    else 'alarm'
  end as status,
  case
    when b.vm_id is null then a.title || ' guest configuration extension not installed.'
    when b.vm_id is not null and string_to_array(identity ->> 'type', ', ') @> array['SystemAssigned'] then a.title || ' guest configuration extension installed with system-assigned managed identity.'
    else a.title || ' guest configuration extension not installed with system-assigned managed identity.'
  end as reason,
  a.resource_group as resource_group,
  sub.display_name as subscription
from
  azure_compute_virtual_machine as a
  left join gc_installed_vm as b on a.vm_id = b.vm_id,
  azure_subscription as sub
where
  sub.subscription_id = a.subscription_id;
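The query runs as PostgreSQL against the Steampipe Azure tables. As an added example that is not part of the azure_compliance mod, the same three-way classification is re-implemented below in Python over constructed VM records (made-up IDs, names, resource groups and subscription IDs; the join to azure_subscription is replaced by carrying subscription_id through). It makes the edge cases the SQL handles explicit: a VM whose identity type is the combined value "SystemAssigned, UserAssigned" passes, a VM with only a user-assigned identity or with no identity block at all alarms, and a VM without the Guest Configuration extension is skipped rather than alarmed.

```python
# Added example (not part of the azure_compliance mod): the classification the
# control's query performs, re-implemented in Python over constructed VM
# records so each outcome (skip / ok / alarm) can be exercised offline.

GC_PUBLISHER = "Microsoft.GuestConfiguration"
SYSTEM_ASSIGNED = "SystemAssigned"

# Constructed sample rows shaped like the columns the query reads from
# azure_compute_virtual_machine (vm_id, title, extensions, identity,
# resource_group, subscription_id). All values are made up.
SAMPLE_VMS = [
    {   # extension present, system-assigned identity only -> ok
        "vm_id": "vm-0001", "title": "web-01",
        "extensions": [{"Name": "AzurePolicyforLinux", "Publisher": GC_PUBLISHER}],
        "identity": {"type": "SystemAssigned"},
        "resource_group": "rg-prod", "subscription_id": "sub-aaaa",
    },
    {   # extension present, both identity kinds -> still ok
        "vm_id": "vm-0002", "title": "web-02",
        "extensions": [{"Name": "AzurePolicyforWindows", "Publisher": GC_PUBLISHER}],
        "identity": {"type": "SystemAssigned, UserAssigned"},
        "resource_group": "rg-prod", "subscription_id": "sub-aaaa",
    },
    {   # extension present, user-assigned identity only -> alarm
        "vm_id": "vm-0003", "title": "app-01",
        "extensions": [{"Name": "AzurePolicyforLinux", "Publisher": GC_PUBLISHER}],
        "identity": {"type": "UserAssigned"},
        "resource_group": "rg-prod", "subscription_id": "sub-aaaa",
    },
    {   # extension present, no identity block at all -> alarm
        "vm_id": "vm-0004", "title": "app-02",
        "extensions": [{"Name": "AzurePolicyforLinux", "Publisher": GC_PUBLISHER}],
        "identity": None,
        "resource_group": "rg-dev", "subscription_id": "sub-bbbb",
    },
    {   # a different extension, no Guest Configuration -> skip
        "vm_id": "vm-0005", "title": "db-01",
        "extensions": [{"Name": "MonitorAgent", "Publisher": "Microsoft.Azure.Monitor"}],
        "identity": {"type": "SystemAssigned"},
        "resource_group": "rg-dev", "subscription_id": "sub-bbbb",
    },
]


def has_guest_configuration(vm: dict) -> bool:
    """Mirror of the gc_installed_vm CTE: any extension whose Publisher is
    Microsoft.GuestConfiguration counts as the extension being installed."""
    return any((ext or {}).get("Publisher") == GC_PUBLISHER
               for ext in (vm.get("extensions") or []))


def identity_types(vm: dict) -> list:
    """Mirror of string_to_array(identity ->> 'type', ', '). Azure reports a
    combined identity as 'SystemAssigned, UserAssigned'; splitting on the comma
    and stripping whitespace is slightly more tolerant than the SQL."""
    identity = vm.get("identity") or {}
    type_str = identity.get("type")
    if not type_str:  # NULL in SQL: the containment test is not true -> alarm
        return []
    return [t.strip() for t in type_str.split(",") if t.strip()]


def evaluate(vm: dict) -> dict:
    """Produce the same resource/status/reason row the control emits."""
    title = vm["title"]
    if not has_guest_configuration(vm):
        status = "skip"
        reason = f"{title} guest configuration extension not installed."
    elif SYSTEM_ASSIGNED in identity_types(vm):
        status = "ok"
        reason = f"{title} guest configuration extension installed with system-assigned managed identity."
    else:
        status = "alarm"
        reason = f"{title} guest configuration extension not installed with system-assigned managed identity."
    return {
        "resource": vm["vm_id"],
        "status": status,
        "reason": reason,
        "resource_group": vm["resource_group"],
        "subscription_id": vm["subscription_id"],
    }


def run_control(vms: list) -> list:
    """Evaluate every VM, like the control does over the whole table."""
    return [evaluate(vm) for vm in vms]


def status_counts(results: list) -> dict:
    """Summary in the shape Powerpipe prints at the end of a run."""
    counts = {"ok": 0, "skip": 0, "alarm": 0}
    for row in results:
        counts[row["status"]] += 1
    return counts


if __name__ == "__main__":
    rows = run_control(SAMPLE_VMS)
    for row in rows:
        print(f"{row['status']:5} {row['resource']:8} {row['reason']}")
    print(status_counts(rows))
```

Running the script over the constructed records yields two ok, two alarm and one skip rows. The two alarm rows are the ones worth acting on: the extension is installed but has no system-assigned identity to authenticate with, which is exactly the condition the control flags.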