This article is Part 2 of the series that shows you how to set up alerting when an Azure Policy compliance state changes. Part 1 of this article (https://techcommunity.microsoft.com/t5/fasttrack-for-azure/generate-azure-policy-compliance-alerts-b...) demonstrated the architecture and the deployment of the resources through the Azure Portal. This Part 2 will show how to automate the deployment of the resources for this Policy Compliance Alerting Solution.
Requirements: general knowledge of Azure and PowerShell, plus the appropriate role-based access control assignments for resource creation, both in the portal and with command-line interfaces.
The challenge is the same as stated in Part 1 of this series. The ability to have event-driven alerting of Azure Policy Compliance changes is important for organizations for varying reasons. This solution can help close that gap.
The solution described in this article will follow a very similar architecture to the one described in Part 1. There are a few changes that we will describe in this article. In this Part 2, we will show how to automate the deployment of the resources needed for this Policy Alerting Solution using PowerShell and Bicep.
Once you have installed and configured all of the items specified in the Requirements section, the next step is to prepare the code for execution. The code leverages both PowerShell and Bicep. The script you will launch is the PolicyAlert-Launcher.ps1 file. This PowerShell script orchestrates the deployment of the resources needed for this Policy Alerting solution. The script calls other PowerShell and Bicep files during this process, so keeping the directory structure intact is important.
Open the PolicyAlert-Launcher.ps1 file in your code editor; we used VS Code. At the top of the PowerShell script, PolicyAlert-Launcher.ps1, you will see the "param" section that holds all of the required parameters for the script. You will need to update these parameter values inside of the script in the editor (and save them) OR pass them as command-line arguments when you execute the script (e.g. .\PolicyAlert-Launcher.ps1 -RGName "My-RG-Name"). I find it easier to just change the parameter values inside the script in the editor. Here is a breakdown of the parameters and what to expect:
param(
[string]$AzureEnvironment = "AzureCloud",                  # Azure cloud to sign in to (e.g. AzureCloud, AzureUSGovernment)
[string]$SubscriptionId = "",                              # target subscription ID (blank by default, fill in)
[string]$RGName = "rg-",                                   # resource group that will hold all deployed resources
[string]$Location = "eastus",                              # Azure region for the deployment
[string]$functionAppName = "FNApp-",                       # Function App that receives the Event Grid events
[string]$functionTriggerName = "PolicyAlertTrigger",       # name of the function (trigger) inside the Function App
[string]$appServicePlanName = "ASP-",                      # App Service plan hosting the Function App
[string]$appInsightsName = "AI-",                          # Application Insights instance for the Function App
[string]$storageAccountName = "",                          # storage account required by the Function App (globally unique name, fill in)
[string]$storageSku = "Standard_LRS",                      # storage account redundancy SKU
[string]$appServicePlanSku = "Y1",                         # Y1 = Consumption plan
[string]$LAWName = "LAW-",                                 # Log Analytics workspace that holds the custom table
[string]$eventGridSubName = "",                            # Event Grid subscription for policy state change events (fill in)
[string]$topicName = "",                                   # Event Grid topic name (fill in)
[string]$dcrName = "DCR-",                                 # Data Collection Rule
[string]$dceName = "DCE-",                                 # Data Collection Endpoint
[string]$customTableName = "PolicyAlert",                  # custom Log Analytics table name
[string]$alertRuleName = "AR-",                            # log-search alert rule created by the script
[string]$actionGroupName = "AG-",                          # action group used by the alert rule
[string]$actionGroupEmail = "joe@contoso.com",             # e-mail address that receives the notifications
[string]$functionBicep = ".\function-app\main.bicep",      # Bicep templates called by the launcher (keep the directory layout)
[string]$eventGridBicep = ".\event-grid\main.bicep",
[string]$dcrBicep = ".\data-collection-rule\main.bicep",
[string]$alertBicep = ".\alert-rules\main.bicep",
[string]$reminders = ".\reminders.txt",                    # file the script writes with the values needed for run.ps1
[string]$OutputFile = ".\PolicyAlert-Launcher-Log.log",    # log file written alongside the on-screen output
[string]$ScriptVer = "v1.0.4"                              # script version
)
Once all the requirements are completed and you have verified the Notes from above, it is time to execute the code. In your PowerShell prompt, change directory to the root of the code, which is the directory where you stored the PolicyAlert-Launcher.ps1 script. Note that this is also the directory that should contain the subdirectories data-collection-rule, event-grid, and function-app.
Now that your PowerShell prompt is at that directory level, you can execute the script with the command ".\PolicyAlert-Launcher.ps1". Once the code starts running, you will be prompted to log in so the script can make changes to your subscription. The account you use will need to have the correct roles to deploy and configure all of the resources. As the script proceeds, you will see logging on-screen in the PowerShell terminal, and a log file will be created in the same directory by default.
When the script completes, all of the resources should be deployed into the Resource Group that was specified in the parameters. The only remaining task is to update the PowerShell code that is now nested inside of the Function App that was created. The easiest way to do this is to use the Azure Portal to open the Function App. Once you have the Function App open in the portal, click on the "trigger" name, as indicated by your naming in the parameters. On the next page, click the "Code + Test" button on the left.
This should open an editor where you will see the "run.ps1" PowerShell code within your Function App. You will need to update the values of the 3 variables at the top of the code ($Table, $DcrImmutableId, $DceURI). The PolicyAlert-Launcher.ps1 script should have created a file named "reminders.txt" in the same directory. Open that text file and you should see the values to use for the 3 variables in the Function App PowerShell code. Once you have put in those 3 values, click Save.
At this point, Policy Compliance Change data should start flowing into your custom Log Analytics Table. It may take a little time before the data starts flowing, depending on what kind of policies you have deployed and when the last policy compliance scan happened.
The code will also have created a query-based Alert Rule that sends email notifications when a policy changes compliance state. This can be tuned to your preference in the Alert Rules. The query implemented by the code matches what was implemented in Part 1 of this article in the Portal.
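To show where the three values from reminders.txt end up, here is an added illustrative run.ps1, not the project's own function code: an Event Grid-triggered PowerShell function that forwards an Azure Policy state-change event to the custom table through the Azure Monitor Logs Ingestion API. It assumes the Function App has a system-assigned managed identity with the Monitoring Metrics Publisher role on the DCR, that the DCR stream is named "Custom-<table>_CL", and that the placeholder DCR/DCE values are replaced with those from reminders.txt.

```powershell
# Added example (not the project's run.ps1). Event Grid trigger entry point.
param($eventGridEvent, $TriggerMetadata)

# --- the 3 values to copy from reminders.txt (placeholders below) ---
$Table          = "PolicyAlert"                                             # custom table name (without _CL)
$DcrImmutableId = "dcr-REPLACE_WITH_IMMUTABLE_ID"                           # placeholder, from reminders.txt
$DceURI         = "https://REPLACE-WITH-DCE.eastus-1.ingest.monitor.azure.com"  # placeholder, from reminders.txt

# Only Policy state-change events should be ingested; drop anything else.
if ($eventGridEvent.eventType -ne 'Microsoft.PolicyInsights.PolicyStateChanged') {
    Write-Host "Ignoring event type $($eventGridEvent.eventType)"
    return
}

# Shape one record for the custom table from the event's data payload.
$d = $eventGridEvent.data
$record = @(
    [ordered]@{
        TimeGenerated               = $d.timestamp
        SubscriptionId              = $d.subscriptionId
        PolicyAssignmentId          = $d.policyAssignmentId
        PolicyDefinitionId          = $d.policyDefinitionId
        PolicyDefinitionReferenceId = $d.policyDefinitionReferenceId
        ComplianceState             = $d.complianceState
        ComplianceReasonCode        = $d.complianceReasonCode
        ResourceId                  = $eventGridEvent.subject   # subject is the evaluated resource ID
    }
)

# Acquire a token for the Logs Ingestion API with the function's managed identity
# (no client secret stored in the function). Assumption: identity is configured.
$tokenUri = "$($env:IDENTITY_ENDPOINT)?resource=https://monitor.azure.com&api-version=2019-08-01"
$token    = (Invoke-RestMethod -Uri $tokenUri -Headers @{ 'X-IDENTITY-HEADER' = $env:IDENTITY_HEADER }).access_token

# POST to the DCE; the DCR immutable ID and stream name route the data to the table.
$uri  = "$DceURI/dataCollectionRules/$DcrImmutableId/streams/Custom-$($Table)_CL?api-version=2023-01-01"
$body = $record | ConvertTo-Json -AsArray -Depth 5   # the API expects a JSON array
Invoke-RestMethod -Method Post -Uri $uri -Body $body `
    -Headers @{ Authorization = "Bearer $token"; 'Content-Type' = 'application/json' }
Write-Host "Forwarded $($d.complianceState) for $($eventGridEvent.subject) to $Table"
```

If the stream name in your DCR differs from the Custom-<table>_CL convention, the POST returns a 4xx error and nothing lands in the table, so check the DCR's stream declaration before troubleshooting further.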
This concludes the build of the resources for the Policy Compliance Alerting Solution. Be sure to subscribe and follow the posts in this series as well as the GitHub repo as follow-up articles and code updates will be coming on this topic.
Part 1: Generate Azure Policy Compliance Alerts By Sending Custom Data to Log Analytics (microsoft.com)