// ----------------------------------------------------------------------------------
// Copyright (c) Microsoft Corporation.
// Licensed under the MIT license.
//
// THIS CODE AND INFORMATION ARE PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND,
// EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES
// OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE.
// ----------------------------------------------------------------------------------
// Assigns the custom "enable logging to Log Analytics" policy set at a management group and
// grants the assignment's remediation identity the role assignments declared further down.
targetScope = 'managementGroup'

// Only consumed as the policy assignment's `location` below (an assignment that carries a
// system-assigned identity needs one).
@description('Location for the deployment.')
param location string = deployment().location

// Management group under which the policy set definition named by `policyId` is looked up.
// The definition is not created by this file, only referenced, so it must already exist there.
@description('Management Group scope for the policy definition.')
param policyDefinitionManagementGroupId string

// Management group the assignment targets (see `scope`). The role assignments below are
// scoped to `managementGroup()`, the deployment scope, not to this value.
@description('Management Group scope for the policy assignment.')
param policyAssignmentManagementGroupId string

// 'DoNotEnforce' keeps compliance evaluation but does not apply the policy effect on
// create/update, which makes it the dry-run setting for a new assignment.
@allowed([
  'Default'
  'DoNotEnforce'
])
@description('Policy set assignment enforcement mode. Possible values are { Default, DoNotEnforce }. Default value: Default')
param enforcementMode string = 'Default'

// Both ids are forwarded verbatim as the policy set parameters `logAnalytics` and
// `logAnalyticsWorkspaceId`; nothing here validates that they refer to the same workspace.
@description('Log Analytics Workspace Resource Id')
param logAnalyticsResourceId string

@description('Log Analytics Workspace Id')
param logAnalyticsWorkspaceId string

// Name of the custom policy set definition being assigned, and the assignment's display name.
var policyId = 'custom-enable-logging-to-loganalytics'
var assignmentName = 'Custom - Log Analytics for Azure Services'

// Tenant-level resource ids of the two management groups, and the policy set definition
// resolved as an extension resource under the definition management group.
var scope = tenantResourceId('Microsoft.Management/managementGroups', policyAssignmentManagementGroupId)
var policyDefinitionScope = tenantResourceId('Microsoft.Management/managementGroups', policyDefinitionManagementGroupId)
var policyScopedId = extensionResourceId(policyDefinitionScope, 'Microsoft.Authorization/policySetDefinitions', policyId)
// Telemetry - Azure customer usage attribution
// Reference: https://learn.microsoft.com/azure/marketplace/azure-partner-customer-usage-attribution
// `loadTextContent` is resolved when the template is compiled, so the contents of the JSON
// file are embedded in the compiled template rather than read at deployment time.
var telemetry = json(loadTextContent('../../../config/telemetry.json'))

// Deployed only when attribution is enabled in the telemetry config. The `pid-` prefixed
// deployment name is the attribution marker described in the reference above.
module telemetryCustomerUsageAttribution '../../../azresources/telemetry/customer-usage-attribution-management-group.bicep' = if (telemetry.customerUsageAttribution.enabled) {
  name: 'pid-${telemetry.customerUsageAttribution.modules.policy}-logging'
}
// The policy set assignment itself, placed at `scope`. The name is derived from the target
// management group id, so redeploying updates the same assignment instead of adding another.
resource policySetAssignment 'Microsoft.Authorization/policyAssignments@2020-03-01' = {
  name: 'logging-${uniqueString('law-',policyAssignmentManagementGroupId)}'
  properties: {
    displayName: assignmentName
    policyDefinitionId: policyScopedId
    scope: scope
    // No exclusions: everything beneath the target management group is evaluated.
    notScopes: [
    ]
    // Keys must match the parameter names declared by the policy set definition.
    parameters: {
      logAnalytics: {
        value: logAnalyticsResourceId
      }
      logAnalyticsWorkspaceId: {
        value: logAnalyticsWorkspaceId
      }
    }
    enforcementMode: enforcementMode
  }
  // The system-assigned identity is the principal that the role assignments below are granted
  // to; without it the assignment has nothing to remediate with.
  identity: {
    type: 'SystemAssigned'
  }
  location: location
}
// These role assignments are required to allow Policy Assignment to remediate.
// All three are granted to the assignment's system-assigned identity at `managementGroup()`,
// i.e. the management group the deployment runs in, not at `scope`.
// NOTE(review): those two groups are only the same if the template is deployed into
// `policyAssignmentManagementGroupId` (or an ancestor of it) — confirm, otherwise remediation
// runs without rights where the assignment lives.
// NOTE(review): the `guid()` name is stable per management group, but `principalId` changes
// whenever the policy assignment is recreated; Azure rejects re-pointing an existing role
// assignment at a different principal, so the old role assignment would have to be removed
// first — verify this matches the intended redeploy procedure.
// NOTE(review): 2020-04-01-preview is a preview API version (also used by the two role
// assignments below); a stable roleAssignments API version exists and should be preferred
// once its property set has been checked against this one.
resource policySetRoleAssignmentLogAnalyticsContributor 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
  name: guid(policyAssignmentManagementGroupId, 'loganalytics', 'Log Analytics Contributor')
  scope: managementGroup()
  properties: {
    // Built-in role: Log Analytics Contributor.
    roleDefinitionId: tenantResourceId('Microsoft.Authorization/roleDefinitions','92aaf0da-9dab-42b6-94a3-d43ce8d16293')
    principalId: policySetAssignment.identity.principalId
    // Stating the principal type explicitly lets the role assignment succeed even while the
    // freshly created identity is still replicating in Azure AD.
    principalType: 'ServicePrincipal'
  }
}
// Virtual Machine Contributor for the remediation identity, at the deployment management group.
// NOTE(review): this is a broad role (full VM lifecycle) granted management-group-wide to an
// identity whose purpose is logging; presumably it is needed so the policy set's
// deployIfNotExists effects can install monitoring extensions on VMs — confirm against the
// policy set definition and check whether a narrower role would cover those operations.
resource policySetRoleAssignmentVirtualMachineContributor 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
  name: guid(policyAssignmentManagementGroupId, 'loganalytics', 'Virtual Machine Contributor')
  scope: managementGroup()
  properties: {
    // Built-in role: Virtual Machine Contributor.
    roleDefinitionId: tenantResourceId('Microsoft.Authorization/roleDefinitions','9980e02c-c2be-4d73-94e8-173b1dc7cf3c')
    principalId: policySetAssignment.identity.principalId
    // Explicit principal type so the assignment does not fail while the new identity replicates.
    principalType: 'ServicePrincipal'
  }
}
// Monitoring Contributor for the remediation identity, at the deployment management group.
// Presumably what lets the remediation write diagnostic settings on the covered services —
// confirm against the policy set definition.
resource policySetRoleAssignmentMonitoringContributor 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
  name: guid(policyAssignmentManagementGroupId, 'loganalytics', 'Monitoring Contributor')
  scope: managementGroup()
  properties: {
    // Built-in role: Monitoring Contributor.
    roleDefinitionId: tenantResourceId('Microsoft.Authorization/roleDefinitions','749f88d5-cbae-40b8-bcfc-e573ddc772fa')
    principalId: policySetAssignment.identity.principalId
    // Explicit principal type so the assignment does not fail while the new identity replicates.
    principalType: 'ServicePrincipal'
  }
}