Configuring Azure Resources Diagnostic Log Settings Using Azure Policy

In an Azure Policy definition, the "effect" section defines what the policy does when its conditions are met. For example, "Deny" blocks the resource from being deployed in the first place, "Append" adds a set of properties to the resource being deployed before the ARM engine deploys it, and "DeployIfNotExists" deploys a related resource if it does not already exist. In the old days, the biggest limitation I faced was that the "DeployIfNotExists" effect was only available in built-in policies. In other words, if Microsoft hadn't already created a policy for you, you couldn't create one to suit your requirements.

At Ignite 2018 in North America, the Azure Governance team announced that the "DeployIfNotExists" effect is now available for custom policy definitions. This is very exciting news for me; I have been waiting for this day for a long time, and it would have made my life a lot easier had it been available sooner.

A customer of mine had a requirement that all eligible resources automatically forward all of their logs and metrics to an Azure Log Analytics workspace.

At the time of my engagement, this was not possible using a native method. It would not have been hard for me to develop a custom automation solution for this requirement, but the customer wanted something native: understandably, they did not want to take on technical debt that would leave someone supporting a custom solution after I'm gone.

Now that the "DeployIfNotExists" effect has been made available to the general public, we can use custom policy definitions to automatically configure applicable Azure resources to send their logs and metrics to a Log Analytics workspace.

Over the last few days, I have spent A LOT OF time developing an ARM template that deploys custom policy and initiative definitions for this purpose. Initially I thought there were only around 20 Azure resource types capable of sending diagnostic logs and metrics to Log Analytics. I was very wrong. I couldn't find any documentation with a COMPLETE list, and also couldn't find a way to query which logs and metrics are available for each resource type. In the end, the template I developed covers 47 resource types, consolidated from the following sources:

Over the last 3-4 days I was up until 2am each day working on this template because of the lack of documentation. I have PERSONALLY tested all 47 resource types included in this template, by creating each resource and monitoring the subsequent deployments initiated by the Azure Policy engine. In the end, this 5000+ line gigantic template was born. You can find the link to my GitHub repo containing the template at the end of this post.

I’m almost certain this is not THE complete list to date, but it’s the best I can do for now:

 

Name                              Resource Type
Analysis Services                 Microsoft.AnalysisServices/servers
API Management                    Microsoft.ApiManagement/service
Application Gateway               Microsoft.Network/applicationGateways
Automation Account                Microsoft.Automation/automationAccounts
Azure Container Instance          Microsoft.ContainerInstance/containerGroups
Azure Container Registry          Microsoft.ContainerRegistry/registries
Azure Kubernetes Service          Microsoft.ContainerService/managedClusters
Batch                             Microsoft.Batch/batchAccounts
CDN Endpoint                      Microsoft.Cdn/profiles/endpoints
Cognitive Services                Microsoft.CognitiveServices/accounts
Cosmos DB                         Microsoft.DocumentDB/databaseAccounts
Data Factory                      Microsoft.DataFactory/factories
Data Lake Analytics               Microsoft.DataLakeAnalytics/accounts
Data Lake Storage                 Microsoft.DataLakeStore/accounts
Event Grid Subscriptions          Microsoft.EventGrid/eventSubscriptions
Event Grid Topics                 Microsoft.EventGrid/topics
Event Hub                         Microsoft.EventHub/namespaces
ExpressRoute Circuit              Microsoft.Network/expressRouteCircuits
Firewall                          Microsoft.Network/azureFirewalls
HDInsight                         Microsoft.HDInsight/clusters
IoT Hub                           Microsoft.Devices/IotHubs
Key Vault                         Microsoft.KeyVault/vaults
Load Balancer                     Microsoft.Network/loadBalancers
Logic Apps Integration Accounts   Microsoft.Logic/integrationAccounts
Logic Apps Workflow               Microsoft.Logic/workflows
MySQL DB                          Microsoft.DBforMySQL/servers
Network Interface Card (NIC)      Microsoft.Network/networkInterfaces
Network Security Group            Microsoft.Network/networkSecurityGroups
PostgreSQL DB                     Microsoft.DBforPostgreSQL/servers
Power BI Embedded                 Microsoft.PowerBIDedicated/capacities
Public IP                         Microsoft.Network/publicIPAddresses
Recovery Services Vault           Microsoft.RecoveryServices/vaults
Redis Cache                       Microsoft.Cache/redis
Relay                             Microsoft.Relay/namespaces
Search Services                   Microsoft.Search/searchServices
Service Bus                       Microsoft.ServiceBus/namespaces
SignalR                           Microsoft.SignalRService/SignalR
SQL DBs                           Microsoft.Sql/servers/databases
SQL Elastic Pools                 Microsoft.Sql/servers/elasticPools
Stream Analytics                  Microsoft.StreamAnalytics/streamingjobs
Time Series Insights              Microsoft.TimeSeriesInsights/environments
Traffic Manager                   Microsoft.Network/trafficManagerProfiles
Virtual Machine                   Microsoft.Compute/virtualMachines
Virtual Machine Scale Set         Microsoft.Compute/virtualMachineScaleSets
Virtual Network                   Microsoft.Network/virtualNetworks
Virtual Network Gateway           Microsoft.Network/virtualNetworkGateways
Websites                          Microsoft.Web/sites

Note: I could not test the DDoS Protection resource type or build it into my template, even though it is listed in one of the links above. DDoS Protection starts at around USD 2,950 per month, and I can't justify creating that resource in my lab subscriptions. If anyone is using it and is happy to run some tests for me, please let me know and I will add it to the template.

Since policy and initiative definitions are subscription-level resources, this ARM template is a subscription-level template. Unlike resource group level templates, subscription-level templates cannot be deployed with New-AzureRmResourceGroupDeployment; you must use the New-AzureRmDeployment cmdlet instead, which also takes a location for the deployment metadata. For example:

New-AzureRmDeployment -Name 'diag-policies' -TemplateFile 'C:\Temp\policy.definition.azuredeploy.json' -Location 'australiasoutheast' -Verbose

The deployment creates 47 policy definitions and 1 initiative definition.

When configuring policy assignments, in addition to creating the assignment itself, you may also need to configure permissions on the Log Analytics workspace of your choice. According to the Microsoft documentation for policy remediation, a managed identity (MSI) is created for each policy assignment whose definitions contain DeployIfNotExists effects. When the assignment is made in the portal, the roles listed under roleDefinitionIds in the policy definitions are granted to that identity at the assignment scope automatically. However, if the remediation deployments need to touch resources outside the assignment scope, you must configure the required permissions manually. In our case, if the Log Analytics workspace specified in the assignment lives outside the assignment scope (i.e. in another resource group, or in another subscription in the same AAD tenant), you must grant the assignment's identity the "Log Analytics Contributor" role on that workspace, as described in the documentation. The same applies if you create the assignment with PowerShell or the SDK rather than the portal: the identity is created, but the role assignments are not, so grant the role yourself at both scopes.

For example, in my lab, I assigned the initiative to a resource group, and the Log Analytics workspace is located in another resource group:

Initiative Assignment: [screenshot]

Log Analytics Resource Group IAM: [screenshot]
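The same assignment and permission setup done entirely from PowerShell, as an added example (not the author's lab steps): it creates the initiative assignment with a managed identity, passes the workspace resource ID as the initiative parameter, and grants Log Analytics Contributor at both the assignment scope and the workspace, which sits in a different resource group. The initiative name resource-diagnostic-settings-policySet and the logAnalytics parameter name are taken from the comments on this post; the resource group and workspace names (rg-workloads, rg-logging, law-central) and the australiasoutheast location are placeholders. Requires AzureRM.Resources and AzureRM.OperationalInsights.

```powershell
# Added example, not from the post. Requires a Login-AzureRmAccount session with rights to
# create policy assignments and role assignments at the scopes below.
$subscriptionId  = (Get-AzureRmContext).Subscription.Id
$assignmentScope = "/subscriptions/$subscriptionId/resourceGroups/rg-workloads"   # placeholder: governed RG
$workspace       = Get-AzureRmOperationalInsightsWorkspace -ResourceGroupName 'rg-logging' -Name 'law-central'  # placeholder names
$initiative      = Get-AzureRmPolicySetDefinition -Name 'resource-diagnostic-settings-policySet'

# The initiative parameter takes the workspace *resource ID*, not its display name or the
# workspace (customer) GUID; the resource ID is what the portal stores when you pick it from the dropdown.
$assignment = New-AzureRmPolicyAssignment -Name 'diag-to-law' `
    -DisplayName 'Send diagnostic logs and metrics to Log Analytics' `
    -PolicySetDefinition $initiative -Scope $assignmentScope `
    -AssignIdentity -Location 'australiasoutheast' `
    -PolicyParameterObject @{ logAnalytics = $workspace.ResourceId }

$principalId = $assignment.Identity.PrincipalId
if (-not $principalId) { throw 'Assignment has no managed identity; was -AssignIdentity used?' }

# Roles are only granted automatically for portal assignments, so grant them here.
# The identity appears in AAD asynchronously, so retry until the RBAC API accepts it.
function Grant-RoleWithRetry {
    param([string]$ObjectId, [string]$Role, [string]$Scope, [int]$Attempts = 10)
    for ($i = 1; $i -le $Attempts; $i++) {
        $existing = Get-AzureRmRoleAssignment -ObjectId $ObjectId -RoleDefinitionName $Role -Scope $Scope -ErrorAction SilentlyContinue
        if ($existing) { return $existing }   # idempotent: already granted (directly or inherited)
        try {
            return New-AzureRmRoleAssignment -ObjectId $ObjectId -RoleDefinitionName $Role -Scope $Scope -ErrorAction Stop
        } catch {
            Write-Verbose "Attempt $i failed ($($_.Exception.Message)); waiting for identity replication"
            Start-Sleep -Seconds 15
        }
    }
    throw "Could not grant '$Role' to $ObjectId at $Scope after $Attempts attempts"
}

# At the assignment scope: lets the identity create the deployments and diagnostic settings on governed resources.
Grant-RoleWithRetry -ObjectId $principalId -Role 'Log Analytics Contributor' -Scope $assignmentScope
# At the workspace, outside the assignment scope: lets the diagnostic settings reference the workspace.
Grant-RoleWithRetry -ObjectId $principalId -Role 'Log Analytics Contributor' -Scope $workspace.ResourceId

# Check: the identity should now hold the role at both scopes.
Get-AzureRmRoleAssignment -ObjectId $principalId | Select-Object RoleDefinitionName, Scope
```

If the workspace is in another subscription of the same tenant, switch the context (Select-AzureRmSubscription) before the second Grant-RoleWithRetry call, since the role assignment is written against that subscription.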

Please keep in mind that for any resources deployed as a result of the "DeployIfNotExists" effect, the Azure Policy engine waits approximately 10 minutes after the initial resource deployment completes before it evaluates the resource and triggers the deployment. Therefore you will not see the policy-triggered ARM deployments straight away. This is by design. Resources that already existed and were non-compliant when the assignment was created are not touched by this evaluation; they are only fixed when a remediation task is run for the assignment.

You can find the template from my GitHub repo here: https://github.com/tyconsulting/azurepolicy/tree/master/arm-templates/diagnostic-settings

Lastly, please feel free to fork the repo and raise a PR if you find any bugs or missing resource types.

14 comments

  1. Great post! I have one question. You use New-AzureRmDeployment to deploy the template to a subscription. Within our company we create policy definitions and assignments at the Management Group level. Can your template be made to work with Management Groups?

    1. Currently, it is not possible to deploy ARM templates to management groups. You'd better check with Microsoft and see if they can provide an ETA 🙂

  2. First of all, great post, thank you.

    I had the exact same requirement but Policy wasn’t going to cut it for our client as they wanted to ensure that everything was dynamically populated.

    I leaned on PowerShell and your Get-AzureADToken to basically loop through each resource, then look at the following API to see all the possible logs/metrics to enable for that resource:
    https://management.azure.com/$resourceid/providers/microsoft.insights/diagnosticSettingsCategories?api-version=2017-05-01-preview

    Thinking this through, you could use the same method (i.e. PowerShell to loop through each resource via that API), but instead of executing PowerShell, use it to compile the ARM template and deploy.

    That way it's still dynamic (i.e. no one has to maintain xx templates if one extra resource or metric gets added by Azure). Bit of work but could be fun 🙂

  3. Cool, thanks for the tip. One of the great challenges for me while I was working on this was not being able to find a complete list of supported resource types. I didn't know about this API, so thanks for pointing it out. It would be good to find out what logs and metrics are supported for an EXISTING resource that you have deployed. When I get some time after the holiday season, I'll deploy all the resources covered in my template and validate them to make sure I haven't missed any logs and metrics.

    1. What I ended up doing was looping through each resource (regardless of whether it could have diagnostics enabled or not). I'd call the API passing in the resource ID, and the API would then either return a list of logs/metrics that can be enabled, or an exception "Resource Type not supported".

      So this way, I covered what you mentioned: "Find out what logs and metrics are supported for EXISTING resources." From here it was easy enough to actually apply the diagnostics.

      This particular API doesn't take in a resource TYPE to tell you what's possible, so unfortunately it can only handle existing resources.

      1. Correct. However, moving forward, I will be able to use this API to validate that my template has got all the correct logs and metrics. When I wrote the template, I manually validated them, which was very time consuming.

      2. Hey Dario,
        I am looking for the same script you mention here. Would you mind sharing your script with me/us? It would be really great 🙂

        Thanks in advance,
        Dimitri Lider

  4. I have an issue assigning the initiative. When I want to assign the initiative through the PowerShell command:

    New-AzureRmPolicyAssignment -Name "test" -PolicySetDefinition "/subscriptions/xxxxxxxxxx/providers/Microsoft.Authorization/policySetDefinitions/resource-diagnostic-settings-policySet" -Scope "/subscriptions/xxxxxxxxxx" -AssignIdentity -Location "West Europe"

    the script asks me to supply a value for the parameter logAnalytics. If I fill in the workspaceId (or the resourceId of the workspace, or the name of the workspace) the assignment is created successfully, but when I check the assignment in the portal, the Log Analytics workspace parameter is empty. There is a dropdown option there and I can select the workspace I want, but I need this done without using the portal. Do you have any idea what I am doing wrong, or do you have the same problem if you want to assign the policy with PowerShell?

    1. If you assign it in the portal, then check the assignment in PowerShell, you will find the parameter value. I believe it should be the resource ID of your Log Analytics workspace, i.e. /subscriptions//resourcegroups//providers/microsoft.operationalinsights/workspaces/

  5. Great post, thank you Tao.

    I don’t see the Microsoft.Web/serverfarms resource provider in your list. Have you tried that out, is it working?

    1. I don't think the App Service Plan supports it? In the portal, if you go to a resource group where an App Service Plan is deployed and click on "Diagnostics Settings", do you see that resource? I just checked; it doesn't show in my environment.

      1. Ignore my previous comment. I just had another look, used the Diagnostic Settings Category API, and found that App Service Plan actually supports it, though it is not visible in the portal. Updated the template.

  6. Hi there

    Just checked on a DDoS protection plan and it does not display any ability to set Diagnostics.

    Cheers
    Manu
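The enumeration Dario describes in the comments above (call diagnosticSettingsCategories for every existing resource and treat the error returned for unsupported types as "not supported"), written out as an added example rather than his script: it walks every resource in the current subscription and summarises, per resource type, the log and metric categories the template would need. It assumes an AzureRM session; Get-ArmToken reuses the cached ARM bearer token from that session, and you can swap in any other token helper (such as Get-AzureADToken) that returns a token for https://management.azure.com/.

```powershell
# Added example, not Dario's script. Requires AzureRM.Profile/AzureRM.Resources and a Login-AzureRmAccount session.

function Get-ArmToken {
    # Reuse the ARM access token cached by the AzureRM session (assumption: AzureRM's ADAL token cache).
    $ctx  = Get-AzureRmContext
    $item = $ctx.TokenCache.ReadItems() |
        Where-Object { $_.TenantId -eq $ctx.Tenant.Id -and $_.Resource -like 'https://management.*' } |
        Sort-Object ExpiresOn -Descending | Select-Object -First 1
    if (-not $item) { throw 'No cached ARM token; run Login-AzureRmAccount first.' }
    $item.AccessToken
}

function Get-DiagnosticCategory {
    # Returns one object per supported category for the resource, or nothing if its type has no diagnostic settings.
    param([Parameter(Mandatory)][string]$ResourceId, [Parameter(Mandatory)][string]$Token)
    $uri = "https://management.azure.com$ResourceId/providers/microsoft.insights/diagnosticSettingsCategories?api-version=2017-05-01-preview"
    try {
        $resp = Invoke-RestMethod -Method Get -Uri $uri -Headers @{ Authorization = "Bearer $Token" } -ErrorAction Stop
    } catch {
        # Unsupported types come back as an HTTP error body ("Resource Type not supported" in the comment above).
        # Throttling or an expired token must not be mistaken for "unsupported", so those are surfaced instead.
        $status = $_.Exception.Response.StatusCode.value__
        if ($status -eq 429 -or $status -eq 401) { throw "ARM returned HTTP $status for $ResourceId; back off or refresh the token" }
        Write-Verbose "$ResourceId : diagnostic settings not supported (HTTP $status)"
        return
    }
    foreach ($c in $resp.value) {
        # categoryType is "Logs" or "Metrics"
        [pscustomobject]@{ ResourceId = $ResourceId; Category = $c.name; Kind = $c.properties.categoryType }
    }
}

$token   = Get-ArmToken
$results = foreach ($r in Get-AzureRmResource) {
    Get-DiagnosticCategory -ResourceId $r.ResourceId -Token $token |
        Add-Member -NotePropertyName ResourceType -NotePropertyValue $r.ResourceType -PassThru
}

# One row per resource type that supports diagnostic settings, listing the categories to put in its policy definition.
$results | Group-Object ResourceType | ForEach-Object {
    [pscustomobject]@{
        ResourceType = $_.Name
        Logs    = ($_.Group | Where-Object Kind -eq 'Logs'    | Select-Object -ExpandProperty Category -Unique) -join ', '
        Metrics = ($_.Group | Where-Object Kind -eq 'Metrics' | Select-Object -ExpandProperty Category -Unique) -join ', '
    }
} | Sort-Object ResourceType | Format-Table -AutoSize
```

Because the API only answers for resources that already exist, a subscription that has no instance of a given type tells you nothing about that type; the author's table above and this output complement each other rather than replacing one another. On large subscriptions the loop can outlive the one-hour token, which is why an HTTP 401 is thrown rather than swallowed.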
