Revised Event Hub Diagnostic Settings policy (Azure#339)

SenthuranSivananthan · web-flow · commit 5851a09acff4 · 2022-08-17T18:50:15.000-04:00
diff --git a/policy/custom/definitions/policy/LA-Microsoft.EventHub-namespaces/azurepolicy.config.json b/policy/custom/definitions/policy/LA-Microsoft.EventHub-namespaces/azurepolicy.config.json
@@ -0,0 +1,4 @@
+{
+    "name": "Deploy Diagnostic Settings for Event Hub to Log Analytics workspace",
+    "mode": "indexed"
+}
diff --git a/policy/custom/definitions/policy/LA-Microsoft.EventHub-namespaces/azurepolicy.parameters.json b/policy/custom/definitions/policy/LA-Microsoft.EventHub-namespaces/azurepolicy.parameters.json
@@ -0,0 +1,49 @@
+{
+  "profileName": {
+    "type": "String",
+    "metadata": {
+      "displayName": "Profile Name for Config",
+      "description": "The profile name Azure Diagnostics"
+    }
+  },
+  "logAnalytics": {
+    "type": "string",
+    "metadata": {
+      "displayName": "logAnalytics",
+      "description": "The target Log Analytics Workspace for Azure Diagnostics",
+      "strongType": "omsWorkspace"
+    }
+  },
+  "azureRegions": {
+    "type": "Array",
+    "metadata": {
+      "displayName": "Allowed Locations",
+      "description": "The list of locations that can be specified when deploying resources",
+      "strongType": "location"
+    }
+  },
+  "metricsEnabled": {
+    "type": "String",
+    "metadata": {
+      "displayName": "Enable Metrics",
+      "description": "Enable Metrics - True or False"
+    },
+    "allowedValues": [
+      "True",
+      "False"
+    ],
+    "defaultValue": "False"
+  },
+  "logsEnabled": {
+    "type": "String",
+    "metadata": {
+      "displayName": "Enable Logs",
+      "description": "Enable Logs - True or False"
+    },
+    "allowedValues": [
+      "True",
+      "False"
+    ],
+    "defaultValue": "True"
+  }
+}
diff --git a/policy/custom/definitions/policy/LA-Microsoft.EventHub-namespaces/azurepolicy.rules.json b/policy/custom/definitions/policy/LA-Microsoft.EventHub-namespaces/azurepolicy.rules.json
@@ -0,0 +1,154 @@
+{
+  "if": {
+    "allOf": [
+      {
+        "field": "type",
+        "equals": "Microsoft.EventHub/namespaces"
+      },
+      {
+        "field": "location",
+        "in": "[parameters('AzureRegions')]"
+      }
+    ]
+  },
+  "then": {
+    "effect": "deployIfNotExists",
+    "details": {
+      "type": "Microsoft.Insights/diagnosticSettings",
+      "existenceCondition": {
+        "allOf": [
+          {
+            "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
+            "equals": "[parameters('LogsEnabled')]"
+          },
+          {
+            "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
+            "equals": "[parameters('MetricsEnabled')]"
+          },
+          {
+            "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+            "equals": "[parameters('logAnalytics')]"
+          }
+        ]
+      },
+      "roleDefinitionIds": [
+        "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+      ],
+      "deployment": {
+        "properties": {
+          "mode": "incremental",
+          "template": {
+            "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+            "contentVersion": "1.0.0.0",
+            "parameters": {
+              "name": {
+                "type": "string"
+              },
+              "location": {
+                "type": "string"
+              },
+              "logAnalytics": {
+                "type": "string"
+              },
+              "metricsEnabled": {
+                "type": "string"
+              },
+              "logsEnabled": {
+                "type": "string"
+              },
+              "profileName": {
+                "type": "string"
+              }
+            },
+            "variables": {},
+            "resources": [
+              {
+                "type": "Microsoft.EventHub/namespaces/providers/diagnosticSettings",
+                "apiVersion": "2017-05-01-preview",
+                "name": "[concat(parameters('name'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
+                "location": "[parameters('location')]",
+                "properties": {
+                  "workspaceId": "[parameters('logAnalytics')]",
+                  "metrics": [
+                    {
+                      "category": "AllMetrics",
+                      "enabled": "[parameters('metricsEnabled')]",
+                      "retentionPolicy": {
+                        "enabled": false,
+                        "days": 0
+                      }
+                    }
+                  ],
+                  "logs": [
+                    {
+                      "category": "ArchiveLogs",
+                      "enabled": "[parameters('logsEnabled')]"
+                    },
+                    {
+                      "category": "OperationalLogs",
+                      "enabled": "[parameters('logsEnabled')]"
+                    },
+                    {
+                      "category": "AutoScaleLogs",
+                      "enabled": "[parameters('logsEnabled')]"
+                    },
+                    {
+                      "category": "KafkaCoordinatorLogs",
+                      "enabled": "[parameters('logsEnabled')]"
