Added policy "Deploy Diagnostic Settings for Log Analytics to Log Analytics workspace" (#1129)

* Added Deploy-Diagnostics-LogAnalytics Signed-off-by: Jan Egil Ring <janegilring@microsoft.com> * Auto-update Portal experience [janegilring/d0fde789] * Added Deploy-Diagnostics-LogAnalytics.json to loadPolicyDefinitions array Signed-off-by: Jan Egil Ring <janegilring@microsoft.com> * Auto-update Portal experience [janegilring/b6899fbe] * Auto-update Portal experience [janegilring/b6899fbe] * Update Whats-new.md Signed-off-by: Jan Egil Ring <janegilring@microsoft.com> Co-authored-by: Jan Egil Ring <janegilring@microsoft.com> Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com>
2022-11-21 19:11:53 +01:00 · 2022-11-21 19:11:53 +01:00 · 77fd165ec3
--- a/docs/wiki/Whats-new.md
+++ b/docs/wiki/Whats-new.md
@ -60,6 +60,7 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones:

 ### Policy

+- "**Deploy Diagnostic Settings for Log Analytics to Log Analytics workspace**" definition added and also added to `Deploy-Diagnostics-LogAnalytics` initiative 
 - "**Deploy Diagnostic Settings for Databricks to Log Analytics workspace**" definition update
  - Version 1.1.0 -> 1.2.0
  - Added missing log categories
--- a/eslzArm/managementGroupTemplates/policyDefinitions/policies.json
+++ b/eslzArm/managementGroupTemplates/policyDefinitions/policies.json
--- a/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogAnalytics.json
+++ b/src/resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogAnalytics.json
@ -0,0 +1,189 @@
+{
+  "name": "Deploy-Diagnostics-LogAnalytics",
+  "type": "Microsoft.Authorization/policyDefinitions",
+  "apiVersion": "2021-06-01",
+  "scope": null,
+  "properties": {
+    "policyType": "Custom",
+    "mode": "Indexed",
+    "displayName": "Deploy Diagnostic Settings for Log Analytics to Log Analytics workspace",
+    "description": "Deploys the diagnostic settings for Log Analytics workspaces to stream to a Log Analytics workspace when any Log Analytics workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled",
+    "metadata": {
+      "version": "1.1.0",
+      "category": "Monitoring",
+      "source": "https://github.com/Azure/Enterprise-Scale/",
+      "alzCloudEnvironments": [
+        "AzureCloud",
+        "AzureChinaCloud",
+        "AzureUSGovernment"
+      ]
+    },
+    "parameters": {
+      "logAnalytics": {
+        "type": "String",
+        "metadata": {
+          "displayName": "Log Analytics workspace",
+          "description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
+          "strongType": "omsWorkspace"
+        }
+      },
+      "effect": {
+        "type": "String",
+        "defaultValue": "DeployIfNotExists",
+        "allowedValues": [
+          "DeployIfNotExists",
+          "Disabled"
+        ],
+        "metadata": {
+          "displayName": "Effect",
+          "description": "Enable or disable the execution of the policy"
+        }
+      },
+      "profileName": {
+        "type": "String",
+        "defaultValue": "setbypolicy",
+        "metadata": {
+          "displayName": "Profile name",
+          "description": "The diagnostic settings profile name"
+        }
+      },
+      "metricsEnabled": {
+        "type": "String",
+        "defaultValue": "True",
+        "allowedValues": [
+          "True",
+          "False"
+        ],
+        "metadata": {
+          "displayName": "Enable metrics",
+          "description": "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+        }
+      },
+      "logsEnabled": {
+        "type": "String",
+        "defaultValue": "True",
+        "allowedValues": [
+          "True",
+          "False"
+        ],
+        "metadata": {
+          "displayName": "Enable logs",
+          "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
+        }
+      }
+    },
+    "policyRule": {
+      "if": {
+        "field": "type",
+        "equals": "microsoft.operationalinsights/workspaces"
+      },
+      "then": {
+        "effect": "[[parameters('effect')]",
+        "details": {
+          "type": "Microsoft.Insights/diagnosticSettings",
+          "name": "[[parameters('profileName')]",
+          "existenceCondition": {
+            "allOf": [
+              {
+                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
+                "equals": "true"
+              },
+              {
+                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
+                "equals": "true"
+              },
+              {
+                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+                "equals": "[[parameters('logAnalytics')]"
+              }
+            ]
+          },
+          "roleDefinitionIds": [
+            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
+          ],
+          "deployment": {
+            "properties": {
+              "mode": "Incremental",
+              "template": {
+                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+                "contentVersion": "1.0.0.0",
+                "parameters": {
