diff --git a/docs/reference/contoso/armTemplates/auxiliary/diagnosticsAndSecurity.json b/docs/reference/contoso/armTemplates/auxiliary/diagnosticsAndSecurity.json
new file mode 100644
index 0000000000..49d33f027b
--- /dev/null
+++ b/docs/reference/contoso/armTemplates/auxiliary/diagnosticsAndSecurity.json
@@ -0,0 +1,352 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "maxLength": 5 + }, + "managementSubscriptionId": { + "type": "string", + "maxLength": 36, + "defaultValue": "" + }, + "enableLogAnalytics": { + "type": "string", + "defaultValue": "No", + "allowedValues": [ + "Yes", + "No" + ], + "metadata": { + "description": "If 'Yes' is selected when also adding a subscription for management, ARM will assign two policies to enable auditing in your environment, into the Log Analytics workspace for platform monitoring. If 'No', it will be ignored." + } + }, + "enableAsc": { + "type": "string", + "defaultValue": "No", + "allowedValues": [ + "Standard", + "Free", + "No" + ], + "metadata": { + "description": "If 'Yes' is selected when also adding a subscription for management, ARM will assign two policies to enable auditing in your environment, into the Log Analytics workspace for platform monitoring. If 'No', it will be ignored." 
+ } + }, + "connectivitySubscriptionId": { + "type": "string", + "maxLength": 36, + "defaultValue": "" + }, + "lzSubscriptionId": { + "type": "string", + "maxLength": 36, + "defaultValue": "" + } + }, + "variables": { + "policyDefinitions": { + "deployAzureActivityLog": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ActivityLog')]", + "deployResourceDiagnostics": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Diag-LogAnalytics')]", + "vmMonitoring": "/providers/Microsoft.Authorization/policySetDefinitions/55f3eceb-5573-4f18-9695-226972c6d74a", + "deployAzureSecurity": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-Standard')]", + "ascMonitoring": "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8" + }, + "policyAssignmentNames": { + "azureActivityLog": "Deploy-AzActivity-Log", + "vmMonitoring": "Deploy-VM-Monitoring", + "resourceDiagnostics": "Deploy-Resource-Diag", + "azureSecurity": "Deploy-ASC-Security", + "ascMonitoring": "Deploy-ASC-Monitoring" + }, + "rbacOwner": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635", + "roleAssignmentNames": { + "deployAzureActivityLog": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').azureActivityLog))]", + "deployVmMonitoring": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').vmMonitoring))]", + "deployAzureSecurity": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').azureSecurity))]", + "deployAscMonitoring": "[guid(concat(parameters('toplevelManagementGroupPrefix'), 
variables('policyAssignmentNames').ascMonitoring))]", + "deployResourceRiagnostics": "[guid(concat(parameters('topLevelManagementGroupPrefix'), variables('policyAssignmentNames').resourceDiagnostics))]" + }, + "blankTemplateEscaped": "{\"$schema\":\"https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{},\"variables\":{},\"resources\":[],\"outputs\":{}}", + "connectivityAscResourceDeploymentName": "[take(concat('asc-con', deployment().location, deployment().name), 64)]", + "connectivityActivityResourceDeploymentName": "[take(concat('activity-con', deployment().location, deployment().name), 64)]", + "lzAscResourceDeploymentName": "[take(concat('asc-lz', deployment().location, deployment().name), 64)]", + "lzActivityResourceDeploymentName": "[take(concat('activity-lz', deployment().location, deployment().name), 64)]", + "mgAscResourceDeploymentName": "[take(concat('asc-mgmt', deployment().location, deployment().name), 64)]", + "mgActivityResourceDeploymentName": "[take(concat('activity-mgmt', deployment().location, deployment().name), 64)]" + }, + "resources": [ + { + "condition": "[and(not(empty(parameters('managementSubscriptionId'))),equals(parameters('enableLogAnalytics'), 'Yes'))]", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2018-05-01", + "name": "[variables('policyAssignmentNames').azureActivityLog]", + "location": "[deployment().location]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "Deploy-AzActivity-Log", + "displayName": "Deploy-AzActivity-Log", + "policyDefinitionId": "[variables('policyDefinitions').deployAzureActivityLog]", + "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]", + "parameters": { + "logAnalytics": { + "value": "[toLower(concat('/subscriptions/', parameters('managementSubscriptionId'), '/resourceGroups/', 
parameters('topLevelManagementGroupPrefix'), '-mgmt', '/providers/Microsoft.OperationalInsights/workspaces/', parameters('topLevelManagementGroupPrefix'), '-la-', parameters('managementSubscriptionId')))]" + } + } + } + }, + { + "condition": "[and(not(empty(parameters('managementSubscriptionId'))),equals(parameters('enableLogAnalytics'), 'Yes'))]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2019-04-01-preview", + "name": "[variables('roleAssignmentNames').deployAzureActivityLog]", + "dependsOn": [ + "[variables('policyAssignmentNames').azureActivityLog]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacOwner'))]", + "principalId": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').azureActivityLog), '2018-05-01', 'Full' ).identity.principalId), 'na')]" + } + }, + { + "condition": "[and(not(empty(parameters('managementSubscriptionId'))),equals(parameters('enableLogAnalytics'), 'Yes'))]", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2018-05-01", + "name": "[variables('policyAssignmentNames').vmMonitoring]", + "location": "[deployment().location]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "Deploy-VM-Monitoring", + "displayName": "Deploy-VM-Monitoring", + "policyDefinitionId": "[variables('policyDefinitions').vmMonitoring]", + "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]", + "parameters": { + "logAnalytics_1": { + "value": "[toLower(concat('/subscriptions/', parameters('managementSubscriptionId'), '/resourceGroups/', parameters('topLevelManagementGroupPrefix'), '-mgmt', '/providers/Microsoft.OperationalInsights/workspaces/', parameters('topLevelManagementGroupPrefix'), 
'-la-', parameters('managementSubscriptionId')))]" + } + } + } + }, + { + "condition": "[and(not(empty(parameters('managementSubscriptionId'))),equals(parameters('enableLogAnalytics'), 'Yes'))]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2019-04-01-preview", + "name": "[variables('roleAssignmentNames').deployVmMonitoring]", + "dependsOn": [ + "[variables('policyAssignmentNames').vmMonitoring]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacOwner'))]", + "principalId": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').vmMonitoring), '2018-05-01', 'Full' ).identity.principalId), 'na')]" + } + }, + { + "condition": "[and(not(empty(parameters('managementSubscriptionId'))),equals(parameters('enableLogAnalytics'), 'Yes'))]", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2018-05-01", + "name": "[variables('policyAssignmentNames').resourceDiagnostics]", + "location": "[deployment().location]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "Deploy-Resource-Diag", + "displayName": "Deploy-Resource-Diag", + "policyDefinitionId": "[variables('policyDefinitions').deployResourceDiagnostics]", + "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]", + "parameters": { + "logAnalytics": { + "value": "[toLower(concat('/subscriptions/', parameters('managementSubscriptionId'), '/resourceGroups/', parameters('topLevelManagementGroupPrefix'), '-mgmt', '/providers/Microsoft.OperationalInsights/workspaces/', parameters('topLevelManagementGroupPrefix'), '-la-', parameters('managementSubscriptionId')))]" + } + } + } + }, + { + "condition": 
"[and(not(empty(parameters('managementSubscriptionId'))),equals(parameters('enableLogAnalytics'), 'Yes'))]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2019-04-01-preview", + "name": "[variables('roleAssignmentNames').deployResourceRiagnostics]", + "dependsOn": [ + "[variables('policyAssignmentNames').resourceDiagnostics]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacOwner'))]", + "principalId": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').resourceDiagnostics), '2018-05-01', 'Full' ).identity.principalId), 'na')]" + } + }, + { + "condition": "[and(not(empty(parameters('managementSubscriptionId'))),or(equals(parameters('enableAsc'), 'Standard'), equals(parameters('enableAsc'), 'Free')))]", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2018-05-01", + "name": "[variables('policyAssignmentNames').azureSecurity]", + "location": "[deployment().location]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "Deploy-ASC", + "displayName": "Deploy-ASC", + "policyDefinitionId": "[variables('policyDefinitions').deployAzureSecurity]", + "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]", + "parameters": { + "pricingTierVms": { + "value": "[parameters('enableAsc')]" + }, + "pricingTierSqlServers": { + "value": "[parameters('enableAsc')]" + }, + "pricingTierAppServices": { + "value": "[parameters('enableAsc')]" + }, + "pricingTierStorageAccounts": { + "value": "[parameters('enableAsc')]" + }, + "pricingTierContainerRegistry": { + "value": "[parameters('enableAsc')]" + }, + "pricingTierKeyVaults": { + "value": "[parameters('enableAsc')]" + }, + "pricingTierKubernetesService": { + "value": 
"[parameters('enableAsc')]" + } + } + } + }, + { + "condition": "[and(not(empty(parameters('managementSubscriptionId'))),or(equals(parameters('enableAsc'), 'Standard'), equals(parameters('enableAsc'), 'Free')))]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2019-04-01-preview", + "name": "[variables('roleAssignmentNames').deployAzureSecurity]", + "dependsOn": [ + "[variables('policyAssignmentNames').azureSecurity]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacOwner'))]", + "principalId": "[if(and(not(empty(parameters('managementSubscriptionId'))),or(equals(parameters('enableAsc'), 'Standard'), equals(parameters('enableAsc'), 'Free'))), toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').azureSecurity), '2018-05-01', 'Full' ).identity.principalId), 'na')]" + } + }, + { + "condition": "[and(not(empty(parameters('managementSubscriptionId'))),or(equals(parameters('enableAsc'), 'Standard'), equals(parameters('enableAsc'), 'Free')))]", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2018-05-01", + "name": "[variables('policyAssignmentNames').ascMonitoring]", + "location": "[deployment().location]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "ASC-Monitoring", + "displayName": "ASC-Monitoring", + "policyDefinitionId": "[variables('policyDefinitions').ascMonitoring]", + "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]" + } + }, + { + "condition": "[and(not(empty(parameters('managementSubscriptionId'))),equals(parameters('enableLogAnalytics'), 'Yes'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('mgActivityResourceDeploymentName')]", + "location": "[deployment().location]", + 
"dependsOn": [ + "[resourceId('Microsoft.Authorization/roleAssignments/', variables('roleAssignmentNames').deployAzureActivityLog)]" + ], + "subscriptionId": "[parameters('managementSubscriptionId')]", + "properties": { + "mode": "incremental", + "template": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), reference(variables('policyDefinitions').deployAzureActivityLog, '2018-05-01').policyRule.then.details.deployment.properties.template, variables('blankTemplateEscaped'))]", + "parameters": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), reference(concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').azureActivityLog), '2018-05-01').parameters, json('null'))]" + } + }, + { + "condition": "[and(not(empty(parameters('managementSubscriptionId'))),or(equals(parameters('enableAsc'), 'Standard'), equals(parameters('enableAsc'), 'Free')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('mgAscResourceDeploymentName')]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Authorization/roleAssignments/', variables('roleAssignmentNames').deployAzureSecurity)]" + ], + "subscriptionId": "[parameters('managementSubscriptionId')]", + "properties": { + "mode": "incremental", + "template": "[if(and(not(empty(parameters('managementSubscriptionId'))),or(equals(parameters('enableAsc'), 'Standard'), equals(parameters('enableAsc'), 'Free'))), reference(variables('policyDefinitions').deployAzureSecurity, '2018-05-01').policyRule.then.details.deployment.properties.template, 'na')]", + "parameters": "[if(and(not(empty(parameters('managementSubscriptionId'))),or(equals(parameters('enableAsc'), 'Standard'), equals(parameters('enableAsc'), 'Free'))),reference(concat('/providers/Microsoft.Management/managementGroups/', 
parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').azureSecurity), '2018-05-01').parameters, json('null'))]" + } + }, + { + "condition": "[and(not(empty(parameters('lzSubscriptionId'))),equals(parameters('enableLogAnalytics'), 'Yes'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('lzActivityResourceDeploymentName')]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Authorization/roleAssignments/', variables('roleAssignmentNames').deployAzureActivityLog)]" + ], + "subscriptionId": "[parameters('lzSubscriptionId')]", + "properties": { + "mode": "incremental", + "template": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), reference(variables('policyDefinitions').deployAzureActivityLog, '2018-05-01').policyRule.then.details.deployment.properties.template, variables('blankTemplateEscaped'))]", + "parameters": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), reference(concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').azureActivityLog), '2018-05-01').parameters, json('null'))]" + } + }, + { + "condition": "[and(not(empty(parameters('lzSubscriptionId'))),or(equals(parameters('enableAsc'), 'Standard'), equals(parameters('enableAsc'), 'Free')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('lzAscResourceDeploymentName')]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Authorization/roleAssignments/', variables('roleAssignmentNames').deployAzureSecurity)]" + ], + "subscriptionId": "[parameters('lzSubscriptionId')]", + "properties": { + "mode": "incremental", + "template": 
"[if(and(not(empty(parameters('managementSubscriptionId'))),or(equals(parameters('enableAsc'), 'Standard'), equals(parameters('enableAsc'), 'Free'))), reference(variables('policyDefinitions').deployAzureSecurity, '2018-05-01').policyRule.then.details.deployment.properties.template, 'na')]", + "parameters": "[if(and(not(empty(parameters('managementSubscriptionId'))),or(equals(parameters('enableAsc'), 'Standard'), equals(parameters('enableAsc'), 'Free'))),reference(concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').azureSecurity), '2018-05-01').parameters, json('null'))]" + } + }, + { + "condition": "[and(not(empty(parameters('connectivitySubscriptionId'))),equals(parameters('enableLogAnalytics'), 'Yes'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('connectivityActivityResourceDeploymentName')]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Authorization/roleAssignments/', variables('roleAssignmentNames').deployAzureActivityLog)]" + ], + "subscriptionId": "[parameters('connectivitySubscriptionId')]", + "properties": { + "mode": "incremental", + "template": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), reference(variables('policyDefinitions').deployAzureActivityLog, '2018-05-01').policyRule.then.details.deployment.properties.template, variables('blankTemplateEscaped'))]", + "parameters": "[if(equals(parameters('enableLogAnalytics'), 'Yes'), reference(concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').azureActivityLog), '2018-05-01').parameters, json('null'))]" + } + }, + { + "condition": "[and(not(empty(parameters('connectivitySubscriptionId'))),or(equals(parameters('enableAsc'), 
'Standard'), equals(parameters('enableAsc'), 'Free')))]",
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "[variables('connectivityAscResourceDeploymentName')]",
+ "location": "[deployment().location]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Authorization/roleAssignments/', variables('roleAssignmentNames').deployAzureSecurity)]"
+ ],
+ "subscriptionId": "[parameters('connectivitySubscriptionId')]",
+ "properties": {
+ "mode": "incremental",
+ "template": "[if(and(not(empty(parameters('managementSubscriptionId'))),or(equals(parameters('enableAsc'), 'Standard'), equals(parameters('enableAsc'), 'Free'))), reference(variables('policyDefinitions').deployAzureSecurity, '2018-05-01').policyRule.then.details.deployment.properties.template, 'na')]",
+ "parameters": "[if(and(not(empty(parameters('managementSubscriptionId'))),or(equals(parameters('enableAsc'), 'Standard'), equals(parameters('enableAsc'), 'Free'))),reference(concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').azureSecurity), '2018-05-01').parameters, json('null'))]"
+ }
+ }
+ ],
+ "outputs": {}
+}
\ No newline at end of file
diff --git a/docs/reference/contoso/armTemplates/auxiliary/logAnalytics.json b/docs/reference/contoso/armTemplates/auxiliary/logAnalytics.json
new file mode 100644
index 0000000000..b3b6fac201
--- /dev/null
+++ b/docs/reference/contoso/armTemplates/auxiliary/logAnalytics.json
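Review bot: Every DeployIfNotExists assignment's managed identity is granted `rbacOwner` (8e3af657-…, the built-in Owner role) at the top-level management group by the roleAssignments resources, which is far more than the diagnostics, VM-monitoring and ASC remediation deployments need; a Contributor-class built-in role (or a narrower one such as Monitoring Contributor for the diagnostic-settings assignments) at the same scope would keep the remediation identities from being able to grant further role assignments. The `enableAsc` parameter's metadata description is copied from `enableLogAnalytics` and talks about 'Yes' and Log Analytics although its allowed values are Standard/Free/No; it should describe the Security Center pricing tier it selects. The lz and connectivity ASC nested deployments gate the resource on `lzSubscriptionId`/`connectivitySubscriptionId` but their `template`/`parameters` expressions test `managementSubscriptionId`, so a landing-zone-only or connectivity-only run with no management subscription yields `'na'` as the template; the inner `if` should test the same subscription parameter as the resource `condition`. The misspelled `deployResourceRiagnostics` key is used consistently so it works, but renaming it to `deployResourceDiagnostics` would match its siblings.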
@@ -0,0 +1,104 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "maxLength": 5 + }, + "managementSubscriptionId": { + "type": "string", + "maxLength": 36 + }, + "enableLogAnalytics": { + "type": "string", + "defaultValue": "No", + "allowedValues": [ + "Yes", + "No" + ], + "metadata": { + "description": "If 'Yes' is selected when also adding a subscription for management, ARM will assign two policies to enable auditing in your environment, into the Log Analytics workspace for platform monitoring. If 'No', it will be ignored." + } + } + }, + "variables": { + "policyDefinitions": { + "deployLogAnalytics": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Log-Analytics')]" + }, + "policyAssignmentNames": { + "logAnalytics": "Deploy-Log-Analytics" + }, + "rbacOwner": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635", + "roleAssignmentNames": { + "deployLogAnalytics": "[guid(concat(parameters('topLevelManagementGroupPrefix'), variables('policyAssignmentNames').logAnalytics))]" + }, + "resourceDeploymentName": "[take(concat('mgmt', deployment().location, deployment().name), 64)]" + }, + "resources": [ + { + "condition": "[and(not(empty(parameters('managementSubscriptionId'))),equals(parameters('enableLogAnalytics'), 'Yes'))]", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2018-05-01", + "name": "[variables('policyAssignmentNames').loganalytics]", + "location": "[deployment().location]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "Deploy-Log-Analytics", + "displayName": "Deploy-Log-Analytics", + "policyDefinitionId": "[variables('policyDefinitions').deployLogAnalytics]", + "scope": 
"[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '-management')]", + "parameters": { + "workspaceName": { + "value": "[concat(parameters('topLevelManagementGroupPrefix'), '-la-', parameters('managementSubscriptionId'))]" + }, + "automationAccountName": { + "value": "[concat(parameters('topLevelManagementGroupPrefix'), '-a-', parameters('managementSubscriptionId'))]" + }, + "workspaceRegion": { + "value": "[deployment().location]" + }, + "automationRegion": { + "value": "[deployment().location]" + }, + "rgName": { + "value": "[concat(parameters('topLevelManagementGroupPrefix'), '-mgmt')]" + } + } + } + }, + { + "condition": "[and(not(empty(parameters('managementSubscriptionId'))),equals(parameters('enableLogAnalytics'), 'Yes'))]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2019-04-01-preview", + "name": "[variables('roleAssignmentNames').deployLogAnalytics]", + "dependsOn": [ + "[variables('policyAssignmentNames').loganalytics]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacOwner'))]", + "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').loganalytics), '2018-05-01', 'Full' ).identity.principalId)]" + } + }, + { + "condition": "[and(not(empty(parameters('managementSubscriptionId'))),equals(parameters('enableLogAnalytics'), 'Yes'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('resourceDeploymentName')]", + "location": "[deployment().location]", + "dependsOn": [ + "[resourceId('Microsoft.Authorization/roleAssignments/', variables('roleAssignmentNames').deployLogAnalytics)]" + ], + "subscriptionId": "[parameters('managementSubscriptionId')]", + "properties": { + "mode": "incremental", + "template": 
"[reference(variables('policyDefinitions').deployLogAnalytics, '2018-05-01').policyRule.then.details.deployment.properties.template]",
+ "parameters": "[reference(concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '-management', '/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').loganalytics), '2018-05-01').parameters]"
+ }
+ }
+ ],
+ "outputs": {}
+}
\ No newline at end of file
diff --git a/docs/reference/contoso/armTemplates/auxiliary/lz.json b/docs/reference/contoso/armTemplates/auxiliary/lz.json
new file mode 100644
index 0000000000..20135ef33b
--- /dev/null
+++ b/docs/reference/contoso/armTemplates/auxiliary/lz.json
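Review bot: The four places that read `variables('policyAssignmentNames').loganalytics` (the assignment `name`, the roleAssignment `dependsOn`, the `principalId` reference and the nested deployment's `parameters` reference) spell the key differently from its declaration `logAnalytics`; ARM's property access is generally case-insensitive, but the mismatch is fragile and should be written `.logAnalytics` to match. Unlike diagnosticsAndSecurity.json, the `principalId` here is not wrapped in an `if(equals(parameters('enableLogAnalytics'), 'Yes'), …, 'na')` guard, so when the condition is false the `reference()` to a never-created policy assignment may still be evaluated and fail the deployment; the guard used in the sibling template should be applied here too. The identity again receives `rbacOwner` (the built-in Owner role); the Deploy-Log-Analytics remediation only needs to create a resource group, workspace and automation account, so a Contributor-class role is sufficient. The assignment `scope` targets the `-management` management group while the `principalId` reference addresses the assignment without that prefix and the `parameters` reference with it, so it is worth confirming both resolve to the same resource.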
@@ -0,0 +1,264 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "topLevelManagementGroupPrefix": { + "type": "string", + "maxLength": 5 + }, + "enableSqlAudit": { + "type": "string", + "defaultValue": "No", + "allowedValues": [ + "Yes", + "No" + ] + }, + "enableSqlEncryption": { + "type": "string", + "defaultValue": "No", + "allowedValues": [ + "Yes", + "No" + ] + }, + "enableVmBackup": { + "type": "string", + "defaultValue": "No", + "allowedValues": [ + "Yes", + "No" + ] + }, + "denyRdp": { + "type": "string", + "defaultValue": "No", + "allowedValues": [ + "Yes", + "No" + ] + }, + "enableStorageHttps": { + "type": "string", + "defaultValue": "No", + "allowedValues": [ + "Yes", + "No" + ] + }, + "denyIpForwarding": { + "type": "string", + "defaultValue": "No", + "allowedValues": [ + "Yes", + "No" + ] + }, + "denySubnetWithoutNsg": { + "type": "string", + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "No" + } + }, + "variables": { + "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '-landingzones')]", + "policyDefinitions": { + "deployVmBackup": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-AzureBackup-on-VM')]", + "denySubnetWithoutNsg": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg')]", + "denyRdp": "/providers/Microsoft.Authorization/policyDefinitions/e372f825-a257-4fb8-9175-797a8a8627d6", + "denyIpForwarding": "/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900", + "deploySqlEncryption": "/providers/Microsoft.Authorization/policyDefinitions/86a912f6-9a06-4e26-b447-11b16ba8659f", + 
"deploySqlSecurity": "/providers/Microsoft.Authorization/policyDefinitions/f4c68484-132f-41f9-9b6d-3e4b1cb55036", + "deploySqlAuditing": "/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9", + "storageHttps": "/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9", + "deployStorageAtp": "/providers/Microsoft.Authorization/policyDefinitions/361c2074-3595-4e5d-8cab-4f21dffc835c" + }, + "policyAssignmentNames": { + "deployVmBackup": "Deploy-VM-Backup", + "denySubnetWithoutNsg": "Deny-Subnet-Without-Nsg", + "denyRdp": "Deny-RDP-from-internet", + "denyIpForwarding": "Deny-IP-forwarding", + "deploySqlEncryption": "Enforce-SQL-Encryption", + "deploysqlSecurity": "Deploy-SQL-Security", + "deploySqlAuditing": "Deploy-SQL-DB-Auditing", + "storageHttps": "Deny-Storage-http", + "deployStorageAtp": "Deploy-Storage-ATP" + }, + "rbacOwner": "8e3af657-a8ff-443c-a75c-2fe8c4bcb635", + "roleAssignmentNames": { + "deployVmBackup": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').deployVmBackup))]", + "deploySqlSecurity": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').deploysqlSecurity))]", + "deploySqlAuditing": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').deploySqlAuditing))]", + "deployStorageAtp": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').deployStorageAtp))]", + "deploySqlEncryption": "[guid(concat(parameters('toplevelManagementGroupPrefix'),variables('policyAssignmentNames').deploySqlEncryption))]" + }, + //"blankTemplateEscaped": "{\"$schema\":\"https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#\",\"contentVersion\":\"1.0.0.0\",\"parameters\":{},\"variables\":{},\"resources\":[],\"outputs\":{}}" + }, + "resources": [ + { + "condition": "[equals(parameters('enableVmBackup'), 'Yes')]", + 
"type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2018-05-01", + "name": "[variables('policyAssignmentNames').deployVmBackup]", + "location": "[deployment().location]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "Deploy-VM-Backup", + "displayName": "Deploy-VM-Backup", + "policyDefinitionId": "[variables('policyDefinitions').deployVmBackup]", + "scope": "[variables('scope')]", + "parameters": {} + } + }, + { + "condition": "[equals(parameters('enableVmBackup'), 'Yes')]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2019-04-01-preview", + "name": "[variables('roleAssignmentNames').deployVmBackup]", + "dependsOn": [ + "[variables('policyAssignmentNames').deployVmBackup]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacOwner'))]", + "principalId": "[if(equals(parameters('enableVmBackup'), 'Yes'), toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').deployVmBackup), '2018-05-01', 'Full' ).identity.principalId), 'na')]" + } + }, + { + "condition": "[equals(parameters('enableSqlAudit'), 'Yes')]", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2018-05-01", + "name": "[variables('policyAssignmentNames').deploySqlAuditing]", + "location": "[deployment().location]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "Deploy-SQL-Audit", + "displayName": "Deploy-SQL-Audit", + "policyDefinitionId": "[variables('policyDefinitions').deploySqlAuditing]", + "scope": "[variables('scope')]" + } + }, + { + "condition": "[equals(parameters('enableSqlAudit'), 'Yes')]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2019-04-01-preview", + "name": "[variables('roleAssignmentNames').deploySqlAuditing]", + "dependsOn": [ + 
"[variables('policyAssignmentNames').deploySqlAuditing]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacOwner'))]", + "principalId": "[if(equals(parameters('enableSqlAudit'), 'Yes'), toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').deploySqlAuditing), '2018-05-01', 'Full' ).identity.principalId), 'na')]" + } + }, + /* + { + "condition": "[equals(parameters('enableSqlSecurity'), 'Yes')]", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2018-05-01", + "name": "[variables('policyAssignmentNames').deploySqlSecurity]", + "location": "[deployment().location]", + "identity": { + "type": "SystemAssigned" + }, + "properties": { + "description": "Deploy-SQL-Security", + "displayName": "Deploy-SQL-Security", + "policyDefinitionId": "[variables('policyDefinitions').deploySqlSecurity]", + "scope": "[variables('scope')]" + } + }, + { + "condition": "[equals(parameters('enableSqlSecurity'), 'Yes')]", + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2019-04-01-preview", + "name": "[variables('roleAssignmentNames').deploySqlSecurity]", + "dependsOn": [ + "[variables('policyAssignmentNames').deploySqlSecurity]" + ], + "properties": { + "principalType": "ServicePrincipal", + "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacOwner'))]", + "principalId": "[if(equals(parameters('enableSqlSecurity'), 'Yes'), toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').deploysqlSecurity), '2018-05-01', 'Full' ).identity.principalId), 'na')]" + } + },*/ + { + "condition": "[equals(parameters('enableSqlEncryption'), 'Yes')]", + "type": "Microsoft.Authorization/policyAssignments", + "apiVersion": "2018-05-01", + "name": 
"[variables('policyAssignmentNames').deploySqlEncryption]",
+ "location": "[deployment().location]",
+ "identity": {
+ "type": "SystemAssigned"
+ },
+ "properties": {
+ "description": "Deploy-SQL-Security",
+ "displayName": "Deploy-SQL-Security",
+ "policyDefinitionId": "[variables('policyDefinitions').deploySqlEncryption]",
+ "scope": "[variables('scope')]"
+ }
+ },
+ {
+ "condition": "[equals(parameters('enableSqlEncryption'), 'Yes')]",
+ "type": "Microsoft.Authorization/roleAssignments",
+ "apiVersion": "2019-04-01-preview",
+ "name": "[variables('roleAssignmentNames').deploySqlEncryption]",
+ "dependsOn": [
+ "[variables('policyAssignmentNames').deploySqlEncryption]"
+ ],
+ "properties": {
+ "principalType": "ServicePrincipal",
+ "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacOwner'))]",
+ "principalId": "[if(equals(parameters('enableSqlEncryption'), 'Yes'), toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').deploySqlEncryption), '2018-05-01', 'Full' ).identity.principalId), 'na')]"
+ }
+ },
+ {
+ "condition": "[equals(parameters('enableStorageHttps'), 'Yes')]",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2018-05-01",
+ "name": "[variables('policyAssignmentNames').storageHttps]",
+ "location": "[deployment().location]",
+ "properties": {
+ "description": "Enforce-Secure-Storage",
+ "displayName": "Enforce-Secure-Storage",
+ "policyDefinitionId": "[variables('policyDefinitions').storageHttps]",
+ "scope": "[variables('scope')]"
+ }
+ },
+ {
+ "condition": "[equals(parameters('denyIpForwarding'), 'Yes')]",
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2018-05-01",
+ "name": "[variables('policyAssignmentNames').denyIpForwarding]",
+ "location": "[deployment().location]",
+ "properties": {
+ "description": "Deny-IP-Forwarding",
+ "displayName": "Deny-IP-Forwarding",
+ "policyDefinitionId": 
"[variables('policyDefinitions').denyIpForwarding]",
+ "scope": "[variables('scope')]"
+ }
+ }
+ ],
+ "outputs": {}
+}
\ No newline at end of file
diff --git a/docs/reference/contoso/armTemplates/auxiliary/policies.json b/docs/reference/contoso/armTemplates/auxiliary/policies.json
new file mode 100644
index 0000000000..3c51e28c9b
--- /dev/null
+++ b/docs/reference/contoso/armTemplates/auxiliary/policies.json
@@ -0,0 +1,10797 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "maxLength": 5
+ }
+ },
+ "variables": {
+ "scope": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'))]",
+ "policies": {
+ "policyDefinitions": [
+ {
+ "Name": "Append-KV-SoftDelete",
+ "Properties": {
+ "Description": "When a Key Vault is created with out soft delete enabled then this will add it.",
+ "DisplayName": "Append-KV-SoftDelete",
+ "Mode": "All",
+ "Parameters": {},
+ "PolicyRule": {
+ "if": {
+ "anyOf": [
+ {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.KeyVault/vaults"
+ },
+ {
+ "field": "Microsoft.KeyVault/vaults/enableSoftDelete",
+ "notEquals": false
+ }
+ ]
+ }
+ ]
+ },
+ "then": {
+ "effect": "append",
+ "details": [
+ {
+ "field": "Microsoft.KeyVault/vaults/enableSoftDelete",
+ "value": true
+ }
+ ]
+ }
+ }
+ }
+ },
+ {
+ "Name": "Deny-AppGW-Without-WAF",
+ "Properties": {
+ "Description": null,
+ "DisplayName": "Deny-AppGW-Without-WAF",
+ "Mode": "All",
+ "Parameters": {},
+ "PolicyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Network/applicationGateways"
+ },
+ {
+ "field": "Microsoft.Network/applicationGateways/sku.name",
+ "notequals": "WAF_v2"
+ }
+ ]
+ },
+ "then": {
+ "effect": "Deny"
+ }
+ }
+ }
+ },
+ {
+ "Name": "Deny-ERPeering",
+ "Properties": {
+ "Description": "Denies creation of ER Peerings under the assigned scope.",
+ "DisplayName": "Deny-ERPeering",
+ "Mode": "All",
+ "Parameters": {},
+ "PolicyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings"
+ },
+ "then": {
+ "effect": "deny"
+ }
+ }
+ }
+ },
+ {
+ "Name": "Deny-Private-DNS-Zones",
+ "Properties": {
+ "Description": "Denies creation of Private DNS Zones under the assigned 
scope", + "DisplayName": "Deny-Private-DNS-Zones", + "Mode": "All", + "Parameters": {}, + "PolicyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/privateDnsZones" + }, + "then": { + "effect": "deny" + } + } + } + }, + { + "Name": "Deny-PublicEndpoint-Aks", + "Properties": { + "Description": "This policy restricts creation of non-private AKS clusters", + "DisplayName": "Deny-PublicEndpoint-Aks", + "Mode": "All", + "Parameters": null, + "PolicyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.ContainerService/managedClusters" + }, + { + "field": "Microsoft.ContainerService/managedClusters/apiServerAccessProfile.enablePrivateCluster", + "notequals": "true" + } + ] + }, + "then": { + "effect": "Deny" + } + } + } + }, + { + "Name": "Deny-PublicEndpoint-CosmosDB", + "Properties": { + "Description": "This policy restrict creation of cosmos db accounts with exposed public endpoints", + "DisplayName": "Deny-PublicEndpoint-CosmosDB", + "Mode": "All", + "Parameters": null, + "PolicyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.DocumentDB/databaseAccounts" + }, + { + "field": "Microsoft.DocumentDB/databaseAccounts/publicNetworkAccess", + "notequals": "Disabled" + } + ] + }, + "then": { + "effect": "Deny" + } + } + } + }, + { + "Name": "Deny-PublicEndpoint-KeyVault", + "Properties": { + "Description": "This policy restrict creation of Key Vaults with IP Firewall exposed to all public endpoints", + "DisplayName": "Deny-PublicEndpoint-KeyVault", + "Mode": "All", + "Parameters": null, + "PolicyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.KeyVault/vaults" + }, + { + "field": "Microsoft.KeyVault/vaults/networkAcls.defaultAction", + "notequals": "Deny" + } + ] + }, + "then": { + "effect": "Deny" + } + } + } + }, + { + "Name": "Deny-PublicEndpoint-MariaDB", + "Properties": { + "Description": "This policy restrict creation of Maria DB accounts with exposed public endpoints", 
+ "DisplayName": "Deny-PublicEndpoint-MariaDB", + "Mode": "All", + "Parameters": null, + "PolicyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.DBforMariaDB/servers" + }, + { + "field": "Microsoft.DBforMariaDB/servers/publicNetworkAccess", + "notequals": "Disabled" + } + ] + }, + "then": { + "effect": "Deny" + } + } + } + }, + { + "Name": "Deny-PublicEndpoint-MySQL", + "Properties": { + "Description": "This policy restrict creation of MySql DB accounts with exposed public endpoints", + "DisplayName": "Deny-PublicEndpoint-MySQL", + "Mode": "All", + "Parameters": null, + "PolicyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.DBforMySQL/servers" + }, + { + "field": "Microsoft.DBforMySQL/servers/publicNetworkAccess", + "notequals": "Disabled" + } + ] + }, + "then": { + "effect": "Deny" + } + } + } + }, + { + "Name": "Deny-PublicEndpoint-PostgreSql", + "Properties": { + "Description": "This policy restrict creation of Postgre SQL DB accounts with exposed public endpoints", + "DisplayName": "Deny-PublicEndpoint-PostgreSql", + "Mode": "All", + "Parameters": null, + "PolicyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.DBforPostgreSQL/servers" + }, + { + "field": "Microsoft.DBforPostgreSQL/servers/publicNetworkAccess", + "notequals": "Disabled" + } + ] + }, + "then": { + "effect": "Deny" + } + } + } + }, + { + "Name": "Deny-PublicEndpoint-Sql", + "Properties": { + "Description": "This policy restrict creation of Sql servers with exposed public endpoints", + "DisplayName": "Deny-PublicEndpoint-Sql", + "Mode": "All", + "Parameters": null, + "PolicyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Sql/servers" + }, + { + "field": "Microsoft.Sql/servers/publicNetworkAccess", + "notequals": "Disabled" + } + ] + }, + "then": { + "effect": "Deny" + } + } + } + }, + { + "Name": "Deny-PublicEndpoint-Storage", + "Properties": { + "Description": "This policy restrict 
creation of storage accounts with IP Firewall exposed to all public endpoints", + "DisplayName": "Deny-PublicEndpoint-Storage", + "Mode": "All", + "Parameters": null, + "PolicyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Storage/storageAccounts" + }, + { + "field": "Microsoft.Storage/storageAccounts/networkAcls.defaultAction", + "notequals": "Deny" + } + ] + }, + "then": { + "effect": "Deny" + } + } + } + }, + { + "Name": "Deny-PublicIP", + "Properties": { + "Description": "Denies creation of Public IPs under the assigned scope.", + "DisplayName": "Deny-PublicIP", + "Mode": "All", + "Parameters": {}, + "PolicyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/publicIPAddresses" + }, + "then": { + "effect": "deny" + } + } + } + }, + { + "Name": "Deny-Subnet-Without-Nsg", + "Properties": { + "Description": null, + "DisplayName": "Deny-Subnets-Without-NSG", + "Mode": "All", + "Parameters": {}, + "PolicyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks/subnets" + }, + { + "field": "Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id", + "exists": "false" + } + ] + }, + "then": { + "effect": "deny" + } + } + } + }, + { + "Name": "Deploy-ASC-Standard", + "Properties": { + "Description": "Ensures that subscriptions have Security Center Standard enabled.", + "DisplayName": "Deploy-ASC-Standard", + "Mode": "All", + "Parameters": { + "pricingTierVMs": { + "type": "String", + "metadata": { + "displayName": "pricingTierVMs", + "description": null + }, + "allowedValues": [ + "Standard", + "Free" + ], + "defaultValue": "Standard" + }, + "pricingTierSqlServers": { + "type": "String", + "metadata": { + "displayName": "pricingTierSqlServers", + "description": null + }, + "allowedValues": [ + "Standard", + "Free" + ], + "defaultValue": "Standard" + }, + "pricingTierAppServices": { + "type": "String", + "metadata": { + "displayName": "pricingTierAppServices", + 
"description": null + }, + "allowedValues": [ + "Standard", + "Free" + ], + "defaultValue": "Standard" + }, + "pricingTierStorageAccounts": { + "type": "String", + "metadata": { + "displayName": "pricingTierStorageAccounts", + "description": null + }, + "allowedValues": [ + "Standard", + "Free" + ], + "defaultValue": "Standard" + }, + "pricingTierContainerRegistry": { + "type": "String", + "metadata": { + "displayName": "pricingTierContainerRegistry", + "description": null + }, + "allowedValues": [ + "Standard", + "Free" + ], + "defaultValue": "Standard" + }, + "pricingTierKeyVaults": { + "type": "String", + "metadata": { + "displayName": "pricingTierKeyVaults", + "description": null + }, + "allowedValues": [ + "Standard", + "Free" + ], + "defaultValue": "Standard" + }, + "pricingTierKubernetesService": { + "type": "String", + "metadata": { + "displayName": "pricingTierKubernetesService", + "description": null + }, + "allowedValues": [ + "Standard", + "Free" + ], + "defaultValue": "Standard" + } + }, + "PolicyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Resources/subscriptions" + } + ] + }, + "then": { + "effect": "deployIfNotExists", + "details": { + "type": "Microsoft.Security/pricings", + "deploymentScope": "subscription", + "existenceScope": "subscription", + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635" + ], + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Security/pricings/pricingTier", + "equals": "Standard" + }, + { + "field": "type", + "equals": "Microsoft.Security/pricings" + } + ] + }, + "deployment": { + "location": "northeurope", + "properties": { + "mode": "incremental", + "parameters": { + "pricingTierVMs": { + "value": "[[parameters('pricingTierVMs')]" + }, + "pricingTierSqlServers": { + "value": "[[parameters('pricingTierSqlServers')]" + }, + "pricingTierAppServices": { + "value": "[[parameters('pricingTierAppServices')]" + }, + 
"pricingTierStorageAccounts": { + "value": "[[parameters('pricingTierStorageAccounts')]" + }, + "pricingTierContainerRegistry": { + "value": "[[parameters('pricingTierContainerRegistry')]" + }, + "pricingTierKeyVaults": { + "value": "[[parameters('pricingTierKeyVaults')]" + }, + "pricingTierKubernetesService": { + "value": "[[parameters('pricingTierKubernetesService')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "pricingTierVMs": { + "type": "string", + "metadata": { + "description": "pricingTierVMs" + } + }, + "pricingTierSqlServers": { + "type": "string", + "metadata": { + "description": "pricingTierSqlServers" + } + }, + "pricingTierAppServices": { + "type": "string", + "metadata": { + "description": "pricingTierAppServices" + } + }, + "pricingTierStorageAccounts": { + "type": "string", + "metadata": { + "description": "pricingTierStorageAccounts" + } + }, + "pricingTierContainerRegistry": { + "type": "string", + "metadata": { + "description": "ContainerRegistry" + } + }, + "pricingTierKeyVaults": { + "type": "string", + "metadata": { + "description": "KeyVaults" + } + }, + "pricingTierKubernetesService": { + "type": "string", + "metadata": { + "description": "KubernetesService" + } + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Security/pricings", + "apiVersion": "2018-06-01", + "name": "VirtualMachines", + "properties": { + "pricingTier": "[[parameters('pricingTierVMs')]" + } + }, + { + "type": "Microsoft.Security/pricings", + "apiVersion": "2018-06-01", + "name": "StorageAccounts", + "dependsOn": [ + "[[concat('Microsoft.Security/pricings/VirtualMachines')]" + ], + "properties": { + "pricingTier": "[[parameters('pricingTierStorageAccounts')]" + } + }, + { + "type": "Microsoft.Security/pricings", + "apiVersion": "2018-06-01", + "name": "AppServices", + "dependsOn": [ + 
"[[concat('Microsoft.Security/pricings/StorageAccounts')]" + ], + "properties": { + "pricingTier": "[[parameters('pricingTierAppServices')]" + } + }, + { + "type": "Microsoft.Security/pricings", + "apiVersion": "2018-06-01", + "name": "SqlServers", + "dependsOn": [ + "[[concat('Microsoft.Security/pricings/AppServices')]" + ], + "properties": { + "pricingTier": "[[parameters('pricingTierSqlServers')]" + } + }, + { + "type": "Microsoft.Security/pricings", + "apiVersion": "2018-06-01", + "name": "KeyVaults", + "dependsOn": [ + "[[concat('Microsoft.Security/pricings/SqlServers')]" + ], + "properties": { + "pricingTier": "[[parameters('pricingTierKeyVaults')]" + } + }, + { + "type": "Microsoft.Security/pricings", + "apiVersion": "2018-06-01", + "name": "KubernetesService", + "dependsOn": [ + "[[concat('Microsoft.Security/pricings/KeyVaults')]" + ], + "properties": { + "pricingTier": "[[parameters('pricingTierKubernetesService')]" + } + }, + { + "type": "Microsoft.Security/pricings", + "apiVersion": "2018-06-01", + "name": "ContainerRegistry", + "dependsOn": [ + "[[concat('Microsoft.Security/pricings/KubernetesService')]" + ], + "properties": { + "pricingTier": "[[parameters('pricingTierContainerRegistry')]" + } + } + ], + "outputs": {} + } + } + } + } + } + } + } + }, + { + "Name": "Deploy-AzureBackup-on-VM", + "Properties": { + "Description": null, + "DisplayName": "Deploy-AzureBackup-on-VMs", + "Mode": "All", + "Parameters": {}, + "PolicyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Compute/virtualMachines" + }, + { + "anyOf": [ + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftWindowsServer" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "WindowsServer" + }, + { + "field": "Microsoft.Compute/imageSKU", + "in": [ + "2008-R2-SP1", + "2008-R2-SP1-smalldisk", + "2012-Datacenter", + "2012-Datacenter-smalldisk", + "2012-R2-Datacenter", + "2012-R2-Datacenter-smalldisk", + 
"2016-Datacenter", + "2016-Datacenter-Server-Core", + "2016-Datacenter-Server-Core-smalldisk", + "2016-Datacenter-smalldisk", + "2016-Datacenter-with-Containers", + "2016-Datacenter-with-RDSH", + "2019-Datacenter", + "2019-Datacenter-Core", + "2019-Datacenter-Core-smalldisk", + "2019-Datacenter-Core-with-Containers", + "2019-Datacenter-Core-with-Containers-smalldisk", + "2019-Datacenter-smalldisk", + "2019-Datacenter-with-Containers", + "2019-Datacenter-with-Containers-smalldisk", + "2019-Datacenter-zhcn" + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftWindowsServer" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "WindowsServerSemiAnnual" + }, + { + "field": "Microsoft.Compute/imageSKU", + "in": [ + "Datacenter-Core-1709-smalldisk", + "Datacenter-Core-1709-with-Containers-smalldisk", + "Datacenter-Core-1803-with-Containers-smalldisk" + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftWindowsServerHPCPack" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "WindowsServerHPCPack" + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftSQLServer" + }, + { + "anyOf": [ + { + "field": "Microsoft.Compute/imageOffer", + "like": "*-WS2016" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "*-WS2016-BYOL" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "*-WS2012R2" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "*-WS2012R2-BYOL" + } + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftRServer" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "MLServer-WS2016" + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftVisualStudio" + }, + { + "field": "Microsoft.Compute/imageOffer", + "in": [ + "VisualStudio", + "Windows" + ] + } + ] + 
}, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftDynamicsAX" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "Dynamics" + }, + { + "field": "Microsoft.Compute/imageSKU", + "equals": "Pre-Req-AX7-Onebox-U8" + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "microsoft-ads" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "windows-data-science-vm" + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftWindowsDesktop" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "Windows-10" + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "RedHat" + }, + { + "field": "Microsoft.Compute/imageOffer", + "in": [ + "RHEL", + "RHEL-SAP-HANA" + ] + }, + { + "anyOf": [ + { + "field": "Microsoft.Compute/imageSKU", + "like": "6.*" + }, + { + "field": "Microsoft.Compute/imageSKU", + "like": "7*" + } + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "SUSE" + }, + { + "field": "Microsoft.Compute/imageOffer", + "in": [ + "SLES", + "SLES-HPC", + "SLES-HPC-Priority", + "SLES-SAP", + "SLES-SAP-BYOS", + "SLES-Priority", + "SLES-BYOS", + "SLES-SAPCAL", + "SLES-Standard" + ] + }, + { + "anyOf": [ + { + "field": "Microsoft.Compute/imageSKU", + "like": "12*" + } + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "Canonical" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "UbuntuServer" + }, + { + "anyOf": [ + { + "field": "Microsoft.Compute/imageSKU", + "like": "14.04*LTS" + }, + { + "field": "Microsoft.Compute/imageSKU", + "like": "16.04*LTS" + }, + { + "field": "Microsoft.Compute/imageSKU", + "like": "18.04*LTS" + } + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "Oracle" + }, + { + "field": "Microsoft.Compute/imageOffer", + 
"equals": "Oracle-Linux" + }, + { + "anyOf": [ + { + "field": "Microsoft.Compute/imageSKU", + "like": "6.*" + }, + { + "field": "Microsoft.Compute/imageSKU", + "like": "7.*" + } + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "OpenLogic" + }, + { + "field": "Microsoft.Compute/imageOffer", + "in": [ + "CentOS", + "Centos-LVM", + "CentOS-SRIOV" + ] + }, + { + "anyOf": [ + { + "field": "Microsoft.Compute/imageSKU", + "like": "6.*" + }, + { + "field": "Microsoft.Compute/imageSKU", + "like": "7*" + } + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "cloudera" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "cloudera-centos-os" + }, + { + "field": "Microsoft.Compute/imageSKU", + "like": "7*" + } + ] + } + ] + } + ] + }, + "then": { + "effect": "deployIfNotExists", + "details": { + "resourceGroupName": "[[resourceGroup().name]", + "type": "Microsoft.RecoveryServices/backupprotecteditems", + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ], + "existenceCondition": { + "field": "name", + "like": "*" + }, + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "vmName": { + "type": "string", + "metadata": { + "description": "Name of Azure Virtual Machines" + } + }, + "vmRgName": { + "type": "string", + "metadata": { + "description": "Resource group containing the virtual machines." 
+ } + }, + "location": { + "type": "string", + "metadata": { + "description": "Location for VM and Backup vault" + } + } + }, + "variables": { + "backupFabric": "Azure", + "backupPolicy": "DefaultPolicy", + "v2VmType": "Microsoft.Compute/virtualMachines", + "v2VmContainer": "iaasvmcontainer;iaasvmcontainerv2;", + "v2Vm": "vm;iaasvmcontainerv2;", + "vaultName": "[[concat(resourceGroup().name, '-backupvault')]" + }, + "resources": [ + { + "name": "[[variables('vaultName')]", + "type": "Microsoft.RecoveryServices/vaults", + "apiVersion": "2016-06-01", + "location": "[[parameters('location')]", + "properties": {}, + "sku": { + "name": "Standard" + } + }, + { + "name": "[[concat(variables('vaultName'), '/', variables('backupFabric'), '/', variables('v2VmContainer'), concat(parameters('vmRgName'),';',parameters('vmName')), '/', variables('v2Vm'), concat(parameters('vmRgName'),';',parameters('vmName')))]", + "apiVersion": "2016-12-01", + "location": "[[parameters('location')]", + "type": "Microsoft.RecoveryServices/vaults/backupFabrics/protectionContainers/protectedItems", + "dependsOn": [ + "[[resourceId('Microsoft.RecoveryServices/vaults/', variables('vaultName'))]" + ], + "properties": { + "protectedItemType": "[[variables('v2VmType')]", + "policyId": "[[resourceId('Microsoft.RecoveryServices/vaults/backupPolicies', variables('vaultName'),variables('backupPolicy'))]", + "sourceResourceId": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', parameters('vmRgName'), '/providers/Microsoft.Compute/virtualMachines/', parameters('vmName'))]" + } + } + ], + "outputs": { + "status": { + "type": "string", + "value": "[[concat('Backup enabled successfully for VM:', ' ', parameters('vmName'))]" + } + } + }, + "parameters": { + "vmName": { + "value": "[[field('name')]" + }, + "location": { + "value": "[[field('location')]" + }, + "vmRgName": { + "value": "[[resourceGroup().name]" + } + } + } + } + } + } + } + } + }, + { + "Name": 
"Deploy-DDoSProtection", + "Properties": { + "Description": "This policy deploys an Azure DDoS Protection Standard plan", + "DisplayName": "Deploy-DDoSProtection", + "Mode": "All", + "Parameters": { + "ddosName": { + "type": "String", + "metadata": { + "displayName": "ddosName", + "description": "Name of the Virtual WAN" + } + }, + "ddosRegion": { + "type": "String", + "metadata": { + "displayName": "ddosRegion", + "description": "Select Azure region for Virtual WAN", + "strongType": "location" + } + }, + "rgName": { + "type": "String", + "metadata": { + "displayName": "rgName", + "description": "Provide name for resource group." + } + } + }, + "PolicyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Resources/subscriptions" + } + ] + }, + "then": { + "effect": "deployIfNotExists", + "details": { + "type": "Microsoft.Network/ddosProtectionPlans", + "deploymentScope": "Subscription", + "existenceScope": "ResourceGroup", + "resourceGroupName": "[[parameters('rgName')]", + "name": "[[parameters('ddosName')]", + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ], + "deployment": { + "location": "northeurope", + "properties": { + "mode": "incremental", + "parameters": { + "rgName": { + "value": "[[parameters('rgName')]" + }, + "ddosname": { + "value": "[[parameters('ddosname')]" + }, + "ddosregion": { + "value": "[[parameters('ddosRegion')]" + } + }, + "template": { + "$schema": "http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": { + "rgName": { + "type": "string" + }, + "ddosname": { + "type": "string" + }, + "ddosRegion": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Resources/resourceGroups", + "apiVersion": "2018-05-01", + "name": "[[parameters('rgName')]", + "location": "[[deployment().location]", + "properties": {} + }, + { + "type": 
"Microsoft.Resources/deployments", + "apiVersion": "2018-05-01", + "name": "ddosprotection", + "resourceGroup": "[[parameters('rgName')]", + "dependsOn": [ + "[[resourceId('Microsoft.Resources/resourceGroups/', parameters('rgName'))]" + ], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": {}, + "resources": [ + { + "type": "Microsoft.Network/ddosProtectionPlans", + "apiVersion": "2019-12-01", + "name": "[[parameters('ddosName')]", + "location": "[[parameters('ddosRegion')]", + "properties": {} + } + ], + "outputs": {} + } + } + } + ], + "outputs": {} + } + } + } + } + } + } + } + }, + { + "Name": "Deploy-Diagnostics-AA", + "Properties": { + "Description": "Apply diagnostic settings for Azure Automation Accounts - Log Analytics", + "DisplayName": "Deploy-Diagnostics-AA", + "Mode": "All", + "Parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select the Log Analytics workspace from dropdown list", + "strongType": "omsWorkspace" + } + } + }, + "PolicyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Automation/automationAccounts" + }, + "then": { + "effect": "deployIfNotExists", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "setByPolicy", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ], + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": 
"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "string" + }, + "logAnalytics": { + "type": "string" + }, + "location": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Automation/automationAccounts/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "timeGrain": null, + "enabled": true, + "retentionPolicy": { + "enabled": false, + "days": 0 + } + } + ], + "logs": [ + { + "category": "JobLogs", + "enabled": true + }, + { + "category": "JobStreams", + "enabled": true + }, + { + "category": "DscNodeStatus", + "enabled": true + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + } + } + } + } + } + } + } + } + }, + { + "Name": "Deploy-Diagnostics-ACI", + "Properties": { + "Description": "Apply diagnostic settings for Azure Container Instances - Log Analytics", + "DisplayName": "Deploy-Diagnostics-ACI", + "Mode": "All", + "Parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select the Log Analytics workspace from dropdown list", + "strongType": "omsWorkspace" + } + } + }, + "PolicyRule": { + "if": { + "field": "type", + "equals": "Microsoft.ContainerInstance/containerGroups" + }, + "then": { + "effect": "deployIfNotExists", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "setByPolicy", + "existenceCondition": { + "allOf": [ + { + "field": 
"Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ], + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "string" + }, + "logAnalytics": { + "type": "string" + }, + "location": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.ContainerInstance/containerGroups/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": true, + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + } + } + } + } + } + } + } + } + }, + { + "Name": "Deploy-Diagnostics-ACR", + "Properties": { + "Description": "Apply diagnostic settings for Azure Container Registries - Log Analytics", + "DisplayName": "Deploy-Diagnostics-ACR", + "Mode": "All", + "Parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select the Log Analytics workspace from dropdown list", + "strongType": "omsWorkspace" + } + } + }, + "PolicyRule": { + "if": { + "field": "type", + 
"equals": "Microsoft.ContainerRegistry/registries" + }, + "then": { + "effect": "deployIfNotExists", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "setByPolicy", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ], + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "string" + }, + "logAnalytics": { + "type": "string" + }, + "location": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.ContainerRegistry/registries/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": true, + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + } + } + } + } + } + } + } + } + }, + { + "Name": "Deploy-Diagnostics-ActivityLog", + "Properties": { + "Description": "Ensures that Activity Log Diagnostics settings are set to push logs into Log Analytics", + "DisplayName": "Deploy-Diagnostics-ActivityLog", + "Mode": "All", + "Parameters": { + 
"logAnalytics": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Primary Log Analytics workspace",
+ "description": "Select Log Analytics workspace from dropdown list",
+ "strongType": "omsWorkspace"
+ }
+ }
+ },
+ "PolicyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Resources/subscriptions"
+ }
+ ]
+ },
+ "then": {
+ "effect": "deployIfNotExists",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "deploymentScope": "Subscription",
+ "existenceScope": "Subscription",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+ "equals": "[[parameters('logAnalytics')]"
+ }
+ ]
+ },
+ "deployment": {
+ "location": "northeurope",
+ "properties": {
+ "mode": "incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "logAnalytics": {
+ "type": "string"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "name": "subscriptionLogsToLogAnalytics",
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "location": "Global",
+ "properties": {
+ "workspaceId": "[[parameters('logAnalytics')]",
+ "logs": [
+ {
+ "category": "Administrative",
+ "enabled": true
+ },
+ {
+ "category": "Security",
+ "enabled": true
+ },
+ {
+ "category": "ServiceHealth",
+ "enabled": true
+ },
+ {
+ "category": "Alert",
+ "enabled": true
+ },
+ {
+ "category": "Recommendation",
+ "enabled": true
+ },
+ {
+ "category": "Policy",
+ "enabled": true
+ },
+ {
+ "category": "Autoscale",
+ "enabled": true
+ },
+ {
+ "category": "ResourceHealth",
+ "enabled": true
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ }
+ }
+ }
+ },
+ "roleDefinitionIds": [
+ 
"/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
+ ]
+ }
+ }
+ }
+ }
+ },
+ {
+ "Name": "Deploy-Diagnostics-AKS",
+ "Properties": {
+ "Description": "Apply diagnostic settings for Azure Kubernetes Service - Log Analytics",
+ "DisplayName": "Deploy-Diagnostics-AKS",
+ "Mode": "All",
+ "Parameters": {
+ "logAnalytics": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Log Analytics workspace",
+ "description": "Select the Log Analytics workspace from dropdown list",
+ "strongType": "omsWorkspace"
+ }
+ }
+ },
+ "PolicyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.ContainerService/managedClusters"
+ },
+ "then": {
+ "effect": "deployIfNotExists",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "setByPolicy",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+ "equals": "[[parameters('logAnalytics')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "string"
+ },
+ "logAnalytics": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.ContainerService/managedClusters/providers/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]",
+ "location": "[[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "workspaceId": 
"[[parameters('logAnalytics')]",
+ "metrics": [
+ {
+ "category": "AllMetrics",
+ "enabled": true,
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ },
+ "timeGrain": null
+ }
+ ],
+ "logs": [
+ {
+ "category": "kube-audit",
+ "enabled": true
+ },
+ {
+ "category": "kube-apiserver",
+ "enabled": true
+ },
+ {
+ "category": "kube-controller-manager",
+ "enabled": true
+ },
+ {
+ "category": "kube-scheduler",
+ "enabled": true
+ },
+ {
+ "category": "cluster-autoscaler",
+ "enabled": true
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "location": {
+ "value": "[[field('location')]"
+ },
+ "resourceName": {
+ "value": "[[field('name')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ {
+ "Name": "Deploy-Diagnostics-AnalysisService",
+ "Properties": {
+ "Description": "Apply diagnostic settings for Azure Analysis Services - Log Analytics",
+ "DisplayName": "Deploy-Diagnostics-AnalysisService",
+ "Mode": "All",
+ "Parameters": {
+ "logAnalytics": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Log Analytics workspace",
+ "description": "Select the Log Analytics workspace from dropdown list",
+ "strongType": "omsWorkspace"
+ }
+ }
+ },
+ "PolicyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.AnalysisServices/servers"
+ },
+ "then": {
+ "effect": "deployIfNotExists",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "setByPolicy",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+ "equals": "[[parameters('logAnalytics')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": 
"incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "string" + }, + "logAnalytics": { + "type": "string" + }, + "location": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.AnalysisServices/servers/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": true, + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "Engine", + "enabled": true + }, + { + "category": "Service", + "enabled": true + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + } + } + } + } + } + } + } + } + }, + { + "Name": "Deploy-Diagnostics-APIMgmt", + "Properties": { + "Description": "Apply diagnostic settings for API Management services - Log Analytics", + "DisplayName": "Deploy-Diagnostics-APIMgmt", + "Mode": "All", + "Parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select the Log Analytics workspace from dropdown list", + "strongType": "omsWorkspace" + } + } + }, + "PolicyRule": { + "if": { + "field": "type", + "equals": "Microsoft.ApiManagement/service" + }, + "then": { + "effect": "deployIfNotExists", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "setByPolicy", + "existenceCondition": { + "allOf": [ + { + "field": 
"Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ], + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "string" + }, + "logAnalytics": { + "type": "string" + }, + "location": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.ApiManagement/service/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "Gateway Requests", + "enabled": true, + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + }, + { + "category": "Capacity", + "enabled": true, + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + }, + { + "category": "EventHub Events", + "enabled": true, + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "GatewayLogs", + "enabled": true + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + } + } + } + } + } + } + } + } + }, + { + "Name": "Deploy-Diagnostics-ApplicationGateway", + "Properties": { + 
"Description": "Apply diagnostic settings for Application Gateways - Log Analytics", + "DisplayName": "Deploy-Diagnostics-ApplicationGateway", + "Mode": "All", + "Parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select the Log Analytics workspace from dropdown list", + "strongType": "omsWorkspace" + } + } + }, + "PolicyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/applicationGateways" + }, + "then": { + "effect": "deployIfNotExists", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "setByPolicy", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ], + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "string" + }, + "logAnalytics": { + "type": "string" + }, + "location": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/applicationGateways/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": true, + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + 
"logs": [ + { + "category": "ApplicationGatewayAccessLog", + "enabled": true + }, + { + "category": "ApplicationGatewayPerformanceLog", + "enabled": true + }, + { + "category": "ApplicationGatewayFirewallLog", + "enabled": true + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + } + } + } + } + } + } + } + } + }, + { + "Name": "Deploy-Diagnostics-Batch", + "Properties": { + "Description": "Apply diagnostic settings for Azure Batch accounts - Log Analytics", + "DisplayName": "Deploy-Diagnostics-Batch", + "Mode": "All", + "Parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select the Log Analytics workspace from dropdown list", + "strongType": "omsWorkspace" + } + } + }, + "PolicyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Batch/batchAccounts" + }, + "then": { + "effect": "deployIfNotExists", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "setByPolicy", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ], + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "string" + }, + "logAnalytics": { + "type": "string" + }, + "location": { + "type": "string" + } + 
}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Batch/batchAccounts/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": true, + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "ServiceLog", + "enabled": true + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + } + } + } + } + } + } + } + } + }, + { + "Name": "Deploy-Diagnostics-CDNEndpoints", + "Properties": { + "Description": "Apply diagnostic settings for CDN Endpoints - Log Analytics", + "DisplayName": "Deploy-Diagnostics-CDNEndpoints", + "Mode": "All", + "Parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select the Log Analytics workspace from dropdown list", + "strongType": "omsWorkspace" + } + } + }, + "PolicyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Cdn/profiles/endpoints" + }, + "then": { + "effect": "deployIfNotExists", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "setByPolicy", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ], + "deployment": { + "properties": { + "mode": "incremental", + 
"template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "string" + }, + "logAnalytics": { + "type": "string" + }, + "location": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Cdn/profiles/endpoints/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [], + "logs": [ + { + "category": "CoreAnalytics", + "enabled": true + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('fullName')]" + } + } + } + } + } + } + } + } + }, + { + "Name": "Deploy-Diagnostics-CognitiveServices", + "Properties": { + "Description": "Apply diagnostic settings for Cognitive Services - Log Analytics", + "DisplayName": "Deploy-Diagnostics-CognitiveServices", + "Mode": "All", + "Parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select the Log Analytics workspace from dropdown list", + "strongType": "omsWorkspace" + } + } + }, + "PolicyRule": { + "if": { + "field": "type", + "equals": "Microsoft.CognitiveServices/accounts" + }, + "then": { + "effect": "deployIfNotExists", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "setByPolicy", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": 
"Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ], + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "string" + }, + "logAnalytics": { + "type": "string" + }, + "location": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.CognitiveServices/accounts/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": true, + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "Audit", + "enabled": true + }, + { + "category": "RequestResponse", + "enabled": true + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + } + } + } + } + } + } + } + } + }, + { + "Name": "Deploy-Diagnostics-CosmosDB", + "Properties": { + "Description": "Apply diagnostic settings for Cosmos DB - Log Analytics", + "DisplayName": "Deploy-Diagnostics-CosmosDB", + "Mode": "All", + "Parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select the Log Analytics workspace from dropdown list", + "strongType": "omsWorkspace" + } + } + }, + "PolicyRule": { + "if": { + "field": "type", + 
"equals": "Microsoft.DocumentDB/databaseAccounts" + }, + "then": { + "effect": "deployIfNotExists", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "setByPolicy", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ], + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "string" + }, + "logAnalytics": { + "type": "string" + }, + "location": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DocumentDB/databaseAccounts/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "Requests", + "enabled": true, + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "DataPlaneRequests", + "enabled": true + }, + { + "category": "MongoRequests", + "enabled": true + }, + { + "category": "QueryRuntimeStatistics", + "enabled": true + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + } + } + } + } + } + 
} + } + } + }, + { + "Name": "Deploy-Diagnostics-DataFactory", + "Properties": { + "Description": "Apply diagnostic settings for Data Factory - Log Analytics", + "DisplayName": "Deploy-Diagnostics-DataFactory", + "Mode": "All", + "Parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select the Log Analytics workspace from dropdown list", + "strongType": "omsWorkspace" + } + } + }, + "PolicyRule": { + "if": { + "field": "type", + "equals": "Microsoft.DataFactory/factories" + }, + "then": { + "effect": "deployIfNotExists", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "setByPolicy", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ], + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "string" + }, + "logAnalytics": { + "type": "string" + }, + "location": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DataFactory/factories/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": true, + "retentionPolicy": { + "days": 0, 
+ "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "ActivityRuns", + "enabled": true + }, + { + "category": "PipelineRuns", + "enabled": true + }, + { + "category": "TriggerRuns", + "enabled": true + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + } + } + } + } + } + } + } + } + }, + { + "Name": "Deploy-Diagnostics-DataLakeStore", + "Properties": { + "Description": "Apply diagnostic settings for Data Lake Storage - Log Analytics", + "DisplayName": "Deploy-Diagnostics-DataLakeStore", + "Mode": "All", + "Parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select the Log Analytics workspace from dropdown list", + "strongType": "omsWorkspace" + } + } + }, + "PolicyRule": { + "if": { + "field": "type", + "equals": "Microsoft.DataLakeStore/accounts" + }, + "then": { + "effect": "deployIfNotExists", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "setByPolicy", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ], + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "string" + }, + "logAnalytics": { + "type": "string" + }, + "location": { + 
"type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DataLakeStore/accounts/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": true, + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "Audit", + "enabled": true + }, + { + "category": "Requests", + "enabled": true + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + } + } + } + } + } + } + } + } + }, + { + "Name": "Deploy-Diagnostics-DLAnalytics", + "Properties": { + "Description": "Apply diagnostic settings for Data Lake Analytics - Log Analytics", + "DisplayName": "Deploy-Diagnostics-DLAnalytics", + "Mode": "All", + "Parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select the Log Analytics workspace from dropdown list", + "strongType": "omsWorkspace" + } + } + }, + "PolicyRule": { + "if": { + "field": "type", + "equals": "Microsoft.DataLakeAnalytics/accounts" + }, + "then": { + "effect": "deployIfNotExists", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "setByPolicy", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + 
"roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ], + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "string" + }, + "logAnalytics": { + "type": "string" + }, + "location": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DataLakeAnalytics/accounts/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": true, + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "Audit", + "enabled": true + }, + { + "category": "Requests", + "enabled": true + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + } + } + } + } + } + } + } + } + }, + { + "Name": "Deploy-Diagnostics-EventGridSub", + "Properties": { + "Description": "Apply diagnostic settings for Event Grid Subscriptions - Log Analytics", + "DisplayName": "Deploy-Diagnostics-EventGridSub", + "Mode": "All", + "Parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select the Log Analytics workspace from dropdown list", + "strongType": "omsWorkspace" + } + } + }, + "PolicyRule": { + "if": { + "field": "type", + "equals": "Microsoft.EventGrid/eventSubscriptions" + }, + "then": { + "effect": "deployIfNotExists", + 
"details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "setByPolicy", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ], + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "string" + }, + "logAnalytics": { + "type": "string" + }, + "location": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.EventGrid/eventSubscriptions/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": true, + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + } + } + } + } + } + } + } + } + }, + { + "Name": "Deploy-Diagnostics-EventGridTopic", + "Properties": { + "Description": "Apply diagnostic settings for Event Grid Topics - Log Analytics", + "DisplayName": "Deploy-Diagnostics-EventGridTopic", + "Mode": "All", + "Parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select 
the Log Analytics workspace from dropdown list",
+ "strongType": "omsWorkspace"
+ }
+ }
+ },
+ "PolicyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.EventGrid/topics"
+ },
+ "then": {
+ "effect": "deployIfNotExists",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "setByPolicy",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+ "equals": "[[parameters('logAnalytics')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "string"
+ },
+ "logAnalytics": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.EventGrid/topics/providers/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]",
+ "location": "[[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "workspaceId": "[[parameters('logAnalytics')]",
+ "metrics": [
+ {
+ "category": "AllMetrics",
+ "enabled": true,
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ },
+ "timeGrain": null
+ }
+ ],
+ "logs": []
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "location": {
+ "value": "[[field('location')]"
+ },
+ "resourceName": {
+ "value": "[[field('name')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ {
+ "Name": "Deploy-Diagnostics-EventHub",
+ "Properties": {
+ "Description": "Apply diagnostic settings for Event Hub Namespaces - Log 
Analytics", + "DisplayName": "Deploy-Diagnostics-EventHub", + "Mode": "All", + "Parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select the Log Analytics workspace from dropdown list", + "strongType": "omsWorkspace" + } + } + }, + "PolicyRule": { + "if": { + "field": "type", + "equals": "Microsoft.EventHub/namespaces" + }, + "then": { + "effect": "deployIfNotExists", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "setByPolicy", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ], + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "string" + }, + "logAnalytics": { + "type": "string" + }, + "location": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.EventHub/namespaces/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": true, + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "ArchiveLogs", + "enabled": true + }, + { + "category": 
"OperationalLogs", + "enabled": true + }, + { + "category": "AutoScaleLogs", + "enabled": true + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + } + } + } + } + } + } + } + } + }, + { + "Name": "Deploy-Diagnostics-ExpressRoute", + "Properties": { + "Description": "Apply diagnostic settings for Express Routes Circuits - Log Analytics", + "DisplayName": "Deploy-Diagnostics-ExpressRoute", + "Mode": "All", + "Parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select the Log Analytics workspace from dropdown list", + "strongType": "omsWorkspace" + } + } + }, + "PolicyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/expressRouteCircuits" + }, + "then": { + "effect": "deployIfNotExists", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "setByPolicy", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ], + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "string" + }, + "logAnalytics": { + "type": "string" + }, + "location": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": 
"Microsoft.Network/expressRouteCircuits/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": true, + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "PeeringRouteLog", + "enabled": true + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + } + } + } + } + } + } + } + } + }, + { + "Name": "Deploy-Diagnostics-Firewall", + "Properties": { + "Description": "Apply diagnostic settings for Azure Firewalls - Log Analytics", + "DisplayName": "Deploy-Diagnostics-Firewall", + "Mode": "All", + "Parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select the Log Analytics workspace from dropdown list", + "strongType": "omsWorkspace" + } + } + }, + "PolicyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/azureFirewalls" + }, + "then": { + "effect": "deployIfNotExists", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "setByPolicy", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ], + "deployment": { + 
"properties": { + "mode": "incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "string" + }, + "logAnalytics": { + "type": "string" + }, + "location": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/azureFirewalls/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": true, + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "AzureFirewallApplicationRule", + "enabled": true + }, + { + "category": "AzureFirewallNetworkRule", + "enabled": true + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + } + } + } + } + } + } + } + } + }, + { + "Name": "Deploy-Diagnostics-HDInsight", + "Properties": { + "Description": "Apply diagnostic settings for HDInsight - Log Analytics", + "DisplayName": "Deploy-Diagnostics-HDInsight", + "Mode": "All", + "Parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select the Log Analytics workspace from dropdown list", + "strongType": "omsWorkspace" + } + } + }, + "PolicyRule": { + "if": { + "field": "type", + "equals": "Microsoft.HDInsight/clusters" + }, + "then": { + "effect": "deployIfNotExists", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "setByPolicy", + "existenceCondition": { + "allOf": [ + { + 
"field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ], + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "string" + }, + "logAnalytics": { + "type": "string" + }, + "location": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.HDInsight/clusters/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": true, + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + } + } + } + } + } + } + } + } + }, + { + "Name": "Deploy-Diagnostics-iotHub", + "Properties": { + "Description": "Apply diagnostic settings for IoT Hubs - Log Analytics", + "DisplayName": "Deploy-Diagnostics-iotHub", + "Mode": "All", + "Parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select the Log Analytics workspace from dropdown list", + "strongType": "omsWorkspace" + } + } + }, + "PolicyRule": { + "if": { + "field": "type", + "equals": 
"Microsoft.Devices/IotHubs" + }, + "then": { + "effect": "deployIfNotExists", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "setByPolicy", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ], + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "string" + }, + "logAnalytics": { + "type": "string" + }, + "location": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Devices/IotHubs/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": true, + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "Connections", + "enabled": true + }, + { + "category": "DeviceTelemetry", + "enabled": true + }, + { + "category": "C2DCommands", + "enabled": true + }, + { + "category": "DeviceIdentityOperations", + "enabled": true + }, + { + "category": "FileUploadOperations", + "enabled": true + }, + { + "category": "Routes", + "enabled": true + }, + { + "category": "D2CTwinOperations", + "enabled": true + }, + { + "category": "C2DTwinOperations", + 
"enabled": true + }, + { + "category": "TwinQueries", + "enabled": true + }, + { + "category": "JobsOperations", + "enabled": true + }, + { + "category": "DirectMethods", + "enabled": true + }, + { + "category": "E2EDiagnostics", + "enabled": true + }, + { + "category": "Configurations", + "enabled": true + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + } + } + } + } + } + } + } + } + }, + { + "Name": "Deploy-Diagnostics-KeyVault", + "Properties": { + "Description": "Apply diagnostic settings for Key Vaults - Log Analytics", + "DisplayName": "Deploy-Diagnostics-KeyVault", + "Mode": "All", + "Parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select the Log Analytics workspace from dropdown list", + "strongType": "omsWorkspace" + } + } + }, + "PolicyRule": { + "if": { + "field": "type", + "equals": "Microsoft.KeyVault/vaults" + }, + "then": { + "effect": "deployIfNotExists", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "name": "setByPolicy", + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ], + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "string" + }, + 
"logAnalytics": { + "type": "string" + }, + "location": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.KeyVault/vaults/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": true, + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "AuditEvent", + "enabled": true + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + } + } + } + } + } + } + } + } + }, + { + "Name": "Deploy-Diagnostics-LoadBalancer", + "Properties": { + "Description": "Apply diagnostic settings for Load Balancers - Log Analytics", + "DisplayName": "Deploy-Diagnostics-LoadBalancer", + "Mode": "All", + "Parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select the Log Analytics workspace from dropdown list", + "strongType": "omsWorkspace" + } + } + }, + "PolicyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/loadBalancers" + }, + "then": { + "effect": "deployIfNotExists", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "setByPolicy", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + 
"roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ], + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "string" + }, + "logAnalytics": { + "type": "string" + }, + "location": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/loadBalancers/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "timeGrain": null, + "enabled": true, + "retentionPolicy": { + "enabled": false, + "days": 0 + } + } + ], + "logs": [ + { + "category": "LoadBalancerAlertEvent", + "enabled": true + }, + { + "category": "LoadBalancerProbeHealthStatus", + "enabled": true + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + } + } + } + } + } + } + } + } + }, + { + "Name": "Deploy-Diagnostics-LogicAppsISE", + "Properties": { + "Description": "Apply diagnostic settings for Logic Apps Integration Accounts - Log Analytics", + "DisplayName": "Deploy-Diagnostics-LogicAppsISE", + "Mode": "All", + "Parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select the Log Analytics workspace from dropdown list", + "strongType": "omsWorkspace" + } + } + }, + "PolicyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Logic/integrationAccounts" + }, + "then": 
{ + "effect": "deployIfNotExists", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "setByPolicy", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ], + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "string" + }, + "logAnalytics": { + "type": "string" + }, + "location": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Logic/integrationAccounts/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [], + "logs": [ + { + "category": "IntegrationAccountTrackingEvents", + "enabled": true + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + } + } + } + } + } + } + } + } + }, + { + "Name": "Deploy-Diagnostics-LogicAppsWF", + "Properties": { + "Description": "Apply diagnostic settings for Logic Apps workflows - Log Analytics", + "DisplayName": "Deploy-Diagnostics-LogicAppsWF", + "Mode": "All", + "Parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select the Log Analytics workspace 
from dropdown list",
+ "strongType": "omsWorkspace"
+ }
+ }
+ },
+ "PolicyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.Logic/workflows"
+ },
+ "then": {
+ "effect": "deployIfNotExists",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "setByPolicy",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+ "equals": "[[parameters('logAnalytics')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "string"
+ },
+ "logAnalytics": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Logic/workflows/providers/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]",
+ "location": "[[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "workspaceId": "[[parameters('logAnalytics')]",
+ "metrics": [
+ {
+ "category": "AllMetrics",
+ "enabled": true,
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ },
+ "timeGrain": null
+ }
+ ],
+ "logs": [
+ {
+ "category": "WorkflowRuntime",
+ "enabled": true
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "location": {
+ "value": "[[field('location')]"
+ },
+ "resourceName": {
+ "value": "[[field('name')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ {
+ "Name": 
"Deploy-Diagnostics-MlWorkspace", + "Properties": { + "Description": "Apply diagnostic settings for Ml Workspace - Log Analytics", + "DisplayName": "Deploy-Diagnostics-MlWorkspace", + "Mode": "Indexed", + "Parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select the Log Analytics workspace from dropdown list", + "strongType": "omsWorkspace" + } + } + }, + "PolicyRule": { + "if": { + "field": "type", + "equals": "Microsoft.MachineLearningServices/workspaces" + }, + "then": { + "effect": "deployIfNotExists", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "setByPolicy", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ], + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "string" + }, + "logAnalytics": { + "type": "string" + }, + "location": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.MachineLearningServices/workspaces/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "Run", + "enabled": true, + "retentionPolicy": { + "days": 0, + 
"enabled": false + }, + "timeGrain": null + }, + { + "category": "Model", + "enabled": true, + "retentionPolicy": { + "days": 0, + "enabled": true + } + }, + { + "category": "Quota", + "enabled": true, + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + }, + { + "category": "Resource", + "enabled": true, + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "AmlComputeClusterEvent", + "enabled": true + }, + { + "category": "AmlComputeClusterNodeEvent", + "enabled": true + }, + { + "category": "AmlComputeJobEvent", + "enabled": true + }, + { + "category": "AmlComputeCpuGpuUtilization", + "enabled": true + }, + { + "category": "AmlRunStatusChangedEvent", + "enabled": true + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + } + } + } + } + } + } + } + } + }, + { + "Name": "Deploy-Diagnostics-MySQL", + "Properties": { + "Description": "Apply diagnostic settings for MySQL Databases - Log Analytics", + "DisplayName": "Deploy-Diagnostics-MySQL", + "Mode": "All", + "Parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select the Log Analytics workspace from dropdown list", + "strongType": "omsWorkspace" + } + } + }, + "PolicyRule": { + "if": { + "field": "type", + "equals": "Microsoft.DBforMySQL/servers" + }, + "then": { + "effect": "deployIfNotExists", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "setByPolicy", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": 
"Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ], + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "string" + }, + "logAnalytics": { + "type": "string" + }, + "location": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.DBforMySQL/servers/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": true, + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "MySqlSlowLogs", + "enabled": true + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + } + } + } + } + } + } + } + } + }, + { + "Name": "Deploy-Diagnostics-NetworkSecurityGroups", + "Properties": { + "Description": "Apply diagnostic settings for Network Security Groups - Log Analytics", + "DisplayName": "Deploy-Diagnostics-NetworkSecurityGroups", + "Mode": "All", + "Parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select the Log Analytics workspace from dropdown list", + "strongType": "omsWorkspace" + } + } + }, + "PolicyRule": { + "if": { + "field": "type", + "equals": 
"Microsoft.Network/networkSecurityGroups"
+ },
+ "then": {
+ "effect": "deployIfNotExists",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "setByPolicy",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+ "equals": "[[parameters('logAnalytics')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "string"
+ },
+ "logAnalytics": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Network/networkSecurityGroups/providers/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]",
+ "location": "[[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "workspaceId": "[[parameters('logAnalytics')]",
+ "metrics": [],
+ "logs": [
+ {
+ "category": "NetworkSecurityGroupEvent",
+ "enabled": true
+ },
+ {
+ "category": "NetworkSecurityGroupRuleCounter",
+ "enabled": true
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "location": {
+ "value": "[[field('location')]"
+ },
+ "resourceName": {
+ "value": "[[field('name')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ {
+ "Name": "Deploy-Diagnostics-NIC",
+ "Properties": {
+ "Description": "Apply diagnostic settings for Network Interfaces - Log Analytics",
+ "DisplayName": "Deploy-Diagnostics-NIC",
+ "Mode": "All",
+ "Parameters": {
+ "logAnalytics": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Log Analytics workspace",
+ "description": "Select the Log Analytics workspace from dropdown list",
+ "strongType": "omsWorkspace"
+ }
+ }
+ },
+ "PolicyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.Network/networkInterfaces"
+ },
+ "then": {
+ "effect": "deployIfNotExists",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "setByPolicy",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+ "equals": "[[parameters('logAnalytics')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "string"
+ },
+ "logAnalytics": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Network/networkInterfaces/providers/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]",
+ "location": "[[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "workspaceId": "[[parameters('logAnalytics')]",
+ "metrics": [
+ {
+ "category": "AllMetrics",
+ "timeGrain": null,
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": false,
+ "days": 0
+ }
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "location": {
+ "value": "[[field('location')]"
+ },
+ "resourceName": {
+ "value": "[[field('name')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ {
+ "Name": "Deploy-Diagnostics-PostgreSQL",
+ "Properties": {
+ "Description": "Apply diagnostic settings for PostgreSQL Databases - Log Analytics",
+ "DisplayName": "Deploy-Diagnostics-PostgreSQL",
+ "Mode": "All",
+ "Parameters": {
+ "logAnalytics": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Log Analytics workspace",
+ "description": "Select the Log Analytics workspace from dropdown list",
+ "strongType": "omsWorkspace"
+ }
+ }
+ },
+ "PolicyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.DBforPostgreSQL/servers"
+ },
+ "then": {
+ "effect": "deployIfNotExists",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "setByPolicy",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+ "equals": "[[parameters('logAnalytics')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "string"
+ },
+ "logAnalytics": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.DBforPostgreSQL/servers/providers/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]",
+ "location": "[[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "workspaceId": "[[parameters('logAnalytics')]",
+ "metrics": [
+ {
+ "category": "AllMetrics",
+ "enabled": true,
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ },
+ "timeGrain": null
+ }
+ ],
+ "logs": [
+ {
+ "category": "PostgreSQLLogs",
+ "enabled": true
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "location": {
+ "value": "[[field('location')]"
+ },
+ "resourceName": {
+ "value": "[[field('name')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ {
+ "Name": "Deploy-Diagnostics-PowerBIEmbedded",
+ "Properties": {
+ "Description": "Apply diagnostic settings for Power BI Embedded - Log Analytics",
+ "DisplayName": "Deploy-Diagnostics-PowerBIEmbedded",
+ "Mode": "All",
+ "Parameters": {
+ "logAnalytics": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Log Analytics workspace",
+ "description": "Select the Log Analytics workspace from dropdown list",
+ "strongType": "omsWorkspace"
+ }
+ }
+ },
+ "PolicyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.PowerBIDedicated/capacities"
+ },
+ "then": {
+ "effect": "deployIfNotExists",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "setByPolicy",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+ "equals": "[[parameters('logAnalytics')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "string"
+ },
+ "logAnalytics": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.PowerBIDedicated/capacities/providers/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]",
+ "location": "[[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "workspaceId": "[[parameters('logAnalytics')]",
+ "metrics": [
+ {
+ "category": "AllMetrics",
+ "enabled": true,
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ },
+ "timeGrain": null
+ }
+ ],
+ "logs": [
+ {
+ "category": "Engine",
+ "enabled": true
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "location": {
+ "value": "[[field('location')]"
+ },
+ "resourceName": {
+ "value": "[[field('name')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ {
+ "Name": "Deploy-Diagnostics-PublicIP",
+ "Properties": {
+ "Description": "Apply diagnostic settings for Public IPs - Log Analytics",
+ "DisplayName": "Deploy-Diagnostics-PublicIP",
+ "Mode": "All",
+ "Parameters": {
+ "logAnalytics": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Log Analytics workspace",
+ "description": "Select the Log Analytics workspace from dropdown list",
+ "strongType": "omsWorkspace"
+ }
+ }
+ },
+ "PolicyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.Network/publicIPAddresses"
+ },
+ "then": {
+ "effect": "deployIfNotExists",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "setByPolicy",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+ "equals": "[[parameters('logAnalytics')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "string"
+ },
+ "logAnalytics": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Network/publicIPAddresses/providers/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]",
+ "location": "[[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "workspaceId": "[[parameters('logAnalytics')]",
+ "metrics": [
+ {
+ "category": "AllMetrics",
+ "timeGrain": null,
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": false,
+ "days": 0
+ }
+ }
+ ],
+ "logs": [
+ {
+ "category": "DDoSProtectionNotifications",
+ "enabled": true
+ },
+ {
+ "category": "DDoSMitigationFlowLogs",
+ "enabled": true
+ },
+ {
+ "category": "DDoSMitigationReports",
+ "enabled": true
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "location": {
+ "value": "[[field('location')]"
+ },
+ "resourceName": {
+ "value": "[[field('name')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ {
+ "Name": "Deploy-Diagnostics-RecoveryVault",
+ "Properties": {
+ "Description": "Apply diagnostic settings for Recovery Vaults - Log Analytics",
+ "DisplayName": "Deploy-Diagnostics-RecoveryVault",
+ "Mode": "All",
+ "Parameters": {
+ "logAnalytics": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Log Analytics workspace",
+ "description": "Select the Log Analytics workspace from dropdown list",
+ "strongType": "omsWorkspace"
+ }
+ }
+ },
+ "PolicyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.RecoveryServices/vaults"
+ },
+ "then": {
+ "effect": "deployIfNotExists",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "setByPolicy",
+ "existenceCondition": {
+ "allof": [
+ {
+ "count": {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
+ "where": {
+ "allof": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].Category",
+ "in": [
+ "CoreAzureBackup",
+ "AddonAzureBackupJobs",
+ "AddonAzureBackupAlerts",
+ "AddonAzureBackupPolicy",
+ "AddonAzureBackupStorage",
+ "AddonAzureBackupProtectedInstance"
+ ]
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs[*].Enabled",
+ "equals": "True"
+ }
+ ]
+ }
+ },
+ "Equals": 6
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+ "notEquals": "[[parameters('logAnalytics')]"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logAnalyticsDestinationType",
+ "equals": "Dedicated"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "string"
+ },
+ "logAnalytics": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.RecoveryServices/vaults/providers/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', 'setByPolicy')]",
+ "dependsOn": [],
+ "properties": {
+ "workspaceId": "[[parameters('logAnalytics')]",
+ "logAnalyticsDestinationType": "Dedicated",
+ "metrics": [],
+ "logs": [
+ {
+ "category": "CoreAzureBackup",
+ "enabled": "true"
+ },
+ {
+ "category": "AddonAzureBackupAlerts",
+ "enabled": "true"
+ },
+ {
+ "category": "AddonAzureBackupJobs",
+ "enabled": "true"
+ },
+ {
+ "category": "AddonAzureBackupPolicy",
+ "enabled": "true"
+ },
+ {
+ "category": "AddonAzureBackupProtectedInstance",
+ "enabled": "true"
+ },
+ {
+ "category": "AddonAzureBackupStorage",
+ "enabled": "true"
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "location": {
+ "value": "[[field('location')]"
+ },
+ "resourceName": {
+ "value": "[[field('name')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ {
+ "Name": "Deploy-Diagnostics-RedisCache",
+ "Properties": {
+ "Description": "Apply diagnostic settings for Redis Cache - Log Analytics",
+ "DisplayName": "Deploy-Diagnostics-RedisCache",
+ "Mode": "All",
+ "Parameters": {
+ "logAnalytics": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Log Analytics workspace",
+ "description": "Select the Log Analytics workspace from dropdown list",
+ "strongType": "omsWorkspace"
+ }
+ }
+ },
+ "PolicyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.Cache/redis"
+ },
+ "then": {
+ "effect": "deployIfNotExists",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "setByPolicy",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+ "equals": "[[parameters('logAnalytics')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "string"
+ },
+ "logAnalytics": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Cache/redis/providers/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]",
+ "location": "[[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "workspaceId": "[[parameters('logAnalytics')]",
+ "metrics": [
+ {
+ "category": "AllMetrics",
+ "enabled": true,
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ },
+ "timeGrain": null
+ }
+ ],
+ "logs": []
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "location": {
+ "value": "[[field('location')]"
+ },
+ "resourceName": {
+ "value": "[[field('name')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ {
+ "Name": "Deploy-Diagnostics-Relay",
+ "Properties": {
+ "Description": "Apply diagnostic settings for Azure Relay - Log Analytics",
+ "DisplayName": "Deploy-Diagnostics-Relay",
+ "Mode": "All",
+ "Parameters": {
+ "logAnalytics": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Log Analytics workspace",
+ "description": "Select the Log Analytics workspace from dropdown list",
+ "strongType": "omsWorkspace"
+ }
+ }
+ },
+ "PolicyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.Relay/namespaces"
+ },
+ "then": {
+ "effect": "deployIfNotExists",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "setByPolicy",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+ "equals": "[[parameters('logAnalytics')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "string"
+ },
+ "logAnalytics": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Relay/namespaces/providers/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]",
+ "location": "[[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "workspaceId": "[[parameters('logAnalytics')]",
+ "metrics": [
+ {
+ "category": "AllMetrics",
+ "enabled": true,
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ },
+ "timeGrain": null
+ }
+ ],
+ "logs": []
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "location": {
+ "value": "[[field('location')]"
+ },
+ "resourceName": {
+ "value": "[[field('name')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ {
+ "Name": "Deploy-Diagnostics-SearchServices",
+ "Properties": {
+ "Description": "Apply diagnostic settings for Search Services - Log Analytics",
+ "DisplayName": "Deploy-Diagnostics-SearchServices",
+ "Mode": "All",
+ "Parameters": {
+ "logAnalytics": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Log Analytics workspace",
+ "description": "Select the Log Analytics workspace from dropdown list",
+ "strongType": "omsWorkspace"
+ }
+ }
+ },
+ "PolicyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.Search/searchServices"
+ },
+ "then": {
+ "effect": "deployIfNotExists",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "setByPolicy",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+ "equals": "[[parameters('logAnalytics')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "string"
+ },
+ "logAnalytics": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Search/searchServices/providers/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]",
+ "location": "[[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "workspaceId": "[[parameters('logAnalytics')]",
+ "metrics": [
+ {
+ "category": "AllMetrics",
+ "enabled": true,
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ },
+ "timeGrain": null
+ }
+ ],
+ "logs": [
+ {
+ "category": "OperationLogs",
+ "enabled": true
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "location": {
+ "value": "[[field('location')]"
+ },
+ "resourceName": {
+ "value": "[[field('name')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ {
+ "Name": "Deploy-Diagnostics-ServiceBus",
+ "Properties": {
+ "Description": "Apply diagnostic settings for Service Bus namespaces - Log Analytics",
+ "DisplayName": "Deploy-Diagnostics-ServiceBus",
+ "Mode": "All",
+ "Parameters": {
+ "logAnalytics": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Log Analytics workspace",
+ "description": "Select the Log Analytics workspace from dropdown list",
+ "strongType": "omsWorkspace"
+ }
+ }
+ },
+ "PolicyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.ServiceBus/namespaces"
+ },
+ "then": {
+ "effect": "deployIfNotExists",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "setByPolicy",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+ "equals": "[[parameters('logAnalytics')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "string"
+ },
+ "logAnalytics": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.ServiceBus/namespaces/providers/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]",
+ "location": "[[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "workspaceId": "[[parameters('logAnalytics')]",
+ "metrics": [
+ {
+ "category": "AllMetrics",
+ "enabled": true,
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ },
+ "timeGrain": null
+ }
+ ],
+ "logs": [
+ {
+ "category": "OperationalLogs",
+ "enabled": true
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "location": {
+ "value": "[[field('location')]"
+ },
+ "resourceName": {
+ "value": "[[field('name')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ {
+ "Name": "Deploy-Diagnostics-SignalR",
+ "Properties": {
+ "Description": "Apply diagnostic settings for SignalR - Log Analytics",
+ "DisplayName": "Deploy-Diagnostics-SignalR",
+ "Mode": "All",
+ "Parameters": {
+ "logAnalytics": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Log Analytics workspace",
+ "description": "Select the Log Analytics workspace from dropdown list",
+ "strongType": "omsWorkspace"
+ }
+ }
+ },
+ "PolicyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.SignalRService/SignalR"
+ },
+ "then": {
+ "effect": "deployIfNotExists",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "setByPolicy",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+ "equals": "[[parameters('logAnalytics')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "string"
+ },
+ "logAnalytics": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SignalRService/SignalR/providers/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]",
+ "location": "[[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "workspaceId": "[[parameters('logAnalytics')]",
+ "metrics": [
+ {
+ "category": "AllMetrics",
+ "enabled": true,
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ },
+ "timeGrain": null
+ }
+ ],
+ "logs": []
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "location": {
+ "value": "[[field('location')]"
+ },
+ "resourceName": {
+ "value": "[[field('name')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ {
+ "Name": "Deploy-Diagnostics-SQLDBs",
+ "Properties": {
+ "Description": "Apply diagnostic settings for SQL Databases - Log Analytics",
+ "DisplayName": "Deploy-Diagnostics-SQLDBs",
+ "Mode": "All",
+ "Parameters": {
+ "logAnalytics": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Log Analytics workspace",
+ "description": "Select the Log Analytics workspace from dropdown list",
+ "strongType": "omsWorkspace"
+ }
+ }
+ },
+ "PolicyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.Sql/servers/databases"
+ },
+ "then": {
+ "effect": "deployIfNotExists",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "setByPolicy",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+ "equals": "[[parameters('logAnalytics')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "string"
+ },
+ "logAnalytics": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Sql/servers/databases/providers/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]",
+ "location": "[[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "workspaceId": "[[parameters('logAnalytics')]",
+ "metrics": [
+ {
+ "category": "AllMetrics",
+ "enabled": true,
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ },
+ "timeGrain": null
+ }
+ ],
+ "logs": [
+ {
+ "category": "SQLInsights",
+ "enabled": true
+ },
+ {
+ "category": "AutomaticTuning",
+ "enabled": true
+ },
+ {
+ "category": "QueryStoreRuntimeStatistics",
+ "enabled": true
+ },
+ {
+ "category": "QueryStoreWaitStatistics",
+ "enabled": true
+ },
+ {
+ "category": "Errors",
+ "enabled": true
+ },
+ {
+ "category": "DatabaseWaitStatistics",
+ "enabled": true
+ },
+ {
+ "category": "Timeouts",
+ "enabled": true
+ },
+ {
+ "category": "Blocks",
+ "enabled": true
+ },
+ {
+ "category": "Deadlocks",
+ "enabled": true
+ },
+ {
+ "category": "SQLSecurityAuditEvents",
+ "enabled": true
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "location": {
+ "value": "[[field('location')]"
+ },
+ "resourceName": {
+ "value": "[[field('fullName')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ {
+ "Name": "Deploy-Diagnostics-SQLElasticPools",
+ "Properties": {
+ "Description": "Apply diagnostic settings for SQL Elastic Pools - Log Analytics",
+ "DisplayName": "Deploy-Diagnostics-SQLElasticPools",
+ "Mode": "All",
+ "Parameters": {
+ "logAnalytics": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Log Analytics workspace",
+ "description": "Select the Log Analytics workspace from dropdown list",
+ "strongType": "omsWorkspace"
+ }
+ }
+ },
+ "PolicyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.Sql/servers/elasticPools"
+ },
+ "then": {
+ "effect": "deployIfNotExists",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "setByPolicy",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+ "equals": "[[parameters('logAnalytics')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "string"
+ },
+ "logAnalytics": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Sql/servers/elasticPools/providers/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]",
+ "location": "[[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "workspaceId": "[[parameters('logAnalytics')]",
+ "metrics": [
+ {
+ "category": "AllMetrics",
+ "enabled": true,
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ },
+ "timeGrain": null
+ }
+ ],
+ "logs": []
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "location": {
+ "value": "[[field('location')]"
+ },
+ "resourceName": {
+ "value": "[[field('fullName')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ {
+ "Name": "Deploy-Diagnostics-SQLMI",
+ "Properties": {
+ "Description": "Apply diagnostic settings for SQL Managed Instances - Log Analytics",
+ "DisplayName": "Deploy-Diagnostics-SQLMI",
+ "Mode": "All",
+ "Parameters": {
+ "logAnalytics": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Log Analytics workspace",
+ "description": "Select the Log Analytics workspace from dropdown list",
+ "strongType": "omsWorkspace"
+ }
+ }
+ },
+ "PolicyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.Sql/managedInstances"
+ },
+ "then": {
+ "effect": "deployIfNotExists",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "setByPolicy",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+ "equals": "[[parameters('logAnalytics')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "string"
+ },
+ "logAnalytics": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Sql/managedInstances/providers/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]",
+ "location": "[[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "workspaceId": "[[parameters('logAnalytics')]",
+ "logs": [
+ {
+ "category": "ResourceUsageStats",
+ "enabled": true
+ },
+ {
+ "category": "SQLSecurityAuditEvents",
+ "enabled": true
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "location": {
+ "value": "[[field('location')]"
+ },
+ "resourceName": {
+ "value": "[[field('name')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ {
+ "Name": "Deploy-Diagnostics-StreamAnalytics",
+ "Properties": {
+ "Description": "Apply diagnostic settings for Stream Analytics - Log Analytics",
+ "DisplayName": "Deploy-Diagnostics-StreamAnalytics",
+ "Mode": "All",
+ "Parameters": {
+ "logAnalytics": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Log Analytics workspace",
+ "description": "Select the Log Analytics workspace from dropdown list",
+ "strongType": "omsWorkspace"
+ }
+ }
+ },
+ "PolicyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.StreamAnalytics/streamingjobs"
+ },
+ "then": {
+ "effect": "deployIfNotExists",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "setByPolicy",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+ "equals": "[[parameters('logAnalytics')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "string"
+ },
+ "logAnalytics": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.StreamAnalytics/streamingjobs/providers/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]",
+ "location": "[[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "workspaceId": "[[parameters('logAnalytics')]",
+ "metrics": [
+ {
+ "category": "AllMetrics",
+ "enabled": true,
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ },
+ "timeGrain": null
+ }
+ ],
+ "logs": [
+ {
+ "category": "Execution",
+ "enabled": true
+ },
+ {
+ "category": "Authoring",
+ "enabled": true
+ }
+ ]
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "location": {
+ "value": "[[field('location')]"
+ },
+ "resourceName": {
+ "value": "[[field('name')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ {
+ "Name": "Deploy-Diagnostics-TimeSeriesInsights",
+ "Properties": {
+ "Description": "Apply diagnostic settings for Time Series Insights - Log Analytics",
+ "DisplayName": "Deploy-Diagnostics-TimeSeriesInsights",
+ "Mode": "All",
+ "Parameters": {
+ "logAnalytics": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Log Analytics workspace",
+ "description": "Select the Log Analytics workspace from dropdown list",
+ "strongType": "omsWorkspace"
+ }
+ }
+ },
+ "PolicyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.TimeSeriesInsights/environments"
+ },
+ "then": {
+ "effect": "deployIfNotExists",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "setByPolicy",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+ "equals": "[[parameters('logAnalytics')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "string"
+ },
+ "logAnalytics": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.TimeSeriesInsights/environments/providers/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]",
+ "location": "[[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "workspaceId": "[[parameters('logAnalytics')]",
+ "metrics": [
+ {
+ "category": "AllMetrics",
+ "enabled": true,
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ },
+ "timeGrain": null
+ }
+ ],
+ "logs": []
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "logAnalytics": {
+ "value": "[[parameters('logAnalytics')]"
+ },
+ "location": {
+ "value": "[[field('location')]"
+ },
+ "resourceName": {
+ "value": "[[field('name')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ {
+ "Name": "Deploy-Diagnostics-TrafficManager",
+ "Properties": {
+ "Description": "Apply diagnostic settings for Azure Traffic Manager - Log Analytics",
+ "DisplayName": "Deploy-Diagnostics-TrafficManager",
+ "Mode": "All",
+ "Parameters": {
+ "logAnalytics": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Log Analytics workspace",
+ "description": "Select the Log Analytics workspace from dropdown list",
+ "strongType": "omsWorkspace"
+ }
+ }
+ },
+ "PolicyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.Network/trafficManagerProfiles"
+ },
+ "then": {
+ "effect": "deployIfNotExists",
+ "details": {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "name": "setByPolicy",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
+ "equals": "true"
+ },
+ {
+ "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+ "equals": "[[parameters('logAnalytics')]"
+ }
+ ]
+ },
+ "roleDefinitionIds": [
+ "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
+ ],
+ "deployment": {
+ "properties": {
+ "mode": "incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "resourceName": {
+ "type": "string"
+ },
+ "logAnalytics": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Network/trafficManagerProfiles/providers/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]",
+ "location": "[[parameters('location')]",
+ "dependsOn": [],
+ "properties": {
+ "workspaceId": "[[parameters('logAnalytics')]",
+ "metrics": [
+ {
+ "category": "AllMetrics",
+ "enabled": true,
+ "retentionPolicy": {
+ "days": 0,
+ "enabled": false
+ },
+ "timeGrain": null
+ }
+ ],
+ "logs": [
+ {
+ "category": "ProbeHealthStatusEvents",
+
"enabled": true + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + } + } + } + } + } + } + } + } + }, + { + "Name": "Deploy-Diagnostics-VirtualNetwork", + "Properties": { + "Description": "Apply diagnostic settings for Virtual Networks - Log Analytics", + "DisplayName": "Deploy-Diagnostics-VirtualNetwork", + "Mode": "All", + "Parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select the Log Analytics workspace from dropdown list", + "strongType": "omsWorkspace" + } + } + }, + "PolicyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/virtualNetworks" + }, + "then": { + "effect": "deployIfNotExists", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "setByPolicy", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ], + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "string" + }, + "logAnalytics": { + "type": "string" + }, + "location": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/virtualNetworks/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": 
"[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": true, + "retentionPolicy": { + "enabled": false, + "days": 0 + } + } + ], + "logs": [ + { + "category": "VMProtectionAlerts", + "enabled": true + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + } + } + } + } + } + } + } + } + }, + { + "Name": "Deploy-Diagnostics-VM", + "Properties": { + "Description": "Apply diagnostic settings for Virtual Machines - Log Analytics", + "DisplayName": "Deploy-Diagnostics-VM", + "Mode": "All", + "Parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select the Log Analytics workspace from dropdown list", + "strongType": "omsWorkspace" + } + } + }, + "PolicyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Compute/virtualMachines" + }, + "then": { + "effect": "deployIfNotExists", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "setByPolicy", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ], + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "string" + 
}, + "logAnalytics": { + "type": "string" + }, + "location": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Compute/virtualMachines/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": true, + "retentionPolicy": { + "enabled": false, + "days": 0 + } + } + ], + "logs": [] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + } + } + } + } + } + } + } + } + }, + { + "Name": "Deploy-Diagnostics-VMSS", + "Properties": { + "Description": "Apply diagnostic settings for Virtual Machine Scale Sets - Log Analytics", + "DisplayName": "Deploy-Diagnostics-VMSS", + "Mode": "All", + "Parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select the Log Analytics workspace from dropdown list", + "strongType": "omsWorkspace" + } + } + }, + "PolicyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Compute/virtualMachineScaleSets" + }, + "then": { + "effect": "deployIfNotExists", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "setByPolicy", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ], + "deployment": { + "properties": { + "mode": 
"incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "string" + }, + "logAnalytics": { + "type": "string" + }, + "location": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Compute/virtualMachineScaleSets/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": true, + "retentionPolicy": { + "enabled": false, + "days": 0 + } + } + ], + "logs": [] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + } + } + } + } + } + } + } + } + }, + { + "Name": "Deploy-Diagnostics-VNetGW", + "Properties": { + "Description": "Apply diagnostic settings for Virtual Network Gateways - Log Analytics", + "DisplayName": "Deploy-Diagnostics-VNetGW", + "Mode": "All", + "Parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select the Log Analytics workspace from dropdown list", + "strongType": "omsWorkspace" + } + } + }, + "PolicyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Network/virtualNetworkGateways" + }, + "then": { + "effect": "deployIfNotExists", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "setByPolicy", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + 
"equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ], + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "string" + }, + "logAnalytics": { + "type": "string" + }, + "location": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/virtualNetworkGateways/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": true, + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [ + { + "category": "GatewayDiagnosticLog", + "enabled": true + }, + { + "category": "IKEDiagnosticLog", + "enabled": true + }, + { + "category": "P2SDiagnosticLog", + "enabled": true + }, + { + "category": "RouteDiagnosticLog", + "enabled": true + }, + { + "category": "RouteDiagnosticLog", + "enabled": true + }, + { + "category": "TunnelDiagnosticLog", + "enabled": true + } + ] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + } + } + } + } + } + } + } + } + }, + { + "Name": "Deploy-Diagnostics-WebServerFarm", + "Properties": { + "Description": "Apply diagnostic settings for Azure App Service Plans - Log Analytics", + "DisplayName": 
"Deploy-Diagnostics-WebServerFarm", + "Mode": "All", + "Parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select the Log Analytics workspace from dropdown list", + "strongType": "omsWorkspace" + } + } + }, + "PolicyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Web/serverfarms" + }, + "then": { + "effect": "deployIfNotExists", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "setByPolicy", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ], + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "string" + }, + "logAnalytics": { + "type": "string" + }, + "location": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Web/serverfarms/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": true, + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [] + } + } + ], + "outputs": {} + }, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": 
"[[field('name')]" + } + } + } + } + } + } + } + } + }, + { + "Name": "Deploy-Diagnostics-Website", + "Properties": { + "Description": "Apply diagnostic settings for Azure Web Sites", + "DisplayName": "Deploy-Diagnostics-Website", + "Mode": "All", + "Parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select the Log Analytics workspace from dropdown list", + "strongType": "omsWorkspace" + } + } + }, + "PolicyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Web/sites" + }, + "then": { + "effect": "deployIfNotExists", + "details": { + "type": "Microsoft.Insights/diagnosticSettings", + "name": "setByPolicy", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", + "equals": "true" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[[parameters('logAnalytics')]" + } + ] + }, + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ], + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "resourceName": { + "type": "string" + }, + "logAnalytics": { + "type": "string" + }, + "location": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Web/sites/providers/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "name": "[[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]", + "location": "[[parameters('location')]", + "dependsOn": [], + "properties": { + "workspaceId": "[[parameters('logAnalytics')]", + "metrics": [ + { + "category": "AllMetrics", + "enabled": true, + "retentionPolicy": { + "days": 0, + "enabled": false + }, + "timeGrain": null + } + ], + "logs": [] + } + } + ], + "outputs": {} + 
}, + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + }, + "location": { + "value": "[[field('location')]" + }, + "resourceName": { + "value": "[[field('name')]" + } + } + } + } + } + } + } + } + }, + { + "Name": "Deploy-DNSZoneGroup-For-Blob-PrivateEndpoint", + "Properties": { + "Description": "Deploys a DNS Zone Group for Storage-Blob Private Endpoint", + "DisplayName": "Deploy-DNSZoneGroup-For-Blob-PrivateEndpoint", + "Mode": "Indexed", + "Parameters": { + "privateDnsZoneId": { + "type": "String", + "metadata": { + "displayName": "privateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones" + } + } + }, + "PolicyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/privateEndpoints" + }, + { + "count": { + "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]", + "where": { + "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]", + "equals": "blob" + } + }, + "greaterOrEquals": 1 + } + ] + }, + "then": { + "effect": "deployIfNotExists", + "details": { + "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ], + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "privateDnsZoneId": { + "type": "string" + }, + "privateEndpointName": { + "type": "string" + }, + "location": { + "type": "string" + } + }, + "resources": [ + { + "name": "[[concat(parameters('privateEndpointName'), '/deployedByPolicy')]", + "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", + "apiVersion": "2020-03-01", + "location": "[[parameters('location')]", + "properties": { + "privateDnsZoneConfigs": [ + { + "name": 
"storageBlob-privateDnsZone", + "properties": { + "privateDnsZoneId": "[[parameters('privateDnsZoneId')]" + } + } + ] + } + } + ] + }, + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('privateDnsZoneId')]" + }, + "privateEndpointName": { + "value": "[[field('name')]" + }, + "location": { + "value": "[[field('location')]" + } + } + } + } + } + } + } + } + }, + { + "Name": "Deploy-DNSZoneGroup-For-File-PrivateEndpoint", + "Properties": { + "Description": "This policy deploys a DNS Zone Group for Storage-File Private Endpoint", + "DisplayName": "Deploy-DNSZoneGroup-For-File-PrivateEndpoint", + "Mode": "Indexed", + "Parameters": { + "privateDnsZoneId": { + "type": "String", + "metadata": { + "displayName": "privateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones" + } + } + }, + "PolicyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/privateEndpoints" + }, + { + "count": { + "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]", + "where": { + "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]", + "equals": "file" + } + }, + "greaterOrEquals": 1 + } + ] + }, + "then": { + "effect": "deployIfNotExists", + "details": { + "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ], + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "privateDnsZoneId": { + "type": "string" + }, + "privateEndpointName": { + "type": "string" + }, + "location": { + "type": "string" + } + }, + "resources": [ + { + "name": "[[concat(parameters('privateEndpointName'), '/deployedByPolicy')]", + "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", 
+ "apiVersion": "2020-03-01", + "location": "[[parameters('location')]", + "properties": { + "privateDnsZoneConfigs": [ + { + "name": "storageFile-privateDnsZone", + "properties": { + "privateDnsZoneId": "[[parameters('privateDnsZoneId')]" + } + } + ] + } + } + ] + }, + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('privateDnsZoneId')]" + }, + "privateEndpointName": { + "value": "[[field('name')]" + }, + "location": { + "value": "[[field('location')]" + } + } + } + } + } + } + } + } + }, + { + "Name": "Deploy-DNSZoneGroup-For-KeyVault-PrivateEndpoint", + "Properties": { + "Description": "This policy deploys a DNS Zone Group for Key Vault Private Endpoint", + "DisplayName": "Deploy-DNSZoneGroup-For-KeyVault-PrivateEndpoint", + "Mode": "Indexed", + "Parameters": { + "privateDnsZoneId": { + "type": "String", + "metadata": { + "displayName": "privateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones" + } + } + }, + "PolicyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/privateEndpoints" + }, + { + "count": { + "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]", + "where": { + "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]", + "equals": "vault" + } + }, + "greaterOrEquals": 1 + } + ] + }, + "then": { + "effect": "deployIfNotExists", + "details": { + "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ], + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "privateDnsZoneId": { + "type": "string" + }, + "privateEndpointName": { + "type": "string" + }, + "location": { + "type": "string" + } + }, + "resources": [ + { + 
"name": "[[concat(parameters('privateEndpointName'), '/deployedByPolicy')]", + "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", + "apiVersion": "2020-03-01", + "location": "[[parameters('location')]", + "properties": { + "privateDnsZoneConfigs": [ + { + "name": "keyVault-privateDnsZone", + "properties": { + "privateDnsZoneId": "[[parameters('privateDnsZoneId')]" + } + } + ] + } + } + ] + }, + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('privateDnsZoneId')]" + }, + "privateEndpointName": { + "value": "[[field('name')]" + }, + "location": { + "value": "[[field('location')]" + } + } + } + } + } + } + } + } + }, + { + "Name": "Deploy-DNSZoneGroup-For-Queue-PrivateEndpoint", + "Properties": { + "Description": "This policy deploys a DNS Zone Group for Storage-Queue Private Endpoint", + "DisplayName": "Deploy-DNSZoneGroup-For-Queue-PrivateEndpoint", + "Mode": "Indexed", + "Parameters": { + "privateDnsZoneId": { + "type": "String", + "metadata": { + "displayName": "privateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones" + } + } + }, + "PolicyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/privateEndpoints" + }, + { + "count": { + "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]", + "where": { + "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]", + "equals": "queue" + } + }, + "greaterOrEquals": 1 + } + ] + }, + "then": { + "effect": "deployIfNotExists", + "details": { + "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ], + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "privateDnsZoneId": { + 
"type": "string" + }, + "privateEndpointName": { + "type": "string" + }, + "location": { + "type": "string" + } + }, + "resources": [ + { + "name": "[[concat(parameters('privateEndpointName'), '/deployedByPolicy')]", + "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", + "apiVersion": "2020-03-01", + "location": "[[parameters('location')]", + "properties": { + "privateDnsZoneConfigs": [ + { + "name": "storageQueue-privateDnsZone", + "properties": { + "privateDnsZoneId": "[[parameters('privateDnsZoneId')]" + } + } + ] + } + } + ] + }, + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('privateDnsZoneId')]" + }, + "privateEndpointName": { + "value": "[[field('name')]" + }, + "location": { + "value": "[[field('location')]" + } + } + } + } + } + } + } + } + }, + { + "Name": "Deploy-DNSZoneGroup-For-Sql-PrivateEndpoint", + "Properties": { + "Description": "This policy deploys a DNS Zone Group for SQL Private Endpoint", + "DisplayName": "Deploy-DNSZoneGroup-For-Sql-PrivateEndpoint", + "Mode": "Indexed", + "Parameters": { + "privateDnsZoneId": { + "type": "String", + "metadata": { + "displayName": "privateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones" + } + } + }, + "PolicyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/privateEndpoints" + }, + { + "count": { + "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]", + "where": { + "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]", + "equals": "sqlServer" + } + }, + "greaterOrEquals": 1 + } + ] + }, + "then": { + "effect": "deployIfNotExists", + "details": { + "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ], + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": 
"https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "privateDnsZoneId": { + "type": "string" + }, + "privateEndpointName": { + "type": "string" + }, + "location": { + "type": "string" + } + }, + "resources": [ + { + "name": "[[concat(parameters('privateEndpointName'), '/deployedByPolicy')]", + "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", + "apiVersion": "2020-03-01", + "location": "[[parameters('location')]", + "properties": { + "privateDnsZoneConfigs": [ + { + "name": "sqlServer-privateDnsZone", + "properties": { + "privateDnsZoneId": "[[parameters('privateDnsZoneId')]" + } + } + ] + } + } + ] + }, + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('privateDnsZoneId')]" + }, + "privateEndpointName": { + "value": "[[field('name')]" + }, + "location": { + "value": "[[field('location')]" + } + } + } + } + } + } + } + } + }, + { + "Name": "Deploy-DNSZoneGroup-For-Table-PrivateEndpoint", + "Properties": { + "Description": "This policy deploys a DNS Zone Group for Storage-Blob Private Endpoint", + "DisplayName": "Deploy-DNSZoneGroup-For-Table-PrivateEndpoint", + "Mode": "Indexed", + "Parameters": { + "privateDnsZoneId": { + "type": "String", + "metadata": { + "displayName": "privateDnsZoneId", + "strongType": "Microsoft.Network/privateDnsZones" + } + } + }, + "PolicyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/privateEndpoints" + }, + { + "count": { + "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]", + "where": { + "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]", + "equals": "table" + } + }, + "greaterOrEquals": 1 + } + ] + }, + "then": { + "effect": "deployIfNotExists", + "details": { + "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", + "roleDefinitionIds": [ + 
"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ], + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "privateDnsZoneId": { + "type": "string" + }, + "privateEndpointName": { + "type": "string" + }, + "location": { + "type": "string" + } + }, + "resources": [ + { + "name": "[[concat(parameters('privateEndpointName'), '/deployedByPolicy')]", + "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", + "apiVersion": "2020-03-01", + "location": "[[parameters('location')]", + "properties": { + "privateDnsZoneConfigs": [ + { + "name": "storageTable-privateDnsZone", + "properties": { + "privateDnsZoneId": "[[parameters('privateDnsZoneId')]" + } + } + ] + } + } + ] + }, + "parameters": { + "privateDnsZoneId": { + "value": "[[parameters('privateDnsZoneId')]" + }, + "privateEndpointName": { + "value": "[[field('name')]" + }, + "location": { + "value": "[[field('location')]" + } + } + } + } + } + } + } + } + }, + { + "Name": "Deploy-FirewallPolicy", + "Properties": { + "Description": "Deploys Azure Firewall Policy/Manager", + "DisplayName": "Deploy-FirewallPolicy", + "Mode": "All", + "Parameters": { + "fwpolicy": { + "type": "Object", + "metadata": { + "displayName": "fwpolicy", + "description": "Object describing Azure Firewall Policy" + }, + "defaultValue": {} + }, + "fwPolicyRegion": { + "type": "String", + "metadata": { + "displayName": "fwPolicyRegion", + "description": "Select Azure region for Azure Firewall Policy", + "strongType": "location" + } + }, + "rgName": { + "type": "String", + "metadata": { + "displayName": "rgName", + "description": "Provide name for resource group." 
+ } + } + }, + "PolicyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Resources/subscriptions" + } + ] + }, + "then": { + "effect": "deployIfNotExists", + "details": { + "type": "Microsoft.Network/firewallPolicies", + "deploymentScope": "Subscription", + "existenceScope": "ResourceGroup", + "resourceGroupName": "[[parameters('rgName')]", + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ], + "deployment": { + "location": "northeurope", + "properties": { + "mode": "incremental", + "parameters": { + "rgName": { + "value": "[[parameters('rgName')]" + }, + "fwPolicy": { + "value": "[[parameters('fwPolicy')]" + }, + "fwPolicyRegion": { + "value": "[[parameters('fwPolicyRegion')]" + } + }, + "template": { + "$schema": "http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": { + "rgName": { + "type": "string" + }, + "fwPolicy": { + "type": "object" + }, + "fwPolicyRegion": { + "type": "string" + } + }, + "resources": [ + { + "type": "Microsoft.Resources/resourceGroups", + "apiVersion": "2018-05-01", + "name": "[[parameters('rgName')]", + "location": "[[deployment().location]", + "properties": {} + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2018-05-01", + "name": "fwpolicies", + "resourceGroup": "[[parameters('rgName')]", + "dependsOn": [ + "[[resourceId('Microsoft.Resources/resourceGroups/', parameters('rgName'))]" + ], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/firewallPolicies", + "apiVersion": "2019-09-01", + "name": "[[parameters('fwpolicy').firewallPolicyName]", + "location": "[[parameters('fwpolicy').location]", + "dependsOn": [], + 
"tags": {}, + "properties": {}, + "resources": [ + { + "type": "ruleGroups", + "apiVersion": "2019-09-01", + "name": "[[parameters('fwpolicy').ruleGroups.name]", + "dependsOn": [ + "[[resourceId('Microsoft.Network/firewallPolicies',parameters('fwpolicy').firewallPolicyName)]" + ], + "properties": { + "priority": "[[parameters('fwpolicy').ruleGroups.properties.priority]", + "rules": "[[parameters('fwpolicy').ruleGroups.properties.rules]" + } + } + ] + } + ], + "outputs": {} + } + } + } + ], + "outputs": {} + } + } + } + } + } + } + } + }, + { + "Name": "Deploy-HUB", + "Properties": { + "Description": "Deploys Azure VNet to be used as hub virtual network in desired regions", + "DisplayName": "Deploy-HUB", + "Mode": "All", + "Parameters": { + "hubName": { + "type": "String", + "metadata": { + "displayName": "hubName", + "description": "Name of the Hub" + } + }, + "HUB": { + "type": "Object", + "metadata": { + "displayName": "HUB", + "description": "Object describing HUB" + } + }, + "vpngw": { + "type": "Object", + "metadata": { + "displayName": "vpngw", + "description": "Object describing VPN gateway" + }, + "defaultValue": {} + }, + "ergw": { + "type": "Object", + "metadata": { + "displayName": "ergw", + "description": "Object describing ExpressRoute gateway" + }, + "defaultValue": {} + }, + "azfw": { + "type": "Object", + "metadata": { + "displayName": "ergw", + "description": "Object describing ExpressRoute gateway" + }, + "defaultValue": {} + }, + "rgName": { + "type": "String", + "metadata": { + "displayName": "rgName", + "description": "Provide name for resource group." 
+ }
+ }
+ },
+ "PolicyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Resources/subscriptions"
+ }
+ ]
+ },
+ "then": {
+ "effect": "deployIfNotExists",
+ "details": {
+ "type": "Microsoft.Network/virtualNetworks",
+ "name": "[[parameters('hubName')]",
+ "deploymentScope": "Subscription",
+ "existenceScope": "ResourceGroup",
+ "ResourceGroupName": "[[parameters('rgName')]",
+ "roleDefinitionIds": [
+ "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
+ ],
+ "deployment": {
+ "location": "northeurope",
+ "properties": {
+ "mode": "incremental",
+ "parameters": {
+ "rgName": {
+ "value": "[[parameters('rgName')]"
+ },
+ "hubName": {
+ "value": "[[parameters('hubName')]"
+ },
+ "HUB": {
+ "value": "[[parameters('HUB')]"
+ },
+ "vpngw": {
+ "value": "[[parameters('vpngw')]"
+ },
+ "ergw": {
+ "value": "[[parameters('ergw')]"
+ },
+ "azfw": {
+ "value": "[[parameters('azfw')]"
+ }
+ },
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "hubName": {
+ "type": "string",
+ "metadata": {
+ "description": "Name of the HUB"
+ }
+ },
+ "HUB": {
+ "type": "object",
+ "metadata": {
+ "description": "Object describing HUB"
+ }
+ },
+ "vpngw": {
+ "type": "object",
+ "defaultValue": {},
+ "metadata": {
+ "description": "Object describing VPN gateway"
+ }
+ },
+ "ergw": {
+ "type": "object",
+ "defaultValue": {},
+ "metadata": {
+ "description": "Object describing ExpressRoute gateway"
+ }
+ },
+ "azfw": {
+ "type": "object",
+ "defaultValue": {},
+ "metadata": {
+ "description": "Object describing the Azure Firewall"
+ }
+ },
+ "rgName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "rgName",
+ "description": "Provide name for resource group." 
+ }
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Resources/resourceGroups",
+ "apiVersion": "2020-06-01",
+ "name": "[[parameters('rgName')]",
+ "location": "[[deployment().location]",
+ "properties": {}
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "name": "[[concat(parameters('hubName'),'-', parameters('HUB').location)]",
+ "resourceGroup": "[[parameters('rgName')]",
+ "dependsOn": [
+ "[[resourceId('Microsoft.Resources/resourceGroups/', parameters('rgName'))]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https: //schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "name": "[[parameters('hubName')]",
+ "type": "Microsoft.Network/virtualNetworks",
+ "apiVersion": "2020-04-01",
+ "location": "[[parameters('HUB').location]",
+ "properties": {
+ "addressSpace": {
+ "addressPrefixes": [
+ "[[parameters('HUB').addressPrefix]"
+ ]
+ },
+ "subnets": [
+ {
+ "name": "Infrastructure",
+ "properties": {
+ "addressPrefix": "[[if(not(empty(parameters('HUB').subnets.infra)),parameters('HUB').subnets.infra, json('null'))]"
+ }
+ },
+ {
+ "name": "AzureFirewallSubnet",
+ "properties": {
+ "addressPrefix": "[[if(not(empty(parameters('HUB').subnets.azfw)),parameters('HUB').subnets.azfw, json('null'))]"
+ }
+ },
+ {
+ "name": "GatewaySubnet",
+ "properties": {
+ "addressPrefix": "[[if(not(empty(parameters('HUB').subnets.gw)),parameters('HUB').subnets.gw, json('null'))]"
+ }
+ }
+ ]
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "condition": "[[greater(length(parameters('vpngw')),0)]",
+ "resourceGroup": "[[parameters('rgName')]",
+ "dependsOn": [
+ "[[concat(parameters('hubName'),'-', parameters('HUB').location)]"
+ ],
+ "name": "[[concat(parameters('hubName'),'-vpngw')]",
+ "properties": {
+ "mode": "Incremental", 
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "apiVersion": "2020-05-01",
+ "type": "Microsoft.Network/publicIpAddresses",
+ "location": "[[parameters('HUB').location]",
+ "name": "[[concat(parameters('vpngw').name,'-pip')]",
+ "properties": {
+ "publicIPAllocationMethod": "Dynamic"
+ },
+ "tags": {}
+ },
+ {
+ "apiVersion": "2020-05-01",
+ "name": "[[parameters('vpngw').name]",
+ "type": "Microsoft.Network/virtualNetworkGateways",
+ "location": "[[parameters('HUB').location]",
+ "dependsOn": [
+ "[[concat('Microsoft.Network/publicIPAddresses/', parameters('vpngw').name,'-pip')]"
+ ],
+ "tags": {},
+ "properties": {
+ "gatewayType": "Vpn",
+ "vpnType": "[[parameters('vpngw').vpnType]",
+ "ipConfigurations": [
+ {
+ "name": "default",
+ "properties": {
+ "privateIPAllocationMethod": "Dynamic",
+ "subnet": {
+ "id": "[[concat(subscription().id,'/resourceGroups/',parameters('rgName'), '/providers','/Microsoft.Network/virtualNetworks/', parameters('hubName'),'/subnets/GatewaySubnet')]"
+ },
+ "publicIpAddress": {
+ "id": "[[concat(subscription().id,'/resourceGroups/',parameters('rgName'), '/providers','/Microsoft.Network/publicIPAddresses/', parameters('vpngw').name,'-pip')]"
+ }
+ }
+ }
+ ],
+ "sku": {
+ "name": "[[parameters('vpngw').sku]",
+ "tier": "[[parameters('vpngw').sku]"
+ }
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "condition": "[[greater(length(parameters('ergw')),0)]",
+ "resourceGroup": "[[parameters('rgName')]",
+ "dependsOn": [
+ "[[concat(parameters('hubName'),'-', parameters('HUB').location)]"
+ ],
+ "name": "[[concat(parameters('hubName'),'-ergw')]",
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": 
"1.0.0.0",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "apiVersion": "2020-05-01",
+ "type": "Microsoft.Network/publicIpAddresses",
+ "location": "[[parameters('HUB').location]",
+ "name": "[[concat(parameters('ergw').name,'-pip')]",
+ "properties": {
+ "publicIPAllocationMethod": "Dynamic"
+ },
+ "tags": {}
+ },
+ {
+ "apiVersion": "2020-05-01",
+ "name": "[[parameters('ergw').name]",
+ "type": "Microsoft.Network/virtualNetworkGateways",
+ "location": "[[parameters('HUB').location]",
+ "dependsOn": [
+ "[[concat('Microsoft.Network/publicIPAddresses/', parameters('ergw').name,'-pip')]"
+ ],
+ "tags": {},
+ "properties": {
+ "gatewayType": "ExpressRoute",
+ "ipConfigurations": [
+ {
+ "name": "default",
+ "properties": {
+ "privateIPAllocationMethod": "Dynamic",
+ "subnet": {
+ "id": "[[concat(subscription().id,'/resourceGroups/',parameters('rgName'), '/providers','/Microsoft.Network/virtualNetworks/', parameters('hubName'),'/subnets/GatewaySubnet')]"
+ },
+ "publicIpAddress": {
+ "id": "[[concat(subscription().id,'/resourceGroups/',parameters('rgName'), '/providers','/Microsoft.Network/publicIPAddresses/', parameters('ergw').name,'-pip')]"
+ }
+ }
+ }
+ ],
+ "sku": {
+ "name": "[[parameters('ergw').sku]",
+ "tier": "[[parameters('ergw').sku]"
+ }
+ }
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "condition": "[[greater(length(parameters('azfw')),0)]",
+ "name": "[[concat(parameters('hubName'),'-azfw')]",
+ "resourceGroup": "[[parameters('rgName')]",
+ "dependsOn": [
+ "[[concat(parameters('hubName'),'-', parameters('HUB').location)]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "apiVersion": "2020-05-01",
+ "type": "Microsoft.Network/publicIpAddresses",
+ "name": 
"[[concat(parameters('azfw').name,'-pip')]",
+ "location": "[[parameters('azfw').location]",
+ "sku": {
+ "name": "Standard"
+ },
+ "zones": "[[if(contains(parameters('azfw'),'pipZones'),parameters('azfw').pipZones,json('null'))]",
+ "properties": {
+ "publicIPAllocationMethod": "Static"
+ },
+ "tags": {}
+ },
+ {
+ "apiVersion": "2020-05-01",
+ "type": "Microsoft.Network/azureFirewalls",
+ "name": "[[parameters('azfw').name]",
+ "location": "[[parameters('azfw').location]",
+ "zones": "[[if(contains(parameters('azfw'),'fwZones'),parameters('azfw').fwZones,json('null'))]",
+ "dependsOn": [
+ "[[concat(parameters('azfw').name,'-pip')]"
+ ],
+ "properties": {
+ "threatIntelMode": "[[parameters('azfw').threatIntelMode]",
+ "additionalProperties": "[[if(contains(parameters('azfw'),'additionalProperties'),parameters('azfw').additionalProperties,json('null'))]",
+ "sku": "[[if(contains(parameters('azfw'),'sku'),parameters('azfw').sku,json('null'))]",
+ "ipConfigurations": [
+ {
+ "name": "[[concat(parameters('azfw').name,'-pip')]",
+ "properties": {
+ "subnet": {
+ "id": "[[concat(subscription().id,'/resourceGroups/',parameters('rgName'), '/providers','/Microsoft.Network/virtualNetworks/', parameters('hubName'),'/subnets/AzureFirewallSubnet')]"
+ },
+ "publicIPAddress": {
+ "id": "[[concat(subscription().id,'/resourceGroups/',parameters('rgName'), '/providers','/Microsoft.Network/publicIPAddresses/', parameters('azfw').name,'-pip')]"
+ }
+ }
+ }
+ ],
+ "firewallPolicy": "[[if(contains(parameters('azfw'),'firewallPolicy'),parameters('azfw').firewallPolicy,json('null'))]"
+ },
+ "tags": {}
+ }
+ ]
+ }
+ }
+ }
+ ]
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ {
+ "Name": "Deploy-LA-Config",
+ "Properties": {
+ "Description": null,
+ "DisplayName": "Deploy-LA-Config",
+ "Mode": "All",
+ "Parameters": {
+ "workspaceName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "workspaceName",
+ "description": "Provide name of existing Log Analytics workspace"
+ }
+ },
+ 
"workspaceRegion": {
+ "type": "String",
+ "metadata": {
+ "displayName": "workspaceRegion",
+ "description": "Select region of existing Log Analytics workspace"
+ }
+ }
+ },
+ "PolicyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.OperationalInsights/workspaces"
+ }
+ ]
+ },
+ "then": {
+ "effect": "deployIfNotExists",
+ "details": {
+ "type": "Microsoft.OperationalInsights/workspaces",
+ "deploymentScope": "resourceGroup",
+ "existenceScope": "Subscription",
+ "roleDefinitionIds": [
+ "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
+ ],
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "name",
+ "like": "[[parameters('workspaceName')]"
+ },
+ {
+ "field": "location",
+ "equals": "[[parameters('workspaceRegion')]"
+ }
+ ]
+ },
+ "deployment": {
+ "properties": {
+ "mode": "incremental",
+ "parameters": {
+ "workspaceName": {
+ "value": "[[parameters('workspaceName')]"
+ },
+ "workspaceRegion": {
+ "value": "[[parameters('workspaceRegion')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "workspaceName": {
+ "type": "string"
+ },
+ "workspaceRegion": {
+ "type": "string"
+ }
+ },
+ "variables": {
+ "vmInsightsPerfCounters": {
+ "windowsArray": [
+ {
+ "armName": "counter1",
+ "objectName": "LogicalDisk",
+ "counterName": "% Free Space",
+ "instanceName": "*",
+ "intervalSeconds": 10
+ },
+ {
+ "armName": "counter2",
+ "objectName": "LogicalDisk",
+ "counterName": "Avg. Disk sec/Read",
+ "instanceName": "*",
+ "intervalSeconds": 10
+ },
+ {
+ "armName": "counter3",
+ "objectName": "LogicalDisk",
+ "counterName": "Avg. Disk sec/Transfer",
+ "instanceName": "*",
+ "intervalSeconds": 10
+ },
+ {
+ "armName": "counter4",
+ "objectName": "LogicalDisk",
+ "counterName": "Avg. 
Disk sec/Write",
+ "instanceName": "*",
+ "intervalSeconds": 10
+ },
+ {
+ "armName": "counter5",
+ "objectName": "LogicalDisk",
+ "counterName": "Disk Read Bytes/sec",
+ "instanceName": "*",
+ "intervalSeconds": 10
+ },
+ {
+ "armName": "counter6",
+ "objectName": "LogicalDisk",
+ "counterName": "Disk Reads/sec",
+ "instanceName": "*",
+ "intervalSeconds": 10
+ },
+ {
+ "armName": "counter7",
+ "objectName": "LogicalDisk",
+ "counterName": "Disk Transfers/sec",
+ "instanceName": "*",
+ "intervalSeconds": 10
+ },
+ {
+ "armName": "counter8",
+ "objectName": "LogicalDisk",
+ "counterName": "Disk Write Bytes/sec",
+ "instanceName": "*",
+ "intervalSeconds": 10
+ },
+ {
+ "armName": "counter9",
+ "objectName": "LogicalDisk",
+ "counterName": "Disk Writes/sec",
+ "instanceName": "*",
+ "intervalSeconds": 10
+ },
+ {
+ "armName": "counter10",
+ "objectName": "LogicalDisk",
+ "counterName": "Free Megabytes",
+ "instanceName": "*",
+ "intervalSeconds": 10
+ },
+ {
+ "armName": "counter11",
+ "objectName": "Memory",
+ "counterName": "Available MBytes",
+ "instanceName": "*",
+ "intervalSeconds": 10
+ },
+ {
+ "armName": "counter12",
+ "objectName": "Network Adapter",
+ "counterName": "Bytes Received/sec",
+ "instanceName": "*",
+ "intervalSeconds": 10
+ },
+ {
+ "armName": "counter13",
+ "objectName": "Network Adapter",
+ "counterName": "Bytes Sent/sec",
+ "instanceName": "*",
+ "intervalSeconds": 10
+ },
+ {
+ "armName": "counter14",
+ "objectName": "Processor",
+ "counterName": "% Processor Time",
+ "instanceName": "*",
+ "intervalSeconds": 10
+ }
+ ],
+ "linuxDiskArray": [
+ {
+ "counterName": "% Used Inodes"
+ },
+ {
+ "counterName": "Free Megabytes"
+ },
+ {
+ "counterName": "% Used Space"
+ },
+ {
+ "counterName": "Disk Transfers/sec"
+ },
+ {
+ "counterName": "Disk Reads/sec"
+ },
+ {
+ "counterName": "Disk writes/sec"
+ }
+ ],
+ "linuxDiskObject": {
+ "armResourceName": "Disk",
+ "objectName": "Logical Disk",
+ "instanceName": "*",
+ "intervalSeconds": 10
+ },
+ 
"linuxMemoryArray": [
+ {
+ "counterName": "Available MBytes Memory"
+ }
+ ],
+ "linuxMemoryObject": {
+ "armResourceName": "Memory",
+ "objectName": "Memory",
+ "instanceName": "*",
+ "intervalSeconds": 10
+ },
+ "linuxNetworkArray": [
+ {
+ "counterName": "Total Bytes Received"
+ },
+ {
+ "counterName": "Total Bytes Transmitted"
+ }
+ ],
+ "linuxNetworkObject": {
+ "armResourceName": "Network",
+ "objectName": "Network",
+ "instanceName": "*",
+ "intervalSeconds": 10
+ },
+ "linuxCpuArray": [
+ {
+ "counterName": "% Processor Time"
+ }
+ ],
+ "linuxCpuObject": {
+ "armResourceName": "Processor",
+ "objectName": "Processor",
+ "instanceName": "*",
+ "intervalSeconds": 10
+ }
+ },
+ "batch1": {
+ "solutions": [
+ {
+ "name": "[[concat('Security', '(', parameters('workspaceName'), ')')]",
+ "marketplaceName": "Security"
+ },
+ {
+ "name": "[[concat('AgentHealthAssessment', '(', parameters('workspaceName'), ')')]",
+ "marketplaceName": "AgentHealthAssessment"
+ },
+ {
+ "name": "[[concat('ChangeTracking', '(', parameters('workspaceName'), ')')]",
+ "marketplaceName": "ChangeTracking"
+ },
+ {
+ "name": "[[concat('Updates', '(', parameters('workspaceName'), ')')]",
+ "marketplaceName": "Updates"
+ },
+ {
+ "name": "[[concat('AzureActivity', '(', parameters('workspaceName'), ')')]",
+ "marketplaceName": "AzureActivity"
+ },
+ {
+ "name": "[[concat('AzureAutomation', '(', parameters('workspaceName'), ')')]",
+ "marketplaceName": "AzureAutomation"
+ },
+ {
+ "name": "[[concat('ADAssessment', '(', parameters('workspaceName'), ')')]",
+ "marketplaceName": "ADAssessment"
+ },
+ {
+ "name": "[[concat('SQLAssessment', '(', parameters('workspaceName'), ')')]",
+ "marketplaceName": "SQLAssessment"
+ },
+ {
+ "name": "[[concat('VMInsights', '(', parameters('workspaceName'), ')')]",
+ "marketplaceName": "VMInsights"
+ },
+ {
+ "name": "[[concat('ServiceMap', '(', parameters('workspaceName'), ')')]",
+ "marketplaceName": "ServiceMap"
+ },
+ {
+ "name": 
"[[concat('SecurityInsights', '(', parameters('workspaceName'), ')')]",
+ "marketplaceName": "SecurityInsights"
+ }
+ ]
+ }
+ },
+ "resources": [
+ {
+ "apiVersion": "2015-11-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/datasources",
+ "name": "[[concat(parameters('workspaceName'), '/LinuxPerfCollection')]",
+ "kind": "LinuxPerformanceCollection",
+ "properties": {
+ "state": "Enabled"
+ }
+ },
+ {
+ "apiVersion": "2015-11-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/dataSources",
+ "name": "[[concat(parameters('workspaceName'), '/', variables('vmInsightsPerfCounters').linuxDiskObject.armResourceName)]",
+ "kind": "LinuxPerformanceObject",
+ "properties": {
+ "performanceCounters": "[[variables('vmInsightsPerfCounters').linuxDiskArray]",
+ "objectName": "[[variables('vmInsightsPerfCounters').linuxDiskObject.objectName]",
+ "instanceName": "[[variables('vmInsightsPerfCounters').linuxDiskObject.instanceName]",
+ "intervalSeconds": "[[variables('vmInsightsPerfCounters').linuxDiskObject.intervalSeconds]"
+ }
+ },
+ {
+ "apiVersion": "2015-11-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/dataSources",
+ "name": "[[concat(parameters('workspaceName'), '/', variables('vmInsightsPerfCounters').linuxMemoryObject.armResourceName)]",
+ "kind": "LinuxPerformanceObject",
+ "properties": {
+ "performanceCounters": "[[variables('vmInsightsPerfCounters').linuxMemoryArray]",
+ "objectName": "[[variables('vmInsightsPerfCounters').linuxMemoryObject.objectName]",
+ "instanceName": "[[variables('vmInsightsPerfCounters').linuxMemoryObject.instanceName]",
+ "intervalSeconds": "[[variables('vmInsightsPerfCounters').linuxMemoryObject.intervalSeconds]"
+ }
+ },
+ {
+ "apiVersion": "2015-11-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/dataSources",
+ "name": "[[concat(parameters('workspaceName'), '/', variables('vmInsightsPerfCounters').linuxCpuObject.armResourceName)]",
+ "kind": "LinuxPerformanceObject",
+ 
"properties": {
+ "performanceCounters": "[[variables('vmInsightsPerfCounters').linuxCpuArray]",
+ "objectName": "[[variables('vmInsightsPerfCounters').linuxCpuObject.objectName]",
+ "instanceName": "[[variables('vmInsightsPerfCounters').linuxCpuObject.instanceName]",
+ "intervalSeconds": "[[variables('vmInsightsPerfCounters').linuxCpuObject.intervalSeconds]"
+ }
+ },
+ {
+ "apiVersion": "2015-11-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/dataSources",
+ "name": "[[concat(parameters('workspaceName'), '/', variables('vmInsightsPerfCounters').linuxNetworkObject.armResourceName)]",
+ "kind": "LinuxPerformanceObject",
+ "properties": {
+ "performanceCounters": "[[variables('vmInsightsPerfCounters').linuxNetworkArray]",
+ "objectName": "[[variables('vmInsightsPerfCounters').linuxNetworkObject.objectName]",
+ "instanceName": "[[variables('vmInsightsPerfCounters').linuxNetworkObject.instanceName]",
+ "intervalSeconds": "[[variables('vmInsightsPerfCounters').linuxNetworkObject.intervalSeconds]"
+ }
+ },
+ {
+ "apiVersion": "2015-11-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/dataSources",
+ "name": "[[concat(parameters('workspaceName'), '/', variables('vmInsightsPerfCounters').windowsArray[copyIndex()].armName)]",
+ "kind": "WindowsPerformanceCounter",
+ "copy": {
+ "name": "counterCopy",
+ "count": "[[length(variables('vmInsightsPerfCounters').windowsArray)]"
+ },
+ "properties": {
+ "objectName": "[[variables('vmInsightsPerfCounters').windowsArray[copyIndex()].objectName]",
+ "instanceName": "[[variables('vmInsightsPerfCounters').windowsArray[copyIndex()].instanceName]",
+ "intervalSeconds": "[[variables('vmInsightsPerfCounters').windowsArray[copyIndex()].intervalSeconds]",
+ "counterName": "[[variables('vmInsightsPerfCounters').windowsArray[copyIndex()].counterName]"
+ }
+ },
+ {
+ "apiVersion": "2015-11-01-preview",
+ "type": "Microsoft.OperationsManagement/solutions",
+ "name": 
"[[concat(variables('batch1').solutions[copyIndex()].Name)]",
+ "location": "[[parameters('workspaceRegion')]",
+ "copy": {
+ "name": "solutionCopy",
+ "count": "[[length(variables('batch1').solutions)]"
+ },
+ "properties": {
+ "workspaceResourceId": "[[resourceId('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
+ },
+ "plan": {
+ "name": "[[variables('batch1').solutions[copyIndex()].name]",
+ "product": "[[concat('OMSGallery/', variables('batch1').solutions[copyIndex()].marketplaceName)]",
+ "promotionCode": "",
+ "publisher": "Microsoft"
+ }
+ }
+ ],
+ "outputs": {}
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ {
+ "Name": "Deploy-Log-Analytics",
+ "Properties": {
+ "Description": null,
+ "DisplayName": "Deploy-LogAnalytics",
+ "Mode": "All",
+ "Parameters": {
+ "workspaceName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "workspaceName",
+ "description": "Provide name for log analytics workspace"
+ }
+ },
+ "automationAccountName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "automationAccountName",
+ "description": "Provide name for automation account"
+ }
+ },
+ "workspaceRegion": {
+ "type": "String",
+ "metadata": {
+ "displayName": "workspaceRegion",
+ "description": "Select Azure region for Log Analytics"
+ }
+ },
+ "automationRegion": {
+ "type": "String",
+ "metadata": {
+ "displayName": "automationRegion",
+ "description": "Select Azure region for Automation account"
+ }
+ },
+ "rgName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "rgName",
+ "description": "Provide name for resource group." 
+ }
+ }
+ },
+ "PolicyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Resources/subscriptions"
+ }
+ ]
+ },
+ "then": {
+ "effect": "deployIfNotExists",
+ "details": {
+ "type": "Microsoft.OperationalInsights/workspaces",
+ "deploymentScope": "Subscription",
+ "existenceScope": "Subscription",
+ "roleDefinitionIds": [
+ "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
+ ],
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "name",
+ "like": "[[parameters('workspaceName')]"
+ }
+ ]
+ },
+ "deployment": {
+ "location": "northeurope",
+ "properties": {
+ "mode": "incremental",
+ "parameters": {
+ "rgName": {
+ "value": "[[parameters('rgName')]"
+ },
+ "workspaceName": {
+ "value": "[[parameters('workspaceName')]"
+ },
+ "workspaceRegion": {
+ "value": "[[parameters('workspaceRegion')]"
+ },
+ "automationAccountName": {
+ "value": "[[parameters('automationAccountName')]"
+ },
+ "automationRegion": {
+ "value": "[[parameters('automationRegion')]"
+ }
+ },
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "rgName": {
+ "type": "string"
+ },
+ "workspaceName": {
+ "type": "string"
+ },
+ "workspaceRegion": {
+ "type": "string"
+ },
+ "automationAccountName": {
+ "type": "string"
+ },
+ "automationRegion": {
+ "type": "string"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Resources/resourceGroups",
+ "apiVersion": "2018-05-01",
+ "name": "[[parameters('rgName')]",
+ "location": "[[deployment().location]",
+ "properties": {}
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2018-05-01",
+ "name": "log-analytics",
+ "resourceGroup": "[[parameters('rgName')]",
+ "dependsOn": [
+ "[[resourceId('Microsoft.Resources/resourceGroups/', parameters('rgName'))]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": 
"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
+ "contentVersion": "1.0.0.0",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "apiversion": "2015-10-31",
+ "location": "[[parameters('AutomationRegion')]",
+ "name": "[[parameters('AutomationAccountName')]",
+ "type": "Microsoft.Automation/automationAccounts",
+ "comments": "Automation account for ",
+ "properties": {
+ "sku": {
+ "name": "OMS"
+ }
+ }
+ },
+ {
+ "apiVersion": "2017-03-15-preview",
+ "location": "[[parameters('workspaceRegion')]",
+ "name": "[[parameters('workspaceName')]",
+ "type": "Microsoft.OperationalInsights/workspaces",
+ "properties": {
+ "sku": {
+ "name": "pernode"
+ },
+ "enableLogAccessUsingOnlyResourcePermissions": true
+ },
+ "resources": [
+ {
+ "name": "Automation",
+ "type": "linkedServices",
+ "apiVersion": "2015-11-01-preview",
+ "dependsOn": [
+ "[[resourceId('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]",
+ "[[resourceId('Microsoft.Automation/automationAccounts/', parameters('AutomationAccountName'))]"
+ ],
+ "properties": {
+ "resourceId": "[[concat(subscription().id, '/resourceGroups/', parameters('rgName'), '/providers/Microsoft.Automation/automationAccounts/', parameters('AutomationAccountName'))]"
+ }
+ }
+ ]
+ }
+ ],
+ "outputs": {}
+ }
+ }
+ }
+ ],
+ "outputs": {}
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ {
+ "Name": "Deploy-Nsg-FlowLogs",
+ "Properties": {
+ "Description": null,
+ "DisplayName": "Deploy-Nsg-FlowLogs",
+ "Mode": "All",
+ "Parameters": {
+ "retention": {
+ "type": "Integer",
+ "metadata": {
+ "displayName": "Retention"
+ }
+ },
+ "storageAccountResourceId": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Storage Account Resource Id"
+ }
+ }
+ },
+ "PolicyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.Network/networkSecurityGroups"
+ },
+ "then": {
+ "effect": "deployIfNotExists",
+ "details": {
+ "type": "Microsoft.Network/networkWatchers/flowLogs",
+ 
"roleDefinitionIds": [
+ "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
+ ],
+ "name": "[[concat('NetworkWatcher_', field('location'), '/', 'Microsoft.Network', resourceGroup().name, field('name'))]",
+ "resourceGroupName": "NetworkWatcherRG",
+ "existenceCondition": {
+ "field": "Microsoft.Network/networkWatchers/flowLogs/enabled",
+ "equals": "true"
+ },
+ "deployment": {
+ "properties": {
+ "mode": "incremental",
+ "parameters": {
+ "networkSecurityGroupName": {
+ "value": "[[field('name')]"
+ },
+ "resourceGroupName": {
+ "value": "[[resourceGroup().name]"
+ },
+ "location": {
+ "value": "[[field('location')]"
+ },
+ "storageAccountResourceId": {
+ "value": "[[parameters('storageAccountResourceId')]"
+ },
+ "retention": {
+ "value": "[[parameters('retention')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "networkSecurityGroupName": {
+ "type": "string"
+ },
+ "resourceGroupName": {
+ "type": "string"
+ },
+ "location": {
+ "type": "string"
+ },
+ "storageAccountResourceId": {
+ "type": "string"
+ },
+ "retention": {
+ "type": "int",
+ "defaultValue": 5
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Network/networkWatchers/flowLogs",
+ "apiVersion": "2019-11-01",
+ "name": "[[concat('NetworkWatcher_', toLower(parameters('location')), '/', 'flowLogs')]",
+ "location": "[[parameters('location')]",
+ "properties": {
+ "targetResourceId": "[[resourceId(parameters('resourceGroupName'), 'Microsoft.Network/networkSecurityGroups', parameters('networkSecurityGroupName'))]",
+ "storageId": "[[parameters('storageAccountResourceId')]",
+ "enabled": true,
+ "retentionPolicy": {
+ "enabled": true,
+ "days": "[[parameters('retention')]"
+ },
+ "format": {
+ "type": "JSON",
+ "version": 2
+ }
+ }
+ }
+ ],
+ "outputs": {}
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+ },
+ {
+ "Name": 
"Deploy-Sql-AuditingSettings",
+ "Properties": {
+ "Description": "Configures SQL Server",
+ "DisplayName": "Deploy-Sql-AuditingSettings",
+ "Mode": "All",
+ "Parameters": {},
+ "PolicyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.Sql/servers/databases"
+ },
+ "then": {
+ "effect": "deployIfNotExists",
+ "details": {
+ "type": "Microsoft.Sql/servers/databases/auditingSettings",
+ "name": "default",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Sql/servers/databases/auditingSettings/state",
+ "equals": "enabled"
+ },
+ {
+ "field": "Microsoft.Sql/servers/databases/auditingSettings/isAzureMonitorTargetEnabled",
+ "equals": "true"
+ }
+ ]
+ },
+ "deployment": {
+ "properties": {
+ "mode": "incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string"
+ },
+ "sqlServerName": {
+ "type": "string"
+ },
+ "sqlServerDataBaseName": {
+ "type": "string"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "name": "[[concat( parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/default')]",
+ "type": "Microsoft.Sql/servers/databases/auditingSettings",
+ "apiVersion": "2017-03-01-preview",
+ "properties": {
+ "state": "enabled",
+ "auditActionsAndGroups": [
+ "BATCH_COMPLETED_GROUP",
+ "DATABASE_OBJECT_CHANGE_GROUP",
+ "SCHEMA_OBJECT_CHANGE_GROUP",
+ "BACKUP_RESTORE_GROUP",
+ "APPLICATION_ROLE_CHANGE_PASSWORD_GROUP",
+ "DATABASE_PRINCIPAL_CHANGE_GROUP",
+ "DATABASE_PRINCIPAL_IMPERSONATION_GROUP",
+ "DATABASE_ROLE_MEMBER_CHANGE_GROUP",
+ "USER_CHANGE_PASSWORD_GROUP",
+ "DATABASE_OBJECT_OWNERSHIP_CHANGE_GROUP",
+ "DATABASE_OBJECT_PERMISSION_CHANGE_GROUP",
+ "DATABASE_PERMISSION_CHANGE_GROUP",
+ "SCHEMA_OBJECT_PERMISSION_CHANGE_GROUP",
+ "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP",
+ "FAILED_DATABASE_AUTHENTICATION_GROUP"
+ ],
+ "isAzureMonitorTargetEnabled": true
+ }
+ }
+ ],
+ "outputs": 
{}
+ },
+ "parameters": {
+ "location": {
+ "value": "[[field('location')]"
+ },
+ "sqlServerName": {
+ "value": "[[first(split(field('fullname'),'/'))]"
+ },
+ "sqlServerDataBaseName": {
+ "value": "[[field('name')]"
+ }
+ }
+ }
+ },
+ "roleDefinitionIds": [
+ "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
+ ]
+ }
+ }
+ }
+ }
+ },
+ {
+ "Name": "Deploy-Sql-SecurityAlertPolicies",
+ "Properties": {
+ "Description": "Configures SQL DataBases",
+ "DisplayName": "Deploy-Sql-SecurityAlertPolicies",
+ "Mode": "All",
+ "Parameters": {},
+ "PolicyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.Sql/servers/databases"
+ },
+ "then": {
+ "effect": "deployIfNotExists",
+ "details": {
+ "type": "Microsoft.Sql/servers/databases/securityAlertPolicies",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Sql/servers/databases/securityAlertPolicies/state",
+ "equals": "Enabled"
+ }
+ ]
+ },
+ "deployment": {
+ "properties": {
+ "mode": "incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string"
+ },
+ "sqlServerName": {
+ "type": "string"
+ },
+ "sqlServerDataBaseName": {
+ "type": "string"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "name": "[[concat(parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/default')]",
+ "type": "Microsoft.Sql/servers/databases/securityAlertPolicies",
+ "apiVersion": "2018-06-01-preview",
+ "properties": {
+ "state": "Enabled",
+ "disabledAlerts": [
+ ""
+ ],
+ "emailAddresses": [
+ "admin@contoso.com"
+ ],
+ "emailAccountAdmins": true,
+ "storageEndpoint": null,
+ "storageAccountAccessKey": "",
+ "retentionDays": 0
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "location": {
+ "value": "[[field('location')]"
+ },
+ "sqlServerName": {
+ "value": "[[first(split(field('fullname'),'/'))]"
+ },
+ 
"sqlServerDataBaseName": {
+ "value": "[[field('name')]"
+ }
+ }
+ }
+ },
+ "roleDefinitionIds": [
+ "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
+ ]
+ }
+ }
+ }
+ }
+ },
+ {
+ "Name": "Deploy-Sql-Tde",
+ "Properties": {
+ "Description": "Configures SQL DataBases",
+ "DisplayName": "Deploy-Sql-Tde",
+ "Mode": "All",
+ "Parameters": {},
+ "PolicyRule": {
+ "if": {
+ "field": "type",
+ "equals": "Microsoft.Sql/servers/databases"
+ },
+ "then": {
+ "effect": "deployIfNotExists",
+ "details": {
+ "type": "Microsoft.Sql/servers/databases/transparentDataEncryption",
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Sql/transparentDataEncryption.status",
+ "equals": "Enabled"
+ }
+ ]
+ },
+ "deployment": {
+ "properties": {
+ "mode": "incremental",
+ "template": {
+ "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "location": {
+ "type": "string"
+ },
+ "sqlServerName": {
+ "type": "string"
+ },
+ "sqlServerDataBaseName": {
+ "type": "string"
+ }
+ },
+ "variables": {},
+ "resources": [
+ {
+ "name": "[[concat( parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/current')]",
+ "type": "Microsoft.Sql/servers/databases/transparentDataEncryption",
+ "apiVersion": "2014-04-01",
+ "properties": {
+ "status": "Enabled"
+ }
+ }
+ ],
+ "outputs": {}
+ },
+ "parameters": {
+ "location": {
+ "value": "[[field('location')]"
+ },
+ "sqlServerName": {
+ "value": "[[first(split(field('fullname'),'/'))]"
+ },
+ "sqlServerDataBaseName": {
+ "value": "[[field('name')]"
+ }
+ }
+ }
+ },
+ "roleDefinitionIds": [
+ "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
+ ]
+ }
+ }
+ }
+ }
+ },
+ {
+ "Name": "Deploy-Sql-vulnerabilityAssessments",
+ "Properties": {
+ "Description": "Configures SQL DataBases",
+ "DisplayName": "Deploy-Sql-vulnerabilityAssessments",
+ "Mode": "All",
+ 
"Parameters": { + "vulnerabilityAssessmentsEmail": { + "type": "String", + "metadata": { + "description": "The email address to send alerts", + "displayName": "The email address to send alerts" + } + }, + "vulnerabilityAssessmentsStorageID": { + "type": "String", + "metadata": { + "description": "The storage account to store assessments", + "displayName": "The storage account to store assessments" + } + } + }, + "PolicyRule": { + "if": { + "field": "type", + "equals": "Microsoft.Sql/servers/databases" + }, + "then": { + "effect": "deployIfNotExists", + "details": { + "type": "Microsoft.Sql/servers/databases/vulnerabilityAssessments", + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Sql/servers/databases/vulnerabilityAssessments/recurringScans.emails", + "equals": "[[parameters('vulnerabilityAssessmentsEmail')]" + }, + { + "field": "Microsoft.Sql/servers/databases/vulnerabilityAssessments/recurringScans.isEnabled", + "equals": true + } + ] + }, + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "location": { + "type": "string" + }, + "sqlServerName": { + "type": "string" + }, + "sqlServerDataBaseName": { + "type": "string" + }, + "vulnerabilityAssessmentsEmail": { + "type": "string" + }, + "vulnerabilityAssessmentsStorageID": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "name": "[[concat(parameters('sqlServerName'),'/',parameters('sqlServerDataBaseName'),'/default')]", + "type": "Microsoft.Sql/servers/databases/vulnerabilityAssessments", + "apiVersion": "2017-03-01-preview", + "properties": { + "storageContainerPath": "[[concat('https://', last( split(parameters('vulnerabilityAssessmentsStorageID') , '/') ) , '.blob.core.windows.net/vulneraabilitylogs')]", + "storageAccountAccessKey": "[[listkeys(parameters('vulnerabilityAssessmentsStorageID'), 
providers('Microsoft.Storage', 'storageAccounts').apiVersions[0]).keys[0].value]", + "recurringScans": { + "isEnabled": true, + "emailSubscriptionAdmins": false, + "emails": [ + "[[parameters('vulnerabilityAssessmentsEmail')]" + ] + } + } + } + ], + "outputs": {} + }, + "parameters": { + "location": { + "value": "[[field('location')]" + }, + "sqlServerName": { + "value": "[[first(split(field('fullname'),'/'))]" + }, + "sqlServerDataBaseName": { + "value": "[[field('name')]" + }, + "vulnerabilityAssessmentsEmail": { + "value": "[[parameters('vulnerabilityAssessmentsEmail')]" + }, + "vulnerabilityAssessmentsStorageID": { + "value": "[[parameters('vulnerabilityAssessmentsStorageID')]" + } + } + } + }, + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ] + } + } + } + } + }, + { + "Name": "Deploy-vHUB", + "Properties": { + "Description": "Deploys Azure Virtual WAN vHUB in desired regions", + "DisplayName": "Deploy-vHUB", + "Mode": "All", + "Parameters": { + "vwanname": { + "type": "String", + "metadata": { + "displayName": "vwanname", + "description": "Name of the Virtual WAN" + } + }, + "vHubName": { + "type": "String", + "metadata": { + "displayName": "vHubName", + "description": "Name of the vHUB" + }, + "defaultValue": "" + }, + "vHUB": { + "type": "Object", + "metadata": { + "displayName": "vHUB", + "description": "Object describing Virtual WAN vHUB" + } + }, + "vpngw": { + "type": "Object", + "metadata": { + "displayName": "vpngw", + "description": "Object describing VPN gateway" + }, + "defaultValue": {} + }, + "ergw": { + "type": "Object", + "metadata": { + "displayName": "ergw", + "description": "Object describing ExpressRoute gateway" + }, + "defaultValue": {} + }, + "azfw": { + "type": "Object", + "metadata": { + "displayName": "azfw", + "description": "Object describing the Azure Firewall in vHUB" + }, + "defaultValue": {} + }, + "rgName": { + "type": "String", + "metadata": { + 
"displayName": "rgName", + "description": "Provide name for resource group." + } + } + }, + "PolicyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Resources/subscriptions" + } + ] + }, + "then": { + "effect": "deployIfNotExists", + "details": { + "type": "Microsoft.Network/virtualHubs", + "name": "[[parameters('vHubName')]", + "deploymentScope": "Subscription", + "existenceScope": "ResourceGroup", + "ResourceGroupName": "[[parameters('rgName')]", + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ], + "deployment": { + "location": "northeurope", + "properties": { + "mode": "incremental", + "parameters": { + "rgName": { + "value": "[[parameters('rgName')]" + }, + "vwanname": { + "value": "[[parameters('vwanname')]" + }, + "vHUB": { + "value": "[[parameters('vHUB')]" + }, + "vpngw": { + "value": "[[parameters('vpngw')]" + }, + "ergw": { + "value": "[[parameters('ergw')]" + }, + "azfw": { + "value": "[[parameters('azfw')]" + }, + "vHUBName": { + "value": "[[parameters('vHUBName')]" + } + }, + "template": { + "$schema": "http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": { + "vwanname": { + "type": "string", + "metadata": { + "description": "Name of the Virtual WAN" + } + }, + "vHUB": { + "type": "object", + "metadata": { + "description": "Object describing Virtual WAN vHUB" + } + }, + "vpngw": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Object describing VPN gateway" + } + }, + "ergw": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Object describing ExpressRoute gateway" + } + }, + "azfw": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Object describing the Azure Firewall in vHUB" + } + }, + "rgName": { + "type": "String", + "metadata": { + "displayName": "rgName", + "description": "Provide 
name for resource group." + } + }, + "vHUBName": { + "type": "String", + "metadata": { + "displayName": "vHUBName", + "description": "Name of the vHUB" + } + } + }, + "variables": { + "vwanresourceid": "[[concat(subscription().id,'/resourceGroups/',parameters('rgName'),'/providers/Microsoft.Network/virtualWans/',parameters('vwanname'))]", + "vwanhub": "[[concat(subscription().id,'/resourceGroups/',parameters('rgName'),'/providers/Microsoft.Network/virtualHubs/',parameters('vHUBName'))]" + }, + "resources": [ + { + "type": "Microsoft.Resources/resourceGroups", + "apiVersion": "2018-05-01", + "name": "[[parameters('rgName')]", + "location": "[[deployment().location]", + "properties": {} + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2018-05-01", + "name": "[[concat('vHUBdeploy-',parameters('vHUB').location)]", + "resourceGroup": "[[parameters('rgName')]", + "dependsOn": [ + "[[resourceId('Microsoft.Resources/resourceGroups/', parameters('rgName'))]" + ], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/virtualHubs", + "apiVersion": "2020-05-01", + "location": "[[parameters('vHUB').location]", + "name": "[[parameters('vHUBname')]", + "properties": { + "virtualWan": { + "id": "[[variables('vwanresourceid')]" + }, + "addressPrefix": "[[parameters('vHUB').addressPrefix]", + "vpnGateway": "[[if(not(empty(parameters('vHUB').vpnGateway)),parameters('vHUB').vpnGateway, json('null'))]" + } + } + ] + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2018-05-01", + "condition": "[[greater(length(parameters('vpngw')),0)]", + "resourceGroup": "[[parameters('rgName')]", + "dependsOn": [ + "[[concat('vHUBdeploy-',parameters('vHUB').location)]" + ], + "name": "[[concat(parameters('vHUBName'),'-vpngw')]", + 
"properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/vpnGateways", + "apiVersion": "2019-09-01", + "location": "[[parameters('vHUB').location]", + "name": "[[parameters('vpngw').name]", + "properties": { + "virtualHub": { + "id": "[[variables('vwanhub')]" + }, + "bgpSettings": "[[parameters('vpngw').bgpSettings]", + "vpnGatewayScaleUnit": "[[parameters('vpngw').vpnGatewayScaleUnit]" + } + } + ] + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2018-05-01", + "condition": "[[greater(length(parameters('ergw')),0)]", + "resourceGroup": "[[parameters('rgName')]", + "dependsOn": [ + "[[concat('vHUBdeploy-',parameters('vHUB').location)]" + ], + "name": "[[concat(parameters('vHUBName'),'-ergw')]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/expressRouteGateways", + "apiVersion": "2019-09-01", + "location": "[[parameters('vHUB').location]", + "name": "[[parameters('ergw').name]", + "properties": { + "virtualHub": { + "id": "[[variables('vwanhub')]" + }, + "autoScaleConfiguration": "[[parameters('ergw').autoScaleConfiguration]", + "expressRouteConnections": "[[parameters('ergw').expressRouteConnections]" + } + } + ] + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2018-05-01", + "condition": "[[greater(length(parameters('azfw')),0)]", + "resourceGroup": "[[parameters('rgName')]", + "dependsOn": [ + "[[concat('vHUBdeploy-',parameters('vHUB').location)]" + ], + "name": "[[concat(parameters('vHUBName'),'-azfw')]", + "properties": { + "mode": "Incremental", + "template": { + 
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "resources": [ + { + "apiVersion": "2019-09-01", + "type": "Microsoft.Network/azureFirewalls", + "name": "[[parameters('azfw').name]", + "location": "[[parameters('vHUB').location]", + "properties": { + "virtualHub": { + "id": "[[variables('vwanhub')]" + }, + "sku": { + "Name": "AZFW_Hub", + "Tier": "Standard" + }, + "firewallPolicy": { + "id": "[[if(not(empty(parameters('azfw').firewallPolicy.id)),parameters('azfw').firewallPolicy.id, json('null'))]" + } + } + } + ] + } + } + } + ] + } + } + } + } + } + } + } + }, + { + "Name": "Deploy-vNet", + "Properties": { + "Description": "Deploy-vNet", + "DisplayName": "Deploy-vNet", + "Mode": "All", + "Parameters": { + "ipam": { + "type": "Array", + "metadata": { + "displayName": "ipam", + "description": null + }, + "defaultValue": [] + } + }, + "PolicyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Resources/subscriptions" + } + ] + }, + "then": { + "effect": "deployIfNotExists", + "details": { + "type": "Microsoft.Resources/resourceGroups", + "deploymentScope": "Subscription", + "existenceScope": "Subscription", + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635" + ], + "existenceCondition": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Resources/subscriptions/resourceGroups" + }, + { + "field": "name", + "like": "[[concat(subscription().displayName, '-network')]" + } + ] + }, + "deployment": { + "location": "northeurope", + "properties": { + "mode": "incremental", + "parameters": { + "ipam": { + "value": "[[parameters('ipam')]", + "defaultValue": [] + } + }, + "template": { + "$schema": "http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": { + "ipam": { + "defaultValue": [ + { + 
"name": "bu1-weu-msx3-vNet1", + "location": "westeurope", + "virtualNetworks": { + "properties": { + "addressSpace": { + "addressPrefixes": [ + "10.51.217.0/24" + ] + } + } + }, + "networkSecurityGroups": { + "properties": { + "securityRules": [] + } + }, + "routeTables": { + "properties": { + "routes": [] + } + }, + "hubVirtualNetworkConnection": { + "vWanVhubResourceId": "/subscriptions/99c2838f-a548-4884-a6e2-38c1f8fb4c0b/resourceGroups/contoso-global-vwan/providers/Microsoft.Network/virtualHubs/contoso-vhub-weu", + "properties": { + "allowHubToRemoteVnetTransit": true, + "allowRemoteVnetToUseHubVnetGateways": false, + "enableInternetSecurity": true + } + } + } + ], + "type": "Array" + } + }, + "variables": { + "vNetRgName": "[[concat(subscription().displayName, '-network')]", + "vNetName": "[[concat(subscription().displayName, '-vNet')]", + "vNetSubId": "[[subscription().subscriptionId]" + }, + "resources": [ + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[[concat('es-ipam-',subscription().displayName,'-RG-',copyIndex())]", + "location": "[[parameters('ipam')[copyIndex()].location]", + "dependsOn": [], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Resources/resourceGroups", + "apiVersion": "2020-06-01", + "name": "[[variables('vNetRgName')]", + "location": "[[parameters('ipam')[copyIndex()].location]", + "properties": {} + }, + { + "type": "Microsoft.Resources/resourceGroups", + "apiVersion": "2020-06-01", + "name": "NetworkWatcherRG", + "location": "[[parameters('ipam')[copyIndex()].location]", + "properties": {} + } + ], + "outputs": {} + } + }, + "copy": { + "name": "ipam-rg-loop", + "count": "[[length(parameters('ipam'))]" + }, + "condition": "[[if(and(not(empty(parameters('ipam'))), 
equals(toLower(parameters('ipam')[copyIndex()].name),toLower(variables('vNetName')))),bool('true'),bool('false'))]" + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[[concat('es-ipam-',subscription().displayName,'-nsg-udr-vnet-hub-vwan-peering-',copyIndex())]", + "dependsOn": [ + "[[concat('es-ipam-',subscription().displayName,'-RG-',copyIndex())]" + ], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": {}, + "variables": {}, + "resources": [ + { + "condition": "[[contains(parameters('ipam')[copyIndex()],'networkSecurityGroups')]", + "apiVersion": "2020-05-01", + "type": "Microsoft.Network/networkSecurityGroups", + "name": "[[concat(subscription().displayName, '-nsg')]", + "location": "[[parameters('ipam')[copyIndex()].location]", + "properties": "[[if(contains(parameters('ipam')[copyIndex()],'networkSecurityGroups'),parameters('ipam')[copyIndex()].networkSecurityGroups.properties,json('null'))]" + }, + { + "condition": "[[contains(parameters('ipam')[copyIndex()],'routeTables')]", + "apiVersion": "2020-05-01", + "type": "Microsoft.Network/routeTables", + "name": "[[concat(subscription().displayName, '-udr')]", + "location": "[[parameters('ipam')[copyIndex()].location]", + "properties": "[[if(contains(parameters('ipam')[copyIndex()],'routeTables'),parameters('ipam')[copyIndex()].routeTables.properties,json('null'))]" + }, + { + "condition": "[[contains(parameters('ipam')[copyIndex()],'virtualNetworks')]", + "type": "Microsoft.Network/virtualNetworks", + "apiVersion": "2020-05-01", + "name": "[[concat(subscription().displayName, '-vnet')]", + "location": "[[parameters('ipam')[copyIndex()].location]", + "dependsOn": [ + "[[concat(subscription().displayName, '-nsg')]", + "[[concat(subscription().displayName, '-udr')]" + ], + "properties": 
"[[if(contains(parameters('ipam')[copyIndex()],'virtualNetworks'),parameters('ipam')[copyIndex()].virtualNetworks.properties,json('null'))]" + }, + { + "condition": "[[contains(parameters('ipam')[copyIndex()],'virtualNetworkPeerings')]", + "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings", + "apiVersion": "2020-05-01", + "name": "[[concat(variables('vNetName'), '/peerToHub')]", + "dependsOn": [ + "[[concat(subscription().displayName, '-vnet')]" + ], + "properties": "[[if(contains(parameters('ipam')[copyIndex()],'virtualNetworkPeerings'),parameters('ipam')[copyIndex()].virtualNetworkPeerings.properties,json('null'))]" + }, + { + "condition": "[[and(contains(parameters('ipam')[copyIndex()],'virtualNetworks'),contains(parameters('ipam')[copyIndex()],'hubVirtualNetworkConnection'),contains(parameters('ipam')[copyIndex()].hubVirtualNetworkConnection,'vWanVhubResourceId'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[[concat('es-ipam-vWan-',subscription().displayName,'-peering-',copyIndex())]", + "subscriptionId": "[[if(and(contains(parameters('ipam')[copyIndex()],'hubVirtualNetworkConnection'),contains(parameters('ipam')[copyIndex()].hubVirtualNetworkConnection,'vWanVhubResourceId')),split(parameters('ipam')[copyIndex()].hubVirtualNetworkConnection.vWanVhubResourceId,'/')[2],json('null'))]", + "resourceGroup": "[[if(and(contains(parameters('ipam')[copyIndex()],'hubVirtualNetworkConnection'),contains(parameters('ipam')[copyIndex()].hubVirtualNetworkConnection,'vWanVhubResourceId')),split(parameters('ipam')[copyIndex()].hubVirtualNetworkConnection.vWanVhubResourceId,'/')[4],json('null'))]", + "dependsOn": [ + "[[concat(subscription().displayName, '-vnet')]" + ], + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + 
"parameters": { + "remoteVirtualNetwork": { + "type": "string" + }, + "vWanVhubName": { + "Type": "string", + "defaultValue": "" + }, + "allowHubToRemoteVnetTransit": { + "Type": "bool", + "defaultValue": true + }, + "allowRemoteVnetToUseHubVnetGateways": { + "Type": "bool", + "defaultValue": false + }, + "enableInternetSecurity": { + "Type": "bool", + "defaultValue": true + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/virtualHubs/hubVirtualNetworkConnections", + "apiVersion": "2020-05-01", + "name": "[[concat(parameters('vWanVhubName'),'/',last(split(parameters('remoteVirtualNetwork'),'/')))]", + "properties": { + "remoteVirtualNetwork": { + "id": "[[parameters('remoteVirtualNetwork')]" + }, + "allowHubToRemoteVnetTransit": "[[parameters('allowHubToRemoteVnetTransit')]", + "allowRemoteVnetToUseHubVnetGateways": "[[parameters('allowRemoteVnetToUseHubVnetGateways')]", + "enableInternetSecurity": "[[parameters('enableInternetSecurity')]" + } + } + ], + "outputs": {} + }, + "parameters": { + "remoteVirtualNetwork": { + "value": "[[concat(subscription().id,'/resourceGroups/',variables('vNetRgName'), '/providers/','Microsoft.Network/virtualNetworks/', concat(subscription().displayName, '-vnet'))]" + }, + "vWanVhubName": { + "value": "[[if(and(contains(parameters('ipam')[copyIndex()],'hubVirtualNetworkConnection'),contains(parameters('ipam')[copyIndex()].hubVirtualNetworkConnection,'vWanVhubResourceId')),split(parameters('ipam')[copyIndex()].hubVirtualNetworkConnection.vWanVhubResourceId,'/')[8],json('null'))]" + }, + "allowHubToRemoteVnetTransit": { + "value": "[[if(and(contains(parameters('ipam')[copyIndex()],'hubVirtualNetworkConnection'),contains(parameters('ipam')[copyIndex()].hubVirtualNetworkConnection,'vWanVhubResourceId')),parameters('ipam')[copyIndex()].hubVirtualNetworkConnection.properties.allowHubToRemoteVnetTransit,json('null'))]" + }, + "allowRemoteVnetToUseHubVnetGateways": { + "value": 
"[[if(and(contains(parameters('ipam')[copyIndex()],'hubVirtualNetworkConnection'),contains(parameters('ipam')[copyIndex()].hubVirtualNetworkConnection,'vWanVhubResourceId')),parameters('ipam')[copyIndex()].hubVirtualNetworkConnection.properties.allowRemoteVnetToUseHubVnetGateways,json('null'))]" + }, + "enableInternetSecurity": { + "value": "[[if(and(contains(parameters('ipam')[copyIndex()],'hubVirtualNetworkConnection'),contains(parameters('ipam')[copyIndex()].hubVirtualNetworkConnection,'vWanVhubResourceId')),parameters('ipam')[copyIndex()].hubVirtualNetworkConnection.properties.enableInternetSecurity,json('null'))]" + } + } + } + }, + { + "condition": "[[and(contains(parameters('ipam')[copyIndex()],'virtualNetworks'),contains(parameters('ipam')[copyIndex()],'virtualNetworkPeerings'),contains(parameters('ipam')[copyIndex()].virtualNetworkPeerings.properties.remoteVirtualNetwork,'id'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[[concat('es-ipam-hub-',subscription().displayName,'-peering-',copyIndex())]", + "subscriptionId": "[[if(and(contains(parameters('ipam')[copyIndex()],'virtualNetworkPeerings'),contains(parameters('ipam')[copyIndex()].virtualNetworkPeerings.properties.remoteVirtualNetwork,'id')),split(parameters('ipam')[copyIndex()].virtualNetworkPeerings.properties.remoteVirtualNetwork.id,'/')[2],json('null'))]", + "resourceGroup": "[[if(and(contains(parameters('ipam')[copyIndex()],'virtualNetworkPeerings'),contains(parameters('ipam')[copyIndex()].virtualNetworkPeerings.properties.remoteVirtualNetwork,'id')),split(parameters('ipam')[copyIndex()].virtualNetworkPeerings.properties.remoteVirtualNetwork.id,'/')[4],json('null'))]", + "dependsOn": [ + "[[concat(subscription().displayName, '-vnet')]" + ], + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + 
"contentVersion": "1.0.0.0", + "parameters": { + "remoteVirtualNetwork": { + "Type": "string", + "defaultValue": false + }, + "hubName": { + "Type": "string", + "defaultValue": false + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings", + "name": "[[concat(parameters('hubName'),'/',last(split(parameters('remoteVirtualNetwork'),'/')))]", + "apiVersion": "2020-05-01", + "properties": { + "allowVirtualNetworkAccess": true, + "allowForwardedTraffic": true, + "allowGatewayTransit": true, + "useRemoteGateways": false, + "remoteVirtualNetwork": { + "id": "[[parameters('remoteVirtualNetwork')]" + } + } + } + ], + "outputs": {} + }, + "parameters": { + "remoteVirtualNetwork": { + "value": "[[concat(subscription().id,'/resourceGroups/',variables('vNetRgName'), '/providers/','Microsoft.Network/virtualNetworks/', concat(subscription().displayName, '-vnet'))]" + }, + "hubName": { + "value": "[[if(and(contains(parameters('ipam')[copyIndex()],'virtualNetworkPeerings'),contains(parameters('ipam')[copyIndex()].virtualNetworkPeerings.properties.remoteVirtualNetwork,'id')),split(parameters('ipam')[copyIndex()].virtualNetworkPeerings.properties.remoteVirtualNetwork.id,'/')[8],json('null'))]" + } + } + } + } + ], + "outputs": {} + } + }, + "resourceGroup": "[[variables('vNetRgName')]", + "copy": { + "name": "ipam-loop", + "count": "[[length(parameters('ipam'))]" + }, + "condition": "[[if(and(not(empty(parameters('ipam'))), equals(toLower(parameters('ipam')[copyIndex()].name),toLower(variables('vNetName')))),bool('true'),bool('false'))]" + } + ], + "outputs": { + "ipam": { + "condition": "[[bool('true')]", + "type": "Int", + "value": "[[length(parameters('ipam'))]" + } + } + } + } + } + } + } + } + } + }, + { + "Name": "Deploy-vWAN", + "Properties": { + "Description": null, + "DisplayName": "Deploy-vWAN", + "Mode": "All", + "Parameters": { + "vwanname": { + "type": "String", + "metadata": { + "displayName": "vwanname", + 
"description": "Name of the Virtual WAN" + } + }, + "vwanRegion": { + "type": "String", + "metadata": { + "displayName": "vwanRegion", + "description": "Select Azure region for Virtual WAN", + "strongType": "location" + } + }, + "rgName": { + "type": "String", + "metadata": { + "displayName": "rgName", + "description": "Provide name for resource group." + } + } + }, + "PolicyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Resources/subscriptions" + } + ] + }, + "then": { + "effect": "deployIfNotExists", + "details": { + "type": "Microsoft.Network/virtualWans", + "deploymentScope": "Subscription", + "existenceScope": "ResourceGroup", + "name": "[[parameters('vwanname')]", + "resourceGroupName": "[[parameters('rgName')]", + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ], + "deployment": { + "location": "northeurope", + "properties": { + "mode": "incremental", + "parameters": { + "rgName": { + "value": "[[parameters('rgName')]" + }, + "vwanname": { + "value": "[[parameters('vwanname')]" + }, + "vwanRegion": { + "value": "[[parameters('vwanRegion')]" + } + }, + "template": { + "$schema": "http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": { + "rgName": { + "type": "string" + }, + "vwanname": { + "type": "string" + }, + "vwanRegion": { + "type": "string" + } + }, + "variables": { + "vwansku": "Standard" + }, + "resources": [ + { + "type": "Microsoft.Resources/resourceGroups", + "apiVersion": "2018-05-01", + "name": "[[parameters('rgName')]", + "location": "[deployment().location]", + "properties": {} + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2018-05-01", + "name": "vwan", + "resourceGroup": "[[parameters('rgName')]", + "dependsOn": [ + "[[resourceId('Microsoft.Resources/resourceGroups/', parameters('rgName'))]" + ], + "properties": { + "mode": 
"Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json", + "contentVersion": "1.0.0.0", + "parameters": {}, + "resources": [ + { + "type": "Microsoft.Network/virtualWans", + "apiVersion": "2020-05-01", + "location": "[[parameters('vwanRegion')]", + "name": "[[parameters('vwanname')]", + "properties": { + "virtualHubs": [], + "vpnSites": [], + "type": "[[variables('vwansku')]" + } + } + ], + "outputs": {} + } + } + } + ], + "outputs": {} + } + } + } + } + } + } + } + }, + { + "Name": "Deploy-Windows-DomainJoin", + "Properties": { + "Description": null, + "DisplayName": "Deploy-Windows-DomainJoin", + "Mode": "All", + "Parameters": { + "domainUsername": { + "type": "String", + "metadata": { + "displayName": "domainUsername", + "description": null + } + }, + "domainPassword": { + "type": "String", + "metadata": { + "displayName": "domainPassword", + "description": null + } + }, + "domainFQDN": { + "type": "String", + "metadata": { + "displayName": "domainFQDN", + "description": null + } + }, + "domainOUPath": { + "type": "String", + "metadata": { + "displayName": "domainOUPath", + "description": null + } + }, + "keyVaultResourceId": { + "type": "String", + "metadata": { + "displayName": "keyVaultResourceId", + "description": null + } + } + }, + "PolicyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Compute/virtualMachines" + }, + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftWindowsServer" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "WindowsServer" + }, + { + "field": "Microsoft.Compute/imageSKU", + "in": [ + "2008-R2-SP1", + "2008-R2-SP1-smalldisk", + "2008-R2-SP1-zhcn", + "2012-Datacenter", + "2012-datacenter-gensecond", + "2012-Datacenter-smalldisk", + "2012-datacenter-smalldisk-g2", + "2012-Datacenter-zhcn", + "2012-datacenter-zhcn-g2", + "2012-R2-Datacenter", + "2012-r2-datacenter-gensecond", + 
"2012-R2-Datacenter-smalldisk", + "2012-r2-datacenter-smalldisk-g2", + "2012-R2-Datacenter-zhcn", + "2012-r2-datacenter-zhcn-g2", + "2016-Datacenter", + "2016-datacenter-gensecond", + "2016-datacenter-gs", + "2016-Datacenter-Server-Core", + "2016-datacenter-server-core-g2", + "2016-Datacenter-Server-Core-smalldisk", + "2016-datacenter-server-core-smalldisk-g2", + "2016-Datacenter-smalldisk", + "2016-datacenter-smalldisk-g2", + "2016-Datacenter-with-Containers", + "2016-datacenter-with-containers-g2", + "2016-Datacenter-with-RDSH", + "2016-Datacenter-zhcn", + "2016-datacenter-zhcn-g2", + "2019-Datacenter", + "2019-Datacenter-Core", + "2019-datacenter-core-g2", + "2019-Datacenter-Core-smalldisk", + "2019-datacenter-core-smalldisk-g2", + "2019-Datacenter-Core-with-Containers", + "2019-datacenter-core-with-containers-g2", + "2019-Datacenter-Core-with-Containers-smalldisk", + "2019-datacenter-core-with-containers-smalldisk-g2", + "2019-datacenter-gensecond", + "2019-datacenter-gs", + "2019-Datacenter-smalldisk", + "2019-datacenter-smalldisk-g2", + "2019-Datacenter-with-Containers", + "2019-datacenter-with-containers-g2", + "2019-Datacenter-with-Containers-smalldisk", + "2019-datacenter-with-containers-smalldisk-g2", + "2019-Datacenter-zhcn", + "2019-datacenter-zhcn-g2", + "Datacenter-Core-1803-with-Containers-smalldisk", + "datacenter-core-1803-with-containers-smalldisk-g2", + "Datacenter-Core-1809-with-Containers-smalldisk", + "datacenter-core-1809-with-containers-smalldisk-g2", + "Datacenter-Core-1903-with-Containers-smalldisk", + "datacenter-core-1903-with-containers-smalldisk-g2", + "datacenter-core-1909-with-containers-smalldisk", + "datacenter-core-1909-with-containers-smalldisk-g1", + "datacenter-core-1909-with-containers-smalldisk-g2" + ] + } + ] + }, + "then": { + "effect": "deployIfNotExists", + "details": { + "type": "Microsoft.Compute/virtualMachines/extensions", + "roleDefinitionIds": [ + 
"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ], + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Compute/virtualMachines/extensions/type", + "equals": "JsonADDomainExtension" + }, + { + "field": "Microsoft.Compute/virtualMachines/extensions/publisher", + "equals": "Microsoft.Compute" + } + ] + }, + "deployment": { + "properties": { + "mode": "incremental", + "parameters": { + "vmName": { + "value": "[[field('name')]" + }, + "location": { + "value": "[[field('location')]" + }, + "domainUsername": { + "reference": { + "keyVault": { + "id": "[[parameters('keyVaultResourceId')]" + }, + "secretName": "[[parameters('domainUsername')]" + } + }, + "domainPassword": { + "reference": { + "keyVault": { + "id": "[[parameters('keyVaultResourceId')]" + }, + "secretName": "[[parameters('domainPassword')]" + } + }, + "domainOUPath": { + "value": "[[parameters('domainOUPath')]" + }, + "domainFQDN": { + "value": "[[parameters('domainFQDN')]" + }, + "keyVaultResourceId": { + "value": "[[parameters('keyVaultResourceId')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "vmName": { + "type": "string" + }, + "location": { + "type": "string" + }, + "domainUsername": { + "type": "string" + }, + "domainPassword": { + "type": "securestring" + }, + "domainFQDN": { + "type": "string" + }, + "domainOUPath": { + "type": "string" + }, + "keyVaultResourceId": { + "type": "string" + } + }, + "variables": { + "domainJoinOptions": 3, + "vmName": "[[parameters('vmName')]" + }, + "resources": [ + { + "apiVersion": "2015-06-15", + "type": "Microsoft.Compute/virtualMachines/extensions", + "name": "[[concat(variables('vmName'),'/joindomain')]", + "location": "[[resourceGroup().location]", + "properties": { + "publisher": "Microsoft.Compute", + "type": "JsonADDomainExtension", + "typeHandlerVersion": "1.3", + 
"autoUpgradeMinorVersion": true, + "settings": { + "Name": "[[parameters('domainFQDN')]", + "User": "[[parameters('domainUserName')]", + "Restart": "true", + "Options": "[[variables('domainJoinOptions')]", + "OUPath": "[[parameters('domainOUPath')]" + }, + "protectedSettings": { + "Password": "[[parameters('domainPassword')]" + } + } + } + ], + "outputs": {} + } + } + } + } + } + } + } + } + ] + }, + "initiatives": { + "policySetDefinitions": [ + { + "Name": "Deny-PublicEndpoints", + "Properties": { + "Description": null, + "DisplayName": "Deny-Public-Endpoints-for-PaaS-Services", + "Parameters": {}, + "PolicyDefinitionGroups": null, + "PolicyDefinitions": [ + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-CosmosDB')]", + "parameters": {} + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-MariaDB')]", + "parameters": {} + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-MySQL')]", + "parameters": {} + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-PostgreSql')]", + "parameters": {} + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-KeyVault')]", + "parameters": {} + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-Sql')]", + "parameters": {} + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-Storage')]", + "parameters": {} + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-Aks')]", + "parameters": 
{} + } + ] + } + }, + { + "Name": "Deploy-Diag-LogAnalytics", + "Properties": { + "Description": "This initiative configures application Azure resources to forward diagnostic logs and metrics to an Azure Log Analytics workspace.", + "DisplayName": "Deploy-Diag-LogAnalytics", + "Parameters": { + "logAnalytics": { + "type": "String", + "metadata": { + "displayName": "Log Analytics workspace", + "description": "Select the Log Analytics workspace from dropdown list", + "strongType": "omsWorkspace" + } + } + }, + "PolicyDefinitions": [ + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC')]", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA')]", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PublicIP')]", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer')]", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups')]", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-KeyVault')]", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + } + } + }, + { + "policyDefinitionId": 
"[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices')]", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics')]", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataLakeStore')]", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventHub')]", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub')]", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsWF')]", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE')]", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RecoveryVault')]", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), 
'/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SearchServices')]", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ServiceBus')]", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLDBs')]", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools')]", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt')]", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway')]", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Batch')]", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL')]", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), 
'/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL')]", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints')]", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB')]", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory')]", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall')]", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded')]", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-StreamAnalytics')]", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute')]", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), 
'/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI')]", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR')]", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork')]", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM')]", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS')]", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW')]", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AKS')]", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website')]", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService')]", + "parameters": { + 
"logAnalytics": { + "value": "[[parameters('logAnalytics')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic')]", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub')]", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight')]", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache')]", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay')]", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR')]", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager')]", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm')]", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + } + } + }, + 
{ + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI')]", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights')]", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + } + } + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace')]", + "parameters": { + "logAnalytics": { + "value": "[[parameters('logAnalytics')]" + } + } + } + ] + } + }, + { + "Name": "Deploy-Sql-Security", + "Properties": { + "Description": "Recommended built-in security policies for the North Star architecture", + "DisplayName": "Deploy-Sql-Security", + "Parameters": { + "vulnerabilityAssessmentsEmail": { + "type": "String", + "metadata": { + "description": "The email address to send alerts", + "displayName": "The email address to send alerts" + } + }, + "vulnerabilityAssessmentsStorageID": { + "type": "String", + "metadata": { + "description": "The storage account to store assessments", + "displayName": "The storage account to store assessments" + } + } + }, + "PolicyDefinitionGroups": null, + "PolicyDefinitions": [ + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-Tde')]", + "parameters": {} + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-SecurityAlertPolicies')]", + "parameters": {} + }, + { + "policyDefinitionId": "[concat(variables('scope'), '/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-AuditingSettings')]", + "parameters": {} + }, + { + "policyDefinitionId": "[concat(variables('scope'), 
'/providers/Microsoft.Authorization/policyDefinitions/Deploy-Sql-vulnerabilityAssessments')]", + "parameters": { + "vulnerabilityAssessmentsEmail": { + "value": "[[parameters('vulnerabilityAssessmentsEmail')]" + }, + "vulnerabilityAssessmentsStorageID": { + "value": "[[parameters('vulnerabilityAssessmentsStorageID')]" + } + } + } + ] + } + } + ] + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/policyDefinitions", + "name": "[variables('policies').policyDefinitions[copyIndex()].name]", + "apiVersion": "2019-09-01", + "copy": { + "name": "policyDefinitionCopy", + "count": "[length(variables('policies').policyDefinitions)]" + }, + "properties": { + "displayName": "[variables('policies').policyDefinitions[copyIndex()].properties.displayName]", + "description": "[variables('policies').policyDefinitions[copyIndex()].properties.description]", + "mode": "All", + "policyType": "Custom", + "parameters": "[variables('policies').policyDefinitions[copyIndex()].properties.parameters]", + "policyRule": "[variables('policies').policyDefinitions[copyIndex()].properties.policyRule]" + } + }, + { + "type": "Microsoft.Authorization/policySetDefinitions", + "name": "[variables('initiatives').policySetDefinitions[copyIndex()].name]", + "apiVersion": "2019-09-01", + "dependsOn": [ + "policyDefinitionCopy" + ], + "copy": { + "name": "policySetDefinitionCopy", + "count": "[length(variables('initiatives').policySetDefinitions)]" + }, + "properties": { + "displayName": "[variables('initiatives').policySetDefinitions[copyIndex()].properties.displayName]", + "description": "[variables('initiatives').policySetDefinitions[copyIndex()].properties.description]", + "parameters": "[variables('initiatives').policySetDefinitions[copyIndex()].properties.parameters]", + "policyDefinitions": "[variables('initiatives').policySetDefinitions[copyIndex()].properties.policyDefinitions]" + } + } + ] +} \ No newline at end of file 
diff --git a/docs/reference/contoso/armTemplates/auxiliary/vwan-connectivity.json b/docs/reference/contoso/armTemplates/auxiliary/vwan-connectivity.json
new file mode 100644
index 0000000000..f02992f639
--- /dev/null
+++ b/docs/reference/contoso/armTemplates/auxiliary/vwan-connectivity.json
@@ -0,0 +1,213 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "type": "string",
+ "maxLength": 5
+ },
+ "addressPrefix": {
+ "type": "string",
+ "metadata": {
+ "displayName": "addressPrefix",
+ "description": "Address prefix of the VHUB"
+ },
+ "defaultValue": "192.168.0.0/24"
+ },
+ "location": {
+ "type": "string",
+ "metadata": {
+ "displayName": "location",
+ "description": "Location of the VHUB"
+ },
+ "defaultValue": "[deployment().location]"
+ },
+ "enableVwan": {
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "defaultValue": "No"
+ },
+ "enableAzFw": {
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "defaultValue": "No"
+ },
+ "enableVpnGw": {
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "defaultValue": "No"
+ },
+ "enableErGw": {
+ "type": "string",
+ "allowedValues": [
+ "Yes",
+ "No"
+ ],
+ "defaultValue": "No"
+ },
+ "connectivitySubscriptionId": {
+ "type": "string"
+ }
+ },
+ "variables": {
+ "vWanName": "[concat(parameters('topLevelManagementGroupPrefix'), '-vwan-', parameters('location'))]",
+ "vpngwname": "[concat(parameters('topLevelManagementGroupPrefix'), '-vpngw-', parameters('location'))]",
+ "erGwName": "[concat(parameters('topLevelManagementGroupPrefix'), '-ergw-', parameters('location'))]",
+ "rgName": "[concat(parameters('topLevelManagementGroupPrefix'), '-connectivity')]",
+ "vHubName": "[concat(parameters('topLevelManagementGroupPrefix'), '-vhub-', parameters('location'))]",
+ "azFwName": "[concat(parameters('topLevelManagementGroupPrefix'), '-fw-', parameters('location'))]",
+ "vWanSku": "Standard",
+ "vwanresourceid": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/' ,variables('rgName'),'/providers/Microsoft.Network/virtualWans/', variables('vwanname'))]",
+ "vwanhub": "[concat('/subscriptions/', parameters('connectivitySubscriptionId'), '/resourceGroups/', variables('rgName'),'/providers/Microsoft.Network/virtualHubs/', variables('vhubname'))]",
+ "vhubsku": "Standard",
+ "vpnbgpasn": 65515,
+ "resourceDeploymentName": "[take(concat(deployment().name, '-vwan'), 64)]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "location": "[deployment().location]",
+ "name": "[concat('EntScale', '-connectivitySub')]",
+ "subscriptionId": "[parameters('connectivitySubscriptionId')]",
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {},
+ "resources": [
+ {
+ "type": "Microsoft.Resources/resourceGroups",
+ "apiVersion": "2019-10-01",
+ "location": "[deployment().location]",
+ "name": "[variables('rgName')]",
+ "properties": {}
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2019-10-01",
+ "name": "[variables('resourceDeploymentName')]",
+ "resourceGroup": "[variables('rgName')]",
+ "dependsOn": [
+ "[concat('Microsoft.Resources/resourceGroups/', variables('rgName'))]"
+ ],
+ "properties": {
+ "mode": "Incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {},
+ "resources": [
+ {
+ "type": "Microsoft.Network/virtualWans",
+ "apiVersion": "2020-05-01",
+ "name": "[variables('vWanName')]",
+ "location": "[parameters('location')]",
+ "properties": {
+ "virtualHubs": [],
+ "vpnSites": [],
+ "type": "[variables('vwansku')]"
+ }
+ },
+ {
+ "condition": "[and(equals(parameters('enableVwan'), 'Yes'), not(empty(parameters('addressPrefix'))))]",
+ "type": "Microsoft.Network/virtualHubs",
+ "apiVersion": "2020-05-01",
+ "location": "[parameters('location')]",
+ "name": "[variables('vhubname')]",
+ "properties": {
+ "virtualWan": {
+ "id": "[variables('vwanresourceid')]"
+ },
+ "addressPrefix": "[parameters('addressPrefix')]",
+ "sku": "[variables('vhubsku')]"
+ }
+ },
+ {
+ "condition": "[and(equals(parameters('enableVwan'), 'Yes'), equals(parameters('enableVpnGw'), 'Yes'))]",
+ "type": "Microsoft.Network/vpnGateways",
+ "apiVersion": "2020-05-01",
+ "location": "[parameters('location')]",
+ "name": "[variables('vpngwname')]",
+ "dependsOn": [
+ "[concat('Microsoft.Network/virtualHubs/',variables('vhubname'))]"
+ ],
+ "properties": {
+ "virtualHub": {
+ "id": "[variables('vwanhub')]"
+ },
+ "bgpSettings": {
+ "asn": "[variables('vpnbgpasn')]"
+ },
+ "vpnGatewayScaleUnit": 1
+ }
+ },
+ {
+ "condition": "[and(equals(parameters('enableVwan'), 'Yes'), equals(parameters('enableErGw'), 'Yes'))]",
+ "type": "Microsoft.Network/expressRouteGateways",
+ "apiVersion": "2020-05-01",
+ "location": "[parameters('location')]",
+ "name": "[variables('ergwname')]",
+ "dependsOn": [
+ "[concat('Microsoft.Network/virtualHubs/', variables('vhubname'))]"
+ ],
+ "properties": {
+ "virtualHub": {
+ "id": "[variables('vwanhub')]"
+ },
+ "autoScaleConfiguration": {
+ "bounds": {
+ "min": 1,
+ "max": 1
+ }
+ }
+ }
+ },
+ {
+ "condition": "[equals(parameters('enableAzFw'), 'Yes')]",
+ "apiVersion": "2020-05-01",
+ "type": "Microsoft.Network/azureFirewalls",
+ "name": "[variables('azfwname')]",
+ "location": "[parameters('location')]",
+ "dependsOn": [
+ "[concat('Microsoft.Network/virtualHubs/',variables('vhubname'))]"
+ ],
+ "properties": {
+ "sku": {
+ "Name": "AZFW_Hub",
+ "Tier": "Standard"
+ },
+ "hubIPAddresses": {
+ "publicIPs": {
+ "addresses": "[json('[]')]",
+ "count": 1
+ }
+ },
+ "virtualHub": {
+ "id": "[variables('vwanhub')]"
+ },
+ "firewallPolicy": {
+ "id": "[json('null')]"
+ }
+ }
+ }
+ ]
+ }
+ }
+ }
+ ]
+ }
+ }
+ }
+ ]
+}
\ No newline at end of file
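Review bot: The Azure Firewall resource's condition checks only `enableAzFw`, while the virtual hub it targets through `dependsOn` and `variables('vwanhub')` is created only when `enableVwan` is 'Yes' and `addressPrefix` is non-empty, so `enableAzFw=Yes` with `enableVwan=No` references a hub that will not exist; align it with the VPN and ExpressRoute gateway resources: `"condition": "[and(equals(parameters('enableVwan'), 'Yes'), equals(parameters('enableAzFw'), 'Yes'))]"`. Separately, `"firewallPolicy": { "id": "[json('null')]" }` deploys the hub firewall with no policy attached, so it enforces no rules until one is associated out of band; a `firewallPolicyId` parameter, or at least a `metadata.description` on `enableAzFw` stating that a policy must be attached afterwards, would make that explicit. Variables are also referenced in a different case from their declarations (`vWanName`/`vwanname`, `vHubName`/`vhubname`, `azFwName`/`azfwname`, `vWanSku`/`vwansku`); ARM resolves these case-insensitively as far as I know, but using the declared spelling keeps the template searchable.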
diff --git a/docs/reference/contoso/armTemplates/es-vwan.json b/docs/reference/contoso/armTemplates/es-vwan.json
new file mode 100644
index 0000000000..c51afed1f4
--- /dev/null
+++ b/docs/reference/contoso/armTemplates/es-vwan.json
@@ -0,0 +1,551 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "enterpriseScaleCompanyPrefix": { + "type": "string", + "maxLength": 5, + "metadata": { + "description": "Provide the prefix (max 5 characters) to the management group hierarchy that will be created" + } + }, + "managementSubscriptionId": { + "type": "string", + "defaultValue": "", + "maxLength": 36, + "metadata": { + "description": "Provide the subscription id of an existing, empty subscription you want to dedicate for management. If you don't want to bring a subscription, leave this parameter empty as is." + } + }, + "connectivitySubscriptionId": { + "type": "string", + "defaultValue": "", + "maxLength": 36, + "metadata": { + "description": "Provide the subscription id of an existing, empty subscription you want to dedicate for networking." + } + }, + "lzSubscriptionId": { + "type": "string", + "defaultValue": "", + "maxLength": 36, + "metadata": { + "description": "Provide the subscription id fo an existing, empty subscription you want to move in as your first landing zone." + } + }, + "enableLogAnalytics": { + "type": "string", + "defaultValue": "No", + "allowedValues": [ + "Yes", + "No" + ], + "metadata": { + "description": "If 'Yes' is selected when also adding a subscription for management, ARM will assign two policies to enable auditing in your environment, into the Log Analytics workspace for platform monitoring. If 'No', it will be ignored." + } + }, + "enableAsc": { + "type": "string", + "defaultValue": "No", + "allowedValues": [ + "Standard", + "Free", + "No" + ], + "metadata": { + "description": "If 'Yes' is selected when also adding a subscription for management, ARM will assign two policies to enable auditing in your environment, into the Log Analytics workspace for platform monitoring. If 'No', it will be ignored." 
+ } + }, + "enableSqlAudit": { + "type": "string", + "defaultValue": "No", + "allowedValues": [ + "Yes", + "No" + ] + }, + "enableSqlEncryption": { + "type": "string", + "defaultValue": "No", + "allowedValues": [ + "Yes", + "No" + ] + }, + "enableVmBackup": { + "type": "string", + "defaultValue": "No", + "allowedValues": [ + "Yes", + "No" + ] + }, + "denyRdp": { + "type": "string", + "defaultValue": "No", + "allowedValues": [ + "Yes", + "No" + ] + }, + "enableStorageHttps": { + "type": "string", + "defaultValue": "No", + "allowedValues": [ + "Yes", + "No" + ] + }, + "denyIpForwarding": { + "type": "string", + "defaultValue": "No", + "allowedValues": [ + "Yes", + "No" + ] + }, + "denySubnetWithoutNsg": { + "type": "string", + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "No" + }, + "enableVwan": { + "type": "string", + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "No" + }, + "enableAzFw": { + "type": "string", + "allowedValues": [ + "Yes", + "No" + ], + "defaultValue": "No" + }, + "addressPrefix": { + "type": "string", + "defaultValue": "" + }, + "enableVpnGw": { + "type": "string", + "defaultValue": "No", + "allowedValues": [ + "Yes", + "No" + ] + }, + "enableErGw": { + "type": "string", + "defaultValue": "No", + "allowedValues": [ + "Yes", + "No" + ] + }, + "location": { + "type": "string", + "defaultValue": "[deployment().location]" + } + }, + "variables": { + "policyDefinitions": "[uri(deployment().properties.templateLink.uri, 'auxiliary/policies.json')]", + "monitoring": "[uri(deployment().properties.templateLink.uri, 'auxiliary/logAnalytics.json')]", + "diagnosticsAndSecurity": "[uri(deployment().properties.templateLink.uri, 'auxiliary/diagnosticsAndSecurity.json')]", + "connectivity": "[uri(deployment().properties.templateLink.uri, 'auxiliary/vwan-connectivity.json')]", + "landingZone": "[uri(deployment().properties.templateLink.uri, 'auxiliary/lz.json')]", + "moveSubscription": "[concat(parameters('enterpriseScaleCompanyPrefix'), 
'-management', '/', parameters('managementSubscriptionId'))]", + "noSubscription": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-management', '/', 'na')]", + "lzMoveSubscription": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-online', '/', parameters('lzSubscriptionId'))]", + "noLzSubscription": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-online', '/', 'nalz')]", + "connectivityMoveSubscription": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-connectivity', '/', parameters('connectivitySubscriptionId'))]", + "noConnectivitySubscription": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-connectivity', '/', 'naconn')]", + "policyDeploymentName": "[take(concat('EntScale-Policy', '-', deployment().location, guid(parameters('enterpriseScaleCompanyPrefix'))), 64)]", + "monitoringDeploymentName": "[take(concat('EntScale-Monitoring', '-', deployment().location, guid(parameters('enterpriseScaleCompanyPrefix'))), 64)]", + "diagAndSecDeploymentName": "[take(concat('EntScale-DiagSec', '-', deployment().location, guid(parameters('enterpriseScaleCompanyPrefix'))), 64)]", + "connectivityDeploymentName": "[take(concat('EntScale-conn', '-', deployment().location, guid(parameters('enterpriseScaleCompanyPrefix'))), 64)]", + "lzDeploymentName": "[take(concat('EntScale-lz', '-', deployment().location, guid(parameters('enterpriseScaleCompanyPrefix'))), 64)]" + }, + "resources": [ + { + "type": "Microsoft.Management/managementGroups", + "apiVersion": "2020-05-01", + "name": "[parameters('enterpriseScaleCompanyPrefix')]", + "properties": {} + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-10-01", + "name": "[variables('policyDeploymentName')]", + "location": "[deployment().location]", + "scope": "[concat('Microsoft.Management/managementGroups/', parameters('enterpriseScaleCompanyPrefix'))]", + "dependsOn": [ + "[tenantResourceId('Microsoft.Management/managementGroups', parameters('enterpriseScaleCompanyPrefix'))]" + ], 
+ "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('policyDefinitions')]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + } + } + } + }, + { + "type": "Microsoft.Management/managementGroups", + "apiVersion": "2020-05-01", + "name": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-platform')]", + "dependsOn": [ + "[tenantResourceId('Microsoft.Management/managementGroups', parameters('enterpriseScaleCompanyPrefix'))]" + ], + "properties": { + "details": { + "parent": { + "id": "[tenantResourceId('Microsoft.Management/managementGroups/', parameters('enterpriseScaleCompanyPrefix'))]" + } + } + } + }, + { + "type": "Microsoft.Management/managementGroups", + "apiVersion": "2020-05-01", + "name": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-management')]", + "dependsOn": [ + "[tenantResourceId('Microsoft.Management/managementGroups', concat(parameters('enterpriseScaleCompanyPrefix'), '-platform'))]" + ], + "properties": { + "details": { + "parent": { + "id": "[tenantResourceId('Microsoft.Management/managementGroups/', concat(parameters('enterpriseScaleCompanyPrefix'), '-platform'))]" + } + } + } + }, + { + "type": "Microsoft.Management/managementGroups", + "apiVersion": "2020-05-01", + "name": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-identity')]", + "dependsOn": [ + "[tenantResourceId('Microsoft.Management/managementGroups', concat(parameters('enterpriseScaleCompanyPrefix'), '-platform'))]" + ], + "properties": { + "details": { + "parent": { + "id": "[tenantResourceId('Microsoft.Management/managementGroups/', concat(parameters('enterpriseScaleCompanyPrefix'), '-platform'))]" + } + } + } + }, + { + "type": "Microsoft.Management/managementGroups", + "apiVersion": "2020-05-01", + "name": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-connectivity')]", + "dependsOn": [ + 
"[tenantResourceId('Microsoft.Management/managementGroups', concat(parameters('enterpriseScaleCompanyPrefix'), '-platform'))]" + ], + "properties": { + "details": { + "parent": { + "id": "[tenantResourceId('Microsoft.Management/managementGroups/', concat(parameters('enterpriseScaleCompanyPrefix'), '-platform'))]" + } + } + } + }, + { + "type": "Microsoft.Management/managementGroups", + "apiVersion": "2020-05-01", + "name": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-decomissioned')]", + "dependsOn": [ + "[tenantResourceId('Microsoft.Management/managementGroups', parameters('enterpriseScaleCompanyPrefix'))]" + ], + "properties": { + "details": { + "parent": { + "id": "[tenantResourceId('Microsoft.Management/managementGroups/', parameters('enterpriseScaleCompanyPrefix'))]" + } + } + } + }, + { + "type": "Microsoft.Management/managementGroups", + "apiVersion": "2020-05-01", + "name": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-sandboxes')]", + "dependsOn": [ + "[tenantResourceId('Microsoft.Management/managementGroups', parameters('enterpriseScaleCompanyPrefix'))]" + ], + "properties": { + "details": { + "parent": { + "id": "[tenantResourceId('Microsoft.Management/managementGroups/', parameters('enterpriseScaleCompanyPrefix'))]" + } + } + } + }, + { + "type": "Microsoft.Management/managementGroups", + "apiVersion": "2020-05-01", + "name": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-landingzones')]", + "dependsOn": [ + "[tenantResourceId('Microsoft.Management/managementGroups', parameters('enterpriseScaleCompanyPrefix'))]" + ], + "properties": { + "details": { + "parent": { + "id": "[tenantResourceId('Microsoft.Management/managementGroups/', parameters('enterpriseScaleCompanyPrefix'))]" + } + } + } + }, + { + "type": "Microsoft.Management/managementGroups", + "apiVersion": "2020-05-01", + "name": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-online')]", + "dependsOn": [ + 
"[tenantResourceId('Microsoft.Management/managementGroups', concat(parameters('enterpriseScaleCompanyPrefix'), '-landingzones'))]" + ], + "properties": { + "details": { + "parent": { + "id": "[tenantResourceId('Microsoft.Management/managementGroups/', concat(parameters('enterpriseScaleCompanyPrefix'), '-landingzones'))]" + } + } + } + }, + { + "type": "Microsoft.Management/managementGroups", + "apiVersion": "2020-05-01", + "name": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-corp')]", + "dependsOn": [ + "[tenantResourceId('Microsoft.Management/managementGroups', concat(parameters('enterpriseScaleCompanyPrefix'), '-landingzones'))]" + ], + "properties": { + "details": { + "parent": { + "id": "[tenantResourceId('Microsoft.Management/managementGroups/', concat(parameters('enterpriseScaleCompanyPrefix'), '-landingzones'))]" + } + } + } + }, + { + "type": "Microsoft.Management/managementGroups", + "apiVersion": "2020-05-01", + "name": "[concat(parameters('enterpriseScaleCompanyPrefix'), '-sap')]", + "dependsOn": [ + "[tenantResourceId('Microsoft.Management/managementGroups', concat(parameters('enterpriseScaleCompanyPrefix'), '-landingzones'))]" + ], + "properties": { + "details": { + "parent": { + "id": "[tenantResourceId('Microsoft.Management/managementGroups/', concat(parameters('enterpriseScaleCompanyPrefix'), '-landingzones'))]" + } + } + } + }, + { + "condition": "[not(empty(parameters('managementSubscriptionId')))]", + "type": "Microsoft.Management/managementGroups/subscriptions", + "apiVersion": "2020-05-01", + "name": "[if(not(empty(parameters('managementSubscriptionId'))), variables('moveSubscription'), variables('noSubscription'))]", + "dependsOn": [ + "[tenantResourceId('Microsoft.Management/managementGroups', concat(parameters('enterpriseScaleCompanyPrefix'), '-management'))]" + ], + "properties": {} + }, + { + "condition": "[not(empty(parameters('lzSubscriptionId')))]", + "type": "Microsoft.Management/managementGroups/subscriptions", + 
"apiVersion": "2020-05-01", + "name": "[if(not(empty(parameters('lzSubscriptionId'))), variables('lzMoveSubscription'), variables('noLzSubscription'))]", + "dependsOn": [ + + "[tenantResourceId('Microsoft.Management/managementGroups', concat(parameters('enterpriseScaleCompanyPrefix'), '-online'))]" + ], + "properties": {} + }, + { + "condition": "[not(empty(parameters('connectivitySubscriptionId')))]", + "type": "Microsoft.Management/managementGroups/subscriptions", + "apiVersion": "2020-05-01", + "name": "[if(not(empty(parameters('connectivitySubscriptionId'))), variables('connectivityMoveSubscription'), variables('noConnectivitySubscription'))]", + "dependsOn": [ + "[tenantResourceId('Microsoft.Management/managementGroups', concat(parameters('enterpriseScaleCompanyPrefix'), '-connectivity'))]" + ], + "properties": {} + }, + { + "condition": "[and(not(empty(parameters('connectivitySubscriptionId'))),equals(parameters('enableVwan'), 'Yes'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-05-01", + "scope": "[concat('Microsoft.Management/managementGroups/', parameters('enterpriseScaleCompanyPrefix'), '-connectivity')]", + "name": "[variables('connectivityDeploymentName')]", + "dependsOn": [ + "[variables('monitoringDeploymentName')]", + "[tenantResourceId('Microsoft.Management/managementGroups/subscriptions/', concat(parameters('enterpriseScaleCompanyPrefix'), '-connectivity'), parameters('connectivitySubscriptionId'))]" + ], + "location": "[deployment().location]", + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('connectivity')]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "enableVwan": { + "value": "[parameters('enableVwan')]" + }, + "enableAzFw": { + "value": "[parameters('enableAzFw')]" + }, + "addressPrefix": { + "value": "[parameters('addressPrefix')]" + }, + "enableVpnGw": { + "value": 
"[parameters('enableVpnGw')]" + }, + "enableErGw": { + "value": "[parameters('enableErGw')]" + }, + "location": { + "value": "[parameters('location')]" + }, + "connectivitySubscriptionId": { + "value": "[parameters('connectivitySubscriptionId')]" + } + } + } + }, + { + "condition": "[and(not(empty(parameters('managementSubscriptionId'))),equals(parameters('enableLogAnalytics'), 'Yes'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-05-01", + "scope": "[concat('Microsoft.Management/managementGroups/', parameters('enterpriseScaleCompanyPrefix'), '-management')]", + "name": "[variables('monitoringDeploymentName')]", + "dependsOn": [ + "[variables('policyDeploymentName')]", + "[tenantResourceId('Microsoft.Management/managementGroups/subscriptions/', concat(parameters('enterpriseScaleCompanyPrefix'), '-management'), parameters('managementSubscriptionId'))]", + "[tenantResourceId('Microsoft.Management/managementGroups/subscriptions/', concat(parameters('enterpriseScaleCompanyPrefix'), '-connectivity'), parameters('connectivitySubscriptionId'))]", + "[tenantResourceId('Microsoft.Management/managementGroups/subscriptions/', concat(parameters('enterpriseScaleCompanyPrefix'), '-online'), parameters('lzSubscriptionId'))]" + ], + "location": "[deployment().location]", + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('monitoring')]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "enableLogAnalytics": { + "value": "[parameters('enableLogAnalytics')]" + }, + "managementSubscriptionId": { + "value": "[parameters('managementSubscriptionId')]" + } + } + } + }, + { + "condition": "[or(or(equals(parameters('enableVmBackup'), 'Yes'), equals(parameters('enableSqlAudit'), 'Yes')), equals(parameters('enableSqlEncryption'), 'Yes'), equals(parameters('enableStorageHttps'), 'Yes'))]", + "type": 
"Microsoft.Resources/deployments", + "apiVersion": "2019-05-01", + "scope": "[concat('Microsoft.Management/managementGroups/', parameters('enterpriseScaleCompanyPrefix'), '-landingzones')]", + "name": "[variables('lzDeploymentName')]", + "dependsOn": [ + "[variables('policyDeploymentName')]", + "[tenantResourceId('Microsoft.Management/managementGroups/subscriptions/', concat(parameters('enterpriseScaleCompanyPrefix'), '-management'), parameters('managementSubscriptionId'))]" + ], + "location": "[deployment().location]", + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": "[variables('landingZone')]" + }, + "parameters": { + "topLevelManagementGroupPrefix": { + "value": "[parameters('enterpriseScaleCompanyPrefix')]" + }, + "enableSqlAudit": { + "value": "[parameters('enableSqlAudit')]" + }, + "enableSqlEncryption": { + "value": "[parameters('enableSqlEncryption')]" + }, + "enableVmBackup": { + "value": "[parameters('enableVmBackup')]" + }, + "denyRdp": { + "value": "[parameters('denyRdp')]" + }, + "enableStorageHttps": { + "value": "[parameters('enableStorageHttps')]" + }, + "denyIpForwarding": { + "value": "[parameters('denyIpForwarding')]" + }, + "denySubnetWithoutNsg": { + "value": "[parameters('denySubnetWithoutNsg')]" + } + } + } + }, + { + "condition": "[and(not(empty(parameters('managementSubscriptionId'))), or(equals(parameters('enableLogAnalytics'), 'Yes'), and(equals(parameters('enableAsc'), 'Standard'), equals(parameters('enableAsc'), 'Free'))))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2019-05-01", + "scope": "[concat('Microsoft.Management/managementGroups/', parameters('enterpriseScaleCompanyPrefix'))]", + "name": "[variables('diagAndSecDeploymentName')]", + "dependsOn": [ + "[variables('monitoringDeploymentName')]" + ], + "location": "[deployment().location]", + "properties": { + "mode": "Incremental", + "templateLink": { + "contentVersion": "1.0.0.0", + "uri": 
"[variables('diagnosticsAndSecurity')]"
+ },
+ "parameters": {
+ "topLevelManagementGroupPrefix": {
+ "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+ },
+ "enableLogAnalytics": {
+ "value": "[parameters('enableLogAnalytics')]"
+ },
+ "enableAsc": {
+ "value": "[parameters('enableAsc')]"
+ },
+ "managementSubscriptionId": {
+ "value": "[parameters('managementSubscriptionId')]"
+ },
+ "connectivitySubscriptionId": {
+ "value": "[parameters('connectivitySubscriptionId')]"
+ },
+ "lzSubscriptionId": {
+ "value": "[parameters('lzSubscriptionId')]"
+ }
+ }
+ }
+ }
+ ],
+ "outputs": {
+ "deployment": {
+ "type": "string",
+ "value": "[concat(deployment().name, ' has successfully deployed. Welcome to Enterprise-Scale!')]"
+ }
+ }
+}
\ No newline at end of file
diff --git a/docs/reference/contoso/armTemplates/portal-es-vwan.json b/docs/reference/contoso/armTemplates/portal-es-vwan.json
new file mode 100644
index 0000000000..33bd54fdd5
--- /dev/null
+++ b/docs/reference/contoso/armTemplates/portal-es-vwan.json
@@ -0,0 +1,605 @@
+{
+ "handler": "Microsoft.Azure.CreateUIDef",
+ "version": "0.1.2-preview",
+ "parameters": {
+ "basics": [
+ {}
+ ],
+ "steps": [
+ {
+ "name": "lzSettings",
+ "label": "Enterprise-Scale Company prefix",
+ "subLabel": {
+ "preValidation": "Provide a company prefix for the management group structure that will be created.",
+ "postValidation": "Done"
+ },
+ "bladeTitle": "Company prefix",
+ "elements": [
+ {
+ "name": "infoBox1",
+ "type": "Microsoft.Common.InfoBox",
+ "visible": true,
+ "options": {
+ "icon": "Info",
+ "text": "Enterprise-Scale ARM deployment requires access at the tenant root (/) scope. Visit this link to ensure you have the appropriate RBAC permission to complete the deployment",
+ "uri": "https://docs.microsoft.com/azure/role-based-access-control/elevate-access-global-admin"
+ }
+ },
+ {
+ "name": "esMgmtGroup",
+ "type": "Microsoft.Common.TextBox",
+ "label": "Management Group prefix",
+ "toolTip": "Provide a prefix for management group structure, 1-5 characters.",
+ "defaultValue": "",
+ "constraints": {
+ "required": true,
+ "regex": "^[a-z0-9A-Z-]{1,5}$",
+ "validationMessage": "The prefix must be 1-5 characters."
+ }
+ }
+ ]
+ },
+ {
+ "name": "esGoalState",
+ "label": "Platform management, security, and governance",
+ "subLabel": {
+ "preValidation": "Select 'Yes' if goal state should be enforced during deployment. 
Select 'No' if you want to do it post deployment using Azure Policy.", + "postValidation": "Done" + }, + "bladeTitle": "lzGs", + "elements": [ + { + "name": "infoBox1", + "type": "Microsoft.Common.InfoBox", + "visible": true, + "options": { + "icon": "Info", + "text": "If you want to deploy Log Analytics and platform monitoring and requisite settings, you must also provide a subscriptionId that will be dedicated for management, which will be placed into the platform management management group", + "uri": "https://github.com/Azure/Enterprise-Scale/blob/main/docs/reference/Readme.md" + } + }, + { + "name": "esLogAnalytics", + "type": "Microsoft.Common.OptionsGroup", + "label": "Deploy Log Analytics workspace and enable monitoring for your platform and resources", + "defaultValue": "No", + "toolTip": "If 'Yes' is selected when also adding a subscription for management, ARM will deploy resources and enable them for continious compliance.", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": true + }, + { + "name": "esMgmtSub", + "type": "Microsoft.Common.TextBox", + "label": "Management subscription id", + "toolTip": "Deployment of Log Analytics and platform monitoring requires you to provide the subscriptionId of an existing, empty subscription that you want to dedicate for management, which will be moved into the management group for platform management. If you don't want to bring a subscription at this time, leave this parameter empty as is.", + "defaultValue": "", + "visible": "[equals(steps('esGoalState').esLogAnalytics, 'Yes')]", + "constraints": { + "required": false, + "regex": "^[a-z0-9A-Z-]{36}$", + "validationMessage": "A valid subscription id must contain 36 characters. If you don't want to bring a subscription at this point, leave the parameter completely empty." 
+ } + }, + { + "name": "esAsc", + "type": "Microsoft.Common.OptionsGroup", + "label": "Deploy Azure Security Center and enable security monitoring for your platform and resources", + "defaultValue": "No", + "toolTip": "If 'Yes' is selected when also adding a subscription for management, ARM will deploy resources and enable them for continous compliance", + "constraints": { + "allowedValues": [ + { + "label": "Yes, Standard Tier (recommended)", + "value": "Standard" + }, + { + "label": "Yes, Free Tier", + "value": "Free" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": "[equals(steps('esGoalState').esLogAnalytics, 'Yes')]" + } + ] + }, + { + "name": "esConnectivityGoalState", + "label": "Connectivity (Virtual WAN)", + "subLabel": { + "preValidation": "Select 'Yes' if goal state should be enforced during deployment. Select 'No' if you want to do it post deployment using Azure Policy.", + "postValidation": "Done" + }, + "bladeTitle": "lzGs", + "elements": [ + { + "name": "infoBox1", + "type": "Microsoft.Common.InfoBox", + "visible": true, + "options": { + "icon": "Info", + "text": "If you want to deploy Virtual WAN and requisite settings, you must also provide a subscriptionId that will be dedicated for connectivity, which will be placed into the connectivity management group", + "uri": "https://github.com/Azure/Enterprise-Scale/blob/main/docs/reference/Readme.md" + } + }, + { + "name": "esVwan", + "type": "Microsoft.Common.OptionsGroup", + "label": "Deploy Virtual WAN", + "defaultValue": "No", + "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will deploy Virtual WAN", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": true + }, + { + "name": "esConnectivitySub", + "type": "Microsoft.Common.TextBox", + "label": "Connectivity subscription id", + "toolTip": "Provide the subscription id of an existing, 
empty subscription that you want to dedicate for connectivity, which will be moved into the management group for platform connectivity. If you don't want to bring a subscription at this time, leave this parameter empty as is.", + "defaultValue": "", + "visible": "[equals(steps('esConnectivityGoalState').esVwan, 'Yes')]", + "constraints": { + "required": false, + "regex": "^[a-z0-9A-Z-]{36}$", + "validationMessage": "A valid subscription id must contain 36 characters. If you don't want to bring a subscription at this point, leave the parameter completely empty." + } + }, + { + "name": "esAddress", + "type": "Microsoft.Common.TextBox", + "label": "Address space (required for Virtual Hub)", + "toolTip": "Provide address prefix in CIDR notation (e.g 192.168.1.0/24)", + "defaultValue": "192.168.0.0/16", + "visible": "[equals(steps('esConnectivityGoalState').esVwan, 'Yes')]", + "constraints": { + "required": false, + "validationMessage": "The virtual hubs network's address space, specified as one address prefixes in CIDR notation (e.g. 
192.168.1.0/24)" + } + }, + { + "name": "esRegions", + "type": "Microsoft.Common.DropDown", + "label": "Region for first virtual hub", + "defaultValue": "", + "visible": "[equals(steps('esConnectivityGoalState').esVwan, 'Yes')]", + "toolTip": "Select the target region for you connectivity deployment (requires you to provide a subscriptionId for connectivity)", + "constraints": { + "allowedValues": [ + { + "label": "East Asia", + "value": "eastasia" + }, + { + "label": "Southeast Asia", + "value": "southeastasia" + }, + { + "label": "Central US", + "value": "centralus" + }, + { + "label": "East US", + "value": "eastus" + }, + { + "label": "East US 2", + "value": "eastus2" + }, + { + "label": "West US", + "value": "westus" + }, + { + "label": "North Central US", + "value": "northcentralus" + }, + { + "label": "South Central US", + "value": "southcentralus" + }, + { + "label": "North Europe", + "value": "northeurope" + }, + { + "label": "West Europe", + "value": "westeurope" + }, + { + "label": "Japan West", + "value": "japanwest" + }, + { + "label": "Japan East", + "value": "japaneast" + }, + { + "label": "Brazil South", + "value": "brazilsouth" + }, + { + "label": "Australia East", + "value": "australiaeast" + }, + { + "label": "Australia Southeast", + "value": "australiasoutheast" + }, + { + "label": "South India", + "value": "southindia" + }, + { + "label": "Central India", + "value": "centralindia" + }, + { + "label": "Canada East", + "value": "canadaeast" + }, + { + "label": "UK South", + "value": "uksouth" + }, + { + "label": "UK West", + "value": "ukwest" + }, + { + "label": "West Central US", + "value": "westcentralus" + }, + { + "label": "West US 2", + "value": "westus2" + }, + { + "label": "Korea Central", + "value": "koreacentral" + }, + { + "label": "Korea South", + "value": "koreasouth" + }, + { + "label": "France Central", + "value": "francecentral" + }, + { + "label": "France South", + "value": "francesouth" + }, + { + "label": "Australia Central", + 
"value": "australiacentral" + }, + { + "label": "UAE Central", + "value": "uaecentral" + }, + { + "label": "UAE North", + "value": "uaenorth" + }, + { + "label": "South Africa North", + "value": "southafricanorth" + }, + { + "label": "South Africa West", + "value": "southafricawest" + }, + { + "label": "Switzerland North", + "value": "switzerlandnorth" + }, + { + "label": "Switzerland West", + "value": "switzerlandwest" + }, + { + "label": "Germany North", + "value": "germanynorth" + }, + { + "label": "Germany West Central", + "value": "germanywestcentral" + }, + { + "label": "Norway West", + "value": "norwaywest" + }, + { + "label": "Norway East", + "value": "norwayeast" + } + ], + "required": false + } + }, + { + "name": "esVpnGw", + "type": "Microsoft.Common.OptionsGroup", + "label": "Deploy VPN Gateway", + "defaultValue": "No", + "visible": "[equals(steps('esConnectivityGoalState').esVwan, 'Yes')]", + "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will deploy VPN gateway", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "esErGw", + "type": "Microsoft.Common.OptionsGroup", + "label": "Deploy ExpressRoute Gateway", + "defaultValue": "No", + "visible": "[equals(steps('esConnectivityGoalState').esVwan, 'Yes')]", + "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will deploy Express Route gateway", + "constraints": { + "allowedValues": [ + { + "label": "Yes", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + }, + { + "name": "esAzFw", + "type": "Microsoft.Common.OptionsGroup", + "label": "Deploy Azure Firewall", + "defaultValue": "No", + "visible": "[equals(steps('esConnectivityGoalState').esVwan, 'Yes')]", + "toolTip": "If 'Yes' is selected when also adding a subscription for connectivity, ARM will deploy Azure Firewall", + "constraints": { + "allowedValues": [ + 
{ + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + } + } + ] + }, + { + "name": "lzGoalState", + "label": "Landing zone configuration", + "subLabel": { + "preValidation": "Select 'Yes' if goal state should be enforced during deployment. Select 'No' if you want to do it post deployment using Azure Policy.", + "postValidation": "Done" + }, + "bladeTitle": "lzGs", + "elements": [ + { + "name": "infoBox1", + "type": "Microsoft.Common.InfoBox", + "visible": true, + "options": { + "icon": "Info", + "text": "You can optionally provide a subscriptionId for your first landing zone, and also assign recommended policies that will ensure workloads will be secure, monitored, and protected according to best practices.", + "uri": "https://github.com/Azure/Enterprise-Scale/blob/main/docs/Deploy/ES-schema.md" + } + }, + { + "name": "esLzSub", + "type": "Microsoft.Common.TextBox", + "label": "Landing zone subscription id (optional)", + "toolTip": "Provide the subscription id of an existing, empty subscription that you want to use as landing zone for your workload deployments.", + "defaultValue": "", + "constraints": { + "required": false, + "regex": "^[a-z0-9A-Z-]{36}$", + "validationMessage": "A valid subscription id must contain 36 characters. If you don't want to bring a subscription at this point, leave the parameter completely empty." 
+ } + }, + { + "name": "esAzBackup", + "type": "Microsoft.Common.OptionsGroup", + "label": "Ensure VMs are enabled for backup", + "defaultValue": "No", + "toolTip": "If 'Yes' is selected, Azure Policy will be assigned and enable Azure Backup on all VMs in the landing zones.", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": true + }, + { + "name": "esDenyRdp", + "type": "Microsoft.Common.OptionsGroup", + "label": "Prevent inbound RDP from internet", + "defaultValue": "No", + "toolTip": "If 'Yes' is selected, Azure Policy will be assigned and prevent inbound RDP from internet", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": true + }, + { + "name": "esNsg", + "type": "Microsoft.Common.OptionsGroup", + "label": "Ensure subnets are associated with NSG", + "defaultValue": "No", + "toolTip": "If 'Yes' is selected, Azure Policy will be assigned to ensure NSGs must be associated with subnets being created", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": true + }, + { + "name": "esIpForwarding", + "type": "Microsoft.Common.OptionsGroup", + "label": "Prevent IP forwarding", + "defaultValue": "No", + "toolTip": "If 'Yes' is selected, Azure Policy will be assigned and prevent IP forwarding", + "constraints": { + "allowedValues": [ + { + "label": "Yes (recommended)", + "value": "Yes" + }, + { + "label": "No", + "value": "No" + } + ] + }, + "visible": true + }, + { + "name": "esSqlEncryption", + "type": "Microsoft.Common.OptionsGroup", + "label": "Ensure Azure SQL is enabled with transparent data encryption", + "defaultValue": "No", + "toolTip": "If 'Yes' is selected when also adding a subscription for management, ARM will deploy resources and 
enable them for continous compliance",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": true
+ },
+ {
+ "name": "esSqlAudit",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Ensure auditing is enabled on Azure SQL",
+ "defaultValue": "No",
+ "toolTip": "If 'Yes' is selected, Azure Policy will be assigned to ensure auditing is enabled on Azure SQLs",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": true
+ },
+ {
+ "name": "esHttpsStorage",
+ "type": "Microsoft.Common.OptionsGroup",
+ "label": "Ensure secure connections (HTTPS) to storage accounts",
+ "defaultValue": "No",
+ "toolTip": "If 'Yes' is selected, Azure Policy will be assigned to ensure storage can only be accessed using HTTPS",
+ "constraints": {
+ "allowedValues": [
+ {
+ "label": "Yes (recommended)",
+ "value": "Yes"
+ },
+ {
+ "label": "No",
+ "value": "No"
+ }
+ ]
+ },
+ "visible": true
+ }
+ ]
+ }
+ ],
+ "outputs": {
+ "enableErGw": "[steps('esConnectivityGoalState').esErGw]",
+ "enableVpnGw": "[steps('esConnectivityGoalState').esVpnGw]",
+ "enableVwan": "[steps('esConnectivityGoalState').esVwan]",
+ "connectivitySubscriptionId": "[steps('esConnectivityGoalState').esConnectivitySub]",
+ "enableAzFw": "[steps('esConnectivityGoalState').esAzFw]",
+ "addressPrefix": "[steps('esConnectivityGoalState').esAddress]",
+ "location": "[steps('esConnectivityGoalState').esRegions]",
+ "managementSubscriptionId": "[steps('esGoalState').esMgmtSub]",
+ "lzSubscriptionId": "[steps('lzGoalState').esLzSub]",
+ "enableLogAnalytics": "[steps('esGoalState').esLogAnalytics]",
+ "enableAsc": "[steps('esGoalState').esAsc]",
+ "enablePrivateEndpoint": "[steps('esGoalState').esPrivateEndpoint]",
+ "enableAzBackup": "[steps('esGoalState').esAzBackup]",
+ "enterpriseScaleCompanyPrefix": 
"[steps('lzSettings').esMgmtGroup]",
+ "enableSqlAudit": "[steps('lzGoalState').esSqlAudit]",
+ "enableSqlEncryption": "[steps('lzGoalState').esSqlEncryption]",
+ "enableVmBackup": "[steps('lzGoalState').esAzBackup]",
+ "denyRdp": "[steps('lzGoalState').esDenyRdp]",
+ "enableStorageHttps": "[steps('lzGoalState').esHttpsStorage]",
+ "denyIpForwarding": "[steps('lzGoalState').esIpForwarding]",
+ "denySubnetWithoutNsg": "[steps('lzGoalState').esNsg]"
+ }
+ }
+}
\ No newline at end of file
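Review bot: The `outputs` block at the end of the hunk reads `steps('esGoalState').esPrivateEndpoint` and `steps('esGoalState').esAzBackup`, but the esGoalState step defines only infoBox1, esLogAnalytics, esMgmtSub and esAsc — no esPrivateEndpoint element exists anywhere in the file, and esAzBackup lives in lzGoalState (already exported there as `enableVmBackup`, the name the nested landing-zone deployment consumes), so `"enablePrivateEndpoint"` and `"enableAzBackup"` appear to be dangling references and should be removed or repointed. The three subscription-id text boxes (esMgmtSub, esConnectivitySub, esLzSub) validate with `"regex": "^[a-z0-9A-Z-]{36}$"`, which accepts any 36 letters, digits or hyphens rather than a GUID; `"regex": "^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$"` would reject a mistyped id in the portal instead of at the management-group move. `esAddress` is labelled "required for Virtual Hub" yet carries `"required": false` and no `regex`, so an empty or non-CIDR string flows unchecked into the connectivity deployment as `addressPrefix`; a CIDR-shaped pattern (for example `"regex": "^([0-9]{1,3}\\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$"`, illustrative only) would surface that in the UI, and the same applies to `esRegions`, whose `"defaultValue": ""` and `"required": false` let `location` be empty when Virtual WAN is selected.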