From a41b05151573cd99a96b1ca04d159246c09c513e Mon Sep 17 00:00:00 2001
From: Glenn Musa <4622125+glennmusa@users.noreply.github.com>
Date: Thu, 21 Oct 2021 10:22:13 -0400
Subject: [PATCH] add diagnostics settings for firewall, public IP, and network security groups (#473)
---
 src/bicep/mlz.bicep | 131 ++-
 src/bicep/mlz.json | 832 +++++++++++++------
 src/bicep/modules/firewall.bicep | 17 +
 src/bicep/modules/hubNetwork.bicep | 91 +-
 src/bicep/modules/networkSecurityGroup.bicep | 17 +
 src/bicep/modules/publicIPAddress.bicep | 17 +
 src/bicep/modules/spokeNetwork.bicep | 71 +-
 src/bicep/modules/virtualNetwork.bicep | 9 +-
 8 files changed, 794 insertions(+), 391 deletions(-)
diff --git a/src/bicep/mlz.bicep b/src/bicep/mlz.bicep
index 3f42acded..12fe8b61a 100644
--- a/src/bicep/mlz.bicep
+++ b/src/bicep/mlz.bicep
@@ -86,6 +86,8 @@ module hub './modules/hubNetwork.bicep' = {
 networkSecurityGroupName: hubNetworkSecurityGroupName
 networkSecurityGroupRules: hubNetworkSecurityGroupRules
+ networkSecurityGroupDiagnosticsLogs: hubNetworkSecurityGroupDiagnosticsLogs
+ networkSecurityGroupDiagnosticsMetrics: hubNetworkSecurityGroupDiagnosticsMetrics
 subnetName: hubSubnetName
 subnetAddressPrefix: hubSubnetAddressPrefix
@@ -95,6 +97,8 @@ module hub './modules/hubNetwork.bicep' = {
 firewallSkuTier: firewallSkuTier
 firewallPolicyName: firewallPolicyName
 firewallThreatIntelMode: firewallThreatIntelMode
+ firewallDiagnosticsLogs: firewallDiagnosticsLogs
+ firewallDiagnosticsMetrics: firewallDiagnosticsMetrics
 firewallClientIpConfigurationName: firewallClientIpConfigurationName
 firewallClientSubnetName: firewallClientSubnetName
 firewallClientSubnetAddressPrefix: firewallClientSubnetAddressPrefix
@@ -111,6 +115,9 @@ module hub './modules/hubNetwork.bicep' = {
 firewallManagementPublicIPAddressSkuName: firewallManagementPublicIPAddressSkuName
 firewallManagementPublicIpAllocationMethod: firewallManagementPublicIpAllocationMethod
 firewallManagementPublicIPAddressAvailabilityZones: firewallManagementPublicIPAddressAvailabilityZones
+
+ publicIPAddressDiagnosticsLogs: publicIPAddressDiagnosticsLogs
+ publicIPAddressDiagnosticsMetrics: publicIPAddressDiagnosticsMetrics
 }
 }
@@ -135,6 +142,8 @@ module identity './modules/spokeNetwork.bicep' = {
 networkSecurityGroupName: identityNetworkSecurityGroupName
 networkSecurityGroupRules: identityNetworkSecurityGroupRules
+ networkSecurityGroupDiagnosticsLogs: identityNetworkSecurityGroupDiagnosticsLogs
+ networkSecurityGroupDiagnosticsMetrics: identityNetworkSecurityGroupDiagnosticsMetrics
 subnetName: identitySubnetName
 subnetAddressPrefix: identitySubnetAddressPrefix
@@ -163,6 +172,8 @@ module operations './modules/spokeNetwork.bicep' = {
 networkSecurityGroupName: operationsNetworkSecurityGroupName
 networkSecurityGroupRules: operationsNetworkSecurityGroupRules
+ networkSecurityGroupDiagnosticsLogs: operationsNetworkSecurityGroupDiagnosticsLogs
+ networkSecurityGroupDiagnosticsMetrics: operationsNetworkSecurityGroupDiagnosticsMetrics
 subnetName: operationsSubnetName
 subnetAddressPrefix: operationsSubnetAddressPrefix
@@ -191,6 +202,8 @@ module sharedServices './modules/spokeNetwork.bicep' = {
 networkSecurityGroupName: sharedServicesNetworkSecurityGroupName
 networkSecurityGroupRules: sharedServicesNetworkSecurityGroupRules
+ networkSecurityGroupDiagnosticsLogs: sharedServicesNetworkSecurityGroupDiagnosticsLogs
+ networkSecurityGroupDiagnosticsMetrics: sharedServicesNetworkSecurityGroupDiagnosticsMetrics
 subnetName: sharedServicesSubnetName
 subnetAddressPrefix: sharedServicesSubnetAddressPrefix
@@ -469,8 +482,52 @@ param hubSubnetAddressPrefix string = '10.0.100.128/27'
 param hubVirtualNetworkDiagnosticsLogs array = []
 param hubVirtualNetworkDiagnosticsMetrics array = []
 param hubNetworkSecurityGroupName string = 'hub-nsg'
-param hubNetworkSecurityGroupRules array = []
-param hubSubnetServiceEndpoints array = []
+param hubNetworkSecurityGroupRules array = [
+ {
+ name: 'allow_ssh'
+ properties: {
+ description: 'Allow SSH access from anywhere'
+ access: 'Allow'
+ priority: 100
+ protocol: 'Tcp'
+ direction: 'Inbound'
+ sourcePortRange: '*'
+ sourceAddressPrefix: '*'
+ destinationPortRange: '22'
+ destinationAddressPrefix: '*'
+ }
+ }
+ {
+ name: 'allow_rdp'
+ properties: {
+ description: 'Allow RDP access from anywhere'
+ access: 'Allow'
+ priority: 200
+ protocol: 'Tcp'
+ direction: 'Inbound'
+ sourcePortRange: '*'
+ sourceAddressPrefix: '*'
+ destinationPortRange: '3389'
+ destinationAddressPrefix: '*'
+ }
+ }
+]
+param hubNetworkSecurityGroupDiagnosticsLogs array = [
+ {
+ category: 'NetworkSecurityGroupEvent'
+ enabled: true
+ }
+ {
+ category: 'NetworkSecurityGroupRuleCounter'
+ enabled: true
+ }
+]
+param hubNetworkSecurityGroupDiagnosticsMetrics array = []
+param hubSubnetServiceEndpoints array = [
+ {
+ service: 'Microsoft.Storage'
+ }
+]
 param hubLogStorageAccountName string = toLower(take('hublogs${uniqueId}', 24))
 param hubLogStorageSkuName string = 'Standard_GRS'
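Review bot: The new default for `hubNetworkSecurityGroupRules` permits inbound TCP 22 and 3389 with `sourceAddressPrefix: '*'`, and because the spoke parameters in the following hunks (`identityNetworkSecurityGroupRules`, `operationsNetworkSecurityGroupRules`, `sharedServicesNetworkSecurityGroupRules`) now default to the same value, a deployment that overrides nothing gets management ports open from any source on every NSG. The same rules existed before as module-internal `defaultNetworkSecurityGroupRules` variables (removed from mlz.json in this commit), so the exposure is not new, but promoting them to top-level defaults makes them the baseline every consumer inherits. A safer default is `param hubNetworkSecurityGroupRules array = []` with the permissive example kept in a parameters file, or at least a restricted `sourceAddressPrefix`; if the rules stay, a comment such as `// Default rules allow SSH/RDP from any source; override sourceAddressPrefix before a non-lab deployment` above the param would make the intent explicit. The `NetworkSecurityGroupRuleCounter` category enabled in `hubNetworkSecurityGroupDiagnosticsLogs` will at least record matches on `allow_ssh`/`allow_rdp`, which is the right place to watch for unexpected hits.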
@@ -479,6 +536,26 @@ param firewallManagementSubnetAddressPrefix string = '10.0.100.64/26'
 param firewallClientSubnetAddressPrefix string = '10.0.100.0/26'
 param firewallPolicyName string = 'firewall-policy'
 param firewallThreatIntelMode string = 'Alert'
+param firewallDiagnosticsLogs array = [
+ {
+ category: 'AzureFirewallApplicationRule'
+ enabled: true
+ }
+ {
+ category: 'AzureFirewallNetworkRule'
+ enabled: true
+ }
+ {
+ category: 'AzureFirewallDnsProxy'
+ enabled: true
+ }
+]
+param firewallDiagnosticsMetrics array = [
+ {
+ category: 'AllMetrics'
+ enabled: true
+ }
+]
 var firewallClientSubnetName = 'AzureFirewallSubnet' //this must be 'AzureFirewallSubnet'
 param firewallClientIpConfigurationName string = 'firewall-client-ip-config'
 param firewallClientSubnetServiceEndpoints array = []
@@ -493,6 +570,26 @@ param firewallManagementPublicIPAddressName string = 'firewall-management-public
 param firewallManagementPublicIPAddressSkuName string = 'Standard'
 param firewallManagementPublicIpAllocationMethod string = 'Static'
 param firewallManagementPublicIPAddressAvailabilityZones array = []
+param publicIPAddressDiagnosticsLogs array = [
+ {
+ category: 'DDoSProtectionNotifications'
+ enabled: true
+ }
+ {
+ category: 'DDoSMitigationFlowLogs'
+ enabled: true
+ }
+ {
+ category: 'DDoSMitigationReports'
+ enabled: true
+ }
+]
+param publicIPAddressDiagnosticsMetrics array = [
+ {
+ category: 'AllMetrics'
+ enabled: true
+ }
+]
 param identityResourceGroupName string = replace(hubResourceGroupName, 'hub', 'identity')
 param identityLocation string = hubLocation
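Review bot: The `publicIPAddressDiagnosticsLogs` default enables the three `DDoS*` categories, which to my knowledge only carry data when a DDoS Protection Standard plan covers the virtual network; on the basic tier the diagnostic setting deploys but stays empty, so operators may assume DDoS telemetry is flowing when it is not. A comment on the param, e.g. `// DDoS* categories only emit when DDoS Protection Standard is enabled on the VNet`, would set that expectation. None of the new `firewallDiagnosticsLogs`, `firewallDiagnosticsMetrics`, `publicIPAddressDiagnosticsLogs` or `publicIPAddressDiagnosticsMetrics` params carry an `@description()` decorator; if the file uses them elsewhere, adding one per param also surfaces in the generated mlz.json parameter metadata.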
@@ -500,11 +597,13 @@ param identityVirtualNetworkName string = replace(hubVirtualNetworkName, 'hub',
 param identitySubnetName string = replace(hubSubnetName, 'hub', 'identity')
 param identityVirtualNetworkAddressPrefix string = '10.0.110.0/26'
 param identitySubnetAddressPrefix string = '10.0.110.0/27'
-param identityVirtualNetworkDiagnosticsLogs array = []
-param identityVirtualNetworkDiagnosticsMetrics array = []
+param identityVirtualNetworkDiagnosticsLogs array = hubVirtualNetworkDiagnosticsLogs
+param identityVirtualNetworkDiagnosticsMetrics array = hubVirtualNetworkDiagnosticsMetrics
 param identityNetworkSecurityGroupName string = replace(hubNetworkSecurityGroupName, 'hub', 'identity')
-param identityNetworkSecurityGroupRules array = []
-param identitySubnetServiceEndpoints array = []
+param identityNetworkSecurityGroupRules array = hubNetworkSecurityGroupRules
+param identityNetworkSecurityGroupDiagnosticsLogs array = hubNetworkSecurityGroupDiagnosticsLogs
+param identityNetworkSecurityGroupDiagnosticsMetrics array = hubNetworkSecurityGroupDiagnosticsMetrics
+param identitySubnetServiceEndpoints array = hubSubnetServiceEndpoints
 param identityLogStorageAccountName string = toLower(take('idlogs${uniqueId}', 24))
 param identityLogStorageSkuName string = hubLogStorageSkuName
@@ -512,13 +611,15 @@ param operationsResourceGroupName string = replace(hubResourceGroupName, 'hub',
 param operationsLocation string = hubLocation
 param operationsVirtualNetworkName string = replace(hubVirtualNetworkName, 'hub', 'operations')
 param operationsVirtualNetworkAddressPrefix string = '10.0.115.0/26'
-param operationsVirtualNetworkDiagnosticsLogs array = []
-param operationsVirtualNetworkDiagnosticsMetrics array = []
+param operationsVirtualNetworkDiagnosticsLogs array = hubVirtualNetworkDiagnosticsLogs
+param operationsVirtualNetworkDiagnosticsMetrics array = hubVirtualNetworkDiagnosticsMetrics
 param operationsNetworkSecurityGroupName string = replace(hubNetworkSecurityGroupName, 'hub', 'operations')
-param operationsNetworkSecurityGroupRules array = []
+param operationsNetworkSecurityGroupRules array = hubNetworkSecurityGroupRules
+param operationsNetworkSecurityGroupDiagnosticsLogs array = hubNetworkSecurityGroupDiagnosticsLogs
+param operationsNetworkSecurityGroupDiagnosticsMetrics array = hubNetworkSecurityGroupDiagnosticsMetrics
 param operationsSubnetName string = replace(hubSubnetName, 'hub', 'operations')
 param operationsSubnetAddressPrefix string = '10.0.115.0/27'
-param operationsSubnetServiceEndpoints array = []
+param operationsSubnetServiceEndpoints array = hubSubnetServiceEndpoints
 param operationsLogStorageAccountName string = toLower(take('opslogs${uniqueId}', 24))
 param operationsLogStorageSkuName string = hubLogStorageSkuName
@@ -528,11 +629,13 @@ param sharedServicesVirtualNetworkName string = replace(hubVirtualNetworkName, '
 param sharedServicesSubnetName string = replace(hubSubnetName, 'hub', 'sharedServices')
 param sharedServicesVirtualNetworkAddressPrefix string = '10.0.120.0/26'
 param sharedServicesSubnetAddressPrefix string = '10.0.120.0/27'
-param sharedServicesVirtualNetworkDiagnosticsLogs array = []
-param sharedServicesVirtualNetworkDiagnosticsMetrics array = []
+param sharedServicesVirtualNetworkDiagnosticsLogs array = hubVirtualNetworkDiagnosticsLogs
+param sharedServicesVirtualNetworkDiagnosticsMetrics array = hubVirtualNetworkDiagnosticsMetrics
 param sharedServicesNetworkSecurityGroupName string = replace(hubNetworkSecurityGroupName, 'hub', 'sharedServices')
-param sharedServicesNetworkSecurityGroupRules array = []
-param sharedServicesSubnetServiceEndpoints array = []
+param sharedServicesNetworkSecurityGroupRules array = hubNetworkSecurityGroupRules
+param sharedServicesNetworkSecurityGroupDiagnosticsLogs array = hubNetworkSecurityGroupDiagnosticsLogs
+param sharedServicesNetworkSecurityGroupDiagnosticsMetrics array = hubNetworkSecurityGroupDiagnosticsMetrics
+param sharedServicesSubnetServiceEndpoints array = hubSubnetServiceEndpoints
 param sharedServicesLogStorageAccountName string = toLower(take('shrdSvclogs${uniqueId}', 24))
 param sharedServicesLogStorageSkuName string = hubLogStorageSkuName
diff --git a/src/bicep/mlz.json b/src/bicep/mlz.json
index a9da81205..95b092745 100644
--- a/src/bicep/mlz.json
+++ b/src/bicep/mlz.json
@@ -5,7 +5,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.4.1008.15138",
- "templateHash": "1945358306611262395"
+ "templateHash": "4139258334243862843"
 }
 },
 "parameters": {
@@ -79,12 +79,62 @@ "defaultValue": "hub-nsg" }, "hubNetworkSecurityGroupRules": { + "type": "array", + "defaultValue": [ + { + "name": "allow_ssh", + "properties": { + "description": "Allow SSH access from anywhere", + "access": "Allow", + "priority": 100, + "protocol": "Tcp", + "direction": "Inbound", + "sourcePortRange": "*", + "sourceAddressPrefix": "*", + "destinationPortRange": "22", + "destinationAddressPrefix": "*" + } + }, + { + "name": "allow_rdp", + "properties": { + "description": "Allow RDP access from anywhere", + "access": "Allow", + "priority": 200, + "protocol": "Tcp", + "direction": "Inbound", + "sourcePortRange": "*", + "sourceAddressPrefix": "*", + "destinationPortRange": "3389", + "destinationAddressPrefix": "*" + } + } + ] + }, + "hubNetworkSecurityGroupDiagnosticsLogs": { + "type": "array", + "defaultValue": [ + { + "category": "NetworkSecurityGroupEvent", + "enabled": true + }, + { + "category": "NetworkSecurityGroupRuleCounter", + "enabled": true + } + ] + }, + "hubNetworkSecurityGroupDiagnosticsMetrics": { "type": "array", "defaultValue": [] }, "hubSubnetServiceEndpoints": { "type": "array", - "defaultValue": [] + "defaultValue": [ + { + "service": "Microsoft.Storage" + } + ] }, "hubLogStorageAccountName": { "type": "string", @@ -114,6 +164,32 @@ "type": "string", "defaultValue": "Alert" }, + "firewallDiagnosticsLogs": { + "type": "array", + "defaultValue": [ + { + "category": "AzureFirewallApplicationRule", + "enabled": true + }, + { + "category": "AzureFirewallNetworkRule", + "enabled": true + }, + { + "category": "AzureFirewallDnsProxy", + "enabled": true + } + ] + }, + "firewallDiagnosticsMetrics": { + "type": "array", + "defaultValue": [ + { + "category": "AllMetrics", + "enabled": true + } + ] + }, "firewallClientIpConfigurationName": { "type": "string", "defaultValue": "firewall-client-ip-config" 
@@ -162,6 +238,32 @@ "type": "array", "defaultValue": [] }, + "publicIPAddressDiagnosticsLogs": { + "type": "array", + "defaultValue": [ + { + "category": "DDoSProtectionNotifications", + "enabled": true + }, + { + "category": "DDoSMitigationFlowLogs", + "enabled": true + }, + { + "category": "DDoSMitigationReports", + "enabled": true + } + ] + }, + "publicIPAddressDiagnosticsMetrics": { + "type": "array", + "defaultValue": [ + { + "category": "AllMetrics", + "enabled": true + } + ] + }, "identityResourceGroupName": { "type": "string", "defaultValue": "[replace(parameters('hubResourceGroupName'), 'hub', 'identity')]" @@ -188,11 +290,11 @@ }, "identityVirtualNetworkDiagnosticsLogs": { "type": "array", - "defaultValue": [] + "defaultValue": "[parameters('hubVirtualNetworkDiagnosticsLogs')]" }, "identityVirtualNetworkDiagnosticsMetrics": { "type": "array", - "defaultValue": [] + "defaultValue": "[parameters('hubVirtualNetworkDiagnosticsMetrics')]" }, "identityNetworkSecurityGroupName": { "type": "string", @@ -200,11 +302,19 @@ }, "identityNetworkSecurityGroupRules": { "type": "array", - "defaultValue": [] + "defaultValue": "[parameters('hubNetworkSecurityGroupRules')]" + }, + "identityNetworkSecurityGroupDiagnosticsLogs": { + "type": "array", + "defaultValue": "[parameters('hubNetworkSecurityGroupDiagnosticsLogs')]" + }, + "identityNetworkSecurityGroupDiagnosticsMetrics": { + "type": "array", + "defaultValue": "[parameters('hubNetworkSecurityGroupDiagnosticsMetrics')]" }, "identitySubnetServiceEndpoints": { "type": "array", - "defaultValue": [] + "defaultValue": "[parameters('hubSubnetServiceEndpoints')]" }, "identityLogStorageAccountName": { "type": "string", 
@@ -232,11 +342,11 @@ }, "operationsVirtualNetworkDiagnosticsLogs": { "type": "array", - "defaultValue": [] + "defaultValue": "[parameters('hubVirtualNetworkDiagnosticsLogs')]" }, "operationsVirtualNetworkDiagnosticsMetrics": { "type": "array", - "defaultValue": [] + "defaultValue": "[parameters('hubVirtualNetworkDiagnosticsMetrics')]" }, "operationsNetworkSecurityGroupName": { "type": "string", @@ -244,7 +354,15 @@ }, "operationsNetworkSecurityGroupRules": { "type": "array", - "defaultValue": [] + "defaultValue": "[parameters('hubNetworkSecurityGroupRules')]" + }, + "operationsNetworkSecurityGroupDiagnosticsLogs": { + "type": "array", + "defaultValue": "[parameters('hubNetworkSecurityGroupDiagnosticsLogs')]" + }, + "operationsNetworkSecurityGroupDiagnosticsMetrics": { + "type": "array", + "defaultValue": "[parameters('hubNetworkSecurityGroupDiagnosticsMetrics')]" }, "operationsSubnetName": { "type": "string", @@ -256,7 +374,7 @@ }, "operationsSubnetServiceEndpoints": { "type": "array", - "defaultValue": [] + "defaultValue": "[parameters('hubSubnetServiceEndpoints')]" }, "operationsLogStorageAccountName": { "type": "string", @@ -292,11 +410,11 @@ }, "sharedServicesVirtualNetworkDiagnosticsLogs": { "type": "array", - "defaultValue": [] + "defaultValue": "[parameters('hubVirtualNetworkDiagnosticsLogs')]" }, "sharedServicesVirtualNetworkDiagnosticsMetrics": { "type": "array", - "defaultValue": [] + "defaultValue": "[parameters('hubVirtualNetworkDiagnosticsMetrics')]" }, "sharedServicesNetworkSecurityGroupName": { "type": "string", 
@@ -304,11 +422,19 @@ }, "sharedServicesNetworkSecurityGroupRules": { "type": "array", - "defaultValue": [] + "defaultValue": "[parameters('hubNetworkSecurityGroupRules')]" + }, + "sharedServicesNetworkSecurityGroupDiagnosticsLogs": { + "type": "array", + "defaultValue": "[parameters('hubNetworkSecurityGroupDiagnosticsLogs')]" + }, + "sharedServicesNetworkSecurityGroupDiagnosticsMetrics": { + "type": "array", + "defaultValue": "[parameters('hubNetworkSecurityGroupDiagnosticsMetrics')]" }, "sharedServicesSubnetServiceEndpoints": { "type": "array", - "defaultValue": [] + "defaultValue": "[parameters('hubSubnetServiceEndpoints')]" }, "sharedServicesLogStorageAccountName": { "type": "string", @@ -1055,6 +1181,12 @@ "networkSecurityGroupRules": { "value": "[parameters('hubNetworkSecurityGroupRules')]" }, + "networkSecurityGroupDiagnosticsLogs": { + "value": "[parameters('hubNetworkSecurityGroupDiagnosticsLogs')]" + }, + "networkSecurityGroupDiagnosticsMetrics": { + "value": "[parameters('hubNetworkSecurityGroupDiagnosticsMetrics')]" + }, "subnetName": { "value": "[parameters('hubSubnetName')]" }, @@ -1076,6 +1208,12 @@ "firewallThreatIntelMode": { "value": "[parameters('firewallThreatIntelMode')]" }, + "firewallDiagnosticsLogs": { + "value": "[parameters('firewallDiagnosticsLogs')]" + }, + "firewallDiagnosticsMetrics": { + "value": "[parameters('firewallDiagnosticsMetrics')]" + }, "firewallClientIpConfigurationName": { "value": "[parameters('firewallClientIpConfigurationName')]" }, @@ -1123,6 +1261,12 @@ }, "firewallManagementPublicIPAddressAvailabilityZones": { "value": "[parameters('firewallManagementPublicIPAddressAvailabilityZones')]" + }, + "publicIPAddressDiagnosticsLogs": { + "value": "[parameters('publicIPAddressDiagnosticsLogs')]" + }, + "publicIPAddressDiagnosticsMetrics": { + "value": "[parameters('publicIPAddressDiagnosticsMetrics')]" } }, "template": { 
@@ -1132,7 +1276,7 @@ "_generator": { "name": "bicep", "version": "0.4.1008.15138", - "templateHash": "1009610201033923691" + "templateHash": "5930925695818856846" } }, "parameters": { @@ -1174,6 +1318,12 @@ "networkSecurityGroupRules": { "type": "array" }, + "networkSecurityGroupDiagnosticsLogs": { + "type": "array" + }, + "networkSecurityGroupDiagnosticsMetrics": { + "type": "array" + }, "subnetName": { "type": "string" }, @@ -1211,6 +1361,12 @@ "firewallThreatIntelMode": { "type": "string" }, + "firewallDiagnosticsLogs": { + "type": "array" + }, + "firewallDiagnosticsMetrics": { + "type": "array" + }, "firewallClientIpConfigurationName": { "type": "string" }, @@ -1258,53 +1414,15 @@ }, "firewallManagementPublicIPAddressAvailabilityZones": { "type": "array" + }, + "publicIPAddressDiagnosticsLogs": { + "type": "array" + }, + "publicIPAddressDiagnosticsMetrics": { + "type": "array" } }, "functions": [], - "variables": { - "defaultVirtualNewtorkDiagnosticsLogs": [], - "defaultVirtualNetworkDiagnosticsMetrics": [ - { - "category": "AllMetrics", - "enabled": true - } - ], - "defaultSubnetServiceEndpoints": [ - { - "service": "Microsoft.Storage" - } - ], - "defaultNetworkSecurityGroupRules": [ - { - "name": "allow_ssh", - "properties": { - "description": "Allow SSH access from anywhere", - "access": "Allow", - "priority": 100, - "protocol": "Tcp", - "direction": "Inbound", - "sourcePortRange": "*", - "sourceAddressPrefix": "*", - "destinationPortRange": "22", - "destinationAddressPrefix": "*" - } - }, - { - "name": "allow_rdp", - "properties": { - "description": "Allow RDP access from anywhere", - "access": "Allow", - "priority": 200, - "protocol": "Tcp", - "direction": "Inbound", - "sourcePortRange": "*", - "sourceAddressPrefix": "*", - "destinationPortRange": "3389", - "destinationAddressPrefix": "*" - } - } - ] - }, "resources": [ { "type": "Microsoft.Network/virtualNetworks/subnets", 
@@ -1318,7 +1436,7 @@ "routeTable": { "id": "[reference(resourceId('Microsoft.Resources/deployments', 'routeTable'), '2020-06-01').outputs.id.value]" }, - "serviceEndpoints": "[if(empty(parameters('subnetServiceEndpoints')), variables('defaultSubnetServiceEndpoints'), parameters('subnetServiceEndpoints'))]", + "serviceEndpoints": "[parameters('subnetServiceEndpoints')]", "privateEndpointNetworkPolicies": "Disabled", "privateLinkServiceNetworkPolicies": "Enabled" }, @@ -1420,7 +1538,19 @@ "value": "[parameters('tags')]" }, "securityRules": { - "value": "[if(empty(parameters('networkSecurityGroupRules')), variables('defaultNetworkSecurityGroupRules'), parameters('networkSecurityGroupRules'))]" + "value": "[parameters('networkSecurityGroupRules')]" + }, + "logAnalyticsWorkspaceResourceId": { + "value": "[parameters('logAnalyticsWorkspaceResourceId')]" + }, + "logStorageAccountResourceId": { + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'logStorage'), '2020-06-01').outputs.id.value]" + }, + "logs": { + "value": "[parameters('networkSecurityGroupDiagnosticsLogs')]" + }, + "metrics": { + "value": "[parameters('networkSecurityGroupDiagnosticsMetrics')]" } }, "template": { @@ -1430,7 +1560,7 @@ "_generator": { "name": "bicep", "version": "0.4.1008.15138", - "templateHash": "9304664949671097450" + "templateHash": "4497555273030729522" } }, "parameters": { @@ -1446,6 +1576,18 @@ }, "securityRules": { "type": "array" + }, + "logStorageAccountResourceId": { + "type": "string" + }, + "logAnalyticsWorkspaceResourceId": { + "type": "string" + }, + "logs": { + "type": "array" + }, + "metrics": { + "type": "array" } }, "functions": [], 
@@ -1459,6 +1601,21 @@ "properties": { "securityRules": "[parameters('securityRules')]" } + }, + { + "type": "Microsoft.Insights/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "scope": "[format('Microsoft.Network/networkSecurityGroups/{0}', parameters('name'))]", + "name": "[format('{0}-diagnostics', parameters('name'))]", + "properties": { + "storageAccountId": "[parameters('logStorageAccountResourceId')]", + "workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]", + "logs": "[parameters('logs')]", + "metrics": "[parameters('metrics')]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('name'))]" + ] } ], "outputs": { @@ -1472,7 +1629,10 @@ } } } - } + }, + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', 'logStorage')]" + ] }, { "type": "Microsoft.Resources/deployments", @@ -1496,12 +1656,6 @@ "addressPrefix": { "value": "[parameters('virtualNetworkAddressPrefix')]" }, - "diagnosticsLogs": { - "value": "[if(empty(parameters('virtualNetworkDiagnosticsLogs')), variables('defaultVirtualNewtorkDiagnosticsLogs'), parameters('virtualNetworkDiagnosticsLogs'))]" - }, - "diagnosticsMetrics": { - "value": "[if(empty(parameters('virtualNetworkDiagnosticsMetrics')), variables('defaultVirtualNetworkDiagnosticsMetrics'), parameters('virtualNetworkDiagnosticsMetrics'))]" - }, "subnets": { "value": [ { @@ -1525,6 +1679,12 @@ }, "logStorageAccountResourceId": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'logStorage'), '2020-06-01').outputs.id.value]" + }, + "logs": { + "value": "[parameters('virtualNetworkDiagnosticsLogs')]" + }, + "metrics": { + "value": "[parameters('virtualNetworkDiagnosticsMetrics')]" } }, "template": { @@ -1534,7 +1694,7 @@ "_generator": { "name": "bicep", "version": "0.4.1008.15138", - "templateHash": "14686239955820792027" + "templateHash": "12119421388421560495" } }, "parameters": { 
@@ -1560,10 +1720,10 @@ "subnets": { "type": "array" }, - "diagnosticsMetrics": { + "logs": { "type": "array" }, - "diagnosticsLogs": { + "metrics": { "type": "array" } }, @@ -1592,8 +1752,8 @@ "properties": { "storageAccountId": "[parameters('logStorageAccountResourceId')]", "workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]", - "metrics": "[parameters('diagnosticsMetrics')]", - "logs": "[parameters('diagnosticsLogs')]" + "logs": "[parameters('logs')]", + "metrics": "[parameters('metrics')]" }, "dependsOn": [ "[resourceId('Microsoft.Network/virtualNetworks', parameters('name'))]" @@ -1751,6 +1911,18 @@ }, "availabilityZones": { "value": "[parameters('firewallClientPublicIPAddressAvailabilityZones')]" + }, + "logAnalyticsWorkspaceResourceId": { + "value": "[parameters('logAnalyticsWorkspaceResourceId')]" + }, + "logStorageAccountResourceId": { + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'logStorage'), '2020-06-01').outputs.id.value]" + }, + "logs": { + "value": "[parameters('publicIPAddressDiagnosticsLogs')]" + }, + "metrics": { + "value": "[parameters('publicIPAddressDiagnosticsMetrics')]" } }, "template": { @@ -1760,7 +1932,7 @@ "_generator": { "name": "bicep", "version": "0.4.1008.15138", - "templateHash": "9471207349099328587" + "templateHash": "9624598078084769254" } }, "parameters": { @@ -1782,6 +1954,18 @@ }, "availabilityZones": { "type": "array" + }, + "logStorageAccountResourceId": { + "type": "string" + }, + "logAnalyticsWorkspaceResourceId": { + "type": "string" + }, + "logs": { + "type": "array" + }, + "metrics": { + "type": "array" } }, "functions": [], 
@@ -1799,6 +1983,21 @@ "publicIPAllocationMethod": "[parameters('publicIpAllocationMethod')]" }, "zones": "[parameters('availabilityZones')]" + }, + { + "type": "Microsoft.Insights/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "scope": "[format('Microsoft.Network/publicIPAddresses/{0}', parameters('name'))]", + "name": "[format('{0}-diagnostics', parameters('name'))]", + "properties": { + "storageAccountId": "[parameters('logStorageAccountResourceId')]", + "workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]", + "logs": "[parameters('logs')]", + "metrics": "[parameters('metrics')]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/publicIPAddresses', parameters('name'))]" + ] } ], "outputs": { @@ -1808,7 +2007,10 @@ } } } - } + }, + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', 'logStorage')]" + ] }, { "type": "Microsoft.Resources/deployments", @@ -1837,6 +2039,18 @@ }, "availabilityZones": { "value": "[parameters('firewallManagementPublicIPAddressAvailabilityZones')]" + }, + "logAnalyticsWorkspaceResourceId": { + "value": "[parameters('logAnalyticsWorkspaceResourceId')]" + }, + "logStorageAccountResourceId": { + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'logStorage'), '2020-06-01').outputs.id.value]" + }, + "logs": { + "value": "[parameters('publicIPAddressDiagnosticsLogs')]" + }, + "metrics": { + "value": "[parameters('publicIPAddressDiagnosticsMetrics')]" } }, "template": { @@ -1846,7 +2060,7 @@ "_generator": { "name": "bicep", "version": "0.4.1008.15138", - "templateHash": "9471207349099328587" + "templateHash": "9624598078084769254" } }, "parameters": { @@ -1868,6 +2082,18 @@ }, "availabilityZones": { "type": "array" + }, + "logStorageAccountResourceId": { + "type": "string" + }, + "logAnalyticsWorkspaceResourceId": { + "type": "string" + }, + "logs": { + "type": "array" + }, + "metrics": { + "type": "array" } }, "functions": [], 
@@ -1885,6 +2111,21 @@ "publicIPAllocationMethod": "[parameters('publicIpAllocationMethod')]" }, "zones": "[parameters('availabilityZones')]" + }, + { + "type": "Microsoft.Insights/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "scope": "[format('Microsoft.Network/publicIPAddresses/{0}', parameters('name'))]", + "name": "[format('{0}-diagnostics', parameters('name'))]", + "properties": { + "storageAccountId": "[parameters('logStorageAccountResourceId')]", + "workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]", + "logs": "[parameters('logs')]", + "metrics": "[parameters('metrics')]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/publicIPAddresses', parameters('name'))]" + ] } ], "outputs": { @@ -1894,7 +2135,10 @@ } } } - } + }, + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', 'logStorage')]" + ] }, { "type": "Microsoft.Resources/deployments", @@ -1941,6 +2185,18 @@ }, "managementIpConfigurationPublicIPAddressResourceId": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'firewallManagementPublicIPAddress'), '2020-06-01').outputs.id.value]" + }, + "logAnalyticsWorkspaceResourceId": { + "value": "[parameters('logAnalyticsWorkspaceResourceId')]" + }, + "logStorageAccountResourceId": { + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'logStorage'), '2020-06-01').outputs.id.value]" + }, + "logs": { + "value": "[parameters('firewallDiagnosticsLogs')]" + }, + "metrics": { + "value": "[parameters('firewallDiagnosticsMetrics')]" } }, "template": { @@ -1950,7 +2206,7 @@ "_generator": { "name": "bicep", "version": "0.4.1008.15138", - "templateHash": "8821707208863806383" + "templateHash": "16515753424142002553" } }, "parameters": { 
@@ -1991,6 +2247,18 @@ }, "firewallPolicyName": { "type": "string" + }, + "logStorageAccountResourceId": { + "type": "string" + }, + "logAnalyticsWorkspaceResourceId": { + "type": "string" + }, + "logs": { + "type": "array" + }, + "metrics": { + "type": "array" } }, "functions": [], @@ -2140,6 +2408,21 @@ "[resourceId('Microsoft.Network/firewallPolicies/ruleCollectionGroups', split(format('{0}/DefaultNetworkRuleCollectionGroup', parameters('firewallPolicyName')), '/')[0], split(format('{0}/DefaultNetworkRuleCollectionGroup', parameters('firewallPolicyName')), '/')[1])]", "[resourceId('Microsoft.Network/firewallPolicies', parameters('firewallPolicyName'))]" ] + }, + { + "type": "Microsoft.Insights/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "scope": "[format('Microsoft.Network/azureFirewalls/{0}', parameters('name'))]", + "name": "[format('{0}-diagnostics', parameters('name'))]", + "properties": { + "storageAccountId": "[parameters('logStorageAccountResourceId')]", + "workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]", + "logs": "[parameters('logs')]", + "metrics": "[parameters('metrics')]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/azureFirewalls', parameters('name'))]" + ] } ], "outputs": { @@ -2153,6 +2436,7 @@ "dependsOn": [ "[resourceId('Microsoft.Resources/deployments', 'firewallClientPublicIPAddress')]", "[resourceId('Microsoft.Resources/deployments', 'firewallManagementPublicIPAddress')]", + "[resourceId('Microsoft.Resources/deployments', 'logStorage')]", "[resourceId('Microsoft.Resources/deployments', 'virtualNetwork')]" ] }, 
@@ -2556,6 +2840,12 @@ "networkSecurityGroupRules": { "value": "[parameters('identityNetworkSecurityGroupRules')]" }, + "networkSecurityGroupDiagnosticsLogs": { + "value": "[parameters('identityNetworkSecurityGroupDiagnosticsLogs')]" + }, + "networkSecurityGroupDiagnosticsMetrics": { + "value": "[parameters('identityNetworkSecurityGroupDiagnosticsMetrics')]" + }, "subnetName": { "value": "[parameters('identitySubnetName')]" }, @@ -2573,7 +2863,7 @@ "_generator": { "name": "bicep", "version": "0.4.1008.15138", - "templateHash": "13423908076245323056" + "templateHash": "17180259987553481892" } }, "parameters": { @@ -2615,6 +2905,12 @@ "networkSecurityGroupRules": { "type": "array" }, + "networkSecurityGroupDiagnosticsLogs": { + "type": "array" + }, + "networkSecurityGroupDiagnosticsMetrics": { + "type": "array" + }, "subnetName": { "type": "string" }, @@ -2646,50 +2942,6 @@ } }, "functions": [], - "variables": { - "defaultVirtualNetworkDiagnosticsLogs": [], - "defaultVirtualNetworkDiagnosticsMetrics": [ - { - "category": "AllMetrics", - "enabled": true - } - ], - "defaultSubnetServiceEndpoints": [ - { - "service": "Microsoft.Storage" - } - ], - "defaultNetworkSecurityGroupRules": [ - { - "name": "allow_ssh", - "properties": { - "description": "Allow SSH access from anywhere", - "access": "Allow", - "priority": 100, - "protocol": "Tcp", - "direction": "Inbound", - "sourcePortRange": "*", - "sourceAddressPrefix": "*", - "destinationPortRange": "22", - "destinationAddressPrefix": "*" - } - }, - { - "name": "allow_rdp", - "properties": { - "description": "Allow RDP access from anywhere", - "access": "Allow", - "priority": 200, - "protocol": "Tcp", - "direction": "Inbound", - "sourcePortRange": "*", - "sourceAddressPrefix": "*", - "destinationPortRange": "3389", - "destinationAddressPrefix": "*" - } - } - ] - }, "resources": [ { "type": "Microsoft.Resources/deployments", 
@@ -2782,7 +3034,19 @@ "value": "[parameters('tags')]" }, "securityRules": { - "value": "[if(empty(parameters('networkSecurityGroupRules')), variables('defaultNetworkSecurityGroupRules'), parameters('networkSecurityGroupRules'))]" + "value": "[parameters('networkSecurityGroupRules')]" + }, + "logAnalyticsWorkspaceResourceId": { + "value": "[parameters('logAnalyticsWorkspaceResourceId')]" + }, + "logStorageAccountResourceId": { + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'logStorage'), '2020-06-01').outputs.id.value]" + }, + "logs": { + "value": "[parameters('networkSecurityGroupDiagnosticsLogs')]" + }, + "metrics": { + "value": "[parameters('networkSecurityGroupDiagnosticsMetrics')]" } }, "template": { @@ -2792,7 +3056,7 @@ "_generator": { "name": "bicep", "version": "0.4.1008.15138", - "templateHash": "9304664949671097450" + "templateHash": "4497555273030729522" } }, "parameters": { @@ -2808,6 +3072,18 @@ }, "securityRules": { "type": "array" + }, + "logStorageAccountResourceId": { + "type": "string" + }, + "logAnalyticsWorkspaceResourceId": { + "type": "string" + }, + "logs": { + "type": "array" + }, + "metrics": { + "type": "array" } }, "functions": [], @@ -2821,6 +3097,21 @@ "properties": { "securityRules": "[parameters('securityRules')]" } + }, + { + "type": "Microsoft.Insights/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "scope": "[format('Microsoft.Network/networkSecurityGroups/{0}', parameters('name'))]", + "name": "[format('{0}-diagnostics', parameters('name'))]", + "properties": { + "storageAccountId": "[parameters('logStorageAccountResourceId')]", + "workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]", + "logs": "[parameters('logs')]", + "metrics": "[parameters('metrics')]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('name'))]" + ] } ], "outputs": { 
@@ -2834,7 +3125,10 @@ } } } - } + }, + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', 'logStorage')]" + ] }, { "type": "Microsoft.Resources/deployments", @@ -2959,12 +3253,6 @@ "addressPrefix": { "value": "[parameters('virtualNetworkAddressPrefix')]" }, - "diagnosticsLogs": { - "value": "[if(empty(parameters('virtualNetworkDiagnosticsLogs')), variables('defaultVirtualNetworkDiagnosticsLogs'), parameters('virtualNetworkDiagnosticsLogs'))]" - }, - "diagnosticsMetrics": { - "value": "[if(empty(parameters('virtualNetworkDiagnosticsMetrics')), variables('defaultVirtualNetworkDiagnosticsMetrics'), parameters('virtualNetworkDiagnosticsMetrics'))]" - }, "subnets": { "value": [ { @@ -2977,7 +3265,7 @@ "routeTable": { "id": "[reference(resourceId('Microsoft.Resources/deployments', 'routeTable'), '2020-06-01').outputs.id.value]" }, - "serviceEndpoints": "[if(empty(parameters('subnetServiceEndpoints')), variables('defaultSubnetServiceEndpoints'), parameters('subnetServiceEndpoints'))]" + "serviceEndpoints": "[parameters('subnetServiceEndpoints')]" } } ] @@ -2987,6 +3275,12 @@ }, "logStorageAccountResourceId": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'logStorage'), '2020-06-01').outputs.id.value]" + }, + "logs": { + "value": "[parameters('virtualNetworkDiagnosticsLogs')]" + }, + "metrics": { + "value": "[parameters('virtualNetworkDiagnosticsMetrics')]" } }, "template": { @@ -2996,7 +3290,7 @@ "_generator": { "name": "bicep", "version": "0.4.1008.15138", - "templateHash": "14686239955820792027" + "templateHash": "12119421388421560495" } }, "parameters": { @@ -3022,10 +3316,10 @@ "subnets": { "type": "array" }, - "diagnosticsMetrics": { + "logs": { "type": "array" }, - "diagnosticsLogs": { + "metrics": { "type": "array" } }, 
@@ -3054,8 +3348,8 @@ "properties": { "storageAccountId": "[parameters('logStorageAccountResourceId')]", "workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]", - "metrics": "[parameters('diagnosticsMetrics')]", - "logs": "[parameters('diagnosticsLogs')]" + "logs": "[parameters('logs')]", + "metrics": "[parameters('metrics')]" }, "dependsOn": [ "[resourceId('Microsoft.Network/virtualNetworks', parameters('name'))]" @@ -3170,6 +3464,12 @@ "networkSecurityGroupRules": { "value": "[parameters('operationsNetworkSecurityGroupRules')]" }, + "networkSecurityGroupDiagnosticsLogs": { + "value": "[parameters('operationsNetworkSecurityGroupDiagnosticsLogs')]" + }, + "networkSecurityGroupDiagnosticsMetrics": { + "value": "[parameters('operationsNetworkSecurityGroupDiagnosticsMetrics')]" + }, "subnetName": { "value": "[parameters('operationsSubnetName')]" }, @@ -3187,7 +3487,7 @@ "_generator": { "name": "bicep", "version": "0.4.1008.15138", - "templateHash": "13423908076245323056" + "templateHash": "17180259987553481892" } }, "parameters": { @@ -3229,6 +3529,12 @@ "networkSecurityGroupRules": { "type": "array" }, + "networkSecurityGroupDiagnosticsLogs": { + "type": "array" + }, + "networkSecurityGroupDiagnosticsMetrics": { + "type": "array" + }, "subnetName": { "type": "string" }, 
@@ -3260,50 +3566,6 @@ } }, "functions": [], - "variables": { - "defaultVirtualNetworkDiagnosticsLogs": [], - "defaultVirtualNetworkDiagnosticsMetrics": [ - { - "category": "AllMetrics", - "enabled": true - } - ], - "defaultSubnetServiceEndpoints": [ - { - "service": "Microsoft.Storage" - } - ], - "defaultNetworkSecurityGroupRules": [ - { - "name": "allow_ssh", - "properties": { - "description": "Allow SSH access from anywhere", - "access": "Allow", - "priority": 100, - "protocol": "Tcp", - "direction": "Inbound", - "sourcePortRange": "*", - "sourceAddressPrefix": "*", - "destinationPortRange": "22", - "destinationAddressPrefix": "*" - } - }, - { - "name": "allow_rdp", - "properties": { - "description": "Allow RDP access from anywhere", - "access": "Allow", - "priority": 200, - "protocol": "Tcp", - "direction": "Inbound", - "sourcePortRange": "*", - "sourceAddressPrefix": "*", - "destinationPortRange": "3389", - "destinationAddressPrefix": "*" - } - } - ] - }, "resources": [ { "type": "Microsoft.Resources/deployments", @@ -3396,7 +3658,19 @@ "value": "[parameters('tags')]" }, "securityRules": { - "value": "[if(empty(parameters('networkSecurityGroupRules')), variables('defaultNetworkSecurityGroupRules'), parameters('networkSecurityGroupRules'))]" + "value": "[parameters('networkSecurityGroupRules')]" + }, + "logAnalyticsWorkspaceResourceId": { + "value": "[parameters('logAnalyticsWorkspaceResourceId')]" + }, + "logStorageAccountResourceId": { + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'logStorage'), '2020-06-01').outputs.id.value]" + }, + "logs": { + "value": "[parameters('networkSecurityGroupDiagnosticsLogs')]" + }, + "metrics": { + "value": "[parameters('networkSecurityGroupDiagnosticsMetrics')]" } }, "template": { @@ -3406,7 +3680,7 @@ "_generator": { "name": "bicep", "version": "0.4.1008.15138", - "templateHash": "9304664949671097450" + "templateHash": "4497555273030729522" } }, "parameters": { 
@@ -3422,6 +3696,18 @@ }, "securityRules": { "type": "array" + }, + "logStorageAccountResourceId": { + "type": "string" + }, + "logAnalyticsWorkspaceResourceId": { + "type": "string" + }, + "logs": { + "type": "array" + }, + "metrics": { + "type": "array" } }, "functions": [], @@ -3435,6 +3721,21 @@ "properties": { "securityRules": "[parameters('securityRules')]" } + }, + { + "type": "Microsoft.Insights/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "scope": "[format('Microsoft.Network/networkSecurityGroups/{0}', parameters('name'))]", + "name": "[format('{0}-diagnostics', parameters('name'))]", + "properties": { + "storageAccountId": "[parameters('logStorageAccountResourceId')]", + "workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]", + "logs": "[parameters('logs')]", + "metrics": "[parameters('metrics')]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('name'))]" + ] } ], "outputs": { @@ -3448,7 +3749,10 @@ } } } - } + }, + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', 'logStorage')]" + ] }, { "type": "Microsoft.Resources/deployments", @@ -3573,12 +3877,6 @@ "addressPrefix": { "value": "[parameters('virtualNetworkAddressPrefix')]" }, - "diagnosticsLogs": { - "value": "[if(empty(parameters('virtualNetworkDiagnosticsLogs')), variables('defaultVirtualNetworkDiagnosticsLogs'), parameters('virtualNetworkDiagnosticsLogs'))]" - }, - "diagnosticsMetrics": { - "value": "[if(empty(parameters('virtualNetworkDiagnosticsMetrics')), variables('defaultVirtualNetworkDiagnosticsMetrics'), parameters('virtualNetworkDiagnosticsMetrics'))]" - }, "subnets": { "value": [ { 
@@ -3591,7 +3889,7 @@ "routeTable": { "id": "[reference(resourceId('Microsoft.Resources/deployments', 'routeTable'), '2020-06-01').outputs.id.value]" }, - "serviceEndpoints": "[if(empty(parameters('subnetServiceEndpoints')), variables('defaultSubnetServiceEndpoints'), parameters('subnetServiceEndpoints'))]" + "serviceEndpoints": "[parameters('subnetServiceEndpoints')]" } } ] @@ -3601,6 +3899,12 @@ }, "logStorageAccountResourceId": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'logStorage'), '2020-06-01').outputs.id.value]" + }, + "logs": { + "value": "[parameters('virtualNetworkDiagnosticsLogs')]" + }, + "metrics": { + "value": "[parameters('virtualNetworkDiagnosticsMetrics')]" } }, "template": { @@ -3610,7 +3914,7 @@ "_generator": { "name": "bicep", "version": "0.4.1008.15138", - "templateHash": "14686239955820792027" + "templateHash": "12119421388421560495" } }, "parameters": { @@ -3636,10 +3940,10 @@ "subnets": { "type": "array" }, - "diagnosticsMetrics": { + "logs": { "type": "array" }, - "diagnosticsLogs": { + "metrics": { "type": "array" } }, @@ -3668,8 +3972,8 @@ "properties": { "storageAccountId": "[parameters('logStorageAccountResourceId')]", "workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]", - "metrics": "[parameters('diagnosticsMetrics')]", - "logs": "[parameters('diagnosticsLogs')]" + "logs": "[parameters('logs')]", + "metrics": "[parameters('metrics')]" }, "dependsOn": [ "[resourceId('Microsoft.Network/virtualNetworks', parameters('name'))]" @@ -3784,6 +4088,12 @@ "networkSecurityGroupRules": { "value": "[parameters('sharedServicesNetworkSecurityGroupRules')]" }, + "networkSecurityGroupDiagnosticsLogs": { + "value": "[parameters('sharedServicesNetworkSecurityGroupDiagnosticsLogs')]" + }, + "networkSecurityGroupDiagnosticsMetrics": { + "value": "[parameters('sharedServicesNetworkSecurityGroupDiagnosticsMetrics')]" + }, "subnetName": { "value": "[parameters('sharedServicesSubnetName')]" }, 
@@ -3801,7 +4111,7 @@ "_generator": { "name": "bicep", "version": "0.4.1008.15138", - "templateHash": "13423908076245323056" + "templateHash": "17180259987553481892" } }, "parameters": { @@ -3843,6 +4153,12 @@ "networkSecurityGroupRules": { "type": "array" }, + "networkSecurityGroupDiagnosticsLogs": { + "type": "array" + }, + "networkSecurityGroupDiagnosticsMetrics": { + "type": "array" + }, "subnetName": { "type": "string" }, @@ -3874,50 +4190,6 @@ } }, "functions": [], - "variables": { - "defaultVirtualNetworkDiagnosticsLogs": [], - "defaultVirtualNetworkDiagnosticsMetrics": [ - { - "category": "AllMetrics", - "enabled": true - } - ], - "defaultSubnetServiceEndpoints": [ - { - "service": "Microsoft.Storage" - } - ], - "defaultNetworkSecurityGroupRules": [ - { - "name": "allow_ssh", - "properties": { - "description": "Allow SSH access from anywhere", - "access": "Allow", - "priority": 100, - "protocol": "Tcp", - "direction": "Inbound", - "sourcePortRange": "*", - "sourceAddressPrefix": "*", - "destinationPortRange": "22", - "destinationAddressPrefix": "*" - } - }, - { - "name": "allow_rdp", - "properties": { - "description": "Allow RDP access from anywhere", - "access": "Allow", - "priority": 200, - "protocol": "Tcp", - "direction": "Inbound", - "sourcePortRange": "*", - "sourceAddressPrefix": "*", - "destinationPortRange": "3389", - "destinationAddressPrefix": "*" - } - } - ] - }, "resources": [ { "type": "Microsoft.Resources/deployments", 
@@ -4010,7 +4282,19 @@ "value": "[parameters('tags')]" }, "securityRules": { - "value": "[if(empty(parameters('networkSecurityGroupRules')), variables('defaultNetworkSecurityGroupRules'), parameters('networkSecurityGroupRules'))]" + "value": "[parameters('networkSecurityGroupRules')]" + }, + "logAnalyticsWorkspaceResourceId": { + "value": "[parameters('logAnalyticsWorkspaceResourceId')]" + }, + "logStorageAccountResourceId": { + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'logStorage'), '2020-06-01').outputs.id.value]" + }, + "logs": { + "value": "[parameters('networkSecurityGroupDiagnosticsLogs')]" + }, + "metrics": { + "value": "[parameters('networkSecurityGroupDiagnosticsMetrics')]" } }, "template": { @@ -4020,7 +4304,7 @@ "_generator": { "name": "bicep", "version": "0.4.1008.15138", - "templateHash": "9304664949671097450" + "templateHash": "4497555273030729522" } }, "parameters": { @@ -4036,6 +4320,18 @@ }, "securityRules": { "type": "array" + }, + "logStorageAccountResourceId": { + "type": "string" + }, + "logAnalyticsWorkspaceResourceId": { + "type": "string" + }, + "logs": { + "type": "array" + }, + "metrics": { + "type": "array" } }, "functions": [], @@ -4049,6 +4345,21 @@ "properties": { "securityRules": "[parameters('securityRules')]" } + }, + { + "type": "Microsoft.Insights/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "scope": "[format('Microsoft.Network/networkSecurityGroups/{0}', parameters('name'))]", + "name": "[format('{0}-diagnostics', parameters('name'))]", + "properties": { + "storageAccountId": "[parameters('logStorageAccountResourceId')]", + "workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]", + "logs": "[parameters('logs')]", + "metrics": "[parameters('metrics')]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/networkSecurityGroups', parameters('name'))]" + ] } ], "outputs": { 
@@ -4062,7 +4373,10 @@ } } } - } + }, + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', 'logStorage')]" + ] }, { "type": "Microsoft.Resources/deployments", @@ -4187,12 +4501,6 @@ "addressPrefix": { "value": "[parameters('virtualNetworkAddressPrefix')]" }, - "diagnosticsLogs": { - "value": "[if(empty(parameters('virtualNetworkDiagnosticsLogs')), variables('defaultVirtualNetworkDiagnosticsLogs'), parameters('virtualNetworkDiagnosticsLogs'))]" - }, - "diagnosticsMetrics": { - "value": "[if(empty(parameters('virtualNetworkDiagnosticsMetrics')), variables('defaultVirtualNetworkDiagnosticsMetrics'), parameters('virtualNetworkDiagnosticsMetrics'))]" - }, "subnets": { "value": [ { @@ -4205,7 +4513,7 @@ "routeTable": { "id": "[reference(resourceId('Microsoft.Resources/deployments', 'routeTable'), '2020-06-01').outputs.id.value]" }, - "serviceEndpoints": "[if(empty(parameters('subnetServiceEndpoints')), variables('defaultSubnetServiceEndpoints'), parameters('subnetServiceEndpoints'))]" + "serviceEndpoints": "[parameters('subnetServiceEndpoints')]" } } ] @@ -4215,6 +4523,12 @@ }, "logStorageAccountResourceId": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'logStorage'), '2020-06-01').outputs.id.value]" + }, + "logs": { + "value": "[parameters('virtualNetworkDiagnosticsLogs')]" + }, + "metrics": { + "value": "[parameters('virtualNetworkDiagnosticsMetrics')]" } }, "template": { @@ -4224,7 +4538,7 @@ "_generator": { "name": "bicep", "version": "0.4.1008.15138", - "templateHash": "14686239955820792027" + "templateHash": "12119421388421560495" } }, "parameters": { @@ -4250,10 +4564,10 @@ "subnets": { "type": "array" }, - "diagnosticsMetrics": { + "logs": { "type": "array" }, - "diagnosticsLogs": { + "metrics": { "type": "array" } }, 
@@ -4282,8 +4596,8 @@
               "properties": {
                 "storageAccountId": "[parameters('logStorageAccountResourceId')]",
                 "workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]",
-                "metrics": "[parameters('diagnosticsMetrics')]",
-                "logs": "[parameters('diagnosticsLogs')]"
+                "logs": "[parameters('logs')]",
+                "metrics": "[parameters('metrics')]"
               },
               "dependsOn": [
                 "[resourceId('Microsoft.Network/virtualNetworks', parameters('name'))]"
diff --git a/src/bicep/modules/firewall.bicep b/src/bicep/modules/firewall.bicep
index 4ba1547b1..1efc74817 100644
--- a/src/bicep/modules/firewall.bicep
+++ b/src/bicep/modules/firewall.bicep
@@ -15,6 +15,12 @@ param managementIpConfigurationPublicIPAddressResourceId string
 param firewallPolicyName string
+param logStorageAccountResourceId string
+param logAnalyticsWorkspaceResourceId string
+
+param logs array
+param metrics array
+
 resource firewallPolicy 'Microsoft.Network/firewallPolicies@2021-02-01' = {
   name: firewallPolicyName
   location: location
@@ -156,4 +162,15 @@ resource firewall 'Microsoft.Network/azureFirewalls@2021-02-01' = {
   }
 }
+resource diagnostics 'Microsoft.Insights/diagnosticSettings@2017-05-01-preview' = {
+  scope: firewall
+  name: '${firewall.name}-diagnostics'
+  properties: {
+    storageAccountId: logStorageAccountResourceId
+    workspaceId: logAnalyticsWorkspaceResourceId
+    logs: logs
+    metrics: metrics
+  }
+}
+
 output privateIPAddress string = firewall.properties.ipConfigurations[0].properties.privateIPAddress
diff --git a/src/bicep/modules/hubNetwork.bicep b/src/bicep/modules/hubNetwork.bicep
index f76f72bf2..1f38d3395 100644
--- a/src/bicep/modules/hubNetwork.bicep
+++ b/src/bicep/modules/hubNetwork.bicep
@@ -14,6 +14,8 @@ param virtualNetworkDiagnosticsMetrics array
 param networkSecurityGroupName string
 param networkSecurityGroupRules array
+param networkSecurityGroupDiagnosticsLogs array
+param networkSecurityGroupDiagnosticsMetrics array
 param subnetName string
 param subnetAddressPrefix string
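Review bot: The new `logs`, `metrics`, `logStorageAccountResourceId` and `logAnalyticsWorkspaceResourceId` params in firewall.bicep carry no `@description`, and nothing documents that an empty `logs` array yields a diagnostic setting that forwards no log categories, so the firewall's rule logs — its main detective telemetry — can be silently switched off by a caller passing `[]`. Suggest `@description('Diagnostic log categories for the firewall, e.g. AzureFirewallApplicationRule and AzureFirewallNetworkRule; an empty array deploys a setting that forwards no logs.')` on `logs`, and an equivalent description on `metrics` that also notes the storage-account retention policy lives inside each entry (`retentionPolicy`). The same undocumented params are added to networkSecurityGroup.bicep and publicIPAddress.bicep in this commit. Whether the defaults wired in from mlz.bicep are non-empty cannot be seen from this chunk.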
@@ -28,6 +30,8 @@ param firewallName string
 param firewallSkuTier string
 param firewallPolicyName string
 param firewallThreatIntelMode string
+param firewallDiagnosticsLogs array
+param firewallDiagnosticsMetrics array
 param firewallClientIpConfigurationName string
 param firewallClientSubnetName string
 param firewallClientSubnetAddressPrefix string
@@ -45,57 +49,8 @@ param firewallManagementPublicIPAddressSkuName string
 param firewallManagementPublicIpAllocationMethod string
 param firewallManagementPublicIPAddressAvailabilityZones array
-var defaultVirtualNewtorkDiagnosticsLogs = [
-  // TODO: 'VMProtectionAlerts' is not supported in AzureUsGovernment
-  // {
-  //   category: 'VMProtectionAlerts'
-  //   enabled: true
-  // }
-]
-
-var defaultVirtualNetworkDiagnosticsMetrics = [
-  {
-    category: 'AllMetrics'
-    enabled: true
-  }
-]
-
-var defaultSubnetServiceEndpoints = [
-  {
-    service: 'Microsoft.Storage'
-  }
-]
-
-var defaultNetworkSecurityGroupRules = [
-  {
-    name: 'allow_ssh'
-    properties: {
-      description: 'Allow SSH access from anywhere'
-      access: 'Allow'
-      priority: 100
-      protocol: 'Tcp'
-      direction: 'Inbound'
-      sourcePortRange: '*'
-      sourceAddressPrefix: '*'
-      destinationPortRange: '22'
-      destinationAddressPrefix: '*'
-    }
-  }
-  {
-    name: 'allow_rdp'
-    properties: {
-      description: 'Allow RDP access from anywhere'
-      access: 'Allow'
-      priority: 200
-      protocol: 'Tcp'
-      direction: 'Inbound'
-      sourcePortRange: '*'
-      sourceAddressPrefix: '*'
-      destinationPortRange: '3389'
-      destinationAddressPrefix: '*'
-    }
-  }
-]
+param publicIPAddressDiagnosticsLogs array
+param publicIPAddressDiagnosticsMetrics array
 module logStorage './storageAccount.bicep' = {
   name: 'logStorage'
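Review bot: Deleting `defaultVirtualNewtorkDiagnosticsLogs` also deletes the only record of why no VNet log category is enabled by default — the `// TODO: 'VMProtectionAlerts' is not supported in AzureUsGovernment` comment — and the new side gives the reader nothing in its place. Unless that note moved to the `virtualNetworkDiagnosticsLogs` default in mlz.bicep (not visible in this chunk), consider carrying it over as a comment on `param virtualNetworkDiagnosticsLogs array`, which sits above this hunk. The same comment is dropped from spokeNetwork.bicep in hunk `@@ -26,58 +29,6 @@` of this commit. Removing `defaultNetworkSecurityGroupRules`, whose `allow_ssh`/`allow_rdp` entries admitted TCP 22 and 3389 from any source, is a clear tightening and deserves an explicit line in the commit description so the change is not read as a pure refactor.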
@@ -114,7 +69,13 @@ module networkSecurityGroup './networkSecurityGroup.bicep' = {
     location: location
     tags: tags
-    securityRules: empty(networkSecurityGroupRules) ? defaultNetworkSecurityGroupRules : networkSecurityGroupRules
+    securityRules: networkSecurityGroupRules
+
+    logAnalyticsWorkspaceResourceId: logAnalyticsWorkspaceResourceId
+    logStorageAccountResourceId: logStorage.outputs.id
+
+    logs: networkSecurityGroupDiagnosticsLogs
+    metrics: networkSecurityGroupDiagnosticsMetrics
   }
 }
@@ -127,9 +88,6 @@ module virtualNetwork './virtualNetwork.bicep' = {
     addressPrefix: virtualNetworkAddressPrefix
-    diagnosticsLogs: empty(virtualNetworkDiagnosticsLogs) ? defaultVirtualNewtorkDiagnosticsLogs : virtualNetworkDiagnosticsLogs
-    diagnosticsMetrics: empty(virtualNetworkDiagnosticsMetrics) ? defaultVirtualNetworkDiagnosticsMetrics : virtualNetworkDiagnosticsMetrics
-
     subnets: [
       {
         name: firewallClientSubnetName
@@ -149,6 +107,9 @@ module virtualNetwork './virtualNetwork.bicep' = {
     logAnalyticsWorkspaceResourceId: logAnalyticsWorkspaceResourceId
     logStorageAccountResourceId: logStorage.outputs.id
+
+    logs: virtualNetworkDiagnosticsLogs
+    metrics: virtualNetworkDiagnosticsMetrics
   }
 }
@@ -176,7 +137,7 @@ resource subnet 'Microsoft.Network/virtualNetworks/subnets@2021-02-01' = {
     routeTable: {
       id: routeTable.outputs.id
     }
-    serviceEndpoints: empty(subnetServiceEndpoints) ? defaultSubnetServiceEndpoints : subnetServiceEndpoints
+    serviceEndpoints: subnetServiceEndpoints
     privateEndpointNetworkPolicies: 'Disabled'
     privateLinkServiceNetworkPolicies: 'Enabled'
   }
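Review bot: `securityRules: networkSecurityGroupRules` drops the `empty()` fallback without noting the behaviour change: an empty `networkSecurityGroupRules` now produces an NSG with only Azure's built-in default rules, and the parallel removals further down this line make an empty `virtualNetworkDiagnosticsMetrics` turn VNet metrics off where `AllMetrics` was previously substituted, and an empty `subnetServiceEndpoints` deploy no `Microsoft.Storage` endpoint. Those are defensible outcomes, but nothing at the call sites says they are intentional; a comment such as `// no fallback: an empty array is passed through as-is` at each former `empty(...)` site, or a `@description` on the corresponding params (outside this hunk), would stop a future maintainer from reinstating the permissive defaults. spokeNetwork.bicep has the same three sites in hunks `@@ -95,7 +46,13 @@`, `@@ -122,9 +79,6 @@` and `@@ -136,13 +90,16 @@`.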
@@ -196,6 +157,12 @@ module firewallClientPublicIPAddress './publicIPAddress.bicep' = {
     skuName: firewallClientPublicIPAddressSkuName
     publicIpAllocationMethod: firewallClientPublicIpAllocationMethod
     availabilityZones: firewallClientPublicIPAddressAvailabilityZones
+
+    logAnalyticsWorkspaceResourceId: logAnalyticsWorkspaceResourceId
+    logStorageAccountResourceId: logStorage.outputs.id
+
+    logs: publicIPAddressDiagnosticsLogs
+    metrics: publicIPAddressDiagnosticsMetrics
   }
 }
@@ -209,6 +176,12 @@ module firewallManagementPublicIPAddress './publicIPAddress.bicep' = {
     skuName: firewallManagementPublicIPAddressSkuName
     publicIpAllocationMethod: firewallManagementPublicIpAllocationMethod
     availabilityZones: firewallManagementPublicIPAddressAvailabilityZones
+
+    logAnalyticsWorkspaceResourceId: logAnalyticsWorkspaceResourceId
+    logStorageAccountResourceId: logStorage.outputs.id
+
+    logs: publicIPAddressDiagnosticsLogs
+    metrics: publicIPAddressDiagnosticsMetrics
   }
 }
@@ -231,6 +204,12 @@ module firewall './firewall.bicep' = {
     managementIpConfigurationName: firewallManagementIpConfigurationName
     managementIpConfigurationSubnetResourceId: '${virtualNetwork.outputs.id}/subnets/${firewallManagementSubnetName}'
     managementIpConfigurationPublicIPAddressResourceId: firewallManagementPublicIPAddress.outputs.id
+
+    logAnalyticsWorkspaceResourceId: logAnalyticsWorkspaceResourceId
+    logStorageAccountResourceId: logStorage.outputs.id
+
+    logs: firewallDiagnosticsLogs
+    metrics: firewallDiagnosticsMetrics
   }
 }
diff --git a/src/bicep/modules/networkSecurityGroup.bicep b/src/bicep/modules/networkSecurityGroup.bicep
index 06bd1422c..dc044f6ed 100644
--- a/src/bicep/modules/networkSecurityGroup.bicep
+++ b/src/bicep/modules/networkSecurityGroup.bicep
@@ -4,6 +4,12 @@ param tags object = {}
 param securityRules array
+param logStorageAccountResourceId string
+param logAnalyticsWorkspaceResourceId string
+
+param logs array
+param metrics array
+
 resource networkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2021-02-01' = {
   name: name
   location: location
@@ -14,5 +20,16 @@ resource networkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2021-02-0
   }
 }
+resource diagnostics 'Microsoft.Insights/diagnosticSettings@2017-05-01-preview' = {
+  scope: networkSecurityGroup
+  name: '${networkSecurityGroup.name}-diagnostics'
+  properties: {
+    storageAccountId: logStorageAccountResourceId
+    workspaceId: logAnalyticsWorkspaceResourceId
+    logs: logs
+    metrics: metrics
+  }
+}
+
 output id string = networkSecurityGroup.id
 output name string = networkSecurityGroup.name
diff --git a/src/bicep/modules/publicIPAddress.bicep b/src/bicep/modules/publicIPAddress.bicep
index d29257507..eeb193a2e 100644
--- a/src/bicep/modules/publicIPAddress.bicep
+++ b/src/bicep/modules/publicIPAddress.bicep
@@ -6,6 +6,12 @@ param skuName string
 param publicIpAllocationMethod string
 param availabilityZones array
+param logStorageAccountResourceId string
+param logAnalyticsWorkspaceResourceId string
+
+param logs array
+param metrics array
+
 resource publicIPAddress 'Microsoft.Network/publicIPAddresses@2021-02-01' = {
   name: name
   location: location
@@ -22,4 +28,15 @@ resource publicIPAddress 'Microsoft.Network/publicIPAddresses@2021-02-01' = {
   zones: availabilityZones
 }
+resource diagnostics 'Microsoft.Insights/diagnosticSettings@2017-05-01-preview' = {
+  scope: publicIPAddress
+  name: '${publicIPAddress.name}-diagnostics'
+  properties: {
+    storageAccountId: logStorageAccountResourceId
+    workspaceId: logAnalyticsWorkspaceResourceId
+    logs: logs
+    metrics: metrics
+  }
+}
+
 output id string = publicIPAddress.id
diff --git a/src/bicep/modules/spokeNetwork.bicep b/src/bicep/modules/spokeNetwork.bicep
index 65ec539fa..285f76f05 100644
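Review bot: The `diagnostics` resource added to networkSecurityGroup.bicep enables NSG diagnostic-setting categories only; it is not NSG flow logging, which is a separate Network Watcher resource, so a reader may over-estimate the per-flow visibility this module now provides. A short comment above the resource, `// Diagnostic settings (event/rule-counter categories) only; NSG flow logs are configured separately through Network Watcher`, would set expectations for whoever relies on this for traffic forensics. The diagnostics resource added to publicIPAddress.bicep in the following hunk has the same shape and would benefit from a one-line comment naming the destination split (storage account for retention, workspace for querying) that the two resource-id params imply.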
--- a/src/bicep/modules/spokeNetwork.bicep
+++ b/src/bicep/modules/spokeNetwork.bicep
@@ -16,6 +16,9 @@ param virtualNetworkDiagnosticsMetrics array
 param networkSecurityGroupName string
 param networkSecurityGroupRules array
+param networkSecurityGroupDiagnosticsLogs array
+param networkSecurityGroupDiagnosticsMetrics array
+
 param subnetName string
 param subnetAddressPrefix string
 param subnetServiceEndpoints array
@@ -26,58 +29,6 @@ param routeTableRouteAddressPrefix string = '0.0.0.0/0'
 param routeTableRouteNextHopIpAddress string = firewallPrivateIPAddress
 param routeTableRouteNextHopType string = 'VirtualAppliance'
-var defaultVirtualNetworkDiagnosticsLogs = [
-  // TODO: 'VMProtectionAlerts' is not supported in AzureUsGovernment
-  // {
-  //   category: 'VMProtectionAlerts'
-  //   enabled: true
-  // }
-]
-
-var defaultVirtualNetworkDiagnosticsMetrics = [
-  {
-    category: 'AllMetrics'
-    enabled: true
-  }
-]
-
-var defaultSubnetServiceEndpoints = [
-  {
-    service: 'Microsoft.Storage'
-  }
-]
-
-var defaultNetworkSecurityGroupRules = [
-  {
-    name: 'allow_ssh'
-    properties: {
-      description: 'Allow SSH access from anywhere'
-      access: 'Allow'
-      priority: 100
-      protocol: 'Tcp'
-      direction: 'Inbound'
-      sourcePortRange: '*'
-      sourceAddressPrefix: '*'
-      destinationPortRange: '22'
-      destinationAddressPrefix: '*'
-    }
-  }
-  {
-    name: 'allow_rdp'
-    properties: {
-      description: 'Allow RDP access from anywhere'
-      access: 'Allow'
-      priority: 200
-      protocol: 'Tcp'
-      direction: 'Inbound'
-      sourcePortRange: '*'
-      sourceAddressPrefix: '*'
-      destinationPortRange: '3389'
-      destinationAddressPrefix: '*'
-    }
-  }
-]
-
 module logStorage './storageAccount.bicep' = {
   name: 'logStorage'
   params: {
@@ -95,7 +46,13 @@ module networkSecurityGroup './networkSecurityGroup.bicep' = {
     location: location
     tags: tags
-    securityRules: empty(networkSecurityGroupRules) ? defaultNetworkSecurityGroupRules : networkSecurityGroupRules
+    securityRules: networkSecurityGroupRules
+
+    logAnalyticsWorkspaceResourceId: logAnalyticsWorkspaceResourceId
+    logStorageAccountResourceId: logStorage.outputs.id
+
+    logs: networkSecurityGroupDiagnosticsLogs
+    metrics: networkSecurityGroupDiagnosticsMetrics
   }
 }
@@ -122,9 +79,6 @@ module virtualNetwork './virtualNetwork.bicep' = {
     addressPrefix: virtualNetworkAddressPrefix
-    diagnosticsLogs: empty(virtualNetworkDiagnosticsLogs) ? defaultVirtualNetworkDiagnosticsLogs : virtualNetworkDiagnosticsLogs
-    diagnosticsMetrics: empty(virtualNetworkDiagnosticsMetrics) ? defaultVirtualNetworkDiagnosticsMetrics : virtualNetworkDiagnosticsMetrics
-
     subnets: [
       {
         name: subnetName
@@ -136,13 +90,16 @@ module virtualNetwork './virtualNetwork.bicep' = {
           routeTable: {
             id: routeTable.outputs.id
           }
-          serviceEndpoints: empty(subnetServiceEndpoints) ? defaultSubnetServiceEndpoints : subnetServiceEndpoints
+          serviceEndpoints: subnetServiceEndpoints
         }
       }
     ]
     logAnalyticsWorkspaceResourceId: logAnalyticsWorkspaceResourceId
     logStorageAccountResourceId: logStorage.outputs.id
+
+    logs: virtualNetworkDiagnosticsLogs
+    metrics: virtualNetworkDiagnosticsMetrics
   }
 }
diff --git a/src/bicep/modules/virtualNetwork.bicep b/src/bicep/modules/virtualNetwork.bicep
index ab51e3e1e..9908a96b7 100644
--- a/src/bicep/modules/virtualNetwork.bicep
+++ b/src/bicep/modules/virtualNetwork.bicep
@@ -7,9 +7,8 @@ param logAnalyticsWorkspaceResourceId string
 param logStorageAccountResourceId string
 param subnets array
-param diagnosticsMetrics array
-
-param diagnosticsLogs array
+param logs array
+param metrics array
 resource virtualNetwork 'Microsoft.Network/virtualNetworks@2021-02-01' = {
   name: name
@@ -32,8 +31,8 @@ resource diagnostics 'Microsoft.Insights/diagnosticSettings@2017-05-01-preview'
   properties: {
     storageAccountId: logStorageAccountResourceId
     workspaceId: logAnalyticsWorkspaceResourceId
-    metrics: diagnosticsMetrics
-    logs: diagnosticsLogs
+    logs: logs
+    metrics: metrics
   }
 }