Add KV logs and re-adjust log analytics workspace retention/remove locks (#941)

* added key vault logging

* update array for diagnostic settings keyvault

* recompile bicep

* added storageaccount for kv

* recompile arm bicep template

* GitHub Action: Build Bicep to JSON

* remove lock on log analytics workspace to fall inline with guidance

* added conditional logic to change workspace retention based on sentinel deployment

* revised retention variable logic

* compiled bicep

* GitHub Action: Build Bicep to JSON

---------

Co-authored-by: github-actions <github-actions@github.com>
Co-authored-by: Jason Masten <jamasten@microsoft.com>
Jay Haddad 2024-03-27 22:52:07 -04:00 коммит произвёл GitHub
Родитель de673486e3
Коммит 3c1851ab17
7 изменённых файлов: 187 добавлений и 48 удалений


@ -227,6 +227,20 @@ param identityNetworkSecurityGroupDiagnosticsLogs array = [
@description('An array of Network Security Group Metrics to apply to enable for the Identity Virtual Network. See https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=CMD#metrics for valid settings.')
param identityNetworkSecurityGroupDiagnosticsMetrics array = []
// KEY VAULT PARAMETERS
@description('An array of Key Vault Diagnostic Logs categories to collect. See "https://learn.microsoft.com/en-us/azure/key-vault/general/logging?tabs=Vault" for valid values.')
param KeyVaultDiagnosticsLogs array = [
{
category: 'AuditEvent'
enabled: true
}
{
category: 'AzurePolicyEvaluationDetails'
enabled: true
}
]
// OPERATIONS PARAMETERS
@description('An array of Network Diagnostic Logs to enable for the Operations Virtual Network. See https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=CMD#logs for valid settings.')
@ -287,8 +301,11 @@ param deploySentinel bool = false
@description('The daily quota for Log Analytics Workspace logs in Gigabytes. It defaults to "-1" for no quota.')
param logAnalyticsWorkspaceCappingDailyQuotaGb int = -1
@description('The number of days to retain Log Analytics Workspace logs. It defaults to "30".')
param logAnalyticsWorkspaceRetentionInDays int = 30
@description('The number of days to retain Log Analytics Workspace logs without Sentinel. It defaults to "30".')
param logAnalyticsWorkspaceNoSentinelRetentionInDays int = 30
@description('The number of days to retain logs in Sentinel-linked Workspace. It defaults to "90".')
param logAnalyticsSentinelWorkspaceRetentionInDays int = 90
@allowed([
'Free'
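Review bot: Replacing `param logAnalyticsWorkspaceRetentionInDays` with `logAnalyticsWorkspaceNoSentinelRetentionInDays` and `logAnalyticsSentinelWorkspaceRetentionInDays` is a breaking change for existing parameter files, which will now be rejected for passing an unknown parameter name; either keep the old parameter as a deprecated alias feeding the new variable or call the rename out prominently for consumers. Neither new parameter carries a `@minValue`/`@maxValue` decorator, so an out-of-range retention is only caught at deployment time; `@minValue(30)` on both would surface it at build time, assuming the `'Free'` SKU's fixed shorter retention is not a supported path here. The new identifiers also drift in casing and spelling: `KeyVaultDiagnosticsLogs` (and `KeyVaultName` in the `diagnostics` module call in the next hunk, the `customerManagedKeys` output and the `diagnostics.bicep` parameter) is PascalCase while every sibling parameter is camelCase, and the module-side name is `keyVaultDiagnosticLogs` without the `s` in `Diagnostics`; aligning on `keyVaultName`/`keyVaultDiagnosticsLogs` throughout would avoid the mismatch.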
@ -461,6 +478,8 @@ var defaultTags = {
var firewallClientPrivateIpAddress = firewallClientUsableIpAddresses[3]
var firewallClientUsableIpAddresses = [for i in range(0, 4): cidrHost(firewallClientSubnetAddressPrefix, i)]
var logAnalyticsWorkspaceRetentionInDays = deploySentinel ? logAnalyticsSentinelWorkspaceRetentionInDays : logAnalyticsWorkspaceNoSentinelRetentionInDays
// NAMING CONVENTION
module namingConvention 'modules/naming-convention.bicep' = {
@ -669,6 +688,8 @@ module diagnostics 'modules/diagnostics.bicep' = {
deploymentNameSuffix: deploymentNameSuffix
firewallDiagnosticsLogs: firewallDiagnosticsLogs
firewallDiagnosticsMetrics: firewallDiagnosticsMetrics
KeyVaultName: customerManagedKeys.outputs.KeyVaultName
keyVaultDiagnosticLogs: KeyVaultDiagnosticsLogs
logAnalyticsWorkspaceResourceId: monitoring.outputs.logAnalyticsWorkspaceResourceId
networks: logic.outputs.networks
networkSecurityGroupDiagnosticsLogs: hubNetworkSecurityGroupDiagnosticsLogs


@ -5,7 +5,7 @@
"_generator": {
"name": "bicep",
"version": "0.26.54.24096",
"templateHash": "459691962602818850"
"templateHash": "11246240944076095145"
}
},
"parameters": {
@ -395,6 +395,22 @@
"description": "An array of Network Security Group Metrics to apply to enable for the Identity Virtual Network. See https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=CMD#metrics for valid settings."
}
},
"KeyVaultDiagnosticsLogs": {
"type": "array",
"defaultValue": [
{
"category": "AuditEvent",
"enabled": true
},
{
"category": "AzurePolicyEvaluationDetails",
"enabled": true
}
],
"metadata": {
"description": "An array of Key Vault Diagnostic Logs categories to collect. See \"https://learn.microsoft.com/en-us/azure/key-vault/general/logging?tabs=Vault\" for valid values."
}
},
"operationsVirtualNetworkDiagnosticsLogs": {
"type": "array",
"defaultValue": [],
@ -497,11 +513,18 @@
"description": "The daily quota for Log Analytics Workspace logs in Gigabytes. It defaults to \"-1\" for no quota."
}
},
"logAnalyticsWorkspaceRetentionInDays": {
"logAnalyticsWorkspaceNoSentinelRetentionInDays": {
"type": "int",
"defaultValue": 30,
"metadata": {
"description": "The number of days to retain Log Analytics Workspace logs. It defaults to \"30\"."
"description": "The number of days to retain Log Analytics Workspace logs without Sentinel. It defaults to \"30\"."
}
},
"logAnalyticsSentinelWorkspaceRetentionInDays": {
"type": "int",
"defaultValue": 90,
"metadata": {
"description": "The number of days to retain logs in Sentinel-linked Workspace. It defaults to \"90\"."
}
},
"logAnalyticsWorkspaceSkuName": {
@ -798,7 +821,8 @@
"environmentAbbreviation": "[parameters('environmentAbbreviation')]",
"DeploymentType": "MissionLandingZoneARM"
},
"firewallClientPrivateIpAddress": "[variables('firewallClientUsableIpAddresses')[3]]"
"firewallClientPrivateIpAddress": "[variables('firewallClientUsableIpAddresses')[3]]",
"logAnalyticsWorkspaceRetentionInDays": "[if(parameters('deploySentinel'), parameters('logAnalyticsSentinelWorkspaceRetentionInDays'), parameters('logAnalyticsWorkspaceNoSentinelRetentionInDays'))]"
},
"resources": [
{
@ -4584,7 +4608,7 @@
"_generator": {
"name": "bicep",
"version": "0.26.54.24096",
"templateHash": "528320706664403182"
"templateHash": "3912836360709277206"
}
},
"parameters": {
@ -4649,7 +4673,7 @@
"_generator": {
"name": "bicep",
"version": "0.26.54.24096",
"templateHash": "12445413457654566620"
"templateHash": "17697959832977472677"
}
},
"parameters": {
@ -4839,6 +4863,10 @@
"type": "string",
"value": "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]"
},
"keyVaultName": {
"type": "string",
"value": "[parameters('keyVaultName')]"
},
"keyVaultUri": {
"type": "string",
"value": "[reference(resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName')), '2022-07-01').vaultUri]"
@ -5165,10 +5193,18 @@
"type": "string",
"value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('networkProperties').subscriptionId, parameters('networkProperties').resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-disk-encryption-set_{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.resourceId.value]"
},
"KeyVaultName": {
"type": "string",
"value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('networkProperties').subscriptionId, parameters('networkProperties').resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-key-vault-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.keyVaultName.value]"
},
"keyVaultUri": {
"type": "string",
"value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('networkProperties').subscriptionId, parameters('networkProperties').resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-key-vault-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.keyVaultUri.value]"
},
"keyVaultResourceId": {
"type": "string",
"value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('networkProperties').subscriptionId, parameters('networkProperties').resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-key-vault-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.keyVaultResourceId.value]"
},
"storageKeyName": {
"type": "string",
"value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('networkProperties').subscriptionId, parameters('networkProperties').resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-key-vault-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.storageKeyName.value]"
@ -5209,7 +5245,7 @@
"value": "[parameters('logAnalyticsWorkspaceCappingDailyQuotaGb')]"
},
"logAnalyticsWorkspaceRetentionInDays": {
"value": "[parameters('logAnalyticsWorkspaceRetentionInDays')]"
"value": "[variables('logAnalyticsWorkspaceRetentionInDays')]"
},
"logAnalyticsWorkspaceSkuName": {
"value": "[parameters('logAnalyticsWorkspaceSkuName')]"
@ -5234,7 +5270,7 @@
"_generator": {
"name": "bicep",
"version": "0.26.54.24096",
"templateHash": "21837642899684151"
"templateHash": "12328361973188250046"
}
},
"parameters": {
@ -5311,7 +5347,7 @@
"_generator": {
"name": "bicep",
"version": "0.26.54.24096",
"templateHash": "6676783541910058533"
"templateHash": "653212175555805634"
}
},
"parameters": {
@ -5342,13 +5378,6 @@
"metadata": {
"description": "Whether or not to deploy Sentinel solution to workspace."
}
},
"enableDeleteLock": {
"type": "bool",
"defaultValue": false,
"metadata": {
"description": "Enable lock to prevent accidental deletion"
}
}
},
"variables": {
@ -5402,8 +5431,7 @@
"product": "OMSGallery/KeyVaultAnalytics",
"promotionCode": ""
}
],
"lockName": "[format('{0}-lock', parameters('name'))]"
]
},
"resources": [
{
@ -5447,19 +5475,6 @@
"dependsOn": [
"[resourceId('Microsoft.OperationalInsights/workspaces', parameters('name'))]"
]
},
{
"condition": "[parameters('enableDeleteLock')]",
"type": "Microsoft.Authorization/locks",
"apiVersion": "2016-09-01",
"scope": "[format('Microsoft.OperationalInsights/workspaces/{0}', parameters('name'))]",
"name": "[variables('lockName')]",
"properties": {
"level": "CanNotDelete"
},
"dependsOn": [
"[resourceId('Microsoft.OperationalInsights/workspaces', parameters('name'))]"
]
}
],
"outputs": {
@ -7276,6 +7291,12 @@
"firewallDiagnosticsMetrics": {
"value": "[parameters('firewallDiagnosticsMetrics')]"
},
"KeyVaultName": {
"value": "[reference(subscriptionResourceId('Microsoft.Resources/deployments', format('deploy-cmk-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.KeyVaultName.value]"
},
"keyVaultDiagnosticLogs": {
"value": "[parameters('KeyVaultDiagnosticsLogs')]"
},
"logAnalyticsWorkspaceResourceId": {
"value": "[reference(subscriptionResourceId('Microsoft.Resources/deployments', format('deploy-monitoring-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.logAnalyticsWorkspaceResourceId.value]"
},
@ -7314,7 +7335,7 @@
"_generator": {
"name": "bicep",
"version": "0.26.54.24096",
"templateHash": "11489480336272395502"
"templateHash": "49100111797787087"
}
},
"parameters": {
@ -7327,6 +7348,12 @@
"firewallDiagnosticsMetrics": {
"type": "array"
},
"KeyVaultName": {
"type": "string"
},
"keyVaultDiagnosticLogs": {
"type": "array"
},
"logAnalyticsWorkspaceResourceId": {
"type": "string"
},
@ -7835,11 +7862,77 @@
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2022-09-01",
"name": "[format('deploy-kv-diags-{0}', parameters('deploymentNameSuffix'))]",
"subscriptionId": "[variables('hubSubscriptionId')]",
"resourceGroup": "[variables('hubResourceGroupName')]",
"properties": {
"expressionEvaluationOptions": {
"scope": "inner"
},
"mode": "Incremental",
"parameters": {
"logAnalyticsWorkspaceResourceId": {
"value": "[parameters('logAnalyticsWorkspaceResourceId')]"
},
"logs": {
"value": "[parameters('keyVaultDiagnosticLogs')]"
},
"keyVaultstorageAccountId": {
"value": "[parameters('storageAccountResourceIds')[0]]"
},
"name": {
"value": "[parameters('KeyVaultName')]"
}
},
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.26.54.24096",
"templateHash": "9848944155815832346"
}
},
"parameters": {
"logAnalyticsWorkspaceResourceId": {
"type": "string"
},
"logs": {
"type": "array"
},
"name": {
"type": "string"
},
"keyVaultstorageAccountId": {
"type": "string"
}
},
"resources": [
{
"type": "Microsoft.Insights/diagnosticSettings",
"apiVersion": "2017-05-01-preview",
"scope": "[format('Microsoft.KeyVault/vaults/{0}', parameters('name'))]",
"name": "[format('{0}-diagnostics', parameters('name'))]",
"properties": {
"storageAccountId": "[parameters('keyVaultstorageAccountId')]",
"workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]",
"logs": "[parameters('logs')]"
}
}
]
}
}
}
]
}
},
"dependsOn": [
"[subscriptionResourceId('Microsoft.Resources/deployments', format('deploy-cmk-hub-{0}', parameters('deploymentNameSuffix')))]",
"[subscriptionResourceId('Microsoft.Resources/deployments', format('get-logic-{0}', parameters('deploymentNameSuffix')))]",
"[subscriptionResourceId('Microsoft.Resources/deployments', format('deploy-monitoring-{0}', parameters('deploymentNameSuffix')))]",
"[subscriptionResourceId('Microsoft.Resources/deployments', format('deploy-networking-{0}', parameters('deploymentNameSuffix')))]",


@ -49,6 +49,8 @@ module userAssignedIdentity 'user-assigned-identity.bicep' = {
}
output diskEncryptionSetResourceId string = diskEncryptionSet.outputs.resourceId
output KeyVaultName string = keyVault.outputs.keyVaultName
output keyVaultUri string = keyVault.outputs.keyVaultUri
output keyVaultResourceId string = keyVault.outputs.keyVaultResourceId
output storageKeyName string = keyVault.outputs.storageKeyName
output userAssignedIdentityResourceId string = userAssignedIdentity.outputs.resourceId


@ -3,6 +3,8 @@ targetScope = 'subscription'
param deploymentNameSuffix string
param firewallDiagnosticsLogs array
param firewallDiagnosticsMetrics array
param KeyVaultName string
param keyVaultDiagnosticLogs array
param logAnalyticsWorkspaceResourceId string
param networks array
param networkSecurityGroupDiagnosticsLogs array
@ -89,3 +91,14 @@ module firewallDiagnostics '../modules/firewall-diagnostics.bicep' = {
name: hub.firewallName
}
}
module keyvaultDiagnostics '../modules/key-vault-diagnostics.bicep' = {
name: 'deploy-kv-diags-${deploymentNameSuffix}'
scope: resourceGroup(hubSubscriptionId, hubResourceGroupName)
params: {
logAnalyticsWorkspaceResourceId: logAnalyticsWorkspaceResourceId
logs: keyVaultDiagnosticLogs
keyVaultstorageAccountId: storageAccountResourceIds[0]
name: KeyVaultName
}
}
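Review bot: `keyVaultstorageAccountId: storageAccountResourceIds[0]` binds the Key Vault's diagnostic archive to whichever storage account happens to be first in the array, so the choice rests on an ordering established outside this file and silently changes if that array is ever reordered or extended; if the hub storage account is the intended target, a comment stating that contract (`// [0] is the hub storage account per logic.bicep outputs — keep that ordering`) or a dedicated `hubStorageAccountResourceId` input would make the dependency explicit. The parameter name `keyVaultstorageAccountId` also breaks the camelCase used by every other name in this module; `keyVaultStorageAccountId` would match. The `module firewallDiagnostics` block above the new module starts outside this hunk.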


@ -0,0 +1,23 @@
/*
Copyright (c) Microsoft Corporation.
Licensed under the MIT License.
*/
param logAnalyticsWorkspaceResourceId string
param logs array
param name string
param keyVaultstorageAccountId string
resource keyvault 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
name: name
}
resource diagnostics 'Microsoft.Insights/diagnosticSettings@2017-05-01-preview' = {
scope: keyvault
name: '${keyvault.name}-diagnostics'
properties: {
storageAccountId: keyVaultstorageAccountId
workspaceId: logAnalyticsWorkspaceResourceId
logs: logs
}
}
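Review bot: Unlike the firewall diagnostics module, which takes both a `firewallDiagnosticsLogs` and a `firewallDiagnosticsMetrics` input, this module exposes only `logs`, so Key Vault metrics cannot be collected through it; adding `param metrics array = []` and `metrics: metrics` under `properties` would keep the two modules symmetric without affecting current callers. None of the four parameters carries a `@description` decorator, whereas the root template documents each of its parameters; for example `@description('Resource ID of the storage account that archives the Key Vault diagnostic logs.')` on `keyVaultstorageAccountId`. `storageAccountId` is also set unconditionally, so a caller that only wants workspace ingestion cannot opt out of the storage archive; `storageAccountId: empty(keyVaultstorageAccountId) ? null : keyVaultstorageAccountId` with a default of `''` would allow that. Finally, `2017-05-01-preview` is a preview API version; if the sibling diagnostics modules use a stable version of `Microsoft.Insights/diagnosticSettings`, this one should align with it.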


@ -144,5 +144,6 @@ resource key_storageAccounts 'Microsoft.KeyVault/vaults/keys@2022-07-01' = {
output keyUriWithVersion string = key_disks.properties.keyUriWithVersion
output keyVaultResourceId string = vault.id
output keyVaultName string = vault.name
output keyVaultUri string = vault.properties.vaultUri
output storageKeyName string = key_storageAccounts.name


@ -66,11 +66,6 @@ var solutions = [
}
]
@description('Enable lock to prevent accidental deletion')
param enableDeleteLock bool = false
var lockName = '${logAnalyticsWorkspace.name}-lock'
resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2021-06-01' = {
name: name
location: location
@ -103,13 +98,4 @@ resource logAnalyticsSolutions 'Microsoft.OperationsManagement/solutions@2015-11
}
}]
resource lock 'Microsoft.Authorization/locks@2016-09-01' = if (enableDeleteLock) {
scope: logAnalyticsWorkspace
name: lockName
properties: {
level: 'CanNotDelete'
}
}
output resourceId string = logAnalyticsWorkspace.id