Merge pull request #431 from vegazbabz/new-diag-pol-to-eh
Policies for diagnostic settings to Event Hub for various resource types
Showing
141 changed files
with
21,409 additions
and
0 deletions.
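--- /dev/null
+++ b/policyDefinitions/Data Factory/deny-datafactory-identitytype/azurepolicy.json
@@ -0,0 +1,45 @@
+{
+"name": "333fc656-a811-49ab-ab07-66796c9a21d5",
+"type": "Microsoft.Authorization/policyDefinitions",
+"properties": {
+"displayName": "Deny-DataFactory-IdentityType",
+"description": "Enforces use of system assigned identity for data factory.",
+"metadata": {
+"version": "1.0.0",
+"category": "Data Factory"
+},
+"mode": "Indexed",
+"parameters": {
+"effect": {
+"type": "String",
+"metadata": {
+"displayName": "Effect",
+"description": "Deny, Audit or Disabled the execution of the Policy"
+},
+"allowedValues": [
+"Deny",
+"Audit",
+"Disabled"
+],
+"defaultValue": "Audit"
+}
+},
+"policyRule": {
+"if": {
+"allOf": [
+{
+"field": "type",
+"equals": "Microsoft.DataFactory/factories"
+},
+{
+"field": "identity.type",
+"exists": false
+}
+]
+},
+"then": {
+"effect": "[parameters('effect')]"
+}
+}
+}
+}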
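Review bot: The condition `"field": "identity.type", "exists": false` only flags factories that carry no identity block at all, so a factory created with a user-assigned identity (identity.type = "UserAssigned") is compliant even though the description says the policy enforces a system-assigned identity. If the description states the real intent, the rule needs to test the value as well as its presence: wrap the second allOf entry in an anyOf holding the existing exists check together with `{ "field": "identity.type", "notContains": "SystemAssigned" }`, keeping the exists branch so the result does not depend on how notContains evaluates against an absent field. If the intent is really just "some identity must be configured", the description and displayName should say so instead. The identical rule is duplicated in azurepolicy.rules.json in this commit and needs the same change.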
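--- /dev/null
+++ b/policyDefinitions/Data Factory/deny-datafactory-identitytype/azurepolicy.parameters.json
@@ -0,0 +1,15 @@
+{
+"effect": {
+"type": "String",
+"metadata": {
+"displayName": "Effect",
+"description": "Deny, Audit or Disabled the execution of the Policy"
+},
+"allowedValues": [
+"Deny",
+"Audit",
+"Disabled"
+],
+"defaultValue": "Audit"
+}
+}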
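--- /dev/null
+++ b/policyDefinitions/Data Factory/deny-datafactory-identitytype/azurepolicy.rules.json
@@ -0,0 +1,17 @@
+{
+"if": {
+"allOf": [
+{
+"field": "type",
+"equals": "Microsoft.DataFactory/factories"
+},
+{
+"field": "identity.type",
+"exists": false
+}
+]
+},
+"then": {
+"effect": "[parameters('effect')]"
+}
+}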
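--- /dev/null
+++ b/...o Event Hub/Configure diagnostic settings for Blob Services to Event Hub/azurepolicy.json
@@ -0,0 +1,265 @@
+{
+"name": "23274a6c-af67-4279-9b19-1ae5158ecdb5",
+"type": "Microsoft.Authorization/policyDefinitions",
+"properties": {
+"displayName": "Configure diagnostic settings for Blob Services to Event Hub",
+"description": "Deploys the diagnostic settings for Blob Services to stream resource logs to an Event Hub when any blob Service which is missing this diagnostic settings is created or updated. The policy will set the diagnostic with Transaction metric and categories enabled. Made from the built-in policy for 'to Log Analytics workspace'.",
+"metadata": {
+"category": "Storage",
+"version": "4.0.0"
+},
+"mode": "All",
+"parameters": {
+"effect": {
+"type": "String",
+"metadata": {
+"displayName": "Effect",
+"description": "Enable or disable the execution of the policy"
+},
+"allowedValues": [
+"DeployIfNotExists",
+"AuditIfNotExists",
+"Disabled"
+],
+"defaultValue": "DeployIfNotExists"
+},
+"profileName": {
+"type": "String",
+"metadata": {
+"displayName": "Profile name",
+"description": "The diagnostic settings profile name"
+},
+"defaultValue": "setbypolicy_blobServicesDiagnosticsLogsToEventHub"
+},
+"metricsEnabled": {
+"type": "Boolean",
+"metadata": {
+"displayName": "Enable metrics",
+"description": "Whether to enable metrics stream to the Event Hub - True or False"
+},
+"allowedValues": [
+true,
+false
+],
+"defaultValue": true
+},
+"logsEnabled": {
+"type": "Boolean",
+"metadata": {
+"displayName": "Enable logs",
+"description": "Whether to enable logs stream to the Event Hub - True or False"
+},
+"allowedValues": [
+true,
+false
+],
+"defaultValue": true
+},
+"eventHubRuleId": {
+"type": "String",
+"metadata": {
+"displayName": "Event Hub Authorization Rule Id",
+"description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}",
+"strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules",
+"assignPermissions": true
+}
+},
+"eventHubName": {
+"type": "String",
+"metadata": {
+"displayName": "Event Hub Name",
+"description": "Specify the name of the Event Hub"
+}
+},
+"eventHubLocation": {
+"type": "String",
+"metadata": {
+"displayName": "Event Hub Location",
+"description": "Resource Location must be in the same location as the Event Hub Namespace.",
+"strongType": "location"
+},
+"allowedValues": [
+"swedencentral",
+"westeurope"
+],
+"defaultValue": "westeurope"
+}
+},
+"policyRule": {
+"if": {
+"allOf": [
+{
+"field": "type",
+"equals": "Microsoft.Storage/storageAccounts/blobServices"
+},
+{
+"anyOf": [
+{
+"value": "[parameters('eventHubLocation')]",
+"equals": ""
+},
+{
+"field": "location",
+"equals": "[parameters('eventHubLocation')]"
+}
+]
+}
+]
+},
+"then": {
+"effect": "[parameters('effect')]",
+"details": {
+"type": "Microsoft.Insights/diagnosticSettings",
+"name": "[parameters('profileName')]",
+"existenceCondition": {
+"allOf": [
+{
+"count": {
+"field": "Microsoft.Insights/diagnosticSettings/metrics[*]",
+"where": {
+"allOf": [
+{
+"field": "Microsoft.Insights/diagnosticSettings/metrics[*].category",
+"equals": "Transaction"
+},
+{
+"field": "Microsoft.Insights/diagnosticSettings/metrics[*].enabled",
+"equals": "[parameters('metricsEnabled')]"
+}
+]
+}
+},
+"equals": 1
+},
+{
+"field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
+"equals": "[parameters('logsEnabled')]"
+},
+{
+"field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId",
+"matchInsensitively": "[parameters('eventHubRuleId')]"
+},
+{
+"field": "Microsoft.Insights/diagnosticSettings/eventHubName",
+"matchInsensitively": "[parameters('eventHubName')]"
+}
+]
+},
+"roleDefinitionIds": [
+"/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec",
+"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+],
+"deployment": {
+"properties": {
+"mode": "incremental",
+"template": {
+"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+"contentVersion": "1.0.0.0",
+"parameters": {
+"resourceName": {
+"type": "string"
+},
+"location": {
+"type": "string"
+},
+"eventHubRuleId": {
+"type": "string"
+},
+"eventHubName": {
+"type": "string"
+},
+"metricsEnabled": {
+"type": "bool"
+},
+"logsEnabled": {
+"type": "bool"
+},
+"profileName": {
+"type": "string"
+}
+},
+"variables": {},
+"resources": [
+{
+"type": "Microsoft.Storage/storageAccounts/blobServices/providers/diagnosticSettings",
+"apiVersion": "2021-05-01-preview",
+"name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
+"location": "[parameters('location')]",
+"dependsOn": [],
+"properties": {
+"eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]",
+"eventHubName": "[parameters('eventHubName')]",
+"metrics": [
+{
+"timeGrain": null,
+"enabled": false,
+"retentionPolicy": {
+"days": 0,
+"enabled": false
+},
+"category": "Capacity"
+},
+{
+"timeGrain": null,
+"enabled": "[parameters('metricsEnabled')]",
+"retentionPolicy": {
+"days": 0,
+"enabled": false
+},
+"category": "Transaction"
+}
+],
+"logs": [
+{
+"category": "StorageRead",
+"enabled": "[parameters('logsEnabled')]"
+},
+{
+"category": "StorageWrite",
+"enabled": "[parameters('logsEnabled')]"
+},
+{
+"category": "StorageDelete",
+"enabled": "[parameters('logsEnabled')]"
+}
+]
+}
+}
+],
+"outputs": {
+"policy": {
+"type": "string",
+"value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type Blob Services (Microsoft.Storage/storageAccounts/blobServices), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]"
+}
+}
+},
+"parameters": {
+"location": {
+"value": "[field('location')]"
+},
+"resourceName": {
+"value": "[field('fullName')]"
+},
+"eventHubRuleId": {
+"value": "[parameters('eventHubRuleId')]"
+},
+"eventHubName": {
+"value": "[parameters('eventHubName')]"
+},
+"metricsEnabled": {
+"value": "[parameters('metricsEnabled')]"
+},
+"logsEnabled": {
+"value": "[parameters('logsEnabled')]"
+},
+"profileName": {
+"value": "[parameters('profileName')]"
+}
+}
+}
+}
+}
+}
+}
+}
+}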
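Review bot: `roleDefinitionIds` still grants the remediation identity Log Analytics Contributor (`92aaf0da-9dab-42b6-94a3-d43ce8d16293`), a leftover from the Log Analytics built-in this was derived from, although this policy never touches a workspace and only writes a `Microsoft.Insights/diagnosticSettings` resource alongside the Azure Event Hubs Data Owner role (`f526a384-…`) already listed. If I recall the built-in role correctly, Log Analytics Contributor also carries `Microsoft.Storage/storageAccounts/listKeys/action` and VM-extension write rights that a diagnostic-settings deployment has no use for, so replacing that line with Monitoring Contributor, `"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa"`, keeps the DeployIfNotExists identity at least privilege (check the role's action list in your tenant before switching). Separately, the `"value": "[parameters('eventHubLocation')]", "equals": ""` branch of the `anyOf` can never match because `eventHubLocation` is restricted by `allowedValues` to `swedencentral` and `westeurope`, so either drop that branch or drop the `allowedValues` restriction if the built-in's "any location" behaviour was meant to be kept. The same role list is worth checking in the other diagnostic-setting policies in this PR, which are outside this view.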