Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

log activities from subscriptions used in an MLZ deployment into the Operations log analytics workspace #412

Merged
merged 15 commits into from
Sep 16, 2021
Merged

log activities from subscriptions used in an MLZ deployment into the Operations log analytics workspace #412

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
15 commits
Select commit Hold shift + click to select a range
2f121ed
adding activity logging and fixing assignments
shawngib Sep 14, 2021
11a8810
adding module file
shawngib Sep 14, 2021
f895c7f
Update src/bicep/modules/centralLogging.bicep
shawngib Sep 15, 2021
3491797
Update src/bicep/mlz.bicep
shawngib Sep 15, 2021
42868c3
Update src/bicep/modules/policyAssignment.bicep
shawngib Sep 15, 2021
ed55433
Update src/bicep/mlz.bicep
shawngib Sep 15, 2021
372e60b
updated per comments in PR
shawngib Sep 15, 2021
2992e83
correct object declarations
shawngib Sep 15, 2021
7e194df
Update src/bicep/mlz.bicep
shawngib Sep 15, 2021
89404bc
Update src/bicep/mlz.bicep
shawngib Sep 15, 2021
917cf83
Update src/bicep/mlz.bicep
shawngib Sep 15, 2021
3ecac1f
Update src/bicep/mlz.bicep
shawngib Sep 15, 2021
c57608d
Update src/bicep/mlz.bicep
shawngib Sep 15, 2021
c7ab6c7
Update src/bicep/mlz.bicep
shawngib Sep 15, 2021
0b5e4b3
diagnostic name with log analytics workspace name (#414)
glennmusa Sep 16, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
60 changes: 44 additions & 16 deletions src/bicep/mlz.bicep
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -253,54 +253,82 @@ module sharedServicesVirtualNetworkPeering './modules/spokeNetworkPeering.bicep'
}

module hubPolicyAssignment './modules/policyAssignment.bicep' = {
name: '${hubResourceGroupName}-policyAssignement'
name: 'deploy-hub-policyAssignement'
shawngib marked this conversation as resolved.
Show resolved Hide resolved
scope: resourceGroup(hubSubscriptionId, hubResourceGroupName)
dependsOn: [
hubResourceGroup
logAnalyticsWorkspace
]
params: {
builtInAssignment: policy
logAnalyticsWorkspaceName: logAnalyticsWorkspace.outputs.name
logAnalyticsWorkspaceResourceGroupName: operationsResourceGroup.outputs.name
opsSubscriptionId: operationsSubscriptionId
shawngib marked this conversation as resolved.
Show resolved Hide resolved
}
}

module operationsPolicyAssignment './modules/policyAssignment.bicep' = {
name: '${operationsResourceGroupName}-policyAssignment'
name: 'deploy-operations-policyAssignment'
shawngib marked this conversation as resolved.
Show resolved Hide resolved
scope: resourceGroup(operationsSubscriptionId, operationsResourceGroupName)
params: {
builtInAssignment: policy
logAnalyticsWorkspaceName: logAnalyticsWorkspace.outputs.name
logAnalyticsWorkspaceResourceGroupName: operationsResourceGroup.outputs.name
opsSubscriptionId: operationsSubscriptionId
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
opsSubscriptionId: operationsSubscriptionId
operationsSubscriptionId: operationsSubscriptionId

}
}

module sharedServicesPolicyAssignment './modules/policyAssignment.bicep' = {
name: '${sharedServicesResourceGroupName}-policyAssignement'
name: 'deploy-shareServices-policyAssignement'
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same naming collision concern as the hub assignment

scope: resourceGroup(sharedServicesSubscriptionId, sharedServicesResourceGroupName)
dependsOn: [
sharedServicesResourceGroup
logAnalyticsWorkspace
]
params: {
builtInAssignment: policy
logAnalyticsWorkspaceName: logAnalyticsWorkspace.outputs.name
logAnalyticsWorkspaceResourceGroupName: operationsResourceGroup.outputs.name
opsSubscriptionId: operationsSubscriptionId
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
opsSubscriptionId: operationsSubscriptionId
operationsSubscriptionId: operationsSubscriptionId

}
}

module identityPolicyAssignment './modules/policyAssignment.bicep' = {
name: '${identityResourceGroupName}-policyAssignement'
name: 'deploy-identity-policyAssignement'
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same naming collision concern as the hub assignment

scope: resourceGroup(identitySubscriptionId, identityResourceGroupName)
dependsOn: [
identityResourceGroup
logAnalyticsWorkspace
]
params: {
builtInAssignment: policy
logAnalyticsWorkspaceName: logAnalyticsWorkspace.outputs.name
logAnalyticsWorkspaceResourceGroupName: operationsResourceGroup.outputs.name
opsSubscriptionId: operationsSubscriptionId
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
opsSubscriptionId: operationsSubscriptionId
operationsSubscriptionId: operationsSubscriptionId

