Configure Keyvault diagnostic logs #939

Closed
wants to merge 6 commits into from
16 changes: 16 additions & 0 deletions src/bicep/mlz.bicep
Expand Up @@ -227,6 +227,20 @@ param identityNetworkSecurityGroupDiagnosticsLogs array = [
@description('An array of Network Security Group Metrics to apply to enable for the Identity Virtual Network. See https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=CMD#metrics for valid settings.')
param identityNetworkSecurityGroupDiagnosticsMetrics array = []

// KEY VAULT PARAMETERS
@description('An array of Key Vault Diagnostic Logs categories to collect. See "https://learn.microsoft.com/en-us/azure/key-vault/general/logging?tabs=Vault" for valid values.')
param KeyVaultDiagnosticsLogs array = [
{
category: 'AuditEvent'
enabled: true
}
{
category: 'AzurePolicyEvaluationDetails'
enabled: true
}
]


// OPERATIONS PARAMETERS

@description('An array of Network Diagnostic Logs to enable for the Operations Virtual Network. See https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=CMD#logs for valid settings.')
Expand Down Expand Up @@ -669,6 +683,8 @@ module diagnostics 'modules/diagnostics.bicep' = {
deploymentNameSuffix: deploymentNameSuffix
firewallDiagnosticsLogs: firewallDiagnosticsLogs
firewallDiagnosticsMetrics: firewallDiagnosticsMetrics
KeyVaultName: customerManagedKeys.outputs.KeyVaultName
keyVaultDiagnosticLogs: KeyVaultDiagnosticsLogs
logAnalyticsWorkspaceResourceId: monitoring.outputs.logAnalyticsWorkspaceResourceId
networks: logic.outputs.networks
networkSecurityGroupDiagnosticsLogs: hubNetworkSecurityGroupDiagnosticsLogs
Expand Down
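Review bot: The new parameter `KeyVaultDiagnosticsLogs` and the module argument `KeyVaultName` are PascalCase, while every neighbouring parameter in this file is camelCase (`identityNetworkSecurityGroupDiagnosticsMetrics`, `firewallDiagnosticsLogs`), and the diagnostics module receives the same array under a third spelling, `keyVaultDiagnosticLogs`. Renaming to `param keyVaultDiagnosticsLogs array = [ ... ]` and `keyVaultName: customerManagedKeys.outputs.keyVaultName` before the template is recompiled keeps the inconsistency out of mlz.json. Separately, the firewall and NSG settings come as logs/metrics pairs, but no `keyVaultDiagnosticsMetrics` parameter is introduced, so Key Vault metrics are not collected unless that is deliberate; a short note in the `@description` would settle it. The `module diagnostics` block starts and ends outside the hunk.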
114 changes: 110 additions & 4 deletions src/bicep/mlz.json
Expand Up @@ -5,7 +5,7 @@
"_generator": {
"name": "bicep",
"version": "0.26.54.24096",
"templateHash": "459691962602818850"
"templateHash": "8272435085123749899"
}
},
"parameters": {
Expand Down Expand Up @@ -395,6 +395,22 @@
"description": "An array of Network Security Group Metrics to apply to enable for the Identity Virtual Network. See https://docs.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings?tabs=CMD#metrics for valid settings."
}
},
"KeyVaultDiagnosticsLogs": {
"type": "array",
"defaultValue": [
{
"category": "AuditEvent",
"enabled": true
},
{
"category": "AzurePolicyEvaluationDetails",
"enabled": true
}
],
"metadata": {
"description": "An array of Key Vault Diagnostic Logs categories to collect. See \"https://learn.microsoft.com/en-us/azure/key-vault/general/logging?tabs=Vault\" for valid values."
}
},
"operationsVirtualNetworkDiagnosticsLogs": {
"type": "array",
"defaultValue": [],
Expand Down Expand Up @@ -4584,7 +4600,7 @@
"_generator": {
"name": "bicep",
"version": "0.26.54.24096",
"templateHash": "528320706664403182"
"templateHash": "3912836360709277206"
}
},
"parameters": {
Expand Down Expand Up @@ -4649,7 +4665,7 @@
"_generator": {
"name": "bicep",
"version": "0.26.54.24096",
"templateHash": "12445413457654566620"
"templateHash": "17697959832977472677"
}
},
"parameters": {
Expand Down Expand Up @@ -4839,6 +4855,10 @@
"type": "string",
"value": "[resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName'))]"
},
"keyVaultName": {
"type": "string",
"value": "[parameters('keyVaultName')]"
},
"keyVaultUri": {
"type": "string",
"value": "[reference(resourceId('Microsoft.KeyVault/vaults', parameters('keyVaultName')), '2022-07-01').vaultUri]"
Expand Down Expand Up @@ -5165,10 +5185,18 @@
"type": "string",
"value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('networkProperties').subscriptionId, parameters('networkProperties').resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-disk-encryption-set_{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.resourceId.value]"
},
"KeyVaultName": {
"type": "string",
"value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('networkProperties').subscriptionId, parameters('networkProperties').resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-key-vault-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.keyVaultName.value]"
},
"keyVaultUri": {
"type": "string",
"value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('networkProperties').subscriptionId, parameters('networkProperties').resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-key-vault-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.keyVaultUri.value]"
},
"keyVaultResourceId": {
"type": "string",
"value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('networkProperties').subscriptionId, parameters('networkProperties').resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-key-vault-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.keyVaultResourceId.value]"
},
"storageKeyName": {
"type": "string",
"value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', parameters('networkProperties').subscriptionId, parameters('networkProperties').resourceGroupName), 'Microsoft.Resources/deployments', format('deploy-key-vault-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.storageKeyName.value]"
Expand Down Expand Up @@ -7276,6 +7304,12 @@
"firewallDiagnosticsMetrics": {
"value": "[parameters('firewallDiagnosticsMetrics')]"
},
"KeyVaultName": {
"value": "[reference(subscriptionResourceId('Microsoft.Resources/deployments', format('deploy-cmk-hub-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.KeyVaultName.value]"
},
"keyVaultDiagnosticLogs": {
"value": "[parameters('KeyVaultDiagnosticsLogs')]"
},
"logAnalyticsWorkspaceResourceId": {
"value": "[reference(subscriptionResourceId('Microsoft.Resources/deployments', format('deploy-monitoring-{0}', parameters('deploymentNameSuffix'))), '2022-09-01').outputs.logAnalyticsWorkspaceResourceId.value]"
},
Expand Down Expand Up @@ -7314,7 +7348,7 @@
"_generator": {
"name": "bicep",
"version": "0.26.54.24096",
"templateHash": "11489480336272395502"
"templateHash": "49100111797787087"
}
},
"parameters": {
Expand All @@ -7327,6 +7361,12 @@
"firewallDiagnosticsMetrics": {
"type": "array"
},
"KeyVaultName": {
"type": "string"
},
"keyVaultDiagnosticLogs": {
"type": "array"
},
"logAnalyticsWorkspaceResourceId": {
"type": "string"
},
Expand Down Expand Up @@ -7835,11 +7875,77 @@
}
}
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2022-09-01",
"name": "[format('deploy-kv-diags-{0}', parameters('deploymentNameSuffix'))]",
"subscriptionId": "[variables('hubSubscriptionId')]",
"resourceGroup": "[variables('hubResourceGroupName')]",
"properties": {
"expressionEvaluationOptions": {
"scope": "inner"
},
"mode": "Incremental",
"parameters": {
"logAnalyticsWorkspaceResourceId": {
"value": "[parameters('logAnalyticsWorkspaceResourceId')]"
},
"logs": {
"value": "[parameters('keyVaultDiagnosticLogs')]"
},
"keyVaultstorageAccountId": {
"value": "[parameters('storageAccountResourceIds')[0]]"
},
"name": {
"value": "[parameters('KeyVaultName')]"
}
},
"template": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.26.54.24096",
"templateHash": "9848944155815832346"
}
},
"parameters": {
"logAnalyticsWorkspaceResourceId": {
"type": "string"
},
"logs": {
"type": "array"
},
"name": {
"type": "string"
},
"keyVaultstorageAccountId": {
"type": "string"
}
},
"resources": [
{
"type": "Microsoft.Insights/diagnosticSettings",
"apiVersion": "2017-05-01-preview",
"scope": "[format('Microsoft.KeyVault/vaults/{0}', parameters('name'))]",
"name": "[format('{0}-diagnostics', parameters('name'))]",
"properties": {
"storageAccountId": "[parameters('keyVaultstorageAccountId')]",
"workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]",
"logs": "[parameters('logs')]"
}
}
]
}
}
}
]
}
},
"dependsOn": [
"[subscriptionResourceId('Microsoft.Resources/deployments', format('deploy-cmk-hub-{0}', parameters('deploymentNameSuffix')))]",
"[subscriptionResourceId('Microsoft.Resources/deployments', format('get-logic-{0}', parameters('deploymentNameSuffix')))]",
"[subscriptionResourceId('Microsoft.Resources/deployments', format('deploy-monitoring-{0}', parameters('deploymentNameSuffix')))]",
"[subscriptionResourceId('Microsoft.Resources/deployments', format('deploy-networking-{0}', parameters('deploymentNameSuffix')))]",
Expand Down
2 changes: 2 additions & 0 deletions src/bicep/modules/customer-managed-keys.bicep
Expand Up @@ -49,6 +49,8 @@ module userAssignedIdentity 'user-assigned-identity.bicep' = {
}

output diskEncryptionSetResourceId string = diskEncryptionSet.outputs.resourceId
output KeyVaultName string = keyVault.outputs.keyVaultName
output keyVaultUri string = keyVault.outputs.keyVaultUri
output keyVaultResourceId string = keyVault.outputs.keyVaultResourceId
output storageKeyName string = keyVault.outputs.storageKeyName
output userAssignedIdentityResourceId string = userAssignedIdentity.outputs.resourceId
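Review bot: `output KeyVaultName` is the only PascalCase output in this module; its siblings `keyVaultUri`, `keyVaultResourceId` and `storageKeyName` are camelCase, and the value it wraps is already called `keyVault.outputs.keyVaultName`. `output keyVaultName string = keyVault.outputs.keyVaultName` keeps the output list uniform and matches the inner module's own name for it. Callers in mlz.bicep and the compiled mlz.json reference the PascalCase spelling, so they would need the same one-word change. The module body begins above the hunk.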
13 changes: 13 additions & 0 deletions src/bicep/modules/diagnostics.bicep
Expand Up @@ -3,6 +3,8 @@ targetScope = 'subscription'
param deploymentNameSuffix string
param firewallDiagnosticsLogs array
param firewallDiagnosticsMetrics array
param KeyVaultName string
param keyVaultDiagnosticLogs array
param logAnalyticsWorkspaceResourceId string
param networks array
param networkSecurityGroupDiagnosticsLogs array
Expand Down Expand Up @@ -89,3 +91,14 @@ module firewallDiagnostics '../modules/firewall-diagnostics.bicep' = {
name: hub.firewallName
}
}

module keyvaultDiagnostics '../modules/key-vault-diagnostics.bicep' = {
name: 'deploy-kv-diags-${deploymentNameSuffix}'
scope: resourceGroup(hubSubscriptionId, hubResourceGroupName)
params: {
logAnalyticsWorkspaceResourceId: logAnalyticsWorkspaceResourceId
logs: keyVaultDiagnosticLogs
keyVaultstorageAccountId: storageAccountResourceIds[0]
name: KeyVaultName
}
}
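Review bot: `keyVaultstorageAccountId: storageAccountResourceIds[0]` pins the archive destination for the vault's audit trail to whichever storage account happens to be first in the array, with nothing stating why index 0 is the hub's; `storageAccountResourceIds` is declared above the hunk, so its ordering contract is not visible here, and an empty array fails at index time with no clearer message. Key Vault `AuditEvent` is the record of every secret, key and certificate access, so landing it in the wrong subscription's storage account would be a quiet detection gap rather than a loud failure. The `firewallDiagnostics` module above already works from a `hub` object (`hub.firewallName`), so if the network objects carry a storage account id, deriving it from `hub` is safer; failing that, document the assumption: `// storageAccountResourceIds[0] is the hub archive account; the array is built hub-first -- TODO confirm against the logic module`. `param KeyVaultName` is also the only PascalCase parameter in this module.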
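--- /dev/null
+++ b/src/bicep/modules/key-vault-diagnostics.bicep
@@ -0,0 +1,23 @@
+/*
+Copyright (c) Microsoft Corporation.
+Licensed under the MIT License.
+*/
+
+param logAnalyticsWorkspaceResourceId string
+param logs array
+param name string
+param keyVaultstorageAccountId string
+
+resource keyvault 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
+  name: name
+}
+
+resource diagnostics 'Microsoft.Insights/diagnosticSettings@2017-05-01-preview' = {
+  scope: keyvault
+  name: '${keyvault.name}-diagnostics'
+  properties: {
+    storageAccountId: keyVaultstorageAccountId
+    workspaceId: logAnalyticsWorkspaceResourceId
+    logs: logs
+  }
+}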
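Review bot: `logs` is passed straight through to the diagnostic setting with no `@description` and no guard, so a caller supplying `[]` silently drops `AuditEvent`, the only category that records secret, key and certificate operations on the vault, and nothing in this module configures `metrics`, unlike the firewall and NSG modules that take a separate metrics array. Every parameter in the new module is undocumented; at minimum `logs` deserves `@description('Diagnostic log categories to forward. AuditEvent should remain enabled: it is the access-audit trail for this vault.')`, with one-line descriptions on the other three. The parameter name `keyVaultstorageAccountId` has a lowercase `s` where the rest of the file writes `storageAccount` in camelCase; `keyVaultStorageAccountId` reads as intended and would need the same change at the call site in diagnostics.bicep.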
1 change: 1 addition & 0 deletions src/bicep/modules/key-vault.bicep
Expand Up @@ -144,5 +144,6 @@ resource key_storageAccounts 'Microsoft.KeyVault/vaults/keys@2022-07-01' = {

output keyUriWithVersion string = key_disks.properties.keyUriWithVersion
output keyVaultResourceId string = vault.id
output keyVaultName string = vault.name
output keyVaultUri string = vault.properties.vaultUri
output storageKeyName string = key_storageAccounts.name