This commit is contained in:
Luis Alfonso Chaves 2023-06-28 13:18:24 -06:00 коммит произвёл GitHub
Родитель e80d781a7c
Коммит 55e4880b78
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
7 изменённых файлов: 94 добавлений и 16 удалений


@ -92,7 +92,7 @@ By default, all recommended settings and resources recommendations are enabled a
- Azure Security Center (Standard or Free tier)
- Azure Sentinel
- Diagnostics settings for Activity Logs, VMs, and PaaS resources sent to Log Analytics
- Diagnostics settings for Activity Logs, VMs, Management Groups and PaaS resources sent to Log Analytics
- When deploying [**Adventure Works**](./ALZ-Deploy-reference-implementations#deploy-a-reference-implementation) or [**Contoso**](./ALZ-Deploy-reference-implementations#deploy-a-reference-implementation): An Azure subscription dedicated for**Connectivity**, which deploys core Azure networking resources such as:


@ -56,6 +56,10 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones:
- Updated Portal Accelerator tooltips to provide more relevance and links to associated policies or initiatives.
#### Other
- When the option to deploy Log Analytics workspace and enable monitoring is enabled (Yes) in the Platform management, security, and governance section, Diagnostic Settings for Management Groups are also deployed.
### May 2023
#### Policy


@ -2364,7 +2364,8 @@
]
},
"visible": true
}, {
},
{
"name": "enableSqlThreat",
"type": "Microsoft.Common.OptionsGroup",
"label": "Ensure Azure SQL Threat Detection is enabled",
@ -2631,7 +2632,7 @@
}
]
}
},
},
{
"name": "denyPublicEndpoints",
"type": "Microsoft.Common.OptionsGroup",


@ -390,7 +390,7 @@
"subnetMaskForAzFwMgmt": {
"type": "string",
"defaultValue": ""
},
},
"identitySubscriptionId": {
"type": "string",
"defaultValue": "",
@ -670,7 +670,7 @@
"No"
]
},
"enforceKvGuardrails": {
"enforceKvGuardrails": {
"type": "string",
"defaultValue": "No",
"allowedValues": [
@ -746,6 +746,13 @@
"decommissioned": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-', 'decommissioned')]",
"sandboxes": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-', 'sandboxes')]"
},
"copy": [
{
"name": "mgmtGroupsArray",
"count": "[length(items(variables('mgmtGroups')))]",
"input": "[items(variables('mgmtGroups'))[copyIndex('mgmtGroupsArray')].value]"
}
],
// Declaring scopes that will be used for optional deployments, such as platform components (monitoring, networking, identity), policy assignments, subscription placement etc.
"scopes": {
"eslzRootManagementGroup": "[tenantResourceId('Microsoft.Management/managementGroups/', variables('mgmtGroups').eslzRoot)]",
@ -820,7 +827,8 @@
"classicResourcesPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-ClassicResourceTypesPolicyAssignment.json')]",
"govMdfcPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/gov/fairfaxDINE-MDFCConfigPolicyAssignment.json')]",
"costOptimizationPolicyInitiative": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/AUDIT-UnusedResourcesPolicyAssignment.json')]",
"VMUnmanagedDiskPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-VMUnmanagedDiskPolicyAssignment.json')]"
"VMUnmanagedDiskPolicyAssignment": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/policyAssignments/DENY-VMUnmanagedDiskPolicyAssignment.json')]",
"diagnosticSettingsforManagementGroups": "[uri(deployment().properties.templateLink.uri, 'managementGroupTemplates/diagSettingsMGs/diagSettingsMGs.json')]"
},
// Declaring deterministic deployment names
"deploymentSuffix": "[concat('-', deployment().location, '-', guid(parameters('enterpriseScaleCompanyPrefix'), parameters('currentDateTimeUtcNow')))]",
@ -895,7 +903,8 @@
"denyClassicResourcePolicyDeploymentName": "[take(concat('alz-NoClassicResource', variables('deploymentSuffix')), 64)]",
"costOptimizationDeploymentName": "[take(concat('alz-CostOptimization', variables('deploymentSuffix')), 64)]",
"denyVMUnmanagedDiskPolicyDeploymentName": "[take(concat('alz-NoUnmanagedDiskResource', variables('deploymentSuffix')), 64)]",
"ztnPhase1PidCuaDeploymentName": "[take(concat('pid-', variables('ztnPhase1CuaId'), '-' , uniqueString(deployment().location, parameters('enterpriseScaleCompanyPrefix'), parameters('currentDateTimeUtcNow'), coalesce(parameters('connectivitySubscriptionId'), parameters('singlePlatformSubscriptionId'))), '-ztnp1'), 64)]"
"ztnPhase1PidCuaDeploymentName": "[take(concat('pid-', variables('ztnPhase1CuaId'), '-' , uniqueString(deployment().location, parameters('enterpriseScaleCompanyPrefix'), parameters('currentDateTimeUtcNow'), coalesce(parameters('connectivitySubscriptionId'), parameters('singlePlatformSubscriptionId'))), '-ztnp1'), 64)]",
"diagnosticSettingsforMGsDeploymentName": "[take(concat('alz-DiagSettingsMGs', variables('deploymentSuffix')), 64)]"
},
"esLiteDeploymentNames": {
"mgmtGroupLiteDeploymentName": "[take(concat('alz-MgsLite', variables('deploymentSuffix')), 64)]",
@ -1424,6 +1433,37 @@
}
}
},
{
// Deploying Diagnostic Settings to management groups if Log Analytics was deployed via a loop
"condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), equals(parameters('enableLogAnalytics'), 'Yes'))]",
"type": "Microsoft.Resources/deployments",
"apiVersion": "2020-10-01",
"name": "[take(concat(variables('deploymentNames').diagnosticSettingsforMGsDeploymentName, variables('mgmtGroupsArray')[copyIndex()]), 64)]",
"scope": "[concat('Microsoft.Management/managementGroups/', variables('mgmtGroupsArray')[copyIndex()])]",
"location": "[deployment().location]",
"dependsOn": [
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').mgmtSubscriptionPlacement)]",
"[resourceId('Microsoft.Resources/deployments', variables('esLitedeploymentNames').platformLiteSubscriptionPlacement)]",
"[resourceId('Microsoft.Resources/deployments', variables('deploymentNames').monitoringDeploymentName)]",
"[resourceId('Microsoft.Resources/deployments', variables('esLiteDeploymentNames').monitoringLiteDeploymentName)]"
],
"copy": {
"name": "mgDiagSettings",
"count": "[length(variables('mgmtGroupsArray'))]"
},
"properties": {
"mode": "Incremental",
"templateLink": {
"contentVersion": "1.0.0.0",
"uri": "[variables('deploymentUris').diagnosticSettingsforManagementGroups]"
},
"parameters": {
"logAnalyticsResourceId": {
"value": "[variables('platformResourceIds').logAnalyticsResourceId]"
}
}
}
},
{
// Assigning Microsoft Cloud Security Benchmark policy to intermediate root management group if condition is true
"condition": "[and(or(not(empty(parameters('singlePlatformSubscriptionId'))), not(empty(parameters('managementSubscriptionId')))), or(equals(parameters('enableLogAnalytics'), 'Yes'), equals(parameters('enableAsc'), 'Yes')))]",
@ -1655,7 +1695,7 @@
},
"enforcementMode": {
"value": "[if(equals(parameters('enableAscForSql'), 'DeployIfNotExists'), 'Default', 'DoNotEnforce')]"
}
}
}
}
},
@ -1682,7 +1722,7 @@
},
"enforcementMode": {
"value": "[if(equals(parameters('enableMDEndpoints'), 'DeployIfNotExists'), 'Default', 'DoNotEnforce')]"
}
}
}
}
},
@ -1940,7 +1980,7 @@
},
"subnetMaskForAzFwMgmt": {
"value": "[parameters('subnetMaskForAzFwMgmt')]"
},
},
"subnetMaskForGw": {
"value": "[parameters('subnetMaskForGw')]"
},
@ -2203,7 +2243,6 @@
"dnsZones",
"dnsZonesLite",
"policyCompletion"
],
"properties": {
"mode": "Incremental",
@ -3848,7 +3887,7 @@
},
"subnetMaskForAzFwMgmt": {
"value": "[parameters('subnetMaskForAzFwMgmt')]"
},
},
"subnetMaskForGw": {
"value": "[parameters('subnetMaskForGw')]"
},
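Review bot: In the hunk at `@ -1424,6 +1433,37 @@`, the per-management-group deployment name built on the `name` line, `take(concat(variables('deploymentNames').diagnosticSettingsforMGsDeploymentName, variables('mgmtGroupsArray')[copyIndex()]), 64)`, starts from a component that is itself already `take(…, 64)` of the 19-character `'alz-DiagSettingsMGs'` plus `deploymentSuffix` (`-<location>-<guid>`, 38 characters plus the location name), so the base string alone is 63–64 characters and the management-group name is cut down to at most one or two characters. Every iteration of the `mgDiagSettings` copy loop therefore gets an essentially identical name; because each nested deployment is scoped to a different management group this may still deploy, but the name no longer says which group it targets and the deployment history becomes hard to audit — consider placing the group name before the suffix, e.g. `take(concat('alz-DiagSettingsMGs-', variables('mgmtGroupsArray')[copyIndex()], variables('deploymentSuffix')), 64)`, accepting that a long prefix then truncates the guid instead. Separately, the `dependsOn` entry `variables('esLitedeploymentNames').platformLiteSubscriptionPlacement` (lowercase `d`) does not match `esLiteDeploymentNames` as spelled two lines below and at the variable's definition; ARM resolves variable names case-insensitively as far as I know, but the spelling should be aligned so a future case-sensitive tool does not flag it as an undefined variable.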


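--- /dev/null
+++ b/PATH-NOT-SHOWN
@@ -0,0 +1,34 @@
+{
+"$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+"contentVersion": "1.0.0.0",
+"parameters": {
+"logAnalyticsResourceId": {
+"type": "string",
+"metadata": {
+"description": "Provide the resourceId to the central Log Analytics workspace."
+}
+}
+},
+"variables": {
+},
+"resources": [
+{
+"type": "Microsoft.Insights/diagnosticSettings",
+"apiVersion": "2021-05-01-preview",
+"name": "toLa",
+"properties": {
+"workspaceId": "[parameters('logAnalyticsResourceId')]",
+"logs": [
+{
+"category": "Administrative",
+"enabled": true
+},
+{
+"category": "Policy",
+"enabled": true
+}
+]
+}
+}
+]
+}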
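Review bot: The diagnostic setting's `name` is the fixed literal `toLa` and the template offers no way to override it, which is the only hunk of this new file. To my knowledge Azure rejects a second diagnostic setting on the same resource that sends a category to a workspace another setting already uses, so a tenant that already forwards management-group activity to this workspace under a different name would see the deployment fail for each affected group, while one that happens to use the same name would have its existing setting overwritten by the Incremental deployment without any signal; I have not verified either behaviour against this exact API version. Consider `"diagnosticSettingName": { "type": "string", "defaultValue": "toLa" }` under `parameters` and `"name": "[parameters('diagnosticSettingName')]"` on the resource so operators can align with an existing setting. The template would also benefit from a `metadata.description` on the `logAnalyticsResourceId` parameter's sibling resource, or a top-level `metadata` note, stating that the setting forwards the Administrative and Policy activity-log categories of the management group the template is deployed to — that coverage is the security reason this resource exists and is not stated anywhere in the file.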


@ -4,8 +4,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.17.1.54307",
"templateHash": "13762017431849386924"
"version": "0.18.4.5664",
"templateHash": "7779651487214483570"
}
},
"parameters": {


@ -4,8 +4,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.17.1.54307",
"templateHash": "15335867400465104001"
"version": "0.18.4.5664",
"templateHash": "3061641957963194598"
}
},
"variables": {