From 20ee861e06a41217504a22b4ffb8897549f65b74 Mon Sep 17 00:00:00 2001 From: "Jim Britt (AZURE CXP API)" Date: Wed, 10 Nov 2021 11:40:53 -0800 Subject: [PATCH 1/7] Updates for Azure Diags to support CategoryGroups --- AzureMonitor/Scripts/Create-AzDiagPolicy.ps1 | 44 ++++++++++++++------ 1 file changed, 31 insertions(+), 13 deletions(-) diff --git a/AzureMonitor/Scripts/Create-AzDiagPolicy.ps1 b/AzureMonitor/Scripts/Create-AzDiagPolicy.ps1 index 4f1af2f..9e36239 100644 --- a/AzureMonitor/Scripts/Create-AzDiagPolicy.ps1 +++ b/AzureMonitor/Scripts/Create-AzDiagPolicy.ps1 @@ -1,6 +1,6 @@ <#PSScriptInfo -.VERSION 2.9 +.VERSION 3.0 .GUID e0962947-bf3c-4ed4-be3b-39cb7f6348c6 @@ -628,7 +628,7 @@ function Get-ResourceType ( if($R.properties.categoryType -eq "Logs") { $Logs = $true - $Categories += $r.name + #$Categories += $r.name } } $Kind = $Resource.kind @@ -668,13 +668,13 @@ function Add-IndexNumberToArray ( #Build the Log Array for each Resource Type function New-LogArray ( - [Parameter(Mandatory=$True)] - [array]$logCategories, +# [Parameter(Mandatory=$True)] +# [array]$logCategories, [Parameter(Mandatory=$False)] $Dedicated ) { - $logsArray += ' + <#$logsArray += ' "logs": [' foreach ($element in $logCategories) { $logsArray += " @@ -683,6 +683,20 @@ function New-LogArray `"enabled`": `"[parameters('logsEnabled')]`" }," } + $logsArray = $logsArray.Substring(0,$logsArray.Length-1) + $logsArray += ' + ]'#> + + # Updated to change logic supporting categoryGroup for AllLogs + $logsArray += ' + "logs": [' + +$logsArray += " + { + `"categoryGroup`": `"AllLogs`", + `"enabled`": `"[parameters('logsEnabled')]`" + }," + $logsArray = $logsArray.Substring(0,$logsArray.Length-1) $logsArray += ' ]' 
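Review bot: New-LogArray still strips a trailing comma with `$logsArray = $logsArray.Substring(0,$logsArray.Length-1)` even though the loop that produced a variable number of entries is gone and the array now holds exactly one fixed `allLogs` object; emit that object without the trailing comma, drop the Substring call, and initialise `$logsArray = ''` instead of relying on `+=` against an undefined variable. `$Dedicated` is still accepted but nothing in the hunk reads it — the function body continues past the hunk, so it may be consumed further down. A caveat worth recording in a comment: `categoryGroup` is presumably only honoured by resource types that advertise category groups in diagnosticSettingsCategories, and since the script no longer looks at the categories it fetched, a definition generated for a type without them would only fail at remediation time with nothing warning the operator.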
@@ -855,7 +869,7 @@ $JSONRULES = @' "resources": [ { "type": "/providers/diagnosticSettings", - "apiVersion": "2017-05-01-preview", + "apiVersion": "2021-05-01-preview", "name": "[concat(parameters('name'), '/', 'Microsoft.Insights/', parameters('profileName'))]", "properties": { "workspaceId": "[parameters('logAnalytics')]", @@ -1014,7 +1028,7 @@ $JSONRULES = @' "resources": [ { "type": "/providers/diagnosticSettings", - "apiVersion": "2017-05-01-preview", + "apiVersion": "2021-05-01-preview", "name": "[concat(parameters('name'), '/', 'Microsoft.Insights/', parameters('profileName'))]", "location": "[parameters('location')]", "properties": { @@ -1294,7 +1308,7 @@ $initParams = @' } } '@ - +# Updated APIVersion for Azure Diags to change logic supporting categoryGroup of AllLogs $JSONRULES = @' { "if": { @@ -1365,7 +1379,7 @@ $JSONRULES = @' "resources": [ { "type": "/providers/diagnosticSettings", - "apiVersion": "2017-05-01-preview", + "apiVersion": "2021-05-01-preview", "name": "[concat(parameters('name'), '/', 'Microsoft.Insights/', parameters('profileName'))]", "location": "[parameters('location')]", "properties": { @@ -1607,7 +1621,7 @@ $initParams = @' } } '@ - +# Updated APIVersion for Azure Diags to change logic supporting categoryGroup of AllLogs $JSONRULES = @' { "if": { @@ -1675,7 +1689,7 @@ $JSONRULES = @' "resources": [ { "type": "/providers/diagnosticSettings", - "apiVersion": "2017-05-01-preview", + "apiVersion": "2021-05-01-preview", "name": "[concat(parameters('name'), '/', 'Microsoft.Insights/', parameters('profileName'))]", "location": "[parameters('location')]", "properties": { 
@@ -2310,7 +2324,9 @@ IF($($ExportEH) -or ($ExportLA) -or ($ExportStorage)) if($Type.logs) { $Logcategories = $Type.Categories - $logsArray = New-LogArray $Logcategories -Dedicated $Dedicated + #$logsArray = New-LogArray $Logcategories -Dedicated $Dedicated + # Removed LogCategories given we already know we want all categories - no need to analyze + $logsArray = New-LogArray -Dedicated $Dedicated } if($Type.metrics) { @@ -2580,7 +2596,9 @@ IF($($ExportEH) -or ($ExportLA) -or ($ExportStorage)) if($DiagnosticCapable[$ResourceTypeToProcess -1].Logs) { $logcategories = $DiagnosticCapable[$ResourceTypeToProcess -1].Categories - $logsArray = New-LogArray $Logcategories -Dedicated $Dedicated + #$logsArray = New-LogArray $Logcategories -Dedicated $Dedicated + # Removed LogCategories given we already know we want all categories - no need to analyze + $logsArray = New-LogArray -Dedicated $Dedicated } else { From 2f38f1b0bfd8d46ab27df3a891657c04913eda73 Mon Sep 17 00:00:00 2001 From: "Jim Britt (AZURE CXP API)" Date: Wed, 10 Nov 2021 14:23:28 -0800 Subject: [PATCH 2/7] Updates for Azure Diags to support CategoryGroups --- AzureMonitor/Scripts/Create-AzDiagPolicy.ps1 | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/AzureMonitor/Scripts/Create-AzDiagPolicy.ps1 b/AzureMonitor/Scripts/Create-AzDiagPolicy.ps1 index 9e36239..b2165d6 100644 --- a/AzureMonitor/Scripts/Create-AzDiagPolicy.ps1 +++ b/AzureMonitor/Scripts/Create-AzDiagPolicy.ps1 @@ -687,13 +687,13 @@ function New-LogArray $logsArray += ' ]'#> - # Updated to change logic supporting categoryGroup for AllLogs + # Updated to change logic supporting categoryGroup for allLogs $logsArray += ' "logs": [' $logsArray += " { - `"categoryGroup`": `"AllLogs`", + `"categoryGroup`": `"allLogs`", `"enabled`": `"[parameters('logsEnabled')]`" }," 
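Review bot: `$Logcategories = $Type.Categories` (and `$logcategories = $DiagnosticCapable[$ResourceTypeToProcess -1].Categories` in the second hunk) is now a dead assignment, because the value is no longer passed to New-LogArray; remove both lines together with the commented-out old call rather than leaving an explanatory comment beside dead code. Both hunks are slices of an export loop whose start and end lie outside the hunk.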
@@ -1308,7 +1308,7 @@ $initParams = @' } } '@ -# Updated APIVersion for Azure Diags to change logic supporting categoryGroup of AllLogs +# Updated APIVersion for Azure Diags to change logic supporting categoryGroup of allLogs $JSONRULES = @' { "if": { @@ -1621,7 +1621,7 @@ $initParams = @' } } '@ -# Updated APIVersion for Azure Diags to change logic supporting categoryGroup of AllLogs +# Updated APIVersion for Azure Diags to change logic supporting categoryGroup of allLogs $JSONRULES = @' { "if": { From 5cfd847d452714af1d4a6361594e446edb3d8dfd Mon Sep 17 00:00:00 2001 From: "Jim Britt (AZURE CXP API)" Date: Fri, 12 Nov 2021 16:44:40 -0800 Subject: [PATCH 3/7] Updates to script to support storage proxy resources as wel --- AzureMonitor/Scripts/Create-AzDiagPolicy.ps1 | 95 ++++++++++++-------- 1 file changed, 58 insertions(+), 37 deletions(-) diff --git a/AzureMonitor/Scripts/Create-AzDiagPolicy.ps1 b/AzureMonitor/Scripts/Create-AzDiagPolicy.ps1 index b2165d6..7b9240a 100644 --- a/AzureMonitor/Scripts/Create-AzDiagPolicy.ps1 +++ b/AzureMonitor/Scripts/Create-AzDiagPolicy.ps1 
@@ -26,21 +26,21 @@ https://github.com/JimGBritt/AzurePolicy/tree/master/AzureMonitor/Scripts .EXTERNALSCRIPTDEPENDENCIES .RELEASENOTES -September 07, 2021 2.9 +November 11, 2021 3.0 Update - * Updated the API version for both below types. This was recently caught with the help - of ARM TTK: https://github.com/Azure/arm-ttk indicating an old version of an API for Azure Policy - within the ARM template that is generated as part of this script. - - "type": "Microsoft.Authorization/policyDefinitions", - "apiVersion": "2020-09-01" - - and + * This version now supports CategoryGroup allLogs which enables a customer to no longer + be required to pay attention to individual categories for diagnostics and ensures that all + logs are being sent always. + + See: https://docs.microsoft.com/en-us/rest/api/monitor/diagnostic-settings/create-or-update#logsettings + and https://docs.microsoft.com/en-us/rest/api/monitor/diagnostic-settings-category/get#examples - "type": "Microsoft.Authorization/policySetDefinitions", - "apiVersion": "2020-09-01" + * Now supported are Azure Storage Proxy ResourceType Policy Definition Exports! Please leverage + "-ExportStorageProxyDefinitions" parameter switch to enable exporting these definitions. This is supported + on both individual policy exports or the ARM Template export for a Policy Initiative. - **NOTE**: Previous API version leveraged was 2019-09-01 + Proxy ResoureceTypes: Azure Storage blob/queue/table/file + #> <# 
@@ -132,7 +132,9 @@ September 07, 2021 2.9 .PARAMETER Dedicated This parameter allows you to specify a dedicated table for Azure Diagnostics for those ResourceTypes that support it - + +.PARAMETER ExportStorageProxyDefinitions + This parameter allows you to export policies to support proxy resources of Azure Storage Accounts (blobs, queues, tables, files) .EXAMPLE .\Create-AzDiagPolicy.ps1 -SubscriptionId "fd2323a9-2324-4d2a-90f6-7e6c2fe03512" -ResourceType "Microsoft.Sql/servers/databases" -ResourceGroup "RGName" -ExportLA -ExportEH @@ -149,6 +151,11 @@ September 07, 2021 2.9 Will prompt for subscriptionID to leverage for analysis, prompt for which resourceTypes to export for policies, and export the policies specific to Log Analytics only +.EXAMPLE + .\Create-AzDiagPolicy.ps1 -ExportLA -ExportAll -ExportStorageProxyDefinitions + Will prompt for subscriptionID to leverage for analysis, export all the policies specific to Log Analytics only, and will export the Storage Proxy + resources policy definitions as well (blob, table, queue, file) + .EXAMPLE .\Create-AzDiagPolicy.ps1 -ExportEH Will prompt for subscriptionID to leverage for analysis, prompt for which resourceTypes to export for policies, and export the policies specific 
@@ -221,7 +228,22 @@ September 07, 2021 2.9 .NOTES AUTHOR: Jim Britt Principal Program Manager - Azure CXP API (Azure Product Improvement) - LASTEDIT: September 07, 2021 2.9 + LASTEDIT: November 11, 2021 3.0 + Update + * This version now supports CategoryGroup allLogs which enables a customer to no longer + be required to pay attention to individual categories for diagnostics and ensures that all + logs are being sent always. + + See: https://docs.microsoft.com/en-us/rest/api/monitor/diagnostic-settings/create-or-update#logsettings + and https://docs.microsoft.com/en-us/rest/api/monitor/diagnostic-settings-category/get#examples + + * Now supported are Azure Storage Proxy ResourceType Policy Definition Exports! Please leverage + "-ExportStorageProxyDefinitions" parameter switch to enable exporting these definitions. This is supported + on both individual policy exports or the ARM Template export for a Policy Initiative. + + Proxy ResoureceTypes: Azure Storage blob/queue/table/file + + September 07, 2021 2.9 Minor Update * Updated the API version for both below types. This was recently caught with the help of ARM TTK: https://github.com/Azure/arm-ttk indicating an old version of an API for Azure Policy @@ -499,6 +521,9 @@ param # When switch is used, only Azure Policies to capture logs will be exported (metric only resources bypassed) [switch]$LogPolicyOnly=$False, + # When switch is used, Azure Storage Proxy Resource appropriate policy definitions will be exported (table, file, queue, blob) + [switch]$ExportStorageProxyDefinitions=$False, + # AllRegions switch to allow log Analytics to use all regions instead of being region sensitive [switch]$AllRegions=$False, @@ -628,7 +653,6 @@ function Get-ResourceType ( if($R.properties.categoryType -eq "Logs") { $Logs = $true - #$Categories += $r.name } } $Kind = $Resource.kind 
@@ -642,6 +666,21 @@ function Get-ResourceType ( } } } + # If you opted to export the storage proxy policy definitions via the switch, this logic will add those to the export array + If($ExportStorageProxyDefinitions) + { + $StorageProxyArray = @() + # Will need to update this if we ever have new storage proxies added by the storage team (or removed) + $StorageProxyArray = ("Microsoft.Storage/storageAccounts/blobServices","Microsoft.Storage/storageAccounts/queueServices","Microsoft.Storage/storageAccounts/fileServices","Microsoft.Storage/storageAccounts/tableServices") + + Foreach($StorageProxy in $StorageProxyArray) + { + $object = New-Object -TypeName PSObject -Property @{'ResourceType' = $StorageProxy; 'Metrics' = "True"; 'Logs' = "True"; 'Categories' = $Categories; 'Kind' = ""} + $analysis += $object # adds to the already created Analysis array we have + } + } + + # Return the list of supported resources # Add the "ALL" option to the tail of the analysis array if we are only going against one subscription if($SubscriptionId) @@ -668,25 +707,11 @@ function Add-IndexNumberToArray ( #Build the Log Array for each Resource Type function New-LogArray ( -# [Parameter(Mandatory=$True)] -# [array]$logCategories, + [Parameter(Mandatory=$False)] $Dedicated ) { - <#$logsArray += ' - "logs": [' - foreach ($element in $logCategories) { - $logsArray += " - { - `"category`": `"$element`", - `"enabled`": `"[parameters('logsEnabled')]`" - }," - } - $logsArray = $logsArray.Substring(0,$logsArray.Length-1) - $logsArray += ' - ]'#> - # Updated to change logic supporting categoryGroup for allLogs $logsArray += ' "logs": [' @@ -1080,7 +1105,7 @@ if(!($ExportInitiative)) $JSONVar = $JSONVar + $JSONType + @' "properties": { "displayName": "", - "mode": "Indexed", + "mode": "All", "description": "This policy automatically deploys diagnostic settings to .", "metadata": { "category": "Monitoring" 
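Review bot: The storage-proxy entries are created with `'Metrics' = "True"; 'Logs' = "True"` as strings, while every other analysis entry carries the `[bool]` `$metrics`/`$logs` values; any non-empty string is truthy in PowerShell (`if("False")` is true), so the downstream `if($Type.logs)` checks work here only by coincidence — use `$true`. `'Categories' = $Categories` also captures whatever the last loop iteration left in `$Categories`, which is misleading even though New-LogArray no longer reads it; pass `@()` instead. The hard-coded list is acknowledged in the comment; it would help to also state there that these proxy types are presumably why the definitions' policy mode is changed to `All` later in this patch.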
@@ -1434,7 +1459,7 @@ if(!($ExportInitiative)) $JSONVar = $JSONVar + $JSONType + @' "properties": { "displayName": "", - "mode": "Indexed", + "mode": "All", "description": "This policy automatically deploys diagnostic settings to .", "metadata": { "category": "Monitoring" @@ -1740,7 +1765,7 @@ if(!($ExportInitiative)) $JSONVar = $JSONVar + $JSONType + @' "properties": { "displayName": "", - "mode": "Indexed", + "mode": "All", "description": "This policy automatically deploys diagnostic settings to .", "metadata": { "category": "Monitoring" @@ -2324,8 +2349,6 @@ IF($($ExportEH) -or ($ExportLA) -or ($ExportStorage)) if($Type.logs) { $Logcategories = $Type.Categories - #$logsArray = New-LogArray $Logcategories -Dedicated $Dedicated - # Removed LogCategories given we already know we want all categories - no need to analyze $logsArray = New-LogArray -Dedicated $Dedicated } if($Type.metrics) @@ -2596,8 +2619,6 @@ IF($($ExportEH) -or ($ExportLA) -or ($ExportStorage)) if($DiagnosticCapable[$ResourceTypeToProcess -1].Logs) { $logcategories = $DiagnosticCapable[$ResourceTypeToProcess -1].Categories - #$logsArray = New-LogArray $Logcategories -Dedicated $Dedicated - # Removed LogCategories given we already know we want all categories - no need to analyze $logsArray = New-LogArray -Dedicated $Dedicated } else From 647728175c62f55b32af4424aad9b1c2d4e322b0 Mon Sep 17 00:00:00 2001 From: "Jim Britt (AZURE CXP API)" Date: Tue, 30 Nov 2021 08:17:46 -0800 Subject: [PATCH 4/7] Updates for Azure Diags to support CategoryGroups and storage Proxies --- AzureMonitor/Scripts/Create-AzDiagPolicy.ps1 | 162 +++++++++++++++---- 1 file changed, 133 insertions(+), 29 deletions(-) diff --git a/AzureMonitor/Scripts/Create-AzDiagPolicy.ps1 b/AzureMonitor/Scripts/Create-AzDiagPolicy.ps1 index 7b9240a..f371309 100644 --- a/AzureMonitor/Scripts/Create-AzDiagPolicy.ps1 +++ b/AzureMonitor/Scripts/Create-AzDiagPolicy.ps1 
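Review bot: Switching every generated definition from `"mode": "Indexed"` to `"mode": "All"` is a broader change than the storage-proxy feature it ships with, and the hunk carries no comment explaining it; `Indexed` limits evaluation to resource types that support tags and location, so `All` is presumably needed for the `Microsoft.Storage/storageAccounts/*Services` proxy types, but it now applies to every non-proxy definition the script exports as well. A one-line comment above the here-string, e.g. `# mode All: storage proxy resource types (blob/queue/table/file services) are not indexed resources`, would record the reason; if the wider effect is unintended, emit `All` only for the proxy types.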
@@ -26,8 +26,16 @@ https://github.com/JimGBritt/AzurePolicy/tree/master/AzureMonitor/Scripts .EXTERNALSCRIPTDEPENDENCIES .RELEASENOTES -November 11, 2021 3.0 +November 30, 2021 3.0 Update + Kudos to collaborators in this update! + Senthuran Sivananthan (Principal Cloud Solution Architect at Microsoft) https://github.com/SenthuranSivananthan + for raising up an immediate bug found preventing proper evaluation of categoryGroup compliance. Thank you! + + Thank you to David Coulter (SR Program Manager at Microsoft and a frequent collaborator) https://github.com/DCtheGeek + for his big brain and support in working out the additional logic for CategoryGroup existence conditions in the Policy + analysis. Without your support, this would have taken way longer so thank you :). + * This version now supports CategoryGroup allLogs which enables a customer to no longer be required to pay attention to individual categories for diagnostics and ensures that all logs are being sent always. 
@@ -228,8 +236,16 @@ November 11, 2021 3.0 .NOTES AUTHOR: Jim Britt Principal Program Manager - Azure CXP API (Azure Product Improvement) - LASTEDIT: November 11, 2021 3.0 + LASTEDIT: November 30, 2021 3.0 Update + Kudos to collaborators in this update! + Senthuran Sivananthan (Principal Cloud Solution Architect at Microsoft) https://github.com/SenthuranSivananthan + for raising up an immediate bug found preventing proper evaluation of categoryGroup compliance. Thank you! + + Thank you to David Coulter (SR Program Manager at Microsoft and a frequent collaborator) https://github.com/DCtheGeek + for his big brain and support in working out the additional logic for CategoryGroup existence conditions in the Policy + analysis. Without your support, this would have taken way longer so thank you :). + * This version now supports CategoryGroup allLogs which enables a customer to no longer be required to pay attention to individual categories for diagnostics and ensures that all logs are being sent always. 
@@ -850,20 +866,44 @@ $JSONRULES = @' "type": "Microsoft.Insights/diagnosticSettings", "existenceCondition": { "allOf": [ + { + "anyOf": [ { - "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", - "equals": "[parameters('LogsEnabled')]" - }, - { - "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", - "equals": "[parameters('MetricsEnabled')]" + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]" + }, + "equals": 0 }, { - "field": "Microsoft.Insights/diagnosticSettings/workspaceId", - "equals": "[parameters('logAnalytics')]" - } + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[parameters('LogsEnabled')]" + }, + { + "field": "microsoft.insights/diagnosticSettings/logs[*].categoryGroup", + "equals": "allLogs" + } + ] + } + }, + "equals": 1 + } + ] + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics[*].enabled", + "equals": "[parameters('MetricsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } ] - }, + }, "roleDefinitionIds": [ "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293" ], 
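Review bot: The new `anyOf` treats a diagnostic setting with zero log entries (`count` of `logs[*]` `equals 0`) as satisfying the existence condition, so a setting that points at the right workspace but ships no logs at all is evaluated compliant and never remediated — the opposite of the "all logs are being sent always" goal in the release notes. If that branch exists for resource types whose settings legitimately carry no log entries, say so in the definition's `description`; otherwise drop it and keep only the `allLogs` count branch. Note also that `"equals": 1` demands exactly one allLogs entry, which matches what the script deploys, while the metrics check still uses a bare `metrics[*].enabled` field condition rather than a count, so the two halves of the condition have different semantics.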
@@ -1006,18 +1046,42 @@ $JSONRULES = @' "type": "Microsoft.Insights/diagnosticSettings", "existenceCondition": { "allOf": [ + { + "anyOf": [ { - "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", - "equals": "[parameters('LogsEnabled')]" - }, - { - "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", - "equals": "[parameters('MetricsEnabled')]" + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]" + }, + "equals": 0 }, { - "field": "Microsoft.Insights/diagnosticSettings/workspaceId", - "equals": "[parameters('logAnalytics')]" - } + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[parameters('LogsEnabled')]" + }, + { + "field": "microsoft.insights/diagnosticSettings/logs[*].categoryGroup", + "equals": "allLogs" + } + ] + } + }, + "equals": 1 + } + ] + }, + { + "field": "Microsoft.Insights/diagnosticSettings/metrics[*].enabled", + "equals": "[parameters('MetricsEnabled')]" + }, + { + "field": "Microsoft.Insights/diagnosticSettings/workspaceId", + "equals": "[parameters('logAnalytics')]" + } ] }, "roleDefinitionIds": [ 
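Review bot: This is a verbatim copy of the existence condition added to the first Log Analytics definition and inherits the same gap, a diagnostic setting with no log entries passing via the `count` of `logs[*]` `equals 0` branch. Since the four JSONRULES here-strings now share this ~30-line block, consider building it once in a PowerShell variable and splicing it into each here-string so a later fix lands in every variant at once. The here-string continues outside the hunk.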
@@ -1354,13 +1418,33 @@ $JSONRULES = @' "type": "Microsoft.Insights/diagnosticSettings", "existenceCondition": { "allOf": [ + { + "anyOf": [ { - "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", - "equals": "[parameters('logsEnabled')]" + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]" + }, + "equals": 0 }, { - "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", - "equals": "[parameters('metricsEnabled')]" + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[parameters('LogsEnabled')]" + }, + { + "field": "microsoft.insights/diagnosticSettings/logs[*].categoryGroup", + "equals": "allLogs" + } + ] + } + }, + "equals": 1 + } + ] }, { "field": "Microsoft.Insights/diagnosticSettings/eventHubName", @@ -1667,13 +1751,33 @@ $JSONRULES = @' "type": "Microsoft.Insights/diagnosticSettings", "existenceCondition": { "allOf": [ + { + "anyOf": [ { - "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", - "equals": "[parameters('logsEnabled')]" + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]" + }, + "equals": 0 }, { - "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled", - "equals": "[parameters('metricsEnabled')]" + "count": { + "field": "Microsoft.Insights/diagnosticSettings/logs[*]", + "where": { + "allOf": [ + { + "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled", + "equals": "[parameters('LogsEnabled')]" + }, + { + "field": "microsoft.insights/diagnosticSettings/logs[*].categoryGroup", + "equals": "allLogs" + } + ] + } + }, + "equals": 1 + } + ] }, { "field": "Microsoft.Insights/diagnosticSettings/storageAccountId", From a05332a549e8e7f38f43d8f9e648abfda398f367 Mon Sep 17 00:00:00 2001 
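Review bot: In the Event Hub and Storage variants the added `where` clause references `parameters('LogsEnabled')` while the lines it replaces used `parameters('logsEnabled')`; ARM parameter lookups are case-insensitive so this resolves, but the declared parameter name lives in the `parameters` section outside the hunk — keep the casing identical to it across all four definitions to avoid confusion. Both hunks also carry the `count` of `logs[*]` `equals 0` branch, so the same "no logs yet compliant" concern raised on the Log Analytics variants applies here.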
From: "Jim Britt (AZURE CXP API)" Date: Sun, 5 Dec 2021 07:48:36 -0800 Subject: [PATCH 5/7] Updates for Dup errors --- AzureMonitor/Scripts/Create-AzDiagPolicy.ps1 | 17 +++++++++++++++-- 1 file changed, 15 insertions(+), 2 deletions(-) diff --git a/AzureMonitor/Scripts/Create-AzDiagPolicy.ps1 b/AzureMonitor/Scripts/Create-AzDiagPolicy.ps1 index f371309..0e66999 100644 --- a/AzureMonitor/Scripts/Create-AzDiagPolicy.ps1 +++ b/AzureMonitor/Scripts/Create-AzDiagPolicy.ps1 @@ -600,6 +600,19 @@ function Get-ResourceType ( If(!($analysis)) { $analysis = @() + # If you opted to export the storage proxy policy definitions via the switch, this logic will add those to the export array + If($ExportStorageProxyDefinitions) + { + $StorageProxyArray = @() + # Will need to update this if we ever have new storage proxies added by the storage team (or removed) + $StorageProxyArray = ("Microsoft.Storage/storageAccounts/blobServices","Microsoft.Storage/storageAccounts/queueServices","Microsoft.Storage/storageAccounts/fileServices","Microsoft.Storage/storageAccounts/tableServices") + + Foreach($StorageProxy in $StorageProxyArray) + { + $object = New-Object -TypeName PSObject -Property @{'ResourceType' = $StorageProxy; 'Metrics' = "True"; 'Logs' = "True"; 'Categories' = $Categories; 'Kind' = ""} + $analysis += $object # adds to the already created Analysis array we have + } + } } $GetScanDetails = @{ @@ -682,7 +695,7 @@ function Get-ResourceType ( } } } - # If you opted to export the storage proxy policy definitions via the switch, this logic will add those to the export array +<# # If you opted to export the storage proxy policy definitions via the switch, this logic will add those to the export array If($ExportStorageProxyDefinitions) { $StorageProxyArray = @() 
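Review bot: Moving the proxy entries into `If(!($analysis))` references `$Categories` before the per-resource loop initialises it (`$Categories =@()` comes later in the function), so the property holds `$null` or whatever an outer scope happens to define; use `@()` explicitly. The old copy is fenced with `<# … #>` instead of deleted — remove it, since Git keeps the history and the duplicate makes Get-ResourceType harder to read. `'Metrics' = "True"; 'Logs' = "True"` are strings where the rest of the function uses `[bool]`; any non-empty string is truthy, so use `$true`.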
@@ -695,7 +708,7 @@ function Get-ResourceType ( $analysis += $object # adds to the already created Analysis array we have } } - +#> # Return the list of supported resources # Add the "ALL" option to the tail of the analysis array if we are only going against one subscription From d874fa5e23365c1140a79ca407562b2d0ac142eb Mon Sep 17 00:00:00 2001 From: "Jim Britt (AZURE CXP API)" Date: Mon, 6 Dec 2021 13:12:27 -0800 Subject: [PATCH 6/7] Updates for Kind menu and improved array logic for diags --- AzureMonitor/Scripts/Create-AzDiagPolicy.ps1 | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/AzureMonitor/Scripts/Create-AzDiagPolicy.ps1 b/AzureMonitor/Scripts/Create-AzDiagPolicy.ps1 index 0e66999..fdb93bf 100644 --- a/AzureMonitor/Scripts/Create-AzDiagPolicy.ps1 +++ b/AzureMonitor/Scripts/Create-AzDiagPolicy.ps1 @@ -26,7 +26,7 @@ https://github.com/JimGBritt/AzurePolicy/tree/master/AzureMonitor/Scripts .EXTERNALSCRIPTDEPENDENCIES .RELEASENOTES -November 30, 2021 3.0 +December 06, 2021 3.0 Update Kudos to collaborators in this update! Senthuran Sivananthan (Principal Cloud Solution Architect at Microsoft) https://github.com/SenthuranSivananthan @@ -49,6 +49,8 @@ November 30, 2021 3.0 Proxy ResoureceTypes: Azure Storage blob/queue/table/file + * Added "Kind" to the Menu that prompts to select ResourceTypes for clarity (many resourceTypes leverage Kind and this + script adds specific policies for each) #> <# @@ -236,7 +238,7 @@ November 30, 2021 3.0 .NOTES AUTHOR: Jim Britt Principal Program Manager - Azure CXP API (Azure Product Improvement) - LASTEDIT: November 30, 2021 3.0 + LASTEDIT: December 06, 2021 3.0 Update Kudos to collaborators in this update! Senthuran Sivananthan (Principal Cloud Solution Architect at Microsoft) https://github.com/SenthuranSivananthan 
@@ -259,6 +261,9 @@ November 30, 2021 3.0 Proxy ResoureceTypes: Azure Storage blob/queue/table/file + * Added "Kind" to the Menu that prompts to select ResourceTypes for clarity (many resourceTypes leverage Kind and this + script adds specific policies for each) + September 07, 2021 2.9 Minor Update * Updated the API version for both below types. This was recently caught with the help @@ -690,8 +695,11 @@ function Get-ResourceType ( catch {} finally { - $object = New-Object -TypeName PSObject -Property @{'ResourceType' = $resource.ResourceType; 'Metrics' = $metrics; 'Logs' = $logs; 'Categories' = $Categories; 'Kind' = $Kind} - $analysis += $object + if(!($Exists)) + { + $object = New-Object -TypeName PSObject -Property @{'ResourceType' = $resource.ResourceType; 'Metrics' = $metrics; 'Logs' = $logs; 'Categories' = $Categories; 'Kind' = $Kind} + $analysis += $object + } } } } @@ -2434,7 +2442,7 @@ IF($($ExportEH) -or ($ExportLA) -or ($ExportStorage)) while($ResourceTypeToProcess -gt $DiagnosticCapable.Count -or $ResourceTypeToProcess -lt 1 -and $ExportALL -ne $True) { Write-Host "The table below are the resource types that support sending diagnostics to Log Analytics and Event Hubs" - $DiagnosticCapable | Select-Object "#", ResourceType, Metrics, Logs |Format-Table + $DiagnosticCapable | Select-Object "#", ResourceType, Metrics, Logs, Kind |Format-Table try { $ResourceTypeToProcess = Read-Host "Please select a number from 1 - $($DiagnosticCapable.count) to create custom policy (select resourceType ALL to create a policy for each RP)" From afbf03725096566b8bf436ff2ea43c498b2039c4 Mon Sep 17 00:00:00 2001 From: "Jim Britt (AZURE CXP CCI)" Date: Fri, 14 Jan 2022 16:29:20 -0800 Subject: [PATCH 7/7] Updates to support categoryGroups --- AzureMonitor/Scripts/Create-AzDiagPolicy.ps1 | 21 +++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) 
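Review bot: The `catch {}` on the diagnosticSettingsCategories call still swallows every failure silently, and the new `if(!($Exists))` in `finally` then records the type with `$metrics`/`$logs` left at `$false`; a throttled (429) or forbidden (403) call therefore looks like "this type supports no diagnostics" and presumably drops out of the export with no warning, which is a quiet coverage gap for a script whose output is audit tooling. Emit at least `catch { Write-Warning "Category lookup failed for $($Resource.ResourceId): $_" }` so the operator can see which types were skipped. The try/catch begins outside the hunk.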
diff --git a/AzureMonitor/Scripts/Create-AzDiagPolicy.ps1 b/AzureMonitor/Scripts/Create-AzDiagPolicy.ps1 index fdb93bf..db1cf4a 100644 --- a/AzureMonitor/Scripts/Create-AzDiagPolicy.ps1 +++ b/AzureMonitor/Scripts/Create-AzDiagPolicy.ps1 @@ -634,11 +634,14 @@ function Get-ResourceType ( $Categories =@(); $metrics = $false #initialize metrics flag to $false $logs = $false #initialize logs flag to $false + $CategoryGroupAllLogs = $false #initialize flag to $false + $CategoryGroupAuditLogs = $false #initialize flag to $false #Establish URI to gather resources # Determine cloud and ensure proper REST Endpoint defined $azEnvironment = Get-AzEnvironment -Name $Environment - $URI = "$($azEnvironment.ResourceManagerUrl)$($Resource.ResourceId.substring(1))/providers/microsoft.insights/diagnosticSettingsCategories/?api-version=2017-05-01-preview" + #$URI = "$($azEnvironment.ResourceManagerUrl)$($Resource.ResourceId.substring(1))/providers/microsoft.insights/diagnosticSettingsCategories/?api-version=2017-05-01-preview" + $URI = "$($azEnvironment.ResourceManagerUrl)$($Resource.ResourceId.substring(1))/providers/microsoft.insights/diagnosticSettingsCategories/?api-version=2021-05-01-preview" #Write-Host "URI: $($URI)" $Exists = $false @@ -688,6 +691,14 @@ function Get-ResourceType ( { $Logs = $true } + If($R.properties.categoryGroups -eq "allLogs") + { + $CategoryGroupAllLogs = $true + } + If($R.properties.categoryGroups -eq "allLogs") + { + $CategoryGroupAuditLogs = $true + } } $Kind = $Resource.kind } 
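Review bot: The second new condition tests `$R.properties.categoryGroups -eq "allLogs"` again but sets `$CategoryGroupAuditLogs`, so the audit flag is set whenever allLogs is present and never for the audit group itself; change it to `If($R.properties.categoryGroups -eq "audit")`. Given the plural name, `categoryGroups` appears to be an array, in which case `-contains "audit"` reads more clearly than relying on `-eq` filtering an array down to a truthy result. The commented-out old `$URI` line can be dropped now that the new api-version is in.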
@@ -697,7 +708,7 @@ function Get-ResourceType ( { if(!($Exists)) { - $object = New-Object -TypeName PSObject -Property @{'ResourceType' = $resource.ResourceType; 'Metrics' = $metrics; 'Logs' = $logs; 'Categories' = $Categories; 'Kind' = $Kind} + $object = New-Object -TypeName PSObject -Property @{'ResourceType' = $resource.ResourceType; 'Metrics' = $metrics; 'Logs' = $logs; 'Categories' = $Categories; 'Kind' = $Kind; 'CategoryGroupAllLogs' = $CategoryGroupAllLogs; 'CategoryGroupAuditLogs' = $CategoryGroupAuditLogs} $analysis += $object } } @@ -722,7 +733,7 @@ function Get-ResourceType ( # Add the "ALL" option to the tail of the analysis array if we are only going against one subscription if($SubscriptionId) { - $object = New-Object -TypeName PSObject -Property @{'ResourceType' = "All"; 'Metrics' = "True"; 'Logs' = "True"; 'Categories' = "Various"; 'Kind' = "Various"} + $object = New-Object -TypeName PSObject -Property @{'ResourceType' = "All"; 'Metrics' = "True"; 'Logs' = "True"; 'Categories' = "Various"; 'Kind' = "Various"; 'CategoryGroupAllLogs' = "Various"; 'CategoryGroupAuditLogs' = "Various"} $analysis += $object } $analysis 
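Review bot: The new `CategoryGroupAllLogs`/`CategoryGroupAuditLogs` properties are carried on each analysis entry, but as far as this patch shows only the selection menu reads them; New-LogArray still emits `categoryGroup: allLogs` unconditionally for every type with Logs set, including ones where `CategoryGroupAllLogs` is `$false`. Gating the export on that flag (or at least warning when it is false) would avoid generating a deployIfNotExists whose remediation cannot succeed on a type that exposes no category groups. The export loop that would need the check lies outside this hunk.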
@@ -2441,8 +2452,8 @@ IF($($ExportEH) -or ($ExportLA) -or ($ExportStorage)) } while($ResourceTypeToProcess -gt $DiagnosticCapable.Count -or $ResourceTypeToProcess -lt 1 -and $ExportALL -ne $True) { - Write-Host "The table below are the resource types that support sending diagnostics to Log Analytics and Event Hubs" - $DiagnosticCapable | Select-Object "#", ResourceType, Metrics, Logs, Kind |Format-Table + Write-Host "The table below are the resource types that support sending diagnostics to Log Analytics, Event Hubs, and Azure Storage" + $DiagnosticCapable | Select-Object "#", ResourceType, Metrics, Logs, Kind, CategoryGroupAllLogs, CategoryGroupAuditLogs |Format-Table try { $ResourceTypeToProcess = Read-Host "Please select a number from 1 - $($DiagnosticCapable.count) to create custom policy (select resourceType ALL to create a policy for each RP)"