From d80fff2c1ef28fa1e8a287a52de8cd9da94dcc47 Mon Sep 17 00:00:00 2001
From: Hugo Ribeiro
Date: Tue, 19 Mar 2024 17:30:37 +0000
Subject: [PATCH 01/13] add 2 Virtual Machines AMA related policies for cross subscription supportability
---
 .../azurepolicy.json | 407 +++++++++++++++++
 .../azurepolicy.parameters.json | 58 +++
 .../azurepolicy.rules.json | 336 ++++++++++++++
 .../azurepolicy.json | 427 ++++++++++++++++++
 .../azurepolicy.parameters.json | 69 +++
 .../azurepolicy.rules.json | 345 ++++++++++++++
 6 files changed, 1642 insertions(+)
 create mode 100644 policyDefinitions/Managed Identity/assign-cross-subscription-user-assigned-managed-identity-to-virtual-machines/azurepolicy.json
 create mode 100644 policyDefinitions/Managed Identity/assign-cross-subscription-user-assigned-managed-identity-to-virtual-machines/azurepolicy.parameters.json
 create mode 100644 policyDefinitions/Managed Identity/assign-cross-subscription-user-assigned-managed-identity-to-virtual-machines/azurepolicy.rules.json
 create mode 100644 policyDefinitions/Monitoring/configure-win-vms-ama-with-cross-subscription-uami/azurepolicy.json
 create mode 100644 policyDefinitions/Monitoring/configure-win-vms-ama-with-cross-subscription-uami/azurepolicy.parameters.json
 create mode 100644 policyDefinitions/Monitoring/configure-win-vms-ama-with-cross-subscription-uami/azurepolicy.rules.json
diff --git a/policyDefinitions/Managed Identity/assign-cross-subscription-user-assigned-managed-identity-to-virtual-machines/azurepolicy.json b/policyDefinitions/Managed Identity/assign-cross-subscription-user-assigned-managed-identity-to-virtual-machines/azurepolicy.json
new file mode 100644
index 00000000..157509d0
--- /dev/null
+++ b/policyDefinitions/Managed Identity/assign-cross-subscription-user-assigned-managed-identity-to-virtual-machines/azurepolicy.json
@@ -0,0 +1,407 @@ +{ + "name": "9b482817-a7f1-42e2-9e93-5ef439610368", + "type": "Microsoft.Authorization/policyDefinitions", + "properties": { + "displayName": "Assign Cross Subscription User-Assigned Managed Identity to Virtual Machines", + "mode": "Indexed", + "description": "Assign User-Assigned Managed Identity that can be located in a different subscription to Virtual Machines.", + "metadata": { + "version": "1.0.0", + "category": "Managed Identity" + }, + "parameters": { + "bringYourOwnUserAssignedManagedIdentity": { + "type": "Boolean", + "metadata": { + "displayName": "Bring Your Own User-Assigned Identity", + "description": "Enable this to use your pre-created user-assigned managed identity. The pre-created identity MUST exist within the subscription otherwise the policy deployment will fail. If enabled, ensure that the User-Assigned Identity Name and Identity Resource Group Name parameters match the pre-created identity. If not enabled, the policy will create per subscription, per resource user-assigned managed identities in a new resource group named 'Built-In-Identity-RG'." + }, + "allowedValues": [ + true, + false + ] + }, + "userAssignedIdentityName": { + "type": "String", + "metadata": { + "displayName": "User-Assigned Managed Identity Name", + "description": "The name of the pre-created user-assigned managed identity." + }, + "defaultValue": "" + }, + "identityResourceGroup": { + "type": "String", + "metadata": { + "displayName": "User-Assigned Managed Identity Resource Group Name", + "description": "The resource group in which the pre-created user-assigned managed identity resides." + }, + "defaultValue": "" + }, + "identitySubscription": { + "type": "String", + "metadata": { + "displayName": "User-Assigned Managed Identity Subscription ID", + "description": "The Subscription id of the pre-created user-assigned managed identity." 
+ }, + "defaultValue": "" + }, + "builtInIdentityResourceGroupLocation": { + "type": "String", + "metadata": { + "displayName": "Built-In-Identity-RG Location", + "description": "The location of the resource group 'Built-In-Identity-RG' created by the policy. This parameter is only used when 'Bring Your Own User Assigned Identity' parameter is false." + }, + "defaultValue": "eastus" + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "The effect determines what happens when the policy rule is evaluated to match." + }, + "allowedValues": [ + "AuditIfNotExists", + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Compute/virtualMachines" + }, + { + "value": "[requestContext().apiVersion]", + "greaterOrEquals": "2018-10-01" + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Compute/virtualMachines", + "name": "[field('name')]", + "evaluationDelay": "AfterProvisioning", + "deploymentScope": "subscription", + "existenceCondition": { + "anyOf": [ + { + "allOf": [ + { + "field": "identity.type", + "contains": "UserAssigned" + }, + { + "field": "identity.userAssignedIdentities", + "containsKey": "[if(parameters('bringYourOwnUserAssignedManagedIdentity'), concat('/subscriptions/', parameters('identitySubscription'), '/resourceGroups/', trim(parameters('identityResourceGroup')), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', trim(parameters('userAssignedIdentityName'))), concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/Built-In-Identity-RG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/Built-In-Identity-', field('location')))]" + } + ] + }, + { + "allOf": [ + { + "field": "identity.type", + "equals": "UserAssigned" + }, + { + "value": "[string(length(field('identity.userAssignedIdentities')))]", + "equals": 
"1" + } + ] + } + ] + }, + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", + "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9" + ], + "deployment": { + "location": "eastus", + "properties": { + "mode": "incremental", + "parameters": { + "bringYourOwnUserAssignedManagedIdentity": { + "value": "[parameters('bringYourOwnUserAssignedManagedIdentity')]" + }, + "location": { + "value": "[field('location')]" + }, + "uaName": { + "value": "[if(parameters('bringYourOwnUserAssignedManagedIdentity'), parameters('userAssignedIdentityName'), 'Built-In-Identity')]" + }, + "identityResourceGroup": { + "value": "[if(parameters('bringYourOwnUserAssignedManagedIdentity'), parameters('identityResourceGroup'), 'Built-In-Identity-RG')]" + }, + "identitySubscription": { + "value": "[if(parameters('bringYourOwnUserAssignedManagedIdentity'), parameters('identitySubscription'), subscription().subscriptionId )]" + }, + "builtInIdentityResourceGroupLocation": { + "value": "[parameters('builtInIdentityResourceGroupLocation')]" + }, + "vmName": { + "value": "[field('name')]" + }, + "vmResourceGroup": { + "value": "[resourceGroup().name]" + }, + "resourceId": { + "value": "[field('id')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.1", + "parameters": { + "bringYourOwnUserAssignedManagedIdentity": { + "type": "bool" + }, + "location": { + "type": "string" + }, + "uaName": { + "type": "string" + }, + "identityResourceGroup": { + "type": "string" + }, + "identitySubscription": { + "type": "string" + }, + "builtInIdentityResourceGroupLocation": { + "type": "string" + }, + "vmName": { + "type": "string" + }, + "vmResourceGroup": { + "type": "string" + }, + "resourceId": { + "type": "string" + } + }, + "variables": { + "uaNameWithLocation": "[concat(parameters('uaName'),'-', 
parameters('location'))]", + "precreatedUaId": "[concat('/subscriptions/', trim(parameters('identitySubscription')), '/resourceGroups/', trim(parameters('identityResourceGroup')), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', trim(parameters('uaName')))]", + "autocreatedUaId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', trim(parameters('identityResourceGroup')), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', trim(parameters('uaName')), '-', parameters('location'))]", + "deployUALockName": "[concat('deployUALock-', uniqueString(deployment().name))]", + "deployUAName": "[concat('deployUA-', uniqueString(deployment().name))]", + "deployGetResourceProperties": "[concat('deployGetResourceProperties-', uniqueString(deployment().name))]", + "deployAssignUAName": "[concat('deployAssignUA-', uniqueString(deployment().name))]" + }, + "resources": [ + { + "condition": "[not(parameters('bringYourOwnUserAssignedManagedIdentity'))]", + "type": "Microsoft.Resources/resourceGroups", + "apiVersion": "2020-06-01", + "name": "[parameters('identityResourceGroup')]", + "location": "[parameters('builtInIdentityResourceGroupLocation')]" + }, + { + "condition": "[parameters('bringYourOwnUserAssignedManagedIdentity')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[variables('deployUALockName')]", + "resourceGroup": "[parameters('identityResourceGroup')]", + "subscriptionId": "[parameters('identitySubscription')]", + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "uaName": { + "value": "[parameters('uaName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "uaName": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Authorization/locks", + 
"apiVersion": "2016-09-01", + "name": "[concat('CanNotDeleteLock-', parameters('uaName'))]", + "scope": "[concat('Microsoft.ManagedIdentity/userAssignedIdentities/', parameters('uaName'))]", + "properties": { + "level": "CanNotDelete", + "notes": "Please do not delete this User-Assigned Identity since extensions enabled by Azure Policy are relying on their existence." + } + } + ] + } + } + }, + { + "condition": "[not(parameters('bringYourOwnUserAssignedManagedIdentity'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[variables('deployUAName')]", + "resourceGroup": "[parameters('identityResourceGroup')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/resourceGroups', parameters('identityResourceGroup'))]" + ], + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "uaName": { + "value": "[variables('uaNameWithLocation')]" + }, + "location": { + "value": "[parameters('location')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "uaName": { + "type": "string" + }, + "location": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.ManagedIdentity/userAssignedIdentities", + "name": "[parameters('uaName')]", + "apiVersion": "2018-11-30", + "location": "[parameters('location')]" + }, + { + "type": "Microsoft.ManagedIdentity/userAssignedIdentities/providers/locks", + "apiVersion": "2016-09-01", + "name": "[concat(parameters('uaName'), '/Microsoft.Authorization/', 'CanNotDeleteLock-', parameters('uaName'))]", + "dependsOn": [ + "[parameters('uaName')]" + ], + "properties": { + "level": "CanNotDelete", + "notes": "Please do not delete this User-Assigned Identity since extensions enabled by Azure Policy are relying on their existence." 
+ } + } + ] + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[variables('deployGetResourceProperties')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/resourceGroups', parameters('identityResourceGroup'))]", + "[variables('deployUAName')]" + ], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [], + "outputs": { + "resource": { + "type": "object", + "value": "[reference(parameters('resourceId'), '2019-07-01', 'Full')]" + } + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat(variables('deployAssignUAName'))]", + "resourceGroup": "[parameters('vmResourceGroup')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/resourceGroups', parameters('identityResourceGroup'))]", + "[variables('deployUAName')]", + "[variables('deployGetResourceProperties')]" + ], + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "uaId": { + "value": "[if(parameters('bringYourOwnUserAssignedManagedIdentity'), variables('precreatedUaId'), variables('autocreatedUaId'))]" + }, + "vmName": { + "value": "[parameters('vmName')]" + }, + "location": { + "value": "[parameters('location')]" + }, + "identityType": { + "value": "[if(contains(reference(variables('deployGetResourceProperties')).outputs.resource.value, 'identity'), reference(variables('deployGetResourceProperties')).outputs.resource.value.identity.type, '')]" + }, + "userAssignedIdentities": { + "value": "[if(and(contains(reference(variables('deployGetResourceProperties')).outputs.resource.value, 'identity'), contains(reference(variables('deployGetResourceProperties')).outputs.resource.value.identity, 'userAssignedIdentities')), 
reference(variables('deployGetResourceProperties')).outputs.resource.value.identity.userAssignedIdentities, createObject())]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "uaId": { + "type": "string" + }, + "vmName": { + "type": "string" + }, + "location": { + "type": "string" + }, + "identityType": { + "type": "string" + }, + "userAssignedIdentities": { + "type": "object" + } + }, + "variables": { + "identityTypeValue": "[if(contains(parameters('identityType'), 'SystemAssigned'), 'SystemAssigned,UserAssigned', 'UserAssigned')]", + "userAssignedIdentitiesValue": "[union(parameters('userAssignedIdentities'), createObject(parameters('uaId'), createObject()))]", + "resourceWithSingleUAI": "[and(equals(parameters('identityType'), 'UserAssigned'), equals(string(length(parameters('userAssignedIdentities'))), '1'))]" + }, + "resources": [ + { + "condition": "[not(variables('resourceWithSingleUAI'))]", + "apiVersion": "2019-07-01", + "type": "Microsoft.Compute/virtualMachines", + "name": "[parameters('vmName')]", + "location": "[parameters('location')]", + "identity": { + "type": "[variables('identityTypeValue')]", + "userAssignedIdentities": "[variables('userAssignedIdentitiesValue')]" + } + } + ] + } + } + } + ] + } + } + } + } + } + } + } + } \ No newline at end of file diff --git a/policyDefinitions/Managed Identity/assign-cross-subscription-user-assigned-managed-identity-to-virtual-machines/azurepolicy.parameters.json b/policyDefinitions/Managed Identity/assign-cross-subscription-user-assigned-managed-identity-to-virtual-machines/azurepolicy.parameters.json new file mode 100644 index 00000000..7981ce06 --- /dev/null +++ b/policyDefinitions/Managed Identity/assign-cross-subscription-user-assigned-managed-identity-to-virtual-machines/azurepolicy.parameters.json 
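Review bot: The first `containsKey` branch of the existenceCondition builds the expected identity id with `parameters('identitySubscription')` untrimmed, while the deployment template's `precreatedUaId` variable uses `trim(parameters('identitySubscription'))`; a subscription id entered with stray whitespace would therefore be deployed under the trimmed id but never satisfy the existence check, leaving the VM permanently non-compliant and re-remediated on every evaluation. The resource-group and identity-name components are trimmed on both sides, so this looks like an oversight rather than intent; change the branch to `concat('/subscriptions/', trim(parameters('identitySubscription')), '/resourceGroups/', trim(parameters('identityResourceGroup')), ...)` so both sides agree. Separately, the second `anyOf` branch marks any VM that already carries exactly one user-assigned identity as compliant even when that identity is not the configured cross-subscription one; this presumably mirrors the built-in policy it is modelled on, but it means the policy does not guarantee the named identity is present, and the `description` should say so rather than promising the identity will be assigned.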
@@ -0,0 +1,58 @@
+{
+ "bringYourOwnUserAssignedManagedIdentity": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "Bring Your Own User-Assigned Identity",
+ "description": "Enable this to use your pre-created user-assigned managed identity. The pre-created identity MUST exist within the subscription otherwise the policy deployment will fail. If enabled, ensure that the User-Assigned Identity Name and Identity Resource Group Name parameters match the pre-created identity. If not enabled, the policy will create per subscription, per resource user-assigned managed identities in a new resource group named 'Built-In-Identity-RG'."
+ },
+ "allowedValues": [
+ true,
+ false
+ ]
+ },
+ "userAssignedIdentityName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "User-Assigned Managed Identity Name",
+ "description": "The name of the pre-created user-assigned managed identity."
+ },
+ "defaultValue": ""
+ },
+ "identityResourceGroup": {
+ "type": "String",
+ "metadata": {
+ "displayName": "User-Assigned Managed Identity Resource Group Name",
+ "description": "The resource group in which the pre-created user-assigned managed identity resides."
+ },
+ "defaultValue": ""
+ },
+ "identitySubscription": {
+ "type": "String",
+ "metadata": {
+ "displayName": "User-Assigned Managed Identity Subscription ID",
+ "description": "The Subscription id of the pre-created user-assigned managed identity."
+ },
+ "defaultValue": ""
+ },
+ "builtInIdentityResourceGroupLocation": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Built-In-Identity-RG Location",
+ "description": "The location of the resource group 'Built-In-Identity-RG' created by the policy. This parameter is only used when 'Bring Your Own User Assigned Identity' parameter is false."
+ },
+ "defaultValue": "eastus"
+ },
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Policy Effect",
+ "description": "The effect determines what happens when the policy rule is evaluated to match."
+ },
+ "allowedValues": [
+ "AuditIfNotExists",
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists"
+ }
+}
\ No newline at end of file
diff --git a/policyDefinitions/Managed Identity/assign-cross-subscription-user-assigned-managed-identity-to-virtual-machines/azurepolicy.rules.json b/policyDefinitions/Managed Identity/assign-cross-subscription-user-assigned-managed-identity-to-virtual-machines/azurepolicy.rules.json
new file mode 100644
index 00000000..adf780b0
--- /dev/null
+++ b/policyDefinitions/Managed Identity/assign-cross-subscription-user-assigned-managed-identity-to-virtual-machines/azurepolicy.rules.json
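Review bot: The `bringYourOwnUserAssignedManagedIdentity` description still says the pre-created identity "MUST exist within the subscription" and names only the identity-name and resource-group parameters, which contradicts the cross-subscription purpose of this policy and never tells the operator to set `identitySubscription`; since that parameter defaults to `""`, an assignment that omits it yields an identity id of the form `/subscriptions//resourceGroups/...` and a nested deployment whose `subscriptionId` is empty, which will only surface as a remediation failure. Suggest replacing the description with: `Enable this to use your pre-created user-assigned managed identity, which may reside in a different subscription. When enabled, the User-Assigned Identity Name, Resource Group Name and Subscription ID parameters must all be set and match the pre-created identity, and the policy assignment's managed identity must be permitted to assign that identity and create resource locks in its subscription. When disabled, the policy creates one identity per subscription and region in a new resource group named 'Built-In-Identity-RG'.` The "per subscription, per resource" wording is also inaccurate as far as I can tell from the rule, which names the auto-created identity `Built-In-Identity-<location>`, i.e. one per region.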
@@ -0,0 +1,336 @@ +{ + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Compute/virtualMachines" + }, + { + "value": "[requestContext().apiVersion]", + "greaterOrEquals": "2018-10-01" + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Compute/virtualMachines", + "name": "[field('name')]", + "evaluationDelay": "AfterProvisioning", + "deploymentScope": "subscription", + "existenceCondition": { + "anyOf": [ + { + "allOf": [ + { + "field": "identity.type", + "contains": "UserAssigned" + }, + { + "field": "identity.userAssignedIdentities", + "containsKey": "[if(parameters('bringYourOwnUserAssignedManagedIdentity'), concat('/subscriptions/', parameters('identitySubscription'), '/resourceGroups/', trim(parameters('identityResourceGroup')), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', trim(parameters('userAssignedIdentityName'))), concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/Built-In-Identity-RG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/Built-In-Identity-', field('location')))]" + } + ] + }, + { + "allOf": [ + { + "field": "identity.type", + "equals": "UserAssigned" + }, + { + "value": "[string(length(field('identity.userAssignedIdentities')))]", + "equals": "1" + } + ] + } + ] + }, + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", + "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9" + ], + "deployment": { + "location": "eastus", + "properties": { + "mode": "incremental", + "parameters": { + "bringYourOwnUserAssignedManagedIdentity": { + "value": "[parameters('bringYourOwnUserAssignedManagedIdentity')]" + }, + "location": { + "value": "[field('location')]" + }, + "uaName": { + "value": "[if(parameters('bringYourOwnUserAssignedManagedIdentity'), parameters('userAssignedIdentityName'), 'Built-In-Identity')]" + }, + "identityResourceGroup": { 
+ "value": "[if(parameters('bringYourOwnUserAssignedManagedIdentity'), parameters('identityResourceGroup'), 'Built-In-Identity-RG')]" + }, + "identitySubscription": { + "value": "[if(parameters('bringYourOwnUserAssignedManagedIdentity'), parameters('identitySubscription'), subscription().subscriptionId )]" + }, + "builtInIdentityResourceGroupLocation": { + "value": "[parameters('builtInIdentityResourceGroupLocation')]" + }, + "vmName": { + "value": "[field('name')]" + }, + "vmResourceGroup": { + "value": "[resourceGroup().name]" + }, + "resourceId": { + "value": "[field('id')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.1", + "parameters": { + "bringYourOwnUserAssignedManagedIdentity": { + "type": "bool" + }, + "location": { + "type": "string" + }, + "uaName": { + "type": "string" + }, + "identityResourceGroup": { + "type": "string" + }, + "identitySubscription": { + "type": "string" + }, + "builtInIdentityResourceGroupLocation": { + "type": "string" + }, + "vmName": { + "type": "string" + }, + "vmResourceGroup": { + "type": "string" + }, + "resourceId": { + "type": "string" + } + }, + "variables": { + "uaNameWithLocation": "[concat(parameters('uaName'),'-', parameters('location'))]", + "precreatedUaId": "[concat('/subscriptions/', trim(parameters('identitySubscription')), '/resourceGroups/', trim(parameters('identityResourceGroup')), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', trim(parameters('uaName')))]", + "autocreatedUaId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', trim(parameters('identityResourceGroup')), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', trim(parameters('uaName')), '-', parameters('location'))]", + "deployUALockName": "[concat('deployUALock-', uniqueString(deployment().name))]", + "deployUAName": "[concat('deployUA-', uniqueString(deployment().name))]", + 
"deployGetResourceProperties": "[concat('deployGetResourceProperties-', uniqueString(deployment().name))]", + "deployAssignUAName": "[concat('deployAssignUA-', uniqueString(deployment().name))]" + }, + "resources": [ + { + "condition": "[not(parameters('bringYourOwnUserAssignedManagedIdentity'))]", + "type": "Microsoft.Resources/resourceGroups", + "apiVersion": "2020-06-01", + "name": "[parameters('identityResourceGroup')]", + "location": "[parameters('builtInIdentityResourceGroupLocation')]" + }, + { + "condition": "[parameters('bringYourOwnUserAssignedManagedIdentity')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[variables('deployUALockName')]", + "resourceGroup": "[parameters('identityResourceGroup')]", + "subscriptionId": "[parameters('identitySubscription')]", + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "uaName": { + "value": "[parameters('uaName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "uaName": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Authorization/locks", + "apiVersion": "2016-09-01", + "name": "[concat('CanNotDeleteLock-', parameters('uaName'))]", + "scope": "[concat('Microsoft.ManagedIdentity/userAssignedIdentities/', parameters('uaName'))]", + "properties": { + "level": "CanNotDelete", + "notes": "Please do not delete this User-Assigned Identity since extensions enabled by Azure Policy are relying on their existence." 
+ } + } + ] + } + } + }, + { + "condition": "[not(parameters('bringYourOwnUserAssignedManagedIdentity'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[variables('deployUAName')]", + "resourceGroup": "[parameters('identityResourceGroup')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/resourceGroups', parameters('identityResourceGroup'))]" + ], + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "uaName": { + "value": "[variables('uaNameWithLocation')]" + }, + "location": { + "value": "[parameters('location')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "uaName": { + "type": "string" + }, + "location": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.ManagedIdentity/userAssignedIdentities", + "name": "[parameters('uaName')]", + "apiVersion": "2018-11-30", + "location": "[parameters('location')]" + }, + { + "type": "Microsoft.ManagedIdentity/userAssignedIdentities/providers/locks", + "apiVersion": "2016-09-01", + "name": "[concat(parameters('uaName'), '/Microsoft.Authorization/', 'CanNotDeleteLock-', parameters('uaName'))]", + "dependsOn": [ + "[parameters('uaName')]" + ], + "properties": { + "level": "CanNotDelete", + "notes": "Please do not delete this User-Assigned Identity since extensions enabled by Azure Policy are relying on their existence." 
+ } + } + ] + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[variables('deployGetResourceProperties')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/resourceGroups', parameters('identityResourceGroup'))]", + "[variables('deployUAName')]" + ], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [], + "outputs": { + "resource": { + "type": "object", + "value": "[reference(parameters('resourceId'), '2019-07-01', 'Full')]" + } + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat(variables('deployAssignUAName'))]", + "resourceGroup": "[parameters('vmResourceGroup')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/resourceGroups', parameters('identityResourceGroup'))]", + "[variables('deployUAName')]", + "[variables('deployGetResourceProperties')]" + ], + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "uaId": { + "value": "[if(parameters('bringYourOwnUserAssignedManagedIdentity'), variables('precreatedUaId'), variables('autocreatedUaId'))]" + }, + "vmName": { + "value": "[parameters('vmName')]" + }, + "location": { + "value": "[parameters('location')]" + }, + "identityType": { + "value": "[if(contains(reference(variables('deployGetResourceProperties')).outputs.resource.value, 'identity'), reference(variables('deployGetResourceProperties')).outputs.resource.value.identity.type, '')]" + }, + "userAssignedIdentities": { + "value": "[if(and(contains(reference(variables('deployGetResourceProperties')).outputs.resource.value, 'identity'), contains(reference(variables('deployGetResourceProperties')).outputs.resource.value.identity, 'userAssignedIdentities')), 
reference(variables('deployGetResourceProperties')).outputs.resource.value.identity.userAssignedIdentities, createObject())]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "uaId": { + "type": "string" + }, + "vmName": { + "type": "string" + }, + "location": { + "type": "string" + }, + "identityType": { + "type": "string" + }, + "userAssignedIdentities": { + "type": "object" + } + }, + "variables": { + "identityTypeValue": "[if(contains(parameters('identityType'), 'SystemAssigned'), 'SystemAssigned,UserAssigned', 'UserAssigned')]", + "userAssignedIdentitiesValue": "[union(parameters('userAssignedIdentities'), createObject(parameters('uaId'), createObject()))]", + "resourceWithSingleUAI": "[and(equals(parameters('identityType'), 'UserAssigned'), equals(string(length(parameters('userAssignedIdentities'))), '1'))]" + }, + "resources": [ + { + "condition": "[not(variables('resourceWithSingleUAI'))]", + "apiVersion": "2019-07-01", + "type": "Microsoft.Compute/virtualMachines", + "name": "[parameters('vmName')]", + "location": "[parameters('location')]", + "identity": { + "type": "[variables('identityTypeValue')]", + "userAssignedIdentities": "[variables('userAssignedIdentitiesValue')]" + } + } + ] + } + } + } + ] + } + } + } + } + } +} \ No newline at end of file diff --git a/policyDefinitions/Monitoring/configure-win-vms-ama-with-cross-subscription-uami/azurepolicy.json b/policyDefinitions/Monitoring/configure-win-vms-ama-with-cross-subscription-uami/azurepolicy.json new file mode 100644 index 00000000..0fd8cf75 --- /dev/null +++ b/policyDefinitions/Monitoring/configure-win-vms-ama-with-cross-subscription-uami/azurepolicy.json 
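Review bot: `roleDefinitionIds` asks for Contributor plus what I read as User Access Administrator (`18d7d88d-...`), and DeployIfNotExists grants those to the remediation identity only at the assignment scope, yet the `deployUALock` nested deployment targets `"subscriptionId": "[parameters('identitySubscription')]"`, which in the bring-your-own case is by design a subscription that may lie outside that scope; the lock write (and presumably the assign action on the identity itself) will then fail with an authorization error unless someone separately grants the remediation principal rights in the identity's subscription, and nothing in the rule or its metadata says this. Because the remediation only needs to attach one identity to VMs and add a `CanNotDelete` lock to it, a scoped grant on the identity's resource group in the other subscription (Managed Identity Operator plus lock write) would be the least-privilege fit rather than subscription-wide User Access Administrator, and it is worth asking whether a policy should be creating locks in a foreign subscription at all. At minimum the policy `description` should state the requirement, e.g. `When the identity lives in another subscription, grant the assignment's managed identity permission to assign the identity and to create resource locks in that subscription before remediating.` Note also that the subscription-level deployment `location` is hard-coded to `eastus` while the built-in path exposes `builtInIdentityResourceGroupLocation` as a parameter; if residency of deployment metadata matters to consumers, expose it the same way.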
@@ -0,0 +1,427 @@ +{ + "name": "2993aef3-6bcf-4e34-929c-79727b646663", + "type": "Microsoft.Authorization/policyDefinitions", + "properties": { + "displayName": "Configure Windows virtual machines to run Azure Monitor Agent with cross subscription user-assigned managed identity-based authentication", + "mode": "Indexed", + "description": "Copy of built-in 637125fd-7c39-4b94-bb0a-d331faf333a9 with minimal changes to support a cross subscription UAMI. Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. ", + "metadata": { + "version": "1.0.0", + "category": "Monitoring" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy." + }, + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "bringYourOwnUserAssignedManagedIdentity": { + "type": "Boolean", + "metadata": { + "displayName": "Bring Your Own User-Assigned Managed Identity", + "description": "If set to true, Azure Monitor Agent will use the user-assigned managed identity specified via the 'User-Assigned Managed Identity ...' parameters for authentication. Otherwise, Azure Monitor Agent will use the user-assigned managed identity /subscriptions//resourceGroups/built-in-identity-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/built-in-identity- for authentication." 
+ }, + "allowedValues": [ + false, + true + ] + }, + "userAssignedManagedIdentityName": { + "type": "String", + "metadata": { + "displayName": "User-Assigned Managed Identity Name", + "description": "The name of the user-assigned managed identity which Azure Monitor Agent will use for authentication when 'Bring Your Own User-Assigned Managed Identity' is set to true." + }, + "defaultValue": "" + }, + "userAssignedManagedIdentityResourceGroup": { + "type": "String", + "metadata": { + "displayName": "User-Assigned Managed Identity Resource Group", + "description": "The resource group of the user-assigned managed identity which Azure Monitor Agent will use for authentication when 'Bring Your Own User-Assigned Managed Identity' is set to true." + }, + "defaultValue": "" + }, + "userAssignedManagedIdentitySubscription": { + "type": "String", + "metadata": { + "displayName": "User-Assigned Managed Identity Subscription Id", + "description": "The subscription id of the user-assigned managed identity which Azure Monitor Agent will use for authentication when 'Bring Your Own User-Assigned Managed Identity' is set to true." + }, + "defaultValue": "" + }, + "scopeToSupportedImages": { + "type": "Boolean", + "metadata": { + "displayName": "Scope Policy to Azure Monitor Agent-Supported Operating Systems", + "description": "If set to true, the policy will apply only to virtual machines with supported operating systems. Otherwise, the policy will apply to all virtual machine resources in the assignment scope. For supported operating systems, see https://aka.ms/AMAOverview." + }, + "allowedValues": [ + true, + false + ], + "defaultValue": true + }, + "listOfWindowsImageIdToInclude": { + "type": "Array", + "metadata": { + "displayName": "Additional Virtual Machine Images", + "description": "List of virtual machine images that have supported Windows OS to add to scope. 
Example values: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'" + }, + "defaultValue": [] + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Compute/virtualMachines" + }, + { + "field": "location", + "in": [ + "australiacentral", + "australiaeast", + "australiasoutheast", + "brazilsouth", + "canadacentral", + "canadaeast", + "centralindia", + "centralus", + "eastasia", + "eastus2euap", + "eastus", + "eastus2", + "francecentral", + "germanywestcentral", + "japaneast", + "japanwest", + "jioindiawest", + "koreacentral", + "koreasouth", + "northcentralus", + "northeurope", + "norwayeast", + "southafricanorth", + "southcentralus", + "southeastasia", + "southindia", + "switzerlandnorth", + "uaenorth", + "uksouth", + "ukwest", + "westcentralus", + "westeurope", + "westindia", + "westus", + "westus2", + "chinaeast", + "chinaeast2", + "chinaeast3", + "chinanorth", + "chinanorth2", + "chinanorth3", + "usgovarizona", + "usgovtexas", + "usgovvirginia", + "usdodeast", + "usdodcentral" + ] + }, + { + "anyOf": [ + { + "allOf": [ + { + "value": "[parameters('scopeToSupportedImages')]", + "equals": false + }, + { + "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType", + "like": "Windows*" + } + ] + }, + { + "field": "Microsoft.Compute/imageId", + "in": "[parameters('listOfWindowsImageIdToInclude')]" + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftWindowsServer" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "WindowsServer" + }, + { + "anyOf": [ + { + "field": "Microsoft.Compute/imageSku", + "like": "2008-R2-SP1*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "2012-*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "2016-*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "2019-*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "2022-*" + } + ] + } + ] 
+ }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftWindowsServer" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "WindowsServerSemiAnnual" + }, + { + "field": "Microsoft.Compute/imageSKU", + "in": [ + "Datacenter-Core-1709-smalldisk", + "Datacenter-Core-1709-with-Containers-smalldisk", + "Datacenter-Core-1803-with-Containers-smalldisk" + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftWindowsServerHPCPack" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "WindowsServerHPCPack" + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftSQLServer" + }, + { + "anyOf": [ + { + "field": "Microsoft.Compute/imageOffer", + "like": "*-WS2022" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "*-WS2022-BYOL" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "*-WS2019" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "*-WS2019-BYOL" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "*-WS2016" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "*-WS2016-BYOL" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "*-WS2012R2" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "*-WS2012R2-BYOL" + } + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftRServer" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "MLServer-WS2016" + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftVisualStudio" + }, + { + "field": "Microsoft.Compute/imageOffer", + "in": [ + "VisualStudio", + "Windows" + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftDynamicsAX" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "Dynamics" + }, + { + "field": 
"Microsoft.Compute/imageSKU", + "equals": "Pre-Req-AX7-Onebox-U8" + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "microsoft-ads" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "windows-data-science-vm" + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftWindowsDesktop" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "Windows-1*" + } + ] + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Compute/virtualMachines/extensions", + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c" + ], + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Compute/virtualMachines/extensions/type", + "equals": "AzureMonitorWindowsAgent" + }, + { + "field": "Microsoft.Compute/virtualMachines/extensions/publisher", + "equals": "Microsoft.Azure.Monitor" + }, + { + "field": "Microsoft.Compute/virtualMachines/extensions/provisioningState", + "equals": "Succeeded" + } + ] + }, + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "vmName": { + "type": "string" + }, + "location": { + "type": "string" + }, + "userAssignedManagedIdentity": { + "type": "string" + } + }, + "variables": { + "extensionName": "AzureMonitorWindowsAgent", + "extensionPublisher": "Microsoft.Azure.Monitor", + "extensionType": "AzureMonitorWindowsAgent", + "extensionTypeHandlerVersion": "1.2" + }, + "resources": [ + { + "name": "[concat(parameters('vmName'), '/', variables('extensionName'))]", + "type": "Microsoft.Compute/virtualMachines/extensions", + "location": "[parameters('location')]", + "apiVersion": "2019-07-01", + "properties": { + "publisher": "[variables('extensionPublisher')]", + "type": 
"[variables('extensionType')]", + "typeHandlerVersion": "[variables('extensionTypeHandlerVersion')]", + "autoUpgradeMinorVersion": true, + "enableAutomaticUpgrade": true, + "settings": { + "authentication": { + "managedIdentity": { + "identifier-name": "mi_res_id", + "identifier-value": "[parameters('userAssignedManagedIdentity')]" + } + } + } + } + } + ] + }, + "parameters": { + "vmName": { + "value": "[field('name')]" + }, + "location": { + "value": "[field('location')]" + }, + "userAssignedManagedIdentity": { + "value": "[if(parameters('bringYourOwnUserAssignedManagedIdentity'), concat('/subscriptions/', parameters('userAssignedManagedIdentitySubscription'), '/resourceGroups/', parameters('userAssignedManagedIdentityResourceGroup'), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', parameters('userAssignedManagedIdentityName')), concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/built-in-identity-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/built-in-identity-', field('location')))]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/policyDefinitions/Monitoring/configure-win-vms-ama-with-cross-subscription-uami/azurepolicy.parameters.json b/policyDefinitions/Monitoring/configure-win-vms-ama-with-cross-subscription-uami/azurepolicy.parameters.json new file mode 100644 index 00000000..8a8dcf1d --- /dev/null +++ b/policyDefinitions/Monitoring/configure-win-vms-ama-with-cross-subscription-uami/azurepolicy.parameters.json 
@@ -0,0 +1,69 @@ +{ + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy." + }, + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "bringYourOwnUserAssignedManagedIdentity": { + "type": "Boolean", + "metadata": { + "displayName": "Bring Your Own User-Assigned Managed Identity", + "description": "If set to true, Azure Monitor Agent will use the user-assigned managed identity specified via the 'User-Assigned Managed Identity ...' parameters for authentication. Otherwise, Azure Monitor Agent will use the user-assigned managed identity /subscriptions//resourceGroups/built-in-identity-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/built-in-identity- for authentication." + }, + "allowedValues": [ + false, + true + ] + }, + "userAssignedManagedIdentityName": { + "type": "String", + "metadata": { + "displayName": "User-Assigned Managed Identity Name", + "description": "The name of the user-assigned managed identity which Azure Monitor Agent will use for authentication when 'Bring Your Own User-Assigned Managed Identity' is set to true." + }, + "defaultValue": "" + }, + "userAssignedManagedIdentityResourceGroup": { + "type": "String", + "metadata": { + "displayName": "User-Assigned Managed Identity Resource Group", + "description": "The resource group of the user-assigned managed identity which Azure Monitor Agent will use for authentication when 'Bring Your Own User-Assigned Managed Identity' is set to true." + }, + "defaultValue": "" + }, + "userAssignedManagedIdentitySubscription": { + "type": "String", + "metadata": { + "displayName": "User-Assigned Managed Identity Subscription Id", + "description": "The subscription id of the user-assigned managed identity which Azure Monitor Agent will use for authentication when 'Bring Your Own User-Assigned Managed Identity' is set to true." 
+ }, + "defaultValue": "" + }, + "scopeToSupportedImages": { + "type": "Boolean", + "metadata": { + "displayName": "Scope Policy to Azure Monitor Agent-Supported Operating Systems", + "description": "If set to true, the policy will apply only to virtual machines with supported operating systems. Otherwise, the policy will apply to all virtual machine resources in the assignment scope. For supported operating systems, see https://aka.ms/AMAOverview." + }, + "allowedValues": [ + true, + false + ], + "defaultValue": true + }, + "listOfWindowsImageIdToInclude": { + "type": "Array", + "metadata": { + "displayName": "Additional Virtual Machine Images", + "description": "List of virtual machine images that have supported Windows OS to add to scope. Example values: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'" + }, + "defaultValue": [] + } +} \ No newline at end of file diff --git a/policyDefinitions/Monitoring/configure-win-vms-ama-with-cross-subscription-uami/azurepolicy.rules.json b/policyDefinitions/Monitoring/configure-win-vms-ama-with-cross-subscription-uami/azurepolicy.rules.json new file mode 100644 index 00000000..0dc99502 --- /dev/null +++ b/policyDefinitions/Monitoring/configure-win-vms-ama-with-cross-subscription-uami/azurepolicy.rules.json 
@@ -0,0 +1,345 @@ +{ + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Compute/virtualMachines" + }, + { + "field": "location", + "in": [ + "australiacentral", + "australiaeast", + "australiasoutheast", + "brazilsouth", + "canadacentral", + "canadaeast", + "centralindia", + "centralus", + "eastasia", + "eastus2euap", + "eastus", + "eastus2", + "francecentral", + "germanywestcentral", + "japaneast", + "japanwest", + "jioindiawest", + "koreacentral", + "koreasouth", + "northcentralus", + "northeurope", + "norwayeast", + "southafricanorth", + "southcentralus", + "southeastasia", + "southindia", + "switzerlandnorth", + "uaenorth", + "uksouth", + "ukwest", + "westcentralus", + "westeurope", + "westindia", + "westus", + "westus2", + "chinaeast", + "chinaeast2", + "chinaeast3", + "chinanorth", + "chinanorth2", + "chinanorth3", + "usgovarizona", + "usgovtexas", + "usgovvirginia", + "usdodeast", + "usdodcentral" + ] + }, + { + "anyOf": [ + { + "allOf": [ + { + "value": "[parameters('scopeToSupportedImages')]", + "equals": false + }, + { + "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType", + "like": "Windows*" + } + ] + }, + { + "field": "Microsoft.Compute/imageId", + "in": "[parameters('listOfWindowsImageIdToInclude')]" + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftWindowsServer" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "WindowsServer" + }, + { + "anyOf": [ + { + "field": "Microsoft.Compute/imageSku", + "like": "2008-R2-SP1*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "2012-*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "2016-*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "2019-*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "2022-*" + } + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftWindowsServer" + }, + { + "field": 
"Microsoft.Compute/imageOffer", + "equals": "WindowsServerSemiAnnual" + }, + { + "field": "Microsoft.Compute/imageSKU", + "in": [ + "Datacenter-Core-1709-smalldisk", + "Datacenter-Core-1709-with-Containers-smalldisk", + "Datacenter-Core-1803-with-Containers-smalldisk" + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftWindowsServerHPCPack" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "WindowsServerHPCPack" + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftSQLServer" + }, + { + "anyOf": [ + { + "field": "Microsoft.Compute/imageOffer", + "like": "*-WS2022" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "*-WS2022-BYOL" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "*-WS2019" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "*-WS2019-BYOL" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "*-WS2016" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "*-WS2016-BYOL" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "*-WS2012R2" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "*-WS2012R2-BYOL" + } + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftRServer" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "MLServer-WS2016" + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftVisualStudio" + }, + { + "field": "Microsoft.Compute/imageOffer", + "in": [ + "VisualStudio", + "Windows" + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftDynamicsAX" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "Dynamics" + }, + { + "field": "Microsoft.Compute/imageSKU", + "equals": "Pre-Req-AX7-Onebox-U8" + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + 
"equals": "microsoft-ads" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "windows-data-science-vm" + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftWindowsDesktop" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "Windows-1*" + } + ] + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Compute/virtualMachines/extensions", + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c" + ], + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Compute/virtualMachines/extensions/type", + "equals": "AzureMonitorWindowsAgent" + }, + { + "field": "Microsoft.Compute/virtualMachines/extensions/publisher", + "equals": "Microsoft.Azure.Monitor" + }, + { + "field": "Microsoft.Compute/virtualMachines/extensions/provisioningState", + "equals": "Succeeded" + } + ] + }, + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "vmName": { + "type": "string" + }, + "location": { + "type": "string" + }, + "userAssignedManagedIdentity": { + "type": "string" + } + }, + "variables": { + "extensionName": "AzureMonitorWindowsAgent", + "extensionPublisher": "Microsoft.Azure.Monitor", + "extensionType": "AzureMonitorWindowsAgent", + "extensionTypeHandlerVersion": "1.2" + }, + "resources": [ + { + "name": "[concat(parameters('vmName'), '/', variables('extensionName'))]", + "type": "Microsoft.Compute/virtualMachines/extensions", + "location": "[parameters('location')]", + "apiVersion": "2019-07-01", + "properties": { + "publisher": "[variables('extensionPublisher')]", + "type": "[variables('extensionType')]", + "typeHandlerVersion": "[variables('extensionTypeHandlerVersion')]", + "autoUpgradeMinorVersion": true, + 
"enableAutomaticUpgrade": true, + "settings": { + "authentication": { + "managedIdentity": { + "identifier-name": "mi_res_id", + "identifier-value": "[parameters('userAssignedManagedIdentity')]" + } + } + } + } + } + ] + }, + "parameters": { + "vmName": { + "value": "[field('name')]" + }, + "location": { + "value": "[field('location')]" + }, + "userAssignedManagedIdentity": { + "value": "[if(parameters('bringYourOwnUserAssignedManagedIdentity'), concat('/subscriptions/', parameters('userAssignedManagedIdentitySubscription'), '/resourceGroups/', parameters('userAssignedManagedIdentityResourceGroup'), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', parameters('userAssignedManagedIdentityName')), concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/built-in-identity-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/built-in-identity-', field('location')))]" + } + } + } + } + } + } +} \ No newline at end of file From f0928ef0d0d08adddda741d816033d9448a1e8be Mon Sep 17 00:00:00 2001 
From: Hugo Ribeiro Date: Tue, 19 Mar 2024 22:55:15 +0000 Subject: [PATCH 02/13] add 2 windows vmss AMA related policies for cross subscription supportability --- .../azurepolicy.json | 407 ++++++++++++++++ .../azurepolicy.parameters.json | 58 +++ .../azurepolicy.rules.json | 336 ++++++++++++++ .../azurepolicy.json | 2 +- .../azurepolicy.json | 106 +++-- .../azurepolicy.parameters.json | 55 +++ .../azurepolicy.rules.json | 49 +- .../azurepolicy.json | 435 ++++++++++++++++++ .../azurepolicy.parameters.json | 124 +++++ .../azurepolicy.rules.json | 298 ++++++++++++ 10 files changed, 1772 insertions(+), 98 deletions(-) create mode 100644 policyDefinitions/Managed Identity/assign-cross-subscription-user-assigned-managed-identity-to-virtual-machine-scale-set/azurepolicy.json create mode 100644 policyDefinitions/Managed Identity/assign-cross-subscription-user-assigned-managed-identity-to-virtual-machine-scale-set/azurepolicy.parameters.json create mode 100644 policyDefinitions/Managed Identity/assign-cross-subscription-user-assigned-managed-identity-to-virtual-machine-scale-set/azurepolicy.rules.json rename policyDefinitions/Monitoring/{configure-win-vms-ama-with-cross-subscription-uami => configure-ama-on-windows-vm-with-cross-subscription-uami}/azurepolicy.json (90%) rename policyDefinitions/Monitoring/{configure-win-vms-ama-with-cross-subscription-uami => configure-ama-on-windows-vm-with-cross-subscription-uami}/azurepolicy.parameters.json (68%) rename policyDefinitions/Monitoring/{configure-win-vms-ama-with-cross-subscription-uami => configure-ama-on-windows-vm-with-cross-subscription-uami}/azurepolicy.rules.json (89%) create mode 100644 policyDefinitions/Monitoring/configure-ama-on-windows-vmss-with-cross-subscription-uami/azurepolicy.json create mode 100644 policyDefinitions/Monitoring/configure-ama-on-windows-vmss-with-cross-subscription-uami/azurepolicy.parameters.json create mode 100644 
policyDefinitions/Monitoring/configure-ama-on-windows-vmss-with-cross-subscription-uami/azurepolicy.rules.json diff --git a/policyDefinitions/Managed Identity/assign-cross-subscription-user-assigned-managed-identity-to-virtual-machine-scale-set/azurepolicy.json b/policyDefinitions/Managed Identity/assign-cross-subscription-user-assigned-managed-identity-to-virtual-machine-scale-set/azurepolicy.json new file mode 100644 index 00000000..2fefa12a --- /dev/null +++ b/policyDefinitions/Managed Identity/assign-cross-subscription-user-assigned-managed-identity-to-virtual-machine-scale-set/azurepolicy.json 
@@ -0,0 +1,407 @@ +{ + "name": "7a38a53e-958c-50af-acca-fe2785e0cf7c", + "type": "Microsoft.Authorization/policyDefinitions", + "properties": { + "displayName": "Assign Cross Subscription User-Assigned Managed Identity to Virtual Machine Scale Set", + "mode": "Indexed", + "description": "Assign User-Assigned Managed Identity that can be located in a different subscription to Virtual Machine Scale Set.", + "metadata": { + "version": "1.0.0", + "category": "Managed Identity" + }, + "parameters": { + "bringYourOwnUserAssignedManagedIdentity": { + "type": "Boolean", + "metadata": { + "displayName": "Bring Your Own User-Assigned Identity", + "description": "Enable this to use your pre-created user-assigned managed identity. The pre-created identity MUST exist within the subscription otherwise the policy deployment will fail. If enabled, ensure that the User-Assigned Identity Name and Identity Resource Group Name parameters match the pre-created identity. If not enabled, the policy will create per subscription, per resource user-assigned managed identities in a new resource group named 'Built-In-Identity-RG'." + }, + "allowedValues": [ + true, + false + ] + }, + "userAssignedIdentityName": { + "type": "String", + "metadata": { + "displayName": "User-Assigned Managed Identity Name", + "description": "The name of the pre-created user-assigned managed identity." + }, + "defaultValue": "" + }, + "identityResourceGroup": { + "type": "String", + "metadata": { + "displayName": "User-Assigned Managed Identity Resource Group Name", + "description": "The resource group in which the pre-created user-assigned managed identity resides." + }, + "defaultValue": "" + }, + "identitySubscription": { + "type": "String", + "metadata": { + "displayName": "User-Assigned Managed Identity Subscription ID", + "description": "The Subscription id of the pre-created user-assigned managed identity." 
+ }, + "defaultValue": "" + }, + "builtInIdentityResourceGroupLocation": { + "type": "String", + "metadata": { + "displayName": "Built-In-Identity-RG Location", + "description": "The location of the resource group 'Built-In-Identity-RG' created by the policy. This parameter is only used when 'Bring Your Own User Assigned Identity' parameter is false." + }, + "defaultValue": "eastus" + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Policy Effect", + "description": "The effect determines what happens when the policy rule is evaluated to match." + }, + "allowedValues": [ + "AuditIfNotExists", + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Compute/virtualMachineScaleSets" + }, + { + "value": "[requestContext().apiVersion]", + "greaterOrEquals": "2018-10-01" + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Compute/virtualMachineScaleSets", + "name": "[field('name')]", + "evaluationDelay": "AfterProvisioning", + "deploymentScope": "subscription", + "existenceCondition": { + "anyOf": [ + { + "allOf": [ + { + "field": "identity.type", + "contains": "UserAssigned" + }, + { + "field": "identity.userAssignedIdentities", + "containsKey": "[if(parameters('bringYourOwnUserAssignedManagedIdentity'), concat('/subscriptions/', parameters('identitySubscription'), '/resourceGroups/', trim(parameters('identityResourceGroup')), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', trim(parameters('userAssignedIdentityName'))), concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/Built-In-Identity-RG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/Built-In-Identity-', field('location')))]" + } + ] + }, + { + "allOf": [ + { + "field": "identity.type", + "equals": "UserAssigned" + }, + { + "value": 
"[string(length(field('identity.userAssignedIdentities')))]", + "equals": "1" + } + ] + } + ] + }, + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", + "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9" + ], + "deployment": { + "location": "eastus", + "properties": { + "mode": "incremental", + "parameters": { + "bringYourOwnUserAssignedManagedIdentity": { + "value": "[parameters('bringYourOwnUserAssignedManagedIdentity')]" + }, + "location": { + "value": "[field('location')]" + }, + "uaName": { + "value": "[if(parameters('bringYourOwnUserAssignedManagedIdentity'), parameters('userAssignedIdentityName'), 'Built-In-Identity')]" + }, + "identityResourceGroup": { + "value": "[if(parameters('bringYourOwnUserAssignedManagedIdentity'), parameters('identityResourceGroup'), 'Built-In-Identity-RG')]" + }, + "identitySubscription": { + "value": "[if(parameters('bringYourOwnUserAssignedManagedIdentity'), parameters('identitySubscription'), subscription().subscriptionId )]" + }, + "builtInIdentityResourceGroupLocation": { + "value": "[parameters('builtInIdentityResourceGroupLocation')]" + }, + "vmName": { + "value": "[field('name')]" + }, + "vmResourceGroup": { + "value": "[resourceGroup().name]" + }, + "resourceId": { + "value": "[field('id')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.1", + "parameters": { + "bringYourOwnUserAssignedManagedIdentity": { + "type": "bool" + }, + "location": { + "type": "string" + }, + "uaName": { + "type": "string" + }, + "identityResourceGroup": { + "type": "string" + }, + "identitySubscription": { + "type": "string" + }, + "builtInIdentityResourceGroupLocation": { + "type": "string" + }, + "vmName": { + "type": "string" + }, + "vmResourceGroup": { + "type": "string" + }, + "resourceId": { + "type": "string" + } + }, + 
"variables": { + "uaNameWithLocation": "[concat(parameters('uaName'),'-', parameters('location'))]", + "precreatedUaId": "[concat('/subscriptions/', trim(parameters('identitySubscription')), '/resourceGroups/', trim(parameters('identityResourceGroup')), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', trim(parameters('uaName')))]", + "autocreatedUaId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', trim(parameters('identityResourceGroup')), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', trim(parameters('uaName')), '-', parameters('location'))]", + "deployUALockName": "[concat('deployUALock-', uniqueString(deployment().name))]", + "deployUAName": "[concat('deployUA-', uniqueString(deployment().name))]", + "deployGetResourceProperties": "[concat('deployGetResourceProperties-', uniqueString(deployment().name))]", + "deployAssignUAName": "[concat('deployAssignUA-', uniqueString(deployment().name))]" + }, + "resources": [ + { + "condition": "[not(parameters('bringYourOwnUserAssignedManagedIdentity'))]", + "type": "Microsoft.Resources/resourceGroups", + "apiVersion": "2020-06-01", + "name": "[parameters('identityResourceGroup')]", + "location": "[parameters('builtInIdentityResourceGroupLocation')]" + }, + { + "condition": "[parameters('bringYourOwnUserAssignedManagedIdentity')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[variables('deployUALockName')]", + "resourceGroup": "[parameters('identityResourceGroup')]", + "subscriptionId": "[parameters('identitySubscription')]", + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "uaName": { + "value": "[parameters('uaName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "uaName": { + "type": "string" + } + }, + "variables": {}, 
+ "resources": [ + { + "type": "Microsoft.Authorization/locks", + "apiVersion": "2016-09-01", + "name": "[concat('CanNotDeleteLock-', parameters('uaName'))]", + "scope": "[concat('Microsoft.ManagedIdentity/userAssignedIdentities/', parameters('uaName'))]", + "properties": { + "level": "CanNotDelete", + "notes": "Please do not delete this User-Assigned Identity since extensions enabled by Azure Policy are relying on their existence." + } + } + ] + } + } + }, + { + "condition": "[not(parameters('bringYourOwnUserAssignedManagedIdentity'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[variables('deployUAName')]", + "resourceGroup": "[parameters('identityResourceGroup')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/resourceGroups', parameters('identityResourceGroup'))]" + ], + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "uaName": { + "value": "[variables('uaNameWithLocation')]" + }, + "location": { + "value": "[parameters('location')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "uaName": { + "type": "string" + }, + "location": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.ManagedIdentity/userAssignedIdentities", + "name": "[parameters('uaName')]", + "apiVersion": "2018-11-30", + "location": "[parameters('location')]" + }, + { + "type": "Microsoft.ManagedIdentity/userAssignedIdentities/providers/locks", + "apiVersion": "2016-09-01", + "name": "[concat(parameters('uaName'), '/Microsoft.Authorization/', 'CanNotDeleteLock-', parameters('uaName'))]", + "dependsOn": [ + "[parameters('uaName')]" + ], + "properties": { + "level": "CanNotDelete", + "notes": "Please do not delete this User-Assigned Identity since extensions enabled by Azure Policy are relying on their existence." 
+ } + } + ] + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[variables('deployGetResourceProperties')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/resourceGroups', parameters('identityResourceGroup'))]", + "[variables('deployUAName')]" + ], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [], + "outputs": { + "resource": { + "type": "object", + "value": "[reference(parameters('resourceId'), '2019-07-01', 'Full')]" + } + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat(variables('deployAssignUAName'))]", + "resourceGroup": "[parameters('vmResourceGroup')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/resourceGroups', parameters('identityResourceGroup'))]", + "[variables('deployUAName')]", + "[variables('deployGetResourceProperties')]" + ], + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "uaId": { + "value": "[if(parameters('bringYourOwnUserAssignedManagedIdentity'), variables('precreatedUaId'), variables('autocreatedUaId'))]" + }, + "vmName": { + "value": "[parameters('vmName')]" + }, + "location": { + "value": "[parameters('location')]" + }, + "identityType": { + "value": "[if(contains(reference(variables('deployGetResourceProperties')).outputs.resource.value, 'identity'), reference(variables('deployGetResourceProperties')).outputs.resource.value.identity.type, '')]" + }, + "userAssignedIdentities": { + "value": "[if(and(contains(reference(variables('deployGetResourceProperties')).outputs.resource.value, 'identity'), contains(reference(variables('deployGetResourceProperties')).outputs.resource.value.identity, 'userAssignedIdentities')), 
reference(variables('deployGetResourceProperties')).outputs.resource.value.identity.userAssignedIdentities, createObject())]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "uaId": { + "type": "string" + }, + "vmName": { + "type": "string" + }, + "location": { + "type": "string" + }, + "identityType": { + "type": "string" + }, + "userAssignedIdentities": { + "type": "object" + } + }, + "variables": { + "identityTypeValue": "[if(contains(parameters('identityType'), 'SystemAssigned'), 'SystemAssigned,UserAssigned', 'UserAssigned')]", + "userAssignedIdentitiesValue": "[union(parameters('userAssignedIdentities'), createObject(parameters('uaId'), createObject()))]", + "resourceWithSingleUAI": "[and(equals(parameters('identityType'), 'UserAssigned'), equals(string(length(parameters('userAssignedIdentities'))), '1'))]" + }, + "resources": [ + { + "condition": "[not(variables('resourceWithSingleUAI'))]", + "apiVersion": "2019-07-01", + "type": "Microsoft.Compute/virtualMachineScaleSets", + "name": "[parameters('vmName')]", + "location": "[parameters('location')]", + "identity": { + "type": "[variables('identityTypeValue')]", + "userAssignedIdentities": "[variables('userAssignedIdentitiesValue')]" + } + } + ] + } + } + } + ] + } + } + } + } + } + } + } + } \ No newline at end of file diff --git a/policyDefinitions/Managed Identity/assign-cross-subscription-user-assigned-managed-identity-to-virtual-machine-scale-set/azurepolicy.parameters.json b/policyDefinitions/Managed Identity/assign-cross-subscription-user-assigned-managed-identity-to-virtual-machine-scale-set/azurepolicy.parameters.json new file mode 100644 index 00000000..7981ce06 --- /dev/null +++ b/policyDefinitions/Managed Identity/assign-cross-subscription-user-assigned-managed-identity-to-virtual-machine-scale-set/azurepolicy.parameters.json 
@@ -0,0 +1,58 @@
+{
+ "bringYourOwnUserAssignedManagedIdentity": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "Bring Your Own User-Assigned Identity",
+ "description": "Enable this to use your pre-created user-assigned managed identity. The pre-created identity MUST exist within the subscription otherwise the policy deployment will fail. If enabled, ensure that the User-Assigned Identity Name and Identity Resource Group Name parameters match the pre-created identity. If not enabled, the policy will create per subscription, per resource user-assigned managed identities in a new resource group named 'Built-In-Identity-RG'."
+ },
+ "allowedValues": [
+ true,
+ false
+ ]
+ },
+ "userAssignedIdentityName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "User-Assigned Managed Identity Name",
+ "description": "The name of the pre-created user-assigned managed identity."
+ },
+ "defaultValue": ""
+ },
+ "identityResourceGroup": {
+ "type": "String",
+ "metadata": {
+ "displayName": "User-Assigned Managed Identity Resource Group Name",
+ "description": "The resource group in which the pre-created user-assigned managed identity resides."
+ },
+ "defaultValue": ""
+ },
+ "identitySubscription": {
+ "type": "String",
+ "metadata": {
+ "displayName": "User-Assigned Managed Identity Subscription ID",
+ "description": "The Subscription id of the pre-created user-assigned managed identity."
+ },
+ "defaultValue": ""
+ },
+ "builtInIdentityResourceGroupLocation": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Built-In-Identity-RG Location",
+ "description": "The location of the resource group 'Built-In-Identity-RG' created by the policy. This parameter is only used when 'Bring Your Own User Assigned Identity' parameter is false."
+ },
+ "defaultValue": "eastus"
+ },
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Policy Effect",
+ "description": "The effect determines what happens when the policy rule is evaluated to match."
+ },
+ "allowedValues": [
+ "AuditIfNotExists",
+ "DeployIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists"
+ }
+}
\ No newline at end of file
diff --git a/policyDefinitions/Managed Identity/assign-cross-subscription-user-assigned-managed-identity-to-virtual-machine-scale-set/azurepolicy.rules.json b/policyDefinitions/Managed Identity/assign-cross-subscription-user-assigned-managed-identity-to-virtual-machine-scale-set/azurepolicy.rules.json
new file mode 100644
index 00000000..cb8081ee
--- /dev/null
+++ b/policyDefinitions/Managed Identity/assign-cross-subscription-user-assigned-managed-identity-to-virtual-machine-scale-set/azurepolicy.rules.json
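Review bot: The `bringYourOwnUserAssignedManagedIdentity` description still says the pre-created identity "MUST exist within the subscription", which is the wording of the single-subscription variant; this definition adds `identitySubscription` precisely so the identity may live in another subscription, and the text now misdirects anyone troubleshooting a failed remediation. Suggest `The pre-created identity MUST exist in the subscription given by 'User-Assigned Managed Identity Subscription ID', otherwise the policy deployment will fail.` in place of that clause. The `identitySubscription` description could likewise state that it is read only when the bring-your-own flag is true, mirroring what `builtInIdentityResourceGroupLocation` already says for the false case, so the two conditional parameters are documented symmetrically.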
@@ -0,0 +1,336 @@ +{ + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Compute/virtualMachineScaleSets" + }, + { + "value": "[requestContext().apiVersion]", + "greaterOrEquals": "2018-10-01" + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Compute/virtualMachineScaleSets", + "name": "[field('name')]", + "evaluationDelay": "AfterProvisioning", + "deploymentScope": "subscription", + "existenceCondition": { + "anyOf": [ + { + "allOf": [ + { + "field": "identity.type", + "contains": "UserAssigned" + }, + { + "field": "identity.userAssignedIdentities", + "containsKey": "[if(parameters('bringYourOwnUserAssignedManagedIdentity'), concat('/subscriptions/', parameters('identitySubscription'), '/resourceGroups/', trim(parameters('identityResourceGroup')), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', trim(parameters('userAssignedIdentityName'))), concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/Built-In-Identity-RG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/Built-In-Identity-', field('location')))]" + } + ] + }, + { + "allOf": [ + { + "field": "identity.type", + "equals": "UserAssigned" + }, + { + "value": "[string(length(field('identity.userAssignedIdentities')))]", + "equals": "1" + } + ] + } + ] + }, + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c", + "/providers/Microsoft.Authorization/roleDefinitions/18d7d88d-d35e-4fb5-a5c3-7773c20a72d9" + ], + "deployment": { + "location": "eastus", + "properties": { + "mode": "incremental", + "parameters": { + "bringYourOwnUserAssignedManagedIdentity": { + "value": "[parameters('bringYourOwnUserAssignedManagedIdentity')]" + }, + "location": { + "value": "[field('location')]" + }, + "uaName": { + "value": "[if(parameters('bringYourOwnUserAssignedManagedIdentity'), parameters('userAssignedIdentityName'), 'Built-In-Identity')]" + }, + 
"identityResourceGroup": { + "value": "[if(parameters('bringYourOwnUserAssignedManagedIdentity'), parameters('identityResourceGroup'), 'Built-In-Identity-RG')]" + }, + "identitySubscription": { + "value": "[if(parameters('bringYourOwnUserAssignedManagedIdentity'), parameters('identitySubscription'), subscription().subscriptionId )]" + }, + "builtInIdentityResourceGroupLocation": { + "value": "[parameters('builtInIdentityResourceGroupLocation')]" + }, + "vmName": { + "value": "[field('name')]" + }, + "vmResourceGroup": { + "value": "[resourceGroup().name]" + }, + "resourceId": { + "value": "[field('id')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", + "contentVersion": "1.0.0.1", + "parameters": { + "bringYourOwnUserAssignedManagedIdentity": { + "type": "bool" + }, + "location": { + "type": "string" + }, + "uaName": { + "type": "string" + }, + "identityResourceGroup": { + "type": "string" + }, + "identitySubscription": { + "type": "string" + }, + "builtInIdentityResourceGroupLocation": { + "type": "string" + }, + "vmName": { + "type": "string" + }, + "vmResourceGroup": { + "type": "string" + }, + "resourceId": { + "type": "string" + } + }, + "variables": { + "uaNameWithLocation": "[concat(parameters('uaName'),'-', parameters('location'))]", + "precreatedUaId": "[concat('/subscriptions/', trim(parameters('identitySubscription')), '/resourceGroups/', trim(parameters('identityResourceGroup')), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', trim(parameters('uaName')))]", + "autocreatedUaId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', trim(parameters('identityResourceGroup')), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', trim(parameters('uaName')), '-', parameters('location'))]", + "deployUALockName": "[concat('deployUALock-', uniqueString(deployment().name))]", + "deployUAName": "[concat('deployUA-', 
uniqueString(deployment().name))]", + "deployGetResourceProperties": "[concat('deployGetResourceProperties-', uniqueString(deployment().name))]", + "deployAssignUAName": "[concat('deployAssignUA-', uniqueString(deployment().name))]" + }, + "resources": [ + { + "condition": "[not(parameters('bringYourOwnUserAssignedManagedIdentity'))]", + "type": "Microsoft.Resources/resourceGroups", + "apiVersion": "2020-06-01", + "name": "[parameters('identityResourceGroup')]", + "location": "[parameters('builtInIdentityResourceGroupLocation')]" + }, + { + "condition": "[parameters('bringYourOwnUserAssignedManagedIdentity')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[variables('deployUALockName')]", + "resourceGroup": "[parameters('identityResourceGroup')]", + "subscriptionId": "[parameters('identitySubscription')]", + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "uaName": { + "value": "[parameters('uaName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "uaName": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Authorization/locks", + "apiVersion": "2016-09-01", + "name": "[concat('CanNotDeleteLock-', parameters('uaName'))]", + "scope": "[concat('Microsoft.ManagedIdentity/userAssignedIdentities/', parameters('uaName'))]", + "properties": { + "level": "CanNotDelete", + "notes": "Please do not delete this User-Assigned Identity since extensions enabled by Azure Policy are relying on their existence." 
+ } + } + ] + } + } + }, + { + "condition": "[not(parameters('bringYourOwnUserAssignedManagedIdentity'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[variables('deployUAName')]", + "resourceGroup": "[parameters('identityResourceGroup')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/resourceGroups', parameters('identityResourceGroup'))]" + ], + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "uaName": { + "value": "[variables('uaNameWithLocation')]" + }, + "location": { + "value": "[parameters('location')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "uaName": { + "type": "string" + }, + "location": { + "type": "string" + } + }, + "variables": {}, + "resources": [ + { + "type": "Microsoft.ManagedIdentity/userAssignedIdentities", + "name": "[parameters('uaName')]", + "apiVersion": "2018-11-30", + "location": "[parameters('location')]" + }, + { + "type": "Microsoft.ManagedIdentity/userAssignedIdentities/providers/locks", + "apiVersion": "2016-09-01", + "name": "[concat(parameters('uaName'), '/Microsoft.Authorization/', 'CanNotDeleteLock-', parameters('uaName'))]", + "dependsOn": [ + "[parameters('uaName')]" + ], + "properties": { + "level": "CanNotDelete", + "notes": "Please do not delete this User-Assigned Identity since extensions enabled by Azure Policy are relying on their existence." 
+ } + } + ] + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[variables('deployGetResourceProperties')]", + "location": "[parameters('location')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/resourceGroups', parameters('identityResourceGroup'))]", + "[variables('deployUAName')]" + ], + "properties": { + "mode": "Incremental", + "template": { + "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [], + "outputs": { + "resource": { + "type": "object", + "value": "[reference(parameters('resourceId'), '2019-07-01', 'Full')]" + } + } + } + } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-06-01", + "name": "[concat(variables('deployAssignUAName'))]", + "resourceGroup": "[parameters('vmResourceGroup')]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/resourceGroups', parameters('identityResourceGroup'))]", + "[variables('deployUAName')]", + "[variables('deployGetResourceProperties')]" + ], + "properties": { + "mode": "Incremental", + "expressionEvaluationOptions": { + "scope": "inner" + }, + "parameters": { + "uaId": { + "value": "[if(parameters('bringYourOwnUserAssignedManagedIdentity'), variables('precreatedUaId'), variables('autocreatedUaId'))]" + }, + "vmName": { + "value": "[parameters('vmName')]" + }, + "location": { + "value": "[parameters('location')]" + }, + "identityType": { + "value": "[if(contains(reference(variables('deployGetResourceProperties')).outputs.resource.value, 'identity'), reference(variables('deployGetResourceProperties')).outputs.resource.value.identity.type, '')]" + }, + "userAssignedIdentities": { + "value": "[if(and(contains(reference(variables('deployGetResourceProperties')).outputs.resource.value, 'identity'), contains(reference(variables('deployGetResourceProperties')).outputs.resource.value.identity, 'userAssignedIdentities')), 
reference(variables('deployGetResourceProperties')).outputs.resource.value.identity.userAssignedIdentities, createObject())]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "uaId": { + "type": "string" + }, + "vmName": { + "type": "string" + }, + "location": { + "type": "string" + }, + "identityType": { + "type": "string" + }, + "userAssignedIdentities": { + "type": "object" + } + }, + "variables": { + "identityTypeValue": "[if(contains(parameters('identityType'), 'SystemAssigned'), 'SystemAssigned,UserAssigned', 'UserAssigned')]", + "userAssignedIdentitiesValue": "[union(parameters('userAssignedIdentities'), createObject(parameters('uaId'), createObject()))]", + "resourceWithSingleUAI": "[and(equals(parameters('identityType'), 'UserAssigned'), equals(string(length(parameters('userAssignedIdentities'))), '1'))]" + }, + "resources": [ + { + "condition": "[not(variables('resourceWithSingleUAI'))]", + "apiVersion": "2019-07-01", + "type": "Microsoft.Compute/virtualMachineScaleSets", + "name": "[parameters('vmName')]", + "location": "[parameters('location')]", + "identity": { + "type": "[variables('identityTypeValue')]", + "userAssignedIdentities": "[variables('userAssignedIdentitiesValue')]" + } + } + ] + } + } + } + ] + } + } + } + } + } +} \ No newline at end of file diff --git a/policyDefinitions/Managed Identity/assign-cross-subscription-user-assigned-managed-identity-to-virtual-machines/azurepolicy.json b/policyDefinitions/Managed Identity/assign-cross-subscription-user-assigned-managed-identity-to-virtual-machines/azurepolicy.json index 157509d0..e6628850 100644 --- a/policyDefinitions/Managed Identity/assign-cross-subscription-user-assigned-managed-identity-to-virtual-machines/azurepolicy.json +++ b/policyDefinitions/Managed Identity/assign-cross-subscription-user-assigned-managed-identity-to-virtual-machines/azurepolicy.json 
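Review bot: In `existenceCondition` the bring-your-own branch builds the identity id with `parameters('identitySubscription')` untrimmed, while the deployment template's `precreatedUaId` variable uses `trim(parameters('identitySubscription'))`; a subscription id with stray whitespace is therefore assigned under the trimmed id but never matches the `containsKey` check, so the scale set stays non-compliant and remediation re-deploys on every evaluation. Use the same form in both places: `concat('/subscriptions/', trim(parameters('identitySubscription')), '/resourceGroups/', trim(parameters('identityResourceGroup')), ...`. Separately, the `deployUALockName` deployment targets `"subscriptionId": "[parameters('identitySubscription')]"`, which in the cross-subscription case is outside the scope where `roleDefinitionIds` (Contributor and User Access Administrator, if I read the GUIDs right) are granted to the assignment identity, so that step presumably fails until an equivalent grant exists in the identity's subscription; the definition should document that prerequisite, and User Access Administrator looks broader than a lock-plus-identity-assignment remediation needs. The hard-coded `"location": "eastus"` on the subscription-level deployment also reads like a leftover that belongs alongside `builtInIdentityResourceGroupLocation`.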
@@ -1,5 +1,5 @@
 {
- "name": "9b482817-a7f1-42e2-9e93-5ef439610368",
+ "name": "e2464615-862b-5b44-901b-df87360c25ee",
 "type": "Microsoft.Authorization/policyDefinitions",
 "properties": {
 "displayName": "Assign Cross Subscription User-Assigned Managed Identity to Virtual Machines",
diff --git a/policyDefinitions/Monitoring/configure-win-vms-ama-with-cross-subscription-uami/azurepolicy.json b/policyDefinitions/Monitoring/configure-ama-on-windows-vm-with-cross-subscription-uami/azurepolicy.json
similarity index 90%
rename from policyDefinitions/Monitoring/configure-win-vms-ama-with-cross-subscription-uami/azurepolicy.json
rename to policyDefinitions/Monitoring/configure-ama-on-windows-vm-with-cross-subscription-uami/azurepolicy.json
index 0fd8cf75..ae269444 100644
--- a/policyDefinitions/Monitoring/configure-win-vms-ama-with-cross-subscription-uami/azurepolicy.json
+++ b/policyDefinitions/Monitoring/configure-ama-on-windows-vm-with-cross-subscription-uami/azurepolicy.json
@@ -1,5 +1,5 @@
 {
- "name": "2993aef3-6bcf-4e34-929c-79727b646663",
+ "name": "bdffab46-452d-5c4d-aacb-bdf9e45fd363",
 "type": "Microsoft.Authorization/policyDefinitions",
 "properties": {
 "displayName": "Configure Windows virtual machines to run Azure Monitor Agent with cross subscription user-assigned managed identity-based authentication",
@@ -76,6 +76,61 @@
 "description": "List of virtual machine images that have supported Windows OS to add to scope. Example values: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'"
 },
 "defaultValue": []
+ },
+ "allowedLocations": {
+ "type": "Array",
+ "metadata": {
+ "displayName": "Allowed Virtual Machine Locations",
+ "description": "List of Allowed Virtual Machine Locations"
+ },
+ "defaultValue": [
+ "australiacentral",
+ "australiaeast",
+ "australiasoutheast",
+ "brazilsouth",
+ "canadacentral",
+ "canadaeast",
+ "centralindia",
+ "centralus",
+ "eastasia",
+ "eastus2euap",
+ "eastus",
+ "eastus2",
+ "francecentral",
+ "germanywestcentral",
+ "japaneast",
+ "japanwest",
+ "jioindiawest",
+ "koreacentral",
+ "koreasouth",
+ "northcentralus",
+ "northeurope",
+ "norwayeast",
+ "southafricanorth",
+ "southcentralus",
+ "southeastasia",
+ "southindia",
+ "switzerlandnorth",
+ "uaenorth",
+ "uksouth",
+ "ukwest",
+ "westcentralus",
+ "westeurope",
+ "westindia",
+ "westus",
+ "westus2",
+ "chinaeast",
+ "chinaeast2",
+ "chinaeast3",
+ "chinanorth",
+ "chinanorth2",
+ "chinanorth3",
+ "usgovarizona",
+ "usgovtexas",
+ "usgovvirginia",
+ "usdodeast",
+ "usdodcentral"
+ ]
 }
 },
 "policyRule": {
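Review bot: The new `allowedLocations` description, `List of Allowed Virtual Machine Locations`, merely restates the display name and does not say what the list does: the rule now filters on `"field": "location", "in": "[parameters('allowedLocations')]"`, so a machine in any region not listed is silently out of scope and never receives Azure Monitor Agent — a monitoring coverage gap, not a deny. Suggest `Regions in which the policy evaluates virtual machines and deploys Azure Monitor Agent; machines in other regions are skipped, not flagged as non-compliant.` so an assigner trimming the default list understands the consequence. The same parameter text is added in the parameters file at the hunk ending on L49 and in the new scale-set definition that begins on L51; those should carry the same wording.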
@@ -87,54 +142,7 @@
 },
 {
 "field": "location",
- "in": [
- "australiacentral",
- "australiaeast",
- "australiasoutheast",
- "brazilsouth",
- "canadacentral",
- "canadaeast",
- "centralindia",
- "centralus",
- "eastasia",
- "eastus2euap",
- "eastus",
- "eastus2",
- "francecentral",
- "germanywestcentral",
- "japaneast",
- "japanwest",
- "jioindiawest",
- "koreacentral",
- "koreasouth",
- "northcentralus",
- "northeurope",
- "norwayeast",
- "southafricanorth",
- "southcentralus",
- "southeastasia",
- "southindia",
- "switzerlandnorth",
- "uaenorth",
- "uksouth",
- "ukwest",
- "westcentralus",
- "westeurope",
- "westindia",
- "westus",
- "westus2",
- "chinaeast",
- "chinaeast2",
- "chinaeast3",
- "chinanorth",
- "chinanorth2",
- "chinanorth3",
- "usgovarizona",
- "usgovtexas",
- "usgovvirginia",
- "usdodeast",
- "usdodcentral"
- ]
+ "in": "[parameters('allowedLocations')]"
 },
 {
 "anyOf": [
diff --git a/policyDefinitions/Monitoring/configure-win-vms-ama-with-cross-subscription-uami/azurepolicy.parameters.json b/policyDefinitions/Monitoring/configure-ama-on-windows-vm-with-cross-subscription-uami/azurepolicy.parameters.json
similarity index 68%
rename from policyDefinitions/Monitoring/configure-win-vms-ama-with-cross-subscription-uami/azurepolicy.parameters.json
rename to policyDefinitions/Monitoring/configure-ama-on-windows-vm-with-cross-subscription-uami/azurepolicy.parameters.json
index 8a8dcf1d..21f84ce5 100644
--- a/policyDefinitions/Monitoring/configure-win-vms-ama-with-cross-subscription-uami/azurepolicy.parameters.json
+++ b/policyDefinitions/Monitoring/configure-ama-on-windows-vm-with-cross-subscription-uami/azurepolicy.parameters.json
@@ -65,5 +65,60 @@
 "description": "List of virtual machine images that have supported Windows OS to add to scope. Example values: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'"
 },
 "defaultValue": []
+ },
+ "allowedLocations": {
+ "type": "Array",
+ "metadata": {
+ "displayName": "Allowed Virtual Machine Locations",
+ "description": "List of Allowed Virtual Machine Locations"
+ },
+ "defaultValue": [
+ "australiacentral",
+ "australiaeast",
+ "australiasoutheast",
+ "brazilsouth",
+ "canadacentral",
+ "canadaeast",
+ "centralindia",
+ "centralus",
+ "eastasia",
+ "eastus2euap",
+ "eastus",
+ "eastus2",
+ "francecentral",
+ "germanywestcentral",
+ "japaneast",
+ "japanwest",
+ "jioindiawest",
+ "koreacentral",
+ "koreasouth",
+ "northcentralus",
+ "northeurope",
+ "norwayeast",
+ "southafricanorth",
+ "southcentralus",
+ "southeastasia",
+ "southindia",
+ "switzerlandnorth",
+ "uaenorth",
+ "uksouth",
+ "ukwest",
+ "westcentralus",
+ "westeurope",
+ "westindia",
+ "westus",
+ "westus2",
+ "chinaeast",
+ "chinaeast2",
+ "chinaeast3",
+ "chinanorth",
+ "chinanorth2",
+ "chinanorth3",
+ "usgovarizona",
+ "usgovtexas",
+ "usgovvirginia",
+ "usdodeast",
+ "usdodcentral"
+ ]
 }
 }
\ No newline at end of file
diff --git a/policyDefinitions/Monitoring/configure-win-vms-ama-with-cross-subscription-uami/azurepolicy.rules.json b/policyDefinitions/Monitoring/configure-ama-on-windows-vm-with-cross-subscription-uami/azurepolicy.rules.json
similarity index 89%
rename from policyDefinitions/Monitoring/configure-win-vms-ama-with-cross-subscription-uami/azurepolicy.rules.json
rename to policyDefinitions/Monitoring/configure-ama-on-windows-vm-with-cross-subscription-uami/azurepolicy.rules.json
index 0dc99502..490ae89f 100644
--- a/policyDefinitions/Monitoring/configure-win-vms-ama-with-cross-subscription-uami/azurepolicy.rules.json
+++ b/policyDefinitions/Monitoring/configure-ama-on-windows-vm-with-cross-subscription-uami/azurepolicy.rules.json
@@ -7,54 +7,7 @@
 },
 {
 "field": "location",
- "in": [
- "australiacentral",
- "australiaeast",
- "australiasoutheast",
- "brazilsouth",
- "canadacentral",
- "canadaeast",
- "centralindia",
- "centralus",
- "eastasia",
- "eastus2euap",
- "eastus",
- "eastus2",
- "francecentral",
- "germanywestcentral",
- "japaneast",
- "japanwest",
- "jioindiawest",
- "koreacentral",
- "koreasouth",
- "northcentralus",
- "northeurope",
- "norwayeast",
- "southafricanorth",
- "southcentralus",
- "southeastasia",
- "southindia",
- "switzerlandnorth",
- "uaenorth",
- "uksouth",
- "ukwest",
- "westcentralus",
- "westeurope",
- "westindia",
- "westus",
- "westus2",
- "chinaeast",
- "chinaeast2",
- "chinaeast3",
- "chinanorth",
- "chinanorth2",
- "chinanorth3",
- "usgovarizona",
- "usgovtexas",
- "usgovvirginia",
- "usdodeast",
- "usdodcentral"
- ]
+ "in": "[parameters('allowedLocations')]"
 },
 {
 "anyOf": [
diff --git a/policyDefinitions/Monitoring/configure-ama-on-windows-vmss-with-cross-subscription-uami/azurepolicy.json b/policyDefinitions/Monitoring/configure-ama-on-windows-vmss-with-cross-subscription-uami/azurepolicy.json
new file mode 100644
index 00000000..332c6d67
--- /dev/null
+++ b/policyDefinitions/Monitoring/configure-ama-on-windows-vmss-with-cross-subscription-uami/azurepolicy.json
@@ -0,0 +1,435 @@ +{ + "name": "6eef296d-6e58-5404-acb0-a102bd5f0ee6", + "type": "Microsoft.Authorization/policyDefinitions", + "properties": { + "displayName": "Configure Windows virtual machine scale sets to run Azure Monitor Agent with cross subscription user-assigned managed identity-based authentication", + "mode": "Indexed", + "description": "Copy of built-in 637125fd-7c39-4b94-bb0a-d331faf333a9 with minimal changes to support a cross subscription UAMI. Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. ", + "metadata": { + "version": "1.0.0", + "category": "Monitoring" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy." + }, + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "bringYourOwnUserAssignedManagedIdentity": { + "type": "Boolean", + "metadata": { + "displayName": "Bring Your Own User-Assigned Managed Identity", + "description": "If set to true, Azure Monitor Agent will use the user-assigned managed identity specified via the 'User-Assigned Managed Identity ...' parameters for authentication. Otherwise, Azure Monitor Agent will use the user-assigned managed identity /subscriptions//resourceGroups/built-in-identity-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/built-in-identity- for authentication." 
+ }, + "allowedValues": [ + false, + true + ] + }, + "userAssignedManagedIdentityName": { + "type": "String", + "metadata": { + "displayName": "User-Assigned Managed Identity Name", + "description": "The name of the user-assigned managed identity which Azure Monitor Agent will use for authentication when 'Bring Your Own User-Assigned Managed Identity' is set to true." + }, + "defaultValue": "" + }, + "userAssignedManagedIdentityResourceGroup": { + "type": "String", + "metadata": { + "displayName": "User-Assigned Managed Identity Resource Group", + "description": "The resource group of the user-assigned managed identity which Azure Monitor Agent will use for authentication when 'Bring Your Own User-Assigned Managed Identity' is set to true." + }, + "defaultValue": "" + }, + "userAssignedManagedIdentitySubscription": { + "type": "String", + "metadata": { + "displayName": "User-Assigned Managed Identity Subscription Id", + "description": "The subscription id of the user-assigned managed identity which Azure Monitor Agent will use for authentication when 'Bring Your Own User-Assigned Managed Identity' is set to true." + }, + "defaultValue": "" + }, + "scopeToSupportedImages": { + "type": "Boolean", + "metadata": { + "displayName": "Scope Policy to Azure Monitor Agent-Supported Operating Systems", + "description": "If set to true, the policy will apply only to virtual machine scale sets with supported operating systems. Otherwise, the policy will apply to all virtual machine scale set resources in the assignment scope. For supported operating systems, see https://aka.ms/AMAOverview." + }, + "allowedValues": [ + true, + false + ], + "defaultValue": true + }, + "listOfWindowsImageIdToInclude": { + "type": "Array", + "metadata": { + "displayName": "Additional Virtual Machine Images", + "description": "List of virtual machine images that have supported Windows OS to add to scope. 
Example values: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'" + }, + "defaultValue": [] + }, + "allowedLocations": { + "type": "Array", + "metadata": { + "displayName": "Allowed Virtual Machine Locations", + "description": "List of Allowed Virtual Machine Locations" + }, + "defaultValue": [ + "australiacentral", + "australiaeast", + "australiasoutheast", + "brazilsouth", + "canadacentral", + "canadaeast", + "centralindia", + "centralus", + "eastasia", + "eastus2euap", + "eastus", + "eastus2", + "francecentral", + "germanywestcentral", + "japaneast", + "japanwest", + "jioindiawest", + "koreacentral", + "koreasouth", + "northcentralus", + "northeurope", + "norwayeast", + "southafricanorth", + "southcentralus", + "southeastasia", + "southindia", + "switzerlandnorth", + "uaenorth", + "uksouth", + "ukwest", + "westcentralus", + "westeurope", + "westindia", + "westus", + "westus2", + "chinaeast", + "chinaeast2", + "chinaeast3", + "chinanorth", + "chinanorth2", + "chinanorth3", + "usgovarizona", + "usgovtexas", + "usgovvirginia", + "usdodeast", + "usdodcentral" + ] + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Compute/virtualMachineScaleSets" + }, + { + "field": "location", + "in": "[parameters('allowedLocations')]" + }, + { + "anyOf": [ + { + "allOf": [ + { + "value": "[parameters('scopeToSupportedImages')]", + "equals": false + }, + { + "field": "Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.storageProfile.osDisk.osType", + "like": "Windows*" + } + ] + }, + { + "field": "Microsoft.Compute/imageId", + "in": "[parameters('listOfWindowsImageIdToInclude')]" + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftWindowsServer" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "WindowsServer" + }, + { + "anyOf": [ + { + "field": "Microsoft.Compute/imageSku", + "like": "2008-R2-SP1*" + }, + { + 
"field": "Microsoft.Compute/imageSku", + "like": "2012-*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "2016-*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "2019-*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "2022-*" + } + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftWindowsServer" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "WindowsServerSemiAnnual" + }, + { + "field": "Microsoft.Compute/imageSKU", + "in": [ + "Datacenter-Core-1709-smalldisk", + "Datacenter-Core-1709-with-Containers-smalldisk", + "Datacenter-Core-1803-with-Containers-smalldisk" + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftWindowsServerHPCPack" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "WindowsServerHPCPack" + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftSQLServer" + }, + { + "anyOf": [ + { + "field": "Microsoft.Compute/imageOffer", + "like": "*-WS2022" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "*-WS2022-BYOL" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "*-WS2019" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "*-WS2019-BYOL" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "*-WS2016" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "*-WS2016-BYOL" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "*-WS2012R2" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "*-WS2012R2-BYOL" + } + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftRServer" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "MLServer-WS2016" + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftVisualStudio" + }, + { + "field": 
"Microsoft.Compute/imageOffer", + "in": [ + "VisualStudio", + "Windows" + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftDynamicsAX" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "Dynamics" + }, + { + "field": "Microsoft.Compute/imageSKU", + "equals": "Pre-Req-AX7-Onebox-U8" + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "microsoft-ads" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "windows-data-science-vm" + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftWindowsDesktop" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "Windows-1*" + } + ] + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Compute/virtualMachineScaleSets/extensions", + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c" + ], + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/type", + "equals": "AzureMonitorWindowsAgent" + }, + { + "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/publisher", + "equals": "Microsoft.Azure.Monitor" + }, + { + "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/provisioningState", + "equals": "Succeeded" + } + ] + }, + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "vmName": { + "type": "string" + }, + "location": { + "type": "string" + }, + "userAssignedManagedIdentity": { + "type": "string" + } + }, + "variables": { + "extensionName": "AzureMonitorWindowsAgent", + "extensionPublisher": "Microsoft.Azure.Monitor", + "extensionType": "AzureMonitorWindowsAgent", + "extensionTypeHandlerVersion": "1.2" 
+ }, + "resources": [ + { + "name": "[concat(parameters('vmName'), '/', variables('extensionName'))]", + "type": "Microsoft.Compute/virtualMachineScaleSets/extensions", + "location": "[parameters('location')]", + "apiVersion": "2019-07-01", + "properties": { + "publisher": "[variables('extensionPublisher')]", + "type": "[variables('extensionType')]", + "typeHandlerVersion": "[variables('extensionTypeHandlerVersion')]", + "autoUpgradeMinorVersion": true, + "enableAutomaticUpgrade": true, + "settings": { + "authentication": { + "managedIdentity": { + "identifier-name": "mi_res_id", + "identifier-value": "[parameters('userAssignedManagedIdentity')]" + } + } + } + } + } + ] + }, + "parameters": { + "vmName": { + "value": "[field('name')]" + }, + "location": { + "value": "[field('location')]" + }, + "userAssignedManagedIdentity": { + "value": "[if(parameters('bringYourOwnUserAssignedManagedIdentity'), concat('/subscriptions/', parameters('userAssignedManagedIdentitySubscription'), '/resourceGroups/', parameters('userAssignedManagedIdentityResourceGroup'), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', parameters('userAssignedManagedIdentityName')), concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/built-in-identity-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/built-in-identity-', field('location')))]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/policyDefinitions/Monitoring/configure-ama-on-windows-vmss-with-cross-subscription-uami/azurepolicy.parameters.json b/policyDefinitions/Monitoring/configure-ama-on-windows-vmss-with-cross-subscription-uami/azurepolicy.parameters.json new file mode 100644 index 00000000..01843422 --- /dev/null +++ b/policyDefinitions/Monitoring/configure-ama-on-windows-vmss-with-cross-subscription-uami/azurepolicy.parameters.json 
@@ -0,0 +1,124 @@ +{ + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy." + }, + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "bringYourOwnUserAssignedManagedIdentity": { + "type": "Boolean", + "metadata": { + "displayName": "Bring Your Own User-Assigned Managed Identity", + "description": "If set to true, Azure Monitor Agent will use the user-assigned managed identity specified via the 'User-Assigned Managed Identity ...' parameters for authentication. Otherwise, Azure Monitor Agent will use the user-assigned managed identity /subscriptions//resourceGroups/built-in-identity-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/built-in-identity- for authentication." + }, + "allowedValues": [ + false, + true + ] + }, + "userAssignedManagedIdentityName": { + "type": "String", + "metadata": { + "displayName": "User-Assigned Managed Identity Name", + "description": "The name of the user-assigned managed identity which Azure Monitor Agent will use for authentication when 'Bring Your Own User-Assigned Managed Identity' is set to true." + }, + "defaultValue": "" + }, + "userAssignedManagedIdentityResourceGroup": { + "type": "String", + "metadata": { + "displayName": "User-Assigned Managed Identity Resource Group", + "description": "The resource group of the user-assigned managed identity which Azure Monitor Agent will use for authentication when 'Bring Your Own User-Assigned Managed Identity' is set to true." + }, + "defaultValue": "" + }, + "userAssignedManagedIdentitySubscription": { + "type": "String", + "metadata": { + "displayName": "User-Assigned Managed Identity Subscription Id", + "description": "The subscription id of the user-assigned managed identity which Azure Monitor Agent will use for authentication when 'Bring Your Own User-Assigned Managed Identity' is set to true." 
+ }, + "defaultValue": "" + }, + "scopeToSupportedImages": { + "type": "Boolean", + "metadata": { + "displayName": "Scope Policy to Azure Monitor Agent-Supported Operating Systems", + "description": "If set to true, the policy will apply only to virtual machine scale sets with supported operating systems. Otherwise, the policy will apply to all virtual machine scale set resources in the assignment scope. For supported operating systems, see https://aka.ms/AMAOverview." + }, + "allowedValues": [ + true, + false + ], + "defaultValue": true + }, + "listOfWindowsImageIdToInclude": { + "type": "Array", + "metadata": { + "displayName": "Additional Virtual Machine Images", + "description": "List of virtual machine images that have supported Windows OS to add to scope. Example values: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'" + }, + "defaultValue": [] + }, + "allowedLocations": { + "type": "Array", + "metadata": { + "displayName": "Allowed Virtual Machine Locations", + "description": "List of Allowed Virtual Machine Locations" + }, + "defaultValue": [ + "australiacentral", + "australiaeast", + "australiasoutheast", + "brazilsouth", + "canadacentral", + "canadaeast", + "centralindia", + "centralus", + "eastasia", + "eastus2euap", + "eastus", + "eastus2", + "francecentral", + "germanywestcentral", + "japaneast", + "japanwest", + "jioindiawest", + "koreacentral", + "koreasouth", + "northcentralus", + "northeurope", + "norwayeast", + "southafricanorth", + "southcentralus", + "southeastasia", + "southindia", + "switzerlandnorth", + "uaenorth", + "uksouth", + "ukwest", + "westcentralus", + "westeurope", + "westindia", + "westus", + "westus2", + "chinaeast", + "chinaeast2", + "chinaeast3", + "chinanorth", + "chinanorth2", + "chinanorth3", + "usgovarizona", + "usgovtexas", + "usgovvirginia", + "usdodeast", + "usdodcentral" + ] + } +} \ No newline at end of file 
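Review bot: The three bring-your-own parameters (`userAssignedManagedIdentityName`, `userAssignedManagedIdentityResourceGroup`, `userAssignedManagedIdentitySubscription`) all default to `""` and nothing marks them as required once `bringYourOwnUserAssignedManagedIdentity` is true; the parameter schema offers no pattern constraint, so an assignment that leaves any of them empty produces a malformed identity resource id (`/subscriptions//resourceGroups//...`) in the `concat` of the rules file added in the next hunk. Since the descriptions are the only guard, I would extend each of the three with `Required when 'Bring Your Own User-Assigned Managed Identity' is set to true; leave empty otherwise.` and say explicitly for the subscription parameter that it takes the subscription GUID, not its display name. Separately, the `bringYourOwnUserAssignedManagedIdentity` description reads `/subscriptions//resourceGroups/built-in-identity-rg/.../built-in-identity-`; if the `<subscription-id>` and `<location>` placeholders were genuinely dropped rather than lost in rendering, restore them so the fallback identity naming is readable.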
diff --git a/policyDefinitions/Monitoring/configure-ama-on-windows-vmss-with-cross-subscription-uami/azurepolicy.rules.json b/policyDefinitions/Monitoring/configure-ama-on-windows-vmss-with-cross-subscription-uami/azurepolicy.rules.json
new file mode 100644
index 00000000..0b13c745
--- /dev/null
+++ b/policyDefinitions/Monitoring/configure-ama-on-windows-vmss-with-cross-subscription-uami/azurepolicy.rules.json
@@ -0,0 +1,298 @@ +{ + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Compute/virtualMachineScaleSets" + }, + { + "field": "location", + "in": "[parameters('allowedLocations')]" + }, + { + "anyOf": [ + { + "allOf": [ + { + "value": "[parameters('scopeToSupportedImages')]", + "equals": false + }, + { + "field": "Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.storageProfile.osDisk.osType", + "like": "Windows*" + } + ] + }, + { + "field": "Microsoft.Compute/imageId", + "in": "[parameters('listOfWindowsImageIdToInclude')]" + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftWindowsServer" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "WindowsServer" + }, + { + "anyOf": [ + { + "field": "Microsoft.Compute/imageSku", + "like": "2008-R2-SP1*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "2012-*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "2016-*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "2019-*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "2022-*" + } + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftWindowsServer" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "WindowsServerSemiAnnual" + }, + { + "field": "Microsoft.Compute/imageSKU", + "in": [ + "Datacenter-Core-1709-smalldisk", + "Datacenter-Core-1709-with-Containers-smalldisk", + "Datacenter-Core-1803-with-Containers-smalldisk" + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftWindowsServerHPCPack" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "WindowsServerHPCPack" + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftSQLServer" + }, + { + "anyOf": [ + { + "field": "Microsoft.Compute/imageOffer", + "like": "*-WS2022" + }, + { + "field": 
"Microsoft.Compute/imageOffer", + "like": "*-WS2022-BYOL" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "*-WS2019" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "*-WS2019-BYOL" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "*-WS2016" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "*-WS2016-BYOL" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "*-WS2012R2" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "*-WS2012R2-BYOL" + } + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftRServer" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "MLServer-WS2016" + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftVisualStudio" + }, + { + "field": "Microsoft.Compute/imageOffer", + "in": [ + "VisualStudio", + "Windows" + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftDynamicsAX" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "Dynamics" + }, + { + "field": "Microsoft.Compute/imageSKU", + "equals": "Pre-Req-AX7-Onebox-U8" + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "microsoft-ads" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "windows-data-science-vm" + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "MicrosoftWindowsDesktop" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "Windows-1*" + } + ] + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Compute/virtualMachineScaleSets/extensions", + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c" + ], + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/type", + 
"equals": "AzureMonitorWindowsAgent" + }, + { + "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/publisher", + "equals": "Microsoft.Azure.Monitor" + }, + { + "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/provisioningState", + "equals": "Succeeded" + } + ] + }, + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "vmName": { + "type": "string" + }, + "location": { + "type": "string" + }, + "userAssignedManagedIdentity": { + "type": "string" + } + }, + "variables": { + "extensionName": "AzureMonitorWindowsAgent", + "extensionPublisher": "Microsoft.Azure.Monitor", + "extensionType": "AzureMonitorWindowsAgent", + "extensionTypeHandlerVersion": "1.2" + }, + "resources": [ + { + "name": "[concat(parameters('vmName'), '/', variables('extensionName'))]", + "type": "Microsoft.Compute/virtualMachineScaleSets/extensions", + "location": "[parameters('location')]", + "apiVersion": "2019-07-01", + "properties": { + "publisher": "[variables('extensionPublisher')]", + "type": "[variables('extensionType')]", + "typeHandlerVersion": "[variables('extensionTypeHandlerVersion')]", + "autoUpgradeMinorVersion": true, + "enableAutomaticUpgrade": true, + "settings": { + "authentication": { + "managedIdentity": { + "identifier-name": "mi_res_id", + "identifier-value": "[parameters('userAssignedManagedIdentity')]" + } + } + } + } + } + ] + }, + "parameters": { + "vmName": { + "value": "[field('name')]" + }, + "location": { + "value": "[field('location')]" + }, + "userAssignedManagedIdentity": { + "value": "[if(parameters('bringYourOwnUserAssignedManagedIdentity'), concat('/subscriptions/', parameters('userAssignedManagedIdentitySubscription'), '/resourceGroups/', parameters('userAssignedManagedIdentityResourceGroup'), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', 
parameters('userAssignedManagedIdentityName')), concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/built-in-identity-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/built-in-identity-', field('location')))]" + } + } + } + } + } + } +} \ No newline at end of file From f4c4112f98dd7df907e210c789dff055d4bc550e Mon Sep 17 00:00:00 2001 From: Hugo Ribeiro Date: Wed, 20 Mar 2024 21:34:29 +0000 Subject: [PATCH 03/13] adjust descriptions --- .../azurepolicy.json | 2 +- .../azurepolicy.json | 2 +- .../azurepolicy.json | 2 +- .../azurepolicy.json | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/policyDefinitions/Managed Identity/assign-cross-subscription-user-assigned-managed-identity-to-virtual-machine-scale-set/azurepolicy.json b/policyDefinitions/Managed Identity/assign-cross-subscription-user-assigned-managed-identity-to-virtual-machine-scale-set/azurepolicy.json index 2fefa12a..b0301f18 100644 --- a/policyDefinitions/Managed Identity/assign-cross-subscription-user-assigned-managed-identity-to-virtual-machine-scale-set/azurepolicy.json +++ b/policyDefinitions/Managed Identity/assign-cross-subscription-user-assigned-managed-identity-to-virtual-machine-scale-set/azurepolicy.json 
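Review bot: The `existenceCondition` matches only the extension `type`, `publisher` and `provisioningState`, so a scale set that already runs `AzureMonitorWindowsAgent` authenticating with a different identity (system-assigned, or a UAMI in the scale set's own subscription) is reported compliant and is never reconfigured to the cross-subscription UAMI this definition exists to enforce. That shape is inherited from the built-in it was adapted from, but it matters more here because which identity the agent uses is the whole point of the definition; at minimum the description should state that an existing AMA extension is left untouched, and if an alias for the extension's `settings.authentication.managedIdentity` is available in your tenant, add a clause on it to the `existenceCondition` so identity drift is detected. The same condition is used by the Linux VM definition added in the `configure-ama-on-linux-vm-with-cross-subscription-uami/azurepolicy.json` hunk of the fourth patch.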
@@ -4,7 +4,7 @@
 "properties": {
 "displayName": "Assign Cross Subscription User-Assigned Managed Identity to Virtual Machine Scale Set",
 "mode": "Indexed",
- "description": "Assign User-Assigned Managed Identity that can be located in a different subscription to Virtual Machine Scale Set.",
+ "description": "Assign User-Assigned Managed Identity that can be located in a different subscription to Virtual Machine Scale Set. Adapted from built-in /providers/Microsoft.Authorization/policyDefinitions/516187d4-ef64-4a1b-ad6b-a7348502976c. This policy is meant to be assigned at Management Group Level, otherwise you must assign manualy the permissions (Microsoft.Authorization/locks/write + Microsoft.Resources/deployments/* + */read) to the Policy Managed Idenity on the cross subscription UAMI.",
 "metadata": {
 "version": "1.0.0",
 "category": "Managed Identity"
diff --git a/policyDefinitions/Managed Identity/assign-cross-subscription-user-assigned-managed-identity-to-virtual-machines/azurepolicy.json b/policyDefinitions/Managed Identity/assign-cross-subscription-user-assigned-managed-identity-to-virtual-machines/azurepolicy.json
index e6628850..961df3ef 100644
--- a/policyDefinitions/Managed Identity/assign-cross-subscription-user-assigned-managed-identity-to-virtual-machines/azurepolicy.json
+++ b/policyDefinitions/Managed Identity/assign-cross-subscription-user-assigned-managed-identity-to-virtual-machines/azurepolicy.json
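Review bot: The new description strings carry spelling errors that every assignment author will see in the portal: `manualy` and `Idenity` in this hunk and in the next three (`...to-virtual-machines/azurepolicy.json`, `configure-ama-on-windows-vm-...`, `configure-ama-on-windows-vmss-...`), and again in the Linux VM definition added by the fourth patch. The wording also differs between files for what is the same requirement (`otherwise you must assign manualy` here versus `if you don't do this then you must assign manualy` in the Windows VM definition). I would use one sentence everywhere, e.g. `This policy is meant to be assigned at Management Group level; otherwise you must manually grant the Policy managed identity the permissions (Microsoft.Authorization/locks/write + Microsoft.Resources/deployments/* + */read) on the cross subscription UAMI.`, keeping the permission list per definition as it is now.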
@@ -4,7 +4,7 @@
 "properties": {
 "displayName": "Assign Cross Subscription User-Assigned Managed Identity to Virtual Machines",
 "mode": "Indexed",
- "description": "Assign User-Assigned Managed Identity that can be located in a different subscription to Virtual Machines.",
+ "description": "Assign User-Assigned Managed Identity that can be located in a different subscription to Virtual Machines. Adapted from built-in /providers/Microsoft.Authorization/policyDefinitions/d367bd60-64ca-4364-98ea-276775bddd94. This policy is meant to be assigned at Management Group Level, otherwise you must assign manualy the permissions (Microsoft.Authorization/locks/write + Microsoft.Resources/deployments/* + */read) to the Policy Managed Idenity on the cross subscription UAMI.",
 "metadata": {
 "version": "1.0.0",
 "category": "Managed Identity"
diff --git a/policyDefinitions/Monitoring/configure-ama-on-windows-vm-with-cross-subscription-uami/azurepolicy.json b/policyDefinitions/Monitoring/configure-ama-on-windows-vm-with-cross-subscription-uami/azurepolicy.json
index ae269444..c482531a 100644
--- a/policyDefinitions/Monitoring/configure-ama-on-windows-vm-with-cross-subscription-uami/azurepolicy.json
+++ b/policyDefinitions/Monitoring/configure-ama-on-windows-vm-with-cross-subscription-uami/azurepolicy.json
@@ -4,7 +4,7 @@
 "properties": {
 "displayName": "Configure Windows virtual machines to run Azure Monitor Agent with cross subscription user-assigned managed identity-based authentication",
 "mode": "Indexed",
- "description": "Copy of built-in 637125fd-7c39-4b94-bb0a-d331faf333a9 with minimal changes to support a cross subscription UAMI. Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. ",
+ "description": "Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Adapted from built-in /providers/Microsoft.Authorization/policyDefinitions/637125fd-7c39-4b94-bb0a-d331faf333a9 with minimal changes to support a cross subscription UAMI. This policy is meant to be assigned at Management Group Level, if you don't do this then you must assign manualy the permissions */read to the Policy Managed Idenity on the cross subscription UAMI.",
 "metadata": {
 "version": "1.0.0",
 "category": "Monitoring"
diff --git a/policyDefinitions/Monitoring/configure-ama-on-windows-vmss-with-cross-subscription-uami/azurepolicy.json b/policyDefinitions/Monitoring/configure-ama-on-windows-vmss-with-cross-subscription-uami/azurepolicy.json
index 332c6d67..74c90ccb 100644
--- a/policyDefinitions/Monitoring/configure-ama-on-windows-vmss-with-cross-subscription-uami/azurepolicy.json
+++ b/policyDefinitions/Monitoring/configure-ama-on-windows-vmss-with-cross-subscription-uami/azurepolicy.json
@@ -4,7 +4,7 @@
 "properties": {
 "displayName": "Configure Windows virtual machine scale sets to run Azure Monitor Agent with cross subscription user-assigned managed identity-based authentication",
 "mode": "Indexed",
- "description": "Copy of built-in 637125fd-7c39-4b94-bb0a-d331faf333a9 with minimal changes to support a cross subscription UAMI. Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. ",
+ "description": "Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Adapted from built-in /providers/Microsoft.Authorization/policyDefinitions/98569e20-8f32-4f31-bf34-0e91590ae9d3 with minimal changes to support a cross subscription UAMI. This policy is meant to be assigned at Management Group Level, otherwise you must assign manualy the permissions */read to the Policy Managed Idenity on the cross subscription UAMI.",
 "metadata": {
 "version": "1.0.0",
 "category": "Monitoring"
From e1e8c052a01608f97ab753e1b0238694f84e2b9b Mon Sep 17 00:00:00 2001
From: Hugo Ribeiro Date: Wed, 20 Mar 2024 22:00:56 +0000 Subject: [PATCH 04/13] add 2 Linux AMA related policies for cross subscription supportability --- .../azurepolicy.json | 584 ++++++++++++++++++ .../azurepolicy.parameters.json | 124 ++++ .../azurepolicy.rules.json | 447 ++++++++++++++ .../azurepolicy.json | 584 ++++++++++++++++++ .../azurepolicy.parameters.json | 124 ++++ .../azurepolicy.rules.json | 447 ++++++++++++++ 6 files changed, 2310 insertions(+) create mode 100644 policyDefinitions/Monitoring/configure-ama-on-linux-vm-with-cross-subscription-uami/azurepolicy.json create mode 100644 policyDefinitions/Monitoring/configure-ama-on-linux-vm-with-cross-subscription-uami/azurepolicy.parameters.json create mode 100644 policyDefinitions/Monitoring/configure-ama-on-linux-vm-with-cross-subscription-uami/azurepolicy.rules.json create mode 100644 policyDefinitions/Monitoring/configure-ama-on-linux-vmss-with-cross-subscription-uami/azurepolicy.json create mode 100644 policyDefinitions/Monitoring/configure-ama-on-linux-vmss-with-cross-subscription-uami/azurepolicy.parameters.json create mode 100644 policyDefinitions/Monitoring/configure-ama-on-linux-vmss-with-cross-subscription-uami/azurepolicy.rules.json diff --git a/policyDefinitions/Monitoring/configure-ama-on-linux-vm-with-cross-subscription-uami/azurepolicy.json b/policyDefinitions/Monitoring/configure-ama-on-linux-vm-with-cross-subscription-uami/azurepolicy.json new file mode 100644 index 00000000..9cbf7d92 --- /dev/null +++ b/policyDefinitions/Monitoring/configure-ama-on-linux-vm-with-cross-subscription-uami/azurepolicy.json 
@@ -0,0 +1,584 @@ +{ + "name": "2bf130ac-424c-570d-aadf-3cd38fbf1157", + "type": "Microsoft.Authorization/policyDefinitions", + "properties": { + "displayName": "Configure Linux virtual machines to run Azure Monitor Agent with cross subscription user-assigned managed identity-based authentication", + "mode": "Indexed", + "description": "Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Adapted from built-in /providers/Microsoft.Authorization/policyDefinitions/ae8a10e6-19d6-44a3-a02d-a2bdfc707742 with minimal changes to support a cross subscription UAMI. This policy is meant to be assigned at Management Group Level, if you don't do this then you must assign manualy the permissions */read to the Policy Managed Idenity on the cross subscription UAMI.", + "metadata": { + "version": "1.0.0", + "category": "Monitoring" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy." + }, + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "bringYourOwnUserAssignedManagedIdentity": { + "type": "Boolean", + "metadata": { + "displayName": "Bring Your Own User-Assigned Managed Identity", + "description": "If set to true, Azure Monitor Agent will use the user-assigned managed identity specified via the 'User-Assigned Managed Identity ...' parameters for authentication. Otherwise, Azure Monitor Agent will use the user-assigned managed identity /subscriptions//resourceGroups/built-in-identity-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/built-in-identity- for authentication." 
+ }, + "allowedValues": [ + false, + true + ] + }, + "userAssignedManagedIdentityName": { + "type": "String", + "metadata": { + "displayName": "User-Assigned Managed Identity Name", + "description": "The name of the user-assigned managed identity which Azure Monitor Agent will use for authentication when 'Bring Your Own User-Assigned Managed Identity' is set to true." + }, + "defaultValue": "" + }, + "userAssignedManagedIdentityResourceGroup": { + "type": "String", + "metadata": { + "displayName": "User-Assigned Managed Identity Resource Group", + "description": "The resource group of the user-assigned managed identity which Azure Monitor Agent will use for authentication when 'Bring Your Own User-Assigned Managed Identity' is set to true." + }, + "defaultValue": "" + }, + "userAssignedManagedIdentitySubscription": { + "type": "String", + "metadata": { + "displayName": "User-Assigned Managed Identity Subscription Id", + "description": "The subscription id of the user-assigned managed identity which Azure Monitor Agent will use for authentication when 'Bring Your Own User-Assigned Managed Identity' is set to true." + }, + "defaultValue": "" + }, + "scopeToSupportedImages": { + "type": "Boolean", + "metadata": { + "displayName": "Scope Policy to Azure Monitor Agent-Supported Operating Systems", + "description": "If set to true, the policy will apply only to virtual machines with supported operating systems. Otherwise, the policy will apply to all virtual machine resources in the assignment scope. For supported operating systems, see https://aka.ms/AMAOverview." + }, + "allowedValues": [ + true, + false + ], + "defaultValue": true + }, + "listOfLinuxImageIdToInclude": { + "type": "Array", + "metadata": { + "displayName": "Additional Virtual Machine Images", + "description": "List of virtual machine images that have supported Linux OS to add to scope. 
Example values: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'" + }, + "defaultValue": [] + }, + "allowedLocations": { + "type": "Array", + "metadata": { + "displayName": "Allowed Virtual Machine Locations", + "description": "List of Allowed Virtual Machine Locations" + }, + "defaultValue": [ + "australiacentral", + "australiaeast", + "australiasoutheast", + "brazilsouth", + "canadacentral", + "canadaeast", + "centralindia", + "centralus", + "eastasia", + "eastus2euap", + "eastus", + "eastus2", + "francecentral", + "germanywestcentral", + "japaneast", + "japanwest", + "jioindiawest", + "koreacentral", + "koreasouth", + "northcentralus", + "northeurope", + "norwayeast", + "southafricanorth", + "southcentralus", + "southeastasia", + "southindia", + "switzerlandnorth", + "uaenorth", + "uksouth", + "ukwest", + "westcentralus", + "westeurope", + "westindia", + "westus", + "westus2", + "chinaeast", + "chinaeast2", + "chinaeast3", + "chinanorth", + "chinanorth2", + "chinanorth3", + "usgovarizona", + "usgovtexas", + "usgovvirginia", + "usdodeast", + "usdodcentral" + ] + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Compute/virtualMachines" + }, + { + "field": "location", + "in": "[parameters('allowedLocations')]" + }, + { + "anyOf": [ + { + "allOf": [ + { + "value": "[parameters('scopeToSupportedImages')]", + "equals": false + }, + { + "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType", + "like": "Linux*" + } + ] + }, + { + "field": "Microsoft.Compute/imageId", + "in": "[parameters('listOfLinuxImageIdToInclude')]" + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "RedHat" + }, + { + "field": "Microsoft.Compute/imageOffer", + "in": [ + "RHEL", + "RHEL-ARM64", + "RHEL-BYOS", + "RHEL-HA", + "RHEL-SAP", + "RHEL-SAP-APPS", + "RHEL-SAP-HA" + ] + }, + { + "anyOf": [ + { + "field": "Microsoft.Compute/imageSku", + "like": 
"7*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "8*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "rhel-lvm7*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "rhel-lvm8*" + } + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "SUSE" + }, + { + "anyOf": [ + { + "allOf": [ + { + "field": "Microsoft.Compute/imageOffer", + "in": [ + "SLES", + "SLES-HPC", + "SLES-HPC-Priority", + "SLES-SAP", + "SLES-SAP-BYOS", + "SLES-Priority", + "SLES-BYOS", + "SLES-SAPCAL", + "SLES-Standard" + ] + }, + { + "anyOf": [ + { + "field": "Microsoft.Compute/imageSku", + "like": "12*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "15*" + } + ] + } + ] + }, + { + "allOf": [ + { + "anyOf": [ + { + "field": "Microsoft.Compute/imageOffer", + "like": "sles-12*" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "sles-15*" + } + ] + }, + { + "field": "Microsoft.Compute/imageSku", + "in": [ + "gen1", + "gen2" + ] + } + ] + } + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "Canonical" + }, + { + "anyOf": [ + { + "field": "Microsoft.Compute/imageOffer", + "equals": "UbuntuServer" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "0001-com-ubuntu-server-*" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "0001-com-ubuntu-pro-*" + } + ] + }, + { + "field": "Microsoft.Compute/imageSku", + "in": [ + "14.04.0-lts", + "14.04.1-lts", + "14.04.2-lts", + "14.04.3-lts", + "14.04.4-lts", + "14.04.5-lts", + "16_04_0-lts-gen2", + "16_04-lts-gen2", + "16.04-lts", + "16.04.0-lts", + "18_04-lts-arm64", + "18_04-lts-gen2", + "18.04-lts", + "20_04-lts-arm64", + "20_04-lts-gen2", + "20_04-lts", + "22_04-lts-gen2", + "22_04-lts", + "pro-16_04-lts-gen2", + "pro-16_04-lts", + "pro-18_04-lts-gen2", + "pro-18_04-lts", + "pro-20_04-lts-gen2", + "pro-20_04-lts", + "pro-22_04-lts-gen2", + "pro-22_04-lts" + ] + } + ] + }, + { + "allOf": [ + 
{ + "field": "Microsoft.Compute/imagePublisher", + "equals": "Oracle" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "Oracle-Linux" + }, + { + "anyOf": [ + { + "field": "Microsoft.Compute/imageSku", + "like": "7*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "8*" + } + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "OpenLogic" + }, + { + "field": "Microsoft.Compute/imageOffer", + "in": [ + "CentOS", + "Centos-LVM", + "CentOS-SRIOV" + ] + }, + { + "anyOf": [ + { + "field": "Microsoft.Compute/imageSku", + "like": "6*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "7*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "8*" + } + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "cloudera" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "cloudera-centos-os" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "7*" + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "almalinux" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "almalinux" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "8*" + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "ctrliqinc1648673227698" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "rocky-8*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "rocky-8*" + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "credativ" + }, + { + "field": "Microsoft.Compute/imageOffer", + "in": [ + "Debian" + ] + }, + { + "field": "Microsoft.Compute/imageSku", + "equals": "9" + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "Debian" + }, + { + "field": "Microsoft.Compute/imageOffer", + "in": [ + "debian-10", + "debian-11" + ] + }, + { + "field": "Microsoft.Compute/imageSku", + 
"in": [ + "10", + "10-gen2", + "11", + "11-gen2" + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "microsoftcblmariner" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "cbl-mariner" + }, + { + "field": "Microsoft.Compute/imageSku", + "in": [ + "1-gen2", + "cbl-mariner-1", + "cbl-mariner-2", + "cbl-mariner-2-arm64", + "cbl-mariner-2-gen2" + ] + } + ] + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Compute/virtualMachines/extensions", + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c" + ], + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Compute/virtualMachines/extensions/type", + "equals": "AzureMonitorLinuxAgent" + }, + { + "field": "Microsoft.Compute/virtualMachines/extensions/publisher", + "equals": "Microsoft.Azure.Monitor" + }, + { + "field": "Microsoft.Compute/virtualMachines/extensions/provisioningState", + "equals": "Succeeded" + } + ] + }, + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "vmName": { + "type": "string" + }, + "location": { + "type": "string" + }, + "userAssignedManagedIdentity": { + "type": "string" + } + }, + "variables": { + "extensionName": "AzureMonitorLinuxAgent", + "extensionPublisher": "Microsoft.Azure.Monitor", + "extensionTypeHandlerVersion": "1.29", + "extensionType": "AzureMonitorLinuxAgent" + }, + "resources": [ + { + "name": "[concat(parameters('vmName'), '/', variables('extensionName'))]", + "type": "Microsoft.Compute/virtualMachines/extensions", + "location": "[parameters('location')]", + "apiVersion": "2019-07-01", + "properties": { + "publisher": "[variables('extensionPublisher')]", + "type": "[variables('extensionType')]", + "typeHandlerVersion": 
"[variables('extensionTypeHandlerVersion')]", + "autoUpgradeMinorVersion": true, + "enableAutomaticUpgrade": true, + "settings": { + "authentication": { + "managedIdentity": { + "identifier-name": "mi_res_id", + "identifier-value": "[parameters('userAssignedManagedIdentity')]" + } + } + } + } + } + ] + }, + "parameters": { + "vmName": { + "value": "[field('name')]" + }, + "location": { + "value": "[field('location')]" + }, + "userAssignedManagedIdentity": { + "value": "[if(parameters('bringYourOwnUserAssignedManagedIdentity'), concat('/subscriptions/', parameters('userAssignedManagedIdentitySubscription'), '/resourceGroups/', parameters('userAssignedManagedIdentityResourceGroup'), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', parameters('userAssignedManagedIdentityName')), concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/built-in-identity-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/built-in-identity-', field('location')))]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/policyDefinitions/Monitoring/configure-ama-on-linux-vm-with-cross-subscription-uami/azurepolicy.parameters.json b/policyDefinitions/Monitoring/configure-ama-on-linux-vm-with-cross-subscription-uami/azurepolicy.parameters.json new file mode 100644 index 00000000..a2ec89dd --- /dev/null +++ b/policyDefinitions/Monitoring/configure-ama-on-linux-vm-with-cross-subscription-uami/azurepolicy.parameters.json 
@@ -0,0 +1,124 @@ +{ + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy." + }, + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "bringYourOwnUserAssignedManagedIdentity": { + "type": "Boolean", + "metadata": { + "displayName": "Bring Your Own User-Assigned Managed Identity", + "description": "If set to true, Azure Monitor Agent will use the user-assigned managed identity specified via the 'User-Assigned Managed Identity ...' parameters for authentication. Otherwise, Azure Monitor Agent will use the user-assigned managed identity /subscriptions//resourceGroups/built-in-identity-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/built-in-identity- for authentication." + }, + "allowedValues": [ + false, + true + ] + }, + "userAssignedManagedIdentityName": { + "type": "String", + "metadata": { + "displayName": "User-Assigned Managed Identity Name", + "description": "The name of the user-assigned managed identity which Azure Monitor Agent will use for authentication when 'Bring Your Own User-Assigned Managed Identity' is set to true." + }, + "defaultValue": "" + }, + "userAssignedManagedIdentityResourceGroup": { + "type": "String", + "metadata": { + "displayName": "User-Assigned Managed Identity Resource Group", + "description": "The resource group of the user-assigned managed identity which Azure Monitor Agent will use for authentication when 'Bring Your Own User-Assigned Managed Identity' is set to true." + }, + "defaultValue": "" + }, + "userAssignedManagedIdentitySubscription": { + "type": "String", + "metadata": { + "displayName": "User-Assigned Managed Identity Subscription Id", + "description": "The subscription id of the user-assigned managed identity which Azure Monitor Agent will use for authentication when 'Bring Your Own User-Assigned Managed Identity' is set to true." 
+ }, + "defaultValue": "" + }, + "scopeToSupportedImages": { + "type": "Boolean", + "metadata": { + "displayName": "Scope Policy to Azure Monitor Agent-Supported Operating Systems", + "description": "If set to true, the policy will apply only to virtual machines with supported operating systems. Otherwise, the policy will apply to all virtual machine resources in the assignment scope. For supported operating systems, see https://aka.ms/AMAOverview." + }, + "allowedValues": [ + true, + false + ], + "defaultValue": true + }, + "listOfLinuxImageIdToInclude": { + "type": "Array", + "metadata": { + "displayName": "Additional Virtual Machine Images", + "description": "List of virtual machine images that have supported Linux OS to add to scope. Example values: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'" + }, + "defaultValue": [] + }, + "allowedLocations": { + "type": "Array", + "metadata": { + "displayName": "Allowed Virtual Machine Locations", + "description": "List of Allowed Virtual Machine Locations" + }, + "defaultValue": [ + "australiacentral", + "australiaeast", + "australiasoutheast", + "brazilsouth", + "canadacentral", + "canadaeast", + "centralindia", + "centralus", + "eastasia", + "eastus2euap", + "eastus", + "eastus2", + "francecentral", + "germanywestcentral", + "japaneast", + "japanwest", + "jioindiawest", + "koreacentral", + "koreasouth", + "northcentralus", + "northeurope", + "norwayeast", + "southafricanorth", + "southcentralus", + "southeastasia", + "southindia", + "switzerlandnorth", + "uaenorth", + "uksouth", + "ukwest", + "westcentralus", + "westeurope", + "westindia", + "westus", + "westus2", + "chinaeast", + "chinaeast2", + "chinaeast3", + "chinanorth", + "chinanorth2", + "chinanorth3", + "usgovarizona", + "usgovtexas", + "usgovvirginia", + "usdodeast", + "usdodcentral" + ] + } +} \ No newline at end of file 
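Review bot: The `bringYourOwnUserAssignedManagedIdentity` description appears to have lost its placeholders — it reads `/subscriptions//resourceGroups/built-in-identity-rg/.../built-in-identity-` with nothing between the slashes and nothing after the trailing hyphen, and the `listOfLinuxImageIdToInclude` example has the same empty `/subscriptions//` segment, which is what an angle-bracket token looks like after passing through a renderer. Since the deployment expression substitutes `subscription().subscriptionId` and `field('location')`, name them explicitly, e.g. `/subscriptions/{subscriptionId}/resourceGroups/built-in-identity-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/built-in-identity-{location}` and `/subscriptions/{subscriptionId}/resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage`. Separately, the three `userAssignedManagedIdentity*` parameters default to `""`, so an assignment with BYO set to true but any of them left blank produces a malformed `/subscriptions//resourceGroups//...` identity id that only fails at remediation time; the BYO description should state that all three must be supplied when it is true. The same descriptions recur in the vmss definition and its parameters file.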
diff --git a/policyDefinitions/Monitoring/configure-ama-on-linux-vm-with-cross-subscription-uami/azurepolicy.rules.json b/policyDefinitions/Monitoring/configure-ama-on-linux-vm-with-cross-subscription-uami/azurepolicy.rules.json
new file mode 100644
index 00000000..3facdfeb
--- /dev/null
+++ b/policyDefinitions/Monitoring/configure-ama-on-linux-vm-with-cross-subscription-uami/azurepolicy.rules.json
@@ -0,0 +1,447 @@ +{ + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Compute/virtualMachines" + }, + { + "field": "location", + "in": "[parameters('allowedLocations')]" + }, + { + "anyOf": [ + { + "allOf": [ + { + "value": "[parameters('scopeToSupportedImages')]", + "equals": false + }, + { + "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType", + "like": "Linux*" + } + ] + }, + { + "field": "Microsoft.Compute/imageId", + "in": "[parameters('listOfLinuxImageIdToInclude')]" + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "RedHat" + }, + { + "field": "Microsoft.Compute/imageOffer", + "in": [ + "RHEL", + "RHEL-ARM64", + "RHEL-BYOS", + "RHEL-HA", + "RHEL-SAP", + "RHEL-SAP-APPS", + "RHEL-SAP-HA" + ] + }, + { + "anyOf": [ + { + "field": "Microsoft.Compute/imageSku", + "like": "7*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "8*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "rhel-lvm7*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "rhel-lvm8*" + } + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "SUSE" + }, + { + "anyOf": [ + { + "allOf": [ + { + "field": "Microsoft.Compute/imageOffer", + "in": [ + "SLES", + "SLES-HPC", + "SLES-HPC-Priority", + "SLES-SAP", + "SLES-SAP-BYOS", + "SLES-Priority", + "SLES-BYOS", + "SLES-SAPCAL", + "SLES-Standard" + ] + }, + { + "anyOf": [ + { + "field": "Microsoft.Compute/imageSku", + "like": "12*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "15*" + } + ] + } + ] + }, + { + "allOf": [ + { + "anyOf": [ + { + "field": "Microsoft.Compute/imageOffer", + "like": "sles-12*" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "sles-15*" + } + ] + }, + { + "field": "Microsoft.Compute/imageSku", + "in": [ + "gen1", + "gen2" + ] + } + ] + } + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "Canonical" + }, + { 
+ "anyOf": [ + { + "field": "Microsoft.Compute/imageOffer", + "equals": "UbuntuServer" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "0001-com-ubuntu-server-*" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "0001-com-ubuntu-pro-*" + } + ] + }, + { + "field": "Microsoft.Compute/imageSku", + "in": [ + "14.04.0-lts", + "14.04.1-lts", + "14.04.2-lts", + "14.04.3-lts", + "14.04.4-lts", + "14.04.5-lts", + "16_04_0-lts-gen2", + "16_04-lts-gen2", + "16.04-lts", + "16.04.0-lts", + "18_04-lts-arm64", + "18_04-lts-gen2", + "18.04-lts", + "20_04-lts-arm64", + "20_04-lts-gen2", + "20_04-lts", + "22_04-lts-gen2", + "22_04-lts", + "pro-16_04-lts-gen2", + "pro-16_04-lts", + "pro-18_04-lts-gen2", + "pro-18_04-lts", + "pro-20_04-lts-gen2", + "pro-20_04-lts", + "pro-22_04-lts-gen2", + "pro-22_04-lts" + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "Oracle" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "Oracle-Linux" + }, + { + "anyOf": [ + { + "field": "Microsoft.Compute/imageSku", + "like": "7*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "8*" + } + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "OpenLogic" + }, + { + "field": "Microsoft.Compute/imageOffer", + "in": [ + "CentOS", + "Centos-LVM", + "CentOS-SRIOV" + ] + }, + { + "anyOf": [ + { + "field": "Microsoft.Compute/imageSku", + "like": "6*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "7*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "8*" + } + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "cloudera" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "cloudera-centos-os" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "7*" + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "almalinux" + }, + { + "field": 
"Microsoft.Compute/imageOffer", + "equals": "almalinux" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "8*" + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "ctrliqinc1648673227698" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "rocky-8*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "rocky-8*" + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "credativ" + }, + { + "field": "Microsoft.Compute/imageOffer", + "in": [ + "Debian" + ] + }, + { + "field": "Microsoft.Compute/imageSku", + "equals": "9" + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "Debian" + }, + { + "field": "Microsoft.Compute/imageOffer", + "in": [ + "debian-10", + "debian-11" + ] + }, + { + "field": "Microsoft.Compute/imageSku", + "in": [ + "10", + "10-gen2", + "11", + "11-gen2" + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "microsoftcblmariner" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "cbl-mariner" + }, + { + "field": "Microsoft.Compute/imageSku", + "in": [ + "1-gen2", + "cbl-mariner-1", + "cbl-mariner-2", + "cbl-mariner-2-arm64", + "cbl-mariner-2-gen2" + ] + } + ] + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Compute/virtualMachines/extensions", + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c" + ], + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Compute/virtualMachines/extensions/type", + "equals": "AzureMonitorLinuxAgent" + }, + { + "field": "Microsoft.Compute/virtualMachines/extensions/publisher", + "equals": "Microsoft.Azure.Monitor" + }, + { + "field": "Microsoft.Compute/virtualMachines/extensions/provisioningState", + "equals": "Succeeded" + } + ] + }, + "deployment": { + "properties": { + "mode": 
"incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "vmName": { + "type": "string" + }, + "location": { + "type": "string" + }, + "userAssignedManagedIdentity": { + "type": "string" + } + }, + "variables": { + "extensionName": "AzureMonitorLinuxAgent", + "extensionPublisher": "Microsoft.Azure.Monitor", + "extensionTypeHandlerVersion": "1.29", + "extensionType": "AzureMonitorLinuxAgent" + }, + "resources": [ + { + "name": "[concat(parameters('vmName'), '/', variables('extensionName'))]", + "type": "Microsoft.Compute/virtualMachines/extensions", + "location": "[parameters('location')]", + "apiVersion": "2019-07-01", + "properties": { + "publisher": "[variables('extensionPublisher')]", + "type": "[variables('extensionType')]", + "typeHandlerVersion": "[variables('extensionTypeHandlerVersion')]", + "autoUpgradeMinorVersion": true, + "enableAutomaticUpgrade": true, + "settings": { + "authentication": { + "managedIdentity": { + "identifier-name": "mi_res_id", + "identifier-value": "[parameters('userAssignedManagedIdentity')]" + } + } + } + } + } + ] + }, + "parameters": { + "vmName": { + "value": "[field('name')]" + }, + "location": { + "value": "[field('location')]" + }, + "userAssignedManagedIdentity": { + "value": "[if(parameters('bringYourOwnUserAssignedManagedIdentity'), concat('/subscriptions/', parameters('userAssignedManagedIdentitySubscription'), '/resourceGroups/', parameters('userAssignedManagedIdentityResourceGroup'), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', parameters('userAssignedManagedIdentityName')), concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/built-in-identity-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/built-in-identity-', field('location')))]" + } + } + } + } + } + } +} \ No newline at end of file 
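Review bot: The `existenceCondition` only checks the extension `type`, `publisher` and `provisioningState`, so a VM that already runs AzureMonitorLinuxAgent authenticated with a different identity (system-assigned or another UAMI) is reported compliant and is never reconfigured to the cross-subscription UAMI the policy is meant to configure. If the identity itself is the thing being enforced, the condition would also have to compare the existing extension's `settings.authentication.managedIdentity.identifier-value` with the resource id computed in the deployment parameters; if no policy alias exposes that setting, record the limitation in the policy description so assignment owners know pre-existing AMA installs are not migrated. The scale-set rules file carries the same existence condition.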
diff --git a/policyDefinitions/Monitoring/configure-ama-on-linux-vmss-with-cross-subscription-uami/azurepolicy.json b/policyDefinitions/Monitoring/configure-ama-on-linux-vmss-with-cross-subscription-uami/azurepolicy.json
new file mode 100644
index 00000000..f8ccfb9c
--- /dev/null
+++ b/policyDefinitions/Monitoring/configure-ama-on-linux-vmss-with-cross-subscription-uami/azurepolicy.json
@@ -0,0 +1,584 @@ +{ + "name": "8d6bad71-c21b-5e56-b083-b239434aa82e", + "type": "Microsoft.Authorization/policyDefinitions", + "properties": { + "displayName": "Configure Linux virtual machine scale sets to run Azure Monitor Agent with cross subscription user-assigned managed identity-based authentication", + "mode": "Indexed", + "description": "Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Adapted from built-in /providers/Microsoft.Authorization/policyDefinitions/59c3d93f-900b-4827-a8bd-562e7b956e7c with minimal changes to support a cross subscription UAMI. This policy is meant to be assigned at Management Group Level, otherwise you must assign manualy the permissions */read to the Policy Managed Idenity on the cross subscription UAMI.", + "metadata": { + "version": "1.0.0", + "category": "Monitoring" + }, + "parameters": { + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy." + }, + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "bringYourOwnUserAssignedManagedIdentity": { + "type": "Boolean", + "metadata": { + "displayName": "Bring Your Own User-Assigned Managed Identity", + "description": "If set to true, Azure Monitor Agent will use the user-assigned managed identity specified via the 'User-Assigned Managed Identity ...' parameters for authentication. Otherwise, Azure Monitor Agent will use the user-assigned managed identity /subscriptions//resourceGroups/built-in-identity-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/built-in-identity- for authentication." 
+ }, + "allowedValues": [ + false, + true + ] + }, + "userAssignedManagedIdentityName": { + "type": "String", + "metadata": { + "displayName": "User-Assigned Managed Identity Name", + "description": "The name of the user-assigned managed identity which Azure Monitor Agent will use for authentication when 'Bring Your Own User-Assigned Managed Identity' is set to true." + }, + "defaultValue": "" + }, + "userAssignedManagedIdentityResourceGroup": { + "type": "String", + "metadata": { + "displayName": "User-Assigned Managed Identity Resource Group", + "description": "The resource group of the user-assigned managed identity which Azure Monitor Agent will use for authentication when 'Bring Your Own User-Assigned Managed Identity' is set to true." + }, + "defaultValue": "" + }, + "userAssignedManagedIdentitySubscription": { + "type": "String", + "metadata": { + "displayName": "User-Assigned Managed Identity Subscription Id", + "description": "The subscription id of the user-assigned managed identity which Azure Monitor Agent will use for authentication when 'Bring Your Own User-Assigned Managed Identity' is set to true." + }, + "defaultValue": "" + }, + "scopeToSupportedImages": { + "type": "Boolean", + "metadata": { + "displayName": "Scope Policy to Azure Monitor Agent-Supported Operating Systems", + "description": "If set to true, the policy will apply only to virtual machine scale sets with supported operating systems. Otherwise, the policy will apply to all virtual machine scale set resources in the assignment scope. For supported operating systems, see https://aka.ms/AMAOverview." + }, + "allowedValues": [ + true, + false + ], + "defaultValue": true + }, + "listOfLinuxImageIdToInclude": { + "type": "Array", + "metadata": { + "displayName": "Additional Virtual Machine Images", + "description": "List of virtual machine images that have supported Linux OS to add to scope. 
Example values: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'" + }, + "defaultValue": [] + }, + "allowedLocations": { + "type": "Array", + "metadata": { + "displayName": "Allowed Virtual Machine Locations", + "description": "List of Allowed Virtual Machine Locations" + }, + "defaultValue": [ + "australiacentral", + "australiaeast", + "australiasoutheast", + "brazilsouth", + "canadacentral", + "canadaeast", + "centralindia", + "centralus", + "eastasia", + "eastus2euap", + "eastus", + "eastus2", + "francecentral", + "germanywestcentral", + "japaneast", + "japanwest", + "jioindiawest", + "koreacentral", + "koreasouth", + "northcentralus", + "northeurope", + "norwayeast", + "southafricanorth", + "southcentralus", + "southeastasia", + "southindia", + "switzerlandnorth", + "uaenorth", + "uksouth", + "ukwest", + "westcentralus", + "westeurope", + "westindia", + "westus", + "westus2", + "chinaeast", + "chinaeast2", + "chinaeast3", + "chinanorth", + "chinanorth2", + "chinanorth3", + "usgovarizona", + "usgovtexas", + "usgovvirginia", + "usdodeast", + "usdodcentral" + ] + } + }, + "policyRule": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Compute/virtualMachineScaleSets" + }, + { + "field": "location", + "in": "[parameters('allowedLocations')]" + }, + { + "anyOf": [ + { + "allOf": [ + { + "value": "[parameters('scopeToSupportedImages')]", + "equals": false + }, + { + "field": "Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.storageProfile.osDisk.osType", + "like": "Linux*" + } + ] + }, + { + "field": "Microsoft.Compute/imageId", + "in": "[parameters('listOfLinuxImageIdToInclude')]" + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "RedHat" + }, + { + "field": "Microsoft.Compute/imageOffer", + "in": [ + "RHEL", + "RHEL-ARM64", + "RHEL-BYOS", + "RHEL-HA", + "RHEL-SAP", + "RHEL-SAP-APPS", + "RHEL-SAP-HA" + ] + }, + { + "anyOf": [ + { + "field": 
"Microsoft.Compute/imageSku", + "like": "7*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "8*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "rhel-lvm7*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "rhel-lvm8*" + } + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "SUSE" + }, + { + "anyOf": [ + { + "allOf": [ + { + "field": "Microsoft.Compute/imageOffer", + "in": [ + "SLES", + "SLES-HPC", + "SLES-HPC-Priority", + "SLES-SAP", + "SLES-SAP-BYOS", + "SLES-Priority", + "SLES-BYOS", + "SLES-SAPCAL", + "SLES-Standard" + ] + }, + { + "anyOf": [ + { + "field": "Microsoft.Compute/imageSku", + "like": "12*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "15*" + } + ] + } + ] + }, + { + "allOf": [ + { + "anyOf": [ + { + "field": "Microsoft.Compute/imageOffer", + "like": "sles-12*" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "sles-15*" + } + ] + }, + { + "field": "Microsoft.Compute/imageSku", + "in": [ + "gen1", + "gen2" + ] + } + ] + } + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "Canonical" + }, + { + "anyOf": [ + { + "field": "Microsoft.Compute/imageOffer", + "equals": "UbuntuServer" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "0001-com-ubuntu-server-*" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "0001-com-ubuntu-pro-*" + } + ] + }, + { + "field": "Microsoft.Compute/imageSku", + "in": [ + "14.04.0-lts", + "14.04.1-lts", + "14.04.2-lts", + "14.04.3-lts", + "14.04.4-lts", + "14.04.5-lts", + "16_04_0-lts-gen2", + "16_04-lts-gen2", + "16.04-lts", + "16.04.0-lts", + "18_04-lts-arm64", + "18_04-lts-gen2", + "18.04-lts", + "20_04-lts-arm64", + "20_04-lts-gen2", + "20_04-lts", + "22_04-lts-gen2", + "22_04-lts", + "pro-16_04-lts-gen2", + "pro-16_04-lts", + "pro-18_04-lts-gen2", + "pro-18_04-lts", + "pro-20_04-lts-gen2", + "pro-20_04-lts", + "pro-22_04-lts-gen2", + 
"pro-22_04-lts" + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "Oracle" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "Oracle-Linux" + }, + { + "anyOf": [ + { + "field": "Microsoft.Compute/imageSku", + "like": "7*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "8*" + } + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "OpenLogic" + }, + { + "field": "Microsoft.Compute/imageOffer", + "in": [ + "CentOS", + "Centos-LVM", + "CentOS-SRIOV" + ] + }, + { + "anyOf": [ + { + "field": "Microsoft.Compute/imageSku", + "like": "6*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "7*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "8*" + } + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "cloudera" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "cloudera-centos-os" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "7*" + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "almalinux" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "almalinux" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "8*" + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "ctrliqinc1648673227698" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "rocky-8*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "rocky-8*" + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "credativ" + }, + { + "field": "Microsoft.Compute/imageOffer", + "in": [ + "Debian" + ] + }, + { + "field": "Microsoft.Compute/imageSku", + "equals": "9" + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "Debian" + }, + { + "field": "Microsoft.Compute/imageOffer", + "in": [ + "debian-10", + "debian-11" + ] + 
}, + { + "field": "Microsoft.Compute/imageSku", + "in": [ + "10", + "10-gen2", + "11", + "11-gen2" + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "microsoftcblmariner" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "cbl-mariner" + }, + { + "field": "Microsoft.Compute/imageSku", + "in": [ + "1-gen2", + "cbl-mariner-1", + "cbl-mariner-2", + "cbl-mariner-2-arm64", + "cbl-mariner-2-gen2" + ] + } + ] + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Compute/virtualMachineScaleSets/extensions", + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c" + ], + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/type", + "equals": "AzureMonitorLinuxAgent" + }, + { + "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/publisher", + "equals": "Microsoft.Azure.Monitor" + }, + { + "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/provisioningState", + "equals": "Succeeded" + } + ] + }, + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "vmName": { + "type": "string" + }, + "location": { + "type": "string" + }, + "userAssignedManagedIdentity": { + "type": "string" + } + }, + "variables": { + "extensionName": "AzureMonitorLinuxAgent", + "extensionPublisher": "Microsoft.Azure.Monitor", + "extensionTypeHandlerVersion": "1.29", + "extensionType": "AzureMonitorLinuxAgent" + }, + "resources": [ + { + "name": "[concat(parameters('vmName'), '/', variables('extensionName'))]", + "type": "Microsoft.Compute/virtualMachineScaleSets/extensions", + "location": "[parameters('location')]", + "apiVersion": "2019-07-01", + "properties": { + "publisher": 
"[variables('extensionPublisher')]", + "type": "[variables('extensionType')]", + "autoUpgradeMinorVersion": true, + "typeHandlerVersion": "[variables('extensionTypeHandlerVersion')]", + "enableAutomaticUpgrade": true, + "settings": { + "authentication": { + "managedIdentity": { + "identifier-name": "mi_res_id", + "identifier-value": "[parameters('userAssignedManagedIdentity')]" + } + } + } + } + } + ] + }, + "parameters": { + "vmName": { + "value": "[field('name')]" + }, + "location": { + "value": "[field('location')]" + }, + "userAssignedManagedIdentity": { + "value": "[if(parameters('bringYourOwnUserAssignedManagedIdentity'), concat('/subscriptions/', parameters('userAssignedManagedIdentitySubscription'), '/resourceGroups/', parameters('userAssignedManagedIdentityResourceGroup'), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', parameters('userAssignedManagedIdentityName')), concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/built-in-identity-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/built-in-identity-', field('location')))]" + } + } + } + } + } + } + } + } +} \ No newline at end of file diff --git a/policyDefinitions/Monitoring/configure-ama-on-linux-vmss-with-cross-subscription-uami/azurepolicy.parameters.json b/policyDefinitions/Monitoring/configure-ama-on-linux-vmss-with-cross-subscription-uami/azurepolicy.parameters.json new file mode 100644 index 00000000..cfc27a43 --- /dev/null +++ b/policyDefinitions/Monitoring/configure-ama-on-linux-vmss-with-cross-subscription-uami/azurepolicy.parameters.json 
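Review bot: The `description` was carried over from the VM definition — it says the extension is deployed "on your Linux virtual machines" while `displayName` and the `if` block target `Microsoft.Compute/virtualMachineScaleSets` — and it contains the typos "manualy" and "Idenity". Suggest `Automate the deployment of Azure Monitor Agent extension on your Linux virtual machine scale sets ...` and `... otherwise you must manually grant */read on the cross-subscription UAMI to the policy assignment's managed identity.` Naming the identity that receives that permission (the assignment's system-assigned identity) and noting that it should be scoped to the UAMI resource only, not the subscription, would help whoever assigns this below management-group level keep the grant at least privilege.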
@@ -0,0 +1,124 @@ +{ + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy." + }, + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + }, + "bringYourOwnUserAssignedManagedIdentity": { + "type": "Boolean", + "metadata": { + "displayName": "Bring Your Own User-Assigned Managed Identity", + "description": "If set to true, Azure Monitor Agent will use the user-assigned managed identity specified via the 'User-Assigned Managed Identity ...' parameters for authentication. Otherwise, Azure Monitor Agent will use the user-assigned managed identity /subscriptions//resourceGroups/built-in-identity-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/built-in-identity- for authentication." + }, + "allowedValues": [ + false, + true + ] + }, + "userAssignedManagedIdentityName": { + "type": "String", + "metadata": { + "displayName": "User-Assigned Managed Identity Name", + "description": "The name of the user-assigned managed identity which Azure Monitor Agent will use for authentication when 'Bring Your Own User-Assigned Managed Identity' is set to true." + }, + "defaultValue": "" + }, + "userAssignedManagedIdentityResourceGroup": { + "type": "String", + "metadata": { + "displayName": "User-Assigned Managed Identity Resource Group", + "description": "The resource group of the user-assigned managed identity which Azure Monitor Agent will use for authentication when 'Bring Your Own User-Assigned Managed Identity' is set to true." + }, + "defaultValue": "" + }, + "userAssignedManagedIdentitySubscription": { + "type": "String", + "metadata": { + "displayName": "User-Assigned Managed Identity Subscription Id", + "description": "The subscription id of the user-assigned managed identity which Azure Monitor Agent will use for authentication when 'Bring Your Own User-Assigned Managed Identity' is set to true." 
+ }, + "defaultValue": "" + }, + "scopeToSupportedImages": { + "type": "Boolean", + "metadata": { + "displayName": "Scope Policy to Azure Monitor Agent-Supported Operating Systems", + "description": "If set to true, the policy will apply only to virtual machine scale sets with supported operating systems. Otherwise, the policy will apply to all virtual machine scale set resources in the assignment scope. For supported operating systems, see https://aka.ms/AMAOverview." + }, + "allowedValues": [ + true, + false + ], + "defaultValue": true + }, + "listOfLinuxImageIdToInclude": { + "type": "Array", + "metadata": { + "displayName": "Additional Virtual Machine Images", + "description": "List of virtual machine images that have supported Linux OS to add to scope. Example values: '/subscriptions//resourceGroups/YourResourceGroup/providers/Microsoft.Compute/images/ContosoStdImage'" + }, + "defaultValue": [] + }, + "allowedLocations": { + "type": "Array", + "metadata": { + "displayName": "Allowed Virtual Machine Locations", + "description": "List of Allowed Virtual Machine Locations" + }, + "defaultValue": [ + "australiacentral", + "australiaeast", + "australiasoutheast", + "brazilsouth", + "canadacentral", + "canadaeast", + "centralindia", + "centralus", + "eastasia", + "eastus2euap", + "eastus", + "eastus2", + "francecentral", + "germanywestcentral", + "japaneast", + "japanwest", + "jioindiawest", + "koreacentral", + "koreasouth", + "northcentralus", + "northeurope", + "norwayeast", + "southafricanorth", + "southcentralus", + "southeastasia", + "southindia", + "switzerlandnorth", + "uaenorth", + "uksouth", + "ukwest", + "westcentralus", + "westeurope", + "westindia", + "westus", + "westus2", + "chinaeast", + "chinaeast2", + "chinaeast3", + "chinanorth", + "chinanorth2", + "chinanorth3", + "usgovarizona", + "usgovtexas", + "usgovvirginia", + "usdodeast", + "usdodcentral" + ] + } +} \ No newline at end of file 
diff --git a/policyDefinitions/Monitoring/configure-ama-on-linux-vmss-with-cross-subscription-uami/azurepolicy.rules.json b/policyDefinitions/Monitoring/configure-ama-on-linux-vmss-with-cross-subscription-uami/azurepolicy.rules.json
new file mode 100644
index 00000000..aeab0546
--- /dev/null
+++ b/policyDefinitions/Monitoring/configure-ama-on-linux-vmss-with-cross-subscription-uami/azurepolicy.rules.json
@@ -0,0 +1,447 @@ +{ + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Compute/virtualMachineScaleSets" + }, + { + "field": "location", + "in": "[parameters('allowedLocations')]" + }, + { + "anyOf": [ + { + "allOf": [ + { + "value": "[parameters('scopeToSupportedImages')]", + "equals": false + }, + { + "field": "Microsoft.Compute/virtualMachineScaleSets/virtualMachineProfile.storageProfile.osDisk.osType", + "like": "Linux*" + } + ] + }, + { + "field": "Microsoft.Compute/imageId", + "in": "[parameters('listOfLinuxImageIdToInclude')]" + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "RedHat" + }, + { + "field": "Microsoft.Compute/imageOffer", + "in": [ + "RHEL", + "RHEL-ARM64", + "RHEL-BYOS", + "RHEL-HA", + "RHEL-SAP", + "RHEL-SAP-APPS", + "RHEL-SAP-HA" + ] + }, + { + "anyOf": [ + { + "field": "Microsoft.Compute/imageSku", + "like": "7*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "8*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "rhel-lvm7*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "rhel-lvm8*" + } + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "SUSE" + }, + { + "anyOf": [ + { + "allOf": [ + { + "field": "Microsoft.Compute/imageOffer", + "in": [ + "SLES", + "SLES-HPC", + "SLES-HPC-Priority", + "SLES-SAP", + "SLES-SAP-BYOS", + "SLES-Priority", + "SLES-BYOS", + "SLES-SAPCAL", + "SLES-Standard" + ] + }, + { + "anyOf": [ + { + "field": "Microsoft.Compute/imageSku", + "like": "12*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "15*" + } + ] + } + ] + }, + { + "allOf": [ + { + "anyOf": [ + { + "field": "Microsoft.Compute/imageOffer", + "like": "sles-12*" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "sles-15*" + } + ] + }, + { + "field": "Microsoft.Compute/imageSku", + "in": [ + "gen1", + "gen2" + ] + } + ] + } + ] + } + ] + }, + { + "allOf": [ + { + "field": 
"Microsoft.Compute/imagePublisher", + "equals": "Canonical" + }, + { + "anyOf": [ + { + "field": "Microsoft.Compute/imageOffer", + "equals": "UbuntuServer" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "0001-com-ubuntu-server-*" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "0001-com-ubuntu-pro-*" + } + ] + }, + { + "field": "Microsoft.Compute/imageSku", + "in": [ + "14.04.0-lts", + "14.04.1-lts", + "14.04.2-lts", + "14.04.3-lts", + "14.04.4-lts", + "14.04.5-lts", + "16_04_0-lts-gen2", + "16_04-lts-gen2", + "16.04-lts", + "16.04.0-lts", + "18_04-lts-arm64", + "18_04-lts-gen2", + "18.04-lts", + "20_04-lts-arm64", + "20_04-lts-gen2", + "20_04-lts", + "22_04-lts-gen2", + "22_04-lts", + "pro-16_04-lts-gen2", + "pro-16_04-lts", + "pro-18_04-lts-gen2", + "pro-18_04-lts", + "pro-20_04-lts-gen2", + "pro-20_04-lts", + "pro-22_04-lts-gen2", + "pro-22_04-lts" + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "Oracle" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "Oracle-Linux" + }, + { + "anyOf": [ + { + "field": "Microsoft.Compute/imageSku", + "like": "7*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "8*" + } + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "OpenLogic" + }, + { + "field": "Microsoft.Compute/imageOffer", + "in": [ + "CentOS", + "Centos-LVM", + "CentOS-SRIOV" + ] + }, + { + "anyOf": [ + { + "field": "Microsoft.Compute/imageSku", + "like": "6*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "7*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "8*" + } + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "cloudera" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "cloudera-centos-os" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "7*" + } + ] + }, + { + "allOf": [ + { + "field": 
"Microsoft.Compute/imagePublisher", + "equals": "almalinux" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "almalinux" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "8*" + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "ctrliqinc1648673227698" + }, + { + "field": "Microsoft.Compute/imageOffer", + "like": "rocky-8*" + }, + { + "field": "Microsoft.Compute/imageSku", + "like": "rocky-8*" + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "credativ" + }, + { + "field": "Microsoft.Compute/imageOffer", + "in": [ + "Debian" + ] + }, + { + "field": "Microsoft.Compute/imageSku", + "equals": "9" + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "Debian" + }, + { + "field": "Microsoft.Compute/imageOffer", + "in": [ + "debian-10", + "debian-11" + ] + }, + { + "field": "Microsoft.Compute/imageSku", + "in": [ + "10", + "10-gen2", + "11", + "11-gen2" + ] + } + ] + }, + { + "allOf": [ + { + "field": "Microsoft.Compute/imagePublisher", + "equals": "microsoftcblmariner" + }, + { + "field": "Microsoft.Compute/imageOffer", + "equals": "cbl-mariner" + }, + { + "field": "Microsoft.Compute/imageSku", + "in": [ + "1-gen2", + "cbl-mariner-1", + "cbl-mariner-2", + "cbl-mariner-2-arm64", + "cbl-mariner-2-gen2" + ] + } + ] + } + ] + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Compute/virtualMachineScaleSets/extensions", + "roleDefinitionIds": [ + "/providers/microsoft.authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c" + ], + "existenceCondition": { + "allOf": [ + { + "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/type", + "equals": "AzureMonitorLinuxAgent" + }, + { + "field": "Microsoft.Compute/virtualMachineScaleSets/extensions/publisher", + "equals": "Microsoft.Azure.Monitor" + }, + { + "field": 
"Microsoft.Compute/virtualMachineScaleSets/extensions/provisioningState", + "equals": "Succeeded" + } + ] + }, + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "vmName": { + "type": "string" + }, + "location": { + "type": "string" + }, + "userAssignedManagedIdentity": { + "type": "string" + } + }, + "variables": { + "extensionName": "AzureMonitorLinuxAgent", + "extensionPublisher": "Microsoft.Azure.Monitor", + "extensionTypeHandlerVersion": "1.29", + "extensionType": "AzureMonitorLinuxAgent" + }, + "resources": [ + { + "name": "[concat(parameters('vmName'), '/', variables('extensionName'))]", + "type": "Microsoft.Compute/virtualMachineScaleSets/extensions", + "location": "[parameters('location')]", + "apiVersion": "2019-07-01", + "properties": { + "publisher": "[variables('extensionPublisher')]", + "type": "[variables('extensionType')]", + "autoUpgradeMinorVersion": true, + "typeHandlerVersion": "[variables('extensionTypeHandlerVersion')]", + "enableAutomaticUpgrade": true, + "settings": { + "authentication": { + "managedIdentity": { + "identifier-name": "mi_res_id", + "identifier-value": "[parameters('userAssignedManagedIdentity')]" + } + } + } + } + } + ] + }, + "parameters": { + "vmName": { + "value": "[field('name')]" + }, + "location": { + "value": "[field('location')]" + }, + "userAssignedManagedIdentity": { + "value": "[if(parameters('bringYourOwnUserAssignedManagedIdentity'), concat('/subscriptions/', parameters('userAssignedManagedIdentitySubscription'), '/resourceGroups/', parameters('userAssignedManagedIdentityResourceGroup'), '/providers/Microsoft.ManagedIdentity/userAssignedIdentities/', parameters('userAssignedManagedIdentityName')), concat('/subscriptions/', subscription().subscriptionId, 
'/resourceGroups/built-in-identity-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/built-in-identity-', field('location')))]" + } + } + } + } + } + } +} \ No newline at end of file From df8d493fd735c3c9a4607877147dd491aeeb797f Mon Sep 17 00:00:00 2001 From: Hugo Ribeiro Date: Wed, 20 Mar 2024 22:24:13 +0000 Subject: [PATCH 05/13] rename effect --- .../azurepolicy.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policyDefinitions/Managed Identity/assign-cross-subscription-user-assigned-managed-identity-to-virtual-machine-scale-set/azurepolicy.json b/policyDefinitions/Managed Identity/assign-cross-subscription-user-assigned-managed-identity-to-virtual-machine-scale-set/azurepolicy.json index b0301f18..29c5fad9 100644 --- a/policyDefinitions/Managed Identity/assign-cross-subscription-user-assigned-managed-identity-to-virtual-machine-scale-set/azurepolicy.json +++ b/policyDefinitions/Managed Identity/assign-cross-subscription-user-assigned-managed-identity-to-virtual-machine-scale-set/azurepolicy.json @@ -56,7 +56,7 @@ "effect": { "type": "String", "metadata": { - "displayName": "Policy Effect", + "displayName": "Effect", "description": "The effect determines what happens when the policy rule is evaluated to match." }, "allowedValues": [ From cbfb230c9555a26a097fe80c2ece94b63d80a65f Mon Sep 17 00:00:00 2001 From: Hugo Ribeiro Date: Wed, 20 Mar 2024 22:24:54 +0000 Subject: [PATCH 06/13] rename effect --- .../azurepolicy.parameters.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policyDefinitions/Managed Identity/assign-cross-subscription-user-assigned-managed-identity-to-virtual-machine-scale-set/azurepolicy.parameters.json b/policyDefinitions/Managed Identity/assign-cross-subscription-user-assigned-managed-identity-to-virtual-machine-scale-set/azurepolicy.parameters.json index 7981ce06..32a81b03 100644 
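Review bot: The `existenceCondition` only checks extension type, publisher and `provisioningState`, so a scale set that already runs `AzureMonitorLinuxAgent` under a system-assigned identity or a different UAMI is reported compliant and never reconfigured to the cross-subscription identity this policy exists to enforce. If an alias for the extension `settings` is available in your tenant, add a condition that `settings.authentication.managedIdentity.identifier-value` equals the same resource-ID expression used for the `userAssignedManagedIdentity` deployment parameter; if not, state the gap in the definition description. The bring-your-own branch also concatenates three free-text parameters into a resource ID with no existence check, so a typo produces an extension that authenticates against a nonexistent identity and silently ships no telemetry — worth a sentence on those parameters, whose definitions are outside this hunk. Finally, the `userAssignedManagedIdentitySubscription`/`ResourceGroup`/`Name` and `bringYourOwnUserAssignedManagedIdentity` names referenced here must match the definition's parameters block, which is not visible in this chunk.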
--- a/policyDefinitions/Managed Identity/assign-cross-subscription-user-assigned-managed-identity-to-virtual-machine-scale-set/azurepolicy.parameters.json +++ b/policyDefinitions/Managed Identity/assign-cross-subscription-user-assigned-managed-identity-to-virtual-machine-scale-set/azurepolicy.parameters.json @@ -45,7 +45,7 @@ "effect": { "type": "String", "metadata": { - "displayName": "Policy Effect", + "displayName": "Effect", "description": "The effect determines what happens when the policy rule is evaluated to match." }, "allowedValues": [ From 2d2ea305124aec87c67a354e0fbc10de4c8e9092 Mon Sep 17 00:00:00 2001 From: Hugo Ribeiro Date: Wed, 20 Mar 2024 22:27:18 +0000 Subject: [PATCH 07/13] rename effect --- .../azurepolicy.parameters.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policyDefinitions/Managed Identity/assign-cross-subscription-user-assigned-managed-identity-to-virtual-machines/azurepolicy.parameters.json b/policyDefinitions/Managed Identity/assign-cross-subscription-user-assigned-managed-identity-to-virtual-machines/azurepolicy.parameters.json index 7981ce06..32a81b03 100644 --- a/policyDefinitions/Managed Identity/assign-cross-subscription-user-assigned-managed-identity-to-virtual-machines/azurepolicy.parameters.json +++ b/policyDefinitions/Managed Identity/assign-cross-subscription-user-assigned-managed-identity-to-virtual-machines/azurepolicy.parameters.json @@ -45,7 +45,7 @@ "effect": { "type": "String", "metadata": { - "displayName": "Policy Effect", + "displayName": "Effect", "description": "The effect determines what happens when the policy rule is evaluated to match." }, "allowedValues": [ From 0cb53f1f22d40c65b7dfd406977bcee68560aaa6 Mon Sep 17 00:00:00 2001 
From: Hugo Ribeiro Date: Thu, 2 May 2024 15:55:44 +0100 Subject: [PATCH 08/13] rename display Name and descriptions --- .../azurepolicy.json | 4 ++-- .../azurepolicy.json | 2 +- .../azurepolicy.json | 4 ++-- .../azurepolicy.json | 4 ++-- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/policyDefinitions/Monitoring/configure-ama-on-linux-vm-with-cross-subscription-uami/azurepolicy.json b/policyDefinitions/Monitoring/configure-ama-on-linux-vm-with-cross-subscription-uami/azurepolicy.json index 9cbf7d92..29bcd9aa 100644 --- a/policyDefinitions/Monitoring/configure-ama-on-linux-vm-with-cross-subscription-uami/azurepolicy.json +++ b/policyDefinitions/Monitoring/configure-ama-on-linux-vm-with-cross-subscription-uami/azurepolicy.json 
@@ -2,9 +2,9 @@ "name": "2bf130ac-424c-570d-aadf-3cd38fbf1157", "type": "Microsoft.Authorization/policyDefinitions", "properties": { - "displayName": "Configure Linux virtual machines to run Azure Monitor Agent with cross subscription user-assigned managed identity-based authentication", + "displayName": "Configure Linux virtual machines to run AMA with cross subscription user-assigned managed identity-based authentication", "mode": "Indexed", - "description": "Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Adapted from built-in /providers/Microsoft.Authorization/policyDefinitions/ae8a10e6-19d6-44a3-a02d-a2bdfc707742 with minimal changes to support a cross subscription UAMI. This policy is meant to be assigned at Management Group Level, if you don't do this then you must assign manualy the permissions */read to the Policy Managed Idenity on the cross subscription UAMI.", + "description": "Adapted from built-in /providers/Microsoft.Authorization/policyDefinitions/ae8a10e6-19d6-44a3-a02d-a2bdfc707742 with minimal changes to support a cross subscription UAMI. This policy is meant to be assigned at Management Group Level, if you don't do this then you must assign manualy the permissions */read to the Policy Managed Idenity on the cross subscription UAMI.Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS.", "metadata": { "version": "1.0.0", "category": "Monitoring" 
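Review bot: The rewritten `description` on the `+` line runs two sentences together without a space (`...cross subscription UAMI.Automate the deployment...`) and carries the typos `manualy` and `Idenity`; this string is shown verbatim in the portal assignment wizard. It also drops the `Learn more: https://aka.ms/AMAOverview` pointer and the sentence saying unsupported OS/region combinations are skipped, both of which help an assigner judge scope. Suggest `... on the cross subscription UAMI. Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. Learn more: https://aka.ms/AMAOverview.` with `manually` and `Identity`.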
diff --git a/policyDefinitions/Monitoring/configure-ama-on-linux-vmss-with-cross-subscription-uami/azurepolicy.json b/policyDefinitions/Monitoring/configure-ama-on-linux-vmss-with-cross-subscription-uami/azurepolicy.json index f8ccfb9c..0013afb6 100644 --- a/policyDefinitions/Monitoring/configure-ama-on-linux-vmss-with-cross-subscription-uami/azurepolicy.json +++ b/policyDefinitions/Monitoring/configure-ama-on-linux-vmss-with-cross-subscription-uami/azurepolicy.json @@ -4,7 +4,7 @@ "properties": { "displayName": "Configure Linux virtual machine scale sets to run Azure Monitor Agent with cross subscription user-assigned managed identity-based authentication", "mode": "Indexed", - "description": "Automate the deployment of Azure Monitor Agent extension on your Linux virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Adapted from built-in /providers/Microsoft.Authorization/policyDefinitions/59c3d93f-900b-4827-a8bd-562e7b956e7c with minimal changes to support a cross subscription UAMI. This policy is meant to be assigned at Management Group Level, otherwise you must assign manualy the permissions */read to the Policy Managed Idenity on the cross subscription UAMI.", + "description": "Adapted from built-in /providers/Microsoft.Authorization/policyDefinitions/59c3d93f-900b-4827-a8bd-562e7b956e7c with minimal changes to support a cross subscription UAMI. This policy is meant to be assigned at Management Group Level, otherwise you must assign manualy the permissions */read to the Policy Managed Idenity on the cross subscription UAMI. Automate the deployment of Azure Monitor Agent extension on your Linux VMSS for collecting telemetry data from the guest OS.", "metadata": { "version": "1.0.0", "category": "Monitoring" 
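Review bot: The new `description` keeps the typos `manualy` and `Idenity` from the old text and drops the `Learn more: https://aka.ms/AMAOverview` link and the note that unsupported OS/region combinations are skipped. Since this is the text an assigner reads in the portal, suggest `... otherwise you must manually assign the */read permission to the Policy Managed Identity on the cross subscription UAMI. ... from the guest OS. Learn more: https://aka.ms/AMAOverview.`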
diff --git a/policyDefinitions/Monitoring/configure-ama-on-windows-vm-with-cross-subscription-uami/azurepolicy.json b/policyDefinitions/Monitoring/configure-ama-on-windows-vm-with-cross-subscription-uami/azurepolicy.json index c482531a..cbe5774f 100644 --- a/policyDefinitions/Monitoring/configure-ama-on-windows-vm-with-cross-subscription-uami/azurepolicy.json +++ b/policyDefinitions/Monitoring/configure-ama-on-windows-vm-with-cross-subscription-uami/azurepolicy.json 
@@ -2,9 +2,9 @@ "name": "bdffab46-452d-5c4d-aacb-bdf9e45fd363", "type": "Microsoft.Authorization/policyDefinitions", "properties": { - "displayName": "Configure Windows virtual machines to run Azure Monitor Agent with cross subscription user-assigned managed identity-based authentication", + "displayName": "Configure Windows virtual machines to run AMA with cross subscription user-assigned managed identity-based authentication", "mode": "Indexed", - "description": "Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Adapted from built-in /providers/Microsoft.Authorization/policyDefinitions/637125fd-7c39-4b94-bb0a-d331faf333a9 with minimal changes to support a cross subscription UAMI. This policy is meant to be assigned at Management Group Level, if you don't do this then you must assign manualy the permissions */read to the Policy Managed Idenity on the cross subscription UAMI.", + "description": "Adapted from built-in /providers/Microsoft.Authorization/policyDefinitions/637125fd-7c39-4b94-bb0a-d331faf333a9 with minimal changes to support a cross subscription UAMI. This policy is meant to be assigned at Management Group Level, if you don't do this then you must assign manualy the permissions */read to the Policy Managed Idenity on the cross subscription UAMI. Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS.", "metadata": { "version": "1.0.0", "category": "Monitoring" 
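Review bot: The new `description` still reads `assign manualy the permissions */read to the Policy Managed Idenity`; fix to `manually assign the */read permission to the Policy Managed Identity`. The `Learn more: https://aka.ms/AMAOverview` pointer and the "skip install otherwise" sentence were removed in the same line; keeping them costs nothing and tells an assigner what the policy does with unsupported images.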
diff --git a/policyDefinitions/Monitoring/configure-ama-on-windows-vmss-with-cross-subscription-uami/azurepolicy.json b/policyDefinitions/Monitoring/configure-ama-on-windows-vmss-with-cross-subscription-uami/azurepolicy.json index 74c90ccb..0560a3fc 100644 --- a/policyDefinitions/Monitoring/configure-ama-on-windows-vmss-with-cross-subscription-uami/azurepolicy.json +++ b/policyDefinitions/Monitoring/configure-ama-on-windows-vmss-with-cross-subscription-uami/azurepolicy.json 
@@ -2,9 +2,9 @@ "name": "6eef296d-6e58-5404-acb0-a102bd5f0ee6", "type": "Microsoft.Authorization/policyDefinitions", "properties": { - "displayName": "Configure Windows virtual machine scale sets to run Azure Monitor Agent with cross subscription user-assigned managed identity-based authentication", + "displayName": "Configure Windows VMSS to run AMA with cross subscription user-assigned managed identity-based authentication", "mode": "Indexed", - "description": "Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS. This policy will install the extension and configure it to use the specified user-assigned managed identity if the OS and region are supported, and skip install otherwise. Learn more: https://aka.ms/AMAOverview. Adapted from built-in /providers/Microsoft.Authorization/policyDefinitions/98569e20-8f32-4f31-bf34-0e91590ae9d3 with minimal changes to support a cross subscription UAMI. This policy is meant to be assigned at Management Group Level, otherwise you must assign manualy the permissions */read to the Policy Managed Idenity on the cross subscription UAMI.", + "description": "Adapted from built-in /providers/Microsoft.Authorization/policyDefinitions/98569e20-8f32-4f31-bf34-0e91590ae9d3 with minimal changes to support a cross subscription UAMI. This policy is meant to be assigned at Management Group Level, otherwise you must assign manualy the permissions */read to the Policy Managed Idenity on the cross subscription UAMI.Automate the deployment of Azure Monitor Agent extension on your Windows virtual machines for collecting telemetry data from the guest OS.", "metadata": { "version": "1.0.0", "category": "Monitoring" From f356baa91624f78f7dfd01805ecf1727b09dc985 Mon Sep 17 00:00:00 2001 
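Review bot: The new `description` concatenates two sentences without a space (`...cross subscription UAMI.Automate the deployment...`) and keeps the typos `manualy` and `Idenity`; it also still says `Windows virtual machines` although the `displayName` on the line above now says `Windows VMSS`. Suggest `... on the cross subscription UAMI. Automate the deployment of Azure Monitor Agent extension on your Windows virtual machine scale sets for collecting telemetry data from the guest OS. Learn more: https://aka.ms/AMAOverview.` with `manually` and `Identity`.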
From: Hugo Ribeiro Date: Fri, 17 Jan 2025 14:35:15 +0000 Subject: [PATCH 09/13] Add policy Enforce tag Name and Value casing on resource groups and subscriptions --- .../azurepolicy.json | 100 ++++++++++++++++++ .../azurepolicy.parameters.json | 42 ++++++++ .../azurepolicy.rules.json | 45 ++++++++ 3 files changed, 187 insertions(+) create mode 100644 policyDefinitions/Tags/enforce-tag-name-and-value-casing-on-rg-and-sub/azurepolicy.json create mode 100644 policyDefinitions/Tags/enforce-tag-name-and-value-casing-on-rg-and-sub/azurepolicy.parameters.json create mode 100644 policyDefinitions/Tags/enforce-tag-name-and-value-casing-on-rg-and-sub/azurepolicy.rules.json diff --git a/policyDefinitions/Tags/enforce-tag-name-and-value-casing-on-rg-and-sub/azurepolicy.json b/policyDefinitions/Tags/enforce-tag-name-and-value-casing-on-rg-and-sub/azurepolicy.json new file mode 100644 index 00000000..105b0ffe --- /dev/null +++ b/policyDefinitions/Tags/enforce-tag-name-and-value-casing-on-rg-and-sub/azurepolicy.json 
@@ -0,0 +1,100 @@
+{
+ "name": "dd478b1b-83a0-48d3-92fe-bba17c3a72a4",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "properties": {
+ "displayName": "Enforce tag Name and Value casing on resource groups and subscriptions",
+ "description": "This policy can be used to convert a specific tag name and value on a resource to either being all lowercase or all uppercase. IMPORTANT: Tag Names are NOT case sensitive in azure therefore this is just a workaround that might stop working at any time.",
+ "mode": "All",
+ "metadata": {
+ "category": "Tags",
+ "version": "1.0.0"
+ },
+ "parameters": {
+ "toLowerOrToUpper": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Enforce lowercase or uppercase",
+ "description": "If set to lowercase/uppercase then the Policy will convert the tag name and value on existing and new resources groups to lowercase/Uppercase "
+ },
+ "allowedValues": [
+ "Lowercase",
+ "Uppercase"
+ ]
+ },
+ "tagName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "TagName",
+ "description": "Tag name that will be used for enforcement of lowercase/uppercase case."
+ }
+ },
+ "applyCaseToValue": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "Apply Case to Value",
+ "description": "Control if the same case applied to the tag name should be applied to the value."
+ },
+ "defaultValue": true
+ },
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Modify, Deny, Audit or Disabled the execution of the Policy"
+ },
+ "allowedValues": [
+ "Modify",
+ "Deny",
+ "Audit",
+ "Disabled"
+ ],
+ "defaultValue": "Modify"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "anyOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Resources/subscriptions"
+ },
+ {
+ "field": "type",
+ "equals": "Microsoft.Resources/subscriptions/resourceGroups"
+ }
+ ]
+ },
+ {
+ "field": "[concat('tags[', parameters('tagName'), ']')]",
+ "exists": true
+ },
+ {
+ "value": "[if(empty(field('tags')), bool('false'), if(contains(field('tags'), parameters('tagName')), bool('true'), bool('false')))]",
+ "equals": true
+ },
+ {
+ "value": "[if(empty(field('tags')), bool('false'), if(contains(field('tags'), parameters('tagName')), if(equals(parameters('applyCaseToValue'), bool('true')),if(equals(parameters('toLowerOrToUpper'), 'Lowercase'), not(equals(base64(toLower(string(field(concat('tags[', parameters('tagName'), ']'))))), base64(string(field(concat('tags[', parameters('tagName'), ']')))))), not(equals(base64(toUpper(string(field(concat('tags[', parameters('tagName'), ']'))))), base64(string(field(concat('tags[', parameters('tagName'), ']'))))))), bool('false')), bool('false')))]",
+ "equals": true
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
+ ],
+ "operations": [
+ {
+ "operation": "addOrReplace",
+ "field": "tags",
+ "value": "[json(if(empty(field('tags')), '{}', if(equals(parameters('toLowerOrToUpper'), 'Lowercase'), string(union(field('tags'), createObject(tolower(parameters('tagName')), if(parameters('applyCaseToValue'),toLower(string(field(concat('tags[', parameters('tagName'), ']')))) , string(field(concat('tags[', parameters('tagName'), ']'))))))), string(union(field('tags'), createObject(toUpper(parameters('tagName')), if(parameters('applyCaseToValue'),toUpper(string(field(concat('tags[', parameters('tagName'), ']')))) , string(field(concat('tags[', parameters('tagName'), ']'))))))))))]"
+ }
+ ]
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/policyDefinitions/Tags/enforce-tag-name-and-value-casing-on-rg-and-sub/azurepolicy.parameters.json b/policyDefinitions/Tags/enforce-tag-name-and-value-casing-on-rg-and-sub/azurepolicy.parameters.json
new file mode 100644
index 00000000..b871c3bf
--- /dev/null
+++ b/policyDefinitions/Tags/enforce-tag-name-and-value-casing-on-rg-and-sub/azurepolicy.parameters.json
@@ -0,0 +1,42 @@
+{
+ "toLowerOrToUpper": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Enforce lowercase or uppercase",
+ "description": "If set to lowercase/uppercase then the Policy will convert the tag name and value on existing and new resources groups to lowercase/Uppercase "
+ },
+ "allowedValues": [
+ "Lowercase",
+ "Uppercase"
+ ]
+ },
+ "tagName": {
+ "type": "String",
+ "metadata": {
+ "displayName": "TagName",
+ "description": "Tag name that will be used for enforcement of lowercase/uppercase case."
+ }
+ },
+ "applyCaseToValue": {
+ "type": "Boolean",
+ "metadata": {
+ "displayName": "Apply Case to Value",
+ "description": "Control if the same case applied to the tag name should be applied to the value."
+ },
+ "defaultValue": true
+ },
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "Modify, Deny, Audit or Disabled the execution of the Policy"
+ },
+ "allowedValues": [
+ "Modify",
+ "Deny",
+ "Audit",
+ "Disabled"
+ ],
+ "defaultValue": "Modify"
+ }
+}
\ No newline at end of file
diff --git a/policyDefinitions/Tags/enforce-tag-name-and-value-casing-on-rg-and-sub/azurepolicy.rules.json b/policyDefinitions/Tags/enforce-tag-name-and-value-casing-on-rg-and-sub/azurepolicy.rules.json
new file mode 100644
index 00000000..3e27a0d2
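Review bot: `then.details` sets no `conflictEffect`, and for the Modify effect the default is deny, so if another Modify definition (a built-in inherit-tag or add-tag policy, for example) touches the same `tags` property on a resource group, the create/update request is rejected rather than audited — a harsh failure mode for a cosmetic casing fix; consider `"conflictEffect": "audit"` next to `roleDefinitionIds`. The `roleDefinitionIds` entry grants Contributor (`b24988ac-…`) to the remediation identity at assignment scope although the only operation is a tag write; the narrower Tag Contributor role (`4a9ae827-6dc8-4573-8ac7-8239d42aa03f`) may be sufficient for subscriptions and resource groups and is worth verifying on a test scope before shipping Contributor at management-group level. The `union(field('tags'), createObject(...))` replacement relies on `union` replacing the existing key regardless of case rather than yielding two keys that differ only in case; I cannot confirm that from the visible lines, so a test with a tag like `Env` → `env` on a resource group would back the description's "might stop working" caveat with an actual observed behaviour. The description says the policy converts a tag "on a resource", but the `if` block only matches subscriptions and resource groups; say so to avoid assigners expecting resource-level remediation.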
--- /dev/null
+++ b/policyDefinitions/Tags/enforce-tag-name-and-value-casing-on-rg-and-sub/azurepolicy.rules.json
@@ -0,0 +1,45 @@
+{
+ "if": {
+ "allOf": [
+ {
+ "anyOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.Resources/subscriptions"
+ },
+ {
+ "field": "type",
+ "equals": "Microsoft.Resources/subscriptions/resourceGroups"
+ }
+ ]
+ },
+ {
+ "field": "[concat('tags[', parameters('tagName'), ']')]",
+ "exists": true
+ },
+ {
+ "value": "[if(empty(field('tags')), bool('false'), if(contains(field('tags'), parameters('tagName')), bool('true'), bool('false')))]",
+ "equals": true
+ },
+ {
+ "value": "[if(empty(field('tags')), bool('false'), if(contains(field('tags'), parameters('tagName')), if(equals(parameters('applyCaseToValue'), bool('true')),if(equals(parameters('toLowerOrToUpper'), 'Lowercase'), not(equals(base64(toLower(string(field(concat('tags[', parameters('tagName'), ']'))))), base64(string(field(concat('tags[', parameters('tagName'), ']')))))), not(equals(base64(toUpper(string(field(concat('tags[', parameters('tagName'), ']'))))), base64(string(field(concat('tags[', parameters('tagName'), ']'))))))), bool('false')), bool('false')))]",
+ "equals": true
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "roleDefinitionIds": [
+ "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
+ ],
+ "operations": [
+ {
+ "operation": "addOrReplace",
+ "field": "tags",
+ "value": "[json(if(empty(field('tags')), '{}', if(equals(parameters('toLowerOrToUpper'), 'Lowercase'), string(union(field('tags'), createObject(tolower(parameters('tagName')), if(parameters('applyCaseToValue'),toLower(string(field(concat('tags[', parameters('tagName'), ']')))) , string(field(concat('tags[', parameters('tagName'), ']'))))))), string(union(field('tags'), createObject(toUpper(parameters('tagName')), if(parameters('applyCaseToValue'),toUpper(string(field(concat('tags[', parameters('tagName'), ']')))) , string(field(concat('tags[', parameters('tagName'), ']'))))))))))]"
+ }
+ ]
+ }
+ }
+}
\ No newline at end of file
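Review bot: The `effect` parameter admits `Deny`, but the `if` block matches every subscription or resource group whose existing tag is already in the "wrong" case, so with Deny any PUT/PATCH on such a resource group — including updates that never touch tags — is rejected until someone re-cases the tag by hand; this is not mentioned in the parameter text (`Modify, Deny, Audit or Disabled the execution of the Policy`, defined outside this hunk) and deserves a warning such as `Deny blocks every write to a subscription or resource group whose existing tag casing differs; use Modify to remediate instead.` The `base64(...)` wrapping in the fourth condition appears to be there only to force a case-sensitive comparison of the tag value, which is non-obvious and will tempt the next maintainer to "simplify" it away; a sentence in the definition's `description` explaining why it exists would protect it. Minor style point in `operations[0].value`: `tolower(...)` sits next to `toLower(...)`/`toUpper(...)` — ARM functions are case-insensitive, but one spelling reads better.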
From 5ac0dd96b0437b5e945143d5c9c8a10f8168814f Mon Sep 17 00:00:00 2001 From: Hugo Ribeiro Date: Mon, 20 Jan 2025 09:48:09 +0000 Subject: [PATCH 10/13] change the guid --- .../azurepolicy.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policyDefinitions/Tags/enforce-tag-name-and-value-casing-on-rg-and-sub/azurepolicy.json b/policyDefinitions/Tags/enforce-tag-name-and-value-casing-on-rg-and-sub/azurepolicy.json index 105b0ffe..20025aa7 100644 --- a/policyDefinitions/Tags/enforce-tag-name-and-value-casing-on-rg-and-sub/azurepolicy.json +++ b/policyDefinitions/Tags/enforce-tag-name-and-value-casing-on-rg-and-sub/azurepolicy.json @@ -1,5 +1,5 @@ { - "name": "dd478b1b-83a0-48d3-92fe-bba17c3a72a4", + "name": "f73c65c4-8baf-4e81-9ab6-77e64211f6ba", "type": "Microsoft.Authorization/policyDefinitions", "properties": { "displayName": "Enforce tag Name and Value casing on resource groups and subscriptions", From f2f8c16cbe1f805433f28eaeb221fca6653dd619 Mon Sep 17 00:00:00 2001 From: Hugo Ribeiro Date: Tue, 28 Jan 2025 11:54:25 +0000 Subject: [PATCH 11/13] change the guid --- .../azurepolicy.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policyDefinitions/Tags/enforce-tag-name-and-value-casing-on-rg-and-sub/azurepolicy.json b/policyDefinitions/Tags/enforce-tag-name-and-value-casing-on-rg-and-sub/azurepolicy.json index 20025aa7..33b605b2 100644 --- a/policyDefinitions/Tags/enforce-tag-name-and-value-casing-on-rg-and-sub/azurepolicy.json +++ b/policyDefinitions/Tags/enforce-tag-name-and-value-casing-on-rg-and-sub/azurepolicy.json @@ -1,5 +1,5 @@ { - "name": "f73c65c4-8baf-4e81-9ab6-77e64211f6ba", + "name": "4c79587a-c4a1-5c28-8806-d7d29d3c114c", "type": "Microsoft.Authorization/policyDefinitions", "properties": { "displayName": "Enforce tag Name and Value casing on resource groups and subscriptions", From 48f8a3c38a9eceed7ac71a4cb7b8d58a6b1035ed Mon Sep 17 00:00:00 2001 
From: Hugo Ribeiro Date: Fri, 13 Feb 2026 18:46:31 +0000 Subject: [PATCH 12/13] fix policy logic, activity log for selected category and operation name --- .../azurepolicy.json | 328 ++++++++++++++++++ .../azurepolicy.parameters.json | 82 +++++ .../azurepolicy.rules.json | 233 +++++++++++++ 3 files changed, 643 insertions(+) create mode 100644 policyDefinitions/Monitoring/deploy-activity-log-for-selected-category-and-operation-name/azurepolicy.json create mode 100644 policyDefinitions/Monitoring/deploy-activity-log-for-selected-category-and-operation-name/azurepolicy.parameters.json create mode 100644 policyDefinitions/Monitoring/deploy-activity-log-for-selected-category-and-operation-name/azurepolicy.rules.json diff --git a/policyDefinitions/Monitoring/deploy-activity-log-for-selected-category-and-operation-name/azurepolicy.json b/policyDefinitions/Monitoring/deploy-activity-log-for-selected-category-and-operation-name/azurepolicy.json new file mode 100644 index 00000000..db48435e --- /dev/null +++ b/policyDefinitions/Monitoring/deploy-activity-log-for-selected-category-and-operation-name/azurepolicy.json 
@@ -0,0 +1,328 @@
+{
+ "name": "1a30544f-d89d-42ee-9e74-7f8176772c3d",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "properties": {
+ "displayName": "Deploy Activity Log Alert for the seleccted category and operation name",
+ "description": "Deploy Activity Log Alert for the seleccted category and operation name",
+ "metadata": {
+ "version": "1.0.0",
+ "category": "Monitoring"
+ },
+ "mode": "All",
+ "parameters": {
+ "actionGroupResourceId": {
+ "type": "string",
+ "metadata": {
+ "description": "Name for the Action group.",
+ "displayName": "Action Group Resource ID"
+ }
+ },
+ "activityLogAlertName": {
+ "type": "string",
+ "metadata": {
+ "description": "Name for the Activity log alert.",
+ "displayName": "Alert Name"
+ }
+ },
+ "appendSubscriptionNameAsPrefix": {
+ "type": "boolean",
+ "metadata": {
+ "description": "Append the Subscription Name to the parameter for the name of the Activity log alert and for the rg name.",
+ "displayName": "Append Subscription Name as Prefix"
+ },
+ "defaultValue": false,
+ "allowedValues":[
+ true,
+ false
+ ]
+ },
+ "activityLogCategory": {
+ "type": "string",
+ "metadata": {
+ "description": "Category for the Activity log alert.",
+ "displayName": "Alert Category"
+ },
+ "allowedValues": [
+ "Administrative",
+ "Security",
+ "ServiceHealth",
+ "Alert",
+ "Recommendation",
+ "Policy",
+ "Autoscale",
+ "ResourceHealth"
+ ],
+ "defaultValue": "Administrative"
+ },
+ "activityLogOperationName": {
+ "type": "string",
+ "metadata": {
+ "description": "Operation Name for the Activity log alert. format: Microsoft.Provider/resourceType/actionOrOperation examples: Microsoft.Sql/servers/firewallRules/write, Microsoft.Security/policies/write",
+ "displayName": "Alert Operation Name"
+ }
+ },
+ "activityLogAlertResourceGroupName": {
+ "type": "string",
+ "metadata": {
+ "description": "This is the name of the Resource Group that will contain the Activity log alert resource.",
+ "displayName": "Alert Resource Group Name"
+ }
+ },
+ "activityLogAlertResourceGroupLocation": {
+ "type": "string",
+ "metadata": {
+ "description": "This is the location of the Resource Group that will contain the Activity log alert resource.",
+ "displayName": "Alert Resource Group Location",
+ "strongType": "location"
+ },
+ "defaultValue": "northeurope"
+ },
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "DeployIfNotExists, AuditIfNotExists or Disabled the execution of the Policy"
+ },
+ "allowedValues": [
+ "DeployIfNotExists",
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists"
+ }
+ },
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.resources/subscriptions"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/activityLogAlerts",
+ "roleDefinitionIds": [
+ "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
+ ],
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/ActivityLogAlerts/enabled",
+ "equals": "true"
+ },
+ {
+ "count": {
+ "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]",
+ "where": {
+ "anyOf": [
+ {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
+ "equals": "category"
+ },
+ {
+ "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals",
+ "equals": "[parameters('activityLogCategory')]"
+ }
+ ]
+ },
+ {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
+ "equals": "operationName"
+ },
+ {
+ "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals",
+ "equals": "[parameters('activityLogOperationName')]"
+ }
+ ]
+ }
+ ]
+ }
+ },
+ "equals": 2
+ },
+ {
+ "not": {
+ "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
+ "equals": "category"
+ }
+ },
+ {
+ "not": {
+ "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
+ "equals": "operationName"
+ }
+ }
+ ]
+ },
+ "deploymentScope": "subscription",
+ "resourceGroupName":"[if(parameters('appendSubscriptionNameAsPrefix'), concat(subscription().displayName,'-', parameters('activityLogAlertResourceGroupName')), parameters('activityLogAlertResourceGroupName'))]",
+ "deployment": {
+ "location": "eastus",
+ "properties": {
+ "mode": "incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "activityLogAlertResourceGroupName": {
+ "type": "string"
+ },
+ "activityLogAlertResourceGroupLocation": {
+ "type": "string"
+ },
+ "actionGroupResourceId": {
+ "type": "string"
+ },
+ "activityLogAlertName": {
+ "type": "string"
+ },
+ "activityLogCategory": {
+ "type": "string"
+ },
+ "activityLogOperationName": {
+ "type": "string"
+ },
+ "appendSubscriptionNameAsPrefix": {
+ "type": "bool"
+ }
+ },
+ "variables": {
+ "createRg": "[concat('deployRG-', uniqueString(deployment().name))]",
+ "createAlert": "[concat('deployAlert-', uniqueString(deployment().name))]",
+ "alertRGNAme": "[if(parameters('appendSubscriptionNameAsPrefix'), concat(subscription().displayName,'-', parameters('activityLogAlertResourceGroupName')), parameters('activityLogAlertResourceGroupName'))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Resources/resourceGroups",
+ "apiVersion": "2022-09-01",
+ "name": "[variables('alertRGNAme')]",
+ "location": "[parameters('activityLogAlertResourceGroupLocation')]"
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "name": "[variables('createAlert')]",
+ "resourceGroup": "[variables('alertRGNAme')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/resourceGroups', variables('alertRGNAme'))]"
+ ],
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "activityLogAlertName": {
+ "value": "[trim(parameters('activityLogAlertName'))]"
+ },
+ "actionGroupResourceId": {
+ "value": "[trim(parameters('actionGroupResourceId'))]"
+ },
+ "activityLogCategory": {
+ "value": "[parameters('activityLogCategory')]"
+ },
+ "activityLogOperationName": