Ifthikhar B Ahamed

Reputation: 1

Azure Policy to Create/update diagnostic setting

I am new to Azure Policy and I am trying to implement an Azure policy to enforce the creation of diagnostic settings on Azure resources.

My goal is to achieve the following:

  - Create diagnostic settings on a resource every time a new resource is created. -- works
  - Recreate/modify if the diagnostic setting/destination is manually changed or deleted. -- Not working
  - Recreate/modify the diagnostic settings at scale when the assignment is recreated with a different configuration. -- Not working

This is the policy I am using:

    "existenceCondition": {
        "anyOf": [
            {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                "equals": "[parameters('logsEnabled')]"
            },
            {
                "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId",
                "equals": "[parameters('eventHubAuthorizationRuleId')]"
            },
            {
                "field": "Microsoft.Insights/diagnosticSettings/eventHubName",
                "equals": "[parameters('eventHubName')]"
            },
            {
                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                "equals": "[parameters('workspaceId')]"
            }
        ]
    }


Upvotes: 0

Views: 2096

Answers (1)

Venkat V

Reputation: 7820

The Azure policy will enable diagnostic settings on newly created resources and will also modify the diagnostic settings if they have been updated or deleted manually.

    {
      "mode": "All",
      "policyRule": {
        "if": {
          "field": "type",
          "like": "*"
        },
        "then": {
          "effect": "deployIfNotExists",
          "details": {
            "type": "Microsoft.Insights/diagnosticSettings",
            "name": "ensurediagnosticsettings",
            "roleDefinitionIds": [
              "/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
              "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
            ],
            "existenceCondition": {
              "allOf": [
                {
                  "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
                  "notEquals": "false"
                },
                {
                  "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                  "equals": "[parameters('workspaceId')]"
                }
              ]
            },
            "deployment": {
              "properties": {
                "mode": "incremental",
                "template": {
                  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                  "contentVersion": "1.0.0.0",
                  "parameters": {
                    "resourceId": { "type": "string" },
                    "workspaceId": { "type": "string" }
                  },
                  "resources": [
                    {
                      "type": "Microsoft.Insights/diagnosticSettings",
                      "apiVersion": "2021-05-01-preview",
                      "name": "ensurediagnosticsettings",
                      "scope": "[parameters('resourceId')]",
                      "properties": {
                        "workspaceId": "[parameters('workspaceId')]",
                        "logs": [
                          {
                            "categoryGroup": "allLogs",
                            "enabled": true
                          }
                        ],
                        "metrics": [
                          {
                            "category": "AllMetrics",
                            "enabled": true
                          }
                        ]
                      }
                    }
                  ]
                },
                "parameters": {
                  "resourceId": { "value": "[field('id')]" },
                  "workspaceId": { "value": "[parameters('workspaceId')]" }
                }
              }
            }
          }
        }
      },
      "parameters": {
        "workspaceId": {
          "type": "String",
          "metadata": {
            "displayName": "Workspace ID",
            "description": "The resource ID of the Log Analytics workspace that the diagnostic settings must send to."
          }
        }
      }
    }

Policy Assignment: (screenshot in the original answer, not reproduced here)

The policy will make sure that all resources in the active subscription have their diagnostic settings enabled after it has been assigned to the scope.

Upvotes: 0
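As an added illustration, not code from the question or the answer: a small Python model of how a deployIfNotExists existenceCondition decides whether a resource already has an acceptable diagnostic setting. It runs the question's anyOf condition and the answer's allOf condition (reduced to the logs and workspace checks a workspace-only deployment can satisfy) over constructed setting snapshots. The alias lookup, the "true"/"false" handling of logs.enabled, the treatment of an absent field as matching nothing, and the workspace IDs are assumptions made for this example, not Azure's exact evaluation rules.

```python
"""Toy evaluator for the Azure Policy existenceCondition shapes discussed in
this thread. Added example, not code from the question or the answer; the alias
mapping and the missing-field handling are simplifying assumptions."""

from typing import Any, Optional

# Constructed sample values; the workspace IDs are placeholders, not real resources.
EXPECTED_WORKSPACE = ("/subscriptions/<sub-id>/resourceGroups/rg-logs/providers/"
                      "Microsoft.OperationalInsights/workspaces/law-central")
OTHER_WORKSPACE = ("/subscriptions/<sub-id>/resourceGroups/rg-other/providers/"
                   "Microsoft.OperationalInsights/workspaces/law-elsewhere")

# Assignment parameters as the question's definition expects them (Event Hub ones left empty).
PARAMS = {
    "logsEnabled": "true",
    "eventHubAuthorizationRuleId": "",
    "eventHubName": "",
    "workspaceId": EXPECTED_WORKSPACE,
}

# The question's condition: satisfied as soon as ANY one property matches.
QUESTION_CONDITION = {"anyOf": [
    {"field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
     "equals": "[parameters('logsEnabled')]"},
    {"field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId",
     "equals": "[parameters('eventHubAuthorizationRuleId')]"},
    {"field": "Microsoft.Insights/diagnosticSettings/eventHubName",
     "equals": "[parameters('eventHubName')]"},
    {"field": "Microsoft.Insights/diagnosticSettings/workspaceId",
     "equals": "[parameters('workspaceId')]"},
]}

# The answer's shape, reduced to the two checks a workspace-only deployment can satisfy.
ANSWER_CONDITION = {"allOf": [
    {"field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
     "notEquals": "false"},
    {"field": "Microsoft.Insights/diagnosticSettings/workspaceId",
     "equals": "[parameters('workspaceId')]"},
]}


def resolve(value: Any, params: dict) -> Any:
    """Resolve the "[parameters('x')]" syntax; anything else is a literal."""
    if isinstance(value, str) and value.startswith("[parameters('") and value.endswith("')]"):
        return params[value[len("[parameters('"):-len("')]")]]
    return value


def get_field(setting: dict, alias: str) -> Optional[str]:
    """Map a Microsoft.Insights/diagnosticSettings/* alias to a value in a setting snapshot.
    Assumption: logs.enabled is "true" only when every log entry is enabled; a property
    that is absent from the setting yields None."""
    prop = alias.rsplit("/", 1)[-1]
    if prop == "logs.enabled":
        logs = setting.get("logs")
        if not logs:
            return None
        return "true" if all(entry.get("enabled") for entry in logs) else "false"
    value = setting.get(prop)
    return None if value is None else str(value)


def evaluate(cond: dict, setting: dict, params: dict) -> bool:
    """Evaluate allOf / anyOf / equals / notEquals as the thread's conditions use them.
    String comparison is case-insensitive, as in Azure Policy; an absent field never
    satisfies equals (assumption) but does satisfy notEquals."""
    if "allOf" in cond:
        return all(evaluate(c, setting, params) for c in cond["allOf"])
    if "anyOf" in cond:
        return any(evaluate(c, setting, params) for c in cond["anyOf"])
    actual = get_field(setting, cond["field"])
    actual = None if actual is None else actual.lower()
    if "equals" in cond:
        return actual is not None and actual == str(resolve(cond["equals"], params)).lower()
    if "notEquals" in cond:
        return actual != str(resolve(cond["notEquals"], params)).lower()
    raise ValueError(f"unsupported condition: {cond}")


def needs_remediation(existence_condition: dict, settings: list, params: dict) -> bool:
    """deployIfNotExists deploys when no existing related resource satisfies the condition."""
    return not any(evaluate(existence_condition, s, params) for s in settings)


# Constructed snapshots of what a resource's diagnostic settings might look like.
COMPLIANT = {"logs": [{"category": "AuditEvent", "enabled": True}], "workspaceId": EXPECTED_WORKSPACE}
DESTINATION_CHANGED = {"logs": [{"category": "AuditEvent", "enabled": True}], "workspaceId": OTHER_WORKSPACE}
LOGS_DISABLED = {"logs": [{"category": "AuditEvent", "enabled": False}], "workspaceId": EXPECTED_WORKSPACE}
DELETED: list = []

if __name__ == "__main__":
    scenarios = [("compliant", [COMPLIANT]), ("destination changed", [DESTINATION_CHANGED]),
                 ("logs disabled", [LOGS_DISABLED]), ("setting deleted", DELETED)]
    for label, settings in scenarios:
        print(f"{label:20} anyOf redeploys: {needs_remediation(QUESTION_CONDITION, settings, PARAMS)!s:5} "
              f"allOf redeploys: {needs_remediation(ANSWER_CONDITION, settings, PARAMS)}")
```

The model makes the failure mode in the question's second bullet visible: once logs are enabled on the existing setting, the anyOf condition is already satisfied, so a destination that was manually pointed at a different workspace still counts as "existing" and deployIfNotExists never redeploys. With allOf, every listed property must match, so a changed destination or disabled logs makes the setting non-compliant and the deployment runs again. For the third bullet, note that a deployIfNotExists effect is evaluated on resource create or update and during a remediation task; resources that already exist when an assignment is recreated are only brought into line by creating a remediation task for that assignment, and the assignment's managed identity needs the roles listed in roleDefinitionIds for that task to succeed.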
