diff --git a/policyDefinitions/Data Factory/deny-datafactory-identitytype/azurepolicy.json b/policyDefinitions/Data Factory/deny-datafactory-identitytype/azurepolicy.json
new file mode 100644
index 00000000..0a4b8bdd
--- /dev/null
+++ b/policyDefinitions/Data Factory/deny-datafactory-identitytype/azurepolicy.json
@@ -0,0 +1,45 @@
+{
+ "name": "333fc656-a811-49ab-ab07-66796c9a21d5",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "properties": {
+ "displayName": "Deny-DataFactory-IdentityType",
+ "description": "Enforces use of system assigned identity for data factory.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Data Factory"
+ },
+ "mode": "Indexed",
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Deny, Audit or Disabled the execution of the Policy"
+ },
+ "allowedValues": [
+ "Deny",
+ "Audit",
+ "Disabled"
+ ],
+ "defaultValue": "Audit"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.DataFactory/factories"
+ },
+ {
+ "field": "identity.type",
+ "exists": false
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
diff --git a/policyDefinitions/Data Factory/deny-datafactory-identitytype/azurepolicy.parameters.json b/policyDefinitions/Data Factory/deny-datafactory-identitytype/azurepolicy.parameters.json
new file mode 100644
index 00000000..d2c89f94
--- /dev/null
+++ b/policyDefinitions/Data Factory/deny-datafactory-identitytype/azurepolicy.parameters.json
@@ -0,0 +1,15 @@
+{
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Deny, Audit or Disabled the execution of the Policy"
+ },
+ "allowedValues": [
+ "Deny",
+ "Audit",
+ "Disabled"
+ ],
+ "defaultValue": "Audit"
+ }
+}
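Review bot: The `"field": "identity.type", "exists": false` condition in policyRule only catches factories with no managed identity at all, so a factory carrying only a user-assigned identity passes even though the description says the policy enforces a system-assigned identity. To match the stated intent the second allOf entry should also reject identity types that do not include SystemAssigned, e.g. `{ "anyOf": [ { "field": "identity.type", "exists": false }, { "field": "identity.type", "notContains": "SystemAssigned" } ] }`. The identical condition is duplicated in the azurepolicy.rules.json hunk of this policy and needs the same change. Separately, the displayName is prefixed Deny- while `defaultValue` for effect is `Audit`; the description should state which behaviour an assignment gets when the effect parameter is left at its default.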
diff --git a/policyDefinitions/Data Factory/deny-datafactory-identitytype/azurepolicy.rules.json b/policyDefinitions/Data Factory/deny-datafactory-identitytype/azurepolicy.rules.json
new file mode 100644
index 00000000..a13c2352
--- /dev/null
+++ b/policyDefinitions/Data Factory/deny-datafactory-identitytype/azurepolicy.rules.json
@@ -0,0 +1,17 @@
+{
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.DataFactory/factories"
+ },
+ {
+ "field": "identity.type",
+ "exists": false
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
+}
diff --git a/policyDefinitions/Monitoring/To Event Hub/Configure diagnostic settings for Blob Services to Event Hub/azurepolicy.json b/policyDefinitions/Monitoring/To Event Hub/Configure diagnostic settings for Blob Services to Event Hub/azurepolicy.json
new file mode 100644
index 00000000..adf29b20
--- /dev/null
+++ b/policyDefinitions/Monitoring/To Event Hub/Configure diagnostic settings for Blob Services to Event Hub/azurepolicy.json
@@ -0,0 +1,265 @@ +{ + "name": "23274a6c-af67-4279-9b19-1ae5158ecdb5", + "type": "Microsoft.Authorization/policyDefinitions", + "properties": { + "displayName": "Configure diagnostic settings for Blob Services to Event Hub", + "description": "Deploys the diagnostic settings for Blob Services to stream resource logs to an Event Hub when any blob Service which is missing this diagnostic settings is created or updated. The policy will set the diagnostic with Transaction metric and categories enabled. Made from the built-in policy for 'to Log Analytics workspace'.", + "metadata": { + "category": "Storage", + "version": "4.0.0" + }, + "mode": "All", + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "AuditIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "profileName": { + "type": "String", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + }, + "defaultValue": "setbypolicy_blobServicesDiagnosticsLogsToEventHub" + }, + "metricsEnabled": { + "type": "Boolean", + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Event Hub - True or False" + }, + "allowedValues": [ + true, + false + ], + "defaultValue": true + }, + "logsEnabled": { + "type": "Boolean", + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Event Hub - True or False" + }, + "allowedValues": [ + true, + false + ], + "defaultValue": true + }, + "eventHubRuleId": { + "type": "String", + "metadata": { + "displayName": "Event Hub Authorization Rule Id", + "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. 
/subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}", + "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules", + "assignPermissions": true + } + }, + "eventHubName": { + "type": "String", + "metadata": { + "displayName": "Event Hub Name", + "description": "Specify the name of the Event Hub" + } + }, + "eventHubLocation": { + "type": "String", + "metadata": { + "displayName": "Event Hub Location", + "description": "Resource Location must be in the same location as the Event Hub Namespace.", + "strongType": "location" + }, + "allowedValues": [ + "swedencentral", + "westeurope" + ], + "defaultValue": "westeurope" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts/blobServices" + }, + { + "anyOf": [ + { + "value": "[parameters('eventHubLocation')]", + "equals": "" + }, + { + "field": "location", + "equals": "[parameters('eventHubLocation')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "count": { + "field": "Microsoft.Insights/diagnosticSettings/metrics[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/metrics[*].category", + "equals": "Transaction" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics[*].enabled", + "equals": "[parameters('metricsEnabled')]" + } + ] + } + }, + "equals": 1 + }, + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "[parameters('logsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", + "matchInsensitively": "[parameters('eventHubRuleId')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubName", + "matchInsensitively": 
"[parameters('eventHubName')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "string" + }, + "location": { + "type": "string" + }, + "eventHubRuleId": { + "type": "string" + }, + "eventHubName": { + "type": "string" + }, + "metricsEnabled": { + "type": "bool" + }, + "logsEnabled": { + "type": "bool" + }, + "profileName": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Storage/storageAccounts/blobServices/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]", + "eventHubName": "[parameters('eventHubName')]", + "metrics": [ + { + "timeGrain": null, + "enabled": false, + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "category": "Capacity" + }, + { + "timeGrain": null, + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "category": "Transaction" + } + ], + "logs": [ + { + "category": "StorageRead", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "StorageWrite", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "StorageDelete", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type Blob Services 
(Microsoft.Storage/storageAccounts/blobServices), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]" + } + } + }, + "parameters": { + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('fullName')]" + }, + "eventHubRuleId": { + "value": "[parameters('eventHubRuleId')]" + }, + "eventHubName": { + "value": "[parameters('eventHubName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + } + } + } + } + } + } + } + } +} diff --git a/policyDefinitions/Monitoring/To Event Hub/Configure diagnostic settings for Blob Services to Event Hub/azurepolicy.parameters.json b/policyDefinitions/Monitoring/To Event Hub/Configure diagnostic settings for Blob Services to Event Hub/azurepolicy.parameters.json new file mode 100644 index 00000000..43fbbcf3 --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Configure diagnostic settings for Blob Services to Event Hub/azurepolicy.parameters.json 
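Review bot: The `anyOf` branch `"value": "[parameters('eventHubLocation')]", "equals": ""` in the policyRule is unreachable, because the `eventHubLocation` parameter restricts `allowedValues` to `swedencentral` and `westeurope`, so an assignment can never opt out of the location match the way the branch suggests. Either add `""` to `allowedValues` (keeping `westeurope` as the default) or remove the empty-string branch so the rule reads as it actually behaves; in both cases keep the `field: location` comparison, since the parameter description itself says the resource must be in the same region as the Event Hub namespace. The same parameter block and rule are repeated in this policy's azurepolicy.parameters.json and azurepolicy.rules.json hunks and in the File Services and Queue Services variants further down this commit, which should be fixed together so the three copies do not drift.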
@@ -0,0 +1,76 @@ +{ + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "AuditIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "profileName": { + "type": "String", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + }, + "defaultValue": "setbypolicy_blobServicesDiagnosticsLogsToEventHub" + }, + "metricsEnabled": { + "type": "Boolean", + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Event Hub - True or False" + }, + "allowedValues": [ + true, + false + ], + "defaultValue": true + }, + "logsEnabled": { + "type": "Boolean", + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Event Hub - True or False" + }, + "allowedValues": [ + true, + false + ], + "defaultValue": true + }, + "eventHubRuleId": { + "type": "String", + "metadata": { + "displayName": "Event Hub Authorization Rule Id", + "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. 
/subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}", + "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules", + "assignPermissions": true + } + }, + "eventHubName": { + "type": "String", + "metadata": { + "displayName": "Event Hub Name", + "description": "Specify the name of the Event Hub" + } + }, + "eventHubLocation": { + "type": "String", + "metadata": { + "displayName": "Event Hub Location", + "description": "Resource Location must be in the same location as the Event Hub Namespace.", + "strongType": "location" + }, + "allowedValues": [ + "swedencentral", + "westeurope" + ], + "defaultValue": "westeurope" + } +} diff --git a/policyDefinitions/Monitoring/To Event Hub/Configure diagnostic settings for Blob Services to Event Hub/azurepolicy.rules.json b/policyDefinitions/Monitoring/To Event Hub/Configure diagnostic settings for Blob Services to Event Hub/azurepolicy.rules.json new file mode 100644 index 00000000..d4923052 --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Configure diagnostic settings for Blob Services to Event Hub/azurepolicy.rules.json 
@@ -0,0 +1,176 @@ +{ + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts/blobServices" + }, + { + "anyOf": [ + { + "value": "[parameters('eventHubLocation')]", + "equals": "" + }, + { + "field": "location", + "equals": "[parameters('eventHubLocation')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "count": { + "field": "Microsoft.Insights/diagnosticSettings/metrics[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/metrics[*].category", + "equals": "Transaction" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics[*].enabled", + "equals": "[parameters('metricsEnabled')]" + } + ] + } + }, + "equals": 1 + }, + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "[parameters('logsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", + "matchInsensitively": "[parameters('eventHubRuleId')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubName", + "matchInsensitively": "[parameters('eventHubName')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "string" + }, + "location": { + "type": "string" + }, + "eventHubRuleId": { + "type": "string" + }, + "eventHubName": { + "type": "string" + }, + "metricsEnabled": { + "type": "bool" + }, + "logsEnabled": { + "type": "bool" + }, + "profileName": { + 
"type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Storage/storageAccounts/blobServices/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]", + "eventHubName": "[parameters('eventHubName')]", + "metrics": [ + { + "timeGrain": null, + "enabled": false, + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "category": "Capacity" + }, + { + "timeGrain": null, + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "category": "Transaction" + } + ], + "logs": [ + { + "category": "StorageRead", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "StorageWrite", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "StorageDelete", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type Blob Services (Microsoft.Storage/storageAccounts/blobServices), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]" + } + } + }, + "parameters": { + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('fullName')]" + }, + "eventHubRuleId": { + "value": "[parameters('eventHubRuleId')]" + }, + "eventHubName": { + "value": "[parameters('eventHubName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + } + } + } + } + } + } +} 
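Review bot: `roleDefinitionIds` grants two roles to the remediation identity, and the policy description says the definition was derived from the 'to Log Analytics workspace' built-in; the second id looks like it may have been carried over from that variant rather than being required for an Event Hub destination, which would give the DeployIfNotExists identity more than it needs at assignment scope. Please resolve each id to its role and keep only those the nested deployment actually needs to write a `Microsoft.Insights/diagnosticSettings` resource that targets the Event Hub authorization rule. The same two ids are repeated in the azurepolicy.json and azurepolicy.rules.json hunks of the File Services and Queue Services variants in this commit.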
diff --git a/policyDefinitions/Monitoring/To Event Hub/Configure diagnostic settings for File Services to Event Hub/azurepolicy.json b/policyDefinitions/Monitoring/To Event Hub/Configure diagnostic settings for File Services to Event Hub/azurepolicy.json new file mode 100644 index 00000000..f0672e8b --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Configure diagnostic settings for File Services to Event Hub/azurepolicy.json 
@@ -0,0 +1,265 @@ +{ + "name": "469fed44-24a2-467e-9ead-800f55c2f062", + "type": "Microsoft.Authorization/policyDefinitions", + "properties": { + "displayName": "Configure diagnostic settings for File Services to Event Hub", + "description": "Deploys the diagnostic settings for File Services to stream resource logs to an Event Hub when any file Service which is missing this diagnostic settings is created or updated. The policy will set the diagnostic with Transaction metric and categories enabled. Made from the built-in policy for 'to Log Analytics workspace'.", + "metadata": { + "category": "Storage", + "version": "4.0.0" + }, + "mode": "All", + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "AuditIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "profileName": { + "type": "String", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + }, + "defaultValue": "setbypolicy_fileServicesDiagnosticsLogsToEventHub" + }, + "metricsEnabled": { + "type": "Boolean", + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Event Hub - True or False" + }, + "allowedValues": [ + true, + false + ], + "defaultValue": true + }, + "logsEnabled": { + "type": "Boolean", + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Event Hub - True or False" + }, + "allowedValues": [ + true, + false + ], + "defaultValue": true + }, + "eventHubRuleId": { + "type": "String", + "metadata": { + "displayName": "Event Hub Authorization Rule Id", + "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. 
/subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}", + "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules", + "assignPermissions": true + } + }, + "eventHubName": { + "type": "String", + "metadata": { + "displayName": "Event Hub Name", + "description": "Specify the name of the Event Hub" + } + }, + "eventHubLocation": { + "type": "String", + "metadata": { + "displayName": "Event Hub Location", + "description": "Resource Location must be in the same location as the Event Hub Namespace.", + "strongType": "location" + }, + "allowedValues": [ + "swedencentral", + "westeurope" + ], + "defaultValue": "westeurope" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts/fileServices" + }, + { + "anyOf": [ + { + "value": "[parameters('eventHubLocation')]", + "equals": "" + }, + { + "field": "location", + "equals": "[parameters('eventHubLocation')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "count": { + "field": "Microsoft.Insights/diagnosticSettings/metrics[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/metrics[*].category", + "equals": "Transaction" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics[*].enabled", + "equals": "[parameters('metricsEnabled')]" + } + ] + } + }, + "equals": 1 + }, + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "[parameters('logsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", + "matchInsensitively": "[parameters('eventHubRuleId')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubName", + "matchInsensitively": 
"[parameters('eventHubName')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "string" + }, + "location": { + "type": "string" + }, + "eventHubRuleId": { + "type": "string" + }, + "eventHubName": { + "type": "string" + }, + "metricsEnabled": { + "type": "bool" + }, + "logsEnabled": { + "type": "bool" + }, + "profileName": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Storage/storageAccounts/fileServices/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]", + "eventHubName": "[parameters('eventHubName')]", + "metrics": [ + { + "timeGrain": null, + "enabled": false, + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "category": "Capacity" + }, + { + "timeGrain": null, + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "category": "Transaction" + } + ], + "logs": [ + { + "category": "StorageRead", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "StorageWrite", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "StorageDelete", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type File Services 
(Microsoft.Storage/storageAccounts/fileServices), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]" + } + } + }, + "parameters": { + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('fullName')]" + }, + "eventHubRuleId": { + "value": "[parameters('eventHubRuleId')]" + }, + "eventHubName": { + "value": "[parameters('eventHubName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + } + } + } + } + } + } + } + } +} diff --git a/policyDefinitions/Monitoring/To Event Hub/Configure diagnostic settings for File Services to Event Hub/azurepolicy.parameters.json b/policyDefinitions/Monitoring/To Event Hub/Configure diagnostic settings for File Services to Event Hub/azurepolicy.parameters.json new file mode 100644 index 00000000..131cf876 --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Configure diagnostic settings for File Services to Event Hub/azurepolicy.parameters.json 
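Review bot: The description of this definition (metadata version `4.0.0`) omits the operational caveat that the Queue Services variant in this commit (version `4.0.1`) appends to its description — that the policy is not triggered on storage account creation and needs a remediation task — although the three definitions are structurally identical apart from the service type. Either the caveat applies to Blob and File Services as well and should be added here and in the Blob Services hunk, or the versions and descriptions should be aligned so assigners do not assume the variants behave differently. The `metadata.category` is also `Storage` while the file lives under `policyDefinitions/Monitoring/`; the Data Factory definition in this commit uses a category matching its folder, so one of the two conventions should be chosen.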
@@ -0,0 +1,76 @@ +{ + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "AuditIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "profileName": { + "type": "String", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + }, + "defaultValue": "setbypolicy_fileServicesDiagnosticsLogsToEventHub" + }, + "metricsEnabled": { + "type": "Boolean", + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Event Hub - True or False" + }, + "allowedValues": [ + true, + false + ], + "defaultValue": true + }, + "logsEnabled": { + "type": "Boolean", + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Event Hub - True or False" + }, + "allowedValues": [ + true, + false + ], + "defaultValue": true + }, + "eventHubRuleId": { + "type": "String", + "metadata": { + "displayName": "Event Hub Authorization Rule Id", + "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. 
/subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}", + "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules", + "assignPermissions": true + } + }, + "eventHubName": { + "type": "String", + "metadata": { + "displayName": "Event Hub Name", + "description": "Specify the name of the Event Hub" + } + }, + "eventHubLocation": { + "type": "String", + "metadata": { + "displayName": "Event Hub Location", + "description": "Resource Location must be in the same location as the Event Hub Namespace.", + "strongType": "location" + }, + "allowedValues": [ + "swedencentral", + "westeurope" + ], + "defaultValue": "westeurope" + } +} diff --git a/policyDefinitions/Monitoring/To Event Hub/Configure diagnostic settings for File Services to Event Hub/azurepolicy.rules.json b/policyDefinitions/Monitoring/To Event Hub/Configure diagnostic settings for File Services to Event Hub/azurepolicy.rules.json new file mode 100644 index 00000000..a89bce50 --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Configure diagnostic settings for File Services to Event Hub/azurepolicy.rules.json 
@@ -0,0 +1,176 @@ +{ + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts/fileServices" + }, + { + "anyOf": [ + { + "value": "[parameters('eventHubLocation')]", + "equals": "" + }, + { + "field": "location", + "equals": "[parameters('eventHubLocation')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "count": { + "field": "Microsoft.Insights/diagnosticSettings/metrics[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/metrics[*].category", + "equals": "Transaction" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics[*].enabled", + "equals": "[parameters('metricsEnabled')]" + } + ] + } + }, + "equals": 1 + }, + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "[parameters('logsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", + "matchInsensitively": "[parameters('eventHubRuleId')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubName", + "matchInsensitively": "[parameters('eventHubName')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "string" + }, + "location": { + "type": "string" + }, + "eventHubRuleId": { + "type": "string" + }, + "eventHubName": { + "type": "string" + }, + "metricsEnabled": { + "type": "bool" + }, + "logsEnabled": { + "type": "bool" + }, + "profileName": { + 
"type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Storage/storageAccounts/fileServices/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]", + "eventHubName": "[parameters('eventHubName')]", + "metrics": [ + { + "timeGrain": null, + "enabled": false, + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "category": "Capacity" + }, + { + "timeGrain": null, + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "category": "Transaction" + } + ], + "logs": [ + { + "category": "StorageRead", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "StorageWrite", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "StorageDelete", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type File Services (Microsoft.Storage/storageAccounts/fileServices), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]" + } + } + }, + "parameters": { + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('fullName')]" + }, + "eventHubRuleId": { + "value": "[parameters('eventHubRuleId')]" + }, + "eventHubName": { + "value": "[parameters('eventHubName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + } + } + } + } + } + } +} 
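Review bot: The nested deployment template's `$schema` uses `http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#`; the schema is served over https and template linters resolve it that way, so `https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#` is the form to use (same in every deployment template of this commit). As a smaller point of style, `"variables": {}` and `"dependsOn": []` are empty and can be dropped from the template without changing what it deploys.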
diff --git a/policyDefinitions/Monitoring/To Event Hub/Configure diagnostic settings for Queue Services to Event Hub/azurepolicy.json b/policyDefinitions/Monitoring/To Event Hub/Configure diagnostic settings for Queue Services to Event Hub/azurepolicy.json new file mode 100644 index 00000000..90cff1e9 --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Configure diagnostic settings for Queue Services to Event Hub/azurepolicy.json 
@@ -0,0 +1,265 @@
+{
+ "name": "862d874f-8e9c-4588-b17b-261f35bd97fc",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "properties": {
+ "displayName": "Configure diagnostic settings for Queue Services to Event Hub",
+ "description": "Deploys the diagnostic settings for Queue Services to stream resource logs to an Event Hub when any queue Service which is missing this diagnostic settings is created or updated. The policy will set the diagnostic with Transaction metric and categories enabled. Made from the built-in policy for 'to Log Analytics workspace'. Note: This policy is not triggered upon Storage Account creation and requires creation of a remediation task in order to update for the account.",
+ "metadata": {
+ "category": "Storage",
+ "version": "4.0.1"
+ },
+ "mode": "All",
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "DeployIfNotExists",
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists"
+ },
+ "profileName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ },
+ "defaultValue": "setbypolicy_queueServicesDiagnosticsLogsToEventHub"
+ },
+ "metricsEnabled": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "Enable metrics",
+ "description": "Whether to enable metrics stream to the Event Hub - True or False"
+ },
+ "allowedValues": [
+ true,
+ false
+ ],
+ "defaultValue": true
+ },
+ "logsEnabled": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "Enable logs",
+ "description": "Whether to enable logs stream to the Event Hub - True or False"
+ },
+ "allowedValues": [
+ true,
+ false
+ ],
+ "defaultValue": true
+ },
+ "eventHubRuleId": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Authorization Rule Id",
+ "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}",
+ "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules",
+ "assignPermissions": true
+ }
+ },
+ "eventHubName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Name",
+ "description": "Specify the name of the Event Hub"
+ }
+ },
+ "eventHubLocation": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Location",
+ "description": "Resource Location must be in the same location as the Event Hub Namespace.",
+ "strongType": "location"
+ },
+ "allowedValues": [
+ "swedencentral",
+ "westeurope"
+ ],
+ "defaultValue": "westeurope"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Storage/storageAccounts/queueServices"
+ },
+ {
+ "anyOf": [
+ {
+ "value": "[parameters('eventHubLocation')]",
+ "equals": ""
+ },
+ {
+ "field": "location",
+ "equals": "[parameters('eventHubLocation')]"
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "[parameters('profileName')]",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics[*].category",
+ "equals": "Transaction"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics[*].enabled",
+ "equals": "[parameters('metricsEnabled')]"
+ }
+ ]
+ }
+ },
+ "equals": 1
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
+ "equals": "[parameters('logsEnabled')]"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId",
+ "matchInsensitively": "[parameters('eventHubRuleId')]"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/eventHubName",
+ "matchInsensitively": "[parameters('eventHubName')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "eventHubRuleId": {
+ "type": "string"
+ },
+ "eventHubName": {
+ "type": "string"
+ },
+ "metricsEnabled": {
+ "type": "bool"
+ },
+ "logsEnabled": {
+ "type": "bool"
+ },
+ "profileName": {
+ "type": "string"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticSettings",
+ "apiVersion": "2021-05-01-preview",
+ "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
+ "location": "[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]",
+ "eventHubName": "[parameters('eventHubName')]",
+ "metrics": [
+ {
+ "timeGrain": null,
+ "enabled": true,
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ },
+ "category": "Capacity"
+ },
+ {
+ "timeGrain": null,
+ "enabled": "[parameters('metricsEnabled')]",
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ },
+ "category": "Transaction"
+ }
+ ],
+ "logs": [
+ {
+ "category": "StorageRead",
+ "enabled": "[parameters('logsEnabled')]"
+ },
+ {
+ "category": "StorageWrite",
+ "enabled": "[parameters('logsEnabled')]"
+ },
+ {
+ "category": "StorageDelete",
+ "enabled": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {
+ "policy": {
+ "type": "string",
+ "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type Queue Services (Microsoft.Storage/storageAccounts/queueServices), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]"
+ }
+ }
+ },
+ "parameters": {
+ "location": {
+ "value": "[field('location')]"
+ },
+ "resourceName": {
+ "value": "[field('fullName')]"
+ },
+ "eventHubRuleId": {
+ "value": "[parameters('eventHubRuleId')]"
+ },
+ "eventHubName": {
+ "value": "[parameters('eventHubName')]"
+ },
+ "metricsEnabled": {
+ "value": "[parameters('metricsEnabled')]"
+ },
+ "logsEnabled": {
+ "value": "[parameters('logsEnabled')]"
+ },
+ "profileName": {
+ "value": "[parameters('profileName')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/policyDefinitions/Monitoring/To Event Hub/Configure diagnostic settings for Queue Services to Event Hub/azurepolicy.parameters.json b/policyDefinitions/Monitoring/To Event Hub/Configure diagnostic settings for Queue Services to Event Hub/azurepolicy.parameters.json
new file mode 100644
index 00000000..9799d698
--- /dev/null
+++ b/policyDefinitions/Monitoring/To Event Hub/Configure diagnostic settings for Queue Services to Event Hub/azurepolicy.parameters.json
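Review bot: The deployment template's `Capacity` metric entry is hard-coded `"enabled": true`, which diverges from the Storage Accounts and Table Services templates in this commit and from the File Services template just above (all `"enabled": false`), and from the description, which promises only the Transaction metric; the same value is in the Queue Services rules file (next hunk). Because the `existenceCondition` only counts the `Transaction` entry, an existing setting with Capacity disabled is still judged compliant, so the extra stream is neither enforced nor detected — it only appears on freshly remediated resources. Either align the line to `"enabled": false,` or make it `"enabled": "[parameters('metricsEnabled')]",` so the behaviour is declared rather than incidental.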
@@ -0,0 +1,76 @@
+{
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "DeployIfNotExists",
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists"
+ },
+ "profileName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ },
+ "defaultValue": "setbypolicy_queueServicesDiagnosticsLogsToEventHub"
+ },
+ "metricsEnabled": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "Enable metrics",
+ "description": "Whether to enable metrics stream to the Event Hub - True or False"
+ },
+ "allowedValues": [
+ true,
+ false
+ ],
+ "defaultValue": true
+ },
+ "logsEnabled": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "Enable logs",
+ "description": "Whether to enable logs stream to the Event Hub - True or False"
+ },
+ "allowedValues": [
+ true,
+ false
+ ],
+ "defaultValue": true
+ },
+ "eventHubRuleId": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Authorization Rule Id",
+ "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}",
+ "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules",
+ "assignPermissions": true
+ }
+ },
+ "eventHubName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Name",
+ "description": "Specify the name of the Event Hub"
+ }
+ },
+ "eventHubLocation": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Location",
+ "description": "Resource Location must be in the same location as the Event Hub Namespace.",
+ "strongType": "location"
+ },
+ "allowedValues": [
+ "swedencentral",
+ "westeurope"
+ ],
+ "defaultValue": "westeurope"
+ }
+}
diff --git a/policyDefinitions/Monitoring/To Event Hub/Configure diagnostic settings for Queue Services to Event Hub/azurepolicy.rules.json b/policyDefinitions/Monitoring/To Event Hub/Configure diagnostic settings for Queue Services to Event Hub/azurepolicy.rules.json
new file mode 100644
index 00000000..b01108b4
--- /dev/null
+++ b/policyDefinitions/Monitoring/To Event Hub/Configure diagnostic settings for Queue Services to Event Hub/azurepolicy.rules.json
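Review bot: `eventHubLocation` is restricted by `allowedValues` to `swedencentral` and `westeurope`, so the `"equals": ""` any-region branch of the `anyOf` in the matching rules file (next hunk) can never be selected and is dead code; the Storage Accounts and Table Services parameter files in this commit have the same mismatch. If the any-region behaviour is intended, add `""` to `allowedValues` and say so in the parameter `description`; otherwise remove the `anyOf` from the rule so the filter reads as what it actually does. As written, a reader of this file cannot tell which of the two was meant.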
@@ -0,0 +1,176 @@
+{
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Storage/storageAccounts/queueServices"
+ },
+ {
+ "anyOf": [
+ {
+ "value": "[parameters('eventHubLocation')]",
+ "equals": ""
+ },
+ {
+ "field": "location",
+ "equals": "[parameters('eventHubLocation')]"
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "[parameters('profileName')]",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics[*].category",
+ "equals": "Transaction"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics[*].enabled",
+ "equals": "[parameters('metricsEnabled')]"
+ }
+ ]
+ }
+ },
+ "equals": 1
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
+ "equals": "[parameters('logsEnabled')]"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId",
+ "matchInsensitively": "[parameters('eventHubRuleId')]"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/eventHubName",
+ "matchInsensitively": "[parameters('eventHubName')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "eventHubRuleId": {
+ "type": "string"
+ },
+ "eventHubName": {
+ "type": "string"
+ },
+ "metricsEnabled": {
+ "type": "bool"
+ },
+ "logsEnabled": {
+ "type": "bool"
+ },
+ "profileName": {
+ "type": "string"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Storage/storageAccounts/queueServices/providers/diagnosticSettings",
+ "apiVersion": "2021-05-01-preview",
+ "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
+ "location": "[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]",
+ "eventHubName": "[parameters('eventHubName')]",
+ "metrics": [
+ {
+ "timeGrain": null,
+ "enabled": true,
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ },
+ "category": "Capacity"
+ },
+ {
+ "timeGrain": null,
+ "enabled": "[parameters('metricsEnabled')]",
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ },
+ "category": "Transaction"
+ }
+ ],
+ "logs": [
+ {
+ "category": "StorageRead",
+ "enabled": "[parameters('logsEnabled')]"
+ },
+ {
+ "category": "StorageWrite",
+ "enabled": "[parameters('logsEnabled')]"
+ },
+ {
+ "category": "StorageDelete",
+ "enabled": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {
+ "policy": {
+ "type": "string",
+ "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type Queue Services (Microsoft.Storage/storageAccounts/queueServices), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]"
+ }
+ }
+ },
+ "parameters": {
+ "location": {
+ "value": "[field('location')]"
+ },
+ "resourceName": {
+ "value": "[field('fullName')]"
+ },
+ "eventHubRuleId": {
+ "value": "[parameters('eventHubRuleId')]"
+ },
+ "eventHubName": {
+ "value": "[parameters('eventHubName')]"
+ },
+ "metricsEnabled": {
+ "value": "[parameters('metricsEnabled')]"
+ },
+ "logsEnabled": {
+ "value": "[parameters('logsEnabled')]"
+ },
+ "profileName": {
+ "value": "[parameters('profileName')]"
+ }
+ }
+ }
+ }
+ }
+ }
+}
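Review bot: `roleDefinitionIds` grants the remediation identity `f526a384-…` and `92aaf0da-…` (as far as I can tell the built-in Azure Event Hubs Data Owner and Log Analytics Contributor roles) with no record of why each is needed, and the identical pair is repeated in every definition and rules file in this commit. Data Owner is a data-plane role that is wider than what writing a `Microsoft.Insights/diagnosticSettings` resource requires, and with `"assignPermissions": true` on `eventHubRuleId` it is presumably also assigned at the authorization-rule scope, so the least-privilege reasoning should be recorded where a later reviewer will find it. Since JSON carries no comments, suggest one sentence in the definition `description`, e.g. `Remediation identity is granted Event Hubs Data Owner (for the target authorization rule) and Log Analytics Contributor (for diagnosticSettings writes), as in the built-in policy this was derived from.`, or a pointer to the built-in policy whose role list this copies.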
diff --git a/policyDefinitions/Monitoring/To Event Hub/Configure diagnostic settings for Storage Accounts to Event Hub/azurepolicy.json b/policyDefinitions/Monitoring/To Event Hub/Configure diagnostic settings for Storage Accounts to Event Hub/azurepolicy.json
new file mode 100644
index 00000000..28a71341
--- /dev/null
+++ b/policyDefinitions/Monitoring/To Event Hub/Configure diagnostic settings for Storage Accounts to Event Hub/azurepolicy.json
@@ -0,0 +1,229 @@
+{
+ "name": "5c4c164e-9f9f-4d69-9fe2-d5c1cd83f84d",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "properties": {
+ "displayName": "Configure diagnostic settings for Storage Accounts to Event Hub",
+ "description": "Deploys the diagnostic settings for Storage accounts to stream resource logs to an Event Hub when any storage accounts which is missing this diagnostic settings is created or updated. The policy will set the diagnostic with Transaction metric enabled. Made from the built-in policy for 'to Log Analytics workspace'.",
+ "metadata": {
+ "category": "Storage",
+ "version": "4.0.0"
+ },
+ "mode": "Indexed",
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "DeployIfNotExists",
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists"
+ },
+ "profileName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ },
+ "defaultValue": "setbypolicy_storageAccountsDiagnosticsLogsToEventHub"
+ },
+ "metricsEnabled": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "Enable metrics",
+ "description": "Whether to enable metrics stream to the Event Hub - True or False"
+ },
+ "allowedValues": [
+ true,
+ false
+ ],
+ "defaultValue": true
+ },
+ "eventHubRuleId": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Authorization Rule Id",
+ "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}",
+ "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules",
+ "assignPermissions": true
+ }
+ },
+ "eventHubName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Name",
+ "description": "Specify the name of the Event Hub"
+ }
+ },
+ "eventHubLocation": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Location",
+ "description": "Resource Location must be in the same location as the Event Hub Namespace.",
+ "strongType": "location"
+ },
+ "allowedValues": [
+ "swedencentral",
+ "westeurope"
+ ],
+ "defaultValue": "westeurope"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Storage/storageAccounts"
+ },
+ {
+ "anyOf": [
+ {
+ "value": "[parameters('eventHubLocation')]",
+ "equals": ""
+ },
+ {
+ "field": "location",
+ "equals": "[parameters('eventHubLocation')]"
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "[parameters('profileName')]",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics[*].category",
+ "equals": "Transaction"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics[*].enabled",
+ "equals": "[parameters('metricsEnabled')]"
+ }
+ ]
+ }
+ },
+ "equals": 1
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId",
+ "matchInsensitively": "[parameters('eventHubRuleId')]"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/eventHubName",
+ "matchInsensitively": "[parameters('eventHubName')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "eventHubRuleId": {
+ "type": "string"
+ },
+ "eventHubName": {
+ "type": "string"
+ },
+ "metricsEnabled": {
+ "type": "bool"
+ },
+ "profileName": {
+ "type": "string"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Storage/storageAccounts/providers/diagnosticSettings",
+ "apiVersion": "2021-05-01-preview",
+ "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
+ "location": "[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]",
+ "eventHubName": "[parameters('eventHubName')]",
+ "metrics": [
+ {
+ "timeGrain": null,
+ "enabled": false,
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ },
+ "category": "Capacity"
+ },
+ {
+ "timeGrain": null,
+ "enabled": "[parameters('metricsEnabled')]",
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ },
+ "category": "Transaction"
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {
+ "policy": {
+ "type": "string",
+ "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type Storage Accounts (Microsoft.Storage/storageAccounts), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]"
+ }
+ }
+ },
+ "parameters": {
+ "location": {
+ "value": "[field('location')]"
+ },
+ "resourceName": {
+ "value": "[field('fullName')]"
+ },
+ "eventHubRuleId": {
+ "value": "[parameters('eventHubRuleId')]"
+ },
+ "eventHubName": {
+ "value": "[parameters('eventHubName')]"
+ },
+ "metricsEnabled": {
+ "value": "[parameters('metricsEnabled')]"
+ },
+ "profileName": {
+ "value": "[parameters('profileName')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/policyDefinitions/Monitoring/To Event Hub/Configure diagnostic settings for Storage Accounts to Event Hub/azurepolicy.parameters.json b/policyDefinitions/Monitoring/To Event Hub/Configure diagnostic settings for Storage Accounts to Event Hub/azurepolicy.parameters.json
new file mode 100644
index 00000000..cc01f767
--- /dev/null
+++ b/policyDefinitions/Monitoring/To Event Hub/Configure diagnostic settings for Storage Accounts to Event Hub/azurepolicy.parameters.json
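Review bot: The policy `description` does not say that storage accounts whose `location` differs from `eventHubLocation` (limited to `swedencentral`/`westeurope` by `allowedValues`) are excluded by the `if` block rather than reported as non-compliant, so an assignment can show as fully compliant while accounts in every other region stream nothing; the Queue and Table definitions in this commit have the same gap. The parameter text `Resource Location must be in the same location as the Event Hub Namespace.` reads as an instruction to the operator, not as the scope filter it actually is. Suggest appending to the policy description: `Only resources whose location equals the eventHubLocation parameter are evaluated; resources in other regions are out of scope of this assignment and need a separate one.` Also `metadata.version` is `4.0.0` here but `4.0.1` in the sibling definitions, which is worth aligning if they are meant to be released together.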
@@ -0,0 +1,64 @@
+{
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "DeployIfNotExists",
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists"
+ },
+ "profileName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ },
+ "defaultValue": "setbypolicy_storageAccountsDiagnosticsLogsToEventHub"
+ },
+ "metricsEnabled": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "Enable metrics",
+ "description": "Whether to enable metrics stream to the Event Hub - True or False"
+ },
+ "allowedValues": [
+ true,
+ false
+ ],
+ "defaultValue": true
+ },
+ "eventHubRuleId": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Authorization Rule Id",
+ "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}",
+ "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules",
+ "assignPermissions": true
+ }
+ },
+ "eventHubName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Name",
+ "description": "Specify the name of the Event Hub"
+ }
+ },
+ "eventHubLocation": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Location",
+ "description": "Resource Location must be in the same location as the Event Hub Namespace.",
+ "strongType": "location"
+ },
+ "allowedValues": [
+ "swedencentral",
+ "westeurope"
+ ],
+ "defaultValue": "westeurope"
+ }
+}
diff --git a/policyDefinitions/Monitoring/To Event Hub/Configure diagnostic settings for Storage Accounts to Event Hub/azurepolicy.rules.json b/policyDefinitions/Monitoring/To Event Hub/Configure diagnostic settings for Storage Accounts to Event Hub/azurepolicy.rules.json
new file mode 100644
index 00000000..4c7a37c1
--- /dev/null
+++ b/policyDefinitions/Monitoring/To Event Hub/Configure diagnostic settings for Storage Accounts to Event Hub/azurepolicy.rules.json
@@ -0,0 +1,152 @@
+{
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Storage/storageAccounts"
+ },
+ {
+ "anyOf": [
+ {
+ "value": "[parameters('eventHubLocation')]",
+ "equals": ""
+ },
+ {
+ "field": "location",
+ "equals": "[parameters('eventHubLocation')]"
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "[parameters('profileName')]",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics[*].category",
+ "equals": "Transaction"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics[*].enabled",
+ "equals": "[parameters('metricsEnabled')]"
+ }
+ ]
+ }
+ },
+ "equals": 1
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId",
+ "matchInsensitively": "[parameters('eventHubRuleId')]"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/eventHubName",
+ "matchInsensitively": "[parameters('eventHubName')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "eventHubRuleId": {
+ "type": "string"
+ },
+ "eventHubName": {
+ "type": "string"
+ },
+ "metricsEnabled": {
+ "type": "bool"
+ },
+ "profileName": {
+ "type": "string"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Storage/storageAccounts/providers/diagnosticSettings",
+ "apiVersion": "2021-05-01-preview",
+ "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
+ "location": "[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]",
+ "eventHubName": "[parameters('eventHubName')]",
+ "metrics": [
+ {
+ "timeGrain": null,
+ "enabled": false,
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ },
+ "category": "Capacity"
+ },
+ {
+ "timeGrain": null,
+ "enabled": "[parameters('metricsEnabled')]",
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ },
+ "category": "Transaction"
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {
+ "policy": {
+ "type": "string",
+ "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type Storage Accounts (Microsoft.Storage/storageAccounts), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]"
+ }
+ }
+ },
+ "parameters": {
+ "location": {
+ "value": "[field('location')]"
+ },
+ "resourceName": {
+ "value": "[field('fullName')]"
+ },
+ "eventHubRuleId": {
+ "value": "[parameters('eventHubRuleId')]"
+ },
+ "eventHubName": {
+ "value": "[parameters('eventHubName')]"
+ },
+ "metricsEnabled": {
+ "value": "[parameters('metricsEnabled')]"
+ },
+ "profileName": {
+ "value": "[parameters('profileName')]"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/policyDefinitions/Monitoring/To Event Hub/Configure diagnostic settings for Table Services to Event Hub/azurepolicy.json b/policyDefinitions/Monitoring/To Event Hub/Configure diagnostic settings for Table Services to Event Hub/azurepolicy.json
new file mode 100644
index 00000000..794f41bf
--- /dev/null
+++ b/policyDefinitions/Monitoring/To Event Hub/Configure diagnostic settings for Table Services to Event Hub/azurepolicy.json
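Review bot: The embedded template declares `"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#"`, an old schema revision over plain http, and the same line is repeated in every template in this commit. The value is only an identifier for the deployment engine, so nothing breaks, but tooling that validates templates against the declared schema will do so against the 2015 revision, and `https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#` is the revision current ARM tooling expects. Suggest updating the `$schema` line in all templates together so the four files stay identical apart from their intended differences.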
@@ -0,0 +1,265 @@
+{
+ "name": "c5ab81f1-8edb-4fd2-be15-0e993f800f11",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "properties": {
+ "displayName": "Configure diagnostic settings for Table Services to Event Hub",
+ "description": "Deploys the diagnostic settings for Table Services to stream resource logs to an Event Hub when any table Service which is missing this diagnostic settings is created or updated. The policy will set the diagnostic with Transaction metric and categories enabled. Made from the built-in policy for 'to Log Analytics workspace'. Note: This policy is not triggered upon Storage Account creation and requires creation of a remediation task in order to update for the account.",
+ "metadata": {
+ "category": "Storage",
+ "version": "4.0.1"
+ },
+ "mode": "All",
+ "parameters": {
+ "profileName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ },
+ "defaultValue": "setbypolicy_tableServicesDiagnosticsLogsToEventHub"
+ },
+ "metricsEnabled": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "Enable metrics",
+ "description": "Whether to enable metrics stream to the Event Hub - True or False"
+ },
+ "allowedValues": [
+ true,
+ false
+ ],
+ "defaultValue": true
+ },
+ "logsEnabled": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "Enable logs",
+ "description": "Whether to enable logs stream to the Event Hub - True or False"
+ },
+ "allowedValues": [
+ true,
+ false
+ ],
+ "defaultValue": true
+ },
+ "eventHubRuleId": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Authorization Rule Id",
+ "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}",
+ "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules",
+ "assignPermissions": true
+ }
+ },
+ "eventHubName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Name",
+ "description": "Specify the name of the Event Hub"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "DeployIfNotExists",
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists"
+ },
+ "eventHubLocation": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Location",
+ "description": "Resource Location must be in the same location as the Event Hub Namespace.",
+ "strongType": "location"
+ },
+ "allowedValues": [
+ "swedencentral",
+ "westeurope"
+ ],
+ "defaultValue": "westeurope"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Storage/storageAccounts/tableServices"
+ },
+ {
+ "anyOf": [
+ {
+ "value": "[parameters('eventHubLocation')]",
+ "equals": ""
+ },
+ {
+ "field": "location",
+ "equals": "[parameters('eventHubLocation')]"
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "[parameters('profileName')]",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics[*].category",
+ "equals": "Transaction"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics[*].enabled",
+ "equals": "[parameters('metricsEnabled')]"
+ }
+ ]
+ }
+ },
+ "equals": 1
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
+ "equals": "[parameters('logsEnabled')]"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId",
+ "matchInsensitively": "[parameters('eventHubRuleId')]"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/eventHubName",
+ "matchInsensitively": "[parameters('eventHubName')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "eventHubRuleId": {
+ "type": "string"
+ },
+ "metricsEnabled": {
+ "type": "bool"
+ },
+ "logsEnabled": {
+ "type": "bool"
+ },
+ "profileName": {
+ "type": "string"
+ },
+ "eventHubName": {
+ "type": "string"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Storage/storageAccounts/tableServices/providers/diagnosticSettings",
+ "apiVersion": "2021-05-01-preview",
+ "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
+ "location": "[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]",
+ "eventHubName": "[parameters('eventHubName')]",
+ "metrics": [
+ {
+ "timeGrain": null,
+ "enabled": false,
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ },
+ "category": "Capacity"
+ },
+ {
+ "timeGrain": null,
+ "enabled": "[parameters('metricsEnabled')]",
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ },
+ "category": "Transaction"
+ }
+ ],
+ "logs": [
+ {
+ "category": "StorageRead",
+ "enabled": "[parameters('logsEnabled')]"
+ },
+ {
+ "category": "StorageWrite",
+ "enabled": "[parameters('logsEnabled')]"
+ },
+ {
+ "category": "StorageDelete",
+ "enabled": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {
+ "policy": {
+ "type": "string",
+ "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type Table Services (Microsoft.Storage/storageAccounts/tableServices), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]"
+ }
+ }
+ },
+ "parameters": {
+ "location": {
+ "value": "[field('location')]"
+ },
+ "resourceName": {
+ "value": "[field('fullName')]"
+ },
+ "eventHubRuleId": {
+ "value": "[parameters('eventHubRuleId')]"
+ },
+ "metricsEnabled": {
+ "value": "[parameters('metricsEnabled')]"
+ },
+ "logsEnabled": {
+ "value": "[parameters('logsEnabled')]"
+ },
+ "profileName": {
+ "value": "[parameters('profileName')]"
+ },
+ "eventHubName": {
+ "value": "[parameters('eventHubName')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/policyDefinitions/Monitoring/To Event Hub/Configure diagnostic settings for Table Services to Event Hub/azurepolicy.parameters.json b/policyDefinitions/Monitoring/To Event Hub/Configure diagnostic settings for Table Services to Event Hub/azurepolicy.parameters.json
new file mode 100644
index 00000000..c591c3a7
--- /dev/null
+++ b/policyDefinitions/Monitoring/To Event Hub/Configure diagnostic settings for Table Services to Event Hub/azurepolicy.parameters.json
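Review bot: Key ordering in this definition differs from its Queue Services and Storage Accounts siblings: `effect` comes after `eventHubName` in `properties.parameters`, and `eventHubName` is last in both the template `parameters` and the deployment `parameters` instead of following `eventHubRuleId` as in the other files. Behaviour is identical since JSON key order carries no meaning here, but the four definitions in this commit are near-copies, and a consistent order lets the real differences (the Capacity metric value, `mode`, `version`, the resource `type`) stand out in a side-by-side diff instead of being buried in reordering noise. Suggest moving the `effect` block to the top of `parameters` and `eventHubName` directly after `eventHubRuleId` in both template parameter lists, matching the Queue definition.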
@@ -0,0 +1,76 @@ +{ + "profileName": { + "type": "String", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + }, + "defaultValue": "setbypolicy_tableServicesDiagnosticsLogsToEventHub" + }, + "metricsEnabled": { + "type": "Boolean", + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Event Hub - True or False" + }, + "allowedValues": [ + true, + false + ], + "defaultValue": true + }, + "logsEnabled": { + "type": "Boolean", + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Event Hub - True or False" + }, + "allowedValues": [ + true, + false + ], + "defaultValue": true + }, + "eventHubRuleId": { + "type": "String", + "metadata": { + "displayName": "Event Hub Authorization Rule Id", + "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}", + "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules", + "assignPermissions": true + } + }, + "eventHubName": { + "type": "String", + "metadata": { + "displayName": "Event Hub Name", + "description": "Specify the name of the Event Hub" + } + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "AuditIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "eventHubLocation": { + "type": "String", + "metadata": { + "displayName": "Event Hub Location", + "description": "Resource Location must be in the same location as the Event Hub Namespace.", + "strongType": "location" + }, + "allowedValues": [ + "swedencentral", + "westeurope" + ], + 
"defaultValue": "westeurope" + } +} diff --git a/policyDefinitions/Monitoring/To Event Hub/Configure diagnostic settings for Table Services to Event Hub/azurepolicy.rules.json b/policyDefinitions/Monitoring/To Event Hub/Configure diagnostic settings for Table Services to Event Hub/azurepolicy.rules.json new file mode 100644 index 00000000..93966a7a --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Configure diagnostic settings for Table Services to Event Hub/azurepolicy.rules.json 
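Review bot: `eventHubLocation` admits only `swedencentral` and `westeurope` (default `westeurope`), so the companion rule's "any location" branch (`"value": "[parameters('eventHubLocation')]", "equals": ""`) can never be selected, and table services in every other region fall silently out of scope — neither audited nor remediated. Since the parameter's own description says the monitored resource must be in the Event Hub namespace's region, the honest fix is to document that one assignment per region is required, e.g. `"description": "Region of the Event Hub namespace. Only table services in this region are evaluated; assign the policy once per region you want covered."`, and either drop the unreachable `""` branch from the rule or add `""` to `allowedValues` only if a cross-region destination is actually supported. Without one of these, a reader of the parameters file assumes full coverage that the assignment does not provide.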
@@ -0,0 +1,176 @@ +{ + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts/tableServices" + }, + { + "anyOf": [ + { + "value": "[parameters('eventHubLocation')]", + "equals": "" + }, + { + "field": "location", + "equals": "[parameters('eventHubLocation')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "count": { + "field": "Microsoft.Insights/diagnosticSettings/metrics[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/metrics[*].category", + "equals": "Transaction" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics[*].enabled", + "equals": "[parameters('metricsEnabled')]" + } + ] + } + }, + "equals": 1 + }, + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "[parameters('logsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", + "matchInsensitively": "[parameters('eventHubRuleId')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubName", + "matchInsensitively": "[parameters('eventHubName')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "string" + }, + "location": { + "type": "string" + }, + "eventHubRuleId": { + "type": "string" + }, + "metricsEnabled": { + "type": "bool" + }, + "logsEnabled": { + "type": "bool" + }, + "profileName": { + "type": "string" + }, + "eventHubName": { + 
"type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Storage/storageAccounts/tableServices/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]", + "eventHubName": "[parameters('eventHubName')]", + "metrics": [ + { + "timeGrain": null, + "enabled": false, + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "category": "Capacity" + }, + { + "timeGrain": null, + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "category": "Transaction" + } + ], + "logs": [ + { + "category": "StorageRead", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "StorageWrite", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "StorageDelete", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type Table Services (Microsoft.Storage/storageAccounts/tableServices), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]" + } + } + }, + "parameters": { + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('fullName')]" + }, + "eventHubRuleId": { + "value": "[parameters('eventHubRuleId')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "eventHubName": { + "value": "[parameters('eventHubName')]" + } + } + } + } + } + } +} 
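Review bot: The log half of `existenceCondition` checks `"field": "Microsoft.Insights/diagnosticSettings/logs.enabled"` against a single value, while the deployment enables three categories (`StorageRead`, `StorageWrite`, `StorageDelete`); a pre-existing setting with the same `profileName` but only one category enabled may therefore evaluate as compliant (the exact semantics of the non-`[*]` alias over an array are not something I can pin down from this file — confirm in a test assignment), leaving write/delete audit trails absent with no remediation. The metric half of the same condition already uses `count` over `metrics[*]`; the log check should use the same shape and require all three categories. Replace the `logs.enabled` object inside `existenceCondition.allOf` with the block below.

```json
{
  "count": {
    "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
    "where": {
      "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
      "equals": "[parameters('logsEnabled')]"
    }
  },
  "equals": 3
}
```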
diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for AVD Application Group to Event Hub/azurepolicy.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for AVD Application Group to Event Hub/azurepolicy.json new file mode 100644 index 00000000..8cd787fe --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for AVD Application Group to Event Hub/azurepolicy.json 
@@ -0,0 +1,216 @@ +{ + "name": "e2a4f121-3ecd-4b6a-9d21-2dc2e3f7aadd", + "type": "Microsoft.Authorization/policyDefinitions", + "properties": { + "displayName": "Deploy Diagnostic Settings for AVD Application Group to Event Hub", + "description": "Deploys the diagnostic settings for AVD Application Groups to stream to a Event Hub when any AVD Application Group which is missing this diagnostic settings is created or updated. The policy will set the diagnostic with all categories enabled.", + "metadata": { + "version": "1.0.0", + "category": "Monitoring" + }, + "mode": "Indexed", + "parameters": { + "eventHubRuleId": { + "type": "String", + "metadata": { + "displayName": "Event Hub Authorization Rule Id", + "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}", + "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules", + "assignPermissions": true + } + }, + "eventHubName": { + "type": "String", + "metadata": { + "displayName": "Event Hub Name", + "description": "Specify the name of the Event Hub" + } + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "AuditIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "profileName": { + "type": "String", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + }, + "defaultValue": "setbypolicy_EH" + }, + "eventHubLocation": { + "type": "String", + "metadata": { + "displayName": "Event Hub Location", + "description": "The location the Event Hub resides in. 
Only Logic Apps in this location will be linked to this Event Hub.", + "strongType": "location" + }, + "allowedValues": [ + "swedencentral", + "westeurope" + ], + "defaultValue": "westeurope" + }, + "logsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "True" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.DesktopVirtualization/applicationGroups" + }, + { + "anyOf": [ + { + "value": "[parameters('eventHubLocation')]", + "equals": "" + }, + { + "field": "location", + "equals": "[parameters('eventHubLocation')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[parameters('logsEnabled')]" + }, + { + "field": "microsoft.insights/diagnosticSettings/logs[*].categoryGroup", + "equals": "allLogs" + } + ] + } + }, + "equals": 1 + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", + "matchInsensitively": "[parameters('eventHubRuleId')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubName", + "matchInsensitively": "[parameters('eventHubName')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": 
"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "eventHubRuleId": { + "type": "string" + }, + "eventHubName": { + "type": "string" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DesktopVirtualization/applicationGroups/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]", + "eventHubName": "[parameters('eventHubName')]", + "metrics": [], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type AVD Application Groups (Microsoft.DesktopVirtualization/applicationGroups), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]" + } + } + }, + "parameters": { + "eventHubRuleId": { + "value": "[parameters('eventHubRuleId')]" + }, + "eventHubName": { + "value": "[parameters('eventHubName')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} 
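Review bot: Two parameter descriptions in this definition were carried over from other policies and now mislead whoever assigns it: `eventHubLocation` says "Only Logic Apps in this location will be linked to this Event Hub." although the rule targets `Microsoft.DesktopVirtualization/applicationGroups`, and `logsEnabled` says "Whether to enable logs stream to the Log Analytics workspace" although the destination is an Event Hub. Suggested wording: `"description": "Region of the Event Hub namespace. Only AVD Application Groups in this region are evaluated by this assignment."` and `"description": "Whether to enable the logs stream to the Event Hub - True or False"`. The policy `description` also promises "all categories enabled", which the template honours via `"categoryGroup": "allLogs"`, so that part is accurate.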
diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for AVD Application Group to Event Hub/azurepolicy.parameters.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for AVD Application Group to Event Hub/azurepolicy.parameters.json new file mode 100644 index 00000000..713063bf --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for AVD Application Group to Event Hub/azurepolicy.parameters.json 
@@ -0,0 +1,64 @@ +{ + "eventHubRuleId": { + "type": "String", + "metadata": { + "displayName": "Event Hub Authorization Rule Id", + "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}", + "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules", + "assignPermissions": true + } + }, + "eventHubName": { + "type": "String", + "metadata": { + "displayName": "Event Hub Name", + "description": "Specify the name of the Event Hub" + } + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "AuditIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "profileName": { + "type": "String", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + }, + "defaultValue": "setbypolicy_EH" + }, + "eventHubLocation": { + "type": "String", + "metadata": { + "displayName": "Event Hub Location", + "description": "The location the Event Hub resides in. Only Logic Apps in this location will be linked to this Event Hub.", + "strongType": "location" + }, + "allowedValues": [ + "swedencentral", + "westeurope" + ], + "defaultValue": "westeurope" + }, + "logsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "True" + } +} 
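Review bot: `logsEnabled` is declared `"type": "String"` with `"True"`/`"False"`, whereas the Table Services parameters file in this same commit declares the equivalent switch as `"type": "Boolean"` with `true`/`false`; the string is then passed through the template's `"logsEnabled": {"type": "String"}` into the diagnostic setting's `"enabled"` property, which is a boolean on the resource, so correctness depends on implicit coercion by ARM or the resource provider (this may work in practice, but it is not something this file guarantees). Making the parameter `"type": "Boolean"`, `"allowedValues": [true, false]`, `"defaultValue": true` and the template parameter `"type": "bool"` removes the ambiguity and keeps the three Event Hub policies in this change consistent. The `eventHubLocation` and `logsEnabled` descriptions here also still refer to "Logic Apps" and a "Log Analytics workspace" and should name AVD Application Groups and the Event Hub instead.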
diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for AVD Application Group to Event Hub/azurepolicy.rules.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for AVD Application Group to Event Hub/azurepolicy.rules.json new file mode 100644 index 00000000..5ec6a5de --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for AVD Application Group to Event Hub/azurepolicy.rules.json 
@@ -0,0 +1,139 @@ +{ + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.DesktopVirtualization/applicationGroups" + }, + { + "anyOf": [ + { + "value": "[parameters('eventHubLocation')]", + "equals": "" + }, + { + "field": "location", + "equals": "[parameters('eventHubLocation')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[parameters('logsEnabled')]" + }, + { + "field": "microsoft.insights/diagnosticSettings/logs[*].categoryGroup", + "equals": "allLogs" + } + ] + } + }, + "equals": 1 + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", + "matchInsensitively": "[parameters('eventHubRuleId')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubName", + "matchInsensitively": "[parameters('eventHubName')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "eventHubRuleId": { + "type": "string" + }, + "eventHubName": { + "type": "string" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DesktopVirtualization/applicationGroups/providers/diagnosticSettings", + 
"apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]", + "eventHubName": "[parameters('eventHubName')]", + "metrics": [], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type AVD Application Groups (Microsoft.DesktopVirtualization/applicationGroups), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]" + } + } + }, + "parameters": { + "eventHubRuleId": { + "value": "[parameters('eventHubRuleId')]" + }, + "eventHubName": { + "value": "[parameters('eventHubName')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } +} diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for AVD Host Pool to Event Hub/azurepolicy.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for AVD Host Pool to Event Hub/azurepolicy.json new file mode 100644 index 00000000..a574b632 --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for AVD Host Pool to Event Hub/azurepolicy.json 
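Review bot: The `anyOf` in the `if` block has a branch for an empty `eventHubLocation` (`"value": "[parameters('eventHubLocation')]", "equals": ""`), but the companion parameters file restricts that parameter to `swedencentral` and `westeurope`, so the branch is unreachable and any application group in another region is silently excluded from both the audit and the deployment. If the empty-string option is meant to be usable, `""` must appear in `allowedValues`; if it is not (the Event Hub region constraint suggests it is not), drop the branch to `{"field": "location", "equals": "[parameters('eventHubLocation')]"}` so the per-region scope is explicit and a reviewer of the rule is not led to expect a global mode. Either way, the assignment guidance should state that one assignment per region is required for coverage.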
@@ -0,0 +1,216 @@ +{ + "name": "fb557712-10e4-4023-b1af-031fadfbfd49", + "type": "Microsoft.Authorization/policyDefinitions", + "properties": { + "displayName": "Deploy Diagnostic Settings for AVD Host Pool to Event Hub", + "description": "Deploys the diagnostic settings for AVD Host Pools to stream to a Event Hub when any AVD Host Pool which is missing this diagnostic settings is created or updated. The policy will set the diagnostic with all categories enabled.", + "metadata": { + "version": "1.0.0", + "category": "Monitoring" + }, + "mode": "Indexed", + "parameters": { + "eventHubRuleId": { + "type": "String", + "metadata": { + "displayName": "Event Hub Authorization Rule Id", + "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}", + "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules", + "assignPermissions": true + } + }, + "eventHubName": { + "type": "String", + "metadata": { + "displayName": "Event Hub Name", + "description": "Specify the name of the Event Hub" + } + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "AuditIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "profileName": { + "type": "String", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + }, + "defaultValue": "setbypolicy_EH" + }, + "eventHubLocation": { + "type": "String", + "metadata": { + "displayName": "Event Hub Location", + "description": "The location the Event Hub resides in. 
Only Logic Apps in this location will be linked to this Event Hub.", + "strongType": "location" + }, + "allowedValues": [ + "swedencentral", + "westeurope" + ], + "defaultValue": "westeurope" + }, + "logsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "True" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.DesktopVirtualization/hostpools" + }, + { + "anyOf": [ + { + "value": "[parameters('eventHubLocation')]", + "equals": "" + }, + { + "field": "location", + "equals": "[parameters('eventHubLocation')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[parameters('logsEnabled')]" + }, + { + "field": "microsoft.insights/diagnosticSettings/logs[*].categoryGroup", + "equals": "allLogs" + } + ] + } + }, + "equals": 1 + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", + "matchInsensitively": "[parameters('eventHubRuleId')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubName", + "matchInsensitively": "[parameters('eventHubName')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + 
"contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "eventHubRuleId": { + "type": "string" + }, + "eventHubName": { + "type": "string" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DesktopVirtualization/hostpools/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]", + "eventHubName": "[parameters('eventHubName')]", + "metrics": [], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type AVD Host Pools (Microsoft.DesktopVirtualization/hostpools), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]" + } + } + }, + "parameters": { + "eventHubRuleId": { + "value": "[parameters('eventHubRuleId')]" + }, + "eventHubName": { + "value": "[parameters('eventHubName')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for AVD Host Pool to Event Hub/azurepolicy.parameters.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for AVD Host Pool to Event Hub/azurepolicy.parameters.json new file mode 100644 index 00000000..713063bf --- /dev/null 
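Review bot: The `eventHubLocation` description ("Only Logic Apps in this location will be linked to this Event Hub.") and the `logsEnabled` description ("…stream to the Log Analytics workspace…") do not match this definition, which targets `Microsoft.DesktopVirtualization/hostpools` and streams to an Event Hub. Suggested text: `"description": "Region of the Event Hub namespace. Only AVD Host Pools in this region are evaluated by this assignment."` and `"description": "Whether to enable the logs stream to the Event Hub - True or False"`. Inaccurate parameter help is what assigners read in the portal, so this is worth fixing before the definition is published.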
+++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for AVD Host Pool to Event Hub/azurepolicy.parameters.json @@ -0,0 +1,64 @@ +{ + "eventHubRuleId": { + "type": "String", + "metadata": { + "displayName": "Event Hub Authorization Rule Id", + "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}", + "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules", + "assignPermissions": true + } + }, + "eventHubName": { + "type": "String", + "metadata": { + "displayName": "Event Hub Name", + "description": "Specify the name of the Event Hub" + } + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "AuditIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "profileName": { + "type": "String", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + }, + "defaultValue": "setbypolicy_EH" + }, + "eventHubLocation": { + "type": "String", + "metadata": { + "displayName": "Event Hub Location", + "description": "The location the Event Hub resides in. Only Logic Apps in this location will be linked to this Event Hub.", + "strongType": "location" + }, + "allowedValues": [ + "swedencentral", + "westeurope" + ], + "defaultValue": "westeurope" + }, + "logsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "True" + } +} 
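Review bot: `logsEnabled` is a `"String"` taking `"True"`/`"False"` here, while the Table Services policy added in the same commit models the same switch as `"Boolean"`; the value flows into the template's `"enabled"` property, which is boolean on the diagnostic setting, so this file relies on implicit type coercion rather than stating the type. Prefer `"type": "Boolean"`, `"allowedValues": [true, false]`, `"defaultValue": true` with the template parameter typed `bool`, matching the other policies in this change. The `eventHubLocation` and `logsEnabled` descriptions also still mention "Logic Apps" and a "Log Analytics workspace" rather than AVD Host Pools and the Event Hub.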
diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for AVD Host Pool to Event Hub/azurepolicy.rules.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for AVD Host Pool to Event Hub/azurepolicy.rules.json new file mode 100644 index 00000000..fccbe9ec --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for AVD Host Pool to Event Hub/azurepolicy.rules.json 
@@ -0,0 +1,139 @@ +{ + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.DesktopVirtualization/hostpools" + }, + { + "anyOf": [ + { + "value": "[parameters('eventHubLocation')]", + "equals": "" + }, + { + "field": "location", + "equals": "[parameters('eventHubLocation')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[parameters('logsEnabled')]" + }, + { + "field": "microsoft.insights/diagnosticSettings/logs[*].categoryGroup", + "equals": "allLogs" + } + ] + } + }, + "equals": 1 + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", + "matchInsensitively": "[parameters('eventHubRuleId')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubName", + "matchInsensitively": "[parameters('eventHubName')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "eventHubRuleId": { + "type": "string" + }, + "eventHubName": { + "type": "string" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DesktopVirtualization/hostpools/providers/diagnosticSettings", + "apiVersion": 
"2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]", + "eventHubName": "[parameters('eventHubName')]", + "metrics": [], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type AVD Host Pools (Microsoft.DesktopVirtualization/hostpools), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]" + } + } + }, + "parameters": { + "eventHubRuleId": { + "value": "[parameters('eventHubRuleId')]" + }, + "eventHubName": { + "value": "[parameters('eventHubName')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } +} diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for AVD Scaling Plan to Event Hub/azurepolicy.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for AVD Scaling Plan to Event Hub/azurepolicy.json new file mode 100644 index 00000000..aefc56c7 --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for AVD Scaling Plan to Event Hub/azurepolicy.json 
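Review bot: The empty-string branch of the location `anyOf` (`"value": "[parameters('eventHubLocation')]", "equals": ""`) cannot be reached because the companion parameters file only allows `swedencentral` and `westeurope`, so host pools in other regions are excluded from evaluation without any signal. Either add `""` to `allowedValues` if a region-agnostic mode is really supported, or simplify the condition to `{"field": "location", "equals": "[parameters('eventHubLocation')]"}` and document that the policy must be assigned once per region; dead branches in an access/audit control make the effective scope harder to reason about.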
@@ -0,0 +1,216 @@
+{
+ "name": "73f500a0-c149-4939-8ab6-c01a2c51faa9",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "properties": {
+ "displayName": "Deploy Diagnostic Settings for AVD Scaling Plan to Event Hub",
+ "description": "Deploys the diagnostic settings for AVD Scaling Plans to stream to a Event Hub when any AVD Scaling which is missing this diagnostic settings is created or updated. The policy will set the diagnostic with all categories enabled.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Monitoring"
+ },
+ "mode": "Indexed",
+ "parameters": {
+ "eventHubRuleId": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Authorization Rule Id",
+ "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}",
+ "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules",
+ "assignPermissions": true
+ }
+ },
+ "eventHubName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Name",
+ "description": "Specify the name of the Event Hub"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "DeployIfNotExists",
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists"
+ },
+ "profileName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ },
+ "defaultValue": "setbypolicy_EH"
+ },
+ "eventHubLocation": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Location",
+ "description": "The location the Event Hub resides in. Only Logic Apps in this location will be linked to this Event Hub.",
+ "strongType": "location"
+ },
+ "allowedValues": [
+ "swedencentral",
+ "westeurope"
+ ],
+ "defaultValue": "westeurope"
+ },
+ "logsEnabled": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Enable logs",
+ "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ },
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "defaultValue": "True"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.DesktopVirtualization/scalingplans"
+ },
+ {
+ "anyOf": [
+ {
+ "value": "[parameters('eventHubLocation')]",
+ "equals": ""
+ },
+ {
+ "field": "location",
+ "equals": "[parameters('eventHubLocation')]"
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "[parameters('profileName')]",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[parameters('logsEnabled')]"
+ },
+ {
+ "field": "microsoft.insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "allLogs"
+ }
+ ]
+ }
+ },
+ "equals": 1
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId",
+ "matchInsensitively": "[parameters('eventHubRuleId')]"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/eventHubName",
+ "matchInsensitively": "[parameters('eventHubName')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
+ "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "String"
+ },
+ "eventHubRuleId": {
+ "type": "string"
+ },
+ "eventHubName": {
+ "type": "string"
+ },
+ "location": {
+ "type": "String"
+ },
+ "profileName": {
+ "type": "String"
+ },
+ "logsEnabled": {
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.DesktopVirtualization/scalingplans/providers/diagnosticSettings",
+ "apiVersion": "2021-05-01-preview",
+ "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
+ "location": "[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]",
+ "eventHubName": "[parameters('eventHubName')]",
+ "metrics": [],
+ "logs": [
+ {
+ "categoryGroup": "allLogs",
+ "enabled": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {
+ "policy": {
+ "type": "string",
+ "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type AVD Scaling (Microsoft.DesktopVirtualization/scalingplans), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]"
+ }
+ }
+ },
+ "parameters": {
+ "eventHubRuleId": {
+ "value": "[parameters('eventHubRuleId')]"
+ },
+ "eventHubName": {
+ "value": "[parameters('eventHubName')]"
+ },
+ "location": {
+ "value": "[field('location')]"
+ },
+ "resourceName": {
+ "value": "[field('name')]"
+ },
+ "profileName": {
+ "value": "[parameters('profileName')]"
+ },
+ "logsEnabled": {
+ "value": "[parameters('logsEnabled')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for AVD Scaling Plan to Event Hub/azurepolicy.parameters.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for AVD Scaling Plan to Event Hub/azurepolicy.parameters.json
new file mode 100644
index 00000000..713063bf
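Review bot: The `anyOf` branch that compares `[parameters('eventHubLocation')]` with `""` is unreachable, because the same definition restricts `eventHubLocation` to `allowedValues` `swedencentral`/`westeurope` with no empty option; either add `""` to `allowedValues` and document it as "all locations", or drop the branch so the location filter reads as intended. Two descriptions are copy-paste leftovers: `eventHubLocation` says "Only Logic Apps in this location will be linked to this Event Hub." where it should name AVD Scaling Plans, and `logsEnabled` says "stream to the Log Analytics workspace" although the sink is an Event Hub — suggest `"description": "Whether to enable logs stream to the Event Hub - True or False"`. The unreachable branch recurs in the rule files and definitions at L60, L67, L69, L75 and L77 (for L60 the parameters are outside this view, so it only holds if they follow the same `allowedValues`), and the same two description strings recur at L65, L69 and L73.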
--- /dev/null
+++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for AVD Scaling Plan to Event Hub/azurepolicy.parameters.json
@@ -0,0 +1,64 @@
+{
+ "eventHubRuleId": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Authorization Rule Id",
+ "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}",
+ "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules",
+ "assignPermissions": true
+ }
+ },
+ "eventHubName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Name",
+ "description": "Specify the name of the Event Hub"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "DeployIfNotExists",
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists"
+ },
+ "profileName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ },
+ "defaultValue": "setbypolicy_EH"
+ },
+ "eventHubLocation": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Location",
+ "description": "The location the Event Hub resides in. Only Logic Apps in this location will be linked to this Event Hub.",
+ "strongType": "location"
+ },
+ "allowedValues": [
+ "swedencentral",
+ "westeurope"
+ ],
+ "defaultValue": "westeurope"
+ },
+ "logsEnabled": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Enable logs",
+ "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ },
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "defaultValue": "True"
+ }
+}
diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for AVD Scaling Plan to Event Hub/azurepolicy.rules.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for AVD Scaling Plan to Event Hub/azurepolicy.rules.json
new file mode 100644
index 00000000..ee7d20ab
--- /dev/null
+++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for AVD Scaling Plan to Event Hub/azurepolicy.rules.json
@@ -0,0 +1,139 @@
+{
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.DesktopVirtualization/scalingplans"
+ },
+ {
+ "anyOf": [
+ {
+ "value": "[parameters('eventHubLocation')]",
+ "equals": ""
+ },
+ {
+ "field": "location",
+ "equals": "[parameters('eventHubLocation')]"
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "[parameters('profileName')]",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[parameters('logsEnabled')]"
+ },
+ {
+ "field": "microsoft.insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "allLogs"
+ }
+ ]
+ }
+ },
+ "equals": 1
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId",
+ "matchInsensitively": "[parameters('eventHubRuleId')]"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/eventHubName",
+ "matchInsensitively": "[parameters('eventHubName')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
+ "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "String"
+ },
+ "eventHubRuleId": {
+ "type": "string"
+ },
+ "eventHubName": {
+ "type": "string"
+ },
+ "location": {
+ "type": "String"
+ },
+ "profileName": {
+ "type": "String"
+ },
+ "logsEnabled": {
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.DesktopVirtualization/scalingplans/providers/diagnosticSettings",
+ "apiVersion": "2021-05-01-preview",
+ "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
+ "location": "[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]",
+ "eventHubName": "[parameters('eventHubName')]",
+ "metrics": [],
+ "logs": [
+ {
+ "categoryGroup": "allLogs",
+ "enabled": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {
+ "policy": {
+ "type": "string",
+ "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type AVD Scaling (Microsoft.DesktopVirtualization/scalingplans), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]"
+ }
+ }
+ },
+ "parameters": {
+ "eventHubRuleId": {
+ "value": "[parameters('eventHubRuleId')]"
+ },
+ "eventHubName": {
+ "value": "[parameters('eventHubName')]"
+ },
+ "location": {
+ "value": "[field('location')]"
+ },
+ "resourceName": {
+ "value": "[field('name')]"
+ },
+ "profileName": {
+ "value": "[parameters('profileName')]"
+ },
+ "logsEnabled": {
+ "value": "[parameters('logsEnabled')]"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for AVD Workspace to Event Hub/azurepolicy.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for AVD Workspace to Event Hub/azurepolicy.json
new file mode 100644
index 00000000..2a14539c
--- /dev/null
+++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for AVD Workspace to Event Hub/azurepolicy.json
@@ -0,0 +1,216 @@
+{
+ "name": "c790917b-b3ba-429d-91e0-1b99acf3d2d3",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "properties": {
+ "displayName": "Deploy Diagnostic Settings for AVD Workspace to Event Hub",
+ "description": "Deploys the diagnostic settings for AVD Workspaces to stream to a Event Hub when any AVD Workspace which is missing this diagnostic settings is created or updated. The policy will set the diagnostic with all categories enabled.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Monitoring"
+ },
+ "mode": "Indexed",
+ "parameters": {
+ "eventHubRuleId": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Authorization Rule Id",
+ "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}",
+ "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules",
+ "assignPermissions": true
+ }
+ },
+ "eventHubName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Name",
+ "description": "Specify the name of the Event Hub"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "DeployIfNotExists",
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists"
+ },
+ "profileName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ },
+ "defaultValue": "setbypolicy_EH"
+ },
+ "eventHubLocation": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Location",
+ "description": "The location the Event Hub resides in. Only Logic Apps in this location will be linked to this Event Hub.",
+ "strongType": "location"
+ },
+ "allowedValues": [
+ "swedencentral",
+ "westeurope"
+ ],
+ "defaultValue": "swedencentral"
+ },
+ "logsEnabled": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Enable logs",
+ "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ },
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "defaultValue": "True"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.DesktopVirtualization/workspaces"
+ },
+ {
+ "anyOf": [
+ {
+ "value": "[parameters('eventHubLocation')]",
+ "equals": ""
+ },
+ {
+ "field": "location",
+ "equals": "[parameters('eventHubLocation')]"
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "[parameters('profileName')]",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[parameters('logsEnabled')]"
+ },
+ {
+ "field": "microsoft.insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "allLogs"
+ }
+ ]
+ }
+ },
+ "equals": 1
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId",
+ "matchInsensitively": "[parameters('eventHubRuleId')]"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/eventHubName",
+ "matchInsensitively": "[parameters('eventHubName')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
+ "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "String"
+ },
+ "eventHubRuleId": {
+ "type": "string"
+ },
+ "eventHubName": {
+ "type": "string"
+ },
+ "location": {
+ "type": "String"
+ },
+ "profileName": {
+ "type": "String"
+ },
+ "logsEnabled": {
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.DesktopVirtualization/workspaces/providers/diagnosticSettings",
+ "apiVersion": "2021-05-01-preview",
+ "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
+ "location": "[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]",
+ "eventHubName": "[parameters('eventHubName')]",
+ "metrics": [],
+ "logs": [
+ {
+ "categoryGroup": "allLogs",
+ "enabled": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {
+ "policy": {
+ "type": "string",
+ "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type AVD Workspaces (Microsoft.DesktopVirtualization/workspaces), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]"
+ }
+ }
+ },
+ "parameters": {
+ "eventHubRuleId": {
+ "value": "[parameters('eventHubRuleId')]"
+ },
+ "eventHubName": {
+ "value": "[parameters('eventHubName')]"
+ },
+ "location": {
+ "value": "[field('location')]"
+ },
+ "resourceName": {
+ "value": "[field('name')]"
+ },
+ "profileName": {
+ "value": "[parameters('profileName')]"
+ },
+ "logsEnabled": {
+ "value": "[parameters('logsEnabled')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
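Review bot: `eventHubLocation` defaults to `"swedencentral"` in this definition (and in its parameters file at L73) while the sibling Scaling Plan and Analysis Services definitions default to `"westeurope"`; because this parameter is the `if` filter on `location`, an assignment that keeps the defaults silently leaves workspaces in the other region without any diagnostic setting, a monitoring gap rather than a visible failure. If the difference is intentional, state it in the parameter description; otherwise align the default with the other definitions so the set of policies covers the same regions. A short note in `metadata` or the description that the location filter must match the Event Hub namespace's region (as the Analysis Services definition already says) would help assigners pick the right value.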
diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for AVD Workspace to Event Hub/azurepolicy.parameters.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for AVD Workspace to Event Hub/azurepolicy.parameters.json
new file mode 100644
index 00000000..d0977e18
--- /dev/null
+++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for AVD Workspace to Event Hub/azurepolicy.parameters.json
@@ -0,0 +1,64 @@
+{
+ "eventHubRuleId": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Authorization Rule Id",
+ "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}",
+ "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules",
+ "assignPermissions": true
+ }
+ },
+ "eventHubName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Name",
+ "description": "Specify the name of the Event Hub"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "DeployIfNotExists",
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists"
+ },
+ "profileName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ },
+ "defaultValue": "setbypolicy_EH"
+ },
+ "eventHubLocation": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Location",
+ "description": "The location the Event Hub resides in. Only Logic Apps in this location will be linked to this Event Hub.",
+ "strongType": "location"
+ },
+ "allowedValues": [
+ "swedencentral",
+ "westeurope"
+ ],
+ "defaultValue": "swedencentral"
+ },
+ "logsEnabled": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Enable logs",
+ "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ },
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "defaultValue": "True"
+ }
+}
diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for AVD Workspace to Event Hub/azurepolicy.rules.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for AVD Workspace to Event Hub/azurepolicy.rules.json
new file mode 100644
index 00000000..75ca0d9b
--- /dev/null
+++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for AVD Workspace to Event Hub/azurepolicy.rules.json
@@ -0,0 +1,139 @@
+{
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.DesktopVirtualization/workspaces"
+ },
+ {
+ "anyOf": [
+ {
+ "value": "[parameters('eventHubLocation')]",
+ "equals": ""
+ },
+ {
+ "field": "location",
+ "equals": "[parameters('eventHubLocation')]"
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "[parameters('profileName')]",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[parameters('logsEnabled')]"
+ },
+ {
+ "field": "microsoft.insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "allLogs"
+ }
+ ]
+ }
+ },
+ "equals": 1
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId",
+ "matchInsensitively": "[parameters('eventHubRuleId')]"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/eventHubName",
+ "matchInsensitively": "[parameters('eventHubName')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
+ "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "String"
+ },
+ "eventHubRuleId": {
+ "type": "string"
+ },
+ "eventHubName": {
+ "type": "string"
+ },
+ "location": {
+ "type": "String"
+ },
+ "profileName": {
+ "type": "String"
+ },
+ "logsEnabled": {
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.DesktopVirtualization/workspaces/providers/diagnosticSettings",
+ "apiVersion": "2021-05-01-preview",
+ "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
+ "location": "[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]",
+ "eventHubName": "[parameters('eventHubName')]",
+ "metrics": [],
+ "logs": [
+ {
+ "categoryGroup": "allLogs",
+ "enabled": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {
+ "policy": {
+ "type": "string",
+ "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type AVD Workspaces (Microsoft.DesktopVirtualization/workspaces), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]"
+ }
+ }
+ },
+ "parameters": {
+ "eventHubRuleId": {
+ "value": "[parameters('eventHubRuleId')]"
+ },
+ "eventHubName": {
+ "value": "[parameters('eventHubName')]"
+ },
+ "location": {
+ "value": "[field('location')]"
+ },
+ "resourceName": {
+ "value": "[field('name')]"
+ },
+ "profileName": {
+ "value": "[parameters('profileName')]"
+ },
+ "logsEnabled": {
+ "value": "[parameters('logsEnabled')]"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Analysis Services to Event Hub/azurepolicy.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Analysis Services to Event Hub/azurepolicy.json
new file mode 100644
index 00000000..0d6606dd
--- /dev/null
+++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Analysis Services to Event Hub/azurepolicy.json
@@ -0,0 +1,243 @@
+{
+ "name": "78c61908-59be-47e9-9d17-6c6886c12be5",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "properties": {
+ "displayName": "Deploy Diagnostic Settings for Analysis Services to Event Hub",
+ "description": "Deploys the diagnostic settings for Analysis Services to stream to a Event Hub when any Analysis Services which is missing this diagnostic settings is created or updated. The policy will set the diagnostic with all metrics and categories enabled.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Monitoring"
+ },
+ "mode": "Indexed",
+ "parameters": {
+ "eventHubRuleId": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Authorization Rule Id",
+ "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}",
+ "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules",
+ "assignPermissions": true
+ }
+ },
+ "eventHubName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Name",
+ "description": "Specify the name of the Event Hub"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "DeployIfNotExists",
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists"
+ },
+ "profileName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ },
+ "defaultValue": "setbypolicy_EH"
+ },
+ "metricsEnabled": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Enable metrics",
+ "description": "Whether to enable metrics stream to the Event Hub - True or False"
+ },
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "defaultValue": "False"
+ },
+ "categoryGroup": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Category Group",
+ "description": "Diagnostic category group - none, audit, or allLogs."
+ },
+ "allowedValues": [
+ "allLogs"
+ ],
+ "defaultValue": "allLogs"
+ },
+ "eventHubLocation": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Location",
+ "description": "Resource Location must be in the same location as the Event Hub Namespace.",
+ "strongType": "location"
+ },
+ "allowedValues": [
+ "swedencentral",
+ "westeurope"
+ ],
+ "defaultValue": "westeurope"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.AnalysisServices/servers"
+ },
+ {
+ "anyOf": [
+ {
+ "value": "[parameters('eventHubLocation')]",
+ "equals": ""
+ },
+ {
+ "field": "location",
+ "equals": "[parameters('eventHubLocation')]"
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "[parameters('profileName')]",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[equals(parameters('categoryGroup'), 'allLogs')]"
+ },
+ {
+ "field": "microsoft.insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "allLogs"
+ }
+ ]
+ }
+ },
+ "equals": 1
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId",
+ "matchInsensitively": "[parameters('eventHubRuleId')]"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/eventHubName",
+ "matchInsensitively": "[parameters('eventHubName')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
+ "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "String"
+ },
+ "eventHubRuleId": {
+ "type": "string"
+ },
+ "eventHubName": {
+ "type": "string"
+ },
+ "eventHubLocation": {
+ "type": "String"
+ },
+ "profileName": {
+ "type": "String"
+ },
+ "metricsEnabled": {
+ "type": "String"
+ },
+ "categoryGroup": {
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.AnalysisServices/servers/providers/diagnosticSettings",
+ "apiVersion": "2021-05-01-preview",
+ "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
+ "location": "[parameters('eventHubLocation')]",
+ "dependsOn": [],
+ "properties": {
+ "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]",
+ "eventHubName": "[parameters('eventHubName')]",
+ "metrics": [
+ {
+ "category": "AllMetrics",
+ "enabled": "[parameters('metricsEnabled')]",
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ },
+ "timeGrain": null
+ }
+ ],
+ "logs": [
+ {
+ "categoryGroup": "allLogs",
+ "enabled": "[equals(parameters('categoryGroup'), 'allLogs')]"
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {
+ "policy": {
+ "type": "string",
+ "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type Analysis Services servers (Microsoft.AnalysisServices/servers), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]"
+ }
+ }
+ },
+ "parameters": {
+ "eventHubRuleId": {
+ "value": "[parameters('eventHubRuleId')]"
+ },
+ "eventHubName": {
+ "value": "[parameters('eventHubName')]"
+ },
+ "eventHubLocation": {
+ "value": "[field('location')]"
+ },
+ "resourceName": {
+ "value": "[field('name')]"
+ },
+ "profileName": {
+ "value": "[parameters('profileName')]"
+ },
+ "metricsEnabled": {
+ "value": "[parameters('metricsEnabled')]"
+ },
+ "categoryGroup": {
+ "value": "[parameters('categoryGroup')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Analysis Services to Event Hub/azurepolicy.parameters.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Analysis Services to Event Hub/azurepolicy.parameters.json
new file mode 100644
index 00000000..a688d08b
--- /dev/null
+++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Analysis Services to Event Hub/azurepolicy.parameters.json
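Review bot: The `existenceCondition` only inspects `logs[*]`, so a diagnostic setting whose `AllMetrics` entry is disabled is still evaluated as compliant even when the assignment sets `metricsEnabled` to `True`, and it is never remediated; a second `count` over `metrics[*]` mirroring the existing logs check closes that gap (sketched below, placed as the first element of the `allOf`). Relatedly, the policy `description` says the setting is created "with all metrics and categories enabled" while `metricsEnabled` defaults to `"False"`, so one of the two should change. The `categoryGroup` description lists "none, audit, or allLogs" but `allowedValues` admits only `allLogs`; either widen `allowedValues` or shorten the description to what is selectable. The template parameter named `eventHubLocation` is bound to `[field('location')]`, i.e. the server's own region, and used as the diagnostic setting's `location`, so a name such as `resourceLocation` would stop it being confused with the policy-level `eventHubLocation` filter.
```json
"allOf": [
  {
    "count": {
      "field": "Microsoft.Insights/diagnosticSettings/metrics[*]",
      "where": {
        "allOf": [
          {
            "field": "Microsoft.Insights/diagnosticSettings/metrics[*].enabled",
            "equals": "[parameters('metricsEnabled')]"
          },
          {
            "field": "Microsoft.Insights/diagnosticSettings/metrics[*].category",
            "equals": "AllMetrics"
          }
        ]
      }
    },
    "equals": 1
  },
  // … unchanged: existing logs[*] count, eventHubAuthorizationRuleId and eventHubName checks …
```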
@@ -0,0 +1,75 @@
+{
+ "eventHubRuleId": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Authorization Rule Id",
+ "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}",
+ "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules",
+ "assignPermissions": true
+ }
+ },
+ "eventHubName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Name",
+ "description": "Specify the name of the Event Hub"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "DeployIfNotExists",
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists"
+ },
+ "profileName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ },
+ "defaultValue": "setbypolicy_EH"
+ },
+ "metricsEnabled": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Enable metrics",
+ "description": "Whether to enable metrics stream to the Event Hub - True or False"
+ },
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "defaultValue": "False"
+ },
+ "categoryGroup": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Category Group",
+ "description": "Diagnostic category group - none, audit, or allLogs."
+ },
+ "allowedValues": [
+ "allLogs"
+ ],
+ "defaultValue": "allLogs"
+ },
+ "eventHubLocation": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Location",
+ "description": "Resource Location must be in the same location as the Event Hub Namespace.",
+ "strongType": "location"
+ },
+ "allowedValues": [
+ "swedencentral",
+ "westeurope"
+ ],
+ "defaultValue": "westeurope"
+ }
+}
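Review bot: `categoryGroup` describes its values as "none, audit, or allLogs", but `allowedValues` admits only `"allLogs"`, so either the description or the list is wrong; if only allLogs is supported today, say so, e.g. `"description": "Diagnostic category group; only allLogs is currently supported."`. Separately, the rules file for this definition treats an empty `eventHubLocation` as "any location", yet `allowedValues` here is `["swedencentral", "westeurope"]` with no `""` entry, so that branch can never be selected and Analysis Services servers in any other region are never evaluated — they stay silently out of scope of both the audit and the deployment, with no compliance signal. Either add `""` to `allowedValues` or state in the description that only those two regions are covered; the same gap exists in the App Service and Application Gateway parameters files later in this commit.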
diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Analysis Services to Event Hub/azurepolicy.rules.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Analysis Services to Event Hub/azurepolicy.rules.json new file mode 100644 index 00000000..561929a9 --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Analysis Services to Event Hub/azurepolicy.rules.json 
@@ -0,0 +1,155 @@ +{ + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.AnalysisServices/servers" + }, + { + "anyOf": [ + { + "value": "[parameters('eventHubLocation')]", + "equals": "" + }, + { + "field": "location", + "equals": "[parameters('eventHubLocation')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[equals(parameters('categoryGroup'), 'allLogs')]" + }, + { + "field": "microsoft.insights/diagnosticSettings/logs[*].categoryGroup", + "equals": "allLogs" + } + ] + } + }, + "equals": 1 + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", + "matchInsensitively": "[parameters('eventHubRuleId')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubName", + "matchInsensitively": "[parameters('eventHubName')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "eventHubRuleId": { + "type": "string" + }, + "eventHubName": { + "type": "string" + }, + "eventHubLocation": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "categoryGroup": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": 
"Microsoft.AnalysisServices/servers/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('eventHubLocation')]", + "dependsOn": [], + "properties": { + "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]", + "eventHubName": "[parameters('eventHubName')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": "[equals(parameters('categoryGroup'), 'allLogs')]" + } + ] + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type Analysis Services servers (Microsoft.AnalysisServices/servers), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]" + } + } + }, + "parameters": { + "eventHubRuleId": { + "value": "[parameters('eventHubRuleId')]" + }, + "eventHubName": { + "value": "[parameters('eventHubName')]" + }, + "eventHubLocation": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "categoryGroup": { + "value": "[parameters('categoryGroup')]" + } + } + } + } + } + } +} diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for App Service to Event Hub/azurepolicy.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for App Service to Event Hub/azurepolicy.json new file mode 100644 index 00000000..3d22947f --- /dev/null 
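Review bot: The `existenceCondition` never compares `metrics.enabled` with `metricsEnabled`, unlike the App Service and Application Gateway rules in this commit, so an existing diagnostic setting with the expected name, rule id and hub name but metrics disabled already satisfies the condition and no remediation runs even when the assignment asks for metrics. Add the same clause next to the log check: `{ "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", "equals": "[parameters('metricsEnabled')]" }`. A smaller point of style: the template declares `eventHubRuleId`/`eventHubName` as `"string"` and the other parameters as `"String"`; ARM accepts both, but the templates in this commit should settle on one casing.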
+++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for App Service to Event Hub/azurepolicy.json 
@@ -0,0 +1,252 @@ +{ + "name": "bcc7a2c4-346f-4fc8-b986-65fd2d1f5bde", + "type": "Microsoft.Authorization/policyDefinitions", + "properties": { + "displayName": "Deploy Diagnostic Settings for App Service to Event Hub", + "description": "Deploys the diagnostic settings for Web App to stream to a Event Hub when any Web App which is missing this diagnostic settings is created or updated. The policy will set the diagnostic with all metrics and category enabled.", + "metadata": { + "version": "1.0.0", + "category": "Monitoring" + }, + "mode": "Indexed", + "parameters": { + "eventHubRuleId": { + "type": "String", + "metadata": { + "displayName": "Event Hub Authorization Rule Id", + "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}", + "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules", + "assignPermissions": true + } + }, + "eventHubName": { + "type": "String", + "metadata": { + "displayName": "Event Hub Name", + "description": "Specify the name of the Event Hub" + } + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "AuditIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "profileName": { + "type": "String", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + }, + "defaultValue": "setbypolicy_EH" + }, + "metricsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "False" + }, + "logsEnabled": { 
+ "type": "String", + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "True" + }, + "eventHubLocation": { + "type": "String", + "metadata": { + "displayName": "Event Hub Location", + "description": "Resource Location must be in the same location as the Event Hub Namespace.", + "strongType": "location" + }, + "allowedValues": [ + "swedencentral", + "westeurope" + ], + "defaultValue": "westeurope" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Web/sites" + }, + { + "value": "[field('kind')]", + "notContains": "functionapp" + }, + { + "anyOf": [ + { + "value": "[parameters('eventHubLocation')]", + "equals": "" + }, + { + "field": "location", + "equals": "[parameters('eventHubLocation')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[parameters('logsEnabled')]" + }, + { + "field": "microsoft.insights/diagnosticSettings/logs[*].categoryGroup", + "equals": "allLogs" + } + ] + } + }, + "equals": 1 + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "[parameters('metricsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", + "matchInsensitively": "[parameters('eventHubRuleId')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubName", + "matchInsensitively": "[parameters('eventHubName')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", + 
"/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "eventHubRuleId": { + "type": "string" + }, + "eventHubName": { + "type": "string" + }, + "eventHubLocation": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Web/sites/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('eventHubLocation')]", + "dependsOn": [], + "properties": { + "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]", + "eventHubName": "[parameters('eventHubName')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type Web App (not functionapps) (Microsoft.Web/sites), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]" + } + } + }, + "parameters": { + "eventHubRuleId": { + "value": "[parameters('eventHubRuleId')]" + }, + "eventHubName": { + "value": "[parameters('eventHubName')]" + }, + "eventHubLocation": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": 
{ + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for App Service to Event Hub/azurepolicy.parameters.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for App Service to Event Hub/azurepolicy.parameters.json new file mode 100644 index 00000000..3eccfba9 --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for App Service to Event Hub/azurepolicy.parameters.json 
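Review bot: The `description` says the policy "will set the diagnostic with all metrics and category enabled", but `metricsEnabled` defaults to `"False"`, so a default assignment streams logs only; the text should match the defaults, e.g. `"description": "... The policy sets the allLogs category group and, when metricsEnabled is True, all metrics."`. The same description/default mismatch appears in the Application Gateway definition that follows. Also, `"notContains": "functionapp"` against `field('kind')` silently excludes Function Apps from this definition — reasonable if another definition covers them, but worth one sentence in the description so the compliance result is not read as covering every Microsoft.Web/sites resource.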
@@ -0,0 +1,76 @@
+{
+ "eventHubRuleId": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Authorization Rule Id",
+ "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}",
+ "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules",
+ "assignPermissions": true
+ }
+ },
+ "eventHubName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Name",
+ "description": "Specify the name of the Event Hub"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "DeployIfNotExists",
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists"
+ },
+ "profileName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ },
+ "defaultValue": "setbypolicy_EH"
+ },
+ "metricsEnabled": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Enable metrics",
+ "description": "Whether to enable metrics stream to the Event Hub - True or False"
+ },
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "defaultValue": "False"
+ },
+ "logsEnabled": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Enable logs",
+ "description": "Whether to enable logs stream to the Event Hub - True or False"
+ },
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "defaultValue": "True"
+ },
+ "eventHubLocation": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Location",
+ "description": "Resource Location must be in the same location as the Event Hub Namespace.",
+ "strongType": "location"
+ },
+ "allowedValues": [
+ "swedencentral",
+ "westeurope"
+ ],
+ "defaultValue": "westeurope"
+ }
+}
diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for App Service to Event Hub/azurepolicy.rules.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for App Service to Event Hub/azurepolicy.rules.json
new file mode 100644
index 00000000..9d3f4ca2
--- /dev/null
+++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for App Service to Event Hub/azurepolicy.rules.json
@@ -0,0 +1,163 @@ +{ + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Web/sites" + }, + { + "value": "[field('kind')]", + "notContains": "functionapp" + }, + { + "anyOf": [ + { + "value": "[parameters('eventHubLocation')]", + "equals": "" + }, + { + "field": "location", + "equals": "[parameters('eventHubLocation')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[parameters('logsEnabled')]" + }, + { + "field": "microsoft.insights/diagnosticSettings/logs[*].categoryGroup", + "equals": "allLogs" + } + ] + } + }, + "equals": 1 + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "[parameters('metricsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", + "matchInsensitively": "[parameters('eventHubRuleId')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubName", + "matchInsensitively": "[parameters('eventHubName')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "eventHubRuleId": { + "type": "string" + }, + "eventHubName": { + "type": "string" + }, + "eventHubLocation": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": 
{ + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Web/sites/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('eventHubLocation')]", + "dependsOn": [], + "properties": { + "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]", + "eventHubName": "[parameters('eventHubName')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type Web App (not functionapps) (Microsoft.Web/sites), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]" + } + } + }, + "parameters": { + "eventHubRuleId": { + "value": "[parameters('eventHubRuleId')]" + }, + "eventHubName": { + "value": "[parameters('eventHubName')]" + }, + "eventHubLocation": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } +} diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Application Gateway to Event Hub/azurepolicy.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Application Gateway to Event Hub/azurepolicy.json new file mode 100644 index 00000000..f2cf4ffc --- /dev/null 
+++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Application Gateway to Event Hub/azurepolicy.json 
@@ -0,0 +1,248 @@ +{ + "name": "14d9dea0-4fc5-48ea-9dc0-1e8eb806f794", + "type": "Microsoft.Authorization/policyDefinitions", + "properties": { + "displayName": "Deploy Diagnostic Settings for Application Gateway to Event Hub", + "description": "Deploys the diagnostic settings for Application Gateway to stream to a Event Hub when any Application Gateway which is missing this diagnostic settings is created or updated. The policy will set the diagnostic with all metrics and category enabled.", + "metadata": { + "version": "1.0.0", + "category": "Monitoring" + }, + "mode": "Indexed", + "parameters": { + "eventHubRuleId": { + "type": "String", + "metadata": { + "displayName": "Event Hub Authorization Rule Id", + "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}", + "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules", + "assignPermissions": true + } + }, + "eventHubName": { + "type": "String", + "metadata": { + "displayName": "Event Hub Name", + "description": "Specify the name of the Event Hub" + } + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "AuditIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "profileName": { + "type": "String", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + }, + "defaultValue": "setbypolicy_EH" + }, + "metricsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": 
"False" + }, + "logsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "True" + }, + "eventHubLocation": { + "type": "String", + "metadata": { + "displayName": "Event Hub Location", + "description": "Resource Location must be in the same location as the Event Hub Namespace.", + "strongType": "location" + }, + "allowedValues": [ + "swedencentral", + "westeurope" + ], + "defaultValue": "westeurope" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/applicationGateways" + }, + { + "anyOf": [ + { + "value": "[parameters('eventHubLocation')]", + "equals": "" + }, + { + "field": "location", + "equals": "[parameters('eventHubLocation')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[parameters('logsEnabled')]" + }, + { + "field": "microsoft.insights/diagnosticSettings/logs[*].categoryGroup", + "equals": "allLogs" + } + ] + } + }, + "equals": 1 + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "[parameters('metricsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", + "matchInsensitively": "[parameters('eventHubRuleId')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubName", + "matchInsensitively": "[parameters('eventHubName')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", + 
"/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "string" + }, + "eventHubRuleId": { + "type": "string" + }, + "eventHubName": { + "type": "string" + }, + "eventHubLocation": { + "type": "string" + }, + "profileName": { + "type": "string" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/applicationGateways/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('eventHubLocation')]", + "dependsOn": [], + "properties": { + "eventHubName": "[parameters('eventHubName')]", + "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type Application Gateways (Microsoft.Network/applicationGateways), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]" + } + } + }, + "parameters": { + "eventHubRuleId": { + "value": "[parameters('eventHubRuleId')]" + }, + "eventHubName": { + "value": "[parameters('eventHubName')]" + }, + "eventHubLocation": { + "value": "[field('location')]" + }, + "resourceName": { + "value": 
"[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Application Gateway to Event Hub/azurepolicy.parameters.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Application Gateway to Event Hub/azurepolicy.parameters.json new file mode 100644 index 00000000..3eccfba9 --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Application Gateway to Event Hub/azurepolicy.parameters.json 
@@ -0,0 +1,76 @@
+{
+ "eventHubRuleId": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Authorization Rule Id",
+ "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}",
+ "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules",
+ "assignPermissions": true
+ }
+ },
+ "eventHubName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Name",
+ "description": "Specify the name of the Event Hub"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "DeployIfNotExists",
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists"
+ },
+ "profileName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ },
+ "defaultValue": "setbypolicy_EH"
+ },
+ "metricsEnabled": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Enable metrics",
+ "description": "Whether to enable metrics stream to the Event Hub - True or False"
+ },
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "defaultValue": "False"
+ },
+ "logsEnabled": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Enable logs",
+ "description": "Whether to enable logs stream to the Event Hub - True or False"
+ },
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "defaultValue": "True"
+ },
+ "eventHubLocation": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Location",
+ "description": "Resource Location must be in the same location as the Event Hub Namespace.",
+ "strongType": "location"
+ },
+ "allowedValues": [
+ "swedencentral",
+ "westeurope"
+ ],
+ "defaultValue": "westeurope"
+ }
+}
diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Application Gateway to Event Hub/azurepolicy.rules.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Application Gateway to Event Hub/azurepolicy.rules.json
new file mode 100644
index 00000000..afbfdd1a
--- /dev/null
+++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Application Gateway to Event Hub/azurepolicy.rules.json
@@ -0,0 +1,159 @@ +{ + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/applicationGateways" + }, + { + "anyOf": [ + { + "value": "[parameters('eventHubLocation')]", + "equals": "" + }, + { + "field": "location", + "equals": "[parameters('eventHubLocation')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[parameters('logsEnabled')]" + }, + { + "field": "microsoft.insights/diagnosticSettings/logs[*].categoryGroup", + "equals": "allLogs" + } + ] + } + }, + "equals": 1 + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "[parameters('metricsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", + "matchInsensitively": "[parameters('eventHubRuleId')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubName", + "matchInsensitively": "[parameters('eventHubName')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "string" + }, + "eventHubRuleId": { + "type": "string" + }, + "eventHubName": { + "type": "string" + }, + "eventHubLocation": { + "type": "string" + }, + "profileName": { + "type": "string" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + 
"type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/applicationGateways/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('eventHubLocation')]", + "dependsOn": [], + "properties": { + "eventHubName": "[parameters('eventHubName')]", + "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type Application Gateways (Microsoft.Network/applicationGateways), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]" + } + } + }, + "parameters": { + "eventHubRuleId": { + "value": "[parameters('eventHubRuleId')]" + }, + "eventHubName": { + "value": "[parameters('eventHubName')]" + }, + "eventHubLocation": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } +} diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Application Insights to Event Hub/azurepolicy.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Application Insights to Event Hub/azurepolicy.json new file mode 100644 index 00000000..11a0fb94 --- /dev/null 
+++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Application Insights to Event Hub/azurepolicy.json 
@@ -0,0 +1,248 @@ +{ + "name": "77a42613-edec-4f4f-b1c7-4848f1e2c7d1", + "type": "Microsoft.Authorization/policyDefinitions", + "properties": { + "displayName": "Deploy Diagnostic Settings for Application Insights to Event Hub", + "description": "Deploys the diagnostic settings for Application Insights to stream to an Event Hub when any Application Insights which is missing this diagnostic settings is created or updated. The policy will set the diagnostic with all metrics and category enabled.", + "metadata": { + "version": "1.0.0", + "category": "Monitoring" + }, + "mode": "Indexed", + "parameters": { + "eventHubRuleId": { + "type": "String", + "metadata": { + "displayName": "Event Hub Authorization Rule Id", + "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}", + "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules", + "assignPermissions": true + } + }, + "eventHubName": { + "type": "String", + "metadata": { + "displayName": "Event Hub Name", + "description": "Specify the name of the Event Hub" + } + }, + "eventHubLocation": { + "type": "String", + "metadata": { + "displayName": "Event Hub Location", + "description": "Resource Location must be in the same location as the Event Hub Namespace.", + "strongType": "location" + }, + "allowedValues": [ + "swedencentral", + "westeurope" + ], + "defaultValue": "westeurope" + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "AuditIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "profileName": { + "type": "String", + "metadata": { + "displayName": "Profile name", + "description": "The 
diagnostic settings profile name" + }, + "defaultValue": "setbypolicy_EH" + }, + "metricsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "False" + }, + "logsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "True" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Insights/components" + }, + { + "anyOf": [ + { + "value": "[parameters('eventHubLocation')]", + "equals": "" + }, + { + "field": "location", + "equals": "[parameters('eventHubLocation')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[parameters('logsEnabled')]" + }, + { + "field": "microsoft.insights/diagnosticSettings/logs[*].categoryGroup", + "equals": "allLogs" + } + ] + } + }, + "equals": 1 + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "[parameters('metricsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", + "matchInsensitively": "[parameters('eventHubRuleId')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubName", + "matchInsensitively": "[parameters('eventHubName')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "eventHubRuleId": { + "type": "string" + }, + "eventHubName": { + "type": "string" + }, + "eventHubLocation": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Insights/components/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('eventHubLocation')]", + "dependsOn": [], + "properties": { + "eventHubName": "[parameters('eventHubName')]", + "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type Application Insights (Microsoft.Insights/components), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]" + } + } + }, + "parameters": { + "eventHubRuleId": { + "value": "[parameters('eventHubRuleId')]" + }, + "eventHubName": { + "value": "[parameters('eventHubName')]" + }, + "eventHubLocation": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + 
"profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Application Insights to Event Hub/azurepolicy.parameters.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Application Insights to Event Hub/azurepolicy.parameters.json new file mode 100644 index 00000000..9a80056e --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Application Insights to Event Hub/azurepolicy.parameters.json 
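Review bot: The region filter in `policyRule.if` silently excludes every Application Insights component outside `swedencentral`/`westeurope`: the branch `"value": "[parameters('eventHubLocation')]", "equals": ""` can never match because `allowedValues` contains no empty string, so out-of-region components are simply out of scope and are never reported non-compliant, which leaves a logging blind spot that the assignment does not surface. Since the parameter description itself says the resource must be in the same region as the Event Hub namespace, either add `""` to `allowedValues` (documented as "no region filter, one namespace serves all regions") so the existing branch becomes reachable, or remove the dead branch and pair each regional `DeployIfNotExists` assignment with a catch-all `AuditIfNotExists` assignment for the remaining regions. Separately, the `metricsEnabled` and `logsEnabled` descriptions say "stream to the Log Analytics workspace" although the sink is an Event Hub; the FHIR definition in this same commit already uses `"Whether to enable metrics stream to the Event Hub - True or False"`.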
@@ -0,0 +1,76 @@ +{ + "eventHubRuleId": { + "type": "String", + "metadata": { + "displayName": "Event Hub Authorization Rule Id", + "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}", + "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules", + "assignPermissions": true + } + }, + "eventHubName": { + "type": "String", + "metadata": { + "displayName": "Event Hub Name", + "description": "Specify the name of the Event Hub" + } + }, + "eventHubLocation": { + "type": "String", + "metadata": { + "displayName": "Event Hub Location", + "description": "Resource Location must be in the same location as the Event Hub Namespace.", + "strongType": "location" + }, + "allowedValues": [ + "swedencentral", + "westeurope" + ], + "defaultValue": "westeurope" + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "AuditIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "profileName": { + "type": "String", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + }, + "defaultValue": "setbypolicy_EH" + }, + "metricsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "False" + }, + "logsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + 
"defaultValue": "True" + } +} diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Application Insights to Event Hub/azurepolicy.rules.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Application Insights to Event Hub/azurepolicy.rules.json new file mode 100644 index 00000000..9aa96175 --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Application Insights to Event Hub/azurepolicy.rules.json 
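Review bot: Both `metricsEnabled` and `logsEnabled` describe the sink as "the Log Analytics workspace" although this parameter file belongs to an Event Hub definition; assignment authors reading only this file will be misled about where the data goes. Suggest `"Whether to enable metrics stream to the Event Hub - True or False"` and `"Whether to enable logs stream to the Event Hub - True or False"`, matching the wording used in the FHIR parameters file of this commit. This file duplicates the `parameters` block of `azurepolicy.json`, so the same wording fix is needed in both places to keep them in sync.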
@@ -0,0 +1,159 @@ +{ + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Insights/components" + }, + { + "anyOf": [ + { + "value": "[parameters('eventHubLocation')]", + "equals": "" + }, + { + "field": "location", + "equals": "[parameters('eventHubLocation')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[parameters('logsEnabled')]" + }, + { + "field": "microsoft.insights/diagnosticSettings/logs[*].categoryGroup", + "equals": "allLogs" + } + ] + } + }, + "equals": 1 + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "[parameters('metricsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", + "matchInsensitively": "[parameters('eventHubRuleId')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubName", + "matchInsensitively": "[parameters('eventHubName')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "eventHubRuleId": { + "type": "string" + }, + "eventHubName": { + "type": "string" + }, + "eventHubLocation": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": 
"String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Insights/components/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('eventHubLocation')]", + "dependsOn": [], + "properties": { + "eventHubName": "[parameters('eventHubName')]", + "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type Application Insights (Microsoft.Insights/components), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]" + } + } + }, + "parameters": { + "eventHubRuleId": { + "value": "[parameters('eventHubRuleId')]" + }, + "eventHubName": { + "value": "[parameters('eventHubName')]" + }, + "eventHubLocation": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } +} diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Autoscale Settings to Event Hub/azurepolicy.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Autoscale Settings to Event Hub/azurepolicy.json new file mode 100644 index 00000000..cb2c6b3a --- /dev/null 
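Review bot: The existence condition pins `Microsoft.Insights/diagnosticSettings/metrics.enabled` to exactly `[parameters('metricsEnabled')]`, whose default is `"False"`, so a pre-existing `setbypolicy_EH` setting that already streams `AllMetrics` is judged non-compliant and the `Incremental` remediation deployment rewrites it with metrics disabled; a policy meant to add telemetry can therefore also remove it. Unless forcing metrics off is intended, make the check one-sided so that metrics are only required when the parameter asks for them: `{ "anyOf": [ { "value": "[parameters('metricsEnabled')]", "equals": "False" }, { "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", "equals": "True" } ] }`. This file is a copy of `policyRule` in `azurepolicy.json`; whichever form is chosen must be applied to both so compliance evaluation and the checked-in rule do not drift.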
+++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Autoscale Settings to Event Hub/azurepolicy.json 
@@ -0,0 +1,247 @@ +{ + "name": "d652dcb5-3dd6-497b-bc1b-ce90e5b72147", + "type": "Microsoft.Authorization/policyDefinitions", + "properties": { + "displayName": "Deploy Diagnostic Settings for Autoscale Settings to Event Hub", + "description": "Deploys the diagnostic settings for Azure Monitor Autoscale Settings to stream to an Event Hub when any application group which is missing this diagnostic settings is created or updated. The policy will set the diagnostic with all and categories enabled.", + "metadata": { + "version": "1.0.0", + "category": "Monitoring" + }, + "mode": "Indexed", + "parameters": { + "eventHubRuleId": { + "type": "String", + "metadata": { + "displayName": "Event Hub Authorization Rule Id", + "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}", + "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules", + "assignPermissions": true + } + }, + "eventHubName": { + "type": "String", + "metadata": { + "displayName": "Event Hub Name", + "description": "Specify the name of the Event Hub" + } + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "AuditIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "profileName": { + "type": "String", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + }, + "defaultValue": "setbypolicy_EH" + }, + "metricsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + 
"defaultValue": "False" + }, + "eventHubLocation": { + "type": "String", + "metadata": { + "displayName": "Event Hub Location", + "description": "Resource Location must be in the same location as the Event Hub Namespace.", + "strongType": "location" + }, + "allowedValues": [ + "swedencentral", + "westeurope" + ], + "defaultValue": "westeurope" + }, + "logsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "True" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Insights/autoscalesettings" + }, + { + "anyOf": [ + { + "value": "[parameters('eventHubLocation')]", + "equals": "" + }, + { + "field": "location", + "equals": "[parameters('eventHubLocation')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[parameters('logsEnabled')]" + }, + { + "field": "microsoft.insights/diagnosticSettings/logs[*].categoryGroup", + "equals": "allLogs" + } + ] + } + }, + "equals": 1 + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "[parameters('metricsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", + "matchInsensitively": "[parameters('eventHubRuleId')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubName", + "matchInsensitively": "[parameters('eventHubName')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", 
+ "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "eventHubRuleId": { + "type": "string" + }, + "eventHubName": { + "type": "string" + }, + "eventHubLocation": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Insights/autoscalesettings/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('eventHubLocation')]", + "dependsOn": [], + "properties": { + "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]", + "eventHubName": "[parameters('eventHubName')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "enabled": false, + "days": 0 + } + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type Monitor Autoscale settings (Microsoft.Insights/autoscalesettings), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]" + } + } + }, + "parameters": { + "eventHubRuleId": { + "value": "[parameters('eventHubRuleId')]" + }, + "eventHubName": { + "value": "[parameters('eventHubName')]" + }, + "eventHubLocation": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + 
"profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Autoscale Settings to Event Hub/azurepolicy.parameters.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Autoscale Settings to Event Hub/azurepolicy.parameters.json new file mode 100644 index 00000000..df02e2f2 --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Autoscale Settings to Event Hub/azurepolicy.parameters.json 
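Review bot: The `description` is copy-pasted from another definition and misdescribes this policy: it says diagnostics are deployed "when any application group which is missing this diagnostic settings is created or updated" although the rule matches `Microsoft.Insights/autoscalesettings`, and "with all and categories enabled" is garbled. Suggest `"Deploys the diagnostic settings for Azure Monitor Autoscale Settings to stream to an Event Hub when any Autoscale Setting which is missing this diagnostic setting is created or updated. The policy enables the allLogs category group; metrics are enabled only when the metricsEnabled parameter is True."`, which also reflects the `"False"` default of `metricsEnabled`. The `logsEnabled` description likewise says "stream to the Log Analytics workspace" while `metricsEnabled` in the same block correctly says "to the Event Hub"; align the two.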
@@ -0,0 +1,76 @@ +{ + "eventHubRuleId": { + "type": "String", + "metadata": { + "displayName": "Event Hub Authorization Rule Id", + "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}", + "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules", + "assignPermissions": true + } + }, + "eventHubName": { + "type": "String", + "metadata": { + "displayName": "Event Hub Name", + "description": "Specify the name of the Event Hub" + } + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "AuditIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "profileName": { + "type": "String", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + }, + "defaultValue": "setbypolicy_EH" + }, + "metricsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "False" + }, + "eventHubLocation": { + "type": "String", + "metadata": { + "displayName": "Event Hub Location", + "description": "Resource Location must be in the same location as the Event Hub Namespace.", + "strongType": "location" + }, + "allowedValues": [ + "swedencentral", + "westeurope" + ], + "defaultValue": "westeurope" + }, + "logsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + 
"defaultValue": "True" + } +} diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Autoscale Settings to Event Hub/azurepolicy.rules.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Autoscale Settings to Event Hub/azurepolicy.rules.json new file mode 100644 index 00000000..9ba266de --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Autoscale Settings to Event Hub/azurepolicy.rules.json 
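Review bot: `logsEnabled` is described as "Whether to enable logs stream to the Log Analytics workspace" while `metricsEnabled` a few lines above says "to the Event Hub"; within one Event Hub parameter file the two should agree. Suggest `"Whether to enable logs stream to the Event Hub - True or False"`, and make the same change in the `parameters` block of the matching `azurepolicy.json`, which this file duplicates.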
@@ -0,0 +1,158 @@ +{ + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Insights/autoscalesettings" + }, + { + "anyOf": [ + { + "value": "[parameters('eventHubLocation')]", + "equals": "" + }, + { + "field": "location", + "equals": "[parameters('eventHubLocation')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[parameters('logsEnabled')]" + }, + { + "field": "microsoft.insights/diagnosticSettings/logs[*].categoryGroup", + "equals": "allLogs" + } + ] + } + }, + "equals": 1 + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "[parameters('metricsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", + "matchInsensitively": "[parameters('eventHubRuleId')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubName", + "matchInsensitively": "[parameters('eventHubName')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "eventHubRuleId": { + "type": "string" + }, + "eventHubName": { + "type": "string" + }, + "eventHubLocation": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + 
"type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Insights/autoscalesettings/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('eventHubLocation')]", + "dependsOn": [], + "properties": { + "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]", + "eventHubName": "[parameters('eventHubName')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "enabled": false, + "days": 0 + } + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type Monitor Autoscale settings (Microsoft.Insights/autoscalesettings), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]" + } + } + }, + "parameters": { + "eventHubRuleId": { + "value": "[parameters('eventHubRuleId')]" + }, + "eventHubName": { + "value": "[parameters('eventHubName')]" + }, + "eventHubLocation": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } +} diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Azure API for FHIR to Event Hub/azurepolicy.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Azure API for FHIR to Event Hub/azurepolicy.json new file mode 100644 index 00000000..949e5b8e --- /dev/null 
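Review bot: The `anyOf` location guard contains an unreachable branch: `"value": "[parameters('eventHubLocation')]", "equals": ""` only fires for an empty parameter, but the parameter's `allowedValues` (defined in the sibling `azurepolicy.json`/`azurepolicy.parameters.json`) are limited to `swedencentral` and `westeurope`, so autoscale settings in any other region fall outside the policy and produce no compliance record at all. That is a quiet monitoring gap rather than a visible non-compliance; either add `""` to the parameter's `allowedValues` so the branch is usable, or drop the branch here and document that one assignment per Event Hub region is required. The metrics entry in the template also omits the `"timeGrain": null` the Application Insights and FHIR templates carry; harmless as far as I can tell, but worth making the three templates identical so diffs between them stay meaningful.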
+++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Azure API for FHIR to Event Hub/azurepolicy.json 
@@ -0,0 +1,234 @@ +{ + "name": "a998732d-c998-4fcd-b468-4e0ea8ba45bf", + "type": "Microsoft.Authorization/policyDefinitions", + "properties": { + "displayName": "Deploy Diagnostic Settings for Azure API for FHIR to Event Hub", + "description": "Deploys the diagnostic settings for Azure API for FHIR to stream to a Event Hub when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The policy will set the diagnostic with all metrics and category enabled.", + "metadata": { + "version": "1.0.0", + "category": "Monitoring" + }, + "mode": "Indexed", + "parameters": { + "eventHubRuleId": { + "type": "String", + "metadata": { + "displayName": "Event Hub Authorization Rule Id", + "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}", + "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules", + "assignPermissions": true + } + }, + "eventHubName": { + "type": "String", + "metadata": { + "displayName": "Event Hub Name", + "description": "Specify the name of the Event Hub" + } + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "AuditIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "profileName": { + "type": "String", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + }, + "defaultValue": "setbypolicy_EH" + }, + "metricsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": 
"False" + }, + "logsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "True" + }, + "eventHubLocation": { + "type": "String", + "metadata": { + "displayName": "Event Hub Location", + "description": "Resource Location must be in the same location as the Event Hub Namespace.", + "strongType": "location" + }, + "allowedValues": [ + "swedencentral", + "westeurope" + ], + "defaultValue": "westeurope" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.HealthcareApis/services" + }, + { + "anyOf": [ + { + "value": "[parameters('eventHubLocation')]", + "equals": "" + }, + { + "field": "location", + "equals": "[parameters('eventHubLocation')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "[parameters('logsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "[parameters('metricsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", + "matchInsensitively": "[parameters('eventHubRuleId')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubName", + "matchInsensitively": "[parameters('eventHubName')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + 
"contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "eventHubRuleId": { + "type": "string" + }, + "eventHubName": { + "type": "string" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.HealthcareApis/services/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]", + "eventHubName": "[parameters('eventHubName')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type Azure API for FHIR (Microsoft.HealthcareApis/services), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]" + } + } + }, + "parameters": { + "eventHubRuleId": { + "value": "[parameters('eventHubRuleId')]" + }, + "eventHubName": { + "value": "[parameters('eventHubName')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} 
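Review bot: The FHIR existence condition is weaker than the Application Insights and Autoscale definitions in this same commit: it only checks `Microsoft.Insights/diagnosticSettings/logs.enabled` against `logsEnabled`, with no check that the enabled entry is the `allLogs` category group, whereas the siblings use a `count` over `logs[*]` requiring both `enabled` and `categoryGroup` equals `allLogs`. A pre-existing `setbypolicy_EH` setting on a healthcare API that enables only a subset of categories would therefore be treated as compliant and never remediated, so audit categories could be silently missing for exactly the resource type where completeness matters most. Replace the first `allOf` element with the same `count` block the siblings use; the remaining `metrics.enabled`, `eventHubAuthorizationRuleId` and `eventHubName` conditions stay as they are.
```json
"existenceCondition": {
  "allOf": [
    {
      "count": {
        "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
        "where": {
          "allOf": [
            {
              "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
              "equals": "[parameters('logsEnabled')]"
            },
            {
              "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup",
              "equals": "allLogs"
            }
          ]
        }
      },
      "equals": 1
    },
```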
diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Azure API for FHIR to Event Hub/azurepolicy.parameters.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Azure API for FHIR to Event Hub/azurepolicy.parameters.json new file mode 100644 index 00000000..3eccfba9 --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Azure API for FHIR to Event Hub/azurepolicy.parameters.json 
@@ -0,0 +1,76 @@ +{ + "eventHubRuleId": { + "type": "String", + "metadata": { + "displayName": "Event Hub Authorization Rule Id", + "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}", + "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules", + "assignPermissions": true + } + }, + "eventHubName": { + "type": "String", + "metadata": { + "displayName": "Event Hub Name", + "description": "Specify the name of the Event Hub" + } + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "AuditIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "profileName": { + "type": "String", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + }, + "defaultValue": "setbypolicy_EH" + }, + "metricsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "False" + }, + "logsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "True" + }, + "eventHubLocation": { + "type": "String", + "metadata": { + "displayName": "Event Hub Location", + "description": "Resource Location must be in the same location as the Event Hub Namespace.", + "strongType": "location" + }, + "allowedValues": [ + "swedencentral", + "westeurope" + ], + "defaultValue": "westeurope" + } 
+} diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Azure API for FHIR to Event Hub/azurepolicy.rules.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Azure API for FHIR to Event Hub/azurepolicy.rules.json new file mode 100644 index 00000000..96571c22 --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Azure API for FHIR to Event Hub/azurepolicy.rules.json 
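Review bot: `eventHubLocation` in this file allows only `swedencentral` and `westeurope` (default `westeurope`), so an assignment can never supply the empty string that the companion rules file tests with `"value": "[parameters('eventHubLocation')]", "equals": ""`; that branch is dead and the policy silently applies to nothing outside those two regions. If "same region as the namespace only" is the intent, state it in the description and drop the dead branch; if the intent matches the Batch Account definition later in this commit (`"defaultValue": ""`, no `allowedValues`), add `""` to the allowed values. This file is byte-identical to the other two parameters.json files added here (blob `3eccfba9`) and repeats the `parameters` block of its azurepolicy.json, so the region list currently has to be kept in sync in six places by hand.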
@@ -0,0 +1,145 @@ +{ + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.HealthcareApis/services" + }, + { + "anyOf": [ + { + "value": "[parameters('eventHubLocation')]", + "equals": "" + }, + { + "field": "location", + "equals": "[parameters('eventHubLocation')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "[parameters('logsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "[parameters('metricsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", + "matchInsensitively": "[parameters('eventHubRuleId')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubName", + "matchInsensitively": "[parameters('eventHubName')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "eventHubRuleId": { + "type": "string" + }, + "eventHubName": { + "type": "string" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.HealthcareApis/services/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]", + "eventHubName": "[parameters('eventHubName')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type Azure API for FHIR (Microsoft.HealthcareApis/services), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]" + } + } + }, + "parameters": { + "eventHubRuleId": { + "value": "[parameters('eventHubRuleId')]" + }, + "eventHubName": { + "value": "[parameters('eventHubName')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } +} diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Azure Data Explorer Cluster to Event Hub/azurepolicy.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Azure Data Explorer Cluster to Event Hub/azurepolicy.json new file mode 100644 index 00000000..2edf118c --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Azure Data Explorer Cluster to Event Hub/azurepolicy.json 
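Review bot: The nested deployment template's parameter types mix `"type": "string"` (eventHubRuleId, eventHubName) with `"type": "String"` (the other five); ARM accepts both, but one spelling keeps the six copies of this template in the commit diffable against each other. The `$schema` value is the `http://schema.management.azure.com/...` form while Microsoft's template reference lists the `https://` form; since the value is only a schema identifier, switching it is safe. The same two points apply to the Data Explorer and Function App templates later in this commit.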
@@ -0,0 +1,234 @@ +{ + "name": "0af98247-f412-4fff-8454-16f9016ae6c4", + "type": "Microsoft.Authorization/policyDefinitions", + "properties": { + "displayName": "Deploy Diagnostic Settings for Azure Data Explorer Cluster to Event Hub", + "description": "Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Event Hub when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The policy will set the diagnostic with all metrics and category enabled.", + "metadata": { + "version": "1.0.0", + "category": "Monitoring" + }, + "mode": "Indexed", + "parameters": { + "eventHubRuleId": { + "type": "String", + "metadata": { + "displayName": "Event Hub Authorization Rule Id", + "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}", + "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules", + "assignPermissions": true + } + }, + "eventHubName": { + "type": "String", + "metadata": { + "displayName": "Event Hub Name", + "description": "Specify the name of the Event Hub" + } + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "AuditIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "profileName": { + "type": "String", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + }, + "defaultValue": "setbypolicy_EH" + }, + "metricsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + 
"False" + ], + "defaultValue": "False" + }, + "logsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "True" + }, + "eventHubLocation": { + "type": "String", + "metadata": { + "displayName": "Event Hub Location", + "description": "Resource Location must be in the same location as the Event Hub Namespace.", + "strongType": "location" + }, + "allowedValues": [ + "swedencentral", + "westeurope" + ], + "defaultValue": "westeurope" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Kusto/Clusters" + }, + { + "anyOf": [ + { + "value": "[parameters('eventHubLocation')]", + "equals": "" + }, + { + "field": "location", + "equals": "[parameters('eventHubLocation')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "[parameters('logsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "[parameters('metricsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", + "matchInsensitively": "[parameters('eventHubRuleId')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubName", + "matchInsensitively": "[parameters('eventHubName')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": 
"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "eventHubRuleId": { + "type": "string" + }, + "eventHubName": { + "type": "string" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Kusto/Clusters/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]", + "eventHubName": "[parameters('eventHubName')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type Azure Data Explorer Cluster (Microsoft.Kusto/Clusters), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]" + } + } + }, + "parameters": { + "eventHubRuleId": { + "value": "[parameters('eventHubRuleId')]" + }, + "eventHubName": { + "value": "[parameters('eventHubName')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } 
+ } + } + } +} diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Azure Data Explorer Cluster to Event Hub/azurepolicy.parameters.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Azure Data Explorer Cluster to Event Hub/azurepolicy.parameters.json new file mode 100644 index 00000000..3eccfba9 --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Azure Data Explorer Cluster to Event Hub/azurepolicy.parameters.json 
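Review bot: The `description` states that the policy "will set the diagnostic with all metrics and category enabled", but `metricsEnabled` defaults to `"False"` and only the `allLogs` category group is enabled by default, so an assignment that keeps the defaults streams no metrics at all. Reword to something like `Streams the allLogs category group and, when metricsEnabled is True, all metrics for the cluster to the Event Hub.` so an operator does not assume metrics are being forwarded. The same sentence appears in the Function App definition later in this commit.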
@@ -0,0 +1,76 @@ +{ + "eventHubRuleId": { + "type": "String", + "metadata": { + "displayName": "Event Hub Authorization Rule Id", + "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}", + "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules", + "assignPermissions": true + } + }, + "eventHubName": { + "type": "String", + "metadata": { + "displayName": "Event Hub Name", + "description": "Specify the name of the Event Hub" + } + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "AuditIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "profileName": { + "type": "String", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + }, + "defaultValue": "setbypolicy_EH" + }, + "metricsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "False" + }, + "logsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "True" + }, + "eventHubLocation": { + "type": "String", + "metadata": { + "displayName": "Event Hub Location", + "description": "Resource Location must be in the same location as the Event Hub Namespace.", + "strongType": "location" + }, + "allowedValues": [ + "swedencentral", + "westeurope" + ], + "defaultValue": "westeurope" + } 
+} diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Azure Data Explorer Cluster to Event Hub/azurepolicy.rules.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Azure Data Explorer Cluster to Event Hub/azurepolicy.rules.json new file mode 100644 index 00000000..554bd115 --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Azure Data Explorer Cluster to Event Hub/azurepolicy.rules.json 
@@ -0,0 +1,145 @@ +{ + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Kusto/Clusters" + }, + { + "anyOf": [ + { + "value": "[parameters('eventHubLocation')]", + "equals": "" + }, + { + "field": "location", + "equals": "[parameters('eventHubLocation')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "[parameters('logsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "[parameters('metricsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", + "matchInsensitively": "[parameters('eventHubRuleId')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubName", + "matchInsensitively": "[parameters('eventHubName')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "eventHubRuleId": { + "type": "string" + }, + "eventHubName": { + "type": "string" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Kusto/Clusters/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]", + "eventHubName": "[parameters('eventHubName')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type Azure Data Explorer Cluster (Microsoft.Kusto/Clusters), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]" + } + } + }, + "parameters": { + "eventHubRuleId": { + "value": "[parameters('eventHubRuleId')]" + }, + "eventHubName": { + "value": "[parameters('eventHubName')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } +} diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Azure Function App to Event Hub/azurepolicy.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Azure Function App to Event Hub/azurepolicy.json new file mode 100644 index 00000000..669a5c79 --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Azure Function App to Event Hub/azurepolicy.json 
@@ -0,0 +1,234 @@ +{ + "name": "ba22807a-8167-4224-b4e1-074830eb42e3", + "type": "Microsoft.Authorization/policyDefinitions", + "properties": { + "displayName": "Deploy Diagnostic Settings for Azure Function App to Event Hub", + "description": "Deploys the diagnostic settings for Azure Function App to stream to a Event Hub when any function app which is missing this diagnostic settings is created or updated. The policy will set the diagnostic with all metrics and category enabled.", + "metadata": { + "version": "1.0.0", + "category": "Monitoring" + }, + "mode": "Indexed", + "parameters": { + "eventHubRuleId": { + "type": "String", + "metadata": { + "displayName": "Event Hub Authorization Rule Id", + "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}", + "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules", + "assignPermissions": true + } + }, + "eventHubName": { + "type": "String", + "metadata": { + "displayName": "Event Hub Name", + "description": "Specify the name of the Event Hub" + } + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "AuditIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "profileName": { + "type": "String", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + }, + "defaultValue": "setbypolicy_EH" + }, + "metricsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "False" 
+ }, + "logsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "True" + }, + "eventHubLocation": { + "type": "String", + "metadata": { + "displayName": "Event Hub Location", + "description": "Resource Location must be in the same location as the Event Hub Namespace.", + "strongType": "location" + }, + "allowedValues": [ + "swedencentral", + "westeurope" + ], + "defaultValue": "westeurope" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Web/sites" + }, + { + "value": "[field('kind')]", + "contains": "functionapp" + }, + { + "value": "[parameters('eventHubLocation')]", + "equals": "" + }, + { + "field": "location", + "equals": "[parameters('eventHubLocation')]" + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "[parameters('logsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "[parameters('metricsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", + "matchInsensitively": "[parameters('eventHubRuleId')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubName", + "matchInsensitively": "[parameters('eventHubName')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": 
"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "eventHubRuleId": { + "type": "string" + }, + "eventHubName": { + "type": "string" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Web/sites/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]", + "eventHubName": "[parameters('eventHubName')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type Web App (functionapps) (Microsoft.Web/sites), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]" + } + } + }, + "parameters": { + "eventHubRuleId": { + "value": "[parameters('eventHubRuleId')]" + }, + "eventHubName": { + "value": "[parameters('eventHubName')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} 
diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Azure Function App to Event Hub/azurepolicy.parameters.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Azure Function App to Event Hub/azurepolicy.parameters.json new file mode 100644 index 00000000..3eccfba9 --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Azure Function App to Event Hub/azurepolicy.parameters.json 
@@ -0,0 +1,76 @@ +{ + "eventHubRuleId": { + "type": "String", + "metadata": { + "displayName": "Event Hub Authorization Rule Id", + "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}", + "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules", + "assignPermissions": true + } + }, + "eventHubName": { + "type": "String", + "metadata": { + "displayName": "Event Hub Name", + "description": "Specify the name of the Event Hub" + } + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "AuditIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "profileName": { + "type": "String", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + }, + "defaultValue": "setbypolicy_EH" + }, + "metricsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "False" + }, + "logsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "True" + }, + "eventHubLocation": { + "type": "String", + "metadata": { + "displayName": "Event Hub Location", + "description": "Resource Location must be in the same location as the Event Hub Namespace.", + "strongType": "location" + }, + "allowedValues": [ + "swedencentral", + "westeurope" + ], + "defaultValue": "westeurope" + } 
+} diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Azure Function App to Event Hub/azurepolicy.rules.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Azure Function App to Event Hub/azurepolicy.rules.json new file mode 100644 index 00000000..432fbec3 --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Azure Function App to Event Hub/azurepolicy.rules.json 
@@ -0,0 +1,145 @@ +{ + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Web/sites" + }, + { + "value": "[field('kind')]", + "contains": "functionapp" + }, + { + "value": "[parameters('eventHubLocation')]", + "equals": "" + }, + { + "field": "location", + "equals": "[parameters('eventHubLocation')]" + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "[parameters('logsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "[parameters('metricsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", + "matchInsensitively": "[parameters('eventHubRuleId')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubName", + "matchInsensitively": "[parameters('eventHubName')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "eventHubRuleId": { + "type": "string" + }, + "eventHubName": { + "type": "string" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Web/sites/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 
'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]", + "eventHubName": "[parameters('eventHubName')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type Web App (functionapps) (Microsoft.Web/sites), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]" + } + } + }, + "parameters": { + "eventHubRuleId": { + "value": "[parameters('eventHubRuleId')]" + }, + "eventHubName": { + "value": "[parameters('eventHubName')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } +} diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Batch Account to Event Hub/azurepolicy.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Batch Account to Event Hub/azurepolicy.json new file mode 100644 index 00000000..590ebefe --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Batch Account to Event Hub/azurepolicy.json 
@@ -0,0 +1,229 @@
+{
+ "name": "3c2d201e-17ab-4f18-ba74-66733f380b85",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "properties": {
+ "displayName": "Deploy Diagnostic Settings for Batch Account to Event Hub",
+ "description": "Deploys the diagnostic settings for Batch Account to stream to a regional Event Hub when any Batch Account which is missing this diagnostic settings is created or updated. Amended built-in policy to add eventHubName-parameter to stream to a specific event hub.",
+ "metadata": {
+ "version": "2.0.0",
+ "category": "Monitoring"
+ },
+ "mode": "Indexed",
+ "parameters": {
+ "effect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "profileName": {
+ "type": "string",
+ "defaultValue": "setbypolicy_EH",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ }
+ },
+ "eventHubRuleId": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Event Hub Authorization Rule Id",
+ "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}",
+ "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules",
+ "assignPermissions": true
+ }
+ },
+ "eventHubLocation": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Location",
+ "description": "The location the Event Hub resides in. 
Only Batch Accounts in this location will be linked to this Event Hub.",
+ "strongType": "location"
+ },
+ "defaultValue": ""
+ },
+ "eventHubName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Name",
+ "description": "Specify the name of the Event Hub"
+ }
+ },
+ "metricsEnabled": {
+ "type": "string",
+ "defaultValue": "False",
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "metadata": {
+ "displayName": "Enable metrics",
+ "description": "Whether to enable metrics stream to the Event Hub - True or False"
+ }
+ },
+ "logsEnabled": {
+ "type": "string",
+ "defaultValue": "True",
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "metadata": {
+ "displayName": "Enable logs",
+ "description": "Whether to enable logs stream to the Event Hub - True or False"
+ }
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Batch/batchAccounts"
+ },
+ {
+ "anyOf": [
+ {
+ "value": "[parameters('eventHubLocation')]",
+ "equals": ""
+ },
+ {
+ "field": "location",
+ "equals": "[parameters('eventHubLocation')]"
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "[parameters('profileName')]",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
+ "equals": "[parameters('logsEnabled')]"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
+ "equals": "[parameters('metricsEnabled')]"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId",
+ "matchInsensitively": "[parameters('eventHubRuleId')]"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/eventHubName",
+ "matchInsensitively": "[parameters('eventHubName')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec",
+ 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "eventHubRuleId": {
+ "type": "string"
+ },
+ "eventHubName": {
+ "type": "string"
+ },
+ "metricsEnabled": {
+ "type": "string"
+ },
+ "logsEnabled": {
+ "type": "string"
+ },
+ "profileName": {
+ "type": "string"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Batch/batchAccounts/providers/diagnosticSettings",
+ "apiVersion": "2021-05-01-preview",
+ "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
+ "location": "[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]",
+ "eventHubName": "[parameters('eventHubName')]",
+ "metrics": [
+ {
+ "category": "AllMetrics",
+ "enabled": "[parameters('metricsEnabled')]",
+ "retentionPolicy": {
+ "enabled": false,
+ "days": 0
+ }
+ }
+ ],
+ "logs": [
+ {
+ "categoryGroup": "allLogs",
+ "enabled": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {
+ "policy": {
+ "type": "string",
+ "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type Batch Account (Microsoft.Batch/batchAccounts), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]"
+ }
+ }
+ },
+ "parameters": {
+ "location": {
+ "value": "[field('location')]"
+ },
+ "resourceName": {
+ "value": "[field('name')]"
+ },
+ "eventHubRuleId": {
+ "value": "[parameters('eventHubRuleId')]"
+ },
+ "eventHubName": {
+ "value": "[parameters('eventHubName')]"
+ },
+ "metricsEnabled": {
+ "value": 
"[parameters('metricsEnabled')]"
+ },
+ "logsEnabled": {
+ "value": "[parameters('logsEnabled')]"
+ },
+ "profileName": {
+ "value": "[parameters('profileName')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Batch Account to Event Hub/azurepolicy.parameters.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Batch Account to Event Hub/azurepolicy.parameters.json
new file mode 100644
index 00000000..c03eb754
--- /dev/null
+++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Batch Account to Event Hub/azurepolicy.parameters.json
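Review bot: `"mode": "incremental"` in the deployment properties of this Batch Account definition is spelled in lower case while every other definition in the commit (the function-app rules above, CDN Endpoint and Cosmos DB below) uses `"mode": "Incremental"`; as far as I know ARM resolves the value case-insensitively, so this is a point of style, but these files are near-copies of one another and a consistent spelling keeps a diff between them limited to what actually differs. The same lower-case value appears in this policy's azurepolicy.rules.json further down and should be changed together with it: `"mode": "Incremental",`.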
@@ -0,0 +1,72 @@
+{
+ "effect": {
+ "type": "String",
+ "defaultValue": "DeployIfNotExists",
+ "allowedValues": [
+ "DeployIfNotExists",
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ }
+ },
+ "profileName": {
+ "type": "string",
+ "defaultValue": "setbypolicy_EH",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ }
+ },
+ "eventHubRuleId": {
+ "type": "string",
+ "metadata": {
+ "displayName": "Event Hub Authorization Rule Id",
+ "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}",
+ "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules",
+ "assignPermissions": true
+ }
+ },
+ "eventHubLocation": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Location",
+ "description": "The location the Event Hub resides in. Only Batch Accounts in this location will be linked to this Event Hub.",
+ "strongType": "location"
+ },
+ "defaultValue": ""
+ },
+ "eventHubName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Name",
+ "description": "Specify the name of the Event Hub"
+ }
+ },
+ "metricsEnabled": {
+ "type": "string",
+ "defaultValue": "False",
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "metadata": {
+ "displayName": "Enable metrics",
+ "description": "Whether to enable metrics stream to the Event Hub - True or False"
+ }
+ },
+ "logsEnabled": {
+ "type": "string",
+ "defaultValue": "True",
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "metadata": {
+ "displayName": "Enable logs",
+ "description": "Whether to enable logs stream to the Event Hub - True or False"
+ }
+ }
+}
diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Batch Account to Event Hub/azurepolicy.rules.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Batch Account to Event Hub/azurepolicy.rules.json
new file mode 100644
index 00000000..d8b2efc1
--- /dev/null
+++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Batch Account to Event Hub/azurepolicy.rules.json
@@ -0,0 +1,144 @@
+{
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Batch/batchAccounts"
+ },
+ {
+ "anyOf": [
+ {
+ "value": "[parameters('eventHubLocation')]",
+ "equals": ""
+ },
+ {
+ "field": "location",
+ "equals": "[parameters('eventHubLocation')]"
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "[parameters('profileName')]",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
+ "equals": "[parameters('logsEnabled')]"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
+ "equals": "[parameters('metricsEnabled')]"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId",
+ "matchInsensitively": "[parameters('eventHubRuleId')]"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/eventHubName",
+ "matchInsensitively": "[parameters('eventHubName')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "eventHubRuleId": {
+ "type": "string"
+ },
+ "eventHubName": {
+ "type": "string"
+ },
+ "metricsEnabled": {
+ "type": "string"
+ },
+ "logsEnabled": {
+ "type": "string"
+ },
+ "profileName": {
+ "type": "string"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Batch/batchAccounts/providers/diagnosticSettings",
+ "apiVersion": "2021-05-01-preview",
+ "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]",
+ "location": "[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]",
+ "eventHubName": "[parameters('eventHubName')]",
+ "metrics": [
+ {
+ "category": "AllMetrics",
+ "enabled": "[parameters('metricsEnabled')]",
+ "retentionPolicy": {
+ "enabled": false,
+ "days": 0
+ }
+ }
+ ],
+ "logs": [
+ {
+ "categoryGroup": "allLogs",
+ "enabled": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {
+ "policy": {
+ "type": "string",
+ "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type Batch Account (Microsoft.Batch/batchAccounts), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]"
+ }
+ }
+ },
+ "parameters": {
+ "location": {
+ "value": "[field('location')]"
+ },
+ "resourceName": {
+ "value": "[field('name')]"
+ },
+ "eventHubRuleId": {
+ "value": "[parameters('eventHubRuleId')]"
+ },
+ "eventHubName": {
+ "value": "[parameters('eventHubName')]"
+ },
+ "metricsEnabled": {
+ "value": "[parameters('metricsEnabled')]"
+ },
+ "logsEnabled": {
+ "value": "[parameters('logsEnabled')]"
+ },
+ "profileName": {
+ "value": "[parameters('profileName')]"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for CDN Endpoint to Event Hub/azurepolicy.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for CDN Endpoint to Event Hub/azurepolicy.json
new file mode 100644
index 00000000..addd5331
--- /dev/null
+++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for CDN Endpoint to Event Hub/azurepolicy.json
@@ -0,0 +1,202 @@
+{
+ "name": "b4b503bb-4a7b-4c65-9e66-9d327781d3ee",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "properties": {
+ "displayName": "Deploy Diagnostic Settings for CDN Endpoint to Event Hub",
+ "description": "Deploys the diagnostic settings for CDN Endpoint to stream to a Event Hub when any CDN Endpoint which is missing this diagnostic settings is created or updated. The policy will set the diagnostic with all metrics and category enabled.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Monitoring"
+ },
+ "mode": "Indexed",
+ "parameters": {
+ "eventHubRuleId": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Authorization Rule Id",
+ "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}",
+ "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules",
+ "assignPermissions": true
+ }
+ },
+ "eventHubName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Name",
+ "description": "Specify the name of the Event Hub"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "DeployIfNotExists",
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists"
+ },
+ "profileName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ },
+ "defaultValue": "setbypolicy_EH"
+ },
+ "logsEnabled": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Enable logs",
+ "description": "Whether to enable logs stream to the Event Hub - True or False"
+ },
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "defaultValue": "True"
+ },
+ 
"eventHubLocation": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Location",
+ "description": "Resource Location must be in the same location as the Event Hub Namespace.",
+ "strongType": "location"
+ },
+ "allowedValues": [
+ "swedencentral",
+ "westeurope"
+ ],
+ "defaultValue": "westeurope"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Cdn/profiles/endpoints"
+ },
+ {
+ "anyOf": [
+ {
+ "value": "[parameters('eventHubLocation')]",
+ "equals": ""
+ },
+ {
+ "field": "location",
+ "equals": "[parameters('eventHubLocation')]"
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "[parameters('profileName')]",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
+ "equals": "[parameters('logsEnabled')]"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId",
+ "matchInsensitively": "[parameters('eventHubRuleId')]"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/eventHubName",
+ "matchInsensitively": "[parameters('eventHubName')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "String"
+ },
+ "eventHubRuleId": {
+ "type": "string"
+ },
+ "eventHubName": {
+ "type": "string"
+ },
+ "location": {
+ "type": "String"
+ },
+ "profileName": {
+ "type": "String"
+ },
+ "logsEnabled": {
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": 
"Microsoft.Cdn/profiles/endpoints/providers/diagnosticSettings",
+ "apiVersion": "2021-05-01-preview",
+ "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
+ "location": "[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]",
+ "eventHubName": "[parameters('eventHubName')]",
+ "metrics": [],
+ "logs": [
+ {
+ "categoryGroup": "allLogs",
+ "enabled": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {
+ "policy": {
+ "type": "string",
+ "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type CDN Endpoints (Microsoft.Cdn/profiles/endpoints), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]"
+ }
+ }
+ },
+ "parameters": {
+ "eventHubRuleId": {
+ "value": "[parameters('eventHubRuleId')]"
+ },
+ "eventHubName": {
+ "value": "[parameters('eventHubName')]"
+ },
+ "location": {
+ "value": "[field('location')]"
+ },
+ "resourceName": {
+ "value": "[field('fullName')]"
+ },
+ "profileName": {
+ "value": "[parameters('profileName')]"
+ },
+ "logsEnabled": {
+ "value": "[parameters('logsEnabled')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for CDN Endpoint to Event Hub/azurepolicy.parameters.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for CDN Endpoint to Event Hub/azurepolicy.parameters.json
new file mode 100644
index 00000000..c022809f
--- /dev/null
+++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for CDN Endpoint to Event Hub/azurepolicy.parameters.json
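Review bot: The `"equals": ""` branch of the `anyOf` in `policyRule.if` is unreachable in this CDN Endpoint definition: `eventHubLocation` restricts `allowedValues` to `swedencentral` and `westeurope` with `westeurope` as default, so an assignment can never pass the empty string that would make the policy apply regardless of region. Either drop the `allowedValues` list so the parameter behaves as in the Batch Account definition above (any region, or "" for all), or remove the dead branch; hard-coding two regions into an otherwise generic definition also means it cannot be reused in another region without editing the file. The description additionally says the policy sets the diagnostic "with all metrics and category enabled", but the template emits `"metrics": []` and streams logs only, so the sentence should be corrected to `The policy streams all log categories (no metrics) to the Event Hub.` or similar. The same unreachable branch and region list are in this policy's azurepolicy.parameters.json and azurepolicy.rules.json below and in the Cosmos DB definition that follows.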
@@ -0,0 +1,64 @@
+{
+ "eventHubRuleId": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Authorization Rule Id",
+ "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}",
+ "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules",
+ "assignPermissions": true
+ }
+ },
+ "eventHubName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Name",
+ "description": "Specify the name of the Event Hub"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "DeployIfNotExists",
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists"
+ },
+ "profileName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ },
+ "defaultValue": "setbypolicy_EH"
+ },
+ "logsEnabled": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Enable logs",
+ "description": "Whether to enable logs stream to the Event Hub - True or False"
+ },
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "defaultValue": "True"
+ },
+ "eventHubLocation": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Location",
+ "description": "Resource Location must be in the same location as the Event Hub Namespace.",
+ "strongType": "location"
+ },
+ "allowedValues": [
+ "swedencentral",
+ "westeurope"
+ ],
+ "defaultValue": "westeurope"
+ }
+}
diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for CDN Endpoint to Event Hub/azurepolicy.rules.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for CDN Endpoint to Event Hub/azurepolicy.rules.json
new file mode 100644
index 00000000..0d971f17
--- /dev/null
+++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for CDN Endpoint to Event Hub/azurepolicy.rules.json
@@ -0,0 +1,125 @@
+{
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Cdn/profiles/endpoints"
+ },
+ {
+ "anyOf": [
+ {
+ "value": "[parameters('eventHubLocation')]",
+ "equals": ""
+ },
+ {
+ "field": "location",
+ "equals": "[parameters('eventHubLocation')]"
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "[parameters('profileName')]",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
+ "equals": "[parameters('logsEnabled')]"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId",
+ "matchInsensitively": "[parameters('eventHubRuleId')]"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/eventHubName",
+ "matchInsensitively": "[parameters('eventHubName')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "String"
+ },
+ "eventHubRuleId": {
+ "type": "string"
+ },
+ "eventHubName": {
+ "type": "string"
+ },
+ "location": {
+ "type": "String"
+ },
+ "profileName": {
+ "type": "String"
+ },
+ "logsEnabled": {
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Cdn/profiles/endpoints/providers/diagnosticSettings",
+ "apiVersion": "2021-05-01-preview",
+ "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
+ "location": "[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "eventHubAuthorizationRuleId": 
"[parameters('eventHubRuleId')]",
+ "eventHubName": "[parameters('eventHubName')]",
+ "metrics": [],
+ "logs": [
+ {
+ "categoryGroup": "allLogs",
+ "enabled": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {
+ "policy": {
+ "type": "string",
+ "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type CDN Endpoints (Microsoft.Cdn/profiles/endpoints), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]"
+ }
+ }
+ },
+ "parameters": {
+ "eventHubRuleId": {
+ "value": "[parameters('eventHubRuleId')]"
+ },
+ "eventHubName": {
+ "value": "[parameters('eventHubName')]"
+ },
+ "location": {
+ "value": "[field('location')]"
+ },
+ "resourceName": {
+ "value": "[field('fullName')]"
+ },
+ "profileName": {
+ "value": "[parameters('profileName')]"
+ },
+ "logsEnabled": {
+ "value": "[parameters('logsEnabled')]"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Cosmos DB to Event Hub/azurepolicy.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Cosmos DB to Event Hub/azurepolicy.json
new file mode 100644
index 00000000..def0670d
--- /dev/null
+++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Cosmos DB to Event Hub/azurepolicy.json
@@ -0,0 +1,311 @@
+{
+ "name": "d176c9b1-2522-4e21-9caa-8d3869e81516",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "properties": {
+ "displayName": "Deploy Diagnostic Settings for Cosmos DB to Event Hub",
+ "description": "Deploys the diagnostic settings for Cosmos DB to stream to a Event Hub when any Cosmos DB which is missing this diagnostic settings is created or updated. The policy will set the diagnostic with all metrics and category enabled.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Monitoring"
+ },
+ "mode": "Indexed",
+ "parameters": {
+ "eventHubRuleId": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Authorization Rule Id",
+ "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}",
+ "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules",
+ "assignPermissions": true
+ }
+ },
+ "eventHubName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Name",
+ "description": "Specify the name of the Event Hub"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "DeployIfNotExists",
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists"
+ },
+ "profileName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ },
+ "defaultValue": "setbypolicy_EH"
+ },
+ "metricsEnabled": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Enable metrics",
+ "description": "Whether to enable metrics stream to the Event Hub - True or False"
+ },
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "defaultValue": "False"
+ },
+ "logsEnabled": 
{
+ "type": "String",
+ "metadata": {
+ "displayName": "Enable logs",
+ "description": "Whether to enable logs stream to the Event Hub - True or False"
+ },
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "defaultValue": "True"
+ },
+ "eventHubLocation": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Location",
+ "description": "Resource Location must be in the same location as the Event Hub Namespace.",
+ "strongType": "location"
+ },
+ "allowedValues": [
+ "swedencentral",
+ "westeurope"
+ ],
+ "defaultValue": "westeurope"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.DocumentDB/databaseAccounts"
+ },
+ {
+ "anyOf": [
+ {
+ "value": "[parameters('eventHubLocation')]",
+ "equals": ""
+ },
+ {
+ "field": "location",
+ "equals": "[parameters('eventHubLocation')]"
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "[parameters('profileName')]",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
+ "equals": "[parameters('logsEnabled')]"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
+ "equals": "[parameters('metricsEnabled')]"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId",
+ "matchInsensitively": "[parameters('eventHubRuleId')]"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/eventHubName",
+ "matchInsensitively": "[parameters('eventHubName')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ 
"parameters": {
+ "resourceName": {
+ "type": "String"
+ },
+ "eventHubRuleId": {
+ "type": "string"
+ },
+ "eventHubName": {
+ "type": "string"
+ },
+ "location": {
+ "type": "String"
+ },
+ "profileName": {
+ "type": "String"
+ },
+ "metricsEnabled": {
+ "type": "String"
+ },
+ "logsEnabled": {
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.DocumentDB/databaseAccounts/providers/diagnosticSettings",
+ "apiVersion": "2021-05-01-preview",
+ "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
+ "location": "[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]",
+ "eventHubName": "[parameters('eventHubName')]",
+ "metrics": [
+ {
+ "category": "Requests",
+ "enabled": "[parameters('metricsEnabled')]",
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ },
+ "timeGrain": null
+ }
+ ],
+ "logs": [
+ {
+ "category": "DataPlaneRequests",
+ "categoryGroup": null,
+ "enabled": "[parameters('logsEnabled')]",
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ }
+ },
+ {
+ "category": "MongoRequests",
+ "categoryGroup": null,
+ "enabled": "[parameters('logsEnabled')]",
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ }
+ },
+ {
+ "category": "QueryRuntimeStatistics",
+ "categoryGroup": null,
+ "enabled": "[parameters('logsEnabled')]",
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ }
+ },
+ {
+ "category": "PartitionKeyStatistics",
+ "categoryGroup": null,
+ "enabled": "[parameters('logsEnabled')]",
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ }
+ },
+ {
+ "category": "PartitionKeyRUConsumption",
+ "categoryGroup": null,
+ "enabled": "[parameters('logsEnabled')]",
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ }
+ },
+ {
+ "category": "ControlPlaneRequests",
+ "categoryGroup": null,
+ "enabled": "[parameters('logsEnabled')]",
+ "retentionPolicy": {
+ "days": 0, 
+ "enabled": false
+ }
+ },
+ {
+ "category": "CassandraRequests",
+ "categoryGroup": null,
+ "enabled": "[parameters('logsEnabled')]",
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ }
+ },
+ {
+ "category": "GremlinRequests",
+ "categoryGroup": null,
+ "enabled": "[parameters('logsEnabled')]",
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ }
+ },
+ {
+ "category": "TableApiRequests",
+ "categoryGroup": null,
+ "enabled": "[parameters('logsEnabled')]",
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ }
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {
+ "policy": {
+ "type": "string",
+ "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type Cosmos DB (Microsoft.DocumentDB/databaseAccounts), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]"
+ }
+ }
+ },
+ "parameters": {
+ "eventHubRuleId": {
+ "value": "[parameters('eventHubRuleId')]"
+ },
+ "eventHubName": {
+ "value": "[parameters('eventHubName')]"
+ },
+ "location": {
+ "value": "[field('location')]"
+ },
+ "resourceName": {
+ "value": "[field('name')]"
+ },
+ "profileName": {
+ "value": "[parameters('profileName')]"
+ },
+ "metricsEnabled": {
+ "value": "[parameters('metricsEnabled')]"
+ },
+ "logsEnabled": {
+ "value": "[parameters('logsEnabled')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Cosmos DB to Event Hub/azurepolicy.parameters.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Cosmos DB to Event Hub/azurepolicy.parameters.json
new file mode 100644
index 00000000..3eccfba9
--- /dev/null
+++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Cosmos DB to Event Hub/azurepolicy.parameters.json
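Review bot: The description of this Cosmos DB definition says the policy "will set the diagnostic with all metrics and category enabled", but `metricsEnabled` defaults to `"False"` and the template emits only the single `Requests` metric category, so a default assignment streams logs and no metrics; the sentence should match, e.g. `The policy enables all listed log categories; the Requests metric is streamed only when metricsEnabled is True.`. Separately, the nine log categories are enumerated by name (`DataPlaneRequests` through `TableApiRequests`) while the Batch Account and CDN Endpoint definitions in this commit use `"categoryGroup": "allLogs"`; with the explicit list, any category the resource provider adds later is silently not streamed, and the existence condition, which checks only `Microsoft.Insights/diagnosticSettings/logs.enabled`, will keep reporting the resource compliant. Unless a category is meant to be excluded on purpose, the `categoryGroup` form used by the sibling definitions would be the safer and shorter choice here.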
@@ -0,0 +1,76 @@
+{
+ "eventHubRuleId": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Authorization Rule Id",
+ "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}",
+ "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules",
+ "assignPermissions": true
+ }
+ },
+ "eventHubName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Name",
+ "description": "Specify the name of the Event Hub"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "DeployIfNotExists",
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists"
+ },
+ "profileName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ },
+ "defaultValue": "setbypolicy_EH"
+ },
+ "metricsEnabled": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Enable metrics",
+ "description": "Whether to enable metrics stream to the Event Hub - True or False"
+ },
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "defaultValue": "False"
+ },
+ "logsEnabled": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Enable logs",
+ "description": "Whether to enable logs stream to the Event Hub - True or False"
+ },
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "defaultValue": "True"
+ },
+ "eventHubLocation": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Location",
+ "description": "Resource Location must be in the same location as the Event Hub Namespace.",
+ "strongType": "location"
+ },
+ "allowedValues": [
+ "swedencentral",
+ "westeurope"
+ ],
+ "defaultValue": "westeurope"
+ }
+}
diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Cosmos DB to Event Hub/azurepolicy.rules.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Cosmos DB to Event Hub/azurepolicy.rules.json
new file mode 100644
index 00000000..08331ceb
--- /dev/null
+++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Cosmos DB to Event Hub/azurepolicy.rules.json
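Review bot: `eventHubLocation` admits only `swedencentral` and `westeurope` in `allowedValues`, with no empty-string entry, yet the rule in the next hunk (and every azurepolicy.json copy in this diff) treats `"value": "[parameters('eventHubLocation')]", "equals": ""` as the "apply to any region" case, so that `anyOf` branch can never be selected at assignment time. Either add `""` to `allowedValues` so the documented wildcard is reachable (the `strongType: location` picker is unlikely to offer an empty value, so that may also need to go), or delete the dead branch so the rule reads as it behaves. The identical parameter block recurs in the Data Factory and MySQL parameters and azurepolicy.json hunks below.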
@@ -0,0 +1,222 @@
+{
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.DocumentDB/databaseAccounts"
+ },
+ {
+ "anyOf": [
+ {
+ "value": "[parameters('eventHubLocation')]",
+ "equals": ""
+ },
+ {
+ "field": "location",
+ "equals": "[parameters('eventHubLocation')]"
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "[parameters('profileName')]",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
+ "equals": "[parameters('logsEnabled')]"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
+ "equals": "[parameters('metricsEnabled')]"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId",
+ "matchInsensitively": "[parameters('eventHubRuleId')]"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/eventHubName",
+ "matchInsensitively": "[parameters('eventHubName')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "String"
+ },
+ "eventHubRuleId": {
+ "type": "string"
+ },
+ "eventHubName": {
+ "type": "string"
+ },
+ "location": {
+ "type": "String"
+ },
+ "profileName": {
+ "type": "String"
+ },
+ "metricsEnabled": {
+ "type": "String"
+ },
+ "logsEnabled": {
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.DocumentDB/databaseAccounts/providers/diagnosticSettings",
+ "apiVersion": "2021-05-01-preview",
+ "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
+ "location": "[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]",
+ "eventHubName": "[parameters('eventHubName')]",
+ "metrics": [
+ {
+ "category": "Requests",
+ "enabled": "[parameters('metricsEnabled')]",
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ },
+ "timeGrain": null
+ }
+ ],
+ "logs": [
+ {
+ "category": "DataPlaneRequests",
+ "categoryGroup": null,
+ "enabled": "[parameters('logsEnabled')]",
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ }
+ },
+ {
+ "category": "MongoRequests",
+ "categoryGroup": null,
+ "enabled": "[parameters('logsEnabled')]",
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ }
+ },
+ {
+ "category": "QueryRuntimeStatistics",
+ "categoryGroup": null,
+ "enabled": "[parameters('logsEnabled')]",
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ }
+ },
+ {
+ "category": "PartitionKeyStatistics",
+ "categoryGroup": null,
+ "enabled": "[parameters('logsEnabled')]",
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ }
+ },
+ {
+ "category": "PartitionKeyRUConsumption",
+ "categoryGroup": null,
+ "enabled": "[parameters('logsEnabled')]",
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ }
+ },
+ {
+ "category": "ControlPlaneRequests",
+ "categoryGroup": null,
+ "enabled": "[parameters('logsEnabled')]",
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ }
+ },
+ {
+ "category": "CassandraRequests",
+ "categoryGroup": null,
+ "enabled": "[parameters('logsEnabled')]",
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ }
+ },
+ {
+ "category": "GremlinRequests",
+ "categoryGroup": null,
+ "enabled": "[parameters('logsEnabled')]",
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ }
+ },
+ {
+ "category": "TableApiRequests",
+ "categoryGroup": null,
+ "enabled": "[parameters('logsEnabled')]",
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ }
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {
+ "policy": {
+ "type": "string",
+ "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type Cosmos DB (Microsoft.DocumentDB/databaseAccounts), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]"
+ }
+ }
+ },
+ "parameters": {
+ "eventHubRuleId": {
+ "value": "[parameters('eventHubRuleId')]"
+ },
+ "eventHubName": {
+ "value": "[parameters('eventHubName')]"
+ },
+ "location": {
+ "value": "[field('location')]"
+ },
+ "resourceName": {
+ "value": "[field('name')]"
+ },
+ "profileName": {
+ "value": "[parameters('profileName')]"
+ },
+ "metricsEnabled": {
+ "value": "[parameters('metricsEnabled')]"
+ },
+ "logsEnabled": {
+ "value": "[parameters('logsEnabled')]"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Data Factory to Event Hub/azurepolicy.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Data Factory to Event Hub/azurepolicy.json
new file mode 100644
index 00000000..467ae8a1
--- /dev/null
+++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Data Factory to Event Hub/azurepolicy.json
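Review bot: The existenceCondition's first entry compares only `Microsoft.Insights/diagnosticSettings/logs.enabled` with `logsEnabled`, so an existing `setbypolicy_EH` setting that already points at the same hub but enables only a subset of the nine log categories the template writes still satisfies the condition, and the account is reported compliant with partial audit coverage. Replacing that entry with a `count` over `logs[*]` whose `where` matches `logs[*].enabled` against `logsEnabled`, compared with the number of categories the template deploys, makes compliance track what remediation actually produces; the PostgreSQL hunk at the end of this diff already uses the count/where form, so the alias names below are taken from there. The remaining three `allOf` entries (metrics, rule id, hub name) stay as they are. The Data Factory and MySQL rule hunks have the same gap for their `allLogs` group and are noted at the next azurepolicy.json hunk.
```json
"existenceCondition": {
  "allOf": [
    {
      "count": {
        "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
        "where": {
          "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
          "equals": "[parameters('logsEnabled')]"
        }
      },
      "equals": 9
    },
```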
@@ -0,0 +1,234 @@
+{
+ "name": "5d301975-2fa2-43b7-a5c2-fbb5c6f5f14a",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "properties": {
+ "displayName": "Deploy Diagnostic Settings for Data Factory to Event Hub",
+ "description": "Deploys the diagnostic settings for Data Factory to stream to a Event Hub when any Data Factory which is missing this diagnostic settings is created or updated. The policy will set the diagnostic with all metrics and category enabled.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Monitoring"
+ },
+ "mode": "Indexed",
+ "parameters": {
+ "eventHubRuleId": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Authorization Rule Id",
+ "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}",
+ "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules",
+ "assignPermissions": true
+ }
+ },
+ "eventHubName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Name",
+ "description": "Specify the name of the Event Hub"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "DeployIfNotExists",
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists"
+ },
+ "profileName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ },
+ "defaultValue": "setbypolicy_EH"
+ },
+ "metricsEnabled": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Enable metrics",
+ "description": "Whether to enable metrics stream to the Event Hub - True or False"
+ },
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "defaultValue": "False"
+ },
+ "logsEnabled": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Enable logs",
+ "description": "Whether to enable logs stream to the Event Hub - True or False"
+ },
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "defaultValue": "True"
+ },
+ "eventHubLocation": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Location",
+ "description": "Resource Location must be in the same location as the Event Hub Namespace.",
+ "strongType": "location"
+ },
+ "allowedValues": [
+ "swedencentral",
+ "westeurope"
+ ],
+ "defaultValue": "westeurope"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.DataFactory/factories"
+ },
+ {
+ "anyOf": [
+ {
+ "value": "[parameters('eventHubLocation')]",
+ "equals": ""
+ },
+ {
+ "field": "location",
+ "equals": "[parameters('eventHubLocation')]"
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "[parameters('profileName')]",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
+ "equals": "[parameters('logsEnabled')]"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
+ "equals": "[parameters('metricsEnabled')]"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId",
+ "matchInsensitively": "[parameters('eventHubRuleId')]"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/eventHubName",
+ "matchInsensitively": "[parameters('eventHubName')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "String"
+ },
+ "eventHubRuleId": {
+ "type": "string"
+ },
+ "eventHubName": {
+ "type": "string"
+ },
+ "location": {
+ "type": "String"
+ },
+ "profileName": {
+ "type": "String"
+ },
+ "metricsEnabled": {
+ "type": "String"
+ },
+ "logsEnabled": {
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.DataFactory/factories/providers/diagnosticSettings",
+ "apiVersion": "2021-05-01-preview",
+ "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
+ "location": "[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]",
+ "eventHubName": "[parameters('eventHubName')]",
+ "metrics": [
+ {
+ "category": "AllMetrics",
+ "enabled": "[parameters('metricsEnabled')]",
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ },
+ "timeGrain": null
+ }
+ ],
+ "logs": [
+ {
+ "categoryGroup": "allLogs",
+ "enabled": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {
+ "policy": {
+ "type": "string",
+ "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type Data Factory (Microsoft.DataFactory/factories), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]"
+ }
+ }
+ },
+ "parameters": {
+ "eventHubRuleId": {
+ "value": "[parameters('eventHubRuleId')]"
+ },
+ "eventHubName": {
+ "value": "[parameters('eventHubName')]"
+ },
+ "location": {
+ "value": "[field('location')]"
+ },
+ "resourceName": {
+ "value": "[field('name')]"
+ },
+ "profileName": {
+ "value": "[parameters('profileName')]"
+ },
+ "metricsEnabled": {
+ "value": "[parameters('metricsEnabled')]"
+ },
+ "logsEnabled": {
+ "value": "[parameters('logsEnabled')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
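Review bot: The existenceCondition checks `Microsoft.Insights/diagnosticSettings/logs.enabled` but never that the existing setting uses the `allLogs` category group the template deploys, so a pre-existing `setbypolicy_EH` setting on the same hub with a single category enabled satisfies it and the factory is reported compliant while most log categories are not streamed. The PostgreSQL definition later in this diff already closes this with a `count` over `Microsoft.Insights/diagnosticSettings/logs[*]` whose `where` requires `logs[*].enabled` equal to `logsEnabled` and `logs[*].categoryGroup` equal to `allLogs`, compared `"equals": 1`; lifting that block in place of the first `allOf` entry here is sufficient. The same gap is in the Data Factory rules hunk and both MySQL hunks below. As a style point, the template parameters mix `"type": "string"` and `"type": "String"` with no distinction intended; pick one casing.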
diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Data Factory to Event Hub/azurepolicy.parameters.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Data Factory to Event Hub/azurepolicy.parameters.json
new file mode 100644
index 00000000..3eccfba9
--- /dev/null
+++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Data Factory to Event Hub/azurepolicy.parameters.json
@@ -0,0 +1,76 @@
+{
+ "eventHubRuleId": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Authorization Rule Id",
+ "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}",
+ "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules",
+ "assignPermissions": true
+ }
+ },
+ "eventHubName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Name",
+ "description": "Specify the name of the Event Hub"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "DeployIfNotExists",
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists"
+ },
+ "profileName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ },
+ "defaultValue": "setbypolicy_EH"
+ },
+ "metricsEnabled": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Enable metrics",
+ "description": "Whether to enable metrics stream to the Event Hub - True or False"
+ },
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "defaultValue": "False"
+ },
+ "logsEnabled": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Enable logs",
+ "description": "Whether to enable logs stream to the Event Hub - True or False"
+ },
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "defaultValue": "True"
+ },
+ "eventHubLocation": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Location",
+ "description": "Resource Location must be in the same location as the Event Hub Namespace.",
+ "strongType": "location"
+ },
+ "allowedValues": [
+ "swedencentral",
+ "westeurope"
+ ],
+ "defaultValue": "westeurope"
+ }
+}
diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Data Factory to Event Hub/azurepolicy.rules.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Data Factory to Event Hub/azurepolicy.rules.json
new file mode 100644
index 00000000..496276da
--- /dev/null
+++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Data Factory to Event Hub/azurepolicy.rules.json
@@ -0,0 +1,145 @@
+{
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.DataFactory/factories"
+ },
+ {
+ "anyOf": [
+ {
+ "value": "[parameters('eventHubLocation')]",
+ "equals": ""
+ },
+ {
+ "field": "location",
+ "equals": "[parameters('eventHubLocation')]"
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "[parameters('profileName')]",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
+ "equals": "[parameters('logsEnabled')]"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
+ "equals": "[parameters('metricsEnabled')]"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId",
+ "matchInsensitively": "[parameters('eventHubRuleId')]"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/eventHubName",
+ "matchInsensitively": "[parameters('eventHubName')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "String"
+ },
+ "eventHubRuleId": {
+ "type": "string"
+ },
+ "eventHubName": {
+ "type": "string"
+ },
+ "location": {
+ "type": "String"
+ },
+ "profileName": {
+ "type": "String"
+ },
+ "metricsEnabled": {
+ "type": "String"
+ },
+ "logsEnabled": {
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.DataFactory/factories/providers/diagnosticSettings",
+ "apiVersion": "2021-05-01-preview",
+ "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
+ "location": "[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]",
+ "eventHubName": "[parameters('eventHubName')]",
+ "metrics": [
+ {
+ "category": "AllMetrics",
+ "enabled": "[parameters('metricsEnabled')]",
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ },
+ "timeGrain": null
+ }
+ ],
+ "logs": [
+ {
+ "categoryGroup": "allLogs",
+ "enabled": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {
+ "policy": {
+ "type": "string",
+ "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type Data Factory (Microsoft.DataFactory/factories), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]"
+ }
+ }
+ },
+ "parameters": {
+ "eventHubRuleId": {
+ "value": "[parameters('eventHubRuleId')]"
+ },
+ "eventHubName": {
+ "value": "[parameters('eventHubName')]"
+ },
+ "location": {
+ "value": "[field('location')]"
+ },
+ "resourceName": {
+ "value": "[field('name')]"
+ },
+ "profileName": {
+ "value": "[parameters('profileName')]"
+ },
+ "metricsEnabled": {
+ "value": "[parameters('metricsEnabled')]"
+ },
+ "logsEnabled": {
+ "value": "[parameters('logsEnabled')]"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Database for MySQL to Event Hub/azurepolicy.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Database for MySQL to Event Hub/azurepolicy.json
new file mode 100644
index 00000000..c6d2d894
--- /dev/null
+++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Database for MySQL to Event Hub/azurepolicy.json
@@ -0,0 +1,234 @@
+{
+ "name": "5b20c59c-cdc7-49ce-a68c-0f97a591cd6b",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "properties": {
+ "displayName": "Deploy Diagnostic Settings for Database for MySQL to Event Hub",
+ "description": "Deploys the diagnostic settings for Database for MySQL to stream to a Event Hub when any Database for MySQL which is missing this diagnostic settings is created or updated. The policy will set the diagnostic with all metrics and category enabled.",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Monitoring"
+ },
+ "mode": "Indexed",
+ "parameters": {
+ "eventHubRuleId": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Authorization Rule Id",
+ "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}",
+ "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules",
+ "assignPermissions": true
+ }
+ },
+ "eventHubName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Name",
+ "description": "Specify the name of the Event Hub"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "DeployIfNotExists",
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists"
+ },
+ "profileName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ },
+ "defaultValue": "setbypolicy_EH"
+ },
+ "metricsEnabled": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Enable metrics",
+ "description": "Whether to enable metrics stream to the Event Hub - True or False"
+ },
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "defaultValue": "False"
+ },
+ "logsEnabled": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Enable logs",
+ "description": "Whether to enable logs stream to the Event Hub - True or False"
+ },
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "defaultValue": "True"
+ },
+ "eventHubLocation": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Location",
+ "description": "Resource Location must be in the same location as the Event Hub Namespace.",
+ "strongType": "location"
+ },
+ "allowedValues": [
+ "swedencentral",
+ "westeurope"
+ ],
+ "defaultValue": "westeurope"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.DBforMySQL/servers"
+ },
+ {
+ "anyOf": [
+ {
+ "value": "[parameters('eventHubLocation')]",
+ "equals": ""
+ },
+ {
+ "field": "location",
+ "equals": "[parameters('eventHubLocation')]"
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "[parameters('profileName')]",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
+ "equals": "[parameters('logsEnabled')]"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
+ "equals": "[parameters('metricsEnabled')]"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId",
+ "matchInsensitively": "[parameters('eventHubRuleId')]"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/eventHubName",
+ "matchInsensitively": "[parameters('eventHubName')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "String"
+ },
+ "eventHubRuleId": {
+ "type": "string"
+ },
+ "eventHubName": {
+ "type": "string"
+ },
+ "location": {
+ "type": "String"
+ },
+ "profileName": {
+ "type": "String"
+ },
+ "metricsEnabled": {
+ "type": "String"
+ },
+ "logsEnabled": {
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.DBforMySQL/servers/providers/diagnosticSettings",
+ "apiVersion": "2021-05-01-preview",
+ "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
+ "location": "[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]",
+ "eventHubName": "[parameters('eventHubName')]",
+ "metrics": [
+ {
+ "category": "AllMetrics",
+ "enabled": "[parameters('metricsEnabled')]",
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ },
+ "timeGrain": null
+ }
+ ],
+ "logs": [
+ {
+ "categoryGroup": "allLogs",
+ "enabled": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {
+ "policy": {
+ "type": "string",
+ "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type Database for MySQL (Microsoft.DBforMySQL/servers), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]"
+ }
+ }
+ },
+ "parameters": {
+ "eventHubRuleId": {
+ "value": "[parameters('eventHubRuleId')]"
+ },
+ "eventHubName": {
+ "value": "[parameters('eventHubName')]"
+ },
+ "location": {
+ "value": "[field('location')]"
+ },
+ "resourceName": {
+ "value": "[field('name')]"
+ },
+ "profileName": {
+ "value": "[parameters('profileName')]"
+ },
+ "metricsEnabled": {
+ "value": "[parameters('metricsEnabled')]"
+ },
+ "logsEnabled": {
+ "value": "[parameters('logsEnabled')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Database for MySQL to Event Hub/azurepolicy.parameters.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Database for MySQL to Event Hub/azurepolicy.parameters.json
new file mode 100644
index 00000000..3eccfba9
--- /dev/null
+++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Database for MySQL to Event Hub/azurepolicy.parameters.json
@@ -0,0 +1,76 @@
+{
+ "eventHubRuleId": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Authorization Rule Id",
+ "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}",
+ "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules",
+ "assignPermissions": true
+ }
+ },
+ "eventHubName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Name",
+ "description": "Specify the name of the Event Hub"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "DeployIfNotExists",
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists"
+ },
+ "profileName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ },
+ "defaultValue": "setbypolicy_EH"
+ },
+ "metricsEnabled": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Enable metrics",
+ "description": "Whether to enable metrics stream to the Event Hub - True or False"
+ },
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "defaultValue": "False"
+ },
+ "logsEnabled": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Enable logs",
+ "description": "Whether to enable logs stream to the Event Hub - True or False"
+ },
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "defaultValue": "True"
+ },
+ "eventHubLocation": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Location",
+ "description": "Resource Location must be in the same location as the Event Hub Namespace.",
+ "strongType": "location"
+ },
+ "allowedValues": [
+ "swedencentral",
+ "westeurope"
+ ],
+ "defaultValue": "westeurope"
+ }
+}
diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Database for MySQL to Event Hub/azurepolicy.rules.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Database for MySQL to Event Hub/azurepolicy.rules.json
new file mode 100644
index 00000000..94e7daf3
--- /dev/null
+++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Database for MySQL to Event Hub/azurepolicy.rules.json
@@ -0,0 +1,145 @@
+{
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.DBforMySQL/servers"
+ },
+ {
+ "anyOf": [
+ {
+ "value": "[parameters('eventHubLocation')]",
+ "equals": ""
+ },
+ {
+ "field": "location",
+ "equals": "[parameters('eventHubLocation')]"
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "[parameters('profileName')]",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
+ "equals": "[parameters('logsEnabled')]"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
+ "equals": "[parameters('metricsEnabled')]"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId",
+ "matchInsensitively": "[parameters('eventHubRuleId')]"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/eventHubName",
+ "matchInsensitively": "[parameters('eventHubName')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "String"
+ },
+ "eventHubRuleId": {
+ "type": "string"
+ },
+ "eventHubName": {
+ "type": "string"
+ },
+ "location": {
+ "type": "String"
+ },
+ "profileName": {
+ "type": "String"
+ },
+ "metricsEnabled": {
+ "type": "String"
+ },
+ "logsEnabled": {
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.DBforMySQL/servers/providers/diagnosticSettings",
+ "apiVersion": "2021-05-01-preview",
+ "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
+ "location": "[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]",
+ "eventHubName": "[parameters('eventHubName')]",
+ "metrics": [
+ {
+ "category": "AllMetrics",
+ "enabled": "[parameters('metricsEnabled')]",
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ },
+ "timeGrain": null
+ }
+ ],
+ "logs": [
+ {
+ "categoryGroup": "allLogs",
+ "enabled": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {
+ "policy": {
+ "type": "string",
+ "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type Database for MySQL (Microsoft.DBforMySQL/servers), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]"
+ }
+ }
+ },
+ "parameters": {
+ "eventHubRuleId": {
+ "value": "[parameters('eventHubRuleId')]"
+ },
+ "eventHubName": {
+ "value": "[parameters('eventHubName')]"
+ },
+ "location": {
+ "value": "[field('location')]"
+ },
+ "resourceName": {
+ "value": "[field('name')]"
+ },
+ "profileName": {
+ "value": "[parameters('profileName')]"
+ },
+ "metricsEnabled": {
+ "value": "[parameters('metricsEnabled')]"
+ },
+ "logsEnabled": {
+ "value": "[parameters('logsEnabled')]"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Database for PostgreSQL to Event Hub/azurepolicy.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Database for PostgreSQL to Event Hub/azurepolicy.json
new file mode 100644
index 00000000..b1368572
--- /dev/null
+++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Database for PostgreSQL to Event Hub/azurepolicy.json
@@ -0,0 +1,248 @@ +{ + "name": "14c573ee-192d-49fb-80d3-6c4d22d75c54", + "type": "Microsoft.Authorization/policyDefinitions", + "properties": { + "displayName": "Deploy Diagnostic Settings for Database for PostgreSQL to Event Hub", + "description": "Deploys the diagnostic settings for Database for PostgreSQL to stream to a Event Hub when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The policy will set the diagnostic with all metrics and category enabled.", + "metadata": { + "version": "1.0.0", + "category": "Monitoring" + }, + "mode": "Indexed", + "parameters": { + "eventHubRuleId": { + "type": "String", + "metadata": { + "displayName": "Event Hub Authorization Rule Id", + "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}", + "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules", + "assignPermissions": true + } + }, + "eventHubName": { + "type": "String", + "metadata": { + "displayName": "Event Hub Name", + "description": "Specify the name of the Event Hub" + } + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "AuditIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "profileName": { + "type": "String", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + }, + "defaultValue": "setbypolicy_EH" + }, + "metricsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + 
"defaultValue": "False" + }, + "logsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "True" + }, + "eventHubLocation": { + "type": "String", + "metadata": { + "displayName": "Event Hub Location", + "description": "Resource Location must be in the same location as the Event Hub Namespace.", + "strongType": "location" + }, + "allowedValues": [ + "swedencentral", + "westeurope" + ], + "defaultValue": "westeurope" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.DBforPostgreSQL/servers" + }, + { + "anyOf": [ + { + "value": "[parameters('eventHubLocation')]", + "equals": "" + }, + { + "field": "location", + "equals": "[parameters('eventHubLocation')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[parameters('logsEnabled')]" + }, + { + "field": "microsoft.insights/diagnosticSettings/logs[*].categoryGroup", + "equals": "allLogs" + } + ] + } + }, + "equals": 1 + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "[parameters('metricsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", + "matchInsensitively": "[parameters('eventHubRuleId')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubName", + "matchInsensitively": "[parameters('eventHubName')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "eventHubRuleId": { + "type": "string" + }, + "eventHubName": { + "type": "string" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DBforPostgreSQL/servers/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]", + "eventHubName": "[parameters('eventHubName')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type Database for PostgreSQL (Microsoft.DBforPostgreSQL/servers), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]" + } + } + }, + "parameters": { + "eventHubRuleId": { + "value": "[parameters('eventHubRuleId')]" + }, + "eventHubName": { + "value": "[parameters('eventHubName')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": 
{ + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Database for PostgreSQL to Event Hub/azurepolicy.parameters.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Database for PostgreSQL to Event Hub/azurepolicy.parameters.json new file mode 100644 index 00000000..3eccfba9 --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Database for PostgreSQL to Event Hub/azurepolicy.parameters.json 
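Review bot: The `anyOf` branch `"value": "[parameters('eventHubLocation')]", "equals": ""` in policyRule can never match, because `eventHubLocation` restricts `allowedValues` to `swedencentral` and `westeurope` with no empty string, so the "apply to every region" path this branch is written for is dead. Either add `""` to `allowedValues` (and say in the parameter description that an empty value disables the location filter) or remove the `anyOf` and compare `location` directly; the Databricks and Dev Center definitions, and their parameters and rules files, in this commit share the same shape. Separately, the description promises "all metrics and category enabled" while `metricsEnabled` defaults to `"False"`, so an assignment taken on defaults streams logs only; I'd align the text with the defaults, e.g. `Logs are enabled by default; metrics are streamed only when metricsEnabled is True.`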
@@ -0,0 +1,76 @@ +{ + "eventHubRuleId": { + "type": "String", + "metadata": { + "displayName": "Event Hub Authorization Rule Id", + "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}", + "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules", + "assignPermissions": true + } + }, + "eventHubName": { + "type": "String", + "metadata": { + "displayName": "Event Hub Name", + "description": "Specify the name of the Event Hub" + } + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "AuditIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "profileName": { + "type": "String", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + }, + "defaultValue": "setbypolicy_EH" + }, + "metricsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "False" + }, + "logsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "True" + }, + "eventHubLocation": { + "type": "String", + "metadata": { + "displayName": "Event Hub Location", + "description": "Resource Location must be in the same location as the Event Hub Namespace.", + "strongType": "location" + }, + "allowedValues": [ + "swedencentral", + "westeurope" + ], + "defaultValue": "westeurope" + } 
+} diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Database for PostgreSQL to Event Hub/azurepolicy.rules.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Database for PostgreSQL to Event Hub/azurepolicy.rules.json new file mode 100644 index 00000000..55be5250 --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Database for PostgreSQL to Event Hub/azurepolicy.rules.json 
@@ -0,0 +1,159 @@ +{ + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.DBforPostgreSQL/servers" + }, + { + "anyOf": [ + { + "value": "[parameters('eventHubLocation')]", + "equals": "" + }, + { + "field": "location", + "equals": "[parameters('eventHubLocation')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[parameters('logsEnabled')]" + }, + { + "field": "microsoft.insights/diagnosticSettings/logs[*].categoryGroup", + "equals": "allLogs" + } + ] + } + }, + "equals": 1 + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "[parameters('metricsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", + "matchInsensitively": "[parameters('eventHubRuleId')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubName", + "matchInsensitively": "[parameters('eventHubName')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "eventHubRuleId": { + "type": "string" + }, + "eventHubName": { + "type": "string" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" 
+ } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DBforPostgreSQL/servers/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]", + "eventHubName": "[parameters('eventHubName')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type Database for PostgreSQL (Microsoft.DBforPostgreSQL/servers), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]" + } + } + }, + "parameters": { + "eventHubRuleId": { + "value": "[parameters('eventHubRuleId')]" + }, + "eventHubName": { + "value": "[parameters('eventHubName')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } +} diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Databricks to Event Hub/azurepolicy.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Databricks to Event Hub/azurepolicy.json new file mode 100644 index 00000000..83349873 --- /dev/null 
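Review bot: The `type` filter `Microsoft.DBforPostgreSQL/servers` matches only the Single Server resource type; Flexible Server instances are a different type (`Microsoft.DBforPostgreSQL/flexibleServers`) and are matched neither by this rule nor by the MySQL rule in this commit, so they receive no diagnostic-setting remediation from these definitions. If Single Server is genuinely all that is in scope, state that in the policy description; otherwise a parallel definition is needed, since the nested `diagnosticSettings` resource type in the deployment template is tied to the parent type and cannot be shared. This rules file also restates the policyRule already embedded in azurepolicy.json, so any later fix must be applied to both copies.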
+++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Databricks to Event Hub/azurepolicy.json 
@@ -0,0 +1,202 @@ +{ + "name": "51c5b2b9-9e1b-4508-a24c-3e32b5e97135", + "type": "Microsoft.Authorization/policyDefinitions", + "properties": { + "displayName": "Deploy Diagnostic Settings for Databricks to Event Hub", + "description": "Deploys the diagnostic settings for Databricks to stream to a Event Hub when any Databricks which is missing this diagnostic settings is created or updated. The policy will set the diagnostic with all metrics and category enabled.", + "metadata": { + "version": "1.0.0", + "category": "Monitoring" + }, + "mode": "Indexed", + "parameters": { + "eventHubRuleId": { + "type": "String", + "metadata": { + "displayName": "Event Hub Authorization Rule Id", + "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}", + "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules", + "assignPermissions": true + } + }, + "eventHubName": { + "type": "String", + "metadata": { + "displayName": "Event Hub Name", + "description": "Specify the name of the Event Hub" + } + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "AuditIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "profileName": { + "type": "String", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + }, + "defaultValue": "setbypolicy_EH" + }, + "logsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "True" + }, + "eventHubLocation": { 
+ "type": "String", + "metadata": { + "displayName": "Event Hub Location", + "description": "Resource Location must be in the same location as the Event Hub Namespace.", + "strongType": "location" + }, + "allowedValues": [ + "swedencentral", + "westeurope" + ], + "defaultValue": "westeurope" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Databricks/workspaces" + }, + { + "anyOf": [ + { + "value": "[parameters('eventHubLocation')]", + "equals": "" + }, + { + "field": "location", + "equals": "[parameters('eventHubLocation')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "[parameters('logsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", + "matchInsensitively": "[parameters('eventHubRuleId')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubName", + "matchInsensitively": "[parameters('eventHubName')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "eventHubRuleId": { + "type": "string" + }, + "eventHubName": { + "type": "string" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": 
"Microsoft.Databricks/workspaces/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]", + "eventHubName": "[parameters('eventHubName')]", + "metrics": [], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type Databricks (Microsoft.Databricks/workspaces), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]" + } + } + }, + "parameters": { + "eventHubRuleId": { + "value": "[parameters('eventHubRuleId')]" + }, + "eventHubName": { + "value": "[parameters('eventHubName')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Databricks to Event Hub/azurepolicy.parameters.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Databricks to Event Hub/azurepolicy.parameters.json new file mode 100644 index 00000000..c022809f --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Databricks to Event Hub/azurepolicy.parameters.json 
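Review bot: `roleDefinitionIds` grants the remediation identity two roles, and the identical pair is repeated on every definition in this commit, yet the deployment only creates a `Microsoft.Insights/diagnosticSettings` resource targeting an Event Hub; the list looks carried over from the built-in Event Hub diagnostics policies, and I'd confirm which of the two roles this destination actually needs and drop the other, because `assignPermissions: true` on `eventHubRuleId` also, as I read it, hands these roles out at the scope of the authorization rule supplied at assignment time. The template `$schema` is referenced over `http://`; `https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#` is the current form and avoids a plaintext schema reference. Both points apply equally to the MySQL, PostgreSQL and Dev Center hunks.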
@@ -0,0 +1,64 @@
+{
+ "eventHubRuleId": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Authorization Rule Id",
+ "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}",
+ "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules",
+ "assignPermissions": true
+ }
+ },
+ "eventHubName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Name",
+ "description": "Specify the name of the Event Hub"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "DeployIfNotExists",
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists"
+ },
+ "profileName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ },
+ "defaultValue": "setbypolicy_EH"
+ },
+ "logsEnabled": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Enable logs",
+ "description": "Whether to enable logs stream to the Event Hub - True or False"
+ },
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "defaultValue": "True"
+ },
+ "eventHubLocation": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Location",
+ "description": "Resource Location must be in the same location as the Event Hub Namespace.",
+ "strongType": "location"
+ },
+ "allowedValues": [
+ "swedencentral",
+ "westeurope"
+ ],
+ "defaultValue": "westeurope"
+ }
+}
diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Databricks to Event Hub/azurepolicy.rules.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Databricks to Event Hub/azurepolicy.rules.json new file mode 100644 index 00000000..fd7e4880 --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Databricks to Event Hub/azurepolicy.rules.json 
@@ -0,0 +1,125 @@ +{ + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Databricks/workspaces" + }, + { + "anyOf": [ + { + "value": "[parameters('eventHubLocation')]", + "equals": "" + }, + { + "field": "location", + "equals": "[parameters('eventHubLocation')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "[parameters('logsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", + "matchInsensitively": "[parameters('eventHubRuleId')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubName", + "matchInsensitively": "[parameters('eventHubName')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "eventHubRuleId": { + "type": "string" + }, + "eventHubName": { + "type": "string" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Databricks/workspaces/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]", 
+ "eventHubName": "[parameters('eventHubName')]", + "metrics": [], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type Databricks (Microsoft.Databricks/workspaces), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]" + } + } + }, + "parameters": { + "eventHubRuleId": { + "value": "[parameters('eventHubRuleId')]" + }, + "eventHubName": { + "value": "[parameters('eventHubName')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } +} diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Dev Center to Event Hub/azurepolicy.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Dev Center to Event Hub/azurepolicy.json new file mode 100644 index 00000000..5b9fff0a --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Dev Center to Event Hub/azurepolicy.json 
@@ -0,0 +1,216 @@ +{ + "name": "521cc402-f89f-4445-aa6c-5fd509eabea6", + "type": "Microsoft.Authorization/policyDefinitions", + "properties": { + "displayName": "Deploy Diagnostic Settings for Dev Center to Event Hub", + "description": "Deploys the diagnostic settings for Dev Centers to stream to a Event Hub when any Dev Centers which is missing this diagnostic settings is created or updated. The policy will set the diagnostic with all metrics and category enabled.", + "metadata": { + "version": "1.0.0", + "category": "Monitoring" + }, + "mode": "Indexed", + "parameters": { + "eventHubRuleId": { + "type": "String", + "metadata": { + "displayName": "Event Hub Authorization Rule Id", + "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}", + "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules", + "assignPermissions": true + } + }, + "eventHubName": { + "type": "String", + "metadata": { + "displayName": "Event Hub Name", + "description": "Specify the name of the Event Hub" + } + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "AuditIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "profileName": { + "type": "String", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + }, + "defaultValue": "setbypolicy_EH" + }, + "eventHubLocation": { + "type": "String", + "metadata": { + "displayName": "Event Hub Location", + "description": "Resource Location must be in the same location as the Event Hub Namespace.", + "strongType": "location" + }, + "allowedValues": [ + "swedencentral", + 
"westeurope" + ], + "defaultValue": "westeurope" + }, + "logsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "True" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.DevCenter/devcenters" + }, + { + "anyOf": [ + { + "value": "[parameters('eventHubLocation')]", + "equals": "" + }, + { + "field": "location", + "equals": "[parameters('eventHubLocation')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[parameters('logsEnabled')]" + }, + { + "field": "microsoft.insights/diagnosticSettings/logs[*].categoryGroup", + "equals": "allLogs" + } + ] + } + }, + "equals": 1 + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", + "matchInsensitively": "[parameters('eventHubRuleId')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubName", + "matchInsensitively": "[parameters('eventHubName')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "eventHubRuleId": { + "type": "string" + }, + "eventHubName": 
{ + "type": "string" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DevCenter/devcenters/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]", + "eventHubName": "[parameters('eventHubName')]", + "metrics": [], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type Dev Centers (Microsoft.DevCenter/devcenters), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]" + } + } + }, + "parameters": { + "eventHubRuleId": { + "value": "[parameters('eventHubRuleId')]" + }, + "eventHubName": { + "value": "[parameters('eventHubName')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Dev Center to Event Hub/azurepolicy.parameters.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Dev Center to Event Hub/azurepolicy.parameters.json new file mode 100644 index 00000000..abbef44e --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Dev Center to Event Hub/azurepolicy.parameters.json 
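Review bot: The `logsEnabled` description reads "Whether to enable logs stream to the Log Analytics workspace - True or False", but this definition streams to an Event Hub; the text was evidently carried over from a Log Analytics variant and will mislead whoever assigns the policy. Change it to `Whether to enable logs stream to the Event Hub - True or False`, matching the wording used by the other Event Hub definitions in this commit; the same string appears in the Dev Center parameters file hunk. The policy description also says "all metrics and category enabled" although the deployed setting has `"metrics": []`, so I'd drop "metrics" from it.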
@@ -0,0 +1,64 @@
+{
+ "eventHubRuleId": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Authorization Rule Id",
+ "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}",
+ "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules",
+ "assignPermissions": true
+ }
+ },
+ "eventHubName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Name",
+ "description": "Specify the name of the Event Hub"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "DeployIfNotExists",
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists"
+ },
+ "profileName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ },
+ "defaultValue": "setbypolicy_EH"
+ },
+ "eventHubLocation": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Location",
+ "description": "Resource Location must be in the same location as the Event Hub Namespace.",
+ "strongType": "location"
+ },
+ "allowedValues": [
+ "swedencentral",
+ "westeurope"
+ ],
+ "defaultValue": "westeurope"
+ },
+ "logsEnabled": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Enable logs",
+ "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ },
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "defaultValue": "True"
+ }
+}
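Review bot: The `logsEnabled` description at the end of this hunk says the log stream goes to "the Log Analytics workspace", but the only destination this definition configures is the Event Hub named by `eventHubRuleId`/`eventHubName`, so whoever fills in the assignment form is told the wrong sink; the azurepolicy.json copy of this parameter above carries the same text. Suggest `"description": "Whether to enable logs stream to the Event Hub - True or False"`, which is the wording the Event Grid definitions in this commit already use. `eventHubName` here also lacks the `"strongType": "Microsoft.EventHub/Namespaces/EventHubs"` hint that the Event Grid Topic parameters file in this commit adds; carrying it in the Dev Center and System Topic parameter files as well gives the portal picker the same validation everywhere.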
diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Dev Center to Event Hub/azurepolicy.rules.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Dev Center to Event Hub/azurepolicy.rules.json
new file mode 100644
index 00000000..5018c0cc
--- /dev/null
+++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Dev Center to Event Hub/azurepolicy.rules.json
@@ -0,0 +1,139 @@ +{ + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.DevCenter/devcenters" + }, + { + "anyOf": [ + { + "value": "[parameters('eventHubLocation')]", + "equals": "" + }, + { + "field": "location", + "equals": "[parameters('eventHubLocation')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[parameters('logsEnabled')]" + }, + { + "field": "microsoft.insights/diagnosticSettings/logs[*].categoryGroup", + "equals": "allLogs" + } + ] + } + }, + "equals": 1 + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", + "matchInsensitively": "[parameters('eventHubRuleId')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubName", + "matchInsensitively": "[parameters('eventHubName')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "eventHubRuleId": { + "type": "string" + }, + "eventHubName": { + "type": "string" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DevCenter/devcenters/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": 
"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]", + "eventHubName": "[parameters('eventHubName')]", + "metrics": [], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type Dev Centers (Microsoft.DevCenter/devcenters), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]" + } + } + }, + "parameters": { + "eventHubRuleId": { + "value": "[parameters('eventHubRuleId')]" + }, + "eventHubName": { + "value": "[parameters('eventHubName')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } +} diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Event Grid System Topic to Event Hub/azurepolicy.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Event Grid System Topic to Event Hub/azurepolicy.json new file mode 100644 index 00000000..b281a3c2 --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Event Grid System Topic to Event Hub/azurepolicy.json 
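Review bot: The `anyOf` branch in the `if` block that compares `[parameters('eventHubLocation')]` with `""` is unreachable as far as this commit shows: the companion parameters file restricts `eventHubLocation` to `swedencentral`/`westeurope` with no empty option and a non-empty default, so the rule is always pinned to one region and the "any location" fallback never fires. Either drop the `anyOf` and keep only the `"field": "location"` equality, or, if region-agnostic assignments are intended, add `""` to that parameter's `allowedValues` so the branch can actually match. The same pattern appears in the Event Grid System Topic, Event Grid Topic and ExpressRoute rules in this commit. It is also worth saying in the parameter's description that a resource outside the chosen region is not evaluated at all rather than reported non-compliant, since a reader of the compliance view can otherwise mistake that silence for coverage.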
@@ -0,0 +1,234 @@ +{ + "name": "d620ba41-1d18-4837-82e2-953547bf1d38", + "type": "Microsoft.Authorization/policyDefinitions", + "properties": { + "displayName": "Deploy Diagnostic Settings for Event Grid System Topic to Event Hub", + "description": "Deploys the diagnostic settings for Event Grid System Topic to stream to a Event Hub when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The policy will set the diagnostic with all metrics and category enabled.", + "metadata": { + "version": "1.0.0", + "category": "Monitoring" + }, + "mode": "Indexed", + "parameters": { + "eventHubRuleId": { + "type": "String", + "metadata": { + "displayName": "Event Hub Authorization Rule Id", + "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}", + "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules", + "assignPermissions": true + } + }, + "eventHubName": { + "type": "String", + "metadata": { + "displayName": "Event Hub Name", + "description": "Specify the name of the Event Hub" + } + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "AuditIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "profileName": { + "type": "String", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + }, + "defaultValue": "setbypolicy_EH" + }, + "metricsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + 
"defaultValue": "False" + }, + "logsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "True" + }, + "eventHubLocation": { + "type": "String", + "metadata": { + "displayName": "Event Hub Location", + "description": "Resource Location must be in the same location as the Event Hub Namespace.", + "strongType": "location" + }, + "allowedValues": [ + "swedencentral", + "westeurope" + ], + "defaultValue": "westeurope" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.EventGrid/systemTopics" + }, + { + "anyOf": [ + { + "value": "[parameters('eventHubLocation')]", + "equals": "" + }, + { + "field": "location", + "equals": "[parameters('eventHubLocation')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "[parameters('logsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "[parameters('metricsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", + "matchInsensitively": "[parameters('eventHubRuleId')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubName", + "matchInsensitively": "[parameters('eventHubName')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": 
"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "eventHubRuleId": { + "type": "string" + }, + "eventHubName": { + "type": "string" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.EventGrid/systemTopics/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]", + "eventHubName": "[parameters('eventHubName')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type EventGrid system topics (Microsoft.EventGrid/systemTopics), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]" + } + } + }, + "parameters": { + "eventHubRuleId": { + "value": "[parameters('eventHubRuleId')]" + }, + "eventHubName": { + "value": "[parameters('eventHubName')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } 
+ } + } + } + } + } + } +} diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Event Grid System Topic to Event Hub/azurepolicy.parameters.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Event Grid System Topic to Event Hub/azurepolicy.parameters.json new file mode 100644 index 00000000..3eccfba9 --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Event Grid System Topic to Event Hub/azurepolicy.parameters.json 
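Review bot: The `existenceCondition` here only checks `Microsoft.Insights/diagnosticSettings/logs.enabled` against `logsEnabled` and never inspects `categoryGroup`, whereas the Dev Center and Event Grid Topic rules in this commit count `logs[*]` entries whose `categoryGroup` equals `allLogs`; a pre-existing diagnostic setting on a system topic that forwards only a subset of log categories to the same hub therefore satisfies this policy and is reported compliant, even though the deployment template below would have configured `allLogs`. The rules.json copy of this definition has the same condition. Aligning it with the Topic rule's `count`/`where` form over `logs[*].enabled` and `logs[*].categoryGroup` closes that gap. Separately, the `description` promises "all metrics and category enabled" while `metricsEnabled` defaults to `"False"`; one of the two should change so a default assignment does what the text claims.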
@@ -0,0 +1,76 @@
+{
+ "eventHubRuleId": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Authorization Rule Id",
+ "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}",
+ "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules",
+ "assignPermissions": true
+ }
+ },
+ "eventHubName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Name",
+ "description": "Specify the name of the Event Hub"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "DeployIfNotExists",
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists"
+ },
+ "profileName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ },
+ "defaultValue": "setbypolicy_EH"
+ },
+ "metricsEnabled": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Enable metrics",
+ "description": "Whether to enable metrics stream to the Event Hub - True or False"
+ },
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "defaultValue": "False"
+ },
+ "logsEnabled": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Enable logs",
+ "description": "Whether to enable logs stream to the Event Hub - True or False"
+ },
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "defaultValue": "True"
+ },
+ "eventHubLocation": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Location",
+ "description": "Resource Location must be in the same location as the Event Hub Namespace.",
+ "strongType": "location"
+ },
+ "allowedValues": [
+ "swedencentral",
+ "westeurope"
+ ],
+ "defaultValue": "westeurope"
+ }
+}
diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Event Grid System Topic to Event Hub/azurepolicy.rules.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Event Grid System Topic to Event Hub/azurepolicy.rules.json
new file mode 100644
index 00000000..69c1d450
--- /dev/null
+++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Event Grid System Topic to Event Hub/azurepolicy.rules.json
@@ -0,0 +1,145 @@ +{ + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.EventGrid/systemTopics" + }, + { + "anyOf": [ + { + "value": "[parameters('eventHubLocation')]", + "equals": "" + }, + { + "field": "location", + "equals": "[parameters('eventHubLocation')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "[parameters('logsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "[parameters('metricsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", + "matchInsensitively": "[parameters('eventHubRuleId')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubName", + "matchInsensitively": "[parameters('eventHubName')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "eventHubRuleId": { + "type": "string" + }, + "eventHubName": { + "type": "string" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.EventGrid/systemTopics/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]", + "eventHubName": "[parameters('eventHubName')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type EventGrid system topics (Microsoft.EventGrid/systemTopics), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]" + } + } + }, + "parameters": { + "eventHubRuleId": { + "value": "[parameters('eventHubRuleId')]" + }, + "eventHubName": { + "value": "[parameters('eventHubName')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } +} diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Event Grid Topic to Event Hub/azurepolicy.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Event Grid Topic to Event Hub/azurepolicy.json new file mode 100644 index 00000000..ec96063b --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Event Grid Topic to Event Hub/azurepolicy.json 
@@ -0,0 +1,249 @@ +{ + "name": "cc5a3880-12a9-4a7f-be0b-1bd0ec0a1c6e", + "type": "Microsoft.Authorization/policyDefinitions", + "properties": { + "displayName": "Deploy Diagnostic Settings for Event Grid Topic to Event Hub", + "description": "Deploys the diagnostic settings for Event Grid Topic to stream to a Event Hub when any Event Grid Topic which is missing this diagnostic settings is created or updated. The policy will set the diagnostic with all metrics and category enabled.", + "metadata": { + "category": "Monitoring", + "version": "1.0.0" + }, + "mode": "Indexed", + "parameters": { + "eventHubRuleId": { + "type": "String", + "metadata": { + "displayName": "Event Hub Authorization Rule Id", + "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}", + "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules", + "assignPermissions": true + } + }, + "eventHubName": { + "type": "String", + "metadata": { + "displayName": "Event Hub Name", + "description": "Specify the name of the Event Hub", + "strongType": "Microsoft.EventHub/Namespaces/EventHubs" + } + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "AuditIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "profileName": { + "type": "String", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + }, + "defaultValue": "setbypolicy_EH" + }, + "metricsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Event Hub - True or False" + }, + 
"allowedValues": [ + "True", + "False" + ], + "defaultValue": "False" + }, + "logsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "True" + }, + "eventHubLocation": { + "type": "String", + "metadata": { + "displayName": "Event Hub Location", + "description": "The location the Event Hub resides in. Only Logic Apps in this location will be linked to this Event Hub.", + "strongType": "location" + }, + "allowedValues": [ + "swedencentral", + "westeurope" + ], + "defaultValue": "westeurope" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.EventGrid/topics" + }, + { + "anyOf": [ + { + "value": "[parameters('eventHubLocation')]", + "equals": "" + }, + { + "field": "location", + "equals": "[parameters('eventHubLocation')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[parameters('logsEnabled')]" + }, + { + "field": "microsoft.insights/diagnosticSettings/logs[*].categoryGroup", + "equals": "allLogs" + } + ] + } + }, + "equals": 1 + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "[parameters('metricsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", + "matchInsensitively": "[parameters('eventHubRuleId')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubName", + "matchInsensitively": "[parameters('eventHubName')]" + } + ] + }, + "roleDefinitionIds": [ + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "eventHubRuleId": { + "type": "string" + }, + "eventHubName": { + "type": "string" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.EventGrid/topics/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]", + "eventHubName": "[parameters('eventHubName')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type Event Grid Topic (Microsoft.EventGrid/topics), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]" + } + } + }, + "parameters": { + "eventHubRuleId": { + "value": "[parameters('eventHubRuleId')]" + }, + "eventHubName": { + "value": "[parameters('eventHubName')]" + }, + "location": { + "value": "[field('location')]" + 
}, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Event Grid Topic to Event Hub/azurepolicy.parameters.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Event Grid Topic to Event Hub/azurepolicy.parameters.json new file mode 100644 index 00000000..8a0aa3ac --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Event Grid Topic to Event Hub/azurepolicy.parameters.json 
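Review bot: The `eventHubLocation` description in this definition's parameters block reads "Only Logic Apps in this location will be linked to this Event Hub", but the rule targets `Microsoft.EventGrid/topics`; the sentence looks carried over from a Logic Apps policy and misdescribes the scope to whoever assigns it. Suggest the wording the sibling definitions in this commit use, `"description": "Resource Location must be in the same location as the Event Hub Namespace."`; the parameters.json copy for this definition carries the same Logic Apps text. As in the System Topic definition, the `description` claims all metrics are enabled while `metricsEnabled` defaults to `"False"`, so a default assignment does not match the stated behaviour.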
@@ -0,0 +1,77 @@
+{
+ "eventHubRuleId": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Authorization Rule Id",
+ "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}",
+ "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules",
+ "assignPermissions": true
+ }
+ },
+ "eventHubName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Name",
+ "description": "Specify the name of the Event Hub",
+ "strongType": "Microsoft.EventHub/Namespaces/EventHubs"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "DeployIfNotExists",
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists"
+ },
+ "profileName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ },
+ "defaultValue": "setbypolicy_EH"
+ },
+ "metricsEnabled": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Enable metrics",
+ "description": "Whether to enable metrics stream to the Event Hub - True or False"
+ },
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "defaultValue": "False"
+ },
+ "logsEnabled": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Enable logs",
+ "description": "Whether to enable logs stream to the Event Hub - True or False"
+ },
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "defaultValue": "True"
+ },
+ "eventHubLocation": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Location",
+ "description": "The location the Event Hub resides in. Only Logic Apps in this location will be linked to this Event Hub.",
+ "strongType": "location"
+ },
+ "allowedValues": [
+ "swedencentral",
+ "westeurope"
+ ],
+ "defaultValue": "westeurope"
+ }
+}
diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Event Grid Topic to Event Hub/azurepolicy.rules.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Event Grid Topic to Event Hub/azurepolicy.rules.json
new file mode 100644
index 00000000..183b4210
--- /dev/null
+++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Event Grid Topic to Event Hub/azurepolicy.rules.json
@@ -0,0 +1,159 @@ +{ + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.EventGrid/topics" + }, + { + "anyOf": [ + { + "value": "[parameters('eventHubLocation')]", + "equals": "" + }, + { + "field": "location", + "equals": "[parameters('eventHubLocation')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[parameters('logsEnabled')]" + }, + { + "field": "microsoft.insights/diagnosticSettings/logs[*].categoryGroup", + "equals": "allLogs" + } + ] + } + }, + "equals": 1 + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "[parameters('metricsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", + "matchInsensitively": "[parameters('eventHubRuleId')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubName", + "matchInsensitively": "[parameters('eventHubName')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "eventHubRuleId": { + "type": "string" + }, + "eventHubName": { + "type": "string" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + 
}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.EventGrid/topics/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]", + "eventHubName": "[parameters('eventHubName')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type Event Grid Topic (Microsoft.EventGrid/topics), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]" + } + } + }, + "parameters": { + "eventHubRuleId": { + "value": "[parameters('eventHubRuleId')]" + }, + "eventHubName": { + "value": "[parameters('eventHubName')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } +} diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for ExpressRoute to Event Hub/azurepolicy.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for ExpressRoute to Event Hub/azurepolicy.json new file mode 100644 index 00000000..babb35ca --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for ExpressRoute to Event Hub/azurepolicy.json 
@@ -0,0 +1,246 @@ +{ + "name": "3747a30d-92e6-4f27-89fa-a31b179acb48", + "type": "Microsoft.Authorization/policyDefinitions", + "properties": { + "displayName": "Deploy Diagnostic Settings for ExpressRoute to Event Hub", + "description": "Deploys the diagnostic settings for ExpressRoute to stream to a Event Hub when any ExpressRoute which is missing this diagnostic settings is created or updated. The policy will set the diagnostic with all metrics and category enabled.", + "metadata": { + "version": "1.0.0", + "category": "Monitoring" + }, + "mode": "Indexed", + "parameters": { + "eventHubRuleId": { + "type": "String", + "metadata": { + "displayName": "Event Hub Authorization Rule Id", + "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}", + "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules", + "assignPermissions": true + } + }, + "eventHubName": { + "type": "String", + "metadata": { + "displayName": "Event Hub Name", + "description": "Specify the name of the Event Hub" + } + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "AuditIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "profileName": { + "type": "String", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + }, + "defaultValue": "setbypolicy_EH" + }, + "metricsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "False" + }, + 
"logsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "True" + }, + "eventHubLocation": { + "type": "String", + "metadata": { + "displayName": "Event Hub Location", + "description": "Resource Location must be in the same location as the Event Hub Namespace.", + "strongType": "location" + }, + "allowedValues": [ + "swedencentral", + "westeurope" + ], + "defaultValue": "westeurope" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/expressRouteCircuits" + }, + { + "anyOf": [ + { + "value": "[parameters('eventHubLocation')]", + "equals": "" + }, + { + "field": "location", + "equals": "[parameters('eventHubLocation')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[parameters('logsEnabled')]" + } + }, + "greaterOrEquals": 1 + }, + { + "count": { + "field": "Microsoft.Insights/diagnosticSettings/metrics[*]", + "where": { + "field": "Microsoft.Insights/diagnosticSettings/metrics[*].enabled", + "equals": "[parameters('metricsEnabled')]" + } + }, + "greaterOrEquals": 1 + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", + "matchInsensitively": "[parameters('eventHubRuleId')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubName", + "matchInsensitively": "[parameters('eventHubName')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec", + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "eventHubRuleId": { + "type": "string" + }, + "eventHubName": { + "type": "string" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/expressRouteCircuits/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "eventHubName": "[parameters('eventHubName')]", + "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type ExpressRoute Circuits (Microsoft.Network/expressRouteCircuits), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]" + } + } + }, + "parameters": { + "eventHubRuleId": { + "value": "[parameters('eventHubRuleId')]" + }, + "eventHubName": { + "value": "[parameters('eventHubName')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + 
"profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for ExpressRoute to Event Hub/azurepolicy.parameters.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for ExpressRoute to Event Hub/azurepolicy.parameters.json new file mode 100644 index 00000000..3eccfba9 --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for ExpressRoute to Event Hub/azurepolicy.parameters.json 
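Review bot: The `anyOf` branch `"value": "[parameters('eventHubLocation')]", "equals": ""` in `policyRule.if` is unreachable, because `eventHubLocation.allowedValues` in the same hunk is `["swedencentral", "westeurope"]` and never admits an empty string; either add `""` to `allowedValues` (and describe it in the metadata as "no location filter") or drop the branch so the rule reads the way it behaves. The same pair appears in the Firewall and Load Balancer `azurepolicy.json` hunks below and in the corresponding `azurepolicy.parameters.json` / `azurepolicy.rules.json` copies, so change them together. Separately, the existenceCondition counts any `logs[*]` entry whose `enabled` matches `logsEnabled` and accepts `greaterOrEquals: 1`, so a pre-existing `setbypolicy_EH` setting that enables a single category satisfies it and the `allLogs` template is never deployed — the Event Grid rule above already wraps the `where` in an `allOf` that also requires `categoryGroup` `equals` `allLogs`, and this hunk should do the same. The description also states the policy enables "all metrics and category", while `metricsEnabled` defaults to `"False"`; align the text with the defaults or the default with the text.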
@@ -0,0 +1,76 @@ +{ + "eventHubRuleId": { + "type": "String", + "metadata": { + "displayName": "Event Hub Authorization Rule Id", + "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}", + "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules", + "assignPermissions": true + } + }, + "eventHubName": { + "type": "String", + "metadata": { + "displayName": "Event Hub Name", + "description": "Specify the name of the Event Hub" + } + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "AuditIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "profileName": { + "type": "String", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + }, + "defaultValue": "setbypolicy_EH" + }, + "metricsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "False" + }, + "logsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "True" + }, + "eventHubLocation": { + "type": "String", + "metadata": { + "displayName": "Event Hub Location", + "description": "Resource Location must be in the same location as the Event Hub Namespace.", + "strongType": "location" + }, + "allowedValues": [ + "swedencentral", + "westeurope" + ], + "defaultValue": "westeurope" + } 
+}
diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for ExpressRoute to Event Hub/azurepolicy.rules.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for ExpressRoute to Event Hub/azurepolicy.rules.json
new file mode 100644
index 00000000..b2b39553
--- /dev/null
+++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for ExpressRoute to Event Hub/azurepolicy.rules.json
@@ -0,0 +1,157 @@ +{ + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/expressRouteCircuits" + }, + { + "anyOf": [ + { + "value": "[parameters('eventHubLocation')]", + "equals": "" + }, + { + "field": "location", + "equals": "[parameters('eventHubLocation')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[parameters('logsEnabled')]" + } + }, + "greaterOrEquals": 1 + }, + { + "count": { + "field": "Microsoft.Insights/diagnosticSettings/metrics[*]", + "where": { + "field": "Microsoft.Insights/diagnosticSettings/metrics[*].enabled", + "equals": "[parameters('metricsEnabled')]" + } + }, + "greaterOrEquals": 1 + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", + "matchInsensitively": "[parameters('eventHubRuleId')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubName", + "matchInsensitively": "[parameters('eventHubName')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "eventHubRuleId": { + "type": "string" + }, + "eventHubName": { + "type": "string" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": 
"String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/expressRouteCircuits/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "eventHubName": "[parameters('eventHubName')]", + "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type ExpressRoute Circuits (Microsoft.Network/expressRouteCircuits), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]" + } + } + }, + "parameters": { + "eventHubRuleId": { + "value": "[parameters('eventHubRuleId')]" + }, + "eventHubName": { + "value": "[parameters('eventHubName')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } +} diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Firewall to Event Hub/azurepolicy.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Firewall to Event Hub/azurepolicy.json new file mode 100644 index 00000000..e0fa5ba5 --- /dev/null 
+++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Firewall to Event Hub/azurepolicy.json 
@@ -0,0 +1,234 @@ +{ + "name": "2f35eca4-2f46-43c7-8c6b-4dc3b6276d18", + "type": "Microsoft.Authorization/policyDefinitions", + "properties": { + "displayName": "Deploy Diagnostic Settings for Firewall to Event Hub", + "description": "Deploys the diagnostic settings for Firewall to stream to a Event Hub when any Firewall which is missing this diagnostic settings is created or updated. The policy will set the diagnostic with all metrics and category enabled.", + "metadata": { + "version": "1.0.0", + "category": "Monitoring" + }, + "mode": "Indexed", + "parameters": { + "eventHubRuleId": { + "type": "String", + "metadata": { + "displayName": "Event Hub Authorization Rule Id", + "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}", + "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules", + "assignPermissions": true + } + }, + "eventHubName": { + "type": "String", + "metadata": { + "displayName": "Event Hub Name", + "description": "Specify the name of the Event Hub" + } + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "AuditIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "profileName": { + "type": "String", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + }, + "defaultValue": "setbypolicy_EH" + }, + "metricsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "False" + }, + "logsEnabled": { 
+ "type": "String", + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "True" + }, + "eventHubLocation": { + "type": "String", + "metadata": { + "displayName": "Event Hub Location", + "description": "Resource Location must be in the same location as the Event Hub Namespace.", + "strongType": "location" + }, + "allowedValues": [ + "swedencentral", + "westeurope" + ], + "defaultValue": "westeurope" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/azureFirewalls" + }, + { + "anyOf": [ + { + "value": "[parameters('eventHubLocation')]", + "equals": "" + }, + { + "field": "location", + "equals": "[parameters('eventHubLocation')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "[parameters('logsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "[parameters('metricsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", + "matchInsensitively": "[parameters('eventHubRuleId')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubName", + "matchInsensitively": "[parameters('eventHubName')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + 
"parameters": { + "resourceName": { + "type": "string" + }, + "eventHubRuleId": { + "type": "string" + }, + "eventHubName": { + "type": "string" + }, + "location": { + "type": "string" + }, + "profileName": { + "type": "string" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/azureFirewalls/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]", + "eventHubName": "[parameters('eventHubName')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type Azure Firewall (Microsoft.Network/azureFirewalls), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]" + } + } + }, + "parameters": { + "eventHubRuleId": { + "value": "[parameters('eventHubRuleId')]" + }, + "eventHubName": { + "value": "[parameters('eventHubName')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} 
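Review bot: The nested template's parameter types mix casing within one block — `resourceName`, `eventHubRuleId`, `eventHubName`, `location` and `profileName` are `"string"` while `metricsEnabled` and `logsEnabled` are `"String"` — and the Event Grid and ExpressRoute hunks above use the opposite split; ARM accepts either spelling, but one form (`"string"`) across the whole set avoids noise in future diffs. The `$schema` is referenced over `http://`; the same URI is served over `https://` and that is what current templates use, so `"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#"` would be the better default for every definition in this chunk. The existence check here (`logs.enabled` / `metrics.enabled` with `equals`) is a third variant next to the two used above; a single shared form would make drift between these near-identical files easier to spot.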
diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Firewall to Event Hub/azurepolicy.parameters.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Firewall to Event Hub/azurepolicy.parameters.json
new file mode 100644
index 00000000..3eccfba9
--- /dev/null
+++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Firewall to Event Hub/azurepolicy.parameters.json
@@ -0,0 +1,76 @@ +{ + "eventHubRuleId": { + "type": "String", + "metadata": { + "displayName": "Event Hub Authorization Rule Id", + "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}", + "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules", + "assignPermissions": true + } + }, + "eventHubName": { + "type": "String", + "metadata": { + "displayName": "Event Hub Name", + "description": "Specify the name of the Event Hub" + } + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "AuditIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "profileName": { + "type": "String", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + }, + "defaultValue": "setbypolicy_EH" + }, + "metricsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "False" + }, + "logsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "True" + }, + "eventHubLocation": { + "type": "String", + "metadata": { + "displayName": "Event Hub Location", + "description": "Resource Location must be in the same location as the Event Hub Namespace.", + "strongType": "location" + }, + "allowedValues": [ + "swedencentral", + "westeurope" + ], + "defaultValue": "westeurope" + } 
+}
diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Firewall to Event Hub/azurepolicy.rules.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Firewall to Event Hub/azurepolicy.rules.json
new file mode 100644
index 00000000..4052c379
--- /dev/null
+++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Firewall to Event Hub/azurepolicy.rules.json
@@ -0,0 +1,145 @@ +{ + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/azureFirewalls" + }, + { + "anyOf": [ + { + "value": "[parameters('eventHubLocation')]", + "equals": "" + }, + { + "field": "location", + "equals": "[parameters('eventHubLocation')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "[parameters('logsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "[parameters('metricsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", + "matchInsensitively": "[parameters('eventHubRuleId')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubName", + "matchInsensitively": "[parameters('eventHubName')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "string" + }, + "eventHubRuleId": { + "type": "string" + }, + "eventHubName": { + "type": "string" + }, + "location": { + "type": "string" + }, + "profileName": { + "type": "string" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/azureFirewalls/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]", + "eventHubName": "[parameters('eventHubName')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type Azure Firewall (Microsoft.Network/azureFirewalls), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]" + } + } + }, + "parameters": { + "eventHubRuleId": { + "value": "[parameters('eventHubRuleId')]" + }, + "eventHubName": { + "value": "[parameters('eventHubName')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } +} diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Load Balancer to Event Hub/azurepolicy.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Load Balancer to Event Hub/azurepolicy.json new file mode 100644 index 00000000..41394187 --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Load Balancer to Event Hub/azurepolicy.json 
@@ -0,0 +1,234 @@ +{ + "name": "6d0a95bd-a8b9-428f-9c9c-c4f39f805ec8", + "type": "Microsoft.Authorization/policyDefinitions", + "properties": { + "displayName": "Deploy Diagnostic Settings for Load Balancer to Event Hub", + "description": "Deploys the diagnostic settings for Load Balancer to stream to a Event Hub when any Load Balancer which is missing this diagnostic settings is created or updated. The policy will set the diagnostic with all metrics and category enabled.", + "metadata": { + "version": "1.0.0", + "category": "Monitoring" + }, + "mode": "Indexed", + "parameters": { + "eventHubRuleId": { + "type": "String", + "metadata": { + "displayName": "Event Hub Authorization Rule Id", + "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}", + "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules", + "assignPermissions": true + } + }, + "eventHubName": { + "type": "String", + "metadata": { + "displayName": "Event Hub Name", + "description": "Specify the name of the Event Hub" + } + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "AuditIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "profileName": { + "type": "String", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + }, + "defaultValue": "setbypolicy_EH" + }, + "metricsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "False" + }, + 
"logsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "True" + }, + "eventHubLocation": { + "type": "String", + "metadata": { + "displayName": "Event Hub Location", + "description": "Resource Location must be in the same location as the Event Hub Namespace.", + "strongType": "location" + }, + "allowedValues": [ + "swedencentral", + "westeurope" + ], + "defaultValue": "westeurope" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/loadBalancers" + }, + { + "anyOf": [ + { + "value": "[parameters('eventHubLocation')]", + "equals": "" + }, + { + "field": "location", + "equals": "[parameters('eventHubLocation')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "[parameters('logsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "[parameters('metricsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", + "matchInsensitively": "[parameters('eventHubRuleId')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubName", + "matchInsensitively": "[parameters('eventHubName')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": 
"1.0.0.0", + "parameters": { + "resourceName": { + "type": "string" + }, + "eventHubRuleId": { + "type": "string" + }, + "eventHubName": { + "type": "string" + }, + "location": { + "type": "string" + }, + "profileName": { + "type": "string" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/loadBalancers/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "eventHubName": "[parameters('eventHubName')]", + "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]", + "metrics": [ + { + "category": "AllMetrics", + "timeGrain": null, + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "enabled": false, + "days": 0 + } + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type Loadbalancers (Microsoft.Network/loadBalancers), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]" + } + } + }, + "parameters": { + "eventHubRuleId": { + "value": "[parameters('eventHubRuleId')]" + }, + "eventHubName": { + "value": "[parameters('eventHubName')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} 
diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Load Balancer to Event Hub/azurepolicy.parameters.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Load Balancer to Event Hub/azurepolicy.parameters.json
new file mode 100644
index 00000000..3eccfba9
--- /dev/null
+++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Load Balancer to Event Hub/azurepolicy.parameters.json
@@ -0,0 +1,76 @@
+{
+ "eventHubRuleId": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Authorization Rule Id",
+ "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}",
+ "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules",
+ "assignPermissions": true
+ }
+ },
+ "eventHubName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Name",
+ "description": "Specify the name of the Event Hub"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "DeployIfNotExists",
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists"
+ },
+ "profileName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ },
+ "defaultValue": "setbypolicy_EH"
+ },
+ "metricsEnabled": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Enable metrics",
+ "description": "Whether to enable metrics stream to the Event Hub - True or False"
+ },
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "defaultValue": "False"
+ },
+ "logsEnabled": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Enable logs",
+ "description": "Whether to enable logs stream to the Event Hub - True or False"
+ },
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "defaultValue": "True"
+ },
+ "eventHubLocation": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Location",
+ "description": "Resource Location must be in the same location as the Event Hub Namespace.",
+ "strongType": "location"
+ },
+ "allowedValues": [
+ "swedencentral",
+ "westeurope"
+ ],
+ "defaultValue": "westeurope"
+ }
+}
diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Load Balancer to Event Hub/azurepolicy.rules.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Load Balancer to Event Hub/azurepolicy.rules.json
new file mode 100644
index 00000000..0a04e825
--- /dev/null
+++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Load Balancer to Event Hub/azurepolicy.rules.json
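Review bot: `eventHubName` is declared without a `strongType`, while the Machine Learning workspace definition later in this commit declares `"strongType": "Microsoft.EventHub/Namespaces/EventHubs"` for the same parameter; adding it here gives assignments a resource picker instead of a free-text field and keeps the parameter files consistent. The Logic Apps ISE and Logic Apps parameter files in this commit have the same omission. The `eventHubLocation` description ("Resource Location must be in the same location as the Event Hub Namespace.") reads as a constraint on the load balancer, whereas the rules file uses the value to select which load balancers are in scope; suggested wording: `"description": "Location of the Event Hub namespace. Only load balancers in this location will be linked to this Event Hub."`.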
@@ -0,0 +1,145 @@
+{
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Network/loadBalancers"
+ },
+ {
+ "anyOf": [
+ {
+ "value": "[parameters('eventHubLocation')]",
+ "equals": ""
+ },
+ {
+ "field": "location",
+ "equals": "[parameters('eventHubLocation')]"
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "[parameters('profileName')]",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
+ "equals": "[parameters('logsEnabled')]"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
+ "equals": "[parameters('metricsEnabled')]"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId",
+ "matchInsensitively": "[parameters('eventHubRuleId')]"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/eventHubName",
+ "matchInsensitively": "[parameters('eventHubName')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "string"
+ },
+ "eventHubRuleId": {
+ "type": "string"
+ },
+ "eventHubName": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "profileName": {
+ "type": "string"
+ },
+ "metricsEnabled": {
+ "type": "String"
+ },
+ "logsEnabled": {
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Network/loadBalancers/providers/diagnosticSettings",
+ "apiVersion": "2021-05-01-preview",
+ "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
+ "location": "[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "eventHubName": "[parameters('eventHubName')]",
+ "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]",
+ "metrics": [
+ {
+ "category": "AllMetrics",
+ "timeGrain": null,
+ "enabled": "[parameters('metricsEnabled')]",
+ "retentionPolicy": {
+ "enabled": false,
+ "days": 0
+ }
+ }
+ ],
+ "logs": [
+ {
+ "categoryGroup": "allLogs",
+ "enabled": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {
+ "policy": {
+ "type": "string",
+ "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type Loadbalancers (Microsoft.Network/loadBalancers), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]"
+ }
+ }
+ },
+ "parameters": {
+ "eventHubRuleId": {
+ "value": "[parameters('eventHubRuleId')]"
+ },
+ "eventHubName": {
+ "value": "[parameters('eventHubName')]"
+ },
+ "location": {
+ "value": "[field('location')]"
+ },
+ "resourceName": {
+ "value": "[field('name')]"
+ },
+ "profileName": {
+ "value": "[parameters('profileName')]"
+ },
+ "metricsEnabled": {
+ "value": "[parameters('metricsEnabled')]"
+ },
+ "logsEnabled": {
+ "value": "[parameters('logsEnabled')]"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Logic Apps ISE to Event Hub/azurepolicy.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Logic Apps ISE to Event Hub/azurepolicy.json
new file mode 100644
index 00000000..1a700d52
--- /dev/null
+++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Logic Apps ISE to Event Hub/azurepolicy.json
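Review bot: The `existenceCondition` only compares `Microsoft.Insights/diagnosticSettings/logs.enabled` with `logsEnabled`, whereas the ISE and Logic Apps rules in this commit count `logs[*]` entries whose `categoryGroup` equals `allLogs`; a pre-existing setting named `profileName` that streams only some categories to the same hub satisfies this condition and is never remediated, so the `allLogs` count check should be applied here for parity (the Machine Learning workspace definition appears to share this weaker pattern, but its hunk is cut off). The `"equals": ""` branch of the `eventHubLocation` `anyOf` cannot match, because the parameter's `allowedValues` are only `swedencentral` and `westeurope`; either drop the branch or add `""` to the allowed values if "all locations" is meant — the same applies to the ISE and Logic Apps rule hunks below. `92aaf0da-9dab-42b6-94a3-d43ce8d16293` is the Log Analytics Contributor built-in role although this definition has no workspace destination; if it is kept only for its diagnostic-settings write permission, confirm that and consider a narrower role so the remediation identity gets no more than it needs.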
@@ -0,0 +1,216 @@ +{ + "name": "86dc2efc-422b-420d-bb32-b7260c6628ed", + "type": "Microsoft.Authorization/policyDefinitions", + "properties": { + "displayName": "Deploy Diagnostic Settings for Logic Apps ISE to Event Hub", + "description": "Deploys the diagnostic settings for Logic Apps integration service environments to stream to a Event Hub when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The policy will set the diagnostic with all metrics and category enabled.", + "metadata": { + "version": "1.0.0", + "category": "Monitoring" + }, + "mode": "Indexed", + "parameters": { + "eventHubRuleId": { + "type": "String", + "metadata": { + "displayName": "Event Hub Authorization Rule Id", + "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}", + "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules", + "assignPermissions": true + } + }, + "eventHubName": { + "type": "String", + "metadata": { + "displayName": "Event Hub Name", + "description": "Specify the name of the Event Hub" + } + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "AuditIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "profileName": { + "type": "String", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + }, + "defaultValue": "setbypolicy_EH" + }, + "eventHubLocation": { + "type": "String", + "metadata": { + "displayName": "Event Hub Location", + "description": "The location the Event Hub resides in. 
Only Logic Apps in this location will be linked to this Event Hub.", + "strongType": "location" + }, + "allowedValues": [ + "swedencentral", + "westeurope" + ], + "defaultValue": "swedencentral" + }, + "logsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "True" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Logic/integrationAccounts" + }, + { + "anyOf": [ + { + "value": "[parameters('eventHubLocation')]", + "equals": "" + }, + { + "field": "location", + "equals": "[parameters('eventHubLocation')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[parameters('logsEnabled')]" + }, + { + "field": "microsoft.insights/diagnosticSettings/logs[*].categoryGroup", + "equals": "allLogs" + } + ] + } + }, + "equals": 1 + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", + "matchInsensitively": "[parameters('eventHubRuleId')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubName", + "matchInsensitively": "[parameters('eventHubName')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + 
"contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "eventHubRuleId": { + "type": "string" + }, + "eventHubName": { + "type": "string" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Logic/integrationAccounts/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]", + "eventHubName": "[parameters('eventHubName')]", + "metrics": [], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type Logic Apps ISE (Microsoft.Logic/integrationAccounts), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]" + } + } + }, + "parameters": { + "eventHubRuleId": { + "value": "[parameters('eventHubRuleId')]" + }, + "eventHubName": { + "value": "[parameters('eventHubName')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Logic Apps ISE to Event Hub/azurepolicy.parameters.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Logic Apps ISE to Event Hub/azurepolicy.parameters.json new file mode 100644 index 00000000..d0977e18 --- /dev/null 
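Review bot: The definition is titled and described as targeting Logic Apps integration service environments, but the `if` condition matches `Microsoft.Logic/integrationAccounts` (the Integration Account resource type) and the template deploys `Microsoft.Logic/integrationAccounts/providers/diagnosticSettings`; if ISEs are the intended scope the type should be `Microsoft.Logic/integrationServiceEnvironments` in both places and in the output string, otherwise `displayName`, `description` and the output string should say Integration Accounts. The rules.json hunk for this definition carries the same resource type. Separately, the `logsEnabled` description reads "Whether to enable logs stream to the Log Analytics workspace - True or False" although the destination is an Event Hub; suggested wording `"description": "Whether to enable logs stream to the Event Hub - True or False"`, here and in the matching parameters.json hunk. The description's "a Event Hub" should read "an Event Hub".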
+++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Logic Apps ISE to Event Hub/azurepolicy.parameters.json
@@ -0,0 +1,64 @@
+{
+ "eventHubRuleId": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Authorization Rule Id",
+ "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}",
+ "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules",
+ "assignPermissions": true
+ }
+ },
+ "eventHubName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Name",
+ "description": "Specify the name of the Event Hub"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "DeployIfNotExists",
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists"
+ },
+ "profileName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ },
+ "defaultValue": "setbypolicy_EH"
+ },
+ "eventHubLocation": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Location",
+ "description": "The location the Event Hub resides in. Only Logic Apps in this location will be linked to this Event Hub.",
+ "strongType": "location"
+ },
+ "allowedValues": [
+ "swedencentral",
+ "westeurope"
+ ],
+ "defaultValue": "swedencentral"
+ },
+ "logsEnabled": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Enable logs",
+ "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ },
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "defaultValue": "True"
+ }
+}
diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Logic Apps ISE to Event Hub/azurepolicy.rules.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Logic Apps ISE to Event Hub/azurepolicy.rules.json new file mode 100644 index 00000000..9e96d869 --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Logic Apps ISE to Event Hub/azurepolicy.rules.json 
@@ -0,0 +1,139 @@
+{
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Logic/integrationAccounts"
+ },
+ {
+ "anyOf": [
+ {
+ "value": "[parameters('eventHubLocation')]",
+ "equals": ""
+ },
+ {
+ "field": "location",
+ "equals": "[parameters('eventHubLocation')]"
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "[parameters('profileName')]",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[parameters('logsEnabled')]"
+ },
+ {
+ "field": "microsoft.insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "allLogs"
+ }
+ ]
+ }
+ },
+ "equals": 1
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId",
+ "matchInsensitively": "[parameters('eventHubRuleId')]"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/eventHubName",
+ "matchInsensitively": "[parameters('eventHubName')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
+ "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "String"
+ },
+ "eventHubRuleId": {
+ "type": "string"
+ },
+ "eventHubName": {
+ "type": "string"
+ },
+ "location": {
+ "type": "String"
+ },
+ "profileName": {
+ "type": "String"
+ },
+ "logsEnabled": {
+ "type": "String"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Logic/integrationAccounts/providers/diagnosticSettings",
+ "apiVersion": "2021-05-01-preview",
+ "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
+ "location": "[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]",
+ "eventHubName": "[parameters('eventHubName')]",
+ "metrics": [],
+ "logs": [
+ {
+ "categoryGroup": "allLogs",
+ "enabled": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {
+ "policy": {
+ "type": "string",
+ "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type Logic Apps ISE (Microsoft.Logic/integrationAccounts), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]"
+ }
+ }
+ },
+ "parameters": {
+ "eventHubRuleId": {
+ "value": "[parameters('eventHubRuleId')]"
+ },
+ "eventHubName": {
+ "value": "[parameters('eventHubName')]"
+ },
+ "location": {
+ "value": "[field('location')]"
+ },
+ "resourceName": {
+ "value": "[field('name')]"
+ },
+ "profileName": {
+ "value": "[parameters('profileName')]"
+ },
+ "logsEnabled": {
+ "value": "[parameters('logsEnabled')]"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Logic Apps to Event Hub/azurepolicy.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Logic Apps to Event Hub/azurepolicy.json
new file mode 100644
index 00000000..bf64aca6
--- /dev/null
+++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Logic Apps to Event Hub/azurepolicy.json
@@ -0,0 +1,247 @@ +{ + "name": "4311173c-c039-4e84-8957-2734b6961292", + "type": "Microsoft.Authorization/policyDefinitions", + "properties": { + "displayName": "Deploy Diagnostic Settings for Logic Apps to Event Hub", + "description": "Deploys the diagnostic settings for Logic Apps to stream to an Event Hub when any Logic Apps which is missing this diagnostic settings is created or updated. The policy will set the diagnostic with all metrics and category enabled.", + "metadata": { + "version": "1.0.0", + "category": "Monitoring" + }, + "mode": "Indexed", + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "AuditIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "profileName": { + "type": "String", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + }, + "defaultValue": "setbypolicy_EH" + }, + "eventHubRuleId": { + "type": "String", + "metadata": { + "displayName": "Event Hub Authorization Rule Id", + "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. 
/subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}", + "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules", + "assignPermissions": true + } + }, + "eventHubLocation": { + "type": "String", + "metadata": { + "displayName": "Event Hub Location", + "description": "Resource Location must be in the same location as the Event Hub Namespace.", + "strongType": "location" + }, + "allowedValues": [ + "swedencentral", + "westeurope" + ], + "defaultValue": "westeurope" + }, + "eventHubName": { + "type": "String", + "metadata": { + "displayName": "Event Hub Name", + "description": "Specify the name of the Event Hub" + } + }, + "metricsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "False" + }, + "logsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "True" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Logic/workflows" + }, + { + "anyOf": [ + { + "value": "[parameters('eventHubLocation')]", + "equals": "" + }, + { + "field": "location", + "equals": "[parameters('eventHubLocation')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[parameters('logsEnabled')]" + }, + { + "field": 
"microsoft.insights/diagnosticSettings/logs[*].categoryGroup", + "equals": "allLogs" + } + ] + } + }, + "equals": 1 + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "[parameters('metricsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", + "matchInsensitively": "[parameters('eventHubRuleId')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubName", + "matchInsensitively": "[parameters('eventHubName')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "string" + }, + "location": { + "type": "string" + }, + "eventHubRuleId": { + "type": "string" + }, + "eventHubName": { + "type": "string" + }, + "metricsEnabled": { + "type": "string" + }, + "logsEnabled": { + "type": "string" + }, + "profileName": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Logic/workflows/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "eventHubName": "[parameters('eventHubName')]", + "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "enabled": false, + "days": 0 + } + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + 
"outputs": { + "policy": { + "type": "string", + "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type Logic Apps (Microsoft.Logic/workflows), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]" + } + } + }, + "parameters": { + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "eventHubRuleId": { + "value": "[parameters('eventHubRuleId')]" + }, + "eventHubName": { + "value": "[parameters('eventHubName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + } + } + } + } + } + } + } + } +} diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Logic Apps to Event Hub/azurepolicy.parameters.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Logic Apps to Event Hub/azurepolicy.parameters.json new file mode 100644 index 00000000..ef7ea3ca --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Logic Apps to Event Hub/azurepolicy.parameters.json 
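Review bot: The description promises "The policy will set the diagnostic with all metrics and category enabled", but `metricsEnabled` defaults to `"False"` and the `existenceCondition` requires `Microsoft.Insights/diagnosticSettings/metrics.enabled` to equal that parameter, so under the defaults metrics are deployed disabled and an existing `setbypolicy_EH` setting with metrics on fails the condition and gets redeployed with metrics off; either default `metricsEnabled` to `"True"` or reword the description to say metrics are opt-in via `metricsEnabled`. The deployment `"mode": "incremental"` is lowercase here and in the matching rules.json hunk while the other definitions in this commit use `"Incremental"`; pick one spelling across the set.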
@@ -0,0 +1,76 @@
+{
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "DeployIfNotExists",
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists"
+ },
+ "profileName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ },
+ "defaultValue": "setbypolicy_EH"
+ },
+ "eventHubRuleId": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Authorization Rule Id",
+ "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}",
+ "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules",
+ "assignPermissions": true
+ }
+ },
+ "eventHubLocation": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Location",
+ "description": "Resource Location must be in the same location as the Event Hub Namespace.",
+ "strongType": "location"
+ },
+ "allowedValues": [
+ "swedencentral",
+ "westeurope"
+ ],
+ "defaultValue": "westeurope"
+ },
+ "eventHubName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Name",
+ "description": "Specify the name of the Event Hub"
+ }
+ },
+ "metricsEnabled": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Enable metrics",
+ "description": "Whether to enable metrics stream to the Event Hub - True or False"
+ },
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "defaultValue": "False"
+ },
+ "logsEnabled": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Enable logs",
+ "description": "Whether to enable logs stream to the Event Hub - True or False"
+ },
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "defaultValue": "True"
+ }
+}
diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Logic Apps to Event Hub/azurepolicy.rules.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Logic Apps to Event Hub/azurepolicy.rules.json
new file mode 100644
index 00000000..847c2120
--- /dev/null
+++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Logic Apps to Event Hub/azurepolicy.rules.json
@@ -0,0 +1,158 @@
+{
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Logic/workflows"
+ },
+ {
+ "anyOf": [
+ {
+ "value": "[parameters('eventHubLocation')]",
+ "equals": ""
+ },
+ {
+ "field": "location",
+ "equals": "[parameters('eventHubLocation')]"
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "[parameters('profileName')]",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[parameters('logsEnabled')]"
+ },
+ {
+ "field": "microsoft.insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "allLogs"
+ }
+ ]
+ }
+ },
+ "equals": 1
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
+ "equals": "[parameters('metricsEnabled')]"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId",
+ "matchInsensitively": "[parameters('eventHubRuleId')]"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/eventHubName",
+ "matchInsensitively": "[parameters('eventHubName')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "eventHubRuleId": {
+ "type": "string"
+ },
+ "eventHubName": {
+ "type": "string"
+ },
+ "metricsEnabled": {
+ "type": "string"
+ },
+ "logsEnabled": {
+ "type": "string"
+ },
+ "profileName": {
+ "type": "string"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Logic/workflows/providers/diagnosticSettings",
+ "apiVersion": "2021-05-01-preview",
+ "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
+ "location": "[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "eventHubName": "[parameters('eventHubName')]",
+ "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]",
+ "metrics": [
+ {
+ "category": "AllMetrics",
+ "enabled": "[parameters('metricsEnabled')]",
+ "retentionPolicy": {
+ "enabled": false,
+ "days": 0
+ }
+ }
+ ],
+ "logs": [
+ {
+ "categoryGroup": "allLogs",
+ "enabled": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {
+ "policy": {
+ "type": "string",
+ "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type Logic Apps (Microsoft.Logic/workflows), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]"
+ }
+ }
+ },
+ "parameters": {
+ "location": {
+ "value": "[field('location')]"
+ },
+ "resourceName": {
+ "value": "[field('name')]"
+ },
+ "eventHubRuleId": {
+ "value": "[parameters('eventHubRuleId')]"
+ },
+ "eventHubName": {
+ "value": "[parameters('eventHubName')]"
+ },
+ "metricsEnabled": {
+ "value": "[parameters('metricsEnabled')]"
+ },
+ "logsEnabled": {
+ "value": "[parameters('logsEnabled')]"
+ },
+ "profileName": {
+ "value": "[parameters('profileName')]"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Machine Learning workspace to Event Hub/azurepolicy.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Machine Learning workspace to Event Hub/azurepolicy.json
new file mode 100644
index 00000000..6b39d489
--- /dev/null
+++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Machine Learning workspace to Event Hub/azurepolicy.json 
@@ -0,0 +1,235 @@ +{ + "name": "11d5cab7-ddb9-4772-955a-9037cdcad6fd", + "type": "Microsoft.Authorization/policyDefinitions", + "properties": { + "displayName": "Deploy Diagnostic Settings for Machine Learning workspace to Event Hub", + "description": "Deploys the diagnostic settings for Machine Learning workspace to stream to a Event Hub when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The policy will set the diagnostic with all metrics and category enabled.", + "metadata": { + "category": "Monitoring", + "version": "1.0.0" + }, + "mode": "Indexed", + "parameters": { + "eventHubRuleId": { + "type": "String", + "metadata": { + "displayName": "Event Hub Authorization Rule Id", + "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}", + "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules", + "assignPermissions": true + } + }, + "eventHubName": { + "type": "String", + "metadata": { + "displayName": "Event Hub Name", + "description": "Specify the name of the Event Hub", + "strongType": "Microsoft.EventHub/Namespaces/EventHubs" + } + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "AuditIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "profileName": { + "type": "String", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + }, + "defaultValue": "setbypolicy_EH" + }, + "metricsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Event Hub - 
True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "True" + }, + "logsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "True" + }, + "eventHubLocation": { + "type": "String", + "metadata": { + "displayName": "Event Hub Location", + "description": "The location the Event Hub resides in. Only Logic Apps in this location will be linked to this Event Hub.", + "strongType": "location" + }, + "allowedValues": [ + "swedencentral", + "westeurope" + ], + "defaultValue": "westeurope" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.MachineLearningServices/workspaces" + }, + { + "anyOf": [ + { + "value": "[parameters('eventHubLocation')]", + "equals": "" + }, + { + "field": "location", + "equals": "[parameters('eventHubLocation')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "[parameters('logsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "[parameters('metricsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", + "matchInsensitively": "[parameters('eventHubRuleId')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubName", + "matchInsensitively": "[parameters('eventHubName')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec" + ], + "deployment": { + "properties": { + "mode": 
"Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "eventHubRuleId": { + "type": "string" + }, + "eventHubName": { + "type": "string" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.MachineLearningServices/workspaces/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]", + "eventHubName": "[parameters('eventHubName')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": true + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type Machine Learning services workspace (Microsoft.MachineLearningServices/workspaces), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]" + } + } + }, + "parameters": { + "eventHubRuleId": { + "value": "[parameters('eventHubRuleId')]" + }, + "eventHubName": { + "value": "[parameters('eventHubName')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": 
"[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Machine Learning workspace to Event Hub/azurepolicy.parameters.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Machine Learning workspace to Event Hub/azurepolicy.parameters.json new file mode 100644 index 00000000..dcc457eb --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Machine Learning workspace to Event Hub/azurepolicy.parameters.json 
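Review bot: The `eventHubLocation` description in this definition's parameters still reads `Only Logic Apps in this location will be linked to this Event Hub.`, a leftover from the Logic Apps policy; the MariaDB and NSG definitions in this commit use `Resource Location must be in the same location as the Event Hub Namespace.`, and that wording should be used here and in the matching azurepolicy.parameters.json hunk below. Separately, the `anyOf` branch comparing `[parameters('eventHubLocation')]` with `""` can never match because `allowedValues` lists only `swedencentral` and `westeurope`, so either drop that branch or add `""` to the allowed values if "any region" is intended; the same dead branch appears in the MariaDB and Network Security Groups definitions. Finally, the existenceCondition here tests `Microsoft.Insights/diagnosticSettings/logs.enabled` but not the category group, whereas the NSG definition verifies `categoryGroup` equals `allLogs` through a `count`/`where` clause, so a pre-existing setting on the same hub that enables only some categories would be reported compliant by this rule; adopting the NSG form in this and the MariaDB rule would close that gap.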
@@ -0,0 +1,77 @@ +{ + "eventHubRuleId": { + "type": "String", + "metadata": { + "displayName": "Event Hub Authorization Rule Id", + "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}", + "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules", + "assignPermissions": true + } + }, + "eventHubName": { + "type": "String", + "metadata": { + "displayName": "Event Hub Name", + "description": "Specify the name of the Event Hub", + "strongType": "Microsoft.EventHub/Namespaces/EventHubs" + } + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "AuditIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "profileName": { + "type": "String", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + }, + "defaultValue": "setbypolicy_EH" + }, + "metricsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "True" + }, + "logsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "True" + }, + "eventHubLocation": { + "type": "String", + "metadata": { + "displayName": "Event Hub Location", + "description": "The location the Event Hub resides in. 
Only Logic Apps in this location will be linked to this Event Hub.", + "strongType": "location" + }, + "allowedValues": [ + "swedencentral", + "westeurope" + ], + "defaultValue": "westeurope" + } +} diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Machine Learning workspace to Event Hub/azurepolicy.rules.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Machine Learning workspace to Event Hub/azurepolicy.rules.json new file mode 100644 index 00000000..b969adf8 --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Machine Learning workspace to Event Hub/azurepolicy.rules.json 
@@ -0,0 +1,145 @@ +{ + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.MachineLearningServices/workspaces" + }, + { + "anyOf": [ + { + "value": "[parameters('eventHubLocation')]", + "equals": "" + }, + { + "field": "location", + "equals": "[parameters('eventHubLocation')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "[parameters('logsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "[parameters('metricsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", + "matchInsensitively": "[parameters('eventHubRuleId')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubName", + "matchInsensitively": "[parameters('eventHubName')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "eventHubRuleId": { + "type": "string" + }, + "eventHubName": { + "type": "string" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.MachineLearningServices/workspaces/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 
'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]", + "eventHubName": "[parameters('eventHubName')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": true + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type Machine Learning services workspace (Microsoft.MachineLearningServices/workspaces), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]" + } + } + }, + "parameters": { + "eventHubRuleId": { + "value": "[parameters('eventHubRuleId')]" + }, + "eventHubName": { + "value": "[parameters('eventHubName')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } +} diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for MariaDB to Event Hub/azurepolicy.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for MariaDB to Event Hub/azurepolicy.json new file mode 100644 index 00000000..d6b578fe --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for MariaDB to Event Hub/azurepolicy.json 
@@ -0,0 +1,234 @@ +{ + "name": "8a442cb6-4bdc-4091-a18c-080182c41529", + "type": "Microsoft.Authorization/policyDefinitions", + "properties": { + "displayName": "Deploy Diagnostic Settings for MariaDB to Event Hub", + "description": "Deploys the diagnostic settings for MariaDB to stream to a Event Hub when any MariaDB which is missing this diagnostic settings is created or updated. The policy will set the diagnostic with all metrics and category enabled.", + "metadata": { + "version": "1.0.0", + "category": "Monitoring" + }, + "mode": "Indexed", + "parameters": { + "eventHubRuleId": { + "type": "String", + "metadata": { + "displayName": "Event Hub Authorization Rule Id", + "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}", + "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules", + "assignPermissions": true + } + }, + "eventHubName": { + "type": "String", + "metadata": { + "displayName": "Event Hub Name", + "description": "Specify the name of the Event Hub" + } + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "AuditIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "profileName": { + "type": "String", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + }, + "defaultValue": "setbypolicy_EH" + }, + "metricsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "False" + }, + "logsEnabled": { + 
"type": "String", + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "True" + }, + "eventHubLocation": { + "type": "String", + "metadata": { + "displayName": "Event Hub Location", + "description": "Resource Location must be in the same location as the Event Hub Namespace.", + "strongType": "location" + }, + "allowedValues": [ + "swedencentral", + "westeurope" + ], + "defaultValue": "westeurope" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.DBforMariaDB/servers" + }, + { + "anyOf": [ + { + "value": "[parameters('eventHubLocation')]", + "equals": "" + }, + { + "field": "location", + "equals": "[parameters('eventHubLocation')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "[parameters('logsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "[parameters('metricsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", + "matchInsensitively": "[parameters('eventHubRuleId')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubName", + "matchInsensitively": "[parameters('eventHubName')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + 
"parameters": { + "resourceName": { + "type": "String" + }, + "eventHubRuleId": { + "type": "string" + }, + "eventHubName": { + "type": "string" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DBforMariaDB/servers/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]", + "eventHubName": "[parameters('eventHubName')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type MariaDB (Microsoft.DBforMariaDB), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]" + } + } + }, + "parameters": { + "eventHubRuleId": { + "value": "[parameters('eventHubRuleId')]" + }, + "eventHubName": { + "value": "[parameters('eventHubName')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} 
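Review bot: The description says the policy will `set the diagnostic with all metrics and category enabled`, but `metricsEnabled` defaults to `"False"` here while the Machine Learning definition above defaults it to `"True"`; either align the default or reword to `The policy will set the diagnostic with all log categories enabled; metrics are opt-in via the metricsEnabled parameter.` The template's `retentionPolicy` also differs between the two definitions (`"enabled": false` here, `"enabled": true` in the ML template, both with `"days": 0`); as far as I know retention policy is only honoured for storage-account destinations, so one consistent value should be used across all Event Hub definitions to avoid the appearance of a deliberate difference. Minor: `eventHubName` carries `"strongType": "Microsoft.EventHub/Namespaces/EventHubs"` in the ML definition but not here or in the NSG definition, which loses the portal picker for that parameter. The same points apply to the MariaDB parameters and rules hunks that follow.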
diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for MariaDB to Event Hub/azurepolicy.parameters.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for MariaDB to Event Hub/azurepolicy.parameters.json new file mode 100644 index 00000000..3eccfba9 --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for MariaDB to Event Hub/azurepolicy.parameters.json 
@@ -0,0 +1,76 @@ +{ + "eventHubRuleId": { + "type": "String", + "metadata": { + "displayName": "Event Hub Authorization Rule Id", + "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}", + "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules", + "assignPermissions": true + } + }, + "eventHubName": { + "type": "String", + "metadata": { + "displayName": "Event Hub Name", + "description": "Specify the name of the Event Hub" + } + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "AuditIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "profileName": { + "type": "String", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + }, + "defaultValue": "setbypolicy_EH" + }, + "metricsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "False" + }, + "logsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "True" + }, + "eventHubLocation": { + "type": "String", + "metadata": { + "displayName": "Event Hub Location", + "description": "Resource Location must be in the same location as the Event Hub Namespace.", + "strongType": "location" + }, + "allowedValues": [ + "swedencentral", + "westeurope" + ], + "defaultValue": "westeurope" + } 
+} diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for MariaDB to Event Hub/azurepolicy.rules.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for MariaDB to Event Hub/azurepolicy.rules.json new file mode 100644 index 00000000..d1399a4b --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for MariaDB to Event Hub/azurepolicy.rules.json 
@@ -0,0 +1,145 @@ +{ + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.DBforMariaDB/servers" + }, + { + "anyOf": [ + { + "value": "[parameters('eventHubLocation')]", + "equals": "" + }, + { + "field": "location", + "equals": "[parameters('eventHubLocation')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "[parameters('logsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "[parameters('metricsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", + "matchInsensitively": "[parameters('eventHubRuleId')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubName", + "matchInsensitively": "[parameters('eventHubName')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "eventHubRuleId": { + "type": "string" + }, + "eventHubName": { + "type": "string" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DBforMariaDB/servers/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]", + "eventHubName": "[parameters('eventHubName')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type MariaDB (Microsoft.DBforMariaDB), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]" + } + } + }, + "parameters": { + "eventHubRuleId": { + "value": "[parameters('eventHubRuleId')]" + }, + "eventHubName": { + "value": "[parameters('eventHubName')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } +} diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Network Security Groups to Event Hub/azurepolicy.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Network Security Groups to Event Hub/azurepolicy.json new file mode 100644 index 00000000..34b1ea7a --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Network Security Groups to Event Hub/azurepolicy.json 
@@ -0,0 +1,216 @@ +{ + "name": "2802d57c-31e0-4198-955e-9d0ca1ce022f", + "type": "Microsoft.Authorization/policyDefinitions", + "properties": { + "displayName": "Deploy Diagnostic Settings for Network Security Groups to Event Hub", + "description": "Deploys the diagnostic settings for Network Security Groups to stream to a Event Hub when any Network Security Groups which is missing this diagnostic settings is created or updated. The policy will set the diagnostic with all metrics and category enabled.", + "metadata": { + "version": "1.0.0", + "category": "Monitoring" + }, + "mode": "Indexed", + "parameters": { + "eventHubRuleId": { + "type": "String", + "metadata": { + "displayName": "Event Hub Authorization Rule Id", + "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}", + "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules", + "assignPermissions": true + } + }, + "eventHubName": { + "type": "String", + "metadata": { + "displayName": "Event Hub Name", + "description": "Specify the name of the Event Hub" + } + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "AuditIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "profileName": { + "type": "String", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + }, + "defaultValue": "setbypolicy_EH" + }, + "logsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + 
"defaultValue": "True" + }, + "eventHubLocation": { + "type": "String", + "metadata": { + "displayName": "Event Hub Location", + "description": "Resource Location must be in the same location as the Event Hub Namespace.", + "strongType": "location" + }, + "allowedValues": [ + "swedencentral", + "westeurope" + ], + "defaultValue": "westeurope" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/networkSecurityGroups" + }, + { + "anyOf": [ + { + "value": "[parameters('eventHubLocation')]", + "equals": "" + }, + { + "field": "location", + "equals": "[parameters('eventHubLocation')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[parameters('logsEnabled')]" + }, + { + "field": "microsoft.insights/diagnosticSettings/logs[*].categoryGroup", + "equals": "allLogs" + } + ] + } + }, + "equals": 1 + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", + "matchInsensitively": "[parameters('eventHubRuleId')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubName", + "matchInsensitively": "[parameters('eventHubName')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "eventHubRuleId": { 
+ "type": "string" + }, + "eventHubName": { + "type": "string" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/networkSecurityGroups/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]", + "eventHubName": "[parameters('eventHubName')]", + "metrics": [], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type Network Security Groups (Microsoft.Network/networkSecurityGroups), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]" + } + } + }, + "parameters": { + "eventHubRuleId": { + "value": "[parameters('eventHubRuleId')]" + }, + "eventHubName": { + "value": "[parameters('eventHubName')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Network Security Groups to Event Hub/azurepolicy.parameters.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Network Security Groups to Event Hub/azurepolicy.parameters.json new file mode 100644 index 00000000..c022809f --- /dev/null 
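Review bot: The description promises `all metrics and category enabled`, but the deployed template sets `"metrics": []` and the definition exposes no `metricsEnabled` parameter (presumably because this resource type has no metrics to stream), so the text overstates what an assignment does; `The policy will set the diagnostic with all log categories enabled.` would match the template. Inside the `count`/`where` clause the alias is written `microsoft.insights/diagnosticSettings/logs[*].categoryGroup` while every sibling alias uses `Microsoft.Insights/...`; alias matching is case-insensitive as far as I know, but the mixed casing makes the condition harder to grep and should be normalised. The same description and alias points apply to the NSG rules hunk below.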
+++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Network Security Groups to Event Hub/azurepolicy.parameters.json @@ -0,0 +1,64 @@ +{ + "eventHubRuleId": { + "type": "String", + "metadata": { + "displayName": "Event Hub Authorization Rule Id", + "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}", + "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules", + "assignPermissions": true + } + }, + "eventHubName": { + "type": "String", + "metadata": { + "displayName": "Event Hub Name", + "description": "Specify the name of the Event Hub" + } + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "AuditIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "profileName": { + "type": "String", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + }, + "defaultValue": "setbypolicy_EH" + }, + "logsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "True" + }, + "eventHubLocation": { + "type": "String", + "metadata": { + "displayName": "Event Hub Location", + "description": "Resource Location must be in the same location as the Event Hub Namespace.", + "strongType": "location" + }, + "allowedValues": [ + "swedencentral", + "westeurope" + ], + "defaultValue": "westeurope" + } +} 
diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Network Security Groups to Event Hub/azurepolicy.rules.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Network Security Groups to Event Hub/azurepolicy.rules.json new file mode 100644 index 00000000..12ce79fe --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Network Security Groups to Event Hub/azurepolicy.rules.json 
@@ -0,0 +1,139 @@ +{ + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/networkSecurityGroups" + }, + { + "anyOf": [ + { + "value": "[parameters('eventHubLocation')]", + "equals": "" + }, + { + "field": "location", + "equals": "[parameters('eventHubLocation')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[parameters('logsEnabled')]" + }, + { + "field": "microsoft.insights/diagnosticSettings/logs[*].categoryGroup", + "equals": "allLogs" + } + ] + } + }, + "equals": 1 + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", + "matchInsensitively": "[parameters('eventHubRuleId')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubName", + "matchInsensitively": "[parameters('eventHubName')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "eventHubRuleId": { + "type": "string" + }, + "eventHubName": { + "type": "string" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/networkSecurityGroups/providers/diagnosticSettings", + "apiVersion": 
"2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]", + "eventHubName": "[parameters('eventHubName')]", + "metrics": [], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type Network Security Groups (Microsoft.Network/networkSecurityGroups), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]" + } + } + }, + "parameters": { + "eventHubRuleId": { + "value": "[parameters('eventHubRuleId')]" + }, + "eventHubName": { + "value": "[parameters('eventHubName')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } +} diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Power BI Embedded to Event Hub/azurepolicy.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Power BI Embedded to Event Hub/azurepolicy.json new file mode 100644 index 00000000..2cdff102 --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Power BI Embedded to Event Hub/azurepolicy.json 
@@ -0,0 +1,234 @@ +{ + "name": "2c41091e-b598-46f5-b77d-a611eda7f8c1", + "type": "Microsoft.Authorization/policyDefinitions", + "properties": { + "displayName": "Deploy Diagnostic Settings for Power BI Embedded to Event Hub", + "description": "Deploys the diagnostic settings for Power BI Embedded to stream to a Event Hub when any Power BI Embedded which is missing this diagnostic settings is created or updated. The policy will set the diagnostic with all metrics and category enabled.", + "metadata": { + "version": "1.0.0", + "category": "Monitoring" + }, + "mode": "Indexed", + "parameters": { + "eventHubRuleId": { + "type": "String", + "metadata": { + "displayName": "Event Hub Authorization Rule Id", + "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}", + "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules", + "assignPermissions": true + } + }, + "eventHubName": { + "type": "String", + "metadata": { + "displayName": "Event Hub Name", + "description": "Specify the name of the Event Hub" + } + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "AuditIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "profileName": { + "type": "String", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + }, + "defaultValue": "setbypolicy_EH" + }, + "metricsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": 
"False" + }, + "logsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "True" + }, + "eventHubLocation": { + "type": "String", + "metadata": { + "displayName": "Event Hub Location", + "description": "Resource Location must be in the same location as the Event Hub Namespace.", + "strongType": "location" + }, + "allowedValues": [ + "swedencentral", + "westeurope" + ], + "defaultValue": "westeurope" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.PowerBIDedicated/capacities" + }, + { + "anyOf": [ + { + "value": "[parameters('eventHubLocation')]", + "equals": "" + }, + { + "field": "location", + "equals": "[parameters('eventHubLocation')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "[parameters('logsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "[parameters('metricsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", + "matchInsensitively": "[parameters('eventHubRuleId')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubName", + "matchInsensitively": "[parameters('eventHubName')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + 
"contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "eventHubRuleId": { + "type": "string" + }, + "eventHubName": { + "type": "string" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.PowerBIDedicated/capacities/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]", + "eventHubName": "[parameters('eventHubName')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type Power BI Dedicated capacities (Microsoft.PowerBIDedicated/capacities), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]" + } + } + }, + "parameters": { + "eventHubRuleId": { + "value": "[parameters('eventHubRuleId')]" + }, + "eventHubName": { + "value": "[parameters('eventHubName')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} 
diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Power BI Embedded to Event Hub/azurepolicy.parameters.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Power BI Embedded to Event Hub/azurepolicy.parameters.json new file mode 100644 index 00000000..3eccfba9 --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Power BI Embedded to Event Hub/azurepolicy.parameters.json 
@@ -0,0 +1,76 @@ +{ + "eventHubRuleId": { + "type": "String", + "metadata": { + "displayName": "Event Hub Authorization Rule Id", + "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}", + "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules", + "assignPermissions": true + } + }, + "eventHubName": { + "type": "String", + "metadata": { + "displayName": "Event Hub Name", + "description": "Specify the name of the Event Hub" + } + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "AuditIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "profileName": { + "type": "String", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + }, + "defaultValue": "setbypolicy_EH" + }, + "metricsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "False" + }, + "logsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "True" + }, + "eventHubLocation": { + "type": "String", + "metadata": { + "displayName": "Event Hub Location", + "description": "Resource Location must be in the same location as the Event Hub Namespace.", + "strongType": "location" + }, + "allowedValues": [ + "swedencentral", + "westeurope" + ], + "defaultValue": "westeurope" + } 
+} diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Power BI Embedded to Event Hub/azurepolicy.rules.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Power BI Embedded to Event Hub/azurepolicy.rules.json new file mode 100644 index 00000000..0a613680 --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Power BI Embedded to Event Hub/azurepolicy.rules.json 
@@ -0,0 +1,145 @@ +{ + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.PowerBIDedicated/capacities" + }, + { + "anyOf": [ + { + "value": "[parameters('eventHubLocation')]", + "equals": "" + }, + { + "field": "location", + "equals": "[parameters('eventHubLocation')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "[parameters('logsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "[parameters('metricsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", + "matchInsensitively": "[parameters('eventHubRuleId')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubName", + "matchInsensitively": "[parameters('eventHubName')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "eventHubRuleId": { + "type": "string" + }, + "eventHubName": { + "type": "string" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.PowerBIDedicated/capacities/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 
'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]", + "eventHubName": "[parameters('eventHubName')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type Power BI Dedicated capacities (Microsoft.PowerBIDedicated/capacities), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]" + } + } + }, + "parameters": { + "eventHubRuleId": { + "value": "[parameters('eventHubRuleId')]" + }, + "eventHubName": { + "value": "[parameters('eventHubName')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } +} diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Recovery Services vault to Event Hub/azurepolicy.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Recovery Services vault to Event Hub/azurepolicy.json new file mode 100644 index 00000000..a7d26f3c --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Recovery Services vault to Event Hub/azurepolicy.json 
@@ -0,0 +1,278 @@ +{ + "name": "0f84b279-00a5-401f-8d5e-84e293f6dcad", + "type": "Microsoft.Authorization/policyDefinitions", + "properties": { + "displayName": "Deploy Diagnostic Settings for Recovery Services vault to Event Hub", + "description": "Deploys the diagnostic settings for Recovery Services vaults to stream to a Event Hub when any Recovery Services vaults which is missing this diagnostic settings is created or updated. The policy will set the diagnostic with all metrics and category enabled. Amended built-in policy to add eventHubName-parameter to stream to a specific event hub.", + "metadata": { + "version": "1.0.0", + "category": "Monitoring" + }, + "mode": "Indexed", + "parameters": { + "eventHubRuleId": { + "type": "String", + "metadata": { + "displayName": "Event Hub Authorization Rule Id", + "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}", + "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules", + "assignPermissions": true + } + }, + "eventHubName": { + "type": "String", + "metadata": { + "displayName": "Event Hub Name", + "description": "Specify the name of the Event Hub" + } + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "AuditIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "profileName": { + "type": "String", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + }, + "defaultValue": "setbypolicy_EH" + }, + "metricsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream 
to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "False" + }, + "logsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "True" + }, + "eventHubLocation": { + "type": "String", + "metadata": { + "displayName": "Event Hub Location", + "description": "Resource Location must be in the same location as the Event Hub Namespace.", + "strongType": "location" + }, + "allowedValues": [ + "swedencentral", + "westeurope" + ], + "defaultValue": "westeurope" + }, + "tagName": { + "type": "String", + "metadata": { + "displayName": "Exclusion Tag Name", + "description": "Name of the tag to use for excluding vaults from this policy. This should be used along with the Exclusion Tag Value parameter." + }, + "defaultValue": "" + }, + "tagValue": { + "type": "String", + "metadata": { + "displayName": "Exclusion Tag Value", + "description": "Value of the tag to use for excluding vaults from this policy. This should be used along with the Exclusion Tag Name parameter." 
+ }, + "defaultValue": "" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.RecoveryServices/vaults" + }, + { + "anyOf": [ + { + "value": "[parameters('eventHubLocation')]", + "equals": "" + }, + { + "field": "location", + "equals": "[parameters('eventHubLocation')]" + } + ] + }, + { + "not": { + "field": "[concat('tags[',parameters('tagName'), ']')]", + "equals": "[parameters('tagValue')]" + } + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].Category", + "in": [ + "CoreAzureBackup", + "AddonAzureBackupJobs", + "AddonAzureBackupAlerts", + "AddonAzureBackupPolicy", + "AddonAzureBackupStorage", + "AddonAzureBackupProtectedInstance", + "AzureBackupReport" + ] + }, + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].Enabled", + "equals": "[parameters('logsEnabled')]" + } + ] + } + }, + "equals": 7 + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "[parameters('metricsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", + "matchInsensitively": "[parameters('eventHubRuleId')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubName", + "matchInsensitively": "[parameters('eventHubName')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + 
"contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "eventHubRuleId": { + "type": "string" + }, + "eventHubName": { + "type": "string" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.RecoveryServices/vaults/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "eventHubName": "[parameters('eventHubName')]", + "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]", + "metrics": [ + { + "category": "Health", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type Recover Services vaults (Microsoft.RecoveryServices/vaults), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]" + } + } + }, + "parameters": { + "eventHubRuleId": { + "value": "[parameters('eventHubRuleId')]" + }, + "eventHubName": { + "value": "[parameters('eventHubName')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} 
diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Recovery Services vault to Event Hub/azurepolicy.parameters.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Recovery Services vault to Event Hub/azurepolicy.parameters.json new file mode 100644 index 00000000..d097e013 --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Recovery Services vault to Event Hub/azurepolicy.parameters.json 
@@ -0,0 +1,92 @@ +{ + "eventHubRuleId": { + "type": "String", + "metadata": { + "displayName": "Event Hub Authorization Rule Id", + "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}", + "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules", + "assignPermissions": true + } + }, + "eventHubName": { + "type": "String", + "metadata": { + "displayName": "Event Hub Name", + "description": "Specify the name of the Event Hub" + } + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "AuditIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "profileName": { + "type": "String", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + }, + "defaultValue": "setbypolicy_EH" + }, + "metricsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "False" + }, + "logsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "True" + }, + "eventHubLocation": { + "type": "String", + "metadata": { + "displayName": "Event Hub Location", + "description": "Resource Location must be in the same location as the Event Hub Namespace.", + "strongType": "location" + }, + "allowedValues": [ + "swedencentral", + "westeurope" + ], + "defaultValue": "westeurope" + }, 
+ "tagName": { + "type": "String", + "metadata": { + "displayName": "Exclusion Tag Name", + "description": "Name of the tag to use for excluding vaults from this policy. This should be used along with the Exclusion Tag Value parameter." + }, + "defaultValue": "" + }, + "tagValue": { + "type": "String", + "metadata": { + "displayName": "Exclusion Tag Value", + "description": "Value of the tag to use for excluding vaults from this policy. This should be used along with the Exclusion Tag Name parameter." + }, + "defaultValue": "" + } +} diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Recovery Services vault to Event Hub/azurepolicy.rules.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Recovery Services vault to Event Hub/azurepolicy.rules.json new file mode 100644 index 00000000..5a29130c --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Recovery Services vault to Event Hub/azurepolicy.rules.json 
@@ -0,0 +1,173 @@ +{ + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.RecoveryServices/vaults" + }, + { + "anyOf": [ + { + "value": "[parameters('eventHubLocation')]", + "equals": "" + }, + { + "field": "location", + "equals": "[parameters('eventHubLocation')]" + } + ] + }, + { + "not": { + "field": "[concat('tags[',parameters('tagName'), ']')]", + "equals": "[parameters('tagValue')]" + } + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].Category", + "in": [ + "CoreAzureBackup", + "AddonAzureBackupJobs", + "AddonAzureBackupAlerts", + "AddonAzureBackupPolicy", + "AddonAzureBackupStorage", + "AddonAzureBackupProtectedInstance", + "AzureBackupReport" + ] + }, + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].Enabled", + "equals": "[parameters('logsEnabled')]" + } + ] + } + }, + "equals": 7 + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "[parameters('metricsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", + "matchInsensitively": "[parameters('eventHubRuleId')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubName", + "matchInsensitively": "[parameters('eventHubName')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { 
+ "resourceName": { + "type": "String" + }, + "eventHubRuleId": { + "type": "string" + }, + "eventHubName": { + "type": "string" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.RecoveryServices/vaults/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "eventHubName": "[parameters('eventHubName')]", + "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]", + "metrics": [ + { + "category": "Health", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type Recover Services vaults (Microsoft.RecoveryServices/vaults), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]" + } + } + }, + "parameters": { + "eventHubRuleId": { + "value": "[parameters('eventHubRuleId')]" + }, + "eventHubName": { + "value": "[parameters('eventHubName')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } +} 
diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Relay to Event Hub/azurepolicy.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Relay to Event Hub/azurepolicy.json new file mode 100644 index 00000000..243c2368 --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Relay to Event Hub/azurepolicy.json 
@@ -0,0 +1,229 @@ +{ + "name": "8be9a71b-542e-4c76-9865-4707a2205482", + "type": "Microsoft.Authorization/policyDefinitions", + "properties": { + "displayName": "Deploy Diagnostic Settings for Relay to Event Hub", + "description": "Deploys the diagnostic settings for Relay to stream to a Event Hub when any Relay which is missing this diagnostic settings is created or updated. The policy will set the diagnostic with all metrics and category enabled.", + "metadata": { + "version": "1.0.0", + "category": "Monitoring" + }, + "mode": "Indexed", + "parameters": { + "eventHubRuleId": { + "type": "String", + "metadata": { + "displayName": "Event Hub Authorization Rule Id", + "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}", + "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules", + "assignPermissions": true + } + }, + "eventHubName": { + "type": "String", + "metadata": { + "displayName": "Event Hub Name", + "description": "Specify the name of the Event Hub" + } + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "AuditIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "profileName": { + "type": "String", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + }, + "defaultValue": "setbypolicy_EH" + }, + "metricsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "False" + }, + "logsEnabled": { + "type": 
"String", + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "True" + }, + "eventHubLocation": { + "type": "String", + "metadata": { + "displayName": "Event Hub Location", + "description": "Resource Location must be in the same location as the Event Hub Namespace.", + "strongType": "location" + }, + "allowedValues": [ + "swedencentral", + "westeurope" + ], + "defaultValue": "westeurope" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Relay/namespaces" + }, + { + "anyOf": [ + { + "value": "[parameters('eventHubLocation')]", + "equals": "" + }, + { + "field": "location", + "equals": "[parameters('eventHubLocation')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "[parameters('logsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "[parameters('metricsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", + "matchInsensitively": "[parameters('eventHubRuleId')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubName", + "matchInsensitively": "[parameters('eventHubName')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + 
"resourceName": { + "type": "String" + }, + "eventHubRuleId": { + "type": "string" + }, + "eventHubName": { + "type": "string" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Relay/namespaces/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]", + "eventHubName": "[parameters('eventHubName')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "eventHubRuleId": { + "value": "[parameters('eventHubRuleId')]" + }, + "eventHubName": { + "value": "[parameters('eventHubName')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Relay to Event Hub/azurepolicy.parameters.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Relay to Event Hub/azurepolicy.parameters.json new file mode 100644 index 00000000..3eccfba9 --- /dev/null 
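Review bot: The `anyOf` branch `"value": "[parameters('eventHubLocation')]", "equals": ""` in policyRule is unreachable, because `eventHubLocation` restricts `allowedValues` to `swedencentral` and `westeurope` with no empty option, so the rule always filters on `location`; either add `""` to `allowedValues` (and say in its `description` that an empty value disables the location filter) or drop the dead branch. `roleDefinitionIds` grants both `f526a384-…` and `92aaf0da-…` to the remediation identity (and, via `assignPermissions: true`, on the Event Hub authorization rule), yet the deployment only writes a `diagnosticSettings` sub-resource to an Event Hub sink; if a test assignment remediates with `92aaf0da-…` alone, drop the first id so the identity stays least-privileged. The `description` also promises `all metrics and category enabled`, which contradicts `metricsEnabled` defaulting to `"False"` — reword it to say logs are enabled by default and metrics are opt-in.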
+++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Relay to Event Hub/azurepolicy.parameters.json 
@@ -0,0 +1,76 @@ +{ + "eventHubRuleId": { + "type": "String", + "metadata": { + "displayName": "Event Hub Authorization Rule Id", + "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}", + "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules", + "assignPermissions": true + } + }, + "eventHubName": { + "type": "String", + "metadata": { + "displayName": "Event Hub Name", + "description": "Specify the name of the Event Hub" + } + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "AuditIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "profileName": { + "type": "String", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + }, + "defaultValue": "setbypolicy_EH" + }, + "metricsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "False" + }, + "logsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "True" + }, + "eventHubLocation": { + "type": "String", + "metadata": { + "displayName": "Event Hub Location", + "description": "Resource Location must be in the same location as the Event Hub Namespace.", + "strongType": "location" + }, + "allowedValues": [ + "swedencentral", + "westeurope" + ], + "defaultValue": "westeurope" + } 
+} diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Relay to Event Hub/azurepolicy.rules.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Relay to Event Hub/azurepolicy.rules.json new file mode 100644 index 00000000..58fd5c32 --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Relay to Event Hub/azurepolicy.rules.json 
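Review bot: `eventHubLocation` here allows only `swedencentral` and `westeurope`, so an assignment cannot opt out of the location filter that the sibling rules file appears to support with an empty-value branch; add `""` to `allowedValues` if that path is intended and document it in `description`, otherwise the branch in the rule is dead. Because `eventHubRuleId` carries `assignPermissions: true`, the policy's role definitions are granted on whatever rule an assigner passes; extend the `description` with a sentence such as `Pass a dedicated namespace-level rule with only the rights Azure Monitor needs rather than RootManageSharedAccessKey.` so the remediation identity is not bound to a manage-capable key.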
@@ -0,0 +1,140 @@ +{ + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Relay/namespaces" + }, + { + "anyOf": [ + { + "value": "[parameters('eventHubLocation')]", + "equals": "" + }, + { + "field": "location", + "equals": "[parameters('eventHubLocation')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "[parameters('logsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "[parameters('metricsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", + "matchInsensitively": "[parameters('eventHubRuleId')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubName", + "matchInsensitively": "[parameters('eventHubName')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "eventHubRuleId": { + "type": "string" + }, + "eventHubName": { + "type": "string" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Relay/namespaces/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]", + "eventHubName": "[parameters('eventHubName')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "eventHubRuleId": { + "value": "[parameters('eventHubRuleId')]" + }, + "eventHubName": { + "value": "[parameters('eventHubName')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } +} diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for SQL Pools under Synapse Analytics to Event Hub/azurepolicy.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for SQL Pools under Synapse Analytics to Event Hub/azurepolicy.json new file mode 100644 index 00000000..70721020 --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for SQL Pools under Synapse Analytics to Event Hub/azurepolicy.json 
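Review bot: The `existenceCondition` compares the array aliases `Microsoft.Insights/diagnosticSettings/logs.enabled` and `metrics.enabled` with `equals` against a single string, whereas the Synapse workspace rule added in this same commit uses a `count` over `logs[*]` with `categoryGroup` equal to `allLogs`; the two styles will not agree on what counts as compliant when an existing setting has mixed categories, so align this file on the `count` form. The `anyOf` branch testing `eventHubLocation` against `""` can never match given the parameter's `allowedValues`, so remove it or add `""` to the allowed values in the parameters file. Also consider checking `eventHubAuthorizationRuleId` with `equals` rather than `matchInsensitively` only if resource IDs are not case-normalised in your tenant — `matchInsensitively` is the safer of the two here, so this is a note rather than a change.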
@@ -0,0 +1,234 @@ +{ + "name": "fed261ce-b20a-4840-9527-18a64c4116d5", + "type": "Microsoft.Authorization/policyDefinitions", + "properties": { + "displayName": "Deploy Diagnostic Settings for SQL Pools under Synapse Analytics to Event Hub", + "description": "Deploys the diagnostic settings for SQL Pools under Synapse Analytics to stream to an Event Hub when any SQL Pools under Synapse Analytics which is missing this diagnostic settings is created or updated. The policy will set the diagnostic with all metrics and category enabled.", + "metadata": { + "version": "1.0.0", + "category": "Monitoring" + }, + "mode": "Indexed", + "parameters": { + "eventHubRuleId": { + "type": "String", + "metadata": { + "displayName": "Event Hub Authorization Rule Id", + "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}", + "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules", + "assignPermissions": true + } + }, + "eventHubName": { + "type": "String", + "metadata": { + "displayName": "Event Hub Name", + "description": "Specify the name of the Event Hub" + } + }, + "eventHubLocation": { + "type": "String", + "metadata": { + "displayName": "Event Hub Location", + "description": "Resource Location must be in the same location as the Event Hub Namespace.", + "strongType": "location" + }, + "allowedValues": [ + "swedencentral", + "westeurope" + ], + "defaultValue": "westeurope" + }, + "profileName": { + "type": "String", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + }, + "defaultValue": "setbypolicy_EH" + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + 
"allowedValues": [ + "DeployIfNotExists", + "AuditIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "metricsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "False" + }, + "logsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "True" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "microsoft.synapse/workspaces/sqlpools" + }, + { + "anyOf": [ + { + "value": "[parameters('eventHubLocation')]", + "equals": "" + }, + { + "field": "location", + "equals": "[parameters('eventHubLocation')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "[parameters('logsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "[parameters('metricsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", + "matchInsensitively": "[parameters('eventHubRuleId')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubName", + "matchInsensitively": "[parameters('eventHubName')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": 
"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "eventHubRuleId": { + "type": "string" + }, + "eventHubName": { + "type": "string" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Synapse/workspaces/sqlPools/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "eventHubName": "[parameters('eventHubName')]", + "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type SQL Pools under Synapse Analytics (Microsoft.Synapse/workspaces/sqlPools), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]" + } + } + }, + "parameters": { + "eventHubRuleId": { + "value": "[parameters('eventHubRuleId')]" + }, + "eventHubName": { + "value": "[parameters('eventHubName')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": 
"[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for SQL Pools under Synapse Analytics to Event Hub/azurepolicy.parameters.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for SQL Pools under Synapse Analytics to Event Hub/azurepolicy.parameters.json new file mode 100644 index 00000000..f1b8dd18 --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for SQL Pools under Synapse Analytics to Event Hub/azurepolicy.parameters.json 
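Review bot: The deployment passes `"resourceName": { "value": "[field('name')]" }` for the child type `microsoft.synapse/workspaces/sqlpools`, but the template resource `Microsoft.Synapse/workspaces/sqlPools/providers/diagnosticSettings` needs the workspace segment in its name; if `field('name')` resolves only to the pool name, as the policy alias documentation describes for nested resources, the `concat(...)` yields too few segments and the remediation deployment fails, so use `"value": "[field('fullName')]"`. The `metricsEnabled` and `logsEnabled` descriptions say `stream to the Log Analytics workspace` although the sink is an Event Hub — change both to `stream to the Event Hub`. The `description` claim of `all metrics and category enabled` also conflicts with `metricsEnabled` defaulting to `"False"`.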
@@ -0,0 +1,76 @@ +{ + "eventHubRuleId": { + "type": "String", + "metadata": { + "displayName": "Event Hub Authorization Rule Id", + "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}", + "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules", + "assignPermissions": true + } + }, + "eventHubName": { + "type": "String", + "metadata": { + "displayName": "Event Hub Name", + "description": "Specify the name of the Event Hub" + } + }, + "eventHubLocation": { + "type": "String", + "metadata": { + "displayName": "Event Hub Location", + "description": "Resource Location must be in the same location as the Event Hub Namespace.", + "strongType": "location" + }, + "allowedValues": [ + "swedencentral", + "westeurope" + ], + "defaultValue": "westeurope" + }, + "profileName": { + "type": "String", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + }, + "defaultValue": "setbypolicy_EH" + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "AuditIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "metricsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "False" + }, + "logsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + 
"defaultValue": "True" + } +} diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for SQL Pools under Synapse Analytics to Event Hub/azurepolicy.rules.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for SQL Pools under Synapse Analytics to Event Hub/azurepolicy.rules.json new file mode 100644 index 00000000..a8f025c5 --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for SQL Pools under Synapse Analytics to Event Hub/azurepolicy.rules.json 
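Review bot: The `description` strings for `metricsEnabled` and `logsEnabled` read `Whether to enable metrics stream to the Log Analytics workspace - True or False`, which is copied from a Log Analytics variant; this policy streams to an Event Hub, so change both to `... stream to the Event Hub - True or False` as the Relay parameters file already does. `eventHubLocation` offers no empty option, so the empty-value branch in the matching rules file is unreachable unless `""` is added to `allowedValues`.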
@@ -0,0 +1,145 @@ +{ + "if": { + "allOf": [ + { + "field": "type", + "equals": "microsoft.synapse/workspaces/sqlpools" + }, + { + "anyOf": [ + { + "value": "[parameters('eventHubLocation')]", + "equals": "" + }, + { + "field": "location", + "equals": "[parameters('eventHubLocation')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "[parameters('logsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "[parameters('metricsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", + "matchInsensitively": "[parameters('eventHubRuleId')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubName", + "matchInsensitively": "[parameters('eventHubName')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "eventHubRuleId": { + "type": "string" + }, + "eventHubName": { + "type": "string" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Synapse/workspaces/sqlPools/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 
'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "eventHubName": "[parameters('eventHubName')]", + "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type SQL Pools under Synapse Analytics (Microsoft.Synapse/workspaces/sqlPools), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]" + } + } + }, + "parameters": { + "eventHubRuleId": { + "value": "[parameters('eventHubRuleId')]" + }, + "eventHubName": { + "value": "[parameters('eventHubName')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } +} diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Synapse Analytics to Event Hub/azurepolicy.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Synapse Analytics to Event Hub/azurepolicy.json new file mode 100644 index 00000000..54061923 --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Synapse Analytics to Event Hub/azurepolicy.json 
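Review bot: `"resourceName": { "value": "[field('name')]" }` is used for `microsoft.synapse/workspaces/sqlpools`, a nested type, while the template's `name` is `concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))` on `Microsoft.Synapse/workspaces/sqlPools/providers/diagnosticSettings`; that resource name needs the parent workspace as well, so this should be `"value": "[field('fullName')]"` (confirm against a test remediation, since a bare pool name would leave the name one segment short). As with the Relay rule, the `existenceCondition` uses the non-indexed `logs.enabled`/`metrics.enabled` aliases while the Synapse workspace rule in this commit uses a `count` over `logs[*]`; pick one pattern across the set. The `anyOf` branch comparing `eventHubLocation` to `""` is dead given the parameter's `allowedValues`.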
@@ -0,0 +1,216 @@ +{ + "name": "223d9c76-4a28-4188-a697-65f4b3f978c5", + "type": "Microsoft.Authorization/policyDefinitions", + "properties": { + "displayName": "Deploy Diagnostic Settings for Synapse Analytics to Event Hub", + "description": "Deploys the diagnostic settings for Synapse Analytics to stream to an Event Hub when any Synapse Analytics which is missing this diagnostic settings is created or updated. The policy will set the diagnostic with all metrics and category enabled.", + "metadata": { + "version": "1.0.0", + "category": "Monitoring" + }, + "mode": "Indexed", + "parameters": { + "eventHubRuleId": { + "type": "String", + "metadata": { + "displayName": "Event Hub Authorization Rule Id", + "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}", + "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules", + "assignPermissions": true + } + }, + "eventHubName": { + "type": "String", + "metadata": { + "displayName": "Event Hub Name", + "description": "Specify the name of the Event Hub" + } + }, + "eventHubLocation": { + "type": "String", + "metadata": { + "displayName": "Event Hub Location", + "description": "Resource Location must be in the same location as the Event Hub Namespace.", + "strongType": "location" + }, + "allowedValues": [ + "swedencentral", + "westeurope" + ], + "defaultValue": "westeurope" + }, + "profileName": { + "type": "String", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + }, + "defaultValue": "setbypolicy_EH" + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + 
"AuditIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "logsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "True" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "microsoft.synapse/workspaces" + }, + { + "anyOf": [ + { + "value": "[parameters('eventHubLocation')]", + "equals": "" + }, + { + "field": "location", + "equals": "[parameters('eventHubLocation')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[parameters('logsEnabled')]" + }, + { + "field": "microsoft.insights/diagnosticSettings/logs[*].categoryGroup", + "equals": "allLogs" + } + ] + } + }, + "equals": 1 + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", + "matchInsensitively": "[parameters('eventHubRuleId')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubName", + "matchInsensitively": "[parameters('eventHubName')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "eventHubRuleId": { + "type": 
"string" + }, + "eventHubName": { + "type": "string" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Synapse/workspaces/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "eventHubName": "[parameters('eventHubName')]", + "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]", + "metrics": [], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type Synapse Analytics (Microsoft.Synapse/workspaces), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]" + } + } + }, + "parameters": { + "eventHubRuleId": { + "value": "[parameters('eventHubRuleId')]" + }, + "eventHubName": { + "value": "[parameters('eventHubName')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Synapse Analytics to Event Hub/azurepolicy.parameters.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Synapse Analytics to Event Hub/azurepolicy.parameters.json new file mode 100644 index 00000000..3d323fe3 --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Synapse Analytics to Event Hub/azurepolicy.parameters.json 
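Review bot: The `description` states the policy sets `all metrics and category enabled`, but the template deploys `"metrics": []`, there is no `metricsEnabled` parameter, and the `existenceCondition` never inspects metrics; either document that this policy is logs-only or add the `metricsEnabled` parameter and `AllMetrics` entry the Relay and SQL Pools policies in this commit carry, so the three definitions behave the same. The `logsEnabled` description says `stream to the Log Analytics workspace` although the sink is an Event Hub. The `count ... equals 1` check is stricter than the sibling rules and will report an existing setting as non-compliant if it lists `allLogs` more than once or not at all — that is probably intended, but worth stating in `metadata`.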
@@ -0,0 +1,64 @@
+{
+ "eventHubRuleId": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Authorization Rule Id",
+ "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}",
+ "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules",
+ "assignPermissions": true
+ }
+ },
+ "eventHubName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Name",
+ "description": "Specify the name of the Event Hub"
+ }
+ },
+ "eventHubLocation": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Location",
+ "description": "Resource Location must be in the same location as the Event Hub Namespace.",
+ "strongType": "location"
+ },
+ "allowedValues": [
+ "swedencentral",
+ "westeurope"
+ ],
+ "defaultValue": "westeurope"
+ },
+ "profileName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ },
+ "defaultValue": "setbypolicy_EH"
+ },
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "DeployIfNotExists",
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists"
+ },
+ "logsEnabled": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Enable logs",
+ "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ },
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "defaultValue": "True"
+ }
+}
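Review bot: The `logsEnabled` description in this Event Hub policy says the stream goes to the Log Analytics workspace; it should read `"description": "Whether to enable logs stream to the Event Hub - True or False"`, which is the wording the Time Series Insights parameters file in this same commit already uses. Separately, `eventHubLocation` has `allowedValues` of `swedencentral` and `westeurope` only, with no empty entry, so the companion rule's `"equals": ""` any-location branch can never be selected and a Synapse workspace in any other region is silently out of scope: it is neither remediated nor reported as non-compliant. If the two-region scope is intentional, say so in the description; otherwise add `""` to `allowedValues` so the branch becomes selectable.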
diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Synapse Analytics to Event Hub/azurepolicy.rules.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Synapse Analytics to Event Hub/azurepolicy.rules.json new file mode 100644 index 00000000..fee6fa71 --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Synapse Analytics to Event Hub/azurepolicy.rules.json 
@@ -0,0 +1,139 @@ +{ + "if": { + "allOf": [ + { + "field": "type", + "equals": "microsoft.synapse/workspaces" + }, + { + "anyOf": [ + { + "value": "[parameters('eventHubLocation')]", + "equals": "" + }, + { + "field": "location", + "equals": "[parameters('eventHubLocation')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[parameters('logsEnabled')]" + }, + { + "field": "microsoft.insights/diagnosticSettings/logs[*].categoryGroup", + "equals": "allLogs" + } + ] + } + }, + "equals": 1 + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", + "matchInsensitively": "[parameters('eventHubRuleId')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubName", + "matchInsensitively": "[parameters('eventHubName')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "eventHubRuleId": { + "type": "string" + }, + "eventHubName": { + "type": "string" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Synapse/workspaces/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": 
"[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "eventHubName": "[parameters('eventHubName')]", + "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]", + "metrics": [], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type Synapse Analytics (Microsoft.Synapse/workspaces), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]" + } + } + }, + "parameters": { + "eventHubRuleId": { + "value": "[parameters('eventHubRuleId')]" + }, + "eventHubName": { + "value": "[parameters('eventHubName')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } +} diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Synapse Spark Pool to Event Hub/azurepolicy.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Synapse Spark Pool to Event Hub/azurepolicy.json new file mode 100644 index 00000000..95a6b24a --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Synapse Spark Pool to Event Hub/azurepolicy.json 
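Review bot: The first `anyOf` branch in the `if` block, `"value": "[parameters('eventHubLocation')]", "equals": ""`, is unreachable because the parameter's `allowedValues` in the companion parameters file are `swedencentral` and `westeurope` with no empty value, so workspaces in any other region never match the `if` and produce no compliance record at all — a silent gap in log forwarding rather than a visible non-compliance. Either add `""` to `allowedValues` so the branch is selectable, or drop the branch and state the two-region scope in the policy description. Note also that when `logsEnabled` is assigned as `False`, the `count` clause in `existenceCondition` is satisfied by a setting whose `allLogs` entry is disabled, so the policy reports compliant while nothing leaves the workspace; if that is acceptable it deserves a sentence in the description, otherwise compare `logs[*].enabled` against `true` regardless of the parameter.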
@@ -0,0 +1,247 @@ +{ + "name": "7cff9125-ead0-47fc-a128-98d8fa060895", + "type": "Microsoft.Authorization/policyDefinitions", + "properties": { + "displayName": "Deploy Diagnostic Settings for Synapse Spark Pool to Event Hub", + "description": "Deploys the diagnostic settings for Synapse Spark Pools to stream to an Event Hub when any Synapse Spark Pools which is missing this diagnostic settings is created or updated. The policy will set the diagnostic with all metrics and category enabled.", + "metadata": { + "version": "1.0.0", + "category": "Synapse" + }, + "mode": "Indexed", + "parameters": { + "eventHubRuleId": { + "type": "String", + "metadata": { + "displayName": "Event Hub Authorization Rule Id", + "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}", + "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules", + "assignPermissions": true + } + }, + "eventHubName": { + "type": "String", + "metadata": { + "displayName": "Event Hub Name", + "description": "Specify the name of the Event Hub" + } + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "AuditIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "profileName": { + "type": "String", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + }, + "defaultValue": "setbypolicy_EH" + }, + "metricsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": 
"False" + }, + "eventHubLocation": { + "type": "String", + "metadata": { + "displayName": "Event Hub Location", + "description": "The location the Event Hub resides in. Only Logic Apps in this location will be linked to this Event Hub.", + "strongType": "location" + }, + "allowedValues": [ + "swedencentral", + "westeurope" + ], + "defaultValue": "westeurope" + }, + "logsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Log Analytics workspace - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "True" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Synapse/workspaces/bigDataPools" + }, + { + "anyOf": [ + { + "value": "[parameters('eventHubLocation')]", + "equals": "" + }, + { + "field": "location", + "equals": "[parameters('eventHubLocation')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[parameters('logsEnabled')]" + }, + { + "field": "microsoft.insights/diagnosticSettings/logs[*].categoryGroup", + "equals": "allLogs" + } + ] + } + }, + "equals": 1 + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "[parameters('metricsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", + "matchInsensitively": "[parameters('eventHubRuleId')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubName", + "matchInsensitively": "[parameters('eventHubName')]" + } + ] + }, + "roleDefinitionIds": [ + 
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "eventHubRuleId": { + "type": "string" + }, + "eventHubName": { + "type": "string" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Synapse/workspaces/bigDataPools/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]", + "eventHubName": "[parameters('eventHubName')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "enabled": false, + "days": 0 + } + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type Synapse Spark Pool (Microsoft.Synapse/workspaces/bigDataPools), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]" + } + } + }, + "parameters": { + "eventHubRuleId": { + "value": "[parameters('eventHubRuleId')]" + }, + "eventHubName": { + "value": "[parameters('eventHubName')]" + }, + "location": { + "value": 
"[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Synapse Spark Pool to Event Hub/azurepolicy.parameters.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Synapse Spark Pool to Event Hub/azurepolicy.parameters.json new file mode 100644 index 00000000..9068cb16 --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Synapse Spark Pool to Event Hub/azurepolicy.parameters.json 
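Review bot: The deployment passes `"resourceName": { "value": "[field('name')]" }` for a nested `Microsoft.Synapse/workspaces/bigDataPools` resource, while the template names the setting `[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]` under the four-segment type `Microsoft.Synapse/workspaces/bigDataPools/providers/diagnosticSettings`, which needs a `workspace/pool/Microsoft.Insights/profile` name. As far as I recall `field('name')` yields only the last segment of a child resource's name, in which case every remediation deployment fails on the name/type segment mismatch and the pools stay without log forwarding; `"value": "[field('fullName')]"` is the usual fix for child resources — please verify against a test assignment before merging. The `eventHubLocation` description (`Only Logic Apps in this location will be linked to this Event Hub.`) and the `logsEnabled` description (`Log Analytics workspace`) are carried over from other policies and should name Synapse Spark Pools and the Event Hub.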
@@ -0,0 +1,76 @@
+{
+ "eventHubRuleId": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Authorization Rule Id",
+ "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}",
+ "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules",
+ "assignPermissions": true
+ }
+ },
+ "eventHubName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Name",
+ "description": "Specify the name of the Event Hub"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "DeployIfNotExists",
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists"
+ },
+ "profileName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ },
+ "defaultValue": "setbypolicy_EH"
+ },
+ "metricsEnabled": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Enable metrics",
+ "description": "Whether to enable metrics stream to the Event Hub - True or False"
+ },
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "defaultValue": "False"
+ },
+ "eventHubLocation": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Location",
+ "description": "The location the Event Hub resides in. Only Logic Apps in this location will be linked to this Event Hub.",
+ "strongType": "location"
+ },
+ "allowedValues": [
+ "swedencentral",
+ "westeurope"
+ ],
+ "defaultValue": "westeurope"
+ },
+ "logsEnabled": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Enable logs",
+ "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ },
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "defaultValue": "True"
+ }
+}
diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Synapse Spark Pool to Event Hub/azurepolicy.rules.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Synapse Spark Pool to Event Hub/azurepolicy.rules.json
new file mode 100644
index 00000000..b95e97d0
--- /dev/null
+++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Synapse Spark Pool to Event Hub/azurepolicy.rules.json
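Review bot: Two descriptions in this parameters file were carried over from other policies and will mislead whoever assigns it: `eventHubLocation` says `Only Logic Apps in this location will be linked to this Event Hub.` and `logsEnabled` says `Whether to enable logs stream to the Log Analytics workspace - True or False`. Suggest `"description": "Resource Location must be in the same location as the Event Hub Namespace."` (the wording used by the Synapse Analytics and Time Series Insights parameters files in this commit) and `"description": "Whether to enable logs stream to the Event Hub - True or False"`. As in the sibling files, `allowedValues` for `eventHubLocation` has no empty entry, so the rule's any-location branch is never selectable and Spark pools outside the two listed regions are silently out of scope.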
@@ -0,0 +1,158 @@ +{ + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Synapse/workspaces/bigDataPools" + }, + { + "anyOf": [ + { + "value": "[parameters('eventHubLocation')]", + "equals": "" + }, + { + "field": "location", + "equals": "[parameters('eventHubLocation')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[parameters('logsEnabled')]" + }, + { + "field": "microsoft.insights/diagnosticSettings/logs[*].categoryGroup", + "equals": "allLogs" + } + ] + } + }, + "equals": 1 + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "[parameters('metricsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", + "matchInsensitively": "[parameters('eventHubRuleId')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubName", + "matchInsensitively": "[parameters('eventHubName')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "eventHubRuleId": { + "type": "string" + }, + "eventHubName": { + "type": "string" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": 
"String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Synapse/workspaces/bigDataPools/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]", + "eventHubName": "[parameters('eventHubName')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "enabled": false, + "days": 0 + } + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type Synapse Spark Pool (Microsoft.Synapse/workspaces/bigDataPools), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]" + } + } + }, + "parameters": { + "eventHubRuleId": { + "value": "[parameters('eventHubRuleId')]" + }, + "eventHubName": { + "value": "[parameters('eventHubName')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } +} diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Time Series Insights to Event Hub/azurepolicy.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Time Series Insights to Event Hub/azurepolicy.json new file mode 100644 index 00000000..d782dfdc --- /dev/null 
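Review bot: Same name-segment problem as in the companion azurepolicy.json: `"resourceName": { "value": "[field('name')]" }` feeds `concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))` for the type `Microsoft.Synapse/workspaces/bigDataPools/providers/diagnosticSettings`, which expects a `workspace/pool/Microsoft.Insights/profile` name. If `field('name')` returns only the pool segment for a child resource (as I believe it does), the remediation deployment fails and the pools keep running with no log forwarding while the assignment shows a deployment error rather than a clear non-compliance; `"value": "[field('fullName')]"` should build the correct name — please confirm with a test assignment. Because this rules file duplicates the `policyRule` embedded in azurepolicy.json, whichever fix lands has to be applied in both, and a CI check that the two stay identical would prevent drift.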
+++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Time Series Insights to Event Hub/azurepolicy.json 
@@ -0,0 +1,234 @@ +{ + "name": "a6bd56ef-13dc-4912-b4c9-98b7483eeb34", + "type": "Microsoft.Authorization/policyDefinitions", + "properties": { + "displayName": "Deploy Diagnostic Settings for Time Series Insights to Event Hub", + "description": "Deploys the diagnostic settings for Time Series Insights to stream to a Event Hub when any Time Series Insights which is missing this diagnostic settings is created or updated. The policy will set the diagnostic with all metrics and category enabled.", + "metadata": { + "version": "1.0.0", + "category": "Monitoring" + }, + "mode": "Indexed", + "parameters": { + "eventHubRuleId": { + "type": "String", + "metadata": { + "displayName": "Event Hub Authorization Rule Id", + "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}", + "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules", + "assignPermissions": true + } + }, + "eventHubName": { + "type": "String", + "metadata": { + "displayName": "Event Hub Name", + "description": "Specify the name of the Event Hub" + } + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "AuditIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "profileName": { + "type": "String", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + }, + "defaultValue": "setbypolicy_EH" + }, + "metricsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + 
"defaultValue": "False" + }, + "logsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "True" + }, + "eventHubLocation": { + "type": "String", + "metadata": { + "displayName": "Event Hub Location", + "description": "Resource Location must be in the same location as the Event Hub Namespace.", + "strongType": "location" + }, + "allowedValues": [ + "swedencentral", + "westeurope" + ], + "defaultValue": "westeurope" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.TimeSeriesInsights/environments" + }, + { + "anyOf": [ + { + "value": "[parameters('eventHubLocation')]", + "equals": "" + }, + { + "field": "location", + "equals": "[parameters('eventHubLocation')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "[parameters('logsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "[parameters('metricsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", + "matchInsensitively": "[parameters('eventHubRuleId')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubName", + "matchInsensitively": "[parameters('eventHubName')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": 
"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "eventHubRuleId": { + "type": "string" + }, + "eventHubName": { + "type": "string" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.TimeSeriesInsights/environments/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]", + "eventHubName": "[parameters('eventHubName')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type Time Series Insights (Microsoft.TimeSeriesInsights/environments), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]" + } + } + }, + "parameters": { + "eventHubRuleId": { + "value": "[parameters('eventHubRuleId')]" + }, + "eventHubName": { + "value": "[parameters('eventHubName')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": 
"[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Time Series Insights to Event Hub/azurepolicy.parameters.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Time Series Insights to Event Hub/azurepolicy.parameters.json new file mode 100644 index 00000000..3eccfba9 --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Time Series Insights to Event Hub/azurepolicy.parameters.json 
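Review bot: The `existenceCondition` checks only `"field": "Microsoft.Insights/diagnosticSettings/logs.enabled"` and never the `categoryGroup`, so a diagnostic setting named `setbypolicy_EH` whose `allLogs` entry has been replaced by a single enabled category still satisfies the policy — the template deploys `allLogs`, but nothing afterwards verifies it, and the log coverage a SOC relies on can be narrowed without any non-compliance record. The Synapse rules in the same commit already use the stronger `count` form over `logs[*]`; please use it here as well, replacing just the `logs.enabled` clause and leaving the `metrics.enabled`, `eventHubAuthorizationRuleId` and `eventHubName` clauses as they are. How the `[*]`-less `logs.enabled` alias is evaluated when the array mixes enabled and disabled entries is not something I would rely on either, which is a second reason to prefer `count`.
```json
{
  "count": {
    "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
    "where": {
      "allOf": [
        {
          "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
          "equals": "[parameters('logsEnabled')]"
        },
        {
          "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup",
          "equals": "allLogs"
        }
      ]
    }
  },
  "equals": 1
}
```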
@@ -0,0 +1,76 @@
+{
+ "eventHubRuleId": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Authorization Rule Id",
+ "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}",
+ "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules",
+ "assignPermissions": true
+ }
+ },
+ "eventHubName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Name",
+ "description": "Specify the name of the Event Hub"
+ }
+ },
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Enable or disable the execution of the policy"
+ },
+ "allowedValues": [
+ "DeployIfNotExists",
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists"
+ },
+ "profileName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Profile name",
+ "description": "The diagnostic settings profile name"
+ },
+ "defaultValue": "setbypolicy_EH"
+ },
+ "metricsEnabled": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Enable metrics",
+ "description": "Whether to enable metrics stream to the Event Hub - True or False"
+ },
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "defaultValue": "False"
+ },
+ "logsEnabled": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Enable logs",
+ "description": "Whether to enable logs stream to the Event Hub - True or False"
+ },
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "defaultValue": "True"
+ },
+ "eventHubLocation": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Location",
+ "description": "Resource Location must be in the same location as the Event Hub Namespace.",
+ "strongType": "location"
+ },
+ "allowedValues": [
+ "swedencentral",
+ "westeurope"
+ ],
+ "defaultValue": "westeurope"
+ }
+}
diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Time Series Insights to Event Hub/azurepolicy.rules.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Time Series Insights to Event Hub/azurepolicy.rules.json
new file mode 100644
index 00000000..4f2f7188
--- /dev/null
+++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Time Series Insights to Event Hub/azurepolicy.rules.json
@@ -0,0 +1,145 @@ +{ + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.TimeSeriesInsights/environments" + }, + { + "anyOf": [ + { + "value": "[parameters('eventHubLocation')]", + "equals": "" + }, + { + "field": "location", + "equals": "[parameters('eventHubLocation')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "[parameters('logsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "[parameters('metricsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", + "matchInsensitively": "[parameters('eventHubRuleId')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubName", + "matchInsensitively": "[parameters('eventHubName')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "eventHubRuleId": { + "type": "string" + }, + "eventHubName": { + "type": "string" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.TimeSeriesInsights/environments/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 
'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]", + "eventHubName": "[parameters('eventHubName')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type Time Series Insights (Microsoft.TimeSeriesInsights/environments), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]" + } + } + }, + "parameters": { + "eventHubRuleId": { + "value": "[parameters('eventHubRuleId')]" + }, + "eventHubName": { + "value": "[parameters('eventHubName')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } +} diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Traffic Manager to Event Hub/azurepolicy.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Traffic Manager to Event Hub/azurepolicy.json new file mode 100644 index 00000000..979d888c --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Traffic Manager to Event Hub/azurepolicy.json 
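Review bot: This rules file has the same weak `existenceCondition` as the companion azurepolicy.json: `"field": "Microsoft.Insights/diagnosticSettings/logs.enabled"` is compared without any check on `categoryGroup`, so an operator who trims the `setbypolicy_EH` setting down to one enabled category keeps the environment compliant while most audit categories stop flowing to the Event Hub. Replace that single clause with the `count` over `logs[*]` that the Synapse rules in this commit use (the other three clauses stay unchanged), and apply the identical change in azurepolicy.json so the two copies of the rule do not drift. The `retentionPolicy` block inside the `metrics` entry is a storage-account concept and is inert for an Event Hub sink; dropping it would make the template smaller without changing what is forwarded, though that is cosmetic.
```json
{
  "count": {
    "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
    "where": {
      "allOf": [
        {
          "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
          "equals": "[parameters('logsEnabled')]"
        },
        {
          "field": "Microsoft.Insights/diagnosticSettings/logs[*].categoryGroup",
          "equals": "allLogs"
        }
      ]
    }
  },
  "equals": 1
}
```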
@@ -0,0 +1,234 @@ +{ + "name": "89570c90-10f9-424c-96fa-47502f470eba", + "type": "Microsoft.Authorization/policyDefinitions", + "properties": { + "displayName": "Deploy Diagnostic Settings for Traffic Manager to Event Hub", + "description": "Deploys the diagnostic settings for Traffic Manager to stream to a Event Hub when any Traffic Manager which is missing this diagnostic settings is created or updated. The policy will set the diagnostic with all metrics and category enabled.", + "metadata": { + "version": "1.0.0", + "category": "Monitoring" + }, + "mode": "Indexed", + "parameters": { + "eventHubRuleId": { + "type": "String", + "metadata": { + "displayName": "Event Hub Authorization Rule Id", + "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}", + "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules", + "assignPermissions": true + } + }, + "eventHubName": { + "type": "String", + "metadata": { + "displayName": "Event Hub Name", + "description": "Specify the name of the Event Hub" + } + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "AuditIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "profileName": { + "type": "String", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + }, + "defaultValue": "setbypolicy_EH" + }, + "metricsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "False" + 
}, + "logsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "True" + }, + "eventHubLocation": { + "type": "String", + "metadata": { + "displayName": "Event Hub Location", + "description": "Resource Location must be in the same location as the Event Hub Namespace.", + "strongType": "location" + }, + "allowedValues": [ + "swedencentral", + "westeurope" + ], + "defaultValue": "westeurope" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/trafficManagerProfiles" + }, + { + "anyOf": [ + { + "value": "[parameters('eventHubLocation')]", + "equals": "" + }, + { + "field": "location", + "equals": "[parameters('eventHubLocation')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "[parameters('logsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "[parameters('metricsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", + "matchInsensitively": "[parameters('eventHubRuleId')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubName", + "matchInsensitively": "[parameters('eventHubName')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + 
"contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "eventHubRuleId": { + "type": "string" + }, + "eventHubName": { + "type": "string" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/trafficManagerProfiles/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]", + "eventHubName": "[parameters('eventHubName')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type Traffic Manager (Microsoft.Network/trafficManagerProfiles), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]" + } + } + }, + "parameters": { + "eventHubRuleId": { + "value": "[parameters('eventHubRuleId')]" + }, + "eventHubName": { + "value": "[parameters('eventHubName')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} 
diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Traffic Manager to Event Hub/azurepolicy.parameters.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Traffic Manager to Event Hub/azurepolicy.parameters.json new file mode 100644 index 00000000..3eccfba9 --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Traffic Manager to Event Hub/azurepolicy.parameters.json 
@@ -0,0 +1,76 @@ +{ + "eventHubRuleId": { + "type": "String", + "metadata": { + "displayName": "Event Hub Authorization Rule Id", + "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}", + "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules", + "assignPermissions": true + } + }, + "eventHubName": { + "type": "String", + "metadata": { + "displayName": "Event Hub Name", + "description": "Specify the name of the Event Hub" + } + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "AuditIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "profileName": { + "type": "String", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + }, + "defaultValue": "setbypolicy_EH" + }, + "metricsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "False" + }, + "logsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "True" + }, + "eventHubLocation": { + "type": "String", + "metadata": { + "displayName": "Event Hub Location", + "description": "Resource Location must be in the same location as the Event Hub Namespace.", + "strongType": "location" + }, + "allowedValues": [ + "swedencentral", + "westeurope" + ], + "defaultValue": "westeurope" + } 
+} diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Traffic Manager to Event Hub/azurepolicy.rules.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Traffic Manager to Event Hub/azurepolicy.rules.json new file mode 100644 index 00000000..dbdbecc7 --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Traffic Manager to Event Hub/azurepolicy.rules.json 
@@ -0,0 +1,145 @@ +{ + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/trafficManagerProfiles" + }, + { + "anyOf": [ + { + "value": "[parameters('eventHubLocation')]", + "equals": "" + }, + { + "field": "location", + "equals": "[parameters('eventHubLocation')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "[parameters('logsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "[parameters('metricsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", + "matchInsensitively": "[parameters('eventHubRuleId')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubName", + "matchInsensitively": "[parameters('eventHubName')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "String" + }, + "eventHubRuleId": { + "type": "string" + }, + "eventHubName": { + "type": "string" + }, + "location": { + "type": "String" + }, + "profileName": { + "type": "String" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/trafficManagerProfiles/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 
'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]", + "eventHubName": "[parameters('eventHubName')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type Traffic Manager (Microsoft.Network/trafficManagerProfiles), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]" + } + } + }, + "parameters": { + "eventHubRuleId": { + "value": "[parameters('eventHubRuleId')]" + }, + "eventHubName": { + "value": "[parameters('eventHubName')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } +} diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Virtual Network to Event Hub/azurepolicy.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Virtual Network to Event Hub/azurepolicy.json new file mode 100644 index 00000000..86a5ea6f --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Virtual Network to Event Hub/azurepolicy.json 
@@ -0,0 +1,234 @@ +{ + "name": "0c21e4d9-13e1-4a7d-a4bf-6a11b2abc20b", + "type": "Microsoft.Authorization/policyDefinitions", + "properties": { + "displayName": "Deploy Diagnostic Settings for Virtual Network to Event Hub", + "description": "Deploys the diagnostic settings for Virtual Network to stream to a Event Hub when any Virtual Network which is missing this diagnostic settings is created or updated. The policy will set the diagnostic with all metrics and category enabled.", + "metadata": { + "version": "1.0.0", + "category": "Monitoring" + }, + "mode": "All", + "parameters": { + "eventHubLocation": { + "type": "String", + "metadata": { + "displayName": "Event Hub Location", + "description": "Resource Location must be in the same location as the Event Hub Namespace.", + "strongType": "location" + }, + "allowedValues": [ + "swedencentral", + "westeurope" + ], + "defaultValue": "westeurope" + }, + "eventHubName": { + "type": "String", + "metadata": { + "displayName": "Event Hub Name", + "description": "Specify the name of the Event Hub" + } + }, + "eventHubRuleId": { + "type": "String", + "metadata": { + "displayName": "Event Hub Authorization Rule Id", + "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. 
/subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}", + "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules", + "assignPermissions": true + } + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "AuditIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "profileName": { + "type": "String", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + }, + "defaultValue": "setbypolicy_EH" + }, + "metricsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "False" + }, + "logsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "True" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + }, + { + "anyOf": [ + { + "value": "[parameters('eventHubLocation')]", + "equals": "" + }, + { + "field": "location", + "equals": "[parameters('eventHubLocation')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "existenceCondition": { + "allOf": [ + { + "field": 
"Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "[parameters('logsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "[parameters('metricsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", + "matchInsensitively": "[parameters('eventHubRuleId')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubName", + "matchInsensitively": "[parameters('eventHubName')]" + } + ] + }, + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "string" + }, + "eventHubName": { + "type": "string" + }, + "eventHubRuleId": { + "type": "string" + }, + "location": { + "type": "string" + }, + "profileName": { + "type": "string" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/virtualNetworks/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "eventHubName": "[parameters('eventHubName')]", + "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type Virtual Networks (Microsoft.Network/virtualNetworks), resourceName ', 
parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]" + } + } + }, + "parameters": { + "eventHubName": { + "value": "[parameters('eventHubName')]" + }, + "eventHubRuleId": { + "value": "[parameters('eventHubRuleId')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } + } + } +} diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Virtual Network to Event Hub/azurepolicy.parameters.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Virtual Network to Event Hub/azurepolicy.parameters.json new file mode 100644 index 00000000..0a04e52d --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Virtual Network to Event Hub/azurepolicy.parameters.json 
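Review bot: Virtual networks outside `swedencentral`/`westeurope` are silently excluded from this policy: the `anyOf` gate in `if` only passes when `location` equals `eventHubLocation`, and the `equals ""` branch that would disable the gate is unreachable because `allowedValues` does not contain the empty string. That may be intended for a regional Event Hub, but a reader of the assignment's compliance report will see no non-compliant VNets in other regions and may assume coverage, so the parameter description should say so, e.g. `"description": "Resource Location must be in the same location as the Event Hub Namespace. Virtual networks in any other region are not evaluated by this policy."`. The parameters and rules file hunks that follow repeat the same gate. This definition also uses `"mode": "All"` and the `2019-04-01` template schema where the sibling definitions in this commit use `Indexed` and `2015-01-01`; the `type` filter makes the behaviour equivalent, but the inconsistency looks unintended.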
@@ -0,0 +1,76 @@ +{ + "eventHubLocation": { + "type": "String", + "metadata": { + "displayName": "Event Hub Location", + "description": "Resource Location must be in the same location as the Event Hub Namespace.", + "strongType": "location" + }, + "allowedValues": [ + "swedencentral", + "westeurope" + ], + "defaultValue": "westeurope" + }, + "eventHubName": { + "type": "String", + "metadata": { + "displayName": "Event Hub Name", + "description": "Specify the name of the Event Hub" + } + }, + "eventHubRuleId": { + "type": "String", + "metadata": { + "displayName": "Event Hub Authorization Rule Id", + "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}", + "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules", + "assignPermissions": true + } + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "AuditIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "profileName": { + "type": "String", + "metadata": { + "displayName": "Profile name", + "description": "The diagnostic settings profile name" + }, + "defaultValue": "setbypolicy_EH" + }, + "metricsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable metrics", + "description": "Whether to enable metrics stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "False" + }, + "logsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable logs", + "description": "Whether to enable logs stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "True" + } 
+} diff --git a/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Virtual Network to Event Hub/azurepolicy.rules.json b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Virtual Network to Event Hub/azurepolicy.rules.json new file mode 100644 index 00000000..915faffe --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/Deploy Diagnostic Settings for Virtual Network to Event Hub/azurepolicy.rules.json 
@@ -0,0 +1,145 @@ +{ + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + }, + { + "anyOf": [ + { + "value": "[parameters('eventHubLocation')]", + "equals": "" + }, + { + "field": "location", + "equals": "[parameters('eventHubLocation')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "[parameters('profileName')]", + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec", + "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "[parameters('logsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "[parameters('metricsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", + "matchInsensitively": "[parameters('eventHubRuleId')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubName", + "matchInsensitively": "[parameters('eventHubName')]" + } + ] + }, + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "string" + }, + "eventHubName": { + "type": "string" + }, + "eventHubRuleId": { + "type": "string" + }, + "location": { + "type": "string" + }, + "profileName": { + "type": "string" + }, + "metricsEnabled": { + "type": "String" + }, + "logsEnabled": { + "type": "String" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/virtualNetworks/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]", + "location": "[parameters('location')]", + "dependsOn": [], + "properties": { + "eventHubName": "[parameters('eventHubName')]", + "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "categoryGroup": "allLogs", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat('Diagnostic setting ', parameters('profileName'), ' for type Virtual Networks (Microsoft.Network/virtualNetworks), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubRuleId'), ':', parameters('eventHubName'), ' configured')]" + } + } + }, + "parameters": { + "eventHubName": { + "value": "[parameters('eventHubName')]" + }, + "eventHubRuleId": { + "value": "[parameters('eventHubRuleId')]" + }, + "location": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + } + } + } + } + } + } +} diff --git a/policyDefinitions/Monitoring/To Event Hub/apply-diagnostic-settings-for-aks-microsoft.containerservice-managedclusters-to-a-regional-event-hub/azurepolicy.json b/policyDefinitions/Monitoring/To Event Hub/apply-diagnostic-settings-for-aks-microsoft.containerservice-managedclusters-to-a-regional-event-hub/azurepolicy.json new file mode 100644 index 00000000..2235b8dd --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/apply-diagnostic-settings-for-aks-microsoft.containerservice-managedclusters-to-a-regional-event-hub/azurepolicy.json 
@@ -0,0 +1,267 @@ +{ + "name": "C8586D4AF28A1CEC8539D9FCE8F59B71", + "type": "Microsoft.Authorization/policyDefinitions", + "properties": { + "displayName": "Apply Diagnostic Settings for AKS Microsoft.ContainerService/managedClusters to a Regional Event Hub", + "description": "This policy automatically deploys diagnostic settings to Apply Diagnostic Settings for AKS Microsoft.ContainerService/managedClusters to a Regional Event Hub.", + "metadata": { + "category": "Monitoring", + "version": "1.0.0" + }, + "mode": "Indexed", + "parameters": { + "profileName": { + "type": "String", + "metadata": { + "displayName": "Profile Name for Diagnostic Setting", + "description": "The diagnostic settings profile name" + }, + "defaultValue": "setbypolicy_eventHub" + }, + "eventHubName": { + "type": "String", + "metadata": { + "displayName": "Event Hub Name", + "description": "The event hub for Azure Diagnostics" + } + }, + "eventHubAuthorizationRuleId": { + "type": "String", + "metadata": { + "displayName": "Event Hub Authorization Rule Id", + "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. 
/subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}", + "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules", + "assignPermissions": true + } + }, + "resourceLocation": { + "type": "Array", + "metadata": { + "displayName": "Event Hub Location", + "description": "Resource Location must be in the same location as the Event Hub Namespace.", + "strongType": "location" + }, + "defaultValue": "" + }, + "metricsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable Metrics", + "description": "Whether to enable metrics stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "False" + }, + "logsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable Logs", + "description": "Whether to enable logs stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "True" + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "DeployIfNotExists, AuditIfNotExists or Disabled the execution of the Policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "AuditIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.ContainerService/managedClusters" + }, + { + "anyOf": [ + { + "value": "[parameters('resourceLocation')]", + "equals": "" + }, + { + "field": "location", + "equals": "[parameters('resourceLocation')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "[parameters('logsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + 
"equals": "[parameters('metricsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubName", + "equals": "[parameters('eventHubName')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", + "equals": "[parameters('eventHubAuthorizationRuleId')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "/providers/Microsoft.Authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec" + ], + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "string" + }, + "resourceLocation": { + "type": "string" + }, + "eventHubName": { + "type": "string" + }, + "eventHubAuthorizationRuleId": { + "type": "string" + }, + "metricsEnabled": { + "type": "string" + }, + "logsEnabled": { + "type": "string" + }, + "profileName": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.ContainerService/managedClusters/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('resourceLocation')]", + "properties": { + "eventHubName": "[parameters('eventHubName')]", + "eventHubAuthorizationRuleId": "[parameters('eventHubAuthorizationRuleId')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "enabled": false, + "days": 0 + } + } + ], + "logs": [ + { + "category": "kube-apiserver", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "kube-audit", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "kube-audit-admin", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": 
"kube-controller-manager", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "kube-scheduler", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "cluster-autoscaler", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "cloud-controller-manager", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "guard", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "csi-azuredisk-controller", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "csi-azurefile-controller", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "csi-snapshot-controller", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat(parameters('eventHubName'), 'configured for diagnostic logs for ', ': ', parameters('resourceName'))]" + } + } + }, + "parameters": { + "eventHubName": { + "value": "[parameters('eventHubName')]" + }, + "resourceLocation": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "eventHubAuthorizationRuleId": { + "value": "[parameters('eventHubAuthorizationRuleId')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + } + } + } + } + } + } + } + } +} diff --git a/policyDefinitions/Monitoring/To Event Hub/apply-diagnostic-settings-for-aks-microsoft.containerservice-managedclusters-to-a-regional-event-hub/azurepolicy.parameters.json b/policyDefinitions/Monitoring/To Event Hub/apply-diagnostic-settings-for-aks-microsoft.containerservice-managedclusters-to-a-regional-event-hub/azurepolicy.parameters.json new file mode 100644 index 00000000..c2baef56 --- /dev/null 
+++ b/policyDefinitions/Monitoring/To Event Hub/apply-diagnostic-settings-for-aks-microsoft.containerservice-managedclusters-to-a-regional-event-hub/azurepolicy.parameters.json 
@@ -0,0 +1,72 @@ +{ + "profileName": { + "type": "String", + "metadata": { + "displayName": "Profile Name for Diagnostic Setting", + "description": "The diagnostic settings profile name" + }, + "defaultValue": "setbypolicy_eventHub" + }, + "eventHubName": { + "type": "String", + "metadata": { + "displayName": "Event Hub Name", + "description": "The event hub for Azure Diagnostics" + } + }, + "eventHubAuthorizationRuleId": { + "type": "String", + "metadata": { + "displayName": "Event Hub Authorization Rule Id", + "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}", + "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules", + "assignPermissions": true + } + }, + "resourceLocation": { + "type": "Array", + "metadata": { + "displayName": "Event Hub Location", + "description": "Resource Location must be in the same location as the Event Hub Namespace.", + "strongType": "location" + }, + "defaultValue": "" + }, + "metricsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable Metrics", + "description": "Whether to enable metrics stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "False" + }, + "logsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable Logs", + "description": "Whether to enable logs stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "True" + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "DeployIfNotExists, AuditIfNotExists or Disabled the execution of the Policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "AuditIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + 
} +} diff --git a/policyDefinitions/Monitoring/To Event Hub/apply-diagnostic-settings-for-aks-microsoft.containerservice-managedclusters-to-a-regional-event-hub/azurepolicy.rules.json b/policyDefinitions/Monitoring/To Event Hub/apply-diagnostic-settings-for-aks-microsoft.containerservice-managedclusters-to-a-regional-event-hub/azurepolicy.rules.json new file mode 100644 index 00000000..65dddfeb --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/apply-diagnostic-settings-for-aks-microsoft.containerservice-managedclusters-to-a-regional-event-hub/azurepolicy.rules.json 
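Review bot: `resourceLocation` is declared `"type": "Array"` while its `defaultValue` is the string `""`, and the sibling rules file compares it with `equals` against `""` and against the resource's `location`; an array value will satisfy neither comparison, so the region filter either never matches or the definition is rejected when created with a default that does not fit its type. Declaring it `"type": "String"` makes the default and both `equals` checks consistent; if a list of regions was intended, keep `Array`, give it an array default and change the rule to `"in"`. A description along the lines of `"Only resources in this region are evaluated; it must be the region of the Event Hub namespace"` would also make clearer that this filters the evaluated resources rather than naming where the hub lives.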
@@ -0,0 +1,182 @@ +{ + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.ContainerService/managedClusters" + }, + { + "anyOf": [ + { + "value": "[parameters('resourceLocation')]", + "equals": "" + }, + { + "field": "location", + "equals": "[parameters('resourceLocation')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "[parameters('logsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "[parameters('metricsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubName", + "equals": "[parameters('eventHubName')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", + "equals": "[parameters('eventHubAuthorizationRuleId')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "/providers/Microsoft.Authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec" + ], + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "string" + }, + "resourceLocation": { + "type": "string" + }, + "eventHubName": { + "type": "string" + }, + "eventHubAuthorizationRuleId": { + "type": "string" + }, + "metricsEnabled": { + "type": "string" + }, + "logsEnabled": { + "type": "string" + }, + "profileName": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.ContainerService/managedClusters/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]", + "location": "[parameters('resourceLocation')]", + "properties": { + "eventHubName": "[parameters('eventHubName')]", + "eventHubAuthorizationRuleId": "[parameters('eventHubAuthorizationRuleId')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "enabled": false, + "days": 0 + } + } + ], + "logs": [ + { + "category": "kube-apiserver", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "kube-audit", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "kube-audit-admin", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "kube-controller-manager", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "kube-scheduler", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "cluster-autoscaler", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "cloud-controller-manager", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "guard", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "csi-azuredisk-controller", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "csi-azurefile-controller", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "csi-snapshot-controller", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat(parameters('eventHubName'), 'configured for diagnostic logs for ', ': ', parameters('resourceName'))]" + } + } + }, + "parameters": { + "eventHubName": { + "value": "[parameters('eventHubName')]" + }, + "resourceLocation": { + "value": "[field('location')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "eventHubAuthorizationRuleId": { + "value": "[parameters('eventHubAuthorizationRuleId')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + 
}, + "profileName": { + "value": "[parameters('profileName')]" + } + } + } + } + } + } +} diff --git a/policyDefinitions/Monitoring/To Event Hub/apply-diagnostic-settings-for-microsoft.dbforpostgresql-flexibleservers-to-a-regional-event-hub/azurepolicy.json b/policyDefinitions/Monitoring/To Event Hub/apply-diagnostic-settings-for-microsoft.dbforpostgresql-flexibleservers-to-a-regional-event-hub/azurepolicy.json new file mode 100644 index 00000000..34ca8c65 --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/apply-diagnostic-settings-for-microsoft.dbforpostgresql-flexibleservers-to-a-regional-event-hub/azurepolicy.json 
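Review bot: The `existenceCondition` only requires some log entry with `enabled` equal to `logsEnabled` on a setting pointing at the configured hub, so a pre-existing diagnostic setting that streams a single category (say `kube-scheduler`) to that hub is treated as compliant and the deployment that would turn on `kube-audit` never runs. For a policy whose value is the control-plane audit trail, the condition should pin at least the audit category, which takes a `count` over `logs[*]` instead of the bare `logs.enabled` field. Per the AKS documentation `kube-audit-admin` is a subset of `kube-audit`, so streaming both doubles the volume of the most verbose category — confirm that is intended rather than picking one. The `2021-05-01-preview` apiVersion for the diagnostic setting is also worth replacing with a stable version before this is assigned broadly.
```json
"existenceCondition": {
  "allOf": [
    {
      "count": {
        "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
        "where": {
          "allOf": [
            { "field": "Microsoft.Insights/diagnosticSettings/logs[*].category", "equals": "kube-audit" },
            { "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", "equals": "[parameters('logsEnabled')]" }
          ]
        }
      },
      "greater": 0
    },
    // … unchanged: metrics.enabled, eventHubName and eventHubAuthorizationRuleId checks …
  ]
}
```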
@@ -0,0 +1,244 @@ +{ + "name": "78502ccd-80e1-4e6d-ba9c-70fa3dbedc60", + "type": "Microsoft.Authorization/policyDefinitions", + "properties": { + "displayName": "Apply Diagnostic Settings for Microsoft.DBforPostgreSQL/flexibleServers to a Regional Event Hub", + "description": "This policy automatically deploys diagnostic settings to Apply Diagnostic Settings for Microsoft.DBforPostgreSQL/flexibleServers to a Regional Event Hub.", + "metadata": { + "category": "Monitoring", + "version": "1.0.0" + }, + "mode": "Indexed", + "parameters": { + "profileName": { + "type": "String", + "metadata": { + "displayName": "Profile Name for Diagnostic Setting", + "description": "The diagnostic settings profile name" + }, + "defaultValue": "setbypolicy_eventHub" + }, + "eventHubName": { + "type": "String", + "metadata": { + "displayName": "Event Hub Name", + "description": "The event hub for Azure Diagnostics" + } + }, + "eventHubAuthorizationRuleId": { + "type": "String", + "metadata": { + "displayName": "Event Hub Authorization Rule Id", + "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. 
/subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}", + "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules", + "assignPermissions": true + } + }, + "resourceLocation": { + "type": "Array", + "metadata": { + "displayName": "Event Hub Location", + "description": "Resource Location must be in the same location as the Event Hub Namespace.", + "strongType": "location" + }, + "defaultValue": "" + }, + "metricsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable Metrics", + "description": "Whether to enable metrics stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "False" + }, + "logsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable Logs", + "description": "Whether to enable logs stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "True" + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "DeployIfNotExists, AuditIfNotExists or Disabled the execution of the Policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "AuditIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.DBforPostgreSQL/flexibleServers" + }, + { + "anyOf": [ + { + "value": "[parameters('resourceLocation')]", + "equals": "" + }, + { + "field": "location", + "equals": "[parameters('resourceLocation')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "[parameters('logsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + 
"equals": "[parameters('metricsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubName", + "equals": "[parameters('eventHubName')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", + "equals": "[parameters('eventHubAuthorizationRuleId')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "/providers/Microsoft.Authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec" + ], + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "string" + }, + "resourceLocation": { + "type": "string" + }, + "eventHubName": { + "type": "string" + }, + "eventHubAuthorizationRuleId": { + "type": "string" + }, + "metricsEnabled": { + "type": "string" + }, + "logsEnabled": { + "type": "string" + }, + "profileName": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DBforPostgreSQL/flexibleServers/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]", + "location": "[parameters('resourceLocation')]", + "properties": { + "eventHubName": "[parameters('eventHubName')]", + "eventHubAuthorizationRuleId": "[parameters('eventHubAuthorizationRuleId')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "enabled": false, + "days": 0 + } + } + ], + "logs": [ + { + "category": "PostgreSQLLogs", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "PostgreSQLFlexSessions", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "PostgreSQLFlexQueryStoreRuntime", + "enabled": "[parameters('logsEnabled')]" 
+ }, + { + "category": "PostgreSQLFlexQueryStoreWaitStats", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "PostgreSQLFlexTableStats", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "PostgreSQLFlexDatabaseXacts", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat(parameters('eventHubName'), 'configured for diagnostic logs for ', ': ', parameters('resourceName'))]" + } + } + }, + "parameters": { + "eventHubName": { + "value": "[parameters('eventHubName')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "eventHubAuthorizationRuleId": { + "value": "[parameters('eventHubAuthorizationRuleId')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + } + } + } + } + } + } + } + } +} diff --git a/policyDefinitions/Monitoring/To Event Hub/apply-diagnostic-settings-for-microsoft.dbforpostgresql-flexibleservers-to-a-regional-event-hub/azurepolicy.parameters.json b/policyDefinitions/Monitoring/To Event Hub/apply-diagnostic-settings-for-microsoft.dbforpostgresql-flexibleservers-to-a-regional-event-hub/azurepolicy.parameters.json new file mode 100644 index 00000000..c2baef56 --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/apply-diagnostic-settings-for-microsoft.dbforpostgresql-flexibleservers-to-a-regional-event-hub/azurepolicy.parameters.json 
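Review bot: The nested template declares `resourceLocation` as a string parameter with no default and uses it for the diagnostic setting's `location`, but the deployment's `parameters` block only passes eventHubName, resourceName, eventHubAuthorizationRuleId, metricsEnabled, logsEnabled and profileName, so every DeployIfNotExists remediation should fail on a missing template parameter and flexible servers will stay non-compliant with nothing streamed. Add `"resourceLocation": { "value": "[field('location')]" },` next to `resourceName`, as the AKS variant of this policy does. Separately, the region filter compares a parameter declared `"type": "Array"` with `equals` against `""` and the resource's string `location`, which cannot match; `"type": "String"` fits both the `""` default and the comparisons.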
@@ -0,0 +1,72 @@ +{ + "profileName": { + "type": "String", + "metadata": { + "displayName": "Profile Name for Diagnostic Setting", + "description": "The diagnostic settings profile name" + }, + "defaultValue": "setbypolicy_eventHub" + }, + "eventHubName": { + "type": "String", + "metadata": { + "displayName": "Event Hub Name", + "description": "The event hub for Azure Diagnostics" + } + }, + "eventHubAuthorizationRuleId": { + "type": "String", + "metadata": { + "displayName": "Event Hub Authorization Rule Id", + "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}", + "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules", + "assignPermissions": true + } + }, + "resourceLocation": { + "type": "Array", + "metadata": { + "displayName": "Event Hub Location", + "description": "Resource Location must be in the same location as the Event Hub Namespace.", + "strongType": "location" + }, + "defaultValue": "" + }, + "metricsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable Metrics", + "description": "Whether to enable metrics stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "False" + }, + "logsEnabled": { + "type": "String", + "metadata": { + "displayName": "Enable Logs", + "description": "Whether to enable logs stream to the Event Hub - True or False" + }, + "allowedValues": [ + "True", + "False" + ], + "defaultValue": "True" + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "DeployIfNotExists, AuditIfNotExists or Disabled the execution of the Policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "AuditIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + 
} +} diff --git a/policyDefinitions/Monitoring/To Event Hub/apply-diagnostic-settings-for-microsoft.dbforpostgresql-flexibleservers-to-a-regional-event-hub/azurepolicy.rules.json b/policyDefinitions/Monitoring/To Event Hub/apply-diagnostic-settings-for-microsoft.dbforpostgresql-flexibleservers-to-a-regional-event-hub/azurepolicy.rules.json new file mode 100644 index 00000000..4f4296ca --- /dev/null +++ b/policyDefinitions/Monitoring/To Event Hub/apply-diagnostic-settings-for-microsoft.dbforpostgresql-flexibleservers-to-a-regional-event-hub/azurepolicy.rules.json 
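Review bot: `resourceLocation` is typed `Array` but carries a string `defaultValue` of `""`, and the matching rules file compares it with `equals` to `""` and to the resource's `location`, so as written the region filter can never match and the definition may be rejected on creation. Change it to `"type": "String"`, or keep `Array` with an array default and switch the rule to `"in"` if several regions are meant to be accepted. The `displayName` "Event Hub Location" would be clearer as "Resource Location Filter", since the parameter limits which servers are evaluated rather than describing the hub.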
@@ -0,0 +1,159 @@ +{ + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.DBforPostgreSQL/flexibleServers" + }, + { + "anyOf": [ + { + "value": "[parameters('resourceLocation')]", + "equals": "" + }, + { + "field": "location", + "equals": "[parameters('resourceLocation')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "[parameters('logsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "[parameters('metricsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubName", + "equals": "[parameters('eventHubName')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId", + "equals": "[parameters('eventHubAuthorizationRuleId')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293", + "/providers/Microsoft.Authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec" + ], + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "string" + }, + "resourceLocation": { + "type": "string" + }, + "eventHubName": { + "type": "string" + }, + "eventHubAuthorizationRuleId": { + "type": "string" + }, + "metricsEnabled": { + "type": "string" + }, + "logsEnabled": { + "type": "string" + }, + "profileName": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DBforPostgreSQL/flexibleServers/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 
parameters('profileName'))]", + "location": "[parameters('resourceLocation')]", + "properties": { + "eventHubName": "[parameters('eventHubName')]", + "eventHubAuthorizationRuleId": "[parameters('eventHubAuthorizationRuleId')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": "[parameters('metricsEnabled')]", + "retentionPolicy": { + "enabled": false, + "days": 0 + } + } + ], + "logs": [ + { + "category": "PostgreSQLLogs", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "PostgreSQLFlexSessions", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "PostgreSQLFlexQueryStoreRuntime", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "PostgreSQLFlexQueryStoreWaitStats", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "PostgreSQLFlexTableStats", + "enabled": "[parameters('logsEnabled')]" + }, + { + "category": "PostgreSQLFlexDatabaseXacts", + "enabled": "[parameters('logsEnabled')]" + } + ] + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat(parameters('eventHubName'), 'configured for diagnostic logs for ', ': ', parameters('resourceName'))]" + } + } + }, + "parameters": { + "eventHubName": { + "value": "[parameters('eventHubName')]" + }, + "resourceName": { + "value": "[field('name')]" + }, + "eventHubAuthorizationRuleId": { + "value": "[parameters('eventHubAuthorizationRuleId')]" + }, + "metricsEnabled": { + "value": "[parameters('metricsEnabled')]" + }, + "logsEnabled": { + "value": "[parameters('logsEnabled')]" + }, + "profileName": { + "value": "[parameters('profileName')]" + } + } + } + } + } + } +}
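Review bot: The template's required `resourceLocation` parameter, used as the diagnostic setting's `location`, is never supplied in the deployment `parameters` block (only eventHubName, resourceName, eventHubAuthorizationRuleId, metricsEnabled, logsEnabled and profileName are), so the remediation deployment should fail with a missing parameter and the policy can never bring a server into compliance. Add `"resourceLocation": { "value": "[field('location')]" },` alongside `resourceName`. The existence check also does not verify which log categories are enabled, so any pre-existing setting with a single enabled category on the same hub counts as compliant; if `PostgreSQLLogs` is the category that matters for detection, pin it with a `count` over `logs[*]` rather than the bare `logs.enabled` field.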