+                    },
+                    {
+                      "category": "KafkaUserErrorLogs",
+                      "enabled": "[parameters('logsEnabled')]"
+                    },
+                    {
+                      "category": "EventHubVNetConnectionEvent",
+                      "enabled": "[parameters('logsEnabled')]"
+                    },
+                    {
+                      "category": "CustomerManagedKeyUserLogs",
+                      "enabled": "[parameters('logsEnabled')]"
+                    },
+                    {
+                      "category": "RuntimeAuditLogs",
+                      "enabled": "[parameters('logsEnabled')]"
+                    },
+                    {
+                      "category": "ApplicationMetricsLogs",
+                      "enabled": "[parameters('logsEnabled')]"
+                    }
+                  ]
+                }
+              }
+            ],
+            "outputs": {
+              "policy": {
+                "type": "string",
+                "value": "[concat(parameters('logAnalytics'), 'configured for diagnostic logs for ', ': ', parameters('name'))]"
+              }
+            }
+          },
+          "parameters": {
+            "logAnalytics": {
+              "value": "[parameters('logAnalytics')]"
+            },
+            "location": {
+              "value": "[field('location')]"
+            },
+            "name": {
+              "value": "[field('name')]"
+            },
+            "metricsEnabled": {
+              "value": "[parameters('metricsEnabled')]"
+            },
+            "logsEnabled": {
+              "value": "[parameters('logsEnabled')]"
+            },
+            "profileName": {
+              "value": "[parameters('profileName')]"
+            }
+          }
+        }
+      }
+    }
+  }
+}
diff --git a/policy/custom/definitions/policyset/LogAnalytics.bicep b/policy/custom/definitions/policyset/LogAnalytics.bicep
@@ -223,18 +223,6 @@ resource policyset_name 'Microsoft.Authorization/policySetDefinitions@2020-03-01
           }
         }
       }
-      {
-        groupNames: [
-          'BUILTIN'
-        ]
-        policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579'
-        policyDefinitionReferenceId: toLower(replace('Deploy Diagnostic Settings for Event Hub to Log Analytics workspace', ' ', '-'))
-        parameters: {
-          logAnalytics: {
-            value: '[parameters(\'logAnalytics\')]'
-          }
-        }
-      }
       {
         groupNames: [
           'BUILTIN'
@@ -1296,6 +1284,27 @@ resource policyset_name 'Microsoft.Authorization/policySetDefinitions@2020-03-01
           }
         }
       }
+      {
+        groupNames: [
+          'CUSTOM'
+        ]
+        policyDefinitionId: extensionResourceId(customPolicyDefinitionMgScope, 'Microsoft.Authorization/policyDefinitions', 'LA-Microsoft.EventHub-namespaces')
+        policyDefinitionReferenceId: toLower(replace('Deploy Diagnostic Settings for Event Hub to Log Analytics workspace', ' ', '-'))
+        parameters: {
+          logAnalytics: {
+            value: '[parameters(\'logAnalytics\')]'
+          }
+          profileName: {
+            value: 'setbypolicy_logAnalytics'
+          }
+          azureRegions: {
+            value: [
+              'canadacentral'
+              'canadaeast'
+            ]
+          }
+        }
+      }
     ]
   }
 }

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +{
 +    "name": "Deploy Diagnostic Settings for Event Hub to Log Analytics workspace",
 +    "mode": "indexed"
 +}
Original file line number	Diff line number	Diff line change
`@@ -223,18 +223,6 @@ resource policyset_name 'Microsoft.Authorization/policySetDefinitions@2020-03-01`
`223`	`223`	`}`
`224`	`224`	`}`
`225`	`225`	`}`
`226`		`- {`
`227`		`- groupNames: [`
`228`		`- 'BUILTIN'`
`229`		`- ]`
`230`		`- policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579'`
`231`		`- policyDefinitionReferenceId: toLower(replace('Deploy Diagnostic Settings for Event Hub to Log Analytics workspace', ' ', '-'))`
`232`		`- parameters: {`
`233`		`- logAnalytics: {`
`234`		`- value: '[parameters(\'logAnalytics\')]'`
`235`		`- }`
`236`		`- }`
`237`		`- }`
`238`	`226`	`{`
`239`	`227`	`groupNames: [`
`240`	`228`	`'BUILTIN'`
`@@ -1296,6 +1284,27 @@ resource policyset_name 'Microsoft.Authorization/policySetDefinitions@2020-03-01`
`1296`	`1284`	`}`
`1297`	`1285`	`}`
`1298`	`1286`	`}`
	`1287`	`+ {`
	`1288`	`+ groupNames: [`
	`1289`	`+ 'CUSTOM'`
	`1290`	`+ ]`
	`1291`	`+ policyDefinitionId: extensionResourceId(customPolicyDefinitionMgScope, 'Microsoft.Authorization/policyDefinitions', 'LA-Microsoft.EventHub-namespaces')`
	`1292`	`+ policyDefinitionReferenceId: toLower(replace('Deploy Diagnostic Settings for Event Hub to Log Analytics workspace', ' ', '-'))`
	`1293`	`+ parameters: {`
	`1294`	`+ logAnalytics: {`
	`1295`	`+ value: '[parameters(\'logAnalytics\')]'`
	`1296`	`+ }`
	`1297`	`+ profileName: {`
	`1298`	`+ value: 'setbypolicy_logAnalytics'`
	`1299`	`+ }`
	`1300`	`+ azureRegions: {`
	`1301`	`+ value: [`
	`1302`	`+ 'canadacentral'`
	`1303`	`+ 'canadaeast'`
	`1304`	`+ ]`
	`1305`	`+ }`
	`1306`	`+ }`
	`1307`	`+ }`
`1299`	`1308`	`]`
`1300`	`1309`	`}`
`1301`	`1310`	`}`