}
}

module hubSubscriptionCreateActivityLogging './modules/centralLogging.bicep' = {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's be consistent with the module names "<hub/identity/operations/sharedServices>Thing"

Suggested change
module hubSubscriptionCreateActivityLogging './modules/centralLogging.bicep' = {
module hubLogging './modules/centralLogging.bicep' = {

name: 'deploy-hub-sub-activity-logging'
scope: subscription(hubSubscriptionId)
params: {
logAnalyticsWorkspaceId: logAnalyticsWorkspace.outputs.id
deploymentName: resourcePrefix
}
}

module opsSubscriptionCreateActivityLogging './modules/centralLogging.bicep' = if(!(hubSubscriptionId == operationsSubscriptionId)) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's be consistent with the module names "<hub/identity/operations/sharedServices>Thing"

Also, could these comparisons could be simplified as if(value1 != value2)?

Suggested change
module opsSubscriptionCreateActivityLogging './modules/centralLogging.bicep' = if(!(hubSubscriptionId == operationsSubscriptionId)) {
module operationsLogging './modules/centralLogging.bicep' = if(operationsSubscriptionId != hubSubscriptionId) {

name: 'deploy-ops-sub-activity-logging'
shawngib marked this conversation as resolved.
Show resolved Hide resolved
shawngib marked this conversation as resolved.
Show resolved Hide resolved
scope: subscription(operationsSubscriptionId)
params: {
logAnalyticsWorkspaceId: logAnalyticsWorkspace.outputs.id
deploymentName: resourcePrefix
}
}

module identSubscriptionCreateActivityLogging './modules/centralLogging.bicep' = if(!(hubSubscriptionId == identitySubscriptionId)) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's be consistent with the module names "<hub/identity/operations/sharedServices>Thing"

Also, could these comparisons could be simplified as if(value1 != value2)?

Suggested change
module identSubscriptionCreateActivityLogging './modules/centralLogging.bicep' = if(!(hubSubscriptionId == identitySubscriptionId)) {
module identityLogging './modules/centralLogging.bicep' = if(identitySubscriptionId != hubSubscriptionId) {

name: 'deploy-ident-sub-activity-logging'
shawngib marked this conversation as resolved.
Show resolved Hide resolved
shawngib marked this conversation as resolved.
Show resolved Hide resolved
scope: subscription(identitySubscriptionId)
params: {
logAnalyticsWorkspaceId: logAnalyticsWorkspace.outputs.id
deploymentName: resourcePrefix
}
}

module sharedSubscriptionCreateActivityLogging './modules/centralLogging.bicep' = if(!(hubSubscriptionId == sharedServicesSubscriptionId)) {
shawngib marked this conversation as resolved.
Show resolved Hide resolved
name: 'deploy-shared-sub-activity-logging'
shawngib marked this conversation as resolved.
Show resolved Hide resolved
shawngib marked this conversation as resolved.
Show resolved Hide resolved
scope: subscription(sharedServicesSubscriptionId)
params: {
logAnalyticsWorkspaceId: logAnalyticsWorkspace.outputs.id
deploymentName: resourcePrefix
}
}

Expand Down
48 changes: 48 additions & 0 deletions src/bicep/modules/centralLogging.bicep
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,48 @@
// scope
targetScope = 'subscription'

param logAnalyticsWorkspaceId string
param deploymentName string

//// Central activity logging to LAWS
resource somethingNew 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
shawngib marked this conversation as resolved.
Show resolved Hide resolved
name: 'LoggingToLA-${deploymentName}'
properties: {
workspaceId: logAnalyticsWorkspaceId
logs: [
{
category: 'Administrative'
enabled: true
}
{
category: 'Security'
enabled: true
}
{
category: 'ServiceHealth'
enabled: true
}
{
category: 'Alert'
enabled: true
}
{
category: 'Recommendation'
enabled: true
}
{
category: 'Policy'
enabled: true
}
{
category: 'Autoscale'
enabled: true
}
{
category: 'ResourceHealth'
enabled: true
}
]
}

}
3 changes: 2 additions & 1 deletion src/bicep/modules/policyAssignment.bicep
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,11 +1,12 @@
param builtInAssignment string = ''
param logAnalyticsWorkspaceName string
param logAnalyticsWorkspaceResourceGroupName string
param opsSubscriptionId string
shawngib marked this conversation as resolved.
Show resolved Hide resolved

// Creating a symbolic name for an existing resource
resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2021-06-01' existing = {
name: logAnalyticsWorkspaceName
scope: resourceGroup(logAnalyticsWorkspaceResourceGroupName)
scope: resourceGroup(opsSubscriptionId, logAnalyticsWorkspaceResourceGroupName)
shawngib marked this conversation as resolved.
Show resolved Hide resolved
}

var policyDefinitionID = {
Expand Down