Jun 22 2021 12:16 PM - edited Jun 22 2021 12:16 PM
Hello all,
I've attached a policy definition that I created at a management group level. I assigned it to a management group in the hope that it would turn on Activity Log diagnostics settings for the subscription and connect them to my Event Hub.
The use case is that when I create a subscription and assign it to a particular management group, I need activity log diagnostics enabled, but I also need it set to send the data to the specified event hub associated with the management group from our governance strategy.
I know I can change the subscription diagnostics settings with a CLI command, but I don't want to do that; I would like to have the policy assign this when the subscription is onboarded into the management group. If this is not possible please let me know, but I was able to successfully import this definition and assign it without any errors. I'm assuming that at some point Azure Policy would have complained about my policy rule resource type of 'Microsoft.Subscription'.
Take a look at the policy def below and let me know if you think I have something wrong. At this point my compliance screen in Azure shows 100% compliant but lists no resources, and the subscriptions DO NOT have diagnostics settings enabled.
thanks
john
{
  "name": "subscription-diagnostics-activitylogs-policyDef",
  "properties": {
    "displayName": "Apply diagnostic settings for Subscriptions",
    "description": "This policy automatically deploys and enable diagnostic settings to Log Analytics and EventHub",
    "metadata": {
      "category": "Monitoring"
    },
    "mode": "all",
    "parameters": {
      "logAnalytics": {
        "type": "string",
        "metadata": {
          "displayName": "Log Analytics workspace",
          "description": "Select the Log Analytics workspace from dropdown list",
          "strongType": "omsWorkspace"
        }
      },
      "location": {
        "type": "string",
        "metadata": {
          "displayName": "location",
          "description": "Select location where the resources is deployed",
          "strongType": "location"
        }
      },
      "eventHub": {
        "type": "string",
        "metadata": {
          "displayName": "eventHub",
          "description": "Event hub where logs will be sent",
          "strongType": "Microsoft.EventHub/namespaces/eventhubs"
        }
      },
      "authorizationRule": {
        "type": "string",
        "metadata": {
          "displayName": "authorizationRule",
          "description": "Select the access key for the eventhub",
          "strongType": "Microsoft.EventHub/namespaces/AuthorizationRules"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Subscription/"
          },
          {
            "field": "location",
            "equals": "[parameters('location')]"
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "True"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                "equals": "True"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                "matchInsensitively": "[parameters('logAnalytics')]"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId",
                "matchInsensitively": "[parameters('authorizationRule')]"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/eventHubName",
                "matchInsensitively": "[parameters('eventHub')]"
              }
            ]
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "resourceName": {
                    "type": "string"
                  },
                  "logAnalytics": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "authorizationRule": {
                    "type": "string"
                  },
                  "eventHub": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Insights/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "SubscriptionEventHubDiags-setByPolicy",
                    "location": "[parameters('location')]",
                    "properties": {
                      "workspaceId": "[parameters('workspaceId')]",
                      "eventHubAuthorizationRuleId": "[parameters('authorizationRule')]",
                      "eventHubName": "[parameters('eventHub')]",
                      "logs": [
                        {
                          "category": "Administrative",
                          "enabled": true
                        },
                        {
                          "category": "Security",
                          "enabled": true
                        },
                        {
                          "category": "ServiceHealth",
                          "enabled": true
                        },
                        {
                          "category": "Alert",
                          "enabled": true
                        },
                        {
                          "category": "Recommendation",
                          "enabled": true
                        },
                        {
                          "category": "Policy",
                          "enabled": true
                        },
                        {
                          "category": "Autoscale",
                          "enabled": true
                        },
                        {
                          "category": "ResourceHealth",
                          "enabled": true
                        }
                      ]
                    }
                  }
                ],
                "outputs": {}
              },
              "parameters": {
                "logAnalytics": {
                  "value": "[parameters('logAnalytics')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "resourceName": {
                  "value": "[field('name')]"
                },
                "authorizationRule": {
                  "value": "[parameters('authorizationRule')]"
                },
                "eventHub": {
                  "value": "[parameters('eventHub')]"
                }
              }
            }
          }
        }
      }
    }
  }
}
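As an added example (not code from the thread), a small Python lint for the parameter wiring of a deployIfNotExists definition like the one above: it checks that every parameters('x') the embedded template uses is declared by that template, that template and deployment parameters match, that supplied values reference only the policy's own parameters, and it flags the omsWorkspace strongType that the reply below reports as superseded. The sample policy inside it is a constructed reduction of the posted definition, whose template reads parameters('workspaceId') while declaring and receiving that value only as logAnalytics.

```python
import re

PARAM_REF = re.compile(r"\[parameters\('([^']+)'\)\]")

def _refs(obj):
    # Yield every parameters('x') name found in the string values of a nested JSON object.
    if isinstance(obj, dict):
        obj = list(obj.values())
    if isinstance(obj, list):
        for value in obj:
            yield from _refs(value)
    elif isinstance(obj, str):
        yield from PARAM_REF.findall(obj)

def lint_policy(policy):
    """Return sorted findings for a deployIfNotExists definition; [] means the wiring is consistent."""
    findings = []
    props = policy["properties"]
    policy_params = props.get("parameters", {})
    deployment = props["policyRule"]["then"]["details"]["deployment"]["properties"]
    template = deployment["template"]
    template_params = set(template.get("parameters", {}))
    supplied = deployment.get("parameters", {})
    # 1. Every parameters('x') the template's resources use must be declared by the template itself.
    for name in set(_refs(template.get("resources", []))) - template_params:
        findings.append(f"template references undeclared parameter '{name}'")
    # 2. Template parameters and the values the deployment supplies must match one-to-one.
    for name in template_params ^ set(supplied):
        findings.append(f"template parameter '{name}' is declared or supplied on one side only")
    # 3. Supplied values may only reference parameters the policy definition itself declares.
    for name in set(_refs(supplied)) - set(policy_params):
        findings.append(f"deployment references undeclared policy parameter '{name}'")
    # 4. The strongType the reply in this thread reports as superseded by Microsoft.OperationalInsights/workspaces.
    for name, spec in policy_params.items():
        if spec.get("metadata", {}).get("strongType") == "omsWorkspace":
            findings.append(f"policy parameter '{name}' uses superseded strongType 'omsWorkspace'")
    return sorted(findings)

# Constructed sample, reduced to the wiring of the posted definition (not the author's full JSON).
SAMPLE = {"properties": {
    "parameters": {"logAnalytics": {"type": "string", "metadata": {"strongType": "omsWorkspace"}},
                   "location": {"type": "string"}},
    "policyRule": {"then": {"details": {"deployment": {"properties": {
        "template": {
            "parameters": {"resourceName": {"type": "string"}, "logAnalytics": {"type": "string"}, "location": {"type": "string"}},
            "resources": [{"type": "Microsoft.Insights/diagnosticSettings", "name": "[parameters('resourceName')]",
                           "location": "[parameters('location')]",
                           "properties": {"workspaceId": "[parameters('workspaceId')]"}}]},
        "parameters": {"logAnalytics": {"value": "[parameters('logAnalytics')]"}, "location": {"value": "[field('location')]"},
                       "resourceName": {"value": "[field('name')]"}}}}}}}}}
```

Loaded with json.load and passed to lint_policy, the full definition above produces the same two findings as the reduced sample: the undeclared workspaceId reference and the omsWorkspace strongType.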
Jul 07 2022 10:25 AM
@John Wildes - I had the same thing happen. I had to change the logAnalytics parameter strongType property as shown below. I think they moved from one version of the API to a newer one that got rid of the old omsWorkspace type definition.
From:
"strongType": "omsWorkspace"
To:
"strongType": "Microsoft.OperationalInsights/workspaces"