diff --git a/policy/custom/definitions/policy/LA-Microsoft.EventHub-namespaces/azurepolicy.config.json b/policy/custom/definitions/policy/LA-Microsoft.EventHub-namespaces/azurepolicy.config.json
new file mode 100644
index 00000000..328739fc
--- /dev/null
+++ b/policy/custom/definitions/policy/LA-Microsoft.EventHub-namespaces/azurepolicy.config.json
@@ -0,0 +1,4 @@
+{
+ "name": "Deploy Diagnostic Settings for Event Hub to Log Analytics workspace",
+ "mode": "indexed"
+}
\ No newline at end of file
diff --git a/policy/custom/definitions/policy/LA-Microsoft.EventHub-namespaces/azurepolicy.parameters.json b/policy/custom/definitions/policy/LA-Microsoft.EventHub-namespaces/azurepolicy.parameters.json
new file mode 100644
index 00000000..cd26717e
--- /dev/null
+++ b/policy/custom/definitions/policy/LA-Microsoft.EventHub-namespaces/azurepolicy.parameters.json
@@ -0,0 +1,49 @@
+{
+ "profileName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Profile Name for Config",
+ "description": "The profile name Azure Diagnostics"
+ }
+ },
+ "logAnalytics": {
+ "type": "string",
+ "metadata": {
+ "displayName": "logAnalytics",
+ "description": "The target Log Analytics Workspace for Azure Diagnostics",
+ "strongType": "omsWorkspace"
+ }
+ },
+ "azureRegions": {
+ "type": "Array",
+ "metadata": {
+ "displayName": "Allowed Locations",
+ "description": "The list of locations that can be specified when deploying resources",
+ "strongType": "location"
+ }
+ },
+ "metricsEnabled": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Enable Metrics",
+ "description": "Enable Metrics - True or False"
+ },
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "defaultValue": "False"
+ },
+ "logsEnabled": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Enable Logs",
+ "description": "Enable Logs - True or False"
+ },
+ "allowedValues": [
+ "True",
+ "False"
+ ],
+ "defaultValue": "True"
+ }
+}
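Review bot: The `azureRegions` description on the `+ "description": "The list of locations that can be specified when deploying resources"` line is lifted from an allowed-locations policy and misstates what the parameter does here: in the companion rule it narrows which Event Hub namespaces are evaluated at all, so namespaces in any other region are silently skipped rather than reported non-compliant. Suggested wording: `"description": "Only Event Hub namespaces in these locations are evaluated and remediated; namespaces elsewhere are ignored, not flagged"`. Likewise `profileName`'s `"The profile name Azure Diagnostics"` reads as a fragment; `"Name of the diagnostic settings resource the policy creates on each namespace"` says what it is. The `"True"`/`"False"` string booleans and the mixed `"String"`/`"string"` type casing follow the Azure built-in convention and are harmless, but one casing throughout would read more consistently.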
diff --git a/policy/custom/definitions/policy/LA-Microsoft.EventHub-namespaces/azurepolicy.rules.json b/policy/custom/definitions/policy/LA-Microsoft.EventHub-namespaces/azurepolicy.rules.json
new file mode 100644
index 00000000..514200fc
--- /dev/null
+++ b/policy/custom/definitions/policy/LA-Microsoft.EventHub-namespaces/azurepolicy.rules.json
@@ -0,0 +1,154 @@
+{
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.EventHub/namespaces"
+ },
+ {
+ "field": "location",
+ "in": "[parameters('AzureRegions')]"
+ }
+ ]
+ },
+ "then": {
+ "effect": "deployIfNotExists",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
+ "equals": "[parameters('LogsEnabled')]"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
+ "equals": "[parameters('MetricsEnabled')]"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+ "equals": "[parameters('logAnalytics')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "name": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "logAnalytics": {
+ "type": "string"
+ },
+ "metricsEnabled": {
+ "type": "string"
+ },
+ "logsEnabled": {
+ "type": "string"
+ },
+ "profileName": {
+ "type": "string"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.EventHub/namespaces/providers/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[concat(parameters('name'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
+ "location": "[parameters('location')]",
+ "properties": {
+ "workspaceId": "[parameters('logAnalytics')]",
+ "metrics": [
+ {
+ "category": "AllMetrics",
+ "enabled": "[parameters('metricsEnabled')]",
+ "retentionPolicy": {
+ "enabled": false,
+ "days": 0
+ }
+ }
+ ],
+ "logs": [
+ {
+ "category": "ArchiveLogs",
+ "enabled": "[parameters('logsEnabled')]"
+ },
+ {
+ "category": "OperationalLogs",
+ "enabled": "[parameters('logsEnabled')]"
},
+ {
+ "category": "AutoScaleLogs",
+ "enabled": "[parameters('logsEnabled')]"
+ },
+ {
+ "category": "KafkaCoordinatorLogs",
+ "enabled": "[parameters('logsEnabled')]"
+ },
+ {
+ "category": "KafkaUserErrorLogs",
+ "enabled": "[parameters('logsEnabled')]"
+ },
+ {
+ "category": "EventHubVNetConnectionEvent",
+ "enabled": "[parameters('logsEnabled')]"
+ },
+ {
+ "category": "CustomerManagedKeyUserLogs",
+ "enabled": "[parameters('logsEnabled')]"
+ },
+ {
+ "category": "RuntimeAuditLogs",
+ "enabled": "[parameters('logsEnabled')]"
+ },
+ {
+ "category": "ApplicationMetricsLogs",
+ "enabled": "[parameters('logsEnabled')]"
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {
+ "policy": {
+ "type": "string",
+ "value": "[concat(parameters('logAnalytics'), 'configured for diagnostic logs for ', ': ', parameters('name'))]"
+ }
+ }
+ },
+ "parameters": {
+ "logAnalytics": {
+ "value": "[parameters('logAnalytics')]"
+ },
+ "location": {
+ "value": "[field('location')]"
+ },
+ "name": {
+ "value": "[field('name')]"
+ },
+ "metricsEnabled": {
+ "value": "[parameters('metricsEnabled')]"
+ },
+ "logsEnabled": {
+ "value": "[parameters('logsEnabled')]"
+ },
+ "profileName": {
+ "value": "[parameters('profileName')]"
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/policy/custom/definitions/policyset/LogAnalytics.bicep b/policy/custom/definitions/policyset/LogAnalytics.bicep
index 04ed3d94..d0e45764 100644
--- a/policy/custom/definitions/policyset/LogAnalytics.bicep
+++ b/policy/custom/definitions/policyset/LogAnalytics.bicep
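Review bot: The `logs` array hard-codes nine categories, and a diagnostic-settings deployment that names a category the target namespace does not offer fails as a whole — `RuntimeAuditLogs` and `ApplicationMetricsLogs` are, as far as I recall, only exposed on Premium/Dedicated namespaces, so on Basic/Standard namespaces the remediation would error out and no logs would reach the workspace, a quiet detection gap rather than a visible non-compliance finding. Switching the resource to apiVersion `2021-05-01-preview` and the `allLogs` category group lets the platform enable whatever the specific namespace supports (the two excerpts below are non-adjacent; everything between them is unchanged), but please confirm against the current category list before relying on it. Separately, `roleDefinitionIds` gives the remediation identity Log Analytics Contributor, which covers considerably more than `Microsoft.Insights/diagnosticSettings/write`; if the assignment tooling allows it, a custom role limited to that action plus `*/read` would be least privilege. Finally, the references `AzureRegions`/`LogsEnabled`/`MetricsEnabled` differ in casing from the declared parameter names — Policy resolves them case-insensitively, but matching the declarations removes any doubt.
```json
"apiVersion": "2021-05-01-preview",
"logs": [
  {
    "categoryGroup": "allLogs",
    "enabled": "[parameters('logsEnabled')]"
  }
]
```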
@@ -223,18 +223,6 @@ resource policyset_name 'Microsoft.Authorization/policySetDefinitions@2020-03-01
 }
 }
 }
- {
- groupNames: [
- 'BUILTIN'
- ]
- policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/1f6e93e8-6b31-41b1-83f6-36e449a42579'
- policyDefinitionReferenceId: toLower(replace('Deploy Diagnostic Settings for Event Hub to Log Analytics workspace', ' ', '-'))
- parameters: {
- logAnalytics: {
- value: '[parameters(\'logAnalytics\')]'
- }
- }
- }
 {
 groupNames: [
 'BUILTIN'
@@ -1296,6 +1284,27 @@ resource policyset_name 'Microsoft.Authorization/policySetDefinitions@2020-03-01
 }
 }
 }
+ {
+ groupNames: [
+ 'CUSTOM'
+ ]
+ policyDefinitionId: extensionResourceId(customPolicyDefinitionMgScope, 'Microsoft.Authorization/policyDefinitions', 'LA-Microsoft.EventHub-namespaces')
+ policyDefinitionReferenceId: toLower(replace('Deploy Diagnostic Settings for Event Hub to Log Analytics workspace', ' ', '-'))
+ parameters: {
+ logAnalytics: {
+ value: '[parameters(\'logAnalytics\')]'
+ }
+ profileName: {
+ value: 'setbypolicy_logAnalytics'
+ }
+ azureRegions: {
+ value: [
+ 'canadacentral'
+ 'canadaeast'
+ ]
+ }
+ }
+ }
 ]
 }
 }
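Review bot: `azureRegions` is pinned to `'canadacentral'`/`'canadaeast'` inside the set definition, and since the custom rule only matches namespaces whose `location` is in that list, an Event Hub namespace created in any other region is never evaluated — it is neither remediated nor reported non-compliant, so the gap would not surface in compliance reporting. If the deployment is intentionally Canada-only, a comment on the `azureRegions:` line is the minimum: `// Only namespaces in these regions are evaluated; others are silently skipped, not flagged`. Otherwise surface it as a set-level parameter, `azureRegions: { value: '[parameters(\'azureRegions\')]' }`, which needs a matching parameter declaration outside this hunk. Note also that `metricsEnabled` is not passed here, so the definition's default of `'False'` applies and no namespace metrics are shipped — worth confirming that is intended. The enclosing policySetDefinition resource starts and ends outside the hunk.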