+                  "resourceName": {
+                    "type": "String"
+                  },
+                  "logAnalytics": {
+                    "type": "String"
+                  },
+                  "location": {
+                    "type": "String"
+                  },
+                  "profileName": {
+                    "type": "String"
+                  },
+                  "metricsEnabled": {
+                    "type": "String"
+                  },
+                  "logsEnabled": {
+                    "type": "String"
+                  }
+                },
+                "variables": {},
+                "resources": [
+                  {
+                    "type": "microsoft.operationalinsights/workspaces/providers/diagnosticSettings",
+                    "apiVersion": "2017-05-01-preview",
+                    "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
+                    "location": "[[parameters('location')]",
+                    "dependsOn": [],
+                    "properties": {
+                      "workspaceId": "[[parameters('logAnalytics')]",
+                      "metrics": [
+                        {
+                          "category": "AllMetrics",
+                          "enabled": "[[parameters('metricsEnabled')]",
+                          "retentionPolicy": {
+                            "days": 0,
+                            "enabled": false
+                          },
+                          "timeGrain": null
+                        }
+                      ],
+                      "logs": [
+                        {
+                          "category": "Audit",
+                          "enabled": "[[parameters('logsEnabled')]"
+                        }
+                      ]
+                    }
+                  }
+                ],
+                "outputs": {}
+              },
+              "parameters": {
+                "logAnalytics": {
+                  "value": "[[parameters('logAnalytics')]"
+                },
+                "location": {
+                  "value": "[[field('location')]"
+                },
+                "resourceName": {
+                  "value": "[[field('name')]"
+                },
+                "profileName": {
+                  "value": "[[parameters('profileName')]"
+                },
+                "metricsEnabled": {
+                  "value": "[[parameters('metricsEnabled')]"
+                },
+                "logsEnabled": {
+                  "value": "[[parameters('logsEnabled')]"
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  }
+}
--- a/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics.json
+++ b/src/resources/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics.json
@ -394,6 +394,18 @@
          "description": "Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
        }
      },
+      "LogAnalyticsLogAnalyticsEffect": {
+        "type": "String",
+        "defaultValue": "DeployIfNotExists",
+        "allowedValues": [
+          "DeployIfNotExists",
+          "Disabled"
+        ],
+        "metadata": {
+          "displayName": "Deploy Diagnostic Settings for Log Analytics to Log Analytics workspace",
+          "description": "Deploys the diagnostic settings for Log Analytics to stream to a Log Analytics workspace when any Log Analytics workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category Audit enabled"
+        }
+      },
      "LogicAppsISELogAnalyticsEffect": {
        "type": "String",
        "defaultValue": "DeployIfNotExists",
@ -1349,6 +1361,22 @@
        },
        "groupNames": []
      },
+      {
+        "policyDefinitionReferenceId": "LogAnalyticsDeployDiagnosticLogDeployLogAnalytics",
+        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogAnalytics",
+        "parameters": {
+          "logAnalytics": {
+            "value": "[[parameters('logAnalytics')]"
+          },
+          "effect": {
+            "value": "[[parameters('LogAnalyticsLogAnalyticsEffect')]"
+          },
+          "profileName": {
+            "value": "[[parameters('profileName')]"
+          }
+        },
+        "groupNames": []
+      },
      {
        "policyDefinitionReferenceId": "LogicAppsISEDeployDiagnosticLogDeployLogAnalytics",
        "policyDefinitionId": "/providers/Microsoft.Management/managementGroups/contoso/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE",
--- a/src/templates/policies.bicep
+++ b/src/templates/policies.bicep
@ -120,6 +120,7 @@ var loadPolicyDefinitions = {
    loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight.json')
    loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub.json')
    loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer.json')
+    loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogAnalytics.json')
    loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE.json')
    loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB.json')
    loadTextContent('../resources/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService.json')