[Question/Feedback]: Challenges Deploying Custom Resource Alerts and Expanding AMBA Alerts

[jonnedev]

Check for previous/existing GitHub issues

• I have checked for previous/existing GitHub issues

Description

Question 1:

Resource alerts that are not currently part of an initiative cannot be manually deployed using the provided policy template on the site. For example, if I want to create a policy definition for fileServices - FileShareCapacityQuota - Metric Alert and I copy the syntax directly from services/Storage/storageAccounts/templates/policy/fileServices-FileCapacity_26e09eae-c784-4e8f-a225-d3f13efff76f.json and attempt to create it via the Azure Portal, I get the following error message:
"A function or parameter in policy '936cda79-c1bb-4b08-bdb8-a69c40137474' could not be validated. If using template functions, try following the tips in: https://aka.ms/policy-avoiding-template-failures. The inner exception 'Evaluation result of language expression '[[parameters('MonitorDisableTagValues')]' is type 'String', expected type is 'Array'.'."

If I modify the code slightly, it does work, but now I’m wondering: how should or can this be done correctly?

Question 2:

Is it possible to roll out the available alert templates for resources within AMBA, which are not included by default in the ALZ deployment, for example by using an initiative? For instance, with the Microsoft.Storage/storageaccounts resource, there are 18 available alert templates, but only 2 are deployed in the AMBA ALZ deployment.

[Brunoga-MS]

Hello @jonnedev ,
thanks for your question. For question one, I would like to get @JoeyBarnes's opinion . For question 2 instead, We have a data driven selection of alerts which are relevant for the vast majority of customers. We're not aiming at including all possible alerts listed under the given resource type. However, we constantly look to see if there are other useful alerts, but no ETA for those you mentioned.

Hope that helps,
Bruno.

[arjenhuitema]

Hi @jonnedev, Thank you for your feedback.

The policy files are designed to be deployed as an ARM template. It's similar to how the ALZ pattern implements and utilises the Policies. While copying and pasting the policies, it is necessary to make some modifications; namely, you should copy only the parameters and policyRule sections and remove the additional [ character used as an escape character when referencing a parameter.

We are escaping the parameters by design, as this must be parameterized in the Policy and Initiative definitions, therefore, we need to pass the literal string rather than interpret the expression, for example [[parameters('effect')] is used so the policy definition that is deployed has [parameters('effect')].

Deploying additional policies not included in the ALZ pattern is certainly feasible. The intention was not for these Policies to be utilised independently but to facilitate the creation of Initiatives by other patterns based on those policies.

No new initiatives have been developed by other patterns so far. If you wish, you can utilize the policies to create your own.

The ALZ pattern's approach:

1. Develop the Policy Set Definition for the policies you intend to implement. You can refer to Deploy-Connectivity-Alerts.json as an example.

2. I suggest starting with a bicep template and using policies-Network.bicep as a reference.

3. Within your bicep template, each Policy Definition should be added to the variable loadPolicyDefinitions, while the Policy Set Definition should be included in the variable loadPolicySetDefinitions.

4. Execute the following command to compile the ARM template. (This is an example; you will need to modify the input and output files accordingly.)

   bicep build .\patterns\alz\templates\policies-Network.bicep --outfile .\patterns\alz\policyDefinitions\policies-Network.json

5. Utilise this command to deploy the ARM template that includes the policies and initiative. (This serves as an example; you will need to adjust the input and output files as required.)

   az deployment mg create --location swedencentral --template-file .\policies-Network.json --management-group contoso

Thanks once more for your feedback; it's a chance for us to enhance and refine the documentation. Feel free to ask if you have further questions or need assistance with setting up your initiative.

[jonnedev]

Thanks for the quick responses! We aim to work as standardized as possible and stick to the baseline, so we can roll out across multiple client environments without too many adjustments. If I understand correctly, this means that the most commonly used alerts are included in the ALZ pattern based on data. For custom alerts, like additional alerts for a storage account, we would need to create our own initiative as you described.

Thanks again, and keep up the good work!

[arjenhuitema]

The ALZ pattern offers a baseline for monitoring your platform, presenting an opinionated view on what should be monitored in your Azure Landing Zone. It emphasizes the essential components of your Azure platform setup rather than the most common alert rules.

Yes, if you need more alerts for a storage account, you'll currently have to set up a custom configuration. However, new developments may introduce alternative options in the future. Other patterns already provide various methods for setting up alert rules for monitoring application workloads.

Thank you once more for your feedback. It seems from your last message that we have addressed your question. If not, please let me know.