├── Prerequisite ├── resourceGraphPS.ps1 ├── resourceGraphCLI.azcli └── README.md ├── Templates ├── Mgmt │ ├── workloadSubscription.json │ ├── nestedtemplates │ │ └── ascConfig.json │ └── psDeployment.ps1 ├── AzureMgmtServices │ └── WorkloadOnboarding │ │ ├── onboardLinuxToAzureLogAnalytics.json │ │ ├── onboardWindowsToAzureLogAnalytics.json │ │ └── onboardToAzureBackup.json ├── cliDeployment.azcli └── psDeployment.ps1 ├── README.md └── Policies ├── getIdentityUsedByPolicyAssignment.json ├── lockDownAutomationAccount.json ├── AzureRmPolicyRemediation.ps1 ├── AzMonDeployIfNotExists-template.json ├── enableBackup.json ├── vnetAzMonDeloyIfNotExists.json ├── vmmsDiskEncryption.json ├── logicIntegrationAzMonDeloyIfNotExists.json ├── dnsAzMonDeloyIfNotExists.json ├── redisAzMonDeloyIfNotExists.json ├── websitesAzMonDeloyIfNotExists.json ├── hdiAzMonDeloyIfNotExists.json ├── relayAzMonDeloyIfNotExists.json ├── mySQLAzMonDeloyIfNotExists.json ├── egTopicsAzMonDeloyIfNotExists.json ├── ehClustersAzMonDeloyIfNotExists.json ├── vmAzMonDeloyIfNotExists.json ├── nicAzMonDeloyIfNotExists.json ├── cognitiveAzMonDeloyIfNotExists.json ├── signalrAzMonDeloyIfNotExists.json ├── acrAzMonDeloyIfNotExists.json ├── tsiAzMonDeloyIfNotExists.json ├── egETopicsAzMonDeloyIfNotExists.json ├── aciAzMonDeloyIfNotExists.json ├── classicComputeAzMonDeloyIfNotExists.json ├── egSubscriptionsAzMonDeloyIfNotExists.json ├── vmssAzMonDeloyIfNotExists.json ├── nsgAzMonDeployIfNotExists.json ├── keyVaultAzMonDeployIfNotExists.json ├── serviceBusAzMonDeployIfNotExists.json ├── batchAzMonDeloyIfNotExists.json ├── logicAppAzMonDeloyIfNotExists.json ├── searchAzMonDeloyIfNotExists.json ├── expressRouteAzMonDeloyIfNotExists.json ├── trafficManagerAzMonDeloyIfNotExists.json ├── pipAzMonDeployIfNotExists.json ├── adlsAzMonDeloyIfNotExists.json ├── analysisAzMonDeployIfNotExists.json ├── lbAzMonDeployIfNotExists.json ├── adlaAzMonDeloyIfNotExists.json ├── asaAzMonDeloyIfNotExists.json ├── 
postreSQLAzMonDeloyIfNotExists.json ├── iotPSAzMonDeloyIfNotExists.json ├── adfAzMonDeloyIfNotExists.json ├── cosmosAzMonDeloyIfNotExists.json ├── ehNamespacesAzMonDeloyIfNotExists.json └── automationAzMonDeployIfNotExists.json /Prerequisite/resourceGraphPS.ps1: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Prerequisite/resourceGraphCLI.azcli: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Templates/Mgmt/workloadSubscription.json: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # azureArchitectures 2 | This repository contains samples and patterns for architectures in Azure, that can be deployed using ARM templates 3 | -------------------------------------------------------------------------------- /Policies/getIdentityUsedByPolicyAssignment.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "policyAssignmentId": { 6 | "type": "string" 7 | } 8 | }, 9 | "resources": [], 10 | "outputs": { 11 | "identityUsedByPolicyAssignment": { 12 | "type": "object", 13 | "value": "[reference(concat(subscription().id, '/providers/Microsoft.Authorization/policyAssignments/', parameters('policyAssignmentId')), '2018-03-01', 'Full')]" 14 | } 15 | } 16 | } -------------------------------------------------------------------------------- /Policies/lockDownAutomationAccount.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "displayName": "Govern Automation account", 4 | "description": "Policy to lock down automation account child resources", 5 | "parameters": { 6 | }, 7 | "policyRule": { 8 | "if": { 9 | "allOf": [ 10 | { 11 | "field": "type", 12 | "in": [ 13 | "Microsoft.Automation/automationAccounts/runbooks", 14 | "Microsoft.Automation/automationAccounts/variables", 15 | "Microsoft.Automation/automationAccounts/modules", 16 | "Microsoft.Automation/automationAccounts/credentials", 17 | "Microsoft.Automation/automationAccounts/connections", 18 | "Microsoft.Automation/automationAccount/certificates" 19 | ] 20 | } 21 | ] 22 | }, 23 | "then": { 24 | "effect": "deny" 25 | } 26 | } 27 | } 28 | } -------------------------------------------------------------------------------- /Prerequisite/README.md: -------------------------------------------------------------------------------- 1 | # Prerequisite 2 | 3 | If you have an existing environment, use the sample Resource Graph queries to understand - and determine the policies needed for the target Azure Architecture. 4 | 5 | 6 | 7 | Get an overview of all resources within the Azure tenant 8 | 9 | >Note: This assumes the signed in user has the appropriate permission at scope, across subscriptions. 
10 | 11 | ```` 12 | az graph query --q "summarize count()" 13 | ```` 14 | 15 | Get an overview of all resource types, summarized by count 16 | 17 | ```` 18 | az graph query --q "summarize count() by tostring(type)" 19 | ```` 20 | 21 | Get an overview of the top 10 regions with most resources 22 | 23 | ```` 24 | az graph query --q "summarize count() by tostring(location) | top 10 by location asc" 25 | ```` 26 | 27 | Get an overview of Linux vs Windows usage 28 | 29 | ```` 30 | az graph query --q "where type =~ 'Microsoft.Compute/virtualMachines' | extend os = properties.storageProfile.osDisk.osType | summarize count() by tostring(os)" 31 | ```` 32 | 33 | Get an understanding of usage - and distribution of tags 34 | 35 | ```` 36 | az graph query --q "where tags != '' | project name, type, tags, resourceGroups" 37 | ```` 38 | 39 | See if any Azure mgmt services are deployed 40 | 41 | ```` 42 | az graph query --q "where type =~ 'Microsoft.OperationalInsights/workspaces' or type =~ 'Microsoft.Automation/automationAccounts' or type =~ 'Microsoft.RecoveryServices/vaults' | project name, location, resourceGroup, type, subscriptionId" 43 | ```` 44 | 45 | -------------------------------------------------------------------------------- /Templates/AzureMgmtServices/WorkloadOnboarding/onboardLinuxToAzureLogAnalytics.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "vmName": { 6 | "type": "string" 7 | }, 8 | "location": { 9 | "type": "string" 10 | }, 11 | "logAnalytics": { 12 | "type": "string" 13 | } 14 | }, 15 | "resources": [ 16 | { 17 | "name": "[concat(parameters('vmName'),'/omsPolicy')]", 18 | "type": "Microsoft.Compute/virtualMachines/extensions", 19 | "location": "[parameters('location')]", 20 | "apiVersion": "2017-03-30", 21 | "properties": { 22 | "publisher": 
"Microsoft.EnterpriseCloud.Monitoring", 23 | "type": "OmsAgentForLinux", 24 | "typeHandlerVersion": "1.4", 25 | "autoUpgradeMinorVersion": true, 26 | "settings": { 27 | "workspaceId": "[reference(parameters('logAnalytics'), '2015-11-01-preview').customerId]" 28 | }, 29 | "protectedSettings": { 30 | "workspaceKey": "[listKeys(parameters('logAnalytics'), '2015-11-01-preview').primarySharedKey]" 31 | } 32 | } 33 | } 34 | ], 35 | "outputs": { 36 | "policy": { 37 | "type": "string", 38 | "value": "[concat('Enabled monitoring for Linux VM', ': ', parameters('vmName'))]" 39 | } 40 | } 41 | } -------------------------------------------------------------------------------- /Templates/AzureMgmtServices/WorkloadOnboarding/onboardWindowsToAzureLogAnalytics.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "vmName": { 6 | "type": "string" 7 | }, 8 | "location": { 9 | "type": "string" 10 | }, 11 | "logAnalytics": { 12 | "type": "string" 13 | } 14 | }, 15 | "resources": [ 16 | { 17 | "name": "[concat(parameters('vmName'),'/omsPolicy')]", 18 | "type": "Microsoft.Compute/virtualMachines/extensions", 19 | "location": "[parameters('location')]", 20 | "apiVersion": "2017-03-30", 21 | "properties": { 22 | "publisher": "Microsoft.EnterpriseCloud.Monitoring", 23 | "type": "MicrosoftMonitoringAgent", 24 | "typeHandlerVersion": "1.0", 25 | "autoUpgradeMinorVersion": true, 26 | "settings": { 27 | "workspaceId": "[reference(parameters('logAnalytics'), '2015-11-01-preview').customerId]" 28 | }, 29 | "protectedSettings": { 30 | "workspaceKey": "[listKeys(parameters('logAnalytics'), '2015-11-01-preview').primarySharedKey]" 31 | } 32 | } 33 | } 34 | ], 35 | "outputs": { 36 | "policy": { 37 | "type": "string", 38 | "value": "[concat('Enabled monitoring for Windows VM', ': ', parameters('vmName'))]" 39 | 
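} 40 | } 41 | } -------------------------------------------------------------------------------- /Policies/AzureRmPolicyRemediation.ps1: --------------------------------------------------------------------------------
function New-AzureRmPolicyRemediation {
    <#
    .Synopsis
    Starts a remediation task for a policy assignment that uses DeployIfNotExists.

    .Description
    Sends a PUT to the Microsoft.PolicyInsights remediations API for the subscription of the
    current AzureRm context, authenticating with a bearer token read from that context's
    token cache. Remediation at an explicit -Scope is not implemented: when -Scope is
    supplied the function emits a warning and does nothing.

    .Parameter PolicyAssignmentId
    Id of the policy assignment to remediate. Accepts pipeline input.

    .Parameter Scope
    Optional. Reserved; remediation currently only runs at the current subscription.

    .Parameter Locations
    Mandatory, but not read by the current implementation.

    .Outputs
    System.String. The remediation API response, formatted as indented JSON.

    .Example
    New-AzureRmPolicyRemediation -PolicyAssignmentId <policyAssignmentId> -Locations <locations>
    #>
    [cmdletbinding()]
    param (
        [Parameter(Mandatory, ValueFromPipeline)]
        [ValidateNotNullOrEmpty()]
        [string] $PolicyAssignmentId,

        [string] $Scope,

        [Parameter(Mandatory)]
        [ValidateNotNullOrEmpty()]
        [string] $Locations
    )
    begin {
        $currentContext = Get-AzureRmContext
        if (-not $currentContext -or -not $currentContext.Account) {
            throw "No Azure context found. Sign in before calling New-AzureRmPolicyRemediation."
        }

        # Pick a cached token for the signed-in account and tenant. Expired entries are
        # skipped so that a stale token is never sent, and the longest-lived one is used.
        # NOTE(review): assumes the cache items expose ExpiresOn (ADAL TokenCacheItem) - confirm.
        $token = @(
            $currentContext.TokenCache.ReadItems() |
                Where-Object {
                    $_.TenantId -eq $currentContext.Tenant.Id -and
                    $_.DisplayableId -eq $currentContext.Account.Id -and
                    $_.ExpiresOn -gt [DateTimeOffset]::UtcNow
                } |
                Sort-Object -Property ExpiresOn -Descending
        )

        # Fail here rather than sending "Authorization: Bearer " with an empty value later.
        if ($token.Count -eq 0) {
            throw "No unexpired access token for '$($currentContext.Account.Id)' was found in the token cache. Sign in again."
        }
    }
    process {
        if (-not [string]::IsNullOrEmpty($Scope)) {
            # The original only wrote a verbose message here, so callers passing -Scope got
            # a silent no-op. Make the missing implementation visible.
            Write-Warning "Remediation at an explicit scope is not implemented; nothing was done for scope '$Scope'."
            return
        }

        $subscriptionId = $currentContext.Subscription.Id
        Write-Verbose "No Scope provided; we will attempt remediation at current scope '$subscriptionId'"

        # Verifying that policy with deployIfNotExists is assigned at scope
        $assignment = Get-AzureRmPolicyAssignment -Id $PolicyAssignmentId
        if ($assignment.SubscriptionId -ne $subscriptionId) {
            # Report on the error stream so callers and pipelines can tell failure from output.
            Write-Error "Policy assignment '$PolicyAssignmentId' is not found at scope '$subscriptionId'"
            return
        }

        # Serialize the whole payload instead of splicing a value into a JSON here-string.
        $body = @{
            properties = @{
                policyAssignmentId = $PolicyAssignmentId
            }
        } | ConvertTo-Json

        # A GUID avoids name collisions; a PUT to an existing remediation name would target
        # that existing remediation instead of creating a new one.
        $remediationName = [guid]::NewGuid().ToString()

        # The bearer token is only placed in the request header; it is never written to any
        # output stream.
        $iwrArgs = @{
            Uri             = "https://management.azure.com/subscriptions/$subscriptionId/providers/Microsoft.PolicyInsights/remediations/$($remediationName)?api-version=2018-07-01-preview"
            Headers         = @{
                Authorization = "Bearer $($token[0].AccessToken)"
            }
            ContentType     = 'application/json'
            Method          = 'PUT'
            Body            = $body
            UseBasicParsing = $true
        }
        $result = Invoke-WebRequest @iwrArgs

        # Pretty-print the API response
        [Newtonsoft.Json.Linq.JObject]::Parse($result.Content).ToString()
    }
}
-------------------------------------------------------------------------------- /Templates/Mgmt/nestedtemplates/ascConfig.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "securitySettings": { 6 | "type": "string", 7 | "allowedValues": [ 8 | "On", 9 | "Off" 10 | ], 11 | "metadata": { 12 | "description": "Turn security settings On or Off." 13 | } 14 | }, 15 | "emailContact": { 16 | "type": "string", 17 | "metadata": { 18 | "description": "Add one or more e-mail addresses for notificatoins." 19 | } 20 | }, 21 | "securityPhoneNumber": { 22 | "type": "string", 23 | "defaultValue": "555-555-111-2", 24 | "metadata": { 25 | "description": "Add a phone number for security related incidents." 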
26 | } 27 | } 28 | }, 29 | "variables": {}, 30 | "resources": [ 31 | { 32 | "type": "Microsoft.Security/policies", 33 | "apiVersion": "2015-06-01-preview", 34 | "name": "default", 35 | "properties": { 36 | "policyLevel": "Subscription", 37 | "name": "default", 38 | "unique": "Off", 39 | "logCollection": "Off", 40 | "recommendations": { 41 | "patch": "[parameters('securitySettings')]", 42 | "baseline": "[parameters('securitySettings')]", 43 | "antimalware": "[parameters('securitySettings')]", 44 | "diskEncryption": "[parameters('securitySettings')]", 45 | "acls": "[parameters('securitySettings')]", 46 | "nsgs": "[parameters('securitySettings')]", 47 | "waf": "[parameters('securitySettings')]", 48 | "sqlAuditing": "[parameters('securitySettings')]", 49 | "sqlTde": "[parameters('securitySettings')]", 50 | "ngfw": "[parameters('securitySettings')]", 51 | "vulnerabilityAssessment": "[parameters('securitySettings')]", 52 | "storageEncryption": "[parameters('securitySettings')]", 53 | "jitNetworkAccess": "[parameters('securitySettings')]" 54 | }, 55 | "securityContactConfiguration": { 56 | "securityContactEmails": [ 57 | "[parameters('emailContact')]" 58 | ], 59 | "securityContactPhone": "[parameters('securityPhoneNumber')]", 60 | "areNotificationsOn": true, 61 | "sendToAdminOn": false 62 | }, 63 | "pricingConfiguration": { 64 | "selectedPricingTier": "Free" 65 | } 66 | } 67 | } 68 | ], 69 | "outputs": {} 70 | } -------------------------------------------------------------------------------- /Policies/AzMonDeployIfNotExists-template.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "displayName": "Apply diagnostic settings for ", 4 | "description": "This policy automatically deploys and enable diagnostic settings to ", 5 | "parameters": { 6 | "logAnalytics": { 7 | "type": "string", 8 | "metadata": { 9 | "displayName": "Log Analyitcs workspace", 10 | "description": "Select the Log Analytics workspace from 
dropdown list", 11 | "strongType": "omsWorkspace" 12 | } 13 | } 14 | }, 15 | "policyRule": { 16 | "if": { 17 | "field": "type", 18 | "equals": "" 19 | }, 20 | "then": { 21 | "effect": "deployIfNotExists", 22 | "details": { 23 | "type": "Microsoft.Insights/diagnosticSettings", 24 | "name": "setByPolicy", 25 | "deployment": { 26 | "properties": { 27 | "mode": "incremental", 28 | "template": { 29 | "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", 30 | "contentVersion": "1.0.0.0", 31 | "parameters": { 32 | "resourceName": { 33 | "type": "string" 34 | }, 35 | "logAnalytics": { 36 | "type": "string" 37 | }, 38 | "location": { 39 | "type": "string" 40 | } 41 | }, 42 | "variables": {}, 43 | "resources": [ 44 | { 45 | "type": "/providers/diagnosticSettings", 46 | "apiVersion": "2017-05-01-preview", 47 | "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]", 48 | "location": "[parameters('location')]", 49 | "dependsOn": [], 50 | "properties": { 51 | "workspaceId": "[parameters('logAnalytics')]", 52 | } 53 | } 54 | ], 55 | "outputs": {} 56 | }, 57 | "parameters": { 58 | "logAnalytics": { 59 | "value": "[parameters('logAnalytics')]" 60 | }, 61 | "location": { 62 | "value": "[field('location')]" 63 | }, 64 | "resourceName": { 65 | "value": "[field('name')]" 66 | } 67 | } 68 | } 69 | } 70 | } 71 | } 72 | } 73 | } 74 | } -------------------------------------------------------------------------------- /Policies/enableBackup.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "vmName": { 6 | "type": "string", 7 | "metadata": { 8 | "description": "Name of Azure Virtual Machines" 9 | } 10 | }, 11 | "vmRgName": { 12 | "type": "string", 13 | "metadata": { 14 | "description": "Resource group containing the virtual 
machines." 15 | } 16 | }, 17 | "recoveryVaultName": { 18 | "type": "string", 19 | "metadata": { 20 | "description": "Recovery services vault name where the VMs will be backed up to. The default vaule is 'Backup-vault'." 21 | } 22 | }, 23 | "recoveryVaultResourceGroup": { 24 | "type": "string", 25 | "metadata": { 26 | "description": "Select the resource group containing the recovery vault" 27 | } 28 | }, 29 | "location": { 30 | "type": "string", 31 | "metadata": { 32 | "description": "Location for VM and Backup vault" 33 | } 34 | } 35 | }, 36 | "variables": { 37 | "backupFabric": "Azure", 38 | "backupPolicy": "DefaultPolicy", 39 | "v2VmType": "Microsoft.Compute/virtualMachines", 40 | "v2VmContainer": "iaasvmcontainer;iaasvmcontainerv2;", 41 | "v2Vm": "vm;iaasvmcontainerv2;" 42 | }, 43 | "resources": [ 44 | { 45 | "type": "Microsoft.Resources/deployments", 46 | "apiVersion": "2017-05-10", 47 | "name": "backupSetByPolicy", 48 | "resourceGroup": "[parameters('recoveryVaultResourceGroup')]", 49 | "properties": { 50 | "mode": "Incremental", 51 | "template": { 52 | "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", 53 | "contentVersion": "1.0.0.0", 54 | "parameters": {}, 55 | "variables": {}, 56 | "resources": [ 57 | { 58 | "name": "[concat(parameters('recoveryVaultName'), '/', variables('backupFabric'), '/', variables('v2VmContainer'), concat(parameters('vmRgName'),';',parameters('vmName')), '/', variables('v2Vm'), concat(parameters('vmRgName'),';',parameters('vmName')))]", 59 | "apiVersion": "2016-12-01", 60 | "location": "[parameters('location')]", 61 | "type": "Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems", 62 | "properties": { 63 | "protectedItemType": "[variables('v2VmType')]", 64 | "policyId": "[resourceId('Microsoft.RecoveryServices/vaults/backupPolicies',parameters('recoveryVaultName'),variables('backupPolicy'))]", 65 | "sourceResourceId": "[concat('/subscriptions/', 
subscription().subscriptionId, '/resourceGroups/', parameters('vmRgName'), '/providers/Microsoft.Compute/virtualMachines/', parameters('vmName'))]" 66 | } 67 | } 68 | ], 69 | "outputs": {} 70 | } 71 | } 72 | } 73 | ], 74 | "outputs": { 75 | "status": { 76 | "type": "string", 77 | "value": "[concat('Backup enabled successfully for VM:', ' ', parameters('vmName'))]" 78 | } 79 | } 80 | } -------------------------------------------------------------------------------- /Templates/AzureMgmtServices/WorkloadOnboarding/onboardToAzureBackup.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "vmName": { 6 | "type": "string", 7 | "metadata": { 8 | "description": "Name of Azure Virtual Machines" 9 | } 10 | }, 11 | "vmRgName": { 12 | "type": "string", 13 | "metadata": { 14 | "description": "Resource group containing the virtual machines." 15 | } 16 | }, 17 | "recoveryVaultName": { 18 | "type": "string", 19 | "metadata": { 20 | "description": "Recovery services vault name where the VMs will be backed up to. The default vaule is 'Backup-vault'." 
21 | } 22 | }, 23 | "recoveryVaultResourceGroup": { 24 | "type": "string", 25 | "metadata": { 26 | "description": "Select the resource group containing the recovery vault" 27 | } 28 | }, 29 | "location": { 30 | "type": "string", 31 | "metadata": { 32 | "description": "Location for VM and Backup vault" 33 | } 34 | } 35 | }, 36 | "variables": { 37 | "backupFabric": "Azure", 38 | "backupPolicy": "DefaultPolicy", 39 | "v2VmType": "Microsoft.Compute/virtualMachines", 40 | "v2VmContainer": "iaasvmcontainer;iaasvmcontainerv2;", 41 | "v2Vm": "vm;iaasvmcontainerv2;" 42 | }, 43 | "resources": [ 44 | { 45 | "type": "Microsoft.Resources/deployments", 46 | "apiVersion": "2017-05-10", 47 | "name": "backupSetByPolicy", 48 | "resourceGroup": "[parameters('recoveryVaultResourceGroup')]", 49 | "properties": { 50 | "mode": "Incremental", 51 | "template": { 52 | "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", 53 | "contentVersion": "1.0.0.0", 54 | "parameters": {}, 55 | "variables": {}, 56 | "resources": [ 57 | { 58 | "name": "[concat(parameters('recoveryVaultName'), '/', variables('backupFabric'), '/', variables('v2VmContainer'), concat(parameters('vmRgName'),';',parameters('vmName')), '/', variables('v2Vm'), concat(parameters('vmRgName'),';',parameters('vmName')))]", 59 | "apiVersion": "2016-12-01", 60 | "location": "[parameters('location')]", 61 | "type": "Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems", 62 | "properties": { 63 | "protectedItemType": "[variables('v2VmType')]", 64 | "policyId": "[resourceId('Microsoft.RecoveryServices/vaults/backupPolicies',parameters('recoveryVaultName'),variables('backupPolicy'))]", 65 | "sourceResourceId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', parameters('vmRgName'), '/providers/Microsoft.Compute/virtualMachines/', parameters('vmName'))]" 66 | } 67 | } 68 | ], 69 | "outputs": {} 70 | } 71 | } 72 | } 73 | ], 74 | "outputs": { 
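75 | "status": { 76 | "type": "string", 77 | "value": "[concat('Backup enabled successfully for VM:', ' ', parameters('vmName'))]" 78 | } 79 | } 80 | } -------------------------------------------------------------------------------- /Templates/cliDeployment.azcli: --------------------------------------------------------------------------------
# Replace the variables below to reflect your environment(s)

# When run as a script: stop on the first failed command, unset variable or failed
# pipeline stage, so that a failed `az account set` or an empty lookup cannot be followed
# by a deployment into the wrong subscription.
set -euo pipefail

# Defining global deployment variables

mgmtSubscriptionId=""
userSubscriptionId=""
: "${mgmtSubscriptionId:?set mgmtSubscriptionId before running}"
: "${userSubscriptionId:?set userSubscriptionId before running}"

# NOTE(review): these templates are fetched from the moving `master` branch at deployment
# time and are handed a principal and a role definition. Review the templates and pin each
# URI to a specific commit (replace `master` with the reviewed commit SHA) before use.
mgmtSubscriptionTemplateUri="https://raw.githubusercontent.com/krnese/azureArchitectures/master/Templates/Mgmt/mgmtSubscription.json"
userSubscriptionTemplateUri="https://raw.githubusercontent.com/krnese/azureArchitectures/master/Templates/User/userSubscription.json"

# Set subscription context to mgmt subscription

az account set -s "$mgmtSubscriptionId"

# Defining variables for mgmt subscription deployment

mgmtRgName="nesemgmt"
rgsLocation="eastus"
nwRgName="neseNetwork"
userPrincipalName=""
: "${userPrincipalName:?set userPrincipalName to the account that should receive the role}"
principalId="$(az ad user show --upn-or-object-id "$userPrincipalName" --query "objectId" -o tsv)"
: "${principalId:?could not resolve an object id for userPrincipalName}"
# NOTE(review): "Owner" is the broadest built-in role. It is passed to the template together
# with principalId; prefer the least-privileged role that the deployment actually needs.
roleDefinitionId="$(az role definition list --name "Owner" --query "[].[name]" -o tsv)"
deniedLocation="northeurope" #optional (not passed to the deployment below)
deploymentName="shared"
deploymentLocation="eastus"
enableResourceLocks="Yes" #optional (not passed to the deployment below)

# Deploying mgmt subscription template

az deployment create --name "$deploymentName" \
  --location "$deploymentLocation" \
  --template-uri "$mgmtSubscriptionTemplateUri" \
  --parameters principalId="$principalId" roleDefinitionId="$roleDefinitionId" mgmtRgName="$mgmtRgName" rgsLocation="$rgsLocation" nwRgName="$nwRgName" \
  --verbose

# Fetching resourceId from the previous deployment

logAnalyticsId="$(az resource list --resource-group "$mgmtRgName" --resource-type 'Microsoft.OperationalInsights/workspaces' --query '[].[id]' -o tsv)"
: "${logAnalyticsId:?no Log Analytics workspace found in the mgmt resource group}"

# Switching deployment context to user subscription

az account set -s "$userSubscriptionId"

# Defining variables for user subscription deployment

userRgsLocation="eastus"
# Fixed: the original had a space before '=', which the shell runs as a command instead of
# an assignment, leaving the variable unset.
userNwRgName="spokeNetwork"
# The original sample hard-coded its author's own UPN here. Set explicitly the account that
# should receive the role in the user subscription.
userPrincipalName=""
: "${userPrincipalName:?set userPrincipalName for the user subscription}"
userPrincipalId="$(az ad user show --upn-or-object-id "$userPrincipalName" --query "objectId" -o tsv)"
: "${userPrincipalId:?could not resolve an object id for userPrincipalName}"
# NOTE(review): same least-privilege caveat as for the mgmt subscription.
userRoleDefinitionId="$(az role definition list --name "Owner" --query "[].[name]" -o tsv)"
userDeniedLocation="northeurope" #optional (not passed to the deployment below)
userDeploymentName="user"
userDeploymentLocation="eastus"
userEnableResourceLocks="Yes"
mgmtSubId="$mgmtSubscriptionId"
mgmtNwRgName="$nwRgName"

# Deploying user subscription template
# (each parameter is passed once, using the variables defined above)

az deployment create --name "$userDeploymentName" \
  --location "$userDeploymentLocation" \
  --template-uri "$userSubscriptionTemplateUri" \
  --parameters nwRgName="$userNwRgName" roleDefinitionId="$userRoleDefinitionId" enableResourceLocks="$userEnableResourceLocks" principalId="$userPrincipalId" rgsLocation="$userRgsLocation" logAnalyticsId="$logAnalyticsId" mgmtSubId="$mgmtSubId" mgmtNwRgName="$mgmtNwRgName" \
  --verbose

# Defining variables for vm workload deployment

vmNamePrefix="uservm10"
production="Yes"
platform="Linux"
# NOTE(review): also fetched from `master`; pin to a reviewed commit as above.
workloadTemplateUri="https://raw.githubusercontent.com/krnese/azureArchitectures/master/Templates/Workload/vmCondition.json"
userName="azureadmin"
rgDeploymentName="workload"
location="eastus"

# Create Resource Group

az group create -n "$vmNamePrefix" -l "$location"

# Deploy workload to user subscription
# A resource-group deployment is addressed by its resource group, not by a location; the
# target is the group created above.

az group deployment create -n "$rgDeploymentName" \
  -g "$vmNamePrefix" \
  --template-uri "$workloadTemplateUri" \
  --parameters userName="$userName" platform="$platform" production="$production" vmNamePrefix="$vmNamePrefix" \
  --verbose

# The end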
-------------------------------------------------------------------------------- /Policies/vnetAzMonDeloyIfNotExists.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "displayName": "Apply diagnostic settings for Virtual Networks", 4 | "description": "This policy automatically deploys and enable diagnostic settings to Virtual Networks", 5 | "parameters": { 6 | "logAnalytics": { 7 | "type": "string", 8 | "metadata": { 9 | "displayName": "Log Analyitcs workspace", 10 | "description": "Select the Log Analytics workspace from dropdown list", 11 | "strongType": "omsWorkspace" 12 | } 13 | } 14 | }, 15 | "policyRule": { 16 | "if": { 17 | "field": "type", 18 | "equals": "Microsoft.Network/virtualNetworks" 19 | }, 20 | "then": { 21 | "effect": "deployIfNotExists", 22 | "details": { 23 | "type": "Microsoft.Insights/diagnosticSettings", 24 | "name": "setByPolicy", 25 | "deployment": { 26 | "properties": { 27 | "mode": "incremental", 28 | "template": { 29 | "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", 30 | "contentVersion": "1.0.0.0", 31 | "parameters": { 32 | "resourceName": { 33 | "type": "string" 34 | }, 35 | "logAnalytics": { 36 | "type": "string" 37 | }, 38 | "location": { 39 | "type": "string" 40 | } 41 | }, 42 | "variables": {}, 43 | "resources": [ 44 | { 45 | "type": "Microsoft.Network/virtualNetworks/providers/diagnosticSettings", 46 | "apiVersion": "2017-05-01-preview", 47 | "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]", 48 | "location": "[parameters('location')]", 49 | "dependsOn": [], 50 | "properties": { 51 | "workspaceId": "[parameters('logAnalytics')]", 52 | "logs": [ 53 | { 54 | "category": "VMProtectionAlerts", 55 | "enabled": true 56 | } 57 | ] 58 | } 59 | } 60 | ], 61 | "outputs": {} 62 | }, 63 | "parameters": { 64 | "logAnalytics": { 65 | "value": "[parameters('logAnalytics')]" 66 | }, 67 | "location": { 
68 | "value": "[field('location')]" 69 | }, 70 | "resourceName": { 71 | "value": "[field('name')]" 72 | } 73 | } 74 | } 75 | } 76 | } 77 | } 78 | } 79 | } 80 | } 81 | -------------------------------------------------------------------------------- /Policies/vmmsDiskEncryption.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "vmssName": { 6 | "type": "string", 7 | "metadata": { 8 | "description": "Name of VMSS to be encrypted" 9 | }, 10 | "maxLength": 61 11 | }, 12 | "keyVaultName": { 13 | "type": "string", 14 | "metadata": { 15 | "description": "Name of the KeyVault to place the volume encryption key" 16 | } 17 | }, 18 | "keyVaultResourceGroup": { 19 | "type": "string", 20 | "metadata": { 21 | "description": "Resource group of the KeyVault" 22 | } 23 | }, 24 | "keyEncryptionKeyURL": { 25 | "type": "string", 26 | "defaultValue": "", 27 | "metadata": { 28 | "description": "URL of the KeyEncryptionKey used to encrypt the volume encryption key" 29 | } 30 | }, 31 | "keyEncryptionAlgorithm": { 32 | "type": "string", 33 | "defaultValue": "RSA-OAEP", 34 | "metadata": { 35 | "description": "keyEncryptionAlgorithm used to wrap volume encryption key using KeyEncryptionKeyURL" 36 | } 37 | }, 38 | "volumeType": { 39 | "type": "string", 40 | "defaultValue": "All", 41 | "metadata": { 42 | "description": "Type of the volume OS or Data to perform encryption operation" 43 | } 44 | }, 45 | "forceUpdateTag": { 46 | "type": "string", 47 | "defaultValue": "[uniqueString(resourceGroup().id, deployment().name)]", 48 | "metadata": { 49 | "description": "Pass in an unique value like a GUID everytime the operation needs to be force run" 50 | } 51 | }, 52 | "resizeOSDisk": { 53 | "type": "bool", 54 | "defaultValue": false, 55 | "metadata": { 56 | "description": "Should the OS partition be resized to 
occupy full OS VHD before splitting system volume" 57 | } 58 | } 59 | }, 60 | "variables": { 61 | "keyVaultResourceID": "[resourceId(parameters('keyVaultResourceGroup'), 'Microsoft.KeyVault/vaults/', parameters('keyVaultName'))]" 62 | }, 63 | "resources": [ 64 | { 65 | "type": "Microsoft.Compute/virtualMachineScaleSets/extensions", 66 | "name": "[concat(parameters('vmssName'),'/', 'AzureDiskEncryption')]", 67 | "location": "[resourceGroup().location]", 68 | "apiVersion": "2017-03-30", 69 | "properties": { 70 | "publisher": "Microsoft.Azure.Security", 71 | "type": "AzureDiskEncryption", 72 | "typeHandlerVersion": "2.2", 73 | "autoUpgradeMinorVersion": true, 74 | "forceUpdateTag": "[parameters('forceUpdateTag')]", 75 | "settings": { 76 | "EncryptionOperation": "EnableEncryption", 77 | "KeyVaultURL": "[reference(variables('keyVaultResourceId'),'2018-02-14-preview').vaultUri]", 78 | "KeyVaultResourceId": "[variables('keyVaultResourceID')]", 79 | "KeyEncryptionKeyURL": "[parameters('keyEncryptionKeyURL')]", 80 | "KekVaultResourceId": "[variables('keyVaultResourceID')]", 81 | "KeyEncryptionAlgorithm": "[parameters('keyEncryptionAlgorithm')]", 82 | "VolumeType": "[parameters('volumeType')]", 83 | "ResizeOSDisk": "[parameters('resizeOSDisk')]" 84 | } 85 | } 86 | } 87 | ], 88 | "outputs": { 89 | "status": { 90 | "type": "string", 91 | "value": "[concat('Successfully enabled disk encryption on VMSS:', ' ', parameters('vmssName'))]" 92 | } 93 | } 94 | } -------------------------------------------------------------------------------- /Policies/logicIntegrationAzMonDeloyIfNotExists.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "displayName": "Apply diagnostic settings for Integration Accounts", 4 | "description": "This policy automatically deploys and enable diagnostic settings to Integration Accounts", 5 | "parameters": { 6 | "logAnalytics": { 7 | "type": "string", 8 | "metadata": { 9 | "displayName": "Log 
Analyitcs workspace", 10 | "description": "Select the Log Analytics workspace from dropdown list", 11 | "strongType": "omsWorkspace" 12 | } 13 | } 14 | }, 15 | "policyRule": { 16 | "if": { 17 | "field": "type", 18 | "equals": "Microsoft.Logic/integrationAccounts" 19 | }, 20 | "then": { 21 | "effect": "deployIfNotExists", 22 | "details": { 23 | "type": "Microsoft.Insights/diagnosticSettings", 24 | "name": "setByPolicy", 25 | "deployment": { 26 | "properties": { 27 | "mode": "incremental", 28 | "template": { 29 | "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", 30 | "contentVersion": "1.0.0.0", 31 | "parameters": { 32 | "resourceName": { 33 | "type": "string" 34 | }, 35 | "logAnalytics": { 36 | "type": "string" 37 | }, 38 | "location": { 39 | "type": "string" 40 | } 41 | }, 42 | "variables": {}, 43 | "resources": [ 44 | { 45 | "type": "Microsoft.Logic/integrationAccounts/providers/diagnosticSettings", 46 | "apiVersion": "2017-05-01-preview", 47 | "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]", 48 | "location": "[parameters('location')]", 49 | "dependsOn": [], 50 | "properties": { 51 | "workspaceId": "[parameters('logAnalytics')]", 52 | "logs": [ 53 | { 54 | "category": "IntegrationAccountTrackingEvents", 55 | "enabled": true 56 | } 57 | ] 58 | } 59 | } 60 | ], 61 | "outputs": {} 62 | }, 63 | "parameters": { 64 | "logAnalytics": { 65 | "value": "[parameters('logAnalytics')]" 66 | }, 67 | "location": { 68 | "value": "[field('location')]" 69 | }, 70 | "resourceName": { 71 | "value": "[field('name')]" 72 | } 73 | } 74 | } 75 | } 76 | } 77 | } 78 | } 79 | } 80 | } 81 | -------------------------------------------------------------------------------- /Policies/dnsAzMonDeloyIfNotExists.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "displayName": "Apply diagnostic settings for DNS", 4 | "description": "This policy 
automatically deploys and enables diagnostic settings to DNS", 5 | "parameters": { 6 | "logAnalytics": { 7 | "type": "string", 8 | "metadata": { 9 | "displayName": "Log Analytics workspace", 10 | "description": "Select the Log Analytics workspace from dropdown list", 11 | "strongType": "omsWorkspace" 12 | } 13 | } 14 | }, 15 | "policyRule": { 16 | "if": { 17 | "field": "type", 18 | "equals": "Microsoft.Network/dnszones" 19 | }, 20 | "then": { 21 | "effect": "deployIfNotExists", 22 | "details": { 23 | "type": "Microsoft.Insights/diagnosticSettings", 24 | "name": "setByPolicy", 25 | "deployment": { 26 | "properties": { 27 | "mode": "incremental", 28 | "template": { 29 | "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", 30 | "contentVersion": "1.0.0.0", 31 | "parameters": { 32 | "resourceName": { 33 | "type": "string" 34 | }, 35 | "logAnalytics": { 36 | "type": "string" 37 | }, 38 | "location": { 39 | "type": "string" 40 | } 41 | }, 42 | "variables": {}, 43 | "resources": [ 44 | { 45 | "type": "Microsoft.Network/dnszones/providers/diagnosticSettings", 46 | "apiVersion": "2017-05-01-preview", 47 | "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]", 48 | "location": "[parameters('location')]", 49 | "dependsOn": [], 50 | "properties": { 51 | "workspaceId": "[parameters('logAnalytics')]", 52 | "metrics": [ 53 | { 54 | "category": "AllMetrics", 55 | "enabled": true, 56 | "retentionPolicy": { 57 | "enabled": false, 58 | "days": 0 59 | } 60 | } 61 | ] 62 | } 63 | } 64 | ], 65 | "outputs": {} 66 | }, 67 | "parameters": { 68 | "logAnalytics": { 69 | "value": "[parameters('logAnalytics')]" 70 | }, 71 | "location": { 72 | "value": "[field('location')]" 73 | }, 74 | "resourceName": { 75 | "value": "[field('name')]" 76 | } 77 | } 78 | } 79 | } 80 | } 81 | } 82 | } 83 | } 84 | } 85 | -------------------------------------------------------------------------------- /Policies/redisAzMonDeloyIfNotExists.json:
-------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "displayName": "Apply diagnostic settings for Redis Cache", 4 | "description": "This policy automatically deploys and enables diagnostic settings to Redis Cache", 5 | "parameters": { 6 | "logAnalytics": { 7 | "type": "string", 8 | "metadata": { 9 | "displayName": "Log Analytics workspace", 10 | "description": "Select the Log Analytics workspace from dropdown list", 11 | "strongType": "omsWorkspace" 12 | } 13 | } 14 | }, 15 | "policyRule": { 16 | "if": { 17 | "field": "type", 18 | "equals": "Microsoft.Cache/redis" 19 | }, 20 | "then": { 21 | "effect": "deployIfNotExists", 22 | "details": { 23 | "type": "Microsoft.Insights/diagnosticSettings", 24 | "name": "setByPolicy", 25 | "deployment": { 26 | "properties": { 27 | "mode": "incremental", 28 | "template": { 29 | "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", 30 | "contentVersion": "1.0.0.0", 31 | "parameters": { 32 | "resourceName": { 33 | "type": "string" 34 | }, 35 | "logAnalytics": { 36 | "type": "string" 37 | }, 38 | "location": { 39 | "type": "string" 40 | } 41 | }, 42 | "variables": {}, 43 | "resources": [ 44 | { 45 | "type": "Microsoft.Cache/redis/providers/diagnosticSettings", 46 | "apiVersion": "2017-05-01-preview", 47 | "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]", 48 | "location": "[parameters('location')]", 49 | "dependsOn": [], 50 | "properties": { 51 | "workspaceId": "[parameters('logAnalytics')]", 52 | "metrics": [ 53 | { 54 | "category": "AllMetrics", 55 | "enabled": true, 56 | "retentionPolicy": { 57 | "enabled": false, 58 | "days": 0 59 | } 60 | } 61 | ] 62 | } 63 | } 64 | ], 65 | "outputs": {} 66 | }, 67 | "parameters": { 68 | "logAnalytics": { 69 | "value": "[parameters('logAnalytics')]" 70 | }, 71 | "location": { 72 | "value": "[field('location')]" 73 | }, 74 | "resourceName": { 75 | "value":
"[field('name')]" 76 | } 77 | } 78 | } 79 | } 80 | } 81 | } 82 | } 83 | } 84 | } 85 | -------------------------------------------------------------------------------- /Policies/websitesAzMonDeloyIfNotExists.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "displayName": "Apply diagnostic settings for Azure Web Sites", 4 | "description": "This policy automatically deploys and enables diagnostic settings to Azure Web Sites", 5 | "parameters": { 6 | "logAnalytics": { 7 | "type": "string", 8 | "metadata": { 9 | "displayName": "Log Analytics workspace", 10 | "description": "Select the Log Analytics workspace from dropdown list", 11 | "strongType": "omsWorkspace" 12 | } 13 | } 14 | }, 15 | "policyRule": { 16 | "if": { 17 | "field": "type", 18 | "equals": "Microsoft.Web/sites" 19 | }, 20 | "then": { 21 | "effect": "deployIfNotExists", 22 | "details": { 23 | "type": "Microsoft.Insights/diagnosticSettings", 24 | "name": "setByPolicy", 25 | "deployment": { 26 | "properties": { 27 | "mode": "incremental", 28 | "template": { 29 | "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", 30 | "contentVersion": "1.0.0.0", 31 | "parameters": { 32 | "resourceName": { 33 | "type": "string" 34 | }, 35 | "logAnalytics": { 36 | "type": "string" 37 | }, 38 | "location": { 39 | "type": "string" 40 | } 41 | }, 42 | "variables": {}, 43 | "resources": [ 44 | { 45 | "type": "Microsoft.Web/sites/providers/diagnosticSettings", 46 | "apiVersion": "2017-05-01-preview", 47 | "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]", 48 | "location": "[parameters('location')]", 49 | "dependsOn": [], 50 | "properties": { 51 | "workspaceId": "[parameters('logAnalytics')]", 52 | "metrics": [ 53 | { 54 | "category": "AllMetrics", 55 | "enabled": true, 56 | "retentionPolicy": { 57 | "enabled": false, 58 | "days": 0 59 | } 60 | } 61 | ] 62 | } 63 | } 64 | ], 65 | "outputs":
{} 66 | }, 67 | "parameters": { 68 | "logAnalytics": { 69 | "value": "[parameters('logAnalytics')]" 70 | }, 71 | "location": { 72 | "value": "[field('location')]" 73 | }, 74 | "resourceName": { 75 | "value": "[field('name')]" 76 | } 77 | } 78 | } 79 | } 80 | } 81 | } 82 | } 83 | } 84 | } 85 | -------------------------------------------------------------------------------- /Policies/hdiAzMonDeloyIfNotExists.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "displayName": "Apply diagnostic settings for HDInsight", 4 | "description": "This policy automatically deploys and enables diagnostic settings to HDInsight", 5 | "parameters": { 6 | "logAnalytics": { 7 | "type": "string", 8 | "metadata": { 9 | "displayName": "Log Analytics workspace", 10 | "description": "Select the Log Analytics workspace from dropdown list", 11 | "strongType": "omsWorkspace" 12 | } 13 | } 14 | }, 15 | "policyRule": { 16 | "if": { 17 | "field": "type", 18 | "equals": "Microsoft.HDInsight/clusters" 19 | }, 20 | "then": { 21 | "effect": "deployIfNotExists", 22 | "details": { 23 | "type": "Microsoft.Insights/diagnosticSettings", 24 | "name": "setByPolicy", 25 | "deployment": { 26 | "properties": { 27 | "mode": "incremental", 28 | "template": { 29 | "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", 30 | "contentVersion": "1.0.0.0", 31 | "parameters": { 32 | "resourceName": { 33 | "type": "string" 34 | }, 35 | "logAnalytics": { 36 | "type": "string" 37 | }, 38 | "location": { 39 | "type": "string" 40 | } 41 | }, 42 | "variables": {}, 43 | "resources": [ 44 | { 45 | "type": "Microsoft.HDInsight/clusters/providers/diagnosticSettings", 46 | "apiVersion": "2017-05-01-preview", 47 | "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]", 48 | "location": "[parameters('location')]", 49 | "dependsOn": [], 50 | "properties": { 51 | "workspaceId":
"[parameters('logAnalytics')]", 52 | "metrics": [ 53 | { 54 | "category": "AllMetrics", 55 | "enabled": true, 56 | "retentionPolicy": { 57 | "enabled": false, 58 | "days": 0 59 | } 60 | } 61 | ] 62 | } 63 | } 64 | ], 65 | "outputs": {} 66 | }, 67 | "parameters": { 68 | "logAnalytics": { 69 | "value": "[parameters('logAnalytics')]" 70 | }, 71 | "location": { 72 | "value": "[field('location')]" 73 | }, 74 | "resourceName": { 75 | "value": "[field('name')]" 76 | } 77 | } 78 | } 79 | } 80 | } 81 | } 82 | } 83 | } 84 | } 85 | -------------------------------------------------------------------------------- /Policies/relayAzMonDeloyIfNotExists.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "displayName": "Apply diagnostic settings for Azure Relay", 4 | "description": "This policy automatically deploys and enables diagnostic settings to Azure Relay", 5 | "parameters": { 6 | "logAnalytics": { 7 | "type": "string", 8 | "metadata": { 9 | "displayName": "Log Analytics workspace", 10 | "description": "Select the Log Analytics workspace from dropdown list", 11 | "strongType": "omsWorkspace" 12 | } 13 | } 14 | }, 15 | "policyRule": { 16 | "if": { 17 | "field": "type", 18 | "equals": "Microsoft.Relay/namespaces" 19 | }, 20 | "then": { 21 | "effect": "deployIfNotExists", 22 | "details": { 23 | "type": "Microsoft.Insights/diagnosticSettings", 24 | "name": "setByPolicy", 25 | "deployment": { 26 | "properties": { 27 | "mode": "incremental", 28 | "template": { 29 | "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", 30 | "contentVersion": "1.0.0.0", 31 | "parameters": { 32 | "resourceName": { 33 | "type": "string" 34 | }, 35 | "logAnalytics": { 36 | "type": "string" 37 | }, 38 | "location": { 39 | "type": "string" 40 | } 41 | }, 42 | "variables": {}, 43 | "resources": [ 44 | { 45 | "type": "Microsoft.Relay/namespaces/providers/diagnosticSettings", 46 | "apiVersion":
"2017-05-01-preview", 47 | "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]", 48 | "location": "[parameters('location')]", 49 | "dependsOn": [], 50 | "properties": { 51 | "workspaceId": "[parameters('logAnalytics')]", 52 | "metrics": [ 53 | { 54 | "category": "AllMetrics", 55 | "enabled": true, 56 | "retentionPolicy": { 57 | "enabled": false, 58 | "days": 0 59 | } 60 | } 61 | ] 62 | } 63 | } 64 | ], 65 | "outputs": {} 66 | }, 67 | "parameters": { 68 | "logAnalytics": { 69 | "value": "[parameters('logAnalytics')]" 70 | }, 71 | "location": { 72 | "value": "[field('location')]" 73 | }, 74 | "resourceName": { 75 | "value": "[field('name')]" 76 | } 77 | } 78 | } 79 | } 80 | } 81 | } 82 | } 83 | } 84 | } 85 | -------------------------------------------------------------------------------- /Policies/mySQLAzMonDeloyIfNotExists.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "displayName": "Apply diagnostic settings for DB for MySQL", 4 | "description": "This policy automatically deploys and enables diagnostic settings to DB for MySQL", 5 | "parameters": { 6 | "logAnalytics": { 7 | "type": "string", 8 | "metadata": { 9 | "displayName": "Log Analytics workspace", 10 | "description": "Select the Log Analytics workspace from dropdown list", 11 | "strongType": "omsWorkspace" 12 | } 13 | } 14 | }, 15 | "policyRule": { 16 | "if": { 17 | "field": "type", 18 | "equals": "Microsoft.DBforMySQL/servers" 19 | }, 20 | "then": { 21 | "effect": "deployIfNotExists", 22 | "details": { 23 | "type": "Microsoft.Insights/diagnosticSettings", 24 | "name": "setByPolicy", 25 | "deployment": { 26 | "properties": { 27 | "mode": "incremental", 28 | "template": { 29 | "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", 30 | "contentVersion": "1.0.0.0", 31 | "parameters": { 32 | "resourceName": { 33 | "type": "string" 34 | }, 35 | "logAnalytics": { 36 |
"type": "string" 37 | }, 38 | "location": { 39 | "type": "string" 40 | } 41 | }, 42 | "variables": {}, 43 | "resources": [ 44 | { 45 | "type": "Microsoft.DBforMySQL/servers/providers/diagnosticSettings", 46 | "apiVersion": "2017-05-01-preview", 47 | "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]", 48 | "location": "[parameters('location')]", 49 | "dependsOn": [], 50 | "properties": { 51 | "workspaceId": "[parameters('logAnalytics')]", 52 | "metrics": [ 53 | { 54 | "category": "AllMetrics", 55 | "enabled": true, 56 | "retentionPolicy": { 57 | "enabled": false, 58 | "days": 0 59 | } 60 | } 61 | ] 62 | } 63 | } 64 | ], 65 | "outputs": {} 66 | }, 67 | "parameters": { 68 | "logAnalytics": { 69 | "value": "[parameters('logAnalytics')]" 70 | }, 71 | "location": { 72 | "value": "[field('location')]" 73 | }, 74 | "resourceName": { 75 | "value": "[field('name')]" 76 | } 77 | } 78 | } 79 | } 80 | } 81 | } 82 | } 83 | } 84 | } 85 | -------------------------------------------------------------------------------- /Policies/egTopicsAzMonDeloyIfNotExists.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "displayName": "Apply diagnostic settings for Event Grid Topics", 4 | "description": "This policy automatically deploys and enables diagnostic settings to Event Grid Topics", 5 | "parameters": { 6 | "logAnalytics": { 7 | "type": "string", 8 | "metadata": { 9 | "displayName": "Log Analytics workspace", 10 | "description": "Select the Log Analytics workspace from dropdown list", 11 | "strongType": "omsWorkspace" 12 | } 13 | } 14 | }, 15 | "policyRule": { 16 | "if": { 17 | "field": "type", 18 | "equals": "Microsoft.EventGrid/topics" 19 | }, 20 | "then": { 21 | "effect": "deployIfNotExists", 22 | "details": { 23 | "type": "Microsoft.Insights/diagnosticSettings", 24 | "name": "setByPolicy", 25 | "deployment": { 26 | "properties": { 27 | "mode": "incremental", 28 | "template": { 29 |
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", 30 | "contentVersion": "1.0.0.0", 31 | "parameters": { 32 | "resourceName": { 33 | "type": "string" 34 | }, 35 | "logAnalytics": { 36 | "type": "string" 37 | }, 38 | "location": { 39 | "type": "string" 40 | } 41 | }, 42 | "variables": {}, 43 | "resources": [ 44 | { 45 | "type": "Microsoft.EventGrid/topics/providers/diagnosticSettings", 46 | "apiVersion": "2017-05-01-preview", 47 | "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]", 48 | "location": "[parameters('location')]", 49 | "dependsOn": [], 50 | "properties": { 51 | "workspaceId": "[parameters('logAnalytics')]", 52 | "metrics": [ 53 | { 54 | "category": "AllMetrics", 55 | "enabled": true, 56 | "retentionPolicy": { 57 | "enabled": false, 58 | "days": 0 59 | } 60 | } 61 | ] 62 | } 63 | } 64 | ], 65 | "outputs": {} 66 | }, 67 | "parameters": { 68 | "logAnalytics": { 69 | "value": "[parameters('logAnalytics')]" 70 | }, 71 | "location": { 72 | "value": "[field('location')]" 73 | }, 74 | "resourceName": { 75 | "value": "[field('name')]" 76 | } 77 | } 78 | } 79 | } 80 | } 81 | } 82 | } 83 | } 84 | } 85 | -------------------------------------------------------------------------------- /Policies/ehClustersAzMonDeloyIfNotExists.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "displayName": "Apply diagnostic settings for Event Hub Clusters", 4 | "description": "This policy automatically deploys and enables diagnostic settings to Event Hub Clusters", 5 | "parameters": { 6 | "logAnalytics": { 7 | "type": "string", 8 | "metadata": { 9 | "displayName": "Log Analytics workspace", 10 | "description": "Select the Log Analytics workspace from dropdown list", 11 | "strongType": "omsWorkspace" 12 | } 13 | } 14 | }, 15 | "policyRule": { 16 | "if": { 17 | "field": "type", 18 | "equals": "Microsoft.EventHub/clusters" 19 | }, 20 | "then": {
21 | "effect": "deployIfNotExists", 22 | "details": { 23 | "type": "Microsoft.Insights/diagnosticSettings", 24 | "name": "setByPolicy", 25 | "deployment": { 26 | "properties": { 27 | "mode": "incremental", 28 | "template": { 29 | "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", 30 | "contentVersion": "1.0.0.0", 31 | "parameters": { 32 | "resourceName": { 33 | "type": "string" 34 | }, 35 | "logAnalytics": { 36 | "type": "string" 37 | }, 38 | "location": { 39 | "type": "string" 40 | } 41 | }, 42 | "variables": {}, 43 | "resources": [ 44 | { 45 | "type": "Microsoft.EventHub/clusters/providers/diagnosticSettings", 46 | "apiVersion": "2017-05-01-preview", 47 | "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]", 48 | "location": "[parameters('location')]", 49 | "dependsOn": [], 50 | "properties": { 51 | "workspaceId": "[parameters('logAnalytics')]", 52 | "metrics": [ 53 | { 54 | "category": "AllMetrics", 55 | "enabled": true, 56 | "retentionPolicy": { 57 | "enabled": false, 58 | "days": 0 59 | } 60 | } 61 | ] 62 | } 63 | } 64 | ], 65 | "outputs": {} 66 | }, 67 | "parameters": { 68 | "logAnalytics": { 69 | "value": "[parameters('logAnalytics')]" 70 | }, 71 | "location": { 72 | "value": "[field('location')]" 73 | }, 74 | "resourceName": { 75 | "value": "[field('name')]" 76 | } 77 | } 78 | } 79 | } 80 | } 81 | } 82 | } 83 | } 84 | } 85 | -------------------------------------------------------------------------------- /Policies/vmAzMonDeloyIfNotExists.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "displayName": "Apply diagnostic settings for Virtual Machines", 4 | "description": "This policy automatically deploys and enables diagnostic settings to Virtual Machines", 5 | "parameters": { 6 | "logAnalytics": { 7 | "type": "string", 8 | "metadata": { 9 | "displayName": "Log Analytics workspace", 10 | "description": "Select the Log
Analytics workspace from dropdown list", 11 | "strongType": "omsWorkspace" 12 | } 13 | } 14 | }, 15 | "policyRule": { 16 | "if": { 17 | "field": "type", 18 | "equals": "Microsoft.Compute/virtualMachines" 19 | }, 20 | "then": { 21 | "effect": "deployIfNotExists", 22 | "details": { 23 | "type": "Microsoft.Insights/diagnosticSettings", 24 | "name": "setByPolicy", 25 | "deployment": { 26 | "properties": { 27 | "mode": "incremental", 28 | "template": { 29 | "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", 30 | "contentVersion": "1.0.0.0", 31 | "parameters": { 32 | "resourceName": { 33 | "type": "string" 34 | }, 35 | "logAnalytics": { 36 | "type": "string" 37 | }, 38 | "location": { 39 | "type": "string" 40 | } 41 | }, 42 | "variables": {}, 43 | "resources": [ 44 | { 45 | "type": "Microsoft.Compute/virtualMachines/providers/diagnosticSettings", 46 | "apiVersion": "2017-05-01-preview", 47 | "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]", 48 | "location": "[parameters('location')]", 49 | "dependsOn": [], 50 | "properties": { 51 | "workspaceId": "[parameters('logAnalytics')]", 52 | "metrics": [ 53 | { 54 | "category": "AllMetrics", 55 | "enabled": true, 56 | "retentionPolicy": { 57 | "enabled": false, 58 | "days": 0 59 | } 60 | } 61 | ] 62 | } 63 | } 64 | ], 65 | "outputs": {} 66 | }, 67 | "parameters": { 68 | "logAnalytics": { 69 | "value": "[parameters('logAnalytics')]" 70 | }, 71 | "location": { 72 | "value": "[field('location')]" 73 | }, 74 | "resourceName": { 75 | "value": "[field('name')]" 76 | } 77 | } 78 | } 79 | } 80 | } 81 | } 82 | } 83 | } 84 | } 85 | -------------------------------------------------------------------------------- /Policies/nicAzMonDeloyIfNotExists.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "displayName": "Apply diagnostic settings for Network Interfaces", 4 | "description": "This policy 
automatically deploys and enables diagnostic settings to Network Interfaces", 5 | "parameters": { 6 | "logAnalytics": { 7 | "type": "string", 8 | "metadata": { 9 | "displayName": "Log Analytics workspace", 10 | "description": "Select the Log Analytics workspace from dropdown list", 11 | "strongType": "omsWorkspace" 12 | } 13 | } 14 | }, 15 | "policyRule": { 16 | "if": { 17 | "field": "type", 18 | "equals": "Microsoft.Network/networkInterfaces" 19 | }, 20 | "then": { 21 | "effect": "deployIfNotExists", 22 | "details": { 23 | "type": "Microsoft.Insights/diagnosticSettings", 24 | "name": "setByPolicy", 25 | "deployment": { 26 | "properties": { 27 | "mode": "incremental", 28 | "template": { 29 | "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", 30 | "contentVersion": "1.0.0.0", 31 | "parameters": { 32 | "resourceName": { 33 | "type": "string" 34 | }, 35 | "logAnalytics": { 36 | "type": "string" 37 | }, 38 | "location": { 39 | "type": "string" 40 | } 41 | }, 42 | "variables": {}, 43 | "resources": [ 44 | { 45 | "type": "Microsoft.Network/networkInterfaces/providers/diagnosticSettings", 46 | "apiVersion": "2017-05-01-preview", 47 | "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]", 48 | "location": "[parameters('location')]", 49 | "dependsOn": [], 50 | "properties": { 51 | "workspaceId": "[parameters('logAnalytics')]", 52 | "metrics": [ 53 | { 54 | "category": "AllMetrics", 55 | "enabled": true, 56 | "retentionPolicy": { 57 | "enabled": false, 58 | "days": 0 59 | } 60 | } 61 | ] 62 | } 63 | } 64 | ], 65 | "outputs": {} 66 | }, 67 | "parameters": { 68 | "logAnalytics": { 69 | "value": "[parameters('logAnalytics')]" 70 | }, 71 | "location": { 72 | "value": "[field('location')]" 73 | }, 74 | "resourceName": { 75 | "value": "[field('name')]" 76 | } 77 | } 78 | } 79 | } 80 | } 81 | } 82 | } 83 | } 84 | } 85 | --------------------------------------------------------------------------------
/Policies/cognitiveAzMonDeloyIfNotExists.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "displayName": "Apply diagnostic settings for Cognitive Services.", 4 | "description": "This policy automatically deploys and enables diagnostic settings to Cognitive Services", 5 | "parameters": { 6 | "logAnalytics": { 7 | "type": "string", 8 | "metadata": { 9 | "displayName": "Log Analytics workspace", 10 | "description": "Select the Log Analytics workspace from dropdown list", 11 | "strongType": "omsWorkspace" 12 | } 13 | } 14 | }, 15 | "policyRule": { 16 | "if": { 17 | "field": "type", 18 | "equals": "Microsoft.CognitiveServices/accounts" 19 | }, 20 | "then": { 21 | "effect": "deployIfNotExists", 22 | "details": { 23 | "type": "Microsoft.Insights/diagnosticSettings", 24 | "name": "setByPolicy", 25 | "deployment": { 26 | "properties": { 27 | "mode": "incremental", 28 | "template": { 29 | "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", 30 | "contentVersion": "1.0.0.0", 31 | "parameters": { 32 | "resourceName": { 33 | "type": "string" 34 | }, 35 | "logAnalytics": { 36 | "type": "string" 37 | }, 38 | "location": { 39 | "type": "string" 40 | } 41 | }, 42 | "variables": {}, 43 | "resources": [ 44 | { 45 | "type": "Microsoft.CognitiveServices/accounts/providers/diagnosticSettings", 46 | "apiVersion": "2017-05-01-preview", 47 | "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]", 48 | "location": "[parameters('location')]", 49 | "dependsOn": [], 50 | "properties": { 51 | "workspaceId": "[parameters('logAnalytics')]", 52 | "metrics": [ 53 | { 54 | "category": "AllMetrics", 55 | "enabled": true, 56 | "retentionPolicy": { 57 | "enabled": false, 58 | "days": 0 59 | } 60 | } 61 | ] 62 | } 63 | } 64 | ], 65 | "outputs": {} 66 | }, 67 | "parameters": { 68 | "logAnalytics": { 69 | "value": "[parameters('logAnalytics')]" 70 | }, 71 | "location":
{ 72 | "value": "[field('location')]" 73 | }, 74 | "resourceName": { 75 | "value": "[field('name')]" 76 | } 77 | } 78 | } 79 | } 80 | } 81 | } 82 | } 83 | } 84 | } -------------------------------------------------------------------------------- /Policies/signalrAzMonDeloyIfNotExists.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "displayName": "Apply diagnostic settings for Azure SignalR Service", 4 | "description": "This policy automatically deploys and enables diagnostic settings to Azure SignalR Service", 5 | "parameters": { 6 | "logAnalytics": { 7 | "type": "string", 8 | "metadata": { 9 | "displayName": "Log Analytics workspace", 10 | "description": "Select the Log Analytics workspace from dropdown list", 11 | "strongType": "omsWorkspace" 12 | } 13 | } 14 | }, 15 | "policyRule": { 16 | "if": { 17 | "field": "type", 18 | "equals": "Microsoft.SignalRService/SignalR" 19 | }, 20 | "then": { 21 | "effect": "deployIfNotExists", 22 | "details": { 23 | "type": "Microsoft.Insights/diagnosticSettings", 24 | "name": "setByPolicy", 25 | "deployment": { 26 | "properties": { 27 | "mode": "incremental", 28 | "template": { 29 | "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", 30 | "contentVersion": "1.0.0.0", 31 | "parameters": { 32 | "resourceName": { 33 | "type": "string" 34 | }, 35 | "logAnalytics": { 36 | "type": "string" 37 | }, 38 | "location": { 39 | "type": "string" 40 | } 41 | }, 42 | "variables": {}, 43 | "resources": [ 44 | { 45 | "type": "Microsoft.SignalRService/SignalR/providers/diagnosticSettings", 46 | "apiVersion": "2017-05-01-preview", 47 | "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]", 48 | "location": "[parameters('location')]", 49 | "dependsOn": [], 50 | "properties": { 51 | "workspaceId": "[parameters('logAnalytics')]", 52 | "metrics": [ 53 | { 54 | "category": "AllMetrics", 55 | "enabled": true, 56 |
"retentionPolicy": { 57 | "enabled": false, 58 | "days": 0 59 | } 60 | } 61 | ] 62 | } 63 | } 64 | ], 65 | "outputs": {} 66 | }, 67 | "parameters": { 68 | "logAnalytics": { 69 | "value": "[parameters('logAnalytics')]" 70 | }, 71 | "location": { 72 | "value": "[field('location')]" 73 | }, 74 | "resourceName": { 75 | "value": "[field('name')]" 76 | } 77 | } 78 | } 79 | } 80 | } 81 | } 82 | } 83 | } 84 | } 85 | -------------------------------------------------------------------------------- /Policies/acrAzMonDeloyIfNotExists.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "displayName": "Apply diagnostic settings for Azure Container Registry.", 4 | "description": "This policy automatically deploys and enables diagnostic settings to Azure Container Registry", 5 | "parameters": { 6 | "logAnalytics": { 7 | "type": "string", 8 | "metadata": { 9 | "displayName": "Log Analytics workspace", 10 | "description": "Select the Log Analytics workspace from dropdown list", 11 | "strongType": "omsWorkspace" 12 | } 13 | } 14 | }, 15 | "policyRule": { 16 | "if": { 17 | "field": "type", 18 | "equals": "Microsoft.ContainerRegistry/registries" 19 | }, 20 | "then": { 21 | "effect": "deployIfNotExists", 22 | "details": { 23 | "type": "Microsoft.Insights/diagnosticSettings", 24 | "name": "setByPolicy", 25 | "deployment": { 26 | "properties": { 27 | "mode": "incremental", 28 | "template": { 29 | "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", 30 | "contentVersion": "1.0.0.0", 31 | "parameters": { 32 | "resourceName": { 33 | "type": "string" 34 | }, 35 | "logAnalytics": { 36 | "type": "string" 37 | }, 38 | "location": { 39 | "type": "string" 40 | } 41 | }, 42 | "variables": {}, 43 | "resources": [ 44 | { 45 | "type": "Microsoft.ContainerRegistry/registries/providers/diagnosticSettings", 46 | "apiVersion": "2017-05-01-preview", 47 | "name": "[concat(parameters('resourceName'), '/',
'Microsoft.Insights/setByPolicy')]", 48 | "location": "[parameters('location')]", 49 | "dependsOn": [], 50 | "properties": { 51 | "workspaceId": "[parameters('logAnalytics')]", 52 | "metrics": [ 53 | { 54 | "category": "AllMetrics", 55 | "enabled": true, 56 | "retentionPolicy": { 57 | "enabled": false, 58 | "days": 0 59 | } 60 | } 61 | ] 62 | } 63 | } 64 | ], 65 | "outputs": {} 66 | }, 67 | "parameters": { 68 | "logAnalytics": { 69 | "value": "[parameters('logAnalytics')]" 70 | }, 71 | "location": { 72 | "value": "[field('location')]" 73 | }, 74 | "resourceName": { 75 | "value": "[field('name')]" 76 | } 77 | } 78 | } 79 | } 80 | } 81 | } 82 | } 83 | } 84 | } -------------------------------------------------------------------------------- /Policies/tsiAzMonDeloyIfNotExists.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "displayName": "Apply diagnostic settings for Time Series Insights", 4 | "description": "This policy automatically deploys and enables diagnostic settings to Time Series Insights", 5 | "parameters": { 6 | "logAnalytics": { 7 | "type": "string", 8 | "metadata": { 9 | "displayName": "Log Analytics workspace", 10 | "description": "Select the Log Analytics workspace from dropdown list", 11 | "strongType": "omsWorkspace" 12 | } 13 | } 14 | }, 15 | "policyRule": { 16 | "if": { 17 | "field": "type", 18 | "equals": "Microsoft.TimeSeriesInsights/environments" 19 | }, 20 | "then": { 21 | "effect": "deployIfNotExists", 22 | "details": { 23 | "type": "Microsoft.Insights/diagnosticSettings", 24 | "name": "setByPolicy", 25 | "deployment": { 26 | "properties": { 27 | "mode": "incremental", 28 | "template": { 29 | "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", 30 | "contentVersion": "1.0.0.0", 31 | "parameters": { 32 | "resourceName": { 33 | "type": "string" 34 | }, 35 | "logAnalytics": { 36 | "type": "string" 37 | }, 38 | "location": { 39 | "type":
"string" 40 | } 41 | }, 42 | "variables": {}, 43 | "resources": [ 44 | { 45 | "type": "Microsoft.TimeSeriesInsights/environments/providers/diagnosticSettings", 46 | "apiVersion": "2017-05-01-preview", 47 | "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]", 48 | "location": "[parameters('location')]", 49 | "dependsOn": [], 50 | "properties": { 51 | "workspaceId": "[parameters('logAnalytics')]", 52 | "metrics": [ 53 | { 54 | "category": "AllMetrics", 55 | "enabled": true, 56 | "retentionPolicy": { 57 | "enabled": false, 58 | "days": 0 59 | } 60 | } 61 | ] 62 | } 63 | } 64 | ], 65 | "outputs": {} 66 | }, 67 | "parameters": { 68 | "logAnalytics": { 69 | "value": "[parameters('logAnalytics')]" 70 | }, 71 | "location": { 72 | "value": "[field('location')]" 73 | }, 74 | "resourceName": { 75 | "value": "[field('name')]" 76 | } 77 | } 78 | } 79 | } 80 | } 81 | } 82 | } 83 | } 84 | } 85 | -------------------------------------------------------------------------------- /Policies/egETopicsAzMonDeloyIfNotExists.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "displayName": "Apply diagnostic settings for Event Grid Extension Topics", 4 | "description": "This policy automatically deploys and enables diagnostic settings to Event Grid Extension Topics", 5 | "parameters": { 6 | "logAnalytics": { 7 | "type": "string", 8 | "metadata": { 9 | "displayName": "Log Analytics workspace", 10 | "description": "Select the Log Analytics workspace from dropdown list", 11 | "strongType": "omsWorkspace" 12 | } 13 | } 14 | }, 15 | "policyRule": { 16 | "if": { 17 | "field": "type", 18 | "equals": "Microsoft.EventGrid/extensionTopics" 19 | }, 20 | "then": { 21 | "effect": "deployIfNotExists", 22 | "details": { 23 | "type": "Microsoft.Insights/diagnosticSettings", 24 | "name": "setByPolicy", 25 | "deployment": { 26 | "properties": { 27 | "mode": "incremental", 28 | "template": { 29 | "$schema":
"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", 30 | "contentVersion": "1.0.0.0", 31 | "parameters": { 32 | "resourceName": { 33 | "type": "string" 34 | }, 35 | "logAnalytics": { 36 | "type": "string" 37 | }, 38 | "location": { 39 | "type": "string" 40 | } 41 | }, 42 | "variables": {}, 43 | "resources": [ 44 | { 45 | "type": "Microsoft.EventGrid/extensionTopics/providers/diagnosticSettings", 46 | "apiVersion": "2017-05-01-preview", 47 | "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]", 48 | "location": "[parameters('location')]", 49 | "dependsOn": [], 50 | "properties": { 51 | "workspaceId": "[parameters('logAnalytics')]", 52 | "metrics": [ 53 | { 54 | "category": "AllMetrics", 55 | "enabled": true, 56 | "retentionPolicy": { 57 | "enabled": false, 58 | "days": 0 59 | } 60 | } 61 | ] 62 | } 63 | } 64 | ], 65 | "outputs": {} 66 | }, 67 | "parameters": { 68 | "logAnalytics": { 69 | "value": "[parameters('logAnalytics')]" 70 | }, 71 | "location": { 72 | "value": "[field('location')]" 73 | }, 74 | "resourceName": { 75 | "value": "[field('name')]" 76 | } 77 | } 78 | } 79 | } 80 | } 81 | } 82 | } 83 | } 84 | } 85 | -------------------------------------------------------------------------------- /Policies/aciAzMonDeloyIfNotExists.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "displayName": "Apply diagnostic settings for Azure Container Instances", 4 | "description": "This policy automatically deploys and enables diagnostic settings to Azure Container Instances", 5 | "parameters": { 6 | "logAnalytics": { 7 | "type": "string", 8 | "metadata": { 9 | "displayName": "Log Analytics workspace", 10 | "description": "Select the Log Analytics workspace from dropdown list", 11 | "strongType": "omsWorkspace" 12 | } 13 | } 14 | }, 15 | "policyRule": { 16 | "if": { 17 | "field": "type", 18 | "equals": "Microsoft.ContainerInstance/containerGroups"
19 | }, 20 | "then": { 21 | "effect": "deployIfNotExists", 22 | "details": { 23 | "type": "Microsoft.Insights/diagnosticSettings", 24 | "name": "setByPolicy", 25 | "deployment": { 26 | "properties": { 27 | "mode": "incremental", 28 | "template": { 29 | "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", 30 | "contentVersion": "1.0.0.0", 31 | "parameters": { 32 | "resourceName": { 33 | "type": "string" 34 | }, 35 | "logAnalytics": { 36 | "type": "string" 37 | }, 38 | "location": { 39 | "type": "string" 40 | } 41 | }, 42 | "variables": {}, 43 | "resources": [ 44 | { 45 | "type": "Microsoft.ContainerInstance/containerGroups/providers/diagnosticSettings", 46 | "apiVersion": "2017-05-01-preview", 47 | "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]", 48 | "location": "[parameters('location')]", 49 | "dependsOn": [], 50 | "properties": { 51 | "workspaceId": "[parameters('logAnalytics')]", 52 | "metrics": [ 53 | { 54 | "category": "AllMetrics", 55 | "enabled": true, 56 | "retentionPolicy": { 57 | "enabled": false, 58 | "days": 0 59 | } 60 | } 61 | ] 62 | } 63 | } 64 | ], 65 | "outputs": {} 66 | }, 67 | "parameters": { 68 | "logAnalytics": { 69 | "value": "[parameters('logAnalytics')]" 70 | }, 71 | "location": { 72 | "value": "[field('location')]" 73 | }, 74 | "resourceName": { 75 | "value": "[field('name')]" 76 | } 77 | } 78 | } 79 | } 80 | } 81 | } 82 | } 83 | } 84 | } 85 | -------------------------------------------------------------------------------- /Policies/classicComputeAzMonDeloyIfNotExists.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "displayName": "Apply diagnostic settings for Classic Virtual Machines.", 4 | "description": "This policy automatically deploys and enable diagnostic settings to Classic Virtual Machines", 5 | "parameters": { 6 | "logAnalytics": { 7 | "type": "string", 8 | "metadata": { 9 | 
"displayName": "Log Analyitcs workspace", 10 | "description": "Select the Log Analytics workspace from dropdown list", 11 | "strongType": "omsWorkspace" 12 | } 13 | } 14 | }, 15 | "policyRule": { 16 | "if": { 17 | "field": "type", 18 | "equals": "Microsoft.ClassicCompute/virtualMachines" 19 | }, 20 | "then": { 21 | "effect": "deployIfNotExists", 22 | "details": { 23 | "type": "Microsoft.Insights/diagnosticSettings", 24 | "name": "setByPolicy", 25 | "deployment": { 26 | "properties": { 27 | "mode": "incremental", 28 | "template": { 29 | "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", 30 | "contentVersion": "1.0.0.0", 31 | "parameters": { 32 | "resourceName": { 33 | "type": "string" 34 | }, 35 | "logAnalytics": { 36 | "type": "string" 37 | }, 38 | "location": { 39 | "type": "string" 40 | } 41 | }, 42 | "variables": {}, 43 | "resources": [ 44 | { 45 | "type": "Microsoft.ClassicCompute/virtualMachines/providers/diagnosticSettings", 46 | "apiVersion": "2017-05-01-preview", 47 | "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]", 48 | "location": "[parameters('location')]", 49 | "dependsOn": [], 50 | "properties": { 51 | "workspaceId": "[parameters('logAnalytics')]", 52 | "metrics": [ 53 | { 54 | "category": "AllMetrics", 55 | "enabled": true, 56 | "retentionPolicy": { 57 | "enabled": false, 58 | "days": 0 59 | } 60 | } 61 | ] 62 | } 63 | } 64 | ], 65 | "outputs": {} 66 | }, 67 | "parameters": { 68 | "logAnalytics": { 69 | "value": "[parameters('logAnalytics')]" 70 | }, 71 | "location": { 72 | "value": "[field('location')]" 73 | }, 74 | "resourceName": { 75 | "value": "[field('name')]" 76 | } 77 | } 78 | } 79 | } 80 | } 81 | } 82 | } 83 | } 84 | } -------------------------------------------------------------------------------- /Policies/egSubscriptionsAzMonDeloyIfNotExists.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | 
"displayName": "Apply diagnostic settings for Event Grid Subscriptions", 4 | "description": "This policy automatically deploys and enable diagnostic settings to Event Grid Subscriptions", 5 | "parameters": { 6 | "logAnalytics": { 7 | "type": "string", 8 | "metadata": { 9 | "displayName": "Log Analyitcs workspace", 10 | "description": "Select the Log Analytics workspace from dropdown list", 11 | "strongType": "omsWorkspace" 12 | } 13 | } 14 | }, 15 | "policyRule": { 16 | "if": { 17 | "field": "type", 18 | "equals": "Microsoft.EventGrid/eventSubscriptions" 19 | }, 20 | "then": { 21 | "effect": "deployIfNotExists", 22 | "details": { 23 | "type": "Microsoft.Insights/diagnosticSettings", 24 | "name": "setByPolicy", 25 | "deployment": { 26 | "properties": { 27 | "mode": "incremental", 28 | "template": { 29 | "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", 30 | "contentVersion": "1.0.0.0", 31 | "parameters": { 32 | "resourceName": { 33 | "type": "string" 34 | }, 35 | "logAnalytics": { 36 | "type": "string" 37 | }, 38 | "location": { 39 | "type": "string" 40 | } 41 | }, 42 | "variables": {}, 43 | "resources": [ 44 | { 45 | "type": "Microsoft.EventGrid/eventSubscriptions/providers/diagnosticSettings", 46 | "apiVersion": "2017-05-01-preview", 47 | "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]", 48 | "location": "[parameters('location')]", 49 | "dependsOn": [], 50 | "properties": { 51 | "workspaceId": "[parameters('logAnalytics')]", 52 | "metrics": [ 53 | { 54 | "category": "AllMetrics", 55 | "enabled": true, 56 | "retentionPolicy": { 57 | "enabled": false, 58 | "days": 0 59 | } 60 | } 61 | ] 62 | } 63 | } 64 | ], 65 | "outputs": {} 66 | }, 67 | "parameters": { 68 | "logAnalytics": { 69 | "value": "[parameters('logAnalytics')]" 70 | }, 71 | "location": { 72 | "value": "[field('location')]" 73 | }, 74 | "resourceName": { 75 | "value": "[field('name')]" 76 | } 77 | } 78 | } 79 | } 80 | } 81 | } 
82 | } 83 | } 84 | } 85 | -------------------------------------------------------------------------------- /Policies/vmssAzMonDeloyIfNotExists.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "displayName": "Apply diagnostic settings for Virtual Machine Scale Sets", 4 | "description": "This policy automatically deploys and enable diagnostic settings to Virtual Machine Scale Sets", 5 | "parameters": { 6 | "logAnalytics": { 7 | "type": "string", 8 | "metadata": { 9 | "displayName": "Log Analyitcs workspace", 10 | "description": "Select the Log Analytics workspace from dropdown list", 11 | "strongType": "omsWorkspace" 12 | } 13 | } 14 | }, 15 | "policyRule": { 16 | "if": { 17 | "field": "type", 18 | "equals": "Microsoft.Compute/virtualMachinesScaleSets" 19 | }, 20 | "then": { 21 | "effect": "deployIfNotExists", 22 | "details": { 23 | "type": "Microsoft.Insights/diagnosticSettings", 24 | "name": "setByPolicy", 25 | "deployment": { 26 | "properties": { 27 | "mode": "incremental", 28 | "template": { 29 | "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", 30 | "contentVersion": "1.0.0.0", 31 | "parameters": { 32 | "resourceName": { 33 | "type": "string" 34 | }, 35 | "logAnalytics": { 36 | "type": "string" 37 | }, 38 | "location": { 39 | "type": "string" 40 | } 41 | }, 42 | "variables": {}, 43 | "resources": [ 44 | { 45 | "type": "Microsoft.Compute/virtualMachinesScaleSets/providers/diagnosticSettings", 46 | "apiVersion": "2017-05-01-preview", 47 | "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]", 48 | "location": "[parameters('location')]", 49 | "dependsOn": [], 50 | "properties": { 51 | "workspaceId": "[parameters('logAnalytics')]", 52 | "metrics": [ 53 | { 54 | "category": "AllMetrics", 55 | "enabled": true, 56 | "retentionPolicy": { 57 | "enabled": false, 58 | "days": 0 59 | } 60 | } 61 | ] 62 | } 63 | } 64 | ], 65 | 
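"outputs": {} 66 | }, 67 | "parameters": { 68 | "logAnalytics": { 69 | "value": "[parameters('logAnalytics')]" 70 | }, 71 | "location": { 72 | "value": "[field('location')]" 73 | }, 74 | "resourceName": { 75 | "value": "[field('name')]" 76 | } 77 | } 78 | } 79 | } 80 | } 81 | } 82 | } 83 | } 84 | } 85 | -------------------------------------------------------------------------------- /Templates/psDeployment.ps1: --------------------------------------------------------------------------------
# Sample sequence: deploy the mgmt subscription template, then the user subscription
# template, then a VM workload into a new resource group in the user subscription.
## Replace the variables below to reflect your environment(s)
# Defining global deployment variables

$mgmtSubscriptionId = ""
$userSubscriptionId = ""

# NOTE(review): all template URIs in this script track the mutable 'master' branch. The
# subscription deployments are handed a principal id and the Owner role definition id, so
# consider pinning the URIs to a reviewed commit or deploying a reviewed local copy.
$mgmtSubscriptionTemplateUri = "https://raw.githubusercontent.com/krnese/azureArchitectures/master/Templates/Mgmt/mgmtSubscription.json"
$userSubscriptionTemplateUri = "https://raw.githubusercontent.com/krnese/azureArchitectures/master/Templates/User/userSubscription.json"

# Stop before touching any subscription if the ids above were left blank.
if ([string]::IsNullOrWhiteSpace($mgmtSubscriptionId) -or [string]::IsNullOrWhiteSpace($userSubscriptionId)) {
    throw 'Set $mgmtSubscriptionId and $userSubscriptionId before running this script.'
}

# Set subscription context to mgmt subscription
# (fix: the original passed the undefined $mgmtSubscription; -ErrorAction Stop keeps a failed
# context switch from letting the deployment run against whatever context is current)

Select-AzureRmSubscription -SubscriptionId $mgmtSubscriptionId -ErrorAction Stop

# Defining variables for mgmt subscription deployment

$mgmtRgName = "sharedMgmt"
$rgsLocation = "eastus"
$nwRgName = "hubNetwork"
$userPrincipalName = ""
# fix: the original looked up the misspelled, undefined $userPrinciaplName
$principalId = (Get-AzureRmADUser -UserPrincipalName $userPrincipalName -ErrorAction Stop).id
# The id is passed together with the Owner role definition below, so require exactly one match.
if (-not $principalId -or @($principalId).Count -ne 1) {
    throw "Expected exactly one Azure AD user for '$userPrincipalName'."
}
$roleDefinitionId = (Get-AzureRmRoleDefinition -Name Owner).id
$deniedLocation = "northeurope" #optional; not passed to the deployment below
$deploymentName = "shared"
$deploymentLocation = "eastus"
$enableResourceLocks = "Yes" #optional

# Deploying mgmt subscription template

New-AzureRmDeployment -Name $deploymentName `
                      -Location $deploymentLocation `
                      -TemplateUri $mgmtSubscriptionTemplateUri `
                      -principalId $principalId `
                      -roleDefinitionId $roleDefinitionId `
                      -rgsLocation $rgsLocation `
                      -mgmtRgName $mgmtRgName `
                      -nwRgName $nwRgName `
                      -enableResourceLocks $enableResourceLocks `
                      -Verbose

# Fetching resourceId from the previous deployment

$logAnalyticsId = (Get-AzureRmResource -ResourceType Microsoft.OperationalInsights/workspaces -ResourceGroupName $mgmtRgName).ResourceId
# The user deployment takes a single workspace id; none or several would pass a wrong value.
if (-not $logAnalyticsId -or @($logAnalyticsId).Count -ne 1) {
    throw "Expected exactly one Log Analytics workspace in resource group '$mgmtRgName'."
}

# Switching deployment context to user subscription

Select-AzureRmSubscription -SubscriptionId $userSubscriptionId -ErrorAction Stop

# Defining variables for user subscription deployment

$userRgsLocation = "eastus"
$userNwRgName = "spokeNetwork"
$userPrincipalName = "krnese@microsoft.com"
$userPrincipalId = (Get-AzureRmADUser -UserPrincipalName $userPrincipalName -ErrorAction Stop).id
if (-not $userPrincipalId -or @($userPrincipalId).Count -ne 1) {
    throw "Expected exactly one Azure AD user for '$userPrincipalName'."
}
$userRoleDefinitionId = (Get-AzureRmRoleDefinition -Name Owner).id
$userDeniedLocation = "northeurope" #optional; not passed to the deployment below
$userDeploymentName = "user"
$userDeploymentLocation = "eastus"
$userEnableResourceLocks = "Yes"
$mgmtSubId = $mgmtSubscriptionId # not passed to the deployment below
$mgmtNwRgName = $nwRgName
# $logAnalyticsId is reused as fetched above (the original re-assigned it to itself)

# Deploying user subscription template

New-AzureRmDeployment -Name $userDeploymentName `
                      -Location $userDeploymentLocation `
                      -TemplateUri $userSubscriptionTemplateUri `
                      -principalId $userPrincipalId `
                      -roleDefinitionId $userRoleDefinitionId `
                      -rgsLocation $userRgsLocation `
                      -nwRgName $userNwRgName `
                      -enableResourceLocks $userEnableResourceLocks `
                      -logAnalyticsId $logAnalyticsId `
                      -mgmtNwRgName $mgmtNwRgName `
                      -Verbose

# Defining variables for vm workload deployment

$vmNamePrefix = "uservm10"
$production = "Yes"
$platform = "Linux"
$workloadTemplateUri = "https://raw.githubusercontent.com/krnese/azureArchitectures/master/Templates/Workload/vmCondition.json"
$userName = "azureadmin"
$rgDeploymentName = "workload"
$location = "eastus"
# Creates the resource group named after the VM prefix and keeps its name for the deployment
$rgName = (New-AzureRmResourceGroup -Name $vmNamePrefix -Location $location).ResourceGroupName

# Deploy workload to user subscription

New-AzureRmResourceGroupDeployment -Name $rgDeploymentName `
                                   -ResourceGroupName $rgName `
                                   -TemplateUri $workloadTemplateUri `
                                   -userName $userName `
                                   -platform $platform `
                                   -production $production `
                                   -vmNamePrefix $vmNamePrefix `
                                   -Verbose

# The end
-------------------------------------------------------------------------------- /Policies/nsgAzMonDeployIfNotExists.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "displayName": "Apply diagnostic settings for Azure Network Security Groups", 4 | "description": "This policy automatically deploys and enable diagnostic settings to Network Security Groups", 5 | "parameters": { 6 | "logAnalytics": { 7 | "type": "string", 8 | "metadata": { 9 | "displayName": "Log Analyitcs workspace", 10 | "description": "Select the Log Analytics workspace from dropdown list", 11 | "strongType": "omsWorkspace" 12 | } 13 | } 14 | }, 15 | "policyRule": { 16 | "if": { 17 | "field": "type", 18 | "equals": "Microsoft.Network/networkSecurityGroups" 19 | }, 20 | "then": { 21 | "effect": "deployIfNotExists", 22 | "details": { 23 | "type": "Microsoft.Insights/diagnosticSettings", 24 | "name": "setByPolicy", 25 | "deployment": { 26 | "properties": { 27 | "mode": "incremental", 28 | "template": { 29 | "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", 30 | "contentVersion": "1.0.0.0", 31 | "parameters": { 32 | "nsgName": { 33 | "type": "string" 34 | }, 35 | "logAnalytics": { 36 | "type": "string" 37 | }, 38 | "location": { 39 | "type": "string" 40 | } 41 | }, 42 | "variables": { 43 | }, 44 | "resources": [ 45 | { 46 | "type": "Microsoft.Network/networkSecurityGroups/providers/diagnosticSettings", 47 | "apiVersion": "2017-05-01-preview", 48 | "name": "[concat(parameters('nsgName'), '/', 'Microsoft.Insights/setByPolicy')]", 49 | "location": "[parameters('location')]", 50 | "dependsOn": [ 51 | ], 52 |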
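"properties": { 53 | "workspaceId": "[parameters('logAnalytics')]", 54 | "logs": [ 55 | { 56 | "category": "NetworkSecurityGroupEvent", 57 | "enabled": true 58 | }, 59 | { 60 | "category": "NetworkSecurityGroupRuleCounter", 61 | "enabled": true 62 | } 63 | ] 64 | } 65 | } 66 | ], 67 | "outputs": {} 68 | }, 69 | "parameters": { 70 | "logAnalytics": { 71 | "value": "[parameters('logAnalytics')]" 72 | }, 73 | "location": { 74 | "value": "[field('location')]" 75 | }, 76 | "nsgName": { 77 | "value": "[field('name')]" 78 | } 79 | } 80 | } 81 | } 82 | } 83 | } 84 | } 85 | } 86 | } -------------------------------------------------------------------------------- /Templates/Mgmt/psDeployment.ps1: --------------------------------------------------------------------------------
# Sample sequence: deploy the mgmt subscription template, then the user subscription
# template, then a VM workload into a new resource group in the user subscription.
## Replace the variables below to reflect your environment(s)
# Defining global deployment variables
# NOTE(review): the subscription ids and user principal names in this file are the author's
# sample values; replace them, and prefer supplying real tenant identifiers at run time
# rather than committing them to the repository.

$mgmtSubscriptionId = "09e8ed26-7d8b-4678-a179-cfca8a0cef5c"
$userSubscriptionId = "155c4768-b71c-4e4b-a990-97407f43edda"

# NOTE(review): all template URIs in this script track the mutable 'master' branch. The
# subscription deployments are handed a principal id and the Owner role definition id, so
# consider pinning the URIs to a reviewed commit or deploying a reviewed local copy.
$mgmtSubscriptionTemplateUri = "https://raw.githubusercontent.com/krnese/azureArchitectures/master/Templates/Mgmt/mgmtSubscription.json"
$userSubscriptionTemplateUri = "https://raw.githubusercontent.com/krnese/azureArchitectures/master/Templates/User/userSubscription.json"

# Stop before touching any subscription if the ids above were blanked out.
if ([string]::IsNullOrWhiteSpace($mgmtSubscriptionId) -or [string]::IsNullOrWhiteSpace($userSubscriptionId)) {
    throw 'Set $mgmtSubscriptionId and $userSubscriptionId before running this script.'
}

# Set subscription context to mgmt subscription
# (fix: the original passed the undefined $mgmtSubscription; -ErrorAction Stop keeps a failed
# context switch from letting the deployment run against whatever context is current)

Select-AzureRmSubscription -SubscriptionId $mgmtSubscriptionId -ErrorAction Stop

# Defining variables for mgmt subscription deployment

$mgmtRgName = "sharedMgmt"
$rgsLocation = "eastus"
$nwRgName = "hubNetwork"
$userPrincipalName = "krnese@microsoft.com"
# fix: the original looked up the misspelled, undefined $userPrinciaplName
$principalId = (Get-AzureRmADUser -UserPrincipalName $userPrincipalName -ErrorAction Stop).id
# The id is passed together with the Owner role definition below, so require exactly one match.
if (-not $principalId -or @($principalId).Count -ne 1) {
    throw "Expected exactly one Azure AD user for '$userPrincipalName'."
}
$roleDefinitionId = (Get-AzureRmRoleDefinition -Name Owner).id
$deniedLocation = "northeurope" #optional; not passed to the deployment below
$deploymentName = "shared"
$deploymentLocation = "eastus"
$enableResourceLocks = "Yes" #optional

# Deploying mgmt subscription template

New-AzureRmDeployment -Name $deploymentName `
                      -Location $deploymentLocation `
                      -TemplateUri $mgmtSubscriptionTemplateUri `
                      -principalId $principalId `
                      -roleDefinitionId $roleDefinitionId `
                      -rgsLocation $rgsLocation `
                      -mgmtRgName $mgmtRgName `
                      -nwRgName $nwRgName `
                      -enableResourceLocks $enableResourceLocks `
                      -Verbose

# Fetching resourceId from the previous deployment

$logAnalyticsId = (Get-AzureRmResource -ResourceType Microsoft.OperationalInsights/workspaces -ResourceGroupName $mgmtRgName).ResourceId
# The user deployment takes a single workspace id; none or several would pass a wrong value.
if (-not $logAnalyticsId -or @($logAnalyticsId).Count -ne 1) {
    throw "Expected exactly one Log Analytics workspace in resource group '$mgmtRgName'."
}

# Switching deployment context to user subscription

Select-AzureRmSubscription -SubscriptionId $userSubscriptionId -ErrorAction Stop

# Defining variables for user subscription deployment

$userRgsLocation = "eastus"
$userNwRgName = "spokeNetwork"
$userPrincipalName = "krnese@microsoft.com"
$userPrincipalId = (Get-AzureRmADUser -UserPrincipalName $userPrincipalName -ErrorAction Stop).id
if (-not $userPrincipalId -or @($userPrincipalId).Count -ne 1) {
    throw "Expected exactly one Azure AD user for '$userPrincipalName'."
}
$userRoleDefinitionId = (Get-AzureRmRoleDefinition -Name Owner).id
$userDeniedLocation = "northeurope" #optional; not passed to the deployment below
$userDeploymentName = "user"
$userDeploymentLocation = "eastus"
$userEnableResourceLocks = "Yes"
$mgmtSubId = $mgmtSubscriptionId # not passed to the deployment below
$mgmtNwRgName = $nwRgName
# $logAnalyticsId is reused as fetched above (the original re-assigned it to itself)

# Deploying user subscription template

New-AzureRmDeployment -Name $userDeploymentName `
                      -Location $userDeploymentLocation `
                      -TemplateUri $userSubscriptionTemplateUri `
                      -principalId $userPrincipalId `
                      -roleDefinitionId $userRoleDefinitionId `
                      -rgsLocation $userRgsLocation `
                      -nwRgName $userNwRgName `
                      -enableResourceLocks $userEnableResourceLocks `
                      -logAnalyticsId $logAnalyticsId `
                      -mgmtNwRgName $mgmtNwRgName `
                      -Verbose

# Defining variables for vm workload deployment

$vmNamePrefix = "uservm10"
$production = "Yes"
$platform = "Linux"
$workloadTemplateUri = "https://raw.githubusercontent.com/krnese/azureArchitectures/master/Templates/Workload/vmCondition.json"
$userName = "azureadmin"
$rgDeploymentName = "workload"
$location = "eastus"
# Creates the resource group named after the VM prefix and keeps its name for the deployment
$rgName = (New-AzureRmResourceGroup -Name $vmNamePrefix -Location $location).ResourceGroupName

# Deploy workload to user subscription

New-AzureRmResourceGroupDeployment -Name $rgDeploymentName `
                                   -ResourceGroupName $rgName `
                                   -TemplateUri $workloadTemplateUri `
                                   -userName $userName `
                                   -platform $platform `
                                   -production $production `
                                   -vmNamePrefix $vmNamePrefix `
                                   -Verbose

# The end
-------------------------------------------------------------------------------- /Policies/keyVaultAzMonDeployIfNotExists.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "displayName": "Apply diagnostic settings for Key Vaults", 4 | "description": "This policy automatically deploys and enable diagnostic settings to Key Vaults", 5 | "parameters": { 6 | "logAnalytics": { 7 | "type": "string", 8 | "metadata": { 9 | "displayName": "Log Analyitcs workspace", 10 | "description": "Select the Log Analytics workspace from dropdown list", 11 | "strongType": "omsWorkspace" 12 | } 13 | } 14 | }, 15 | "policyRule": { 16 | "if": { 17 | "field": "type", 18 | "equals": "Microsoft.KeyVault/vaults" 19 | }, 20 | "then": { 21 | "effect": "deployIfNotExists", 22 | "details": { 23 | "type": "Microsoft.Insights/diagnosticSettings", 24 | "name": "setByPolicy", 25 | "deployment": { 26 | "properties": { 27 | "mode": "incremental", 28 | "template": { 29 | "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", 30 | "contentVersion": "1.0.0.0", 31 | "parameters": { 32 | "vaultName": { 33 | "type": "string" 34 | }, 35 | "logAnalytics": { 36 | "type": "string" 37 | }, 38 | "location": { 39 | "type": "string" 40 | } 41 | }, 42 | "variables": {}, 43 |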
"resources": [ 44 | { 45 | "type": "Microsoft.KeyVault/vaults/providers/diagnosticSettings", 46 | "apiVersion": "2017-05-01-preview", 47 | "name": "[concat(parameters('vaultName'), '/', 'Microsoft.Insights/setByPolicy')]", 48 | "location": "[parameters('location')]", 49 | "dependsOn": [], 50 | "properties": { 51 | "workspaceId": "[parameters('logAnalytics')]", 52 | "metrics": [ 53 | { 54 | "category": "AllMetrics", 55 | "enabled": true, 56 | "retentionPolicy": { 57 | "enabled": false, 58 | "days": 0 59 | } 60 | } 61 | ], 62 | "logs": [ 63 | { 64 | "category": "AuditEvent", 65 | "enabled": true 66 | } 67 | ] 68 | } 69 | } 70 | ], 71 | "outputs": {} 72 | }, 73 | "parameters": { 74 | "logAnalytics": { 75 | "value": "[parameters('logAnalytics')]" 76 | }, 77 | "location": { 78 | "value": "[field('location')]" 79 | }, 80 | "vaultName": { 81 | "value": "[field('name')]" 82 | } 83 | } 84 | } 85 | } 86 | } 87 | } 88 | } 89 | } 90 | } -------------------------------------------------------------------------------- /Policies/serviceBusAzMonDeployIfNotExists.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "displayName": "Apply diagnostic settings for Service Bus", 4 | "description": "This policy automatically deploys and enable diagnostic settings to Service Bus", 5 | "parameters": { 6 | "logAnalytics": { 7 | "type": "string", 8 | "metadata": { 9 | "displayName": "Log Analyitcs workspace", 10 | "description": "Select the Log Analytics workspace from dropdown list", 11 | "strongType": "omsWorkspace" 12 | } 13 | } 14 | }, 15 | "policyRule": { 16 | "if": { 17 | "field": "type", 18 | "equals": "Microsoft.ServiceBus/namespaces" 19 | }, 20 | "then": { 21 | "effect": "deployIfNotExists", 22 | "details": { 23 | "type": "Microsoft.Insights/diagnosticSettings", 24 | "name": "setByPolicy", 25 | "deployment": { 26 | "properties": { 27 | "mode": "incremental", 28 | "template": { 29 | "$schema": 
"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", 30 | "contentVersion": "1.0.0.0", 31 | "parameters": { 32 | "sbName": { 33 | "type": "string" 34 | }, 35 | "logAnalytics": { 36 | "type": "string" 37 | }, 38 | "location": { 39 | "type": "string" 40 | } 41 | }, 42 | "variables": {}, 43 | "resources": [ 44 | { 45 | "type": "Microsoft.ServiceBus/namespaces/providers/diagnosticSettings", 46 | "apiVersion": "2017-05-01-preview", 47 | "name": "[concat(parameters('sbName'), '/', 'Microsoft.Insights/setByPolicy')]", 48 | "location": "[parameters('location')]", 49 | "dependsOn": [], 50 | "properties": { 51 | "workspaceId": "[parameters('logAnalytics')]", 52 | "metrics": [ 53 | { 54 | "category": "AllMetrics", 55 | "enabled": true, 56 | "retentionPolicy": { 57 | "enabled": false, 58 | "days": 0 59 | } 60 | } 61 | ], 62 | "logs": [ 63 | { 64 | "category": "OperationalLogs", 65 | "enabled": true 66 | } 67 | ] 68 | } 69 | } 70 | ], 71 | "outputs": {} 72 | }, 73 | "parameters": { 74 | "logAnalytics": { 75 | "value": "[parameters('logAnalytics')]" 76 | }, 77 | "location": { 78 | "value": "[field('location')]" 79 | }, 80 | "sbName": { 81 | "value": "[field('name')]" 82 | } 83 | } 84 | } 85 | } 86 | } 87 | } 88 | } 89 | } 90 | } -------------------------------------------------------------------------------- /Policies/batchAzMonDeloyIfNotExists.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "displayName": "Apply diagnostic settings for Azure Batch.", 4 | "description": "This policy automatically deploys and enable diagnostic settings to Azure Batch", 5 | "parameters": { 6 | "logAnalytics": { 7 | "type": "string", 8 | "metadata": { 9 | "displayName": "Log Analyitcs workspace", 10 | "description": "Select the Log Analytics workspace from dropdown list", 11 | "strongType": "omsWorkspace" 12 | } 13 | } 14 | }, 15 | "policyRule": { 16 | "if": { 17 | "field": "type", 18 | "equals": 
"Microsoft.Batch/batchAccounts" 19 | }, 20 | "then": { 21 | "effect": "deployIfNotExists", 22 | "details": { 23 | "type": "Microsoft.Insights/diagnosticSettings", 24 | "name": "setByPolicy", 25 | "deployment": { 26 | "properties": { 27 | "mode": "incremental", 28 | "template": { 29 | "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", 30 | "contentVersion": "1.0.0.0", 31 | "parameters": { 32 | "resourceName": { 33 | "type": "string" 34 | }, 35 | "logAnalytics": { 36 | "type": "string" 37 | }, 38 | "location": { 39 | "type": "string" 40 | } 41 | }, 42 | "variables": {}, 43 | "resources": [ 44 | { 45 | "type": "Microsoft.Batch/batchAccounts/providers/diagnosticSettings", 46 | "apiVersion": "2017-05-01-preview", 47 | "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]", 48 | "location": "[parameters('location')]", 49 | "dependsOn": [], 50 | "properties": { 51 | "workspaceId": "[parameters('logAnalytics')]", 52 | "metrics": [ 53 | { 54 | "category": "AllMetrics", 55 | "enabled": true, 56 | "retentionPolicy": { 57 | "enabled": false, 58 | "days": 0 59 | } 60 | } 61 | ], 62 | "logs": [ 63 | { 64 | "category": "ServiceLog", 65 | "enabled": true 66 | } 67 | ] 68 | } 69 | } 70 | ], 71 | "outputs": {} 72 | }, 73 | "parameters": { 74 | "logAnalytics": { 75 | "value": "[parameters('logAnalytics')]" 76 | }, 77 | "location": { 78 | "value": "[field('location')]" 79 | }, 80 | "resourceName": { 81 | "value": "[field('name')]" 82 | } 83 | } 84 | } 85 | } 86 | } 87 | } 88 | } 89 | } 90 | } -------------------------------------------------------------------------------- /Policies/logicAppAzMonDeloyIfNotExists.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "displayName": "Apply diagnostic settings for Logic Apps", 4 | "description": "This policy automatically deploys and enable diagnostic settings to Logic Apps", 5 | "parameters": { 6 | 
"logAnalytics": { 7 | "type": "string", 8 | "metadata": { 9 | "displayName": "Log Analyitcs workspace", 10 | "description": "Select the Log Analytics workspace from dropdown list", 11 | "strongType": "omsWorkspace" 12 | } 13 | } 14 | }, 15 | "policyRule": { 16 | "if": { 17 | "field": "type", 18 | "equals": "Microsoft.Logic/workflows" 19 | }, 20 | "then": { 21 | "effect": "deployIfNotExists", 22 | "details": { 23 | "type": "Microsoft.Insights/diagnosticSettings", 24 | "name": "setByPolicy", 25 | "deployment": { 26 | "properties": { 27 | "mode": "incremental", 28 | "template": { 29 | "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", 30 | "contentVersion": "1.0.0.0", 31 | "parameters": { 32 | "resourceName": { 33 | "type": "string" 34 | }, 35 | "logAnalytics": { 36 | "type": "string" 37 | }, 38 | "location": { 39 | "type": "string" 40 | } 41 | }, 42 | "variables": {}, 43 | "resources": [ 44 | { 45 | "type": "Microsoft.Logic/workflows/providers/diagnosticSettings", 46 | "apiVersion": "2017-05-01-preview", 47 | "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]", 48 | "location": "[parameters('location')]", 49 | "dependsOn": [], 50 | "properties": { 51 | "workspaceId": "[parameters('logAnalytics')]", 52 | "metrics": [ 53 | { 54 | "category": "AllMetrics", 55 | "enabled": true, 56 | "retentionPolicy": { 57 | "enabled": false, 58 | "days": 0 59 | } 60 | } 61 | ], 62 | "logs": [ 63 | { 64 | "category": "WorkflowRuntime", 65 | "enabled": true 66 | } 67 | ] 68 | } 69 | } 70 | ], 71 | "outputs": {} 72 | }, 73 | "parameters": { 74 | "logAnalytics": { 75 | "value": "[parameters('logAnalytics')]" 76 | }, 77 | "location": { 78 | "value": "[field('location')]" 79 | }, 80 | "resourceName": { 81 | "value": "[field('name')]" 82 | } 83 | } 84 | } 85 | } 86 | } 87 | } 88 | } 89 | } 90 | } 91 | -------------------------------------------------------------------------------- 
/Policies/searchAzMonDeloyIfNotExists.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "displayName": "Apply diagnostic settings for Azure Search", 4 | "description": "This policy automatically deploys and enable diagnostic settings to Azure Search", 5 | "parameters": { 6 | "logAnalytics": { 7 | "type": "string", 8 | "metadata": { 9 | "displayName": "Log Analyitcs workspace", 10 | "description": "Select the Log Analytics workspace from dropdown list", 11 | "strongType": "omsWorkspace" 12 | } 13 | } 14 | }, 15 | "policyRule": { 16 | "if": { 17 | "field": "type", 18 | "equals": "Microsoft.Search/searchServices" 19 | }, 20 | "then": { 21 | "effect": "deployIfNotExists", 22 | "details": { 23 | "type": "Microsoft.Insights/diagnosticSettings", 24 | "name": "setByPolicy", 25 | "deployment": { 26 | "properties": { 27 | "mode": "incremental", 28 | "template": { 29 | "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", 30 | "contentVersion": "1.0.0.0", 31 | "parameters": { 32 | "resourceName": { 33 | "type": "string" 34 | }, 35 | "logAnalytics": { 36 | "type": "string" 37 | }, 38 | "location": { 39 | "type": "string" 40 | } 41 | }, 42 | "variables": {}, 43 | "resources": [ 44 | { 45 | "type": "Microsoft.Search/searchServices/providers/diagnosticSettings", 46 | "apiVersion": "2017-05-01-preview", 47 | "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]", 48 | "location": "[parameters('location')]", 49 | "dependsOn": [], 50 | "properties": { 51 | "workspaceId": "[parameters('logAnalytics')]", 52 | "metrics": [ 53 | { 54 | "category": "AllMetrics", 55 | "enabled": true, 56 | "retentionPolicy": { 57 | "enabled": false, 58 | "days": 0 59 | } 60 | } 61 | ], 62 | "logs": [ 63 | { 64 | "category": "OperationLogs", 65 | "enabled": true 66 | } 67 | ] 68 | } 69 | } 70 | ], 71 | "outputs": {} 72 | }, 73 | "parameters": { 74 | "logAnalytics": { 75 | 
"value": "[parameters('logAnalytics')]" 76 | }, 77 | "location": { 78 | "value": "[field('location')]" 79 | }, 80 | "resourceName": { 81 | "value": "[field('name')]" 82 | } 83 | } 84 | } 85 | } 86 | } 87 | } 88 | } 89 | } 90 | } 91 | -------------------------------------------------------------------------------- /Policies/expressRouteAzMonDeloyIfNotExists.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "displayName": "Apply diagnostic settings for ExpressRoute", 4 | "description": "This policy automatically deploys and enable diagnostic settings to ExpressRoute", 5 | "parameters": { 6 | "logAnalytics": { 7 | "type": "string", 8 | "metadata": { 9 | "displayName": "Log Analyitcs workspace", 10 | "description": "Select the Log Analytics workspace from dropdown list", 11 | "strongType": "omsWorkspace" 12 | } 13 | } 14 | }, 15 | "policyRule": { 16 | "if": { 17 | "field": "type", 18 | "equals": "Microsoft.Network/expressRouteCircuits" 19 | }, 20 | "then": { 21 | "effect": "deployIfNotExists", 22 | "details": { 23 | "type": "Microsoft.Insights/diagnosticSettings", 24 | "name": "setByPolicy", 25 | "deployment": { 26 | "properties": { 27 | "mode": "incremental", 28 | "template": { 29 | "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", 30 | "contentVersion": "1.0.0.0", 31 | "parameters": { 32 | "resourceName": { 33 | "type": "string" 34 | }, 35 | "logAnalytics": { 36 | "type": "string" 37 | }, 38 | "location": { 39 | "type": "string" 40 | } 41 | }, 42 | "variables": {}, 43 | "resources": [ 44 | { 45 | "type": "Microsoft.Network/expressRouteCircuits/providers/diagnosticSettings", 46 | "apiVersion": "2017-05-01-preview", 47 | "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]", 48 | "location": "[parameters('location')]", 49 | "dependsOn": [], 50 | "properties": { 51 | "workspaceId": "[parameters('logAnalytics')]", 52 | "metrics": [ 
53 | { 54 | "category": "AllMetrics", 55 | "enabled": true, 56 | "retentionPolicy": { 57 | "enabled": false, 58 | "days": 0 59 | } 60 | } 61 | ], 62 | "logs": [ 63 | { 64 | "category": "GWMCountersTable", 65 | "enabled": true 66 | } 67 | ] 68 | } 69 | } 70 | ], 71 | "outputs": {} 72 | }, 73 | "parameters": { 74 | "logAnalytics": { 75 | "value": "[parameters('logAnalytics')]" 76 | }, 77 | "location": { 78 | "value": "[field('location')]" 79 | }, 80 | "resourceName": { 81 | "value": "[field('name')]" 82 | } 83 | } 84 | } 85 | } 86 | } 87 | } 88 | } 89 | } 90 | } 91 | -------------------------------------------------------------------------------- /Policies/trafficManagerAzMonDeloyIfNotExists.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "displayName": "Apply diagnostic settings for Traffic Manager Profiles", 4 | "description": "This policy automatically deploys and enable diagnostic settings to Traffic Manager Profiles", 5 | "parameters": { 6 | "logAnalytics": { 7 | "type": "string", 8 | "metadata": { 9 | "displayName": "Log Analyitcs workspace", 10 | "description": "Select the Log Analytics workspace from dropdown list", 11 | "strongType": "omsWorkspace" 12 | } 13 | } 14 | }, 15 | "policyRule": { 16 | "if": { 17 | "field": "type", 18 | "equals": "Microsoft.Network/trafficManagerProfiles" 19 | }, 20 | "then": { 21 | "effect": "deployIfNotExists", 22 | "details": { 23 | "type": "Microsoft.Insights/diagnosticSettings", 24 | "name": "setByPolicy", 25 | "deployment": { 26 | "properties": { 27 | "mode": "incremental", 28 | "template": { 29 | "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", 30 | "contentVersion": "1.0.0.0", 31 | "parameters": { 32 | "resourceName": { 33 | "type": "string" 34 | }, 35 | "logAnalytics": { 36 | "type": "string" 37 | }, 38 | "location": { 39 | "type": "string" 40 | } 41 | }, 42 | "variables": {}, 43 | "resources": [ 44 | { 45 | 
"type": "Microsoft.Network/trafficManagerProfiles/providers/diagnosticSettings", 46 | "apiVersion": "2017-05-01-preview", 47 | "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]", 48 | "location": "[parameters('location')]", 49 | "dependsOn": [], 50 | "properties": { 51 | "workspaceId": "[parameters('logAnalytics')]", 52 | "metrics": [ 53 | { 54 | "category": "AllMetrics", 55 | "enabled": true, 56 | "retentionPolicy": { 57 | "enabled": false, 58 | "days": 0 59 | } 60 | } 61 | ], 62 | "logs": [ 63 | { 64 | "category": "ProbeHealthStatusEvents", 65 | "enabled": true 66 | } 67 | ] 68 | } 69 | } 70 | ], 71 | "outputs": {} 72 | }, 73 | "parameters": { 74 | "logAnalytics": { 75 | "value": "[parameters('logAnalytics')]" 76 | }, 77 | "location": { 78 | "value": "[field('location')]" 79 | }, 80 | "resourceName": { 81 | "value": "[field('name')]" 82 | } 83 | } 84 | } 85 | } 86 | } 87 | } 88 | } 89 | } 90 | } 91 | -------------------------------------------------------------------------------- /Policies/pipAzMonDeployIfNotExists.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "displayName": "Apply diagnostic settings for Public IP addresses", 4 | "description": "This policy automatically deploys and enable diagnostic settings to public IP addresses", 5 | "parameters": { 6 | "logAnalytics": { 7 | "type": "string", 8 | "metadata": { 9 | "displayName": "Log Analyitcs workspace", 10 | "description": "Select the Log Analytics workspace from dropdown list", 11 | "strongType": "omsWorkspace" 12 | } 13 | } 14 | }, 15 | "policyRule": { 16 | "if": { 17 | "field": "type", 18 | "equals": "Microsoft.Network/publicIpAddresses" 19 | }, 20 | "then": { 21 | "effect": "deployIfNotExists", 22 | "details": { 23 | "type": "Microsoft.Insights/diagnosticSettings", 24 | "name": "setByPolicy", 25 | "deployment": { 26 | "properties": { 27 | "mode": "incremental", 28 | "template": { 29 | "$schema": 
"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", 30 | "contentVersion": "1.0.0.0", 31 | "parameters": { 32 | "publicIpName": { 33 | "type": "string" 34 | }, 35 | "location": { 36 | "type": "string" 37 | }, 38 | "logAnalytics": { 39 | "type": "string" 40 | } 41 | }, 42 | "variables": { 43 | }, 44 | "resources": [ 45 | { 46 | "type": "Microsoft.Network/publicIpAddresses/providers/diagnosticSettings", 47 | "apiVersion": "2017-05-01-preview", 48 | "name": "[concat(parameters('publicIpName'), '/', 'Microsoft.Insights/setByPolicy')]", 49 | "location": "[parameters('location')]", 50 | "dependsOn": [ 51 | ], 52 | "properties": { 53 | "workspaceId": "[parameters('logAnalytics')]", 54 | "metrics": [ 55 | { 56 | "timeGrain": "PT1M", 57 | "enabled": true, 58 | "retentionPolicy": { 59 | "enabled": false, 60 | "days": 0 61 | } 62 | } 63 | ], 64 | "logs": [ 65 | { 66 | "category": "DDoSProtectionNotifications", 67 | "enabled": true 68 | } 69 | ] 70 | } 71 | } 72 | ], 73 | "outputs": {} 74 | }, 75 | "parameters": { 76 | "logAnalytics": { 77 | "value": "[parameters('logAnalytics')]" 78 | }, 79 | "location": { 80 | "value": "[field('location')]" 81 | }, 82 | "publicIpName": { 83 | "value": "[field('name')]" 84 | } 85 | } 86 | } 87 | } 88 | } 89 | } 90 | } 91 | } 92 | } -------------------------------------------------------------------------------- /Policies/adlsAzMonDeloyIfNotExists.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "displayName": "Apply diagnostic settings for Data Lake Store.", 4 | "description": "This policy automatically deploys and enable diagnostic settings to Data Lake Store", 5 | "parameters": { 6 | "logAnalytics": { 7 | "type": "string", 8 | "metadata": { 9 | "displayName": "Log Analyitcs workspace", 10 | "description": "Select the Log Analytics workspace from dropdown list", 11 | "strongType": "omsWorkspace" 12 | } 13 | } 14 | }, 15 | "policyRule": { 16 | 
"if": { 17 | "field": "type", 18 | "equals": "Microsoft.DataLakeStore/accounts" 19 | }, 20 | "then": { 21 | "effect": "deployIfNotExists", 22 | "details": { 23 | "type": "Microsoft.Insights/diagnosticSettings", 24 | "name": "setByPolicy", 25 | "deployment": { 26 | "properties": { 27 | "mode": "incremental", 28 | "template": { 29 | "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", 30 | "contentVersion": "1.0.0.0", 31 | "parameters": { 32 | "resourceName": { 33 | "type": "string" 34 | }, 35 | "logAnalytics": { 36 | "type": "string" 37 | }, 38 | "location": { 39 | "type": "string" 40 | } 41 | }, 42 | "variables": {}, 43 | "resources": [ 44 | { 45 | "type": "Microsoft.DataLakeStore/accounts/providers/diagnosticSettings", 46 | "apiVersion": "2017-05-01-preview", 47 | "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]", 48 | "location": "[parameters('location')]", 49 | "dependsOn": [], 50 | "properties": { 51 | "workspaceId": "[parameters('logAnalytics')]", 52 | "metrics": [ 53 | { 54 | "category": "AllMetrics", 55 | "enabled": true, 56 | "retentionPolicy": { 57 | "enabled": false, 58 | "days": 0 59 | } 60 | } 61 | ], 62 | "logs": [ 63 | { 64 | "category": "Audit", 65 | "enabled": true 66 | }, 67 | { 68 | "category": "Requests", 69 | "enabled": true 70 | } 71 | ] 72 | } 73 | } 74 | ], 75 | "outputs": {} 76 | }, 77 | "parameters": { 78 | "logAnalytics": { 79 | "value": "[parameters('logAnalytics')]" 80 | }, 81 | "location": { 82 | "value": "[field('location')]" 83 | }, 84 | "resourceName": { 85 | "value": "[field('name')]" 86 | } 87 | } 88 | } 89 | } 90 | } 91 | } 92 | } 93 | } 94 | } -------------------------------------------------------------------------------- /Policies/analysisAzMonDeployIfNotExists.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "displayName": "Apply diagnostic settings for Analysis Services.", 4 | 
"description": "This policy automatically deploys and enable diagnostic settings to Analysis Services", 5 | "parameters": { 6 | "logAnalytics": { 7 | "type": "string", 8 | "metadata": { 9 | "displayName": "Log Analyitcs workspace", 10 | "description": "Select the Log Analytics workspace from dropdown list", 11 | "strongType": "omsWorkspace" 12 | } 13 | } 14 | }, 15 | "policyRule": { 16 | "if": { 17 | "field": "type", 18 | "equals": "Microsoft.AnalysisServices/servers" 19 | }, 20 | "then": { 21 | "effect": "deployIfNotExists", 22 | "details": { 23 | "type": "Microsoft.Insights/diagnosticSettings", 24 | "name": "setByPolicy", 25 | "deployment": { 26 | "properties": { 27 | "mode": "incremental", 28 | "template": { 29 | "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", 30 | "contentVersion": "1.0.0.0", 31 | "parameters": { 32 | "analysisName": { 33 | "type": "string" 34 | }, 35 | "logAnalytics": { 36 | "type": "string" 37 | }, 38 | "location": { 39 | "type": "string" 40 | } 41 | }, 42 | "variables": {}, 43 | "resources": [ 44 | { 45 | "type": "Microsoft.AnalysisServices/servers/providers/diagnosticSettings", 46 | "apiVersion": "2017-05-01-preview", 47 | "name": "[concat(parameters('analysisName'), '/', 'Microsoft.Insights/setByPolicy')]", 48 | "location": "[parameters('location')]", 49 | "dependsOn": [], 50 | "properties": { 51 | "workspaceId": "[parameters('logAnalytics')]", 52 | "metrics": [ 53 | { 54 | "category": "AllMetrics", 55 | "enabled": true, 56 | "retentionPolicy": { 57 | "enabled": false, 58 | "days": 0 59 | } 60 | } 61 | ], 62 | "logs": [ 63 | { 64 | "category": "Engine", 65 | "enabled": true 66 | }, 67 | { 68 | "category": "Service", 69 | "enabled": true 70 | } 71 | ] 72 | } 73 | } 74 | ], 75 | "outputs": {} 76 | }, 77 | "parameters": { 78 | "logAnalytics": { 79 | "value": "[parameters('logAnalytics')]" 80 | }, 81 | "location": { 82 | "value": "[field('location')]" 83 | }, 84 | "analysisName": { 85 | "value": 
"[field('name')]" 86 | } 87 | } 88 | } 89 | } 90 | } 91 | } 92 | } 93 | } 94 | } -------------------------------------------------------------------------------- /Policies/lbAzMonDeployIfNotExists.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "displayName": "Apply diagnostic settings for Load Balancers", 4 | "description": "This policy automatically deploys and enable diagnostic settings to Load Balancers", 5 | "parameters": { 6 | "logAnalytics": { 7 | "type": "string", 8 | "metadata": { 9 | "displayName": "Log Analyitcs workspace", 10 | "description": "Select the Log Analytics workspace from dropdown list", 11 | "strongType": "omsWorkspace" 12 | } 13 | } 14 | }, 15 | "policyRule": { 16 | "if": { 17 | "field": "type", 18 | "equals": "Microsoft.Network/loadBalancers" 19 | }, 20 | "then": { 21 | "effect": "deployIfNotExists", 22 | "details": { 23 | "type": "Microsoft.Insights/diagnosticSettings", 24 | "name": "setByPolicy", 25 | "deployment": { 26 | "properties": { 27 | "mode": "incremental", 28 | "template": { 29 | "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", 30 | "contentVersion": "1.0.0.0", 31 | "parameters": { 32 | "lbName": { 33 | "type": "string" 34 | }, 35 | "logAnalytics": { 36 | "type": "string" 37 | }, 38 | "location": { 39 | "type": "string" 40 | } 41 | }, 42 | "variables": {}, 43 | "resources": [ 44 | { 45 | "type": "Microsoft.Network/loadBalancers/providers/diagnosticSettings", 46 | "apiVersion": "2017-05-01-preview", 47 | "name": "[concat(parameters('lbName'), '/', 'Microsoft.Insights/setByPolicy')]", 48 | "location": "[parameters('location')]", 49 | "dependsOn": [], 50 | "properties": { 51 | "workspaceId": "[parameters('logAnalytics')]", 52 | "metrics": [ 53 | { 54 | "category": "AllMetrics", 55 | "enabled": true, 56 | "retentionPolicy": { 57 | "enabled": false, 58 | "days": 0 59 | } 60 | } 61 | ], 62 | "logs": [ 63 | { 64 | 
"category": "LoadBalancerAlertEvent", 65 | "enabled": true 66 | }, 67 | { 68 | "category": "LoadBalancerProbeHealthStatus", 69 | "enabled": true 70 | } 71 | ] 72 | } 73 | } 74 | ], 75 | "outputs": {} 76 | }, 77 | "parameters": { 78 | "logAnalytics": { 79 | "value": "[parameters('logAnalytics')]" 80 | }, 81 | "location": { 82 | "value": "[field('location')]" 83 | }, 84 | "lbName": { 85 | "value": "[field('name')]" 86 | } 87 | } 88 | } 89 | } 90 | } 91 | } 92 | } 93 | } 94 | } -------------------------------------------------------------------------------- /Policies/adlaAzMonDeloyIfNotExists.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "displayName": "Apply diagnostic settings for Data Lake Analytics.", 4 | "description": "This policy automatically deploys and enable diagnostic settings to Data Lake Analytics", 5 | "parameters": { 6 | "logAnalytics": { 7 | "type": "string", 8 | "metadata": { 9 | "displayName": "Log Analyitcs workspace", 10 | "description": "Select the Log Analytics workspace from dropdown list", 11 | "strongType": "omsWorkspace" 12 | } 13 | } 14 | }, 15 | "policyRule": { 16 | "if": { 17 | "field": "type", 18 | "equals": "Microsoft.DataLakeAnalytics/accounts" 19 | }, 20 | "then": { 21 | "effect": "deployIfNotExists", 22 | "details": { 23 | "type": "Microsoft.Insights/diagnosticSettings", 24 | "name": "setByPolicy", 25 | "deployment": { 26 | "properties": { 27 | "mode": "incremental", 28 | "template": { 29 | "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", 30 | "contentVersion": "1.0.0.0", 31 | "parameters": { 32 | "resourceName": { 33 | "type": "string" 34 | }, 35 | "logAnalytics": { 36 | "type": "string" 37 | }, 38 | "location": { 39 | "type": "string" 40 | } 41 | }, 42 | "variables": {}, 43 | "resources": [ 44 | { 45 | "type": "Microsoft.DataLakeAnalytics/accounts/providers/diagnosticSettings", 46 | "apiVersion": "2017-05-01-preview", 
47 | "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]", 48 | "location": "[parameters('location')]", 49 | "dependsOn": [], 50 | "properties": { 51 | "workspaceId": "[parameters('logAnalytics')]", 52 | "metrics": [ 53 | { 54 | "category": "AllMetrics", 55 | "enabled": true, 56 | "retentionPolicy": { 57 | "enabled": false, 58 | "days": 0 59 | } 60 | } 61 | ], 62 | "logs": [ 63 | { 64 | "category": "Audit", 65 | "enabled": true 66 | }, 67 | { 68 | "category": "Requests", 69 | "enabled": true 70 | } 71 | ] 72 | } 73 | } 74 | ], 75 | "outputs": {} 76 | }, 77 | "parameters": { 78 | "logAnalytics": { 79 | "value": "[parameters('logAnalytics')]" 80 | }, 81 | "location": { 82 | "value": "[field('location')]" 83 | }, 84 | "resourceName": { 85 | "value": "[field('name')]" 86 | } 87 | } 88 | } 89 | } 90 | } 91 | } 92 | } 93 | } 94 | } 95 | -------------------------------------------------------------------------------- /Policies/asaAzMonDeloyIfNotExists.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "displayName": "Apply diagnostic settings for Azure Stream Analytics.", 4 | "description": "This policy automatically deploys and enable diagnostic settings to Azure Stream Analytics", 5 | "parameters": { 6 | "logAnalytics": { 7 | "type": "string", 8 | "metadata": { 9 | "displayName": "Log Analyitcs workspace", 10 | "description": "Select the Log Analytics workspace from dropdown list", 11 | "strongType": "omsWorkspace" 12 | } 13 | } 14 | }, 15 | "policyRule": { 16 | "if": { 17 | "field": "type", 18 | "equals": "Microsoft.StreamAnalytics/streamingjobs" 19 | }, 20 | "then": { 21 | "effect": "deployIfNotExists", 22 | "details": { 23 | "type": "Microsoft.Insights/diagnosticSettings", 24 | "name": "setByPolicy", 25 | "deployment": { 26 | "properties": { 27 | "mode": "incremental", 28 | "template": { 29 | "$schema": 
"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", 30 | "contentVersion": "1.0.0.0", 31 | "parameters": { 32 | "resourceName": { 33 | "type": "string" 34 | }, 35 | "logAnalytics": { 36 | "type": "string" 37 | }, 38 | "location": { 39 | "type": "string" 40 | } 41 | }, 42 | "variables": {}, 43 | "resources": [ 44 | { 45 | "type": "Microsoft.StreamAnalytics/streamingjobs/providers/diagnosticSettings", 46 | "apiVersion": "2017-05-01-preview", 47 | "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]", 48 | "location": "[parameters('location')]", 49 | "dependsOn": [], 50 | "properties": { 51 | "workspaceId": "[parameters('logAnalytics')]", 52 | "metrics": [ 53 | { 54 | "category": "AllMetrics", 55 | "enabled": true, 56 | "retentionPolicy": { 57 | "enabled": false, 58 | "days": 0 59 | } 60 | } 61 | ], 62 | "logs": [ 63 | { 64 | "category": "Authoring", 65 | "enabled": true 66 | }, 67 | { 68 | "category": "Execution", 69 | "enabled": true 70 | } 71 | ] 72 | } 73 | } 74 | ], 75 | "outputs": {} 76 | }, 77 | "parameters": { 78 | "logAnalytics": { 79 | "value": "[parameters('logAnalytics')]" 80 | }, 81 | "location": { 82 | "value": "[field('location')]" 83 | }, 84 | "resourceName": { 85 | "value": "[field('name')]" 86 | } 87 | } 88 | } 89 | } 90 | } 91 | } 92 | } 93 | } 94 | } -------------------------------------------------------------------------------- /Policies/postreSQLAzMonDeloyIfNotExists.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "displayName": "Apply diagnostic settings for DB for PostgreSQL", 4 | "description": "This policy automatically deploys and enable diagnostic settings to DB for PostgreSQL", 5 | "parameters": { 6 | "logAnalytics": { 7 | "type": "string", 8 | "metadata": { 9 | "displayName": "Log Analyitcs workspace", 10 | "description": "Select the Log Analytics workspace from dropdown list", 11 | "strongType": 
"omsWorkspace" 12 | } 13 | } 14 | }, 15 | "policyRule": { 16 | "if": { 17 | "field": "type", 18 | "equals": "Microsoft.DBforPostgreSQL/servers" 19 | }, 20 | "then": { 21 | "effect": "deployIfNotExists", 22 | "details": { 23 | "type": "Microsoft.Insights/diagnosticSettings", 24 | "name": "setByPolicy", 25 | "deployment": { 26 | "properties": { 27 | "mode": "incremental", 28 | "template": { 29 | "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", 30 | "contentVersion": "1.0.0.0", 31 | "parameters": { 32 | "resourceName": { 33 | "type": "string" 34 | }, 35 | "logAnalytics": { 36 | "type": "string" 37 | }, 38 | "location": { 39 | "type": "string" 40 | } 41 | }, 42 | "variables": {}, 43 | "resources": [ 44 | { 45 | "type": "Microsoft.DBforPostgreSQL/servers/providers/diagnosticSettings", 46 | "apiVersion": "2017-05-01-preview", 47 | "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]", 48 | "location": "[parameters('location')]", 49 | "dependsOn": [], 50 | "properties": { 51 | "workspaceId": "[parameters('logAnalytics')]", 52 | "metrics": [ 53 | { 54 | "category": "AllMetrics", 55 | "enabled": true, 56 | "retentionPolicy": { 57 | "enabled": false, 58 | "days": 0 59 | } 60 | } 61 | ], 62 | "logs": [ 63 | { 64 | "category": "PostgreSQLBackupEvents", 65 | "enabled": true 66 | }, 67 | { 68 | "category": "PostgreSQLLogs", 69 | "enabled": true 70 | } 71 | ] 72 | } 73 | } 74 | ], 75 | "outputs": {} 76 | }, 77 | "parameters": { 78 | "logAnalytics": { 79 | "value": "[parameters('logAnalytics')]" 80 | }, 81 | "location": { 82 | "value": "[field('location')]" 83 | }, 84 | "resourceName": { 85 | "value": "[field('name')]" 86 | } 87 | } 88 | } 89 | } 90 | } 91 | } 92 | } 93 | } 94 | } 95 | -------------------------------------------------------------------------------- /Policies/iotPSAzMonDeloyIfNotExists.json: -------------------------------------------------------------------------------- 1 | { 2 | 
"properties": { 3 | "displayName": "Apply diagnostic settings for IoT Provisioning Services", 4 | "description": "This policy automatically deploys and enables diagnostic settings to IoT Provisioning Services", 5 | "parameters": { 6 | "logAnalytics": { 7 | "type": "string", 8 | "metadata": { 9 | "displayName": "Log Analytics workspace", 10 | "description": "Select the Log Analytics workspace from dropdown list", 11 | "strongType": "omsWorkspace" 12 | } 13 | } 14 | }, 15 | "policyRule": { 16 | "if": { 17 | "field": "type", 18 | "equals": "Microsoft.Devices/provisioningServices" 19 | }, 20 | "then": { 21 | "effect": "deployIfNotExists", 22 | "details": { 23 | "type": "Microsoft.Insights/diagnosticSettings", 24 | "name": "setByPolicy", 25 | "deployment": { 26 | "properties": { 27 | "mode": "incremental", 28 | "template": { 29 | "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", 30 | "contentVersion": "1.0.0.0", 31 | "parameters": { 32 | "resourceName": { 33 | "type": "string" 34 | }, 35 | "logAnalytics": { 36 | "type": "string" 37 | }, 38 | "location": { 39 | "type": "string" 40 | } 41 | }, 42 | "variables": {}, 43 | "resources": [ 44 | { 45 | "type": "Microsoft.Devices/provisioningServices/providers/diagnosticSettings", 46 | "apiVersion": "2017-05-01-preview", 47 | "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]", 48 | "location": "[parameters('location')]", 49 | "dependsOn": [], 50 | "properties": { 51 | "workspaceId": "[parameters('logAnalytics')]", 52 | "metrics": [ 53 | { 54 | "category": "AllMetrics", 55 | "enabled": true, 56 | "retentionPolicy": { 57 | "enabled": false, 58 | "days": 0 59 | } 60 | } 61 | ], 62 | "logs": [ 63 | { 64 | "category": "DeviceOperations", 65 | "enabled": true 66 | }, 67 | { 68 | "category": "ServiceOperations", 69 | "enabled": true 70 | } 71 | ] 72 | } 73 | } 74 | ], 75 | "outputs": {} 76 | }, 77 | "parameters": { 78 | "logAnalytics": { 79 | "value": 
"[parameters('logAnalytics')]" 80 | }, 81 | "location": { 82 | "value": "[field('location')]" 83 | }, 84 | "resourceName": { 85 | "value": "[field('name')]" 86 | } 87 | } 88 | } 89 | } 90 | } 91 | } 92 | } 93 | } 94 | } 95 | -------------------------------------------------------------------------------- /Policies/adfAzMonDeloyIfNotExists.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "displayName": "Apply diagnostic settings for Azure Data Factories.", 4 | "description": "This policy automatically deploys and enable diagnostic settings to Azure Data Factories", 5 | "parameters": { 6 | "logAnalytics": { 7 | "type": "string", 8 | "metadata": { 9 | "displayName": "Log Analyitcs workspace", 10 | "description": "Select the Log Analytics workspace from dropdown list", 11 | "strongType": "omsWorkspace" 12 | } 13 | } 14 | }, 15 | "policyRule": { 16 | "if": { 17 | "field": "type", 18 | "equals": "Microsoft.DataFactory/factories" 19 | }, 20 | "then": { 21 | "effect": "deployIfNotExists", 22 | "details": { 23 | "type": "Microsoft.Insights/diagnosticSettings", 24 | "name": "setByPolicy", 25 | "deployment": { 26 | "properties": { 27 | "mode": "incremental", 28 | "template": { 29 | "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", 30 | "contentVersion": "1.0.0.0", 31 | "parameters": { 32 | "resourceName": { 33 | "type": "string" 34 | }, 35 | "logAnalytics": { 36 | "type": "string" 37 | }, 38 | "location": { 39 | "type": "string" 40 | } 41 | }, 42 | "variables": {}, 43 | "resources": [ 44 | { 45 | "type": "Microsoft.DataFactory/factories/providers/diagnosticSettings", 46 | "apiVersion": "2017-05-01-preview", 47 | "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]", 48 | "location": "[parameters('location')]", 49 | "dependsOn": [], 50 | "properties": { 51 | "workspaceId": "[parameters('logAnalytics')]", 52 | "metrics": [ 53 | { 54 | 
"category": "AllMetrics", 55 | "enabled": true, 56 | "retentionPolicy": { 57 | "enabled": false, 58 | "days": 0 59 | } 60 | } 61 | ], 62 | "logs": [ 63 | { 64 | "category": "ActivityRuns", 65 | "enabled": true 66 | }, 67 | { 68 | "category": "PipelineRuns", 69 | "enabled": true 70 | }, 71 | { 72 | "category": "TriggerRuns", 73 | "enabled": true 74 | } 75 | ] 76 | } 77 | } 78 | ], 79 | "outputs": {} 80 | }, 81 | "parameters": { 82 | "logAnalytics": { 83 | "value": "[parameters('logAnalytics')]" 84 | }, 85 | "location": { 86 | "value": "[field('location')]" 87 | }, 88 | "resourceName": { 89 | "value": "[field('name')]" 90 | } 91 | } 92 | } 93 | } 94 | } 95 | } 96 | } 97 | } 98 | } 99 | -------------------------------------------------------------------------------- /Policies/cosmosAzMonDeloyIfNotExists.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "displayName": "Apply diagnostic settings for CosmosDB.", 4 | "description": "This policy automatically deploys and enable diagnostic settings to CosmosDB", 5 | "parameters": { 6 | "logAnalytics": { 7 | "type": "string", 8 | "metadata": { 9 | "displayName": "Log Analyitcs workspace", 10 | "description": "Select the Log Analytics workspace from dropdown list", 11 | "strongType": "omsWorkspace" 12 | } 13 | } 14 | }, 15 | "policyRule": { 16 | "if": { 17 | "field": "type", 18 | "equals": "Microsoft.DocumentDB/databaseAccounts" 19 | }, 20 | "then": { 21 | "effect": "deployIfNotExists", 22 | "details": { 23 | "type": "Microsoft.Insights/diagnosticSettings", 24 | "name": "setByPolicy", 25 | "deployment": { 26 | "properties": { 27 | "mode": "incremental", 28 | "template": { 29 | "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", 30 | "contentVersion": "1.0.0.0", 31 | "parameters": { 32 | "resourceName": { 33 | "type": "string" 34 | }, 35 | "logAnalytics": { 36 | "type": "string" 37 | }, 38 | "location": { 39 | "type": 
"string" 40 | } 41 | }, 42 | "variables": {}, 43 | "resources": [ 44 | { 45 | "type": "Microsoft.DocumentDB/databaseAccounts/providers/diagnosticSettings", 46 | "apiVersion": "2017-05-01-preview", 47 | "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]", 48 | "location": "[parameters('location')]", 49 | "dependsOn": [], 50 | "properties": { 51 | "workspaceId": "[parameters('logAnalytics')]", 52 | "metrics": [ 53 | { 54 | "category": "AllMetrics", 55 | "enabled": true, 56 | "retentionPolicy": { 57 | "enabled": false, 58 | "days": 0 59 | } 60 | } 61 | ], 62 | "logs": [ 63 | { 64 | "category": "DataPlaneRequests", 65 | "enabled": true 66 | }, 67 | { 68 | "category": "MongoRequests", 69 | "enabled": true 70 | }, 71 | { 72 | "category": "QueryRuntimeStatistics", 73 | "enabled": true 74 | } 75 | ] 76 | } 77 | } 78 | ], 79 | "outputs": {} 80 | }, 81 | "parameters": { 82 | "logAnalytics": { 83 | "value": "[parameters('logAnalytics')]" 84 | }, 85 | "location": { 86 | "value": "[field('location')]" 87 | }, 88 | "resourceName": { 89 | "value": "[field('name')]" 90 | } 91 | } 92 | } 93 | } 94 | } 95 | } 96 | } 97 | } 98 | } 99 | -------------------------------------------------------------------------------- /Policies/ehNamespacesAzMonDeloyIfNotExists.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "displayName": "Apply diagnostic settings for Event Hub Namespaces", 4 | "description": "This policy automatically deploys and enable diagnostic settings to Event Hub Namespaces", 5 | "parameters": { 6 | "logAnalytics": { 7 | "type": "string", 8 | "metadata": { 9 | "displayName": "Log Analyitcs workspace", 10 | "description": "Select the Log Analytics workspace from dropdown list", 11 | "strongType": "omsWorkspace" 12 | } 13 | } 14 | }, 15 | "policyRule": { 16 | "if": { 17 | "field": "type", 18 | "equals": "Microsoft.EventHub/namespaces" 19 | }, 20 | "then": { 21 | "effect": 
"deployIfNotExists", 22 | "details": { 23 | "type": "Microsoft.Insights/diagnosticSettings", 24 | "name": "setByPolicy", 25 | "deployment": { 26 | "properties": { 27 | "mode": "incremental", 28 | "template": { 29 | "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", 30 | "contentVersion": "1.0.0.0", 31 | "parameters": { 32 | "resourceName": { 33 | "type": "string" 34 | }, 35 | "logAnalytics": { 36 | "type": "string" 37 | }, 38 | "location": { 39 | "type": "string" 40 | } 41 | }, 42 | "variables": {}, 43 | "resources": [ 44 | { 45 | "type": "Microsoft.EventHub/namespaces/providers/diagnosticSettings", 46 | "apiVersion": "2017-05-01-preview", 47 | "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]", 48 | "location": "[parameters('location')]", 49 | "dependsOn": [], 50 | "properties": { 51 | "workspaceId": "[parameters('logAnalytics')]", 52 | "metrics": [ 53 | { 54 | "category": "AllMetrics", 55 | "enabled": true, 56 | "retentionPolicy": { 57 | "enabled": false, 58 | "days": 0 59 | } 60 | } 61 | ], 62 | "logs": [ 63 | { 64 | "category": "ArchiveLogs", 65 | "enabled": true 66 | }, 67 | { 68 | "category": "AutoScaleLogs", 69 | "enabled": true 70 | }, 71 | { 72 | "category": "OperationalLogs", 73 | "enabled": true 74 | } 75 | ] 76 | } 77 | } 78 | ], 79 | "outputs": {} 80 | }, 81 | "parameters": { 82 | "logAnalytics": { 83 | "value": "[parameters('logAnalytics')]" 84 | }, 85 | "location": { 86 | "value": "[field('location')]" 87 | }, 88 | "resourceName": { 89 | "value": "[field('name')]" 90 | } 91 | } 92 | } 93 | } 94 | } 95 | } 96 | } 97 | } 98 | } 99 | -------------------------------------------------------------------------------- /Policies/automationAzMonDeployIfNotExists.json: -------------------------------------------------------------------------------- 1 | { 2 | "properties": { 3 | "displayName": "Apply diagnostic settings for Automation Accounts.", 4 | "description": "This policy 
automatically deploys and enables diagnostic settings to Automation Accounts", 5 | "parameters": { 6 | "logAnalytics": { 7 | "type": "string", 8 | "metadata": { 9 | "displayName": "Log Analytics workspace", 10 | "description": "Select the Log Analytics workspace from dropdown list", 11 | "strongType": "omsWorkspace" 12 | } 13 | } 14 | }, 15 | "policyRule": { 16 | "if": { 17 | "field": "type", 18 | "equals": "Microsoft.Automation/automationAccounts" 19 | }, 20 | "then": { 21 | "effect": "deployIfNotExists", 22 | "details": { 23 | "type": "Microsoft.Insights/diagnosticSettings", 24 | "name": "setByPolicy", 25 | "deployment": { 26 | "properties": { 27 | "mode": "incremental", 28 | "template": { 29 | "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", 30 | "contentVersion": "1.0.0.0", 31 | "parameters": { 32 | "resourceName": { 33 | "type": "string" 34 | }, 35 | "logAnalytics": { 36 | "type": "string" 37 | }, 38 | "location": { 39 | "type": "string" 40 | } 41 | }, 42 | "variables": {}, 43 | "resources": [ 44 | { 45 | "type": "Microsoft.Automation/automationAccounts/providers/diagnosticSettings", 46 | "apiVersion": "2017-05-01-preview", 47 | "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]", 48 | "location": "[parameters('location')]", 49 | "dependsOn": [], 50 | "properties": { 51 | "workspaceId": "[parameters('logAnalytics')]", 52 | "metrics": [ 53 | { 54 | "category": "AllMetrics", 55 | "enabled": true, 56 | "retentionPolicy": { 57 | "enabled": false, 58 | "days": 0 59 | } 60 | } 61 | ], 62 | "logs": [ 63 | { 64 | "category": "JobLogs", 65 | "enabled": true 66 | }, 67 | { 68 | "category": "JobStreams", 69 | "enabled": true 70 | }, 71 | { 72 | "category": "DscNodeStatus", 73 | "enabled": true 74 | } 75 | ] 76 | } 77 | } 78 | ], 79 | "outputs": {} 80 | }, 81 | "parameters": { 82 | "logAnalytics": { 83 | "value": "[parameters('logAnalytics')]" 84 | }, 85 | "location": { 86 | "value": 
"[field('location')]" 87 | }, 88 | "resourceName": { 89 | "value": "[field('name')]" 90 | } 91 | } 92 | } 93 | } 94 | } 95 | } 96 | } 97 | } 98 | } --------------------------------------------------------------------------------