Merge pull request #431 from vegazbabz/new-diag-pol-to-eh
Policies that configure diagnostic settings to Event Hub for various resource types
aschabus authored Apr 3, 2024
2 parents ef0419a + af3875c commit 0939851
Showing 141 changed files with 21,409 additions and 0 deletions.
Original file line number Diff line number Diff line change
@@ -0,0 +1,45 @@
{
"name": "333fc656-a811-49ab-ab07-66796c9a21d5",
"type": "Microsoft.Authorization/policyDefinitions",
"properties": {
"displayName": "Deny-DataFactory-IdentityType",
"description": "Enforces use of system assigned identity for data factory.",
"metadata": {
"version": "1.0.0",
"category": "Data Factory"
},
"mode": "Indexed",
"parameters": {
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Deny, Audit or Disabled the execution of the Policy"
},
"allowedValues": [
"Deny",
"Audit",
"Disabled"
],
"defaultValue": "Audit"
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.DataFactory/factories"
},
{
"field": "identity.type",
"exists": false
}
]
},
"then": {
"effect": "[parameters('effect')]"
}
}
}
}
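Review bot: The `"exists": false` check on `identity.type` in the policyRule only catches factories with no identity block at all, so a factory created with `"identity": {"type": "UserAssigned"}` is compliant even though the displayName and description promise enforcement of a system-assigned identity. If the intent is genuinely to require SystemAssigned, the second allOf element should also reject identity types that do not include it, which an anyOf of `exists: false` and `notContains: "SystemAssigned"` does. Whichever intent wins, the description should match it: either keep the text and tighten the rule as below, or change it to `"Enforces that a data factory has a managed identity assigned."` for the current check. The parameter description `Deny, Audit or Disabled the execution of the Policy` also reads awkwardly; `Controls whether the policy denies, audits, or is disabled.` is clearer.
```json
"allOf": [
  {
    "field": "type",
    "equals": "Microsoft.DataFactory/factories"
  },
  {
    "anyOf": [
      {
        "field": "identity.type",
        "exists": false
      },
      {
        "field": "identity.type",
        "notContains": "SystemAssigned"
      }
    ]
  }
]
```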
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
{
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Deny, Audit or Disabled the execution of the Policy"
},
"allowedValues": [
"Deny",
"Audit",
"Disabled"
],
"defaultValue": "Audit"
}
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
{
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.DataFactory/factories"
},
{
"field": "identity.type",
"exists": false
}
]
},
"then": {
"effect": "[parameters('effect')]"
}
}
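Review bot: The `identity.type` / `"exists": false` condition in this rule fragment matches only factories that have no identity block at all, so a factory with a user-assigned identity only is treated as compliant, which does not line up with a rule intended to enforce a system-assigned identity. If this fragment is what the full policy definition is composed from, any tightening has to land here as well or it would be lost on regeneration; replacing the second allOf element with an anyOf of `exists: false` and `notContains: "SystemAssigned"` keeps the missing-identity case while also rejecting identities that lack SystemAssigned.
```json
{
  "anyOf": [
    {
      "field": "identity.type",
      "exists": false
    },
    {
      "field": "identity.type",
      "notContains": "SystemAssigned"
    }
  ]
}
```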
Original file line number Diff line number Diff line change
@@ -0,0 +1,265 @@
{
"name": "23274a6c-af67-4279-9b19-1ae5158ecdb5",
"type": "Microsoft.Authorization/policyDefinitions",
"properties": {
"displayName": "Configure diagnostic settings for Blob Services to Event Hub",
"description": "Deploys the diagnostic settings for Blob Services to stream resource logs to an Event Hub when any blob Service which is missing this diagnostic settings is created or updated. The policy will set the diagnostic with Transaction metric and categories enabled. Made from the built-in policy for 'to Log Analytics workspace'.",
"metadata": {
"category": "Storage",
"version": "4.0.0"
},
"mode": "All",
"parameters": {
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
},
"allowedValues": [
"DeployIfNotExists",
"AuditIfNotExists",
"Disabled"
],
"defaultValue": "DeployIfNotExists"
},
"profileName": {
"type": "String",
"metadata": {
"displayName": "Profile name",
"description": "The diagnostic settings profile name"
},
"defaultValue": "setbypolicy_blobServicesDiagnosticsLogsToEventHub"
},
"metricsEnabled": {
"type": "Boolean",
"metadata": {
"displayName": "Enable metrics",
"description": "Whether to enable metrics stream to the Event Hub - True or False"
},
"allowedValues": [
true,
false
],
"defaultValue": true
},
"logsEnabled": {
"type": "Boolean",
"metadata": {
"displayName": "Enable logs",
"description": "Whether to enable logs stream to the Event Hub - True or False"
},
"allowedValues": [
true,
false
],
"defaultValue": true
},
"eventHubRuleId": {
"type": "String",
"metadata": {
"displayName": "Event Hub Authorization Rule Id",
"description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}",
"strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules",
"assignPermissions": true
}
},
"eventHubName": {
"type": "String",
"metadata": {
"displayName": "Event Hub Name",
"description": "Specify the name of the Event Hub"
}
},
"eventHubLocation": {
"type": "String",
"metadata": {
"displayName": "Event Hub Location",
"description": "Resource Location must be in the same location as the Event Hub Namespace.",
"strongType": "location"
},
"allowedValues": [
"swedencentral",
"westeurope"
],
"defaultValue": "westeurope"
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Storage/storageAccounts/blobServices"
},
{
"anyOf": [
{
"value": "[parameters('eventHubLocation')]",
"equals": ""
},
{
"field": "location",
"equals": "[parameters('eventHubLocation')]"
}
]
}
]
},
"then": {
"effect": "[parameters('effect')]",
"details": {
"type": "Microsoft.Insights/diagnosticSettings",
"name": "[parameters('profileName')]",
"existenceCondition": {
"allOf": [
{
"count": {
"field": "Microsoft.Insights/diagnosticSettings/metrics[*]",
"where": {
"allOf": [
{
"field": "Microsoft.Insights/diagnosticSettings/metrics[*].category",
"equals": "Transaction"
},
{
"field": "Microsoft.Insights/diagnosticSettings/metrics[*].enabled",
"equals": "[parameters('metricsEnabled')]"
}
]
}
},
"equals": 1
},
{
"field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
"equals": "[parameters('logsEnabled')]"
},
{
"field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId",
"matchInsensitively": "[parameters('eventHubRuleId')]"
},
{
"field": "Microsoft.Insights/diagnosticSettings/eventHubName",
"matchInsensitively": "[parameters('eventHubName')]"
}
]
},
"roleDefinitionIds": [
"/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec",
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
],
"deployment": {
"properties": {
"mode": "incremental",
"template": {
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"resourceName": {
"type": "string"
},
"location": {
"type": "string"
},
"eventHubRuleId": {
"type": "string"
},
"eventHubName": {
"type": "string"
},
"metricsEnabled": {
"type": "bool"
},
"logsEnabled": {
"type": "bool"
},
"profileName": {
"type": "string"
}
},
"variables": {},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts/blobServices/providers/diagnosticSettings",
"apiVersion": "2021-05-01-preview",
"name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
"location": "[parameters('location')]",
"dependsOn": [],
"properties": {
"eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]",
"eventHubName": "[parameters('eventHubName')]",
"metrics": [
{
"timeGrain": null,
"enabled": false,
"retentionPolicy": {
"days": 0,
"enabled": false
},
"category": "Capacity"
},
{
"timeGrain": null,
"enabled": "[parameters('metricsEnabled')]",
"retentionPolicy": {
"days": 0,
"enabled": false
},
"category": "Transaction"
}
],
"logs": [
{
"category": "StorageRead",
"enabled": "[parameters('logsEnabled')]"
},
{
"category": "StorageWrite",
"enabled": "[parameters('logsEnabled')]"
},
{
"category": "StorageDelete",
"enabled": "[parameters('logsEnabled')]"
}
]
}
}
],
"outputs": {
"policy": {
"type": "string",
"value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type Blob Services (Microsoft.Storage/storageAccounts/blobServices), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]"
}
}
},
"parameters": {
"location": {
"value": "[field('location')]"
},
"resourceName": {
"value": "[field('fullName')]"
},
"eventHubRuleId": {
"value": "[parameters('eventHubRuleId')]"
},
"eventHubName": {
"value": "[parameters('eventHubName')]"
},
"metricsEnabled": {
"value": "[parameters('metricsEnabled')]"
},
"logsEnabled": {
"value": "[parameters('logsEnabled')]"
},
"profileName": {
"value": "[parameters('profileName')]"
}
}
}
}
}
}
}
}
}
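Review bot: The `"equals": ""` branch in the policyRule's anyOf is unreachable, because `eventHubLocation` restricts `allowedValues` to `swedencentral` and `westeurope`, so a blob service in any other region matches neither branch and receives neither a deployment nor an AuditIfNotExists finding — a silent logging gap rather than a visible non-compliance. The built-in pattern this borrows from leaves the location unconstrained; I would either drop the `allowedValues` list and use `"defaultValue": ""`, or state the regional restriction in the description so that limited coverage is a documented decision. Separately, `Microsoft.Storage/storageAccounts/blobServices` is a child resource and I am not certain it exposes a `location` field for the `"field": "location"` comparison, so it is worth confirming with a compliance scan that the rule matches at all before relying on it. Finally, `"assignPermissions": true` on `eventHubRuleId` means a portal assignment creates role assignments for both roleDefinitionIds, presumably scoped to the authorization rule, so the assignment should be checked for least privilege against what a diagnostic-settings deployment actually needs.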