diff --git a/policyDefinitions/Budget/deploy-subscription-budget-in-mg/azurepolicy.json b/policyDefinitions/Budget/deploy-subscription-budget-in-mg/azurepolicy.json
new file mode 100644
index 00000000..5a94c5ba
--- /dev/null
+++ b/policyDefinitions/Budget/deploy-subscription-budget-in-mg/azurepolicy.json
@@ -0,0 +1,254 @@
+{
+ "name": "6bd66aff-f8f2-4e98-a276-619a78b00e79",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "properties": {
+ "displayName": "Deploy subscription budget in MG",
+ "description": "Deploy a budget for a subscription that will notify the owner once a threshold of 50%, 90%, and 100% of the actual cost of budget is reached. Use the tags 'Owner-Email' and 'Technical-Contact-Email' with email addresses to send emails to those emails.",
+ "metadata": {
+ "category": "Budget",
+ "version": "1.0.0"
+ },
+ "mode": "All",
+ "parameters": {
+ "amount": {
+ "defaultValue": "1000",
+ "metadata": {
+ "description": "The total amount of cost or usage to track with the budget",
+ "displayName": "amount"
+ },
+ "type": "String"
+ },
+ "budgetName": {
+ "defaultValue": "budget-set-by-policy",
+ "metadata": {
+ "description": "The name for the budget to be created",
+ "displayName": "budgetName"
+ },
+ "type": "String"
+ },
+ "contactRoles": {
+ "defaultValue": [
+ "Contributor"
+ ],
+ "metadata": {
+ "description": "The list of contact RBAC roles, in an array, to send the budget notification to when the threshold is exceeded.",
+ "displayName": "contactRoles"
+ },
+ "type": "Array"
+ },
+ "firstThreshold": {
+ "defaultValue": "50",
+ "metadata": {
+ "description": "Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.",
+ "displayName": "firstThreshold"
+ },
+ "type": "String"
+ },
+ "secondThreshold": {
+ "defaultValue": "90",
+ "metadata": {
+ "description": "Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.",
+ "displayName": "secondThreshold"
+ },
+ "type": "String"
+ },
+ "thirdThreshold": {
+ "defaultValue": "100",
+ "metadata": {
+ "description": "Threshold value associated with a notification. 
Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.",
+ "displayName": "thirdThreshold"
+ },
+ "type": "String"
+ },
+ "timeGrain": {
+ "allowedValues": [
+ "Monthly",
+ "Quarterly",
+ "Annually",
+ "BillingMonth",
+ "BillingQuarter",
+ "BillingAnnual"
+ ],
+ "defaultValue": "BillingMonth",
+ "metadata": {
+ "description": "The time covered by a budget. Tracking of the amount will be reset based on the time grain.",
+ "displayName": "timeGrain"
+ },
+ "type": "String"
+ },
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "DeployIfNotExists, AuditIfNotExists or Disabled the execution of the Policy"
+ },
+ "allowedValues": [
+ "DeployIfNotExists",
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "equals": "Microsoft.Resources/subscriptions",
+ "field": "type"
+ }
+ ]
+ },
+ "then": {
+ "details": {
+ "deployment": {
+ "location": "westeurope",
+ "properties": {
+ "mode": "Incremental",
+ "parameters": {
+ "amount": {
+ "value": "[parameters('amount')]"
+ },
+ "budgetName": {
+ "value": "[parameters('budgetName')]"
+ },
+ "contactEmails": {
+ "value": [
+ "[field(concat('tags[','Owner-Email', ']'))]",
+ "[field(concat('tags[','Technical-Contact-Email', ']'))]"
+ ]
+ },
+ "contactRoles": {
+ "value": "[parameters('contactRoles')]"
+ },
+ "firstThreshold": {
+ "value": "[parameters('firstThreshold')]"
+ },
+ "secondThreshold": {
+ "value": "[parameters('secondThreshold')]"
+ },
+ "thirdThreshold": {
+ "value": "[parameters('thirdThreshold')]"
+ },
+ "timeGrain": {
+ "value": "[parameters('timeGrain')]"
+ }
+ },
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "amount": {
+ "type": "String"
+ },
+ "budgetName": {
+ "type": "String"
+ },
+ "contactEmails": {
+ 
"type": "Array"
+ },
+ "contactRoles": {
+ "type": "Array"
+ },
+ "firstThreshold": {
+ "type": "String"
+ },
+ "secondThreshold": {
+ "type": "String"
+ },
+ "thirdThreshold": {
+ "type": "String"
+ },
+ "startDate": {
+ "defaultValue": "[concat(utcNow('MM'), '/01/', utcNow('yyyy'))]",
+ "type": "String"
+ },
+ "timeGrain": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "apiVersion": "2021-10-01",
+ "name": "[parameters('budgetName')]",
+ "properties": {
+ "amount": "[parameters('amount')]",
+ "category": "Cost",
+ "notifications": {
+ "NotificationForExceededBudget1": {
+ "contactEmails": "[parameters('contactEmails')]",
+ "contactRoles": "[parameters('contactRoles')]",
+ "enabled": true,
+ "operator": "GreaterThan",
+ "threshold": "[parameters('firstThreshold')]"
+ },
+ "NotificationForExceededBudget2": {
+ "contactEmails": "[parameters('contactEmails')]",
+ "contactRoles": "[parameters('contactRoles')]",
+ "enabled": true,
+ "operator": "GreaterThan",
+ "threshold": "[parameters('secondThreshold')]"
+ },
+ "NotificationForExceededBudget3": {
+ "contactEmails": "[parameters('contactEmails')]",
+ "contactRoles": "[parameters('contactRoles')]",
+ "enabled": true,
+ "operator": "GreaterThan",
+ "threshold": "[parameters('thirdThreshold')]"
+ },
+ "NotificationForExceededBudget4": {
+ "contactEmails": "[parameters('contactEmails')]",
+ "contactRoles": "[parameters('contactRoles')]",
+ "enabled": true,
+ "operator": "GreaterThan",
+ "threshold": "[parameters('firstThreshold')]",
+ "thresholdType": "Forecasted"
+ },
+ "NotificationForExceededBudget5": {
+ "contactEmails": "[parameters('contactEmails')]",
+ "contactRoles": "[parameters('contactRoles')]",
+ "enabled": true,
+ "operator": "GreaterThan",
+ "threshold": "[parameters('thirdThreshold')]",
+ "thresholdType": "Forecasted"
+ }
+ },
+ "timeGrain": "[parameters('timeGrain')]",
+ "timePeriod": {
+ "startDate": "[parameters('startDate')]"
+ }
+ },
+ "type": "Microsoft.Consumption/budgets"
+ }
+ ]
+ }
+ }
+ },
+ "deploymentScope": "subscription",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "equals": "[parameters('amount')]",
+ "field": "Microsoft.Consumption/budgets/amount"
+ },
+ {
+ "equals": "[parameters('timeGrain')]",
+ "field": "Microsoft.Consumption/budgets/timeGrain"
+ },
+ {
+ "equals": "Cost",
+ "field": "Microsoft.Consumption/budgets/category"
+ }
+ ]
+ },
+ "existenceScope": "subscription",
+ "roleDefinitionIds": [
+ "/providers/Microsoft.Authorization/roleDefinitions/434105ed-43f6-45c7-a02f-909b2ba83430"
+ ],
+ "type": "Microsoft.Consumption/budgets"
+ },
+ "effect": "[parameters('effect')]"
+ }
+ }
+ }
+}
diff --git a/policyDefinitions/Budget/deploy-subscription-budget-in-mg/azurepolicy.parameters.json b/policyDefinitions/Budget/deploy-subscription-budget-in-mg/azurepolicy.parameters.json
new file mode 100644
index 00000000..a08f793f
--- /dev/null
+++ b/policyDefinitions/Budget/deploy-subscription-budget-in-mg/azurepolicy.parameters.json
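Review bot: The `contactEmails` value is built from the subscription's `Owner-Email` and `Technical-Contact-Email` tags with no check that either tag exists, while the `if` block matches on `type` alone, so a subscription missing one tag presumably yields an empty entry in the array and the budget deployment then fails or silently loses a recipient. Since tag values decide who is alerted, whoever can write subscription tags also controls the budget notifications; that is worth a sentence in `description`, and the `allOf` should carry `{ "field": "tags['Owner-Email']", "exists": "true" }` (and the same for the second tag) so the deployment only runs when both are set. The `existenceCondition` compares only `amount`, `timeGrain` and `category`, so a pre-existing budget with the same amount but other recipients counts as compliant and the notifications are never reconciled. The same rule body is repeated in azurepolicy.rules.json later in this commit.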
@@ -0,0 +1,81 @@
+{
+ "amount": {
+ "defaultValue": "1000",
+ "metadata": {
+ "description": "The total amount of cost or usage to track with the budget",
+ "displayName": "amount"
+ },
+ "type": "String"
+ },
+ "budgetName": {
+ "defaultValue": "budget-set-by-policy",
+ "metadata": {
+ "description": "The name for the budget to be created",
+ "displayName": "budgetName"
+ },
+ "type": "String"
+ },
+ "contactRoles": {
+ "defaultValue": [
+ "Contributor"
+ ],
+ "metadata": {
+ "description": "The list of contact RBAC roles, in an array, to send the budget notification to when the threshold is exceeded.",
+ "displayName": "contactRoles"
+ },
+ "type": "Array"
+ },
+ "firstThreshold": {
+ "defaultValue": "50",
+ "metadata": {
+ "description": "Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.",
+ "displayName": "firstThreshold"
+ },
+ "type": "String"
+ },
+ "secondThreshold": {
+ "defaultValue": "90",
+ "metadata": {
+ "description": "Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.",
+ "displayName": "secondThreshold"
+ },
+ "type": "String"
+ },
+ "thirdThreshold": {
+ "defaultValue": "100",
+ "metadata": {
+ "description": "Threshold value associated with a notification. Notification is sent when the cost exceeded the threshold. It is always percent and has to be between 0 and 1000.",
+ "displayName": "thirdThreshold"
+ },
+ "type": "String"
+ },
+ "timeGrain": {
+ "allowedValues": [
+ "Monthly",
+ "Quarterly",
+ "Annually",
+ "BillingMonth",
+ "BillingQuarter",
+ "BillingAnnual"
+ ],
+ "defaultValue": "BillingMonth",
+ "metadata": {
+ "description": "The time covered by a budget. 
Tracking of the amount will be reset based on the time grain.",
+ "displayName": "timeGrain"
+ },
+ "type": "String"
+ },
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "DeployIfNotExists, AuditIfNotExists or Disabled the execution of the Policy"
+ },
+ "allowedValues": [
+ "DeployIfNotExists",
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists"
+ }
+}
diff --git a/policyDefinitions/Budget/deploy-subscription-budget-in-mg/azurepolicy.rules.json b/policyDefinitions/Budget/deploy-subscription-budget-in-mg/azurepolicy.rules.json
new file mode 100644
index 00000000..81c5ab1c
--- /dev/null
+++ b/policyDefinitions/Budget/deploy-subscription-budget-in-mg/azurepolicy.rules.json
@@ -0,0 +1,160 @@
+{
+ "if": {
+ "allOf": [
+ {
+ "equals": "Microsoft.Resources/subscriptions",
+ "field": "type"
+ }
+ ]
+ },
+ "then": {
+ "details": {
+ "deployment": {
+ "location": "westeurope",
+ "properties": {
+ "mode": "Incremental",
+ "parameters": {
+ "amount": {
+ "value": "[parameters('amount')]"
+ },
+ "budgetName": {
+ "value": "[parameters('budgetName')]"
+ },
+ "contactEmails": {
+ "value": [
+ "[field(concat('tags[','Owner-Email', ']'))]",
+ "[field(concat('tags[','Technical-Contact-Email', ']'))]"
+ ]
+ },
+ "contactRoles": {
+ "value": "[parameters('contactRoles')]"
+ },
+ "firstThreshold": {
+ "value": "[parameters('firstThreshold')]"
+ },
+ "secondThreshold": {
+ "value": "[parameters('secondThreshold')]"
+ },
+ "thirdThreshold": {
+ "value": "[parameters('thirdThreshold')]"
+ },
+ "timeGrain": {
+ "value": "[parameters('timeGrain')]"
+ }
+ },
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "amount": {
+ "type": "String"
+ },
+ "budgetName": {
+ "type": "String"
+ },
+ "contactEmails": {
+ "type": "Array"
+ },
+ "contactRoles": {
+ "type": "Array"
+ },
+ "firstThreshold": {
+ "type": "String"
+ },
+ "secondThreshold": {
+ "type": "String"
+ },
+ "thirdThreshold": {
+ "type": "String"
+ },
+ "startDate": {
+ "defaultValue": "[concat(utcNow('MM'), '/01/', utcNow('yyyy'))]",
+ "type": "String"
+ },
+ "timeGrain": {
+ "type": "String"
+ }
+ },
+ "resources": [
+ {
+ "apiVersion": "2021-10-01",
+ "name": "[parameters('budgetName')]",
+ "properties": {
+ "amount": "[parameters('amount')]",
+ "category": "Cost",
+ "notifications": {
+ "NotificationForExceededBudget1": {
+ "contactEmails": "[parameters('contactEmails')]",
+ "contactRoles": "[parameters('contactRoles')]",
+ "enabled": true,
+ "operator": "GreaterThan",
+ "threshold": "[parameters('firstThreshold')]"
+ },
+ "NotificationForExceededBudget2": {
+ "contactEmails": 
"[parameters('contactEmails')]",
+ "contactRoles": "[parameters('contactRoles')]",
+ "enabled": true,
+ "operator": "GreaterThan",
+ "threshold": "[parameters('secondThreshold')]"
+ },
+ "NotificationForExceededBudget3": {
+ "contactEmails": "[parameters('contactEmails')]",
+ "contactRoles": "[parameters('contactRoles')]",
+ "enabled": true,
+ "operator": "GreaterThan",
+ "threshold": "[parameters('thirdThreshold')]"
+ },
+ "NotificationForExceededBudget4": {
+ "contactEmails": "[parameters('contactEmails')]",
+ "contactRoles": "[parameters('contactRoles')]",
+ "enabled": true,
+ "operator": "GreaterThan",
+ "threshold": "[parameters('firstThreshold')]",
+ "thresholdType": "Forecasted"
+ },
+ "NotificationForExceededBudget5": {
+ "contactEmails": "[parameters('contactEmails')]",
+ "contactRoles": "[parameters('contactRoles')]",
+ "enabled": true,
+ "operator": "GreaterThan",
+ "threshold": "[parameters('thirdThreshold')]",
+ "thresholdType": "Forecasted"
+ }
+ },
+ "timeGrain": "[parameters('timeGrain')]",
+ "timePeriod": {
+ "startDate": "[parameters('startDate')]"
+ }
+ },
+ "type": "Microsoft.Consumption/budgets"
+ }
+ ]
+ }
+ }
+ },
+ "deploymentScope": "subscription",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "equals": "[parameters('amount')]",
+ "field": "Microsoft.Consumption/budgets/amount"
+ },
+ {
+ "equals": "[parameters('timeGrain')]",
+ "field": "Microsoft.Consumption/budgets/timeGrain"
+ },
+ {
+ "equals": "Cost",
+ "field": "Microsoft.Consumption/budgets/category"
+ }
+ ]
+ },
+ "existenceScope": "subscription",
+ "roleDefinitionIds": [
+ "/providers/Microsoft.Authorization/roleDefinitions/434105ed-43f6-45c7-a02f-909b2ba83430"
+ ],
+ "type": "Microsoft.Consumption/budgets"
+ },
+ "effect": "[parameters('effect')]"
+ }
+}
diff --git a/policyDefinitions/Monitoring/enable-logging-by-category-group-for-notification-hubs-namespaces-to-event-hub/azurepolicy.json b/policyDefinitions/Monitoring/enable-logging-by-category-group-for-notification-hubs-namespaces-to-event-hub/azurepolicy.json
new file mode 100644
index 00000000..8e34b4c5
--- /dev/null
+++ b/policyDefinitions/Monitoring/enable-logging-by-category-group-for-notification-hubs-namespaces-to-event-hub/azurepolicy.json
@@ -0,0 +1,224 @@
+{
+ "name": "c66c8050-7a45-4549-90bd-1c875571017c",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "properties": {
+ "displayName": "Enable logging by category group for Notification Hubs namespaces (microsoft.notificationhubs/namespaces) to Event Hub",
+ "description": "Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to an Event Hub for Notification Hubs namespace (microsoft.notificationhubs/namespaces).",
+ "metadata": {
+ "category": "Monitoring",
+ "version": "1.1.0"
+ },
+ "mode": "Indexed",
+ "parameters": {
+ "diagnosticSettingName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Diagnostic Setting Name",
+ "description": "Diagnostic Setting Name"
+ },
+ "defaultValue": "setByPolicy-EventHub"
+ },
+ "categoryGroup": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Category Group",
+ "description": "Diagnostic category group - none, audit, or allLogs."
+ },
+ "allowedValues": [
+ "audit",
+ "allLogs"
+ ],
+ "defaultValue": "audit"
+ },
+ "resourceLocation": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Resource Location",
+ "description": "Resource Location must be in the same location as the Event Hub Namespace.",
+ "strongType": "location"
+ }
+ },
+ "eventHubAuthorizationRuleId": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Authorization Rule Id",
+ "description": "Event Hub Authorization Rule Id - the authorization rule needs to be at Event Hub namespace level. e.g. 
/subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}",
+ "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules",
+ "assignPermissions": true
+ }
+ },
+ "eventHubName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Name",
+ "description": "Event Hub Name."
+ },
+ "defaultValue": "Monitoring"
+ },
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "DeployIfNotExists, AuditIfNotExists or Disabled the execution of the Policy"
+ },
+ "allowedValues": [
+ "DeployIfNotExists",
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "microsoft.notificationhubs/namespaces"
+ },
+ {
+ "field": "location",
+ "equals": "[parameters('resourceLocation')]"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[equals(parameters('categoryGroup'), 'audit')]"
+ },
+ {
+ "field": "microsoft.insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "audit"
+ }
+ ]
+ }
+ },
+ "equals": 1
+ },
+ {
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[equals(parameters('categoryGroup'), 'allLogs')]"
+ },
+ {
+ "field": "microsoft.insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "allLogs"
+ }
+ ]
+ }
+ },
+ "equals": 1
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId",
+ "equals": 
"[parameters('eventHubAuthorizationRuleId')]"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/eventHubName",
+ "equals": "[parameters('eventHubName')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
+ "/providers/Microsoft.Authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "diagnosticSettingName": {
+ "type": "string"
+ },
+ "categoryGroup": {
+ "type": "String"
+ },
+ "eventHubName": {
+ "type": "string"
+ },
+ "eventHubAuthorizationRuleId": {
+ "type": "string"
+ },
+ "resourceLocation": {
+ "type": "string"
+ },
+ "resourceName": {
+ "type": "string"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "microsoft.notificationhubs/namespaces/providers/diagnosticSettings",
+ "apiVersion": "2021-05-01-preview",
+ "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('diagnosticSettingName'))]",
+ "location": "[parameters('resourceLocation')]",
+ "properties": {
+ "eventHubName": "[parameters('eventHubName')]",
+ "eventHubAuthorizationRuleId": "[parameters('eventHubAuthorizationRuleId')]",
+ "logs": [
+ {
+ "categoryGroup": "audit",
+ "enabled": "[equals(parameters('categoryGroup'), 'audit')]"
+ },
+ {
+ "categoryGroup": "allLogs",
+ "enabled": "[equals(parameters('categoryGroup'), 'allLogs')]"
+ }
+ ],
+ "metrics": []
+ }
+ }
+ ],
+ "outputs": {
+ "policy": {
+ "type": "string",
+ "value": "[concat('Diagnostic setting ', parameters('diagnosticSettingName'), ' for type Notification Hubs namespace (microsoft.notificationhubs/namespaces), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubAuthorizationRuleId'), ':', parameters('eventHubName'), ' configured')]"
+ }
+ }
+ 
},
+ "parameters": {
+ "diagnosticSettingName": {
+ "value": "[parameters('diagnosticSettingName')]"
+ },
+ "categoryGroup": {
+ "value": "[parameters('categoryGroup')]"
+ },
+ "eventHubName": {
+ "value": "[parameters('eventHubName')]"
+ },
+ "eventHubAuthorizationRuleId": {
+ "value": "[parameters('eventHubAuthorizationRuleId')]"
+ },
+ "resourceLocation": {
+ "value": "[field('location')]"
+ },
+ "resourceName": {
+ "value": "[field('name')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/policyDefinitions/Monitoring/enable-logging-by-category-group-for-notification-hubs-namespaces-to-event-hub/azurepolicy.parameters.json b/policyDefinitions/Monitoring/enable-logging-by-category-group-for-notification-hubs-namespaces-to-event-hub/azurepolicy.parameters.json
new file mode 100644
index 00000000..e4f4237a
--- /dev/null
+++ b/policyDefinitions/Monitoring/enable-logging-by-category-group-for-notification-hubs-namespaces-to-event-hub/azurepolicy.parameters.json
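Review bot: The `categoryGroup` parameter's description says "none, audit, or allLogs" while `allowedValues` lists only `audit` and `allLogs`, so the text promises a value an assignment will reject; change it to `"description": "Diagnostic category group - audit or allLogs."` (the Log Analytics definition and both azurepolicy.parameters.json copies in this commit carry the same text). The template's parameter block mixes `"type": "string"` and `"type": "String"` for `categoryGroup`, which ARM accepts but reads as a paste artefact; one casing throughout, here and in the azurepolicy.rules.json copy, would be cleaner. The file is added at `"version": "1.1.0"` while its Log Analytics sibling starts at `1.0.0`, which suggests this definition's history lives elsewhere; the metadata should reflect the version actually published from this repository.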
@@ -0,0 +1,60 @@
+{
+ "diagnosticSettingName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Diagnostic Setting Name",
+ "description": "Diagnostic Setting Name"
+ },
+ "defaultValue": "setByPolicy-EventHub"
+ },
+ "categoryGroup": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Category Group",
+ "description": "Diagnostic category group - none, audit, or allLogs."
+ },
+ "allowedValues": [
+ "audit",
+ "allLogs"
+ ],
+ "defaultValue": "audit"
+ },
+ "resourceLocation": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Resource Location",
+ "description": "Resource Location must be in the same location as the Event Hub Namespace.",
+ "strongType": "location"
+ }
+ },
+ "eventHubAuthorizationRuleId": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Authorization Rule Id",
+ "description": "Event Hub Authorization Rule Id - the authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}",
+ "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules",
+ "assignPermissions": true
+ }
+ },
+ "eventHubName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Event Hub Name",
+ "description": "Event Hub Name."
+ },
+ "defaultValue": "Monitoring"
+ },
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "DeployIfNotExists, AuditIfNotExists or Disabled the execution of the Policy"
+ },
+ "allowedValues": [
+ "DeployIfNotExists",
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists"
+ }
+}
diff --git a/policyDefinitions/Monitoring/enable-logging-by-category-group-for-notification-hubs-namespaces-to-event-hub/azurepolicy.rules.json b/policyDefinitions/Monitoring/enable-logging-by-category-group-for-notification-hubs-namespaces-to-event-hub/azurepolicy.rules.json
new file mode 100644
index 00000000..eba530c5
--- /dev/null
+++ b/policyDefinitions/Monitoring/enable-logging-by-category-group-for-notification-hubs-namespaces-to-event-hub/azurepolicy.rules.json
@@ -0,0 +1,151 @@
+{
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "microsoft.notificationhubs/namespaces"
+ },
+ {
+ "field": "location",
+ "equals": "[parameters('resourceLocation')]"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[equals(parameters('categoryGroup'), 'audit')]"
+ },
+ {
+ "field": "microsoft.insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "audit"
+ }
+ ]
+ }
+ },
+ "equals": 1
+ },
+ {
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[equals(parameters('categoryGroup'), 'allLogs')]"
+ },
+ {
+ "field": "microsoft.insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "allLogs"
+ }
+ ]
+ }
+ },
+ "equals": 1
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId",
+ "equals": "[parameters('eventHubAuthorizationRuleId')]"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/eventHubName",
+ "equals": "[parameters('eventHubName')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
+ "/providers/Microsoft.Authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "diagnosticSettingName": {
+ "type": "string"
+ },
+ "categoryGroup": {
+ "type": "String"
+ },
+ "eventHubName": {
+ "type": "string"
+ },
+ 
"eventHubAuthorizationRuleId": {
+ "type": "string"
+ },
+ "resourceLocation": {
+ "type": "string"
+ },
+ "resourceName": {
+ "type": "string"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "microsoft.notificationhubs/namespaces/providers/diagnosticSettings",
+ "apiVersion": "2021-05-01-preview",
+ "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('diagnosticSettingName'))]",
+ "location": "[parameters('resourceLocation')]",
+ "properties": {
+ "eventHubName": "[parameters('eventHubName')]",
+ "eventHubAuthorizationRuleId": "[parameters('eventHubAuthorizationRuleId')]",
+ "logs": [
+ {
+ "categoryGroup": "audit",
+ "enabled": "[equals(parameters('categoryGroup'), 'audit')]"
+ },
+ {
+ "categoryGroup": "allLogs",
+ "enabled": "[equals(parameters('categoryGroup'), 'allLogs')]"
+ }
+ ],
+ "metrics": []
+ }
+ }
+ ],
+ "outputs": {
+ "policy": {
+ "type": "string",
+ "value": "[concat('Diagnostic setting ', parameters('diagnosticSettingName'), ' for type Notification Hubs namespace (microsoft.notificationhubs/namespaces), resourceName ', parameters('resourceName'), ' to EventHub ', parameters('eventHubAuthorizationRuleId'), ':', parameters('eventHubName'), ' configured')]"
+ }
+ }
+ },
+ "parameters": {
+ "diagnosticSettingName": {
+ "value": "[parameters('diagnosticSettingName')]"
+ },
+ "categoryGroup": {
+ "value": "[parameters('categoryGroup')]"
+ },
+ "eventHubName": {
+ "value": "[parameters('eventHubName')]"
+ },
+ "eventHubAuthorizationRuleId": {
+ "value": "[parameters('eventHubAuthorizationRuleId')]"
+ },
+ "resourceLocation": {
+ "value": "[field('location')]"
+ },
+ "resourceName": {
+ "value": "[field('name')]"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/policyDefinitions/Monitoring/enable-logging-by-category-group-for-notification-hubs-namespaces-to-log-analytics/azurepolicy.json b/policyDefinitions/Monitoring/enable-logging-by-category-group-for-notification-hubs-namespaces-to-log-analytics/azurepolicy.json
new file mode 100644
index 00000000..4a5e4c1d
--- /dev/null
+++ b/policyDefinitions/Monitoring/enable-logging-by-category-group-for-notification-hubs-namespaces-to-log-analytics/azurepolicy.json
@@ -0,0 +1,207 @@
+{
+ "name": "65f86cc7-f01e-4c42-967c-e5014709f2c5",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "properties": {
+ "displayName": "Enable logging by category group for Notification Hubs namespaces (microsoft.notificationhubs/namespaces) to Log Analytics",
+ "description": "Resource logs should be enabled to track activities and events that take place on your resources and give you visibility and insights into any changes that occur. This policy deploys a diagnostic setting using a category group to route logs to a Log Analytics workspace for Notification Hubs namespaces (microsoft.notificationhubs/namespaces).",
+ "metadata": {
+ "category": "Monitoring",
+ "version": "1.0.0"
+ },
+ "mode": "Indexed",
+ "parameters": {
+ "diagnosticSettingName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Diagnostic Setting Name",
+ "description": "Diagnostic Setting Name"
+ },
+ "defaultValue": "setByPolicy-LogAnalytics"
+ },
+ "categoryGroup": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Category Group",
+ "description": "Diagnostic category group - none, audit, or allLogs."
+ },
+ "allowedValues": [
+ "audit",
+ "allLogs"
+ ],
+ "defaultValue": "audit"
+ },
+ "resourceLocationList": {
+ "type": "Array",
+ "metadata": {
+ "displayName": "Resource Location List",
+ "description": "Resource Location List to send logs to nearby Log Analytics. A single entry \"*\" selects all locations (default)."
+ },
+ "defaultValue": [
+ "*"
+ ]
+ },
+ "logAnalytics": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Log Analytics Workspace",
+ "description": "Log Analytics Workspace",
+ "strongType": "omsWorkspace",
+ "assignPermissions": true
+ }
+ },
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "DeployIfNotExists, AuditIfNotExists or Disabled the execution of the Policy"
+ },
+ "allowedValues": [
+ "DeployIfNotExists",
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "microsoft.notificationhubs/namespaces"
+ },
+ {
+ "anyOf": [
+ {
+ "value": "[first(parameters('resourceLocationList'))]",
+ "equals": "*"
+ },
+ {
+ "field": "location",
+ "in": "[parameters('resourceLocationList')]"
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[equals(parameters('categoryGroup'), 'audit')]"
+ },
+ {
+ "field": "microsoft.insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "audit"
+ }
+ ]
+ }
+ },
+ "equals": 1
+ },
+ {
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
+ "equals": "[equals(parameters('categoryGroup'), 'allLogs')]"
+ },
+ {
+ "field": "microsoft.insights/diagnosticSettings/logs[*].categoryGroup",
+ "equals": "allLogs"
+ }
+ ]
+ }
+ },
+ "equals": 1
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+ "equals": "[parameters('logAnalytics')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ 
"/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "diagnosticSettingName": {
+ "type": "string"
+ },
+ "logAnalytics": {
+ "type": "string"
+ },
+ "categoryGroup": {
+ "type": "String"
+ },
+ "resourceName": {
+ "type": "string"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "microsoft.notificationhubs/namespaces/providers/diagnosticSettings",
+ "apiVersion": "2021-05-01-preview",
+ "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('diagnosticSettingName'))]",
+ "properties": {
+ "workspaceId": "[parameters('logAnalytics')]",
+ "logs": [
+ {
+ "categoryGroup": "audit",
+ "enabled": "[equals(parameters('categoryGroup'), 'audit')]"
+ },
+ {
+ "categoryGroup": "allLogs",
+ "enabled": "[equals(parameters('categoryGroup'), 'allLogs')]"
+ }
+ ],
+ "metrics": []
+ }
+ }
+ ],
+ "outputs": {
+ "policy": {
+ "type": "string",
+ "value": "[concat('Diagnostic setting ', parameters('diagnosticSettingName'), ' for type Notification Hubs namespaces (microsoft.notificationhubs/namespaces), resourceName ', parameters('resourceName'), ' to Log Analytics ', parameters('logAnalytics'), ' configured')]"
+ }
+ }
+ },
+ "parameters": {
+ "diagnosticSettingName": {
+ "value": "[parameters('diagnosticSettingName')]"
+ },
+ "logAnalytics": {
+ "value": "[parameters('logAnalytics')]"
+ },
+ "categoryGroup": {
+ "value": "[parameters('categoryGroup')]"
+ },
+ "resourceName": {
+ "value": "[field('name')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
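Review bot: The location filter in `if` tests `[first(parameters('resourceLocationList'))]` against `"*"` and otherwise requires `location` to be `in` the list, so an assignment that supplies an empty array matches no resource at all, and `first()` on an empty array may itself fail evaluation (not verified here); the parameter description should state the constraint, e.g. `"description": "Resource Location List to send logs to nearby Log Analytics. Must contain at least one entry; a single entry \"*\" selects all locations (default)."`. Nothing in the definition documents that one workspace receives logs from every listed region, which is the behaviour the `existenceCondition` on `workspaceId` enforces, so a sentence to that effect in the top-level `description` would help assigners. The same rule body is repeated in azurepolicy.rules.json later in this commit.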
diff --git a/policyDefinitions/Monitoring/enable-logging-by-category-group-for-notification-hubs-namespaces-to-log-analytics/azurepolicy.parameters.json b/policyDefinitions/Monitoring/enable-logging-by-category-group-for-notification-hubs-namespaces-to-log-analytics/azurepolicy.parameters.json
new file mode 100644
index 00000000..9f4b289b
--- /dev/null
+++ b/policyDefinitions/Monitoring/enable-logging-by-category-group-for-notification-hubs-namespaces-to-log-analytics/azurepolicy.parameters.json
@@ -0,0 +1,54 @@
+{
+ "diagnosticSettingName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Diagnostic Setting Name",
+ "description": "Diagnostic Setting Name"
+ },
+ "defaultValue": "setByPolicy-LogAnalytics"
+ },
+ "categoryGroup": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Category Group",
+ "description": "Diagnostic category group - none, audit, or allLogs."
+ },
+ "allowedValues": [
+ "audit",
+ "allLogs"
+ ],
+ "defaultValue": "audit"
+ },
+ "resourceLocationList": {
+ "type": "Array",
+ "metadata": {
+ "displayName": "Resource Location List",
+ "description": "Resource Location List to send logs to nearby Log Analytics. A single entry \"*\" selects all locations (default)."
+ },
+ "defaultValue": [
+ "*"
+ ]
+ },
+ "logAnalytics": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Log Analytics Workspace",
+ "description": "Log Analytics Workspace",
+ "strongType": "omsWorkspace",
+ "assignPermissions": true
+ }
+ },
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "DeployIfNotExists, AuditIfNotExists or Disabled the execution of the Policy"
+ },
+ "allowedValues": [
+ "DeployIfNotExists",
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists"
+ }
+}
diff --git a/policyDefinitions/Monitoring/enable-logging-by-category-group-for-notification-hubs-namespaces-to-log-analytics/azurepolicy.rules.json b/policyDefinitions/Monitoring/enable-logging-by-category-group-for-notification-hubs-namespaces-to-log-analytics/azurepolicy.rules.json
new file mode 100644
index 00000000..d3c45cef
--- /dev/null
+++ b/policyDefinitions/Monitoring/enable-logging-by-category-group-for-notification-hubs-namespaces-to-log-analytics/azurepolicy.rules.json
@@ -0,0 +1,140 @@ +{ + "if": { + "allOf": [ + { + "field": "type", + "equals": "microsoft.notificationhubs/namespaces" + }, + { + "anyOf": [ + { + "value": "[first(parameters('resourceLocationList'))]", + "equals": "*" + }, + { + "field": "location", + "in": "[parameters('resourceLocationList')]" + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "existenceCondition": { + "allOf": [ + { + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[equals(parameters('categoryGroup'), 'audit')]" + }, + { + "field": "microsoft.insights/diagnosticSettings/logs[*].categoryGroup", + "equals": "audit" + } + ] + } + }, + "equals": 1 + }, + { + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[equals(parameters('categoryGroup'), 'allLogs')]" + }, + { + "field": "microsoft.insights/diagnosticSettings/logs[*].categoryGroup", + "equals": "allLogs" + } + ] + } + }, + "equals": 1 + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" + ], + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "diagnosticSettingName": { + "type": "string" + }, + "logAnalytics": { + "type": "string" + }, + "categoryGroup": { + "type": "String" + }, + "resourceName": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": 
"microsoft.notificationhubs/namespaces/providers/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('diagnosticSettingName'))]", + "properties": { + "workspaceId": "[parameters('logAnalytics')]", + "logs": [ + { + "categoryGroup": "audit", + "enabled": "[equals(parameters('categoryGroup'), 'audit')]" + }, + { + "categoryGroup": "allLogs", + "enabled": "[equals(parameters('categoryGroup'), 'allLogs')]" + } + ], + "metrics": [] + } + } + ], + "outputs": { + "policy": { + "type": "string", + "value": "[concat('Diagnostic setting ', parameters('diagnosticSettingName'), ' for type Notification Hubs namespaces (microsoft.notificationhubs/namespaces), resourceName ', parameters('resourceName'), ' to Log Analytics ', parameters('logAnalytics'), ' configured')]" + } + } + }, + "parameters": { + "diagnosticSettingName": { + "value": "[parameters('diagnosticSettingName')]" + }, + "logAnalytics": { + "value": "[parameters('logAnalytics')]" + }, + "categoryGroup": { + "value": "[parameters('categoryGroup')]" + }, + "resourceName": { + "value": "[field('name')]" + } + } + } + } + } + } +}
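Review bot: The deployment template declares `categoryGroup` as `"type": "String"` while the other three template parameters use lowercase `"string"`, and the existence condition mixes `Microsoft.Insights/...` with `microsoft.insights/...` for the same alias; both forms are accepted, but one spelling per file keeps later diffs clean, so `"type": "string"` and a single alias casing throughout. The role in `roleDefinitionIds` appears only as a GUID; if I read it right it is the built-in Log Analytics Contributor, which carries workspace-wide rights well beyond the diagnostic-settings write this template performs, so the policy's README or description should name the role and say why a narrower one was not sufficient, letting assigners judge what the managed identity receives on the namespace and on the workspace. `"metrics": []` means platform metrics for the namespace are never forwarded; if that is intentional, state it in the policy description so nobody expects them in the workspace. `first(parameters('resourceLocationList'))` is evaluated for every resource regardless of list length, and nothing in the definition or the parameters file requires at least one entry, so either document that constraint on the parameter or confirm how an empty array evaluates before relying on the `"*"` shortcut.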
