log activities from subscriptions used in an MLZ deployment into the Operations log analytics workspace #412

Sep 16, 2021
54 changes: 41 additions & 13 deletions src/bicep/mlz.bicep
Expand Up @@ -253,16 +253,13 @@ module sharedServicesVirtualNetworkPeering './modules/spokeNetworkPeering.bicep'
}

module hubPolicyAssignment './modules/policyAssignment.bicep' = {
name: '${hubResourceGroupName}-policyAssignement'
name: '${hubResourceGroupName}-policyAssignment'
scope: resourceGroup(hubSubscriptionId, hubResourceGroupName)
dependsOn: [
hubResourceGroup
logAnalyticsWorkspace
]
params: {
builtInAssignment: policy
logAnalyticsWorkspaceName: logAnalyticsWorkspace.outputs.name
logAnalyticsWorkspaceResourceGroupName: operationsResourceGroup.outputs.name
operationsSubscriptionId: operationsSubscriptionId
}
}

Expand All @@ -273,34 +270,65 @@ module operationsPolicyAssignment './modules/policyAssignment.bicep' = {
builtInAssignment: policy
logAnalyticsWorkspaceName: logAnalyticsWorkspace.outputs.name
logAnalyticsWorkspaceResourceGroupName: operationsResourceGroup.outputs.name
operationsSubscriptionId: operationsSubscriptionId
}
}

module sharedServicesPolicyAssignment './modules/policyAssignment.bicep' = {
name: '${sharedServicesResourceGroupName}-policyAssignement'
scope: resourceGroup(sharedServicesSubscriptionId, sharedServicesResourceGroupName)
dependsOn: [
sharedServicesResourceGroup
logAnalyticsWorkspace
]
params: {
builtInAssignment: policy
logAnalyticsWorkspaceName: logAnalyticsWorkspace.outputs.name
logAnalyticsWorkspaceResourceGroupName: operationsResourceGroup.outputs.name
operationsSubscriptionId: operationsSubscriptionId
}
}

module identityPolicyAssignment './modules/policyAssignment.bicep' = {
name: '${identityResourceGroupName}-policyAssignement'
scope: resourceGroup(identitySubscriptionId, identityResourceGroupName)
dependsOn: [
identityResourceGroup
logAnalyticsWorkspace
]
params: {
builtInAssignment: policy
logAnalyticsWorkspaceName: logAnalyticsWorkspace.outputs.name
logAnalyticsWorkspaceResourceGroupName: operationsResourceGroup.outputs.name
operationsSubscriptionId: operationsSubscriptionId
}
}

module hubSubscriptionCreateActivityLogging './modules/centralLogging.bicep' = {
Let's be consistent with the module names "<hub/identity/operations/sharedServices>Thing"

Suggested change
module hubSubscriptionCreateActivityLogging './modules/centralLogging.bicep' = {
module hubLogging './modules/centralLogging.bicep' = {

name: 'deploy-hub-sub-activity-logging'
scope: subscription(hubSubscriptionId)
params: {
diagnosticSettingName: 'log-hub-sub-activity-to-${logAnalyticsWorkspace.outputs.name}'
logAnalyticsWorkspaceId: logAnalyticsWorkspace.outputs.id
}
}

module operationsSubscriptionCreateActivityLogging './modules/centralLogging.bicep' = if(hubSubscriptionId != operationsSubscriptionId) {
name: 'deploy-operations-sub-activity-logging'
scope: subscription(operationsSubscriptionId)
params: {
diagnosticSettingName: 'log-operations-sub-activity-to-${logAnalyticsWorkspace.outputs.name}'
logAnalyticsWorkspaceId: logAnalyticsWorkspace.outputs.id
}
}

module identitySubscriptionCreateActivityLogging './modules/centralLogging.bicep' = if(hubSubscriptionId != identitySubscriptionId) {
name: 'deploy-identity-sub-activity-logging'
scope: subscription(identitySubscriptionId)
params: {
diagnosticSettingName: 'log-identity-sub-activity-to-${logAnalyticsWorkspace.outputs.name}'
logAnalyticsWorkspaceId: logAnalyticsWorkspace.outputs.id
}
}

module sharedServicesSubscriptionCreateActivityLogging './modules/centralLogging.bicep' = if(hubSubscriptionId != sharedServicesSubscriptionId) {
name: 'deploy-sharedServices-sub-activity-logging'
scope: subscription(sharedServicesSubscriptionId)
params: {
diagnosticSettingName: 'log-sharedServices-sub-activity-to-${logAnalyticsWorkspace.outputs.name}'
logAnalyticsWorkspaceId: logAnalyticsWorkspace.outputs.id
}
}

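--- a/src/bicep/modules/centralLogging.bicep
+++ b/src/bicep/modules/centralLogging.bicep
@@ -0,0 +1,48 @@
+// scope
+targetScope = 'subscription'
+
+param diagnosticSettingName string
+param logAnalyticsWorkspaceId string
+
+//// Central activity logging to LAWS
+resource centralLoggingDiagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
+  name: diagnosticSettingName
+  properties: {
+    workspaceId: logAnalyticsWorkspaceId
+    logs: [
+      {
+        category: 'Administrative'
+        enabled: true
+      }
+      {
+        category: 'Security'
+        enabled: true
+      }
+      {
+        category: 'ServiceHealth'
+        enabled: true
+      }
+      {
+        category: 'Alert'
+        enabled: true
+      }
+      {
+        category: 'Recommendation'
+        enabled: true
+      }
+      {
+        category: 'Policy'
+        enabled: true
+      }
+      {
+        category: 'Autoscale'
+        enabled: true
+      }
+      {
+        category: 'ResourceHealth'
+        enabled: true
+      }
+    ]
+  }
+
+}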
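Review bot: Both parameters are undocumented and the header comment `//// Central activity logging to LAWS` does not say that this is the subscription activity log — the diagnostic setting is deployed at `targetScope = 'subscription'` with no explicit `scope`, so it attaches to the subscription itself, which is the security-relevant fact a reader needs. Add `@description('Name of the diagnostic setting created on the target subscription')` above `diagnosticSettingName` and `@description('Resource ID of the Log Analytics workspace that receives the subscription activity log')` above `logAnalyticsWorkspaceId`. A one-line comment on the resource such as `// All eight activity-log categories are forwarded; Security and Policy in particular must stay enabled` makes it visible that nothing was dropped by accident. The deploying principal presumably needs `Microsoft.Insights/diagnosticSettings/write` at subscription scope — worth stating in the header comment so least-privilege deployments are not surprised.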
3 changes: 2 additions & 1 deletion src/bicep/modules/policyAssignment.bicep
@@ -1,11 +1,12 @@
param builtInAssignment string = ''
param logAnalyticsWorkspaceName string
param logAnalyticsWorkspaceResourceGroupName string
param operationsSubscriptionId string

// Creating a symbolic name for an existing resource
resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2021-06-01' existing = {
name: logAnalyticsWorkspaceName
scope: resourceGroup(logAnalyticsWorkspaceResourceGroupName)
scope: resourceGroup(operationsSubscriptionId, logAnalyticsWorkspaceResourceGroupName)
}

var policyDefinitionID = {
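Review bot: `operationsSubscriptionId` is added without a `@description`, and nothing documents that the `existing` workspace lookup is now cross-subscription: resolving `logAnalyticsWorkspace` via `resourceGroup(operationsSubscriptionId, logAnalyticsWorkspaceResourceGroupName)` presumably requires the deploying identity to have read access on that resource group in the operations subscription, which a principal scoped only to the hub, identity or sharedServices subscription will not have. Add `@description('Subscription that hosts the Log Analytics workspace referenced by the policy assignments')` above the new parameter, and extend the existing comment to `// Existing workspace in the operations subscription; the deploying identity needs reader access there`. The `var policyDefinitionID = {` map on the last line continues outside the hunk.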