

Add KV logs and re-adjust log analytics workspace retention/remove lo…
…cks (Azure#941)

* added key vault logging

* update array for diagnostic settings keyvault

* recompile bicep

* added storageaccount for kv

* recompile arm bicep template

* GitHub Action: Build Bicep to JSON

* remove lock on log analytics workspace to fall inline with guidance

* added conditional logic to change workspace retention based on sentinel deployment

* revised retention variable logic

* compiled bicep

* GitHub Action: Build Bicep to JSON

---------

Co-authored-by: github-actions <[email protected]>
Co-authored-by: Jason Masten <[email protected]>
3 people authored Mar 28, 2024
1 parent 9d4619e commit 2778a07
Showing 7 changed files with 187 additions and 48 deletions.
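--- a/src/bicep/mlz.bicep
+++ b/src/bicep/mlz.bicep
@@ -227,6 +227,20 @@ param identityNetworkSecurityGroupDiagnosticsLogs array = [
 @description('An array of Network Security Group Metrics to apply to enable for the Identity Virtual Network. See https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=CMD#metrics for valid settings.')
 param identityNetworkSecurityGroupDiagnosticsMetrics array = []
 
+// KEY VAULT PARAMETERS
+@description('An array of Key Vault Diagnostic Logs categories to collect. See "https://learn.microsoft.com/en-us/azure/key-vault/general/logging?tabs=Vault" for valid values.')
+param KeyVaultDiagnosticsLogs array = [
+{
+category: 'AuditEvent'
+enabled: true
+}
+{
+category: 'AzurePolicyEvaluationDetails'
+enabled: true
+}
+]
+
+
 // OPERATIONS PARAMETERS
 
 @description('An array of Network Diagnostic Logs to enable for the Operations Virtual Network. See https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=CMD#logs for valid settings.')
@@ -287,8 +301,11 @@ param deploySentinel bool = false
 @description('The daily quota for Log Analytics Workspace logs in Gigabytes. It defaults to "-1" for no quota.')
 param logAnalyticsWorkspaceCappingDailyQuotaGb int = -1
 
-@description('The number of days to retain Log Analytics Workspace logs. It defaults to "30".')
-param logAnalyticsWorkspaceRetentionInDays int = 30
+@description('The number of days to retain Log Analytics Workspace logs without Sentinel. It defaults to "30".')
+param logAnalyticsWorkspaceNoSentinelRetentionInDays int = 30
+
+@description('The number of days to retain logs in Sentinel-linked Workspace. It defaults to "90".')
+param logAnalyticsSentinelWorkspaceRetentionInDays int = 90
 
 @allowed([
 'Free'
@@ -461,6 +478,8 @@ var defaultTags = {
 var firewallClientPrivateIpAddress = firewallClientUsableIpAddresses[3]
 var firewallClientUsableIpAddresses = [for i in range(0, 4): cidrHost(firewallClientSubnetAddressPrefix, i)]
 
+var logAnalyticsWorkspaceRetentionInDays = deploySentinel ? logAnalyticsSentinelWorkspaceRetentionInDays : logAnalyticsWorkspaceNoSentinelRetentionInDays
+
 // NAMING CONVENTION
 
 module namingConvention 'modules/naming-convention.bicep' = {
@@ -669,6 +688,8 @@ module diagnostics 'modules/diagnostics.bicep' = {
 deploymentNameSuffix: deploymentNameSuffix
 firewallDiagnosticsLogs: firewallDiagnosticsLogs
 firewallDiagnosticsMetrics: firewallDiagnosticsMetrics
+KeyVaultName: customerManagedKeys.outputs.KeyVaultName
+keyVaultDiagnosticLogs: KeyVaultDiagnosticsLogs
 logAnalyticsWorkspaceResourceId: monitoring.outputs.logAnalyticsWorkspaceResourceId
 networks: logic.outputs.networks
 networkSecurityGroupDiagnosticsLogs: hubNetworkSecurityGroupDiagnosticsLogs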
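Review bot: The second hunk (`@@ -287,8 +301,11 @@`) turns the public parameter `logAnalyticsWorkspaceRetentionInDays` into a variable, so any existing parameter file or pipeline that still passes `logAnalyticsWorkspaceRetentionInDays` will presumably be rejected at deployment as an unknown parameter; if that break is intended, say so in the descriptions of the two replacement parameters or in a changelog entry. The two new retention parameters carry no range decorators, so an out-of-range value is only caught at deployment; `@minValue` / `@maxValue` bounds matching the workspace's supported retention range would fail it at validation instead. Naming in the first and fourth hunks is inconsistent with the rest of the file: `KeyVaultDiagnosticsLogs` and `KeyVaultName` are PascalCase where every neighbouring parameter is camelCase, and the module input on the next line is spelled differently, `keyVaultDiagnosticLogs: KeyVaultDiagnosticsLogs`; the same casing appears in the `KeyVaultName` output in customer-managed-keys.bicep and in `KeyVaultName` / `keyVaultstorageAccountId` in diagnostics.bicep. Unlike the firewall and NSG settings, no metrics parameter accompanies the Key Vault logs, which is worth either adding or documenting as deliberate.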
157 changes: 125 additions & 32 deletions src/bicep/mlz.json
Expand Up @@ -5,7 +5,7 @@
"_generator": {
"name": "bicep",
"version": "0.26.54.24096",
"templateHash": "459691962602818850"
"templateHash": "11246240944076095145"
}
},
"parameters": {
Expand Down Expand Up @@ -395,6 +395,22 @@
"description": "An array of Network Security Group Metrics to apply to enable for the Identity Virtual Network. See https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=CMD#metrics for valid settings."
}
},
"KeyVaultDiagnosticsLogs": {
"type": "array",
"defaultValue": [
{
"category": "AuditEvent",
"enabled": true
},
{
"category": "AzurePolicyEvaluationDetails",
"enabled": true
}
],
"metadata": {
"description": "An array of Key Vault Diagnostic Logs categories to collect. See \"https://learn.microsoft.com/en-us/azure/key-vault/general/logging?tabs=Vault\" for valid values."
}
},
"operationsVirtualNetworkDiagnosticsLogs": {
"type": "array",
"defaultValue": [],
Expand Down Expand Up @@ -497,11 +513,18 @@
"description": "The daily quota for Log Analytics Workspace logs in Gigabytes. It defaults to \"-1\" for no quota."
}
},
"logAnalyticsWorkspaceRetentionInDays": {
"logAnalyticsWorkspaceNoSentinelRetentionInDays": {
"type": "int",
"defaultValue": 30,
"metadata": {
"description": "The number of days to retain Log Analytics Workspace logs. It defaults to \"30\"."
"description": "The number of days to retain Log Analytics Workspace logs without Sentinel. It defaults to \"30\"."
}
},
"logAnalyticsSentinelWorkspaceRetentionInDays": {
"type": "int",
"defaultValue": 90,
"metadata": {
"description": "The number of days to retain logs in Sentinel-linked Workspace. It defaults to \"90\"."
}
},
"logAnalyticsWorkspaceSkuName": {
Expand Down Expand Up @@ -798,7 +821,8 @@
"environmentAbbreviation": "[parameters('environmentAbbreviation')]",
"DeploymentType": "MissionLandingZoneARM"
},
"firewallClientPrivateIpAddress": "[variables('firewallClientUsableIpAddresses')[3]]"
"firewallClientPrivateIpAddress": "[variables('firewallClientUsableIpAddresses')[3]]",
"logAnalyticsWorkspaceRetentionInDays": "[if(parameters('deploySentinel'), parameters('logAnalyticsSentinelWorkspaceRetentionInDays'), parameters('logAnalyticsWorkspaceNoSentinelRetentionInDays'))]"
},
"resources": [
{
Expand Down Expand Up @@ -4584,7 +4608,7 @@
"_generator": {
"name": "bicep",
"version": "0.26.54.24096",
"templateHash": "528320706664403182"
"templateHash": "3912836360709277206"
}
},
"parameters": {
Expand Down Expand Up @@ -4649,7 +4673,7 @@
"_generator": {
"name": "bicep",
"version": "0.26.54.24096",
"templateHash": "12445413457654566620"
"templateHash": "17697959832977472677"
}
},
"parameters": {
Expand Down Expand Up @@ -4839,6 +4863,10 @@
"type": "string",
"value": "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]"
},
"keyVaultName": {
"type": "string",
"value": "[parameters('keyVaultName')]"
},
"keyVaultUri": {
"type": "string",
"value": "[reference(resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName')), '2022-07-01').vaultUri]"
Expand Down Expand Up @@ -5165,10 +5193,18 @@
"type": "string",
"value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('networkProperties').subscriptionId, parameters('networkProperties').resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-disk-encryption-set_{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.resourceId.value]"
},
"KeyVaultName": {
"type": "string",
"value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('networkProperties').subscriptionId, parameters('networkProperties').resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-key-vault-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.keyVaultName.value]"
},
"keyVaultUri": {
"type": "string",
"value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('networkProperties').subscriptionId, parameters('networkProperties').resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-key-vault-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.keyVaultUri.value]"
},
"keyVaultResourceId": {
"type": "string",
"value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('networkProperties').subscriptionId, parameters('networkProperties').resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-key-vault-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.keyVaultResourceId.value]"
},
"storageKeyName": {
"type": "string",
"value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('networkProperties').subscriptionId, parameters('networkProperties').resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-key-vault-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.storageKeyName.value]"
Expand Down Expand Up @@ -5209,7 +5245,7 @@
"value": "[parameters('logAnalyticsWorkspaceCappingDailyQuotaGb')]"
},
"logAnalyticsWorkspaceRetentionInDays": {
"value": "[parameters('logAnalyticsWorkspaceRetentionInDays')]"
"value": "[variables('logAnalyticsWorkspaceRetentionInDays')]"
},
"logAnalyticsWorkspaceSkuName": {
"value": "[parameters('logAnalyticsWorkspaceSkuName')]"
Expand All @@ -5234,7 +5270,7 @@
"_generator": {
"name": "bicep",
"version": "0.26.54.24096",
"templateHash": "21837642899684151"
"templateHash": "12328361973188250046"
}
},
"parameters": {
Expand Down Expand Up @@ -5311,7 +5347,7 @@
"_generator": {
"name": "bicep",
"version": "0.26.54.24096",
"templateHash": "6676783541910058533"
"templateHash": "653212175555805634"
}
},
"parameters": {
Expand Down Expand Up @@ -5342,13 +5378,6 @@
"metadata": {
"description": "Whether or not to deploy Sentinel solution to workspace."
}
},
"enableDeleteLock": {
"type": "bool",
"defaultValue": false,
"metadata": {
"description": "Enable lock to prevent accidental deletion"
}
}
},
"variables": {
Expand Down Expand Up @@ -5402,8 +5431,7 @@
"product": "OMSGallery/KeyVaultAnalytics",
"promotionCode": ""
}
],
"lockName": "[format('{0}-lock', parameters('name'))]"
]
},
"resources": [
{
Expand Down Expand Up @@ -5447,19 +5475,6 @@
"dependsOn": [
"[resourceId('Microsoft.OperationalInsights/workspaces', parameters('name'))]"
]
},
{
"condition": "[parameters('enableDeleteLock')]",
"type": "Microsoft.Authorization/locks",
"apiVersion": "2016-09-01",
"scope": "[format('Microsoft.OperationalInsights/workspaces/{0}', parameters('name'))]",
"name": "[variables('lockName')]",
"properties": {
"level": "CanNotDelete"
},
"dependsOn": [
"[resourceId('Microsoft.OperationalInsights/workspaces', parameters('name'))]"
]
}
],
"outputs": {
Expand Down Expand Up @@ -7276,6 +7291,12 @@
"firewallDiagnosticsMetrics": {
"value": "[parameters('firewallDiagnosticsMetrics')]"
},
"KeyVaultName": {
"value": "[reference(subscriptionResourceId('Microsoft.Resources/deployments', format('deploy-cmk-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.KeyVaultName.value]"
},
"keyVaultDiagnosticLogs": {
"value": "[parameters('KeyVaultDiagnosticsLogs')]"
},
"logAnalyticsWorkspaceResourceId": {
"value": "[reference(subscriptionResourceId('Microsoft.Resources/deployments', format('deploy-monitoring-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.logAnalyticsWorkspaceResourceId.value]"
},
Expand Down Expand Up @@ -7314,7 +7335,7 @@
"_generator": {
"name": "bicep",
"version": "0.26.54.24096",
"templateHash": "11489480336272395502"
"templateHash": "49100111797787087"
}
},
"parameters": {
Expand All @@ -7327,6 +7348,12 @@
"firewallDiagnosticsMetrics": {
"type": "array"
},
"KeyVaultName": {
"type": "string"
},
"keyVaultDiagnosticLogs": {
"type": "array"
},
"logAnalyticsWorkspaceResourceId": {
"type": "string"
},
Expand Down Expand Up @@ -7835,11 +7862,77 @@
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2022-09-01",
"name": "[format('deploy-kv-diags-{0}', parameters('deploymentNameSuffix'))]",
"subscriptionId": "[variables('hubSubscriptionId')]",
"resourceGroup": "[variables('hubResourceGroupName')]",
"properties": {
"expressionEvaluationOptions": {
"scope": "inner"
},
"mode": "Incremental",
"parameters": {
"logAnalyticsWorkspaceResourceId": {
"value": "[parameters('logAnalyticsWorkspaceResourceId')]"
},
"logs": {
"value": "[parameters('keyVaultDiagnosticLogs')]"
},
"keyVaultstorageAccountId": {
"value": "[parameters('storageAccountResourceIds')[0]]"
},
"name": {
"value": "[parameters('KeyVaultName')]"
}
},
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.26.54.24096",
"templateHash": "9848944155815832346"
}
},
"parameters": {
"logAnalyticsWorkspaceResourceId": {
"type": "string"
},
"logs": {
"type": "array"
},
"name": {
"type": "string"
},
"keyVaultstorageAccountId": {
"type": "string"
}
},
"resources": [
{
"type": "Microsoft.Insights/diagnosticSettings",
"apiVersion": "2017-05-01-preview",
"scope": "[format('Microsoft.KeyVault/vaults/{0}', parameters('name'))]",
"name": "[format('{0}-diagnostics', parameters('name'))]",
"properties": {
"storageAccountId": "[parameters('keyVaultstorageAccountId')]",
"workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]",
"logs": "[parameters('logs')]"
}
}
]
}
}
}
]
}
},
"dependsOn": [
"[subscriptionResourceId('Microsoft.Resources/deployments', format('deploy-cmk-hub-{0}', parameters('deploymentNameSuffix')))]",
"[subscriptionResourceId('Microsoft.Resources/deployments', format('get-logic-{0}', parameters('deploymentNameSuffix')))]",
"[subscriptionResourceId('Microsoft.Resources/deployments', format('deploy-monitoring-{0}', parameters('deploymentNameSuffix')))]",
"[subscriptionResourceId('Microsoft.Resources/deployments', format('deploy-networking-{0}', parameters('deploymentNameSuffix')))]",
2 changes: 2 additions & 0 deletions src/bicep/modules/customer-managed-keys.bicep
Expand Up @@ -49,6 +49,8 @@ module userAssignedIdentity 'user-assigned-identity.bicep' = {
}

output diskEncryptionSetResourceId string = diskEncryptionSet.outputs.resourceId
output KeyVaultName string = keyVault.outputs.keyVaultName
output keyVaultUri string = keyVault.outputs.keyVaultUri
output keyVaultResourceId string = keyVault.outputs.keyVaultResourceId
output storageKeyName string = keyVault.outputs.storageKeyName
output userAssignedIdentityResourceId string = userAssignedIdentity.outputs.resourceId
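--- a/src/bicep/modules/diagnostics.bicep
+++ b/src/bicep/modules/diagnostics.bicep
@@ -3,6 +3,8 @@ targetScope = 'subscription'
 param deploymentNameSuffix string
 param firewallDiagnosticsLogs array
 param firewallDiagnosticsMetrics array
+param KeyVaultName string
+param keyVaultDiagnosticLogs array
 param logAnalyticsWorkspaceResourceId string
 param networks array
 param networkSecurityGroupDiagnosticsLogs array
@@ -89,3 +91,14 @@ module firewallDiagnostics '../modules/firewall-diagnostics.bicep' = {
 name: hub.firewallName
 }
 }
+
+module keyvaultDiagnostics '../modules/key-vault-diagnostics.bicep' = {
+name: 'deploy-kv-diags-${deploymentNameSuffix}'
+scope: resourceGroup(hubSubscriptionId, hubResourceGroupName)
+params: {
+logAnalyticsWorkspaceResourceId: logAnalyticsWorkspaceResourceId
+logs: keyVaultDiagnosticLogs
+keyVaultstorageAccountId: storageAccountResourceIds[0]
+name: KeyVaultName
+}
+}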
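Review bot: `keyVaultstorageAccountId: storageAccountResourceIds[0]` in the new `keyvaultDiagnostics` module pins the Key Vault audit trail to whichever account the producer of that array happens to list first, and an empty array presumably fails at deployment with an index error rather than a meaningful message. A why-comment pinning the assumption would help the next maintainer, e.g. `// index 0 is expected to be the hub storage account — confirm against the module that builds storageAccountResourceIds`, or the hub account could be passed explicitly instead of by position. `hubSubscriptionId`, `hubResourceGroupName` and `storageAccountResourceIds` are declared outside the hunk. Since this setting is the only audit record for the customer-managed-key vault, the `keyVaultDiagnosticLogs` parameter also deserves a description noting that callers overriding it should keep `AuditEvent` enabled.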
