diff --git a/src/bicep/mlz.bicep b/src/bicep/mlz.bicep index 2250ff126..751b13bff 100644 --- a/src/bicep/mlz.bicep +++ b/src/bicep/mlz.bicep @@ -227,6 +227,20 @@ param identityNetworkSecurityGroupDiagnosticsLogs array = [ @description('An array of Network Security Group Metrics to apply to enable for the Identity Virtual Network. See https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=CMD#metrics for valid settings.') param identityNetworkSecurityGroupDiagnosticsMetrics array = [] +// KEY VAULT PARAMETERS +@description('An array of Key Vault Diagnostic Logs categories to collect. See "https://learn.microsoft.com/en-us/azure/key-vault/general/logging?tabs=Vault" for valid values.') +param KeyVaultDiagnosticsLogs array = [ + { + category: 'AuditEvent' + enabled: true + } + { + category: 'AzurePolicyEvaluationDetails' + enabled: true + } +] + + // OPERATIONS PARAMETERS @description('An array of Network Diagnostic Logs to enable for the Operations Virtual Network. See https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=CMD#logs for valid settings.') @@ -669,6 +683,8 @@ module diagnostics 'modules/diagnostics.bicep' = { deploymentNameSuffix: deploymentNameSuffix firewallDiagnosticsLogs: firewallDiagnosticsLogs firewallDiagnosticsMetrics: firewallDiagnosticsMetrics + KeyVaultName: customerManagedKeys.outputs.KeyVaultName + keyVaultDiagnosticLogs: KeyVaultDiagnosticsLogs logAnalyticsWorkspaceResourceId: monitoring.outputs.logAnalyticsWorkspaceResourceId networks: logic.outputs.networks networkSecurityGroupDiagnosticsLogs: hubNetworkSecurityGroupDiagnosticsLogs diff --git a/src/bicep/mlz.json b/src/bicep/mlz.json index abf6e1bf0..a6b4663b4 100644 --- a/src/bicep/mlz.json +++ b/src/bicep/mlz.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.26.54.24096", - "templateHash": "459691962602818850" + "templateHash": "8272435085123749899" } }, "parameters": { 
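Review bot: `KeyVaultDiagnosticsLogs` is the only PascalCase parameter in this block — the neighbouring `identityNetworkSecurityGroupDiagnosticsMetrics` and `operationsVirtualNetworkDiagnosticsLogs` are camelCase — and the name is copied verbatim into the compiled template's parameter list, so it is worth renaming to `keyVaultDiagnosticsLogs` before it becomes an external contract callers depend on. Every other diagnostics target in this file carries a paired `...DiagnosticsMetrics` array, but the new Key Vault setting has no way to enable the vault's `AllMetrics` category; a companion `param keyVaultDiagnosticsMetrics array = [ { category: 'AllMetrics', enabled: true } ]` next to this one would keep parity with the firewall and NSG parameters. The defaults are the right ones for a vault that holds the CMK for disk and storage encryption: `AuditEvent` is the category that records key and secret operations, so it should stay enabled by default and the description could say so, e.g. `// AuditEvent records every data-plane key/secret/certificate operation; keep it enabled for the CMK vault`.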
@@ -395,6 +395,22 @@
 "description": "An array of Network Security Group Metrics to apply to enable for the Identity Virtual Network. See https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=CMD#metrics for valid settings."
 }
 },
+ "KeyVaultDiagnosticsLogs": {
+ "type": "array",
+ "defaultValue": [
+ {
+ "category": "AuditEvent",
+ "enabled": true
+ },
+ {
+ "category": "AzurePolicyEvaluationDetails",
+ "enabled": true
+ }
+ ],
+ "metadata": {
+ "description": "An array of Key Vault Diagnostic Logs categories to collect. See \"https://learn.microsoft.com/en-us/azure/key-vault/general/logging?tabs=Vault\" for valid values."
+ }
+ },
 "operationsVirtualNetworkDiagnosticsLogs": {
 "type": "array",
 "defaultValue": [],
@@ -4584,7 +4600,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.26.54.24096",
- "templateHash": "528320706664403182"
+ "templateHash": "3912836360709277206"
 }
 },
 "parameters": {
@@ -4649,7 +4665,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.26.54.24096",
- "templateHash": "12445413457654566620"
+ "templateHash": "17697959832977472677"
 }
 },
 "parameters": {
@@ -4839,6 +4855,10 @@
 "type": "string",
 "value": "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]"
 },
+ "keyVaultName": {
+ "type": "string",
+ "value": "[parameters('keyVaultName')]"
+ },
 "keyVaultUri": {
 "type": "string",
 "value": "[reference(resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName')), '2022-07-01').vaultUri]"
@@ -5165,10 +5185,18 @@
 "type": "string",
 "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('networkProperties').subscriptionId, parameters('networkProperties').resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-disk-encryption-set_{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.resourceId.value]"
 },
+ "KeyVaultName": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('networkProperties').subscriptionId, parameters('networkProperties').resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-key-vault-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.keyVaultName.value]"
+ },
 "keyVaultUri": {
 "type": "string",
 "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('networkProperties').subscriptionId, parameters('networkProperties').resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-key-vault-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.keyVaultUri.value]"
 },
+ "keyVaultResourceId": {
+ "type": "string",
+ "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('networkProperties').subscriptionId, parameters('networkProperties').resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-key-vault-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.keyVaultResourceId.value]"
+ },
 "storageKeyName": {
 "type": "string",
 "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('networkProperties').subscriptionId, parameters('networkProperties').resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-key-vault-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.storageKeyName.value]"
@@ -7276,6 +7304,12 @@
 "firewallDiagnosticsMetrics": {
 "value": "[parameters('firewallDiagnosticsMetrics')]"
 },
+ "KeyVaultName": {
+ "value": "[reference(subscriptionResourceId('Microsoft.Resources/deployments', format('deploy-cmk-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.KeyVaultName.value]"
+ },
+ "keyVaultDiagnosticLogs": {
+ "value": "[parameters('KeyVaultDiagnosticsLogs')]"
+ },
 "logAnalyticsWorkspaceResourceId": {
 "value": "[reference(subscriptionResourceId('Microsoft.Resources/deployments', format('deploy-monitoring-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.logAnalyticsWorkspaceResourceId.value]"
 },
@@ -7314,7 +7348,7 @@
 "_generator": {
 "name": "bicep",
 "version": "0.26.54.24096",
- "templateHash": "11489480336272395502"
+ "templateHash": "49100111797787087"
 }
 },
 "parameters": {
@@ -7327,6 +7361,12 @@
 "firewallDiagnosticsMetrics": {
 "type": "array"
 },
+ "KeyVaultName": {
+ "type": "string"
+ },
+ "keyVaultDiagnosticLogs": {
+ "type": "array"
+ },
 "logAnalyticsWorkspaceResourceId": {
 "type": "string"
 },
@@ -7835,11 +7875,77 @@
 }
 }
 }
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2022-09-01",
+ "name": "[format('deploy-kv-diags-{0}', parameters('deploymentNameSuffix'))]",
+ "subscriptionId": "[variables('hubSubscriptionId')]",
+ "resourceGroup": "[variables('hubResourceGroupName')]",
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "logAnalyticsWorkspaceResourceId": {
+ "value": "[parameters('logAnalyticsWorkspaceResourceId')]"
+ },
+ "logs": {
+ "value": "[parameters('keyVaultDiagnosticLogs')]"
+ },
+ "keyVaultstorageAccountId": {
+ "value": "[parameters('storageAccountResourceIds')[0]]"
+ },
+ "name": {
+ "value": "[parameters('KeyVaultName')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "_generator": {
+ "name": "bicep",
+ "version": "0.26.54.24096",
+ "templateHash": "9848944155815832346"
+ }
+ },
+ "parameters": {
+ "logAnalyticsWorkspaceResourceId": {
+ "type": "string"
+ },
+ "logs": {
+ "type": "array"
+ },
+ "name": {
+ "type": "string"
+ },
+ "keyVaultstorageAccountId": {
+ "type": "string"
+ }
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Insights/diagnosticSettings",
+ "apiVersion": "2017-05-01-preview",
+ "scope": "[format('Microsoft.KeyVault/vaults/{0}', parameters('name'))]",
+ "name": "[format('{0}-diagnostics', parameters('name'))]",
+ "properties": {
+ "storageAccountId": "[parameters('keyVaultstorageAccountId')]",
+ "workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]",
+ "logs": "[parameters('logs')]"
+ }
+ }
+ ]
+ }
+ }
 }
 ]
 }
 },
 "dependsOn": [
+ "[subscriptionResourceId('Microsoft.Resources/deployments', format('deploy-cmk-hub-{0}', parameters('deploymentNameSuffix')))]",
 "[subscriptionResourceId('Microsoft.Resources/deployments', format('get-logic-{0}', parameters('deploymentNameSuffix')))]",
"[subscriptionResourceId('Microsoft.Resources/deployments', format('deploy-monitoring-{0}', parameters('deploymentNameSuffix')))]", "[subscriptionResourceId('Microsoft.Resources/deployments', format('deploy-networking-{0}', parameters('deploymentNameSuffix')))]", diff --git a/src/bicep/modules/customer-managed-keys.bicep b/src/bicep/modules/customer-managed-keys.bicep index a76ea4d17..d50a078d1 100644 --- a/src/bicep/modules/customer-managed-keys.bicep +++ b/src/bicep/modules/customer-managed-keys.bicep @@ -49,6 +49,8 @@ module userAssignedIdentity 'user-assigned-identity.bicep' = { } output diskEncryptionSetResourceId string = diskEncryptionSet.outputs.resourceId +output KeyVaultName string = keyVault.outputs.keyVaultName output keyVaultUri string = keyVault.outputs.keyVaultUri +output keyVaultResourceId string = keyVault.outputs.keyVaultResourceId output storageKeyName string = keyVault.outputs.storageKeyName output userAssignedIdentityResourceId string = userAssignedIdentity.outputs.resourceId diff --git a/src/bicep/modules/diagnostics.bicep b/src/bicep/modules/diagnostics.bicep index 8003217e9..6dc192990 100644 --- a/src/bicep/modules/diagnostics.bicep +++ b/src/bicep/modules/diagnostics.bicep @@ -3,6 +3,8 @@ targetScope = 'subscription' param deploymentNameSuffix string param firewallDiagnosticsLogs array param firewallDiagnosticsMetrics array +param KeyVaultName string +param keyVaultDiagnosticLogs array param logAnalyticsWorkspaceResourceId string param networks array param networkSecurityGroupDiagnosticsLogs array 
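Review bot: The new output `KeyVaultName` is the only PascalCase name among this module's outputs (`diskEncryptionSetResourceId`, `keyVaultUri`, `keyVaultResourceId`, `storageKeyName` are all camelCase), and the key-vault.bicep output it forwards is itself `keyVaultName`, so `output keyVaultName string = keyVault.outputs.keyVaultName` would keep the module contract uniform. Because mlz.bicep reads it as `customerManagedKeys.outputs.KeyVaultName` and the compiled template as `.outputs.KeyVaultName.value`, the rename has to land in those consumers in the same change.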
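Review bot: `param keyVaultDiagnosticLogs array` drops the "s" that the top-level `KeyVaultDiagnosticsLogs` parameter and the adjacent `firewallDiagnosticsLogs` / `networkSecurityGroupDiagnosticsLogs` params carry, and `param KeyVaultName string` is capitalised unlike every other parameter in this list; `param keyVaultDiagnosticsLogs array` and `param keyVaultName string` would match the file's convention and make the mlz.bicep wiring (`keyVaultDiagnosticLogs: KeyVaultDiagnosticsLogs`) read as a straight pass-through. Neither parameter has a `@description`, unlike the ones in mlz.bicep, so a reader of this module cannot tell that `keyVaultDiagnosticLogs` must be an array of `{ category, enabled }` objects in the diagnosticSettings shape; a one-line description on each would close that gap.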
@@ -89,3 +91,14 @@ module firewallDiagnostics '../modules/firewall-diagnostics.bicep' = { name: hub.firewallName } } + +module keyvaultDiagnostics '../modules/key-vault-diagnostics.bicep' = { + name: 'deploy-kv-diags-${deploymentNameSuffix}' + scope: resourceGroup(hubSubscriptionId, hubResourceGroupName) + params: { + logAnalyticsWorkspaceResourceId: logAnalyticsWorkspaceResourceId + logs: keyVaultDiagnosticLogs + keyVaultstorageAccountId: storageAccountResourceIds[0] + name: KeyVaultName + } +} diff --git a/src/bicep/modules/key-vault-diagnostics.bicep b/src/bicep/modules/key-vault-diagnostics.bicep new file mode 100644 index 000000000..e6ae2174f --- /dev/null +++ b/src/bicep/modules/key-vault-diagnostics.bicep @@ -0,0 +1,23 @@ +/* +Copyright (c) Microsoft Corporation. +Licensed under the MIT License. +*/ + +param logAnalyticsWorkspaceResourceId string +param logs array +param name string +param keyVaultstorageAccountId string + +resource keyvault 'Microsoft.KeyVault/vaults@2022-07-01' existing = { + name: name +} + +resource diagnostics 'Microsoft.Insights/diagnosticSettings@2017-05-01-preview' = { + scope: keyvault + name: '${keyvault.name}-diagnostics' + properties: { + storageAccountId: keyVaultstorageAccountId + workspaceId: logAnalyticsWorkspaceResourceId + logs: logs + } +} diff --git a/src/bicep/modules/key-vault.bicep b/src/bicep/modules/key-vault.bicep index 954bd33f6..19358279c 100644 --- a/src/bicep/modules/key-vault.bicep +++ b/src/bicep/modules/key-vault.bicep @@ -144,5 +144,6 @@ resource key_storageAccounts 'Microsoft.KeyVault/vaults/keys@2022-07-01' = { output keyUriWithVersion string = key_disks.properties.keyUriWithVersion output keyVaultResourceId string = vault.id +output keyVaultName string = vault.name output keyVaultUri string = vault.properties.vaultUri output storageKeyName string = key_storageAccounts.name
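Review bot: `keyVaultstorageAccountId: storageAccountResourceIds[0]` hard-codes the assumption that the first entry of `storageAccountResourceIds` is the hub's log-archive storage account; nothing in this hunk checks that, and if the array is ordered differently or is empty the vault's audit trail is either archived into another network's storage account or the deployment fails on the index at runtime. If the hub account is the intended archive target, resolve it explicitly from the hub entry the way the firewall module above reaches `hub.firewallName`, or at least document the ordering contract on the `storageAccountResourceIds` parameter, which is declared outside this hunk. The parameter name `keyVaultstorageAccountId` also breaks the file's camelCase boundaries (`storageAccountResourceIds`); `keyVaultStorageAccountId` would match. The `firewallDiagnostics` module this hunk closes starts before the hunk.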
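Review bot: The diagnostic setting forwards only `logs`, so the vault's `AllMetrics` category is never exported even though every other diagnostics module in this tree takes a logs/metrics pair; since this setting is the sole record of key usage for the CMK vault, add a `metrics` parameter and pass it through, and note on `logs` that it comes straight from a user-overridable parameter, so passing `[]` silently turns off `AuditEvent` collection. `Microsoft.Insights/diagnosticSettings@2017-05-01-preview` pins the oldest API version of that type in a brand-new file while the vault lookup beside it uses `2022-07-01`; the newer `2021-05-01-preview` is the version the Bicep `use-recent-api-versions` linter rule will steer toward. The four parameters have no `@description`, unlike mlz.bicep, so the contract (array of `{ category, enabled }` objects, resource id of the archive storage account) should be stated on them. If the customer-managed-keys module is also deployed for the spoke networks (its outputs are keyed on `networkProperties`), those vaults get no diagnostic setting from this change — worth confirming.
```bicep
@description('Diagnostic log categories to collect ({ category, enabled } objects); passing [] disables AuditEvent collection.')
param logs array
@description('Diagnostic metric categories to collect; Key Vault exposes AllMetrics.')
param metrics array = []
// … unchanged: logAnalyticsWorkspaceResourceId, name, keyVaultstorageAccountId params and the existing keyvault lookup …

resource diagnostics 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  scope: keyvault
  name: '${keyvault.name}-diagnostics'
  properties: {
    storageAccountId: keyVaultstorageAccountId
    workspaceId: logAnalyticsWorkspaceResourceId
    logs: logs
    metrics: metrics
  }
}
```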