Updated Azure Policy for Azure Diagnostic Settings

A few months ago, I published a set of Azure Policy definitions to configure diagnostic settings for Azure resources. You can find the original post here: https://blog.tyang.org/2018/11/19/configuring-azure-resources-diagnostic-log-settings-using-azure-policy/. The definitions were offered in the form of an ARM template.

Since then, I have made the following updates to these policies:

Additional policies for connecting Diagnostic Settings to Azure Event Hub

In addition to the policies that connect diagnostic settings to Log Analytics, I have added another set of policies that connect the diagnostic settings of applicable resources to Azure Event Hubs.

Added ExistenceCondition in policy definitions

ExistenceCondition detects whether the resource you are trying to deploy via Azure Policy already exists. This is helpful if your Azure resource already has diagnostic settings connected. In that case, the policy definition skips the deployment defined in the DeployIfNotExists effect. You can read more about ExistenceCondition here: https://docs.microsoft.com/en-us/azure/governance/policy/concepts/effects#deployifnotexists

Various bug fixes

I have decided not to maintain the ARM template for these policies, because it is too big (hard to maintain), and currently you cannot deploy ARM templates to management groups. The updated and new definitions come in the form of individual definition files.

You can find them here: https://github.com/tyconsulting/azurepolicy/tree/master/policy-definitions/resource-diagnostics-settings

To bulk deploy them, I recommend using the deploy-policyDef.ps1 script, which I covered in my previous post: https://blog.tyang.org/2019/05/19/deploying-azure-policy-definitions-via-azure-devops-part-1/

I have also added two Policy Initiative definitions for these policies: https://github.com/tyconsulting/azurepolicy/tree/master/initiative-definitions/resource-diagnostics-settings. To deploy these initiative definitions, you MUST use my deploy-policySetDef.ps1 script, which is explained in the same post.

One comment

  1. Great contribution to the Azure Policy community. Just one point that would be useful: within the storage account definition policies, I would add the retention parameter, as a consequence, retention is 0 (forever).
