问题描述
使用Azure Policy服务,对公司内部全部的订阅下的Activity Log,都需要配置导出到Log A Workspace中。
以下Policy规则可以实现此目的。
Policy内容说明
在Policy Rule部分中,选择资源的类型为 "Microsoft.Resources/subscriptions", 效果使用 DeployIfNotExists (如果不存在,则通过修复任务进行修正。
在 existenceCondition 条件中,如果当前订阅已经启用了 diagnostic setting并且输出日志到同一个Log A workspace,表示满足Policy要求,不需要进行修正。
在 deployment 中,使用了 ARM 模板, 为订阅添加Diagnostic Setting并且所有的日志Category均启用。
因 deployment 操作,会修改诊断日志配置(属于Monitor服务)以及Log A Workspace,所以需要为这个ARM Deployment操作给与两个contributor权限, 即 roleDefinitionIds 中的内容。
使用三个输入参数 logAnalytics, effect, logsEnabled 作为Policy的判断条件。
Policy示例
{
"mode": "All",
"policyRule": {
"if": {
"field": "type",
"equals": "Microsoft.Resources/subscriptions"
},
"then": {
"effect": "[parameters('effect')]",
"details": {
"type": "Microsoft.Insights/diagnosticSettings",
"deploymentScope": "subscription",
"existenceScope": "subscription",
"existenceCondition": {
"allOf": [
{
"field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
"equals": "[parameters('logsEnabled')]"
},
{
"field": "Microsoft.Insights/diagnosticSettings/workspaceId",
"equals": "[parameters('logAnalytics')]"
}
]
},
"deployment": {
"location": "chinaeast2",
"properties": {
"mode": "incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"logAnalytics": {
"type": "string"
},
"logsEnabled": {
"type": "string"
}
},
"variables": {},
"resources": [
{
"name": "policy-enabled-ActivityLogs-to-logA",
"type": "Microsoft.Insights/diagnosticSettings",
"apiVersion": "2017-05-01-preview",
"location": "Global",
"properties": {
"workspaceId": "[parameters('logAnalytics')]",
"logs": [
{
"category": "Administrative",
"enabled": "[parameters('logsEnabled')]"
},
{
"category": "Security",
"enabled": "[parameters('logsEnabled')]"
},
{
"category": "ServiceHealth",
"enabled": "[parameters('logsEnabled')]"
},
{
"category": "Alert",
"enabled": "[parameters('logsEnabled')]"
},
{
"category": "Recommendation",
"enabled": "[parameters('logsEnabled')]"
},
{
"category": "Policy",
"enabled": "[parameters('logsEnabled')]"
},
{
"category": "Autoscale",
"enabled": "[parameters('logsEnabled')]"
},
{
"category": "ResourceHealth",
"enabled": "[parameters('logsEnabled')]"
}
]
}
}
],
"outputs": {}
},
"parameters": {
"logAnalytics": {
"value": "[parameters('logAnalytics')]"
},
"logsEnabled": {
"value": "[parameters('logsEnabled')]"
}
}
}
},
"roleDefinitionIds": [
"/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
]
}
}
},
"parameters": {
"logAnalytics": {
"type": "String",
"metadata": {
"displayName": "Primary Log Analytics workspace",
"description": "If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
"strongType": "omsWorkspace",
"assignPermissions": true
}
},
"effect": {
"type": "String",
"metadata": {
"displayName": "Effect",
"description": "Enable or disable the execution of the policy"
},
"allowedValues": [
"DeployIfNotExists",
"Disabled"
],
"defaultValue": "DeployIfNotExists"
},
"logsEnabled": {
"type": "String",
"metadata": {
"displayName": "Enable logs",
"description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
},
"allowedValues": [
"True",
"False"
],
"defaultValue": "True"
}
}
}当在复杂的环境中面临问题,格物之道需:浊而静之徐清,安以动之徐生。 云中,恰是如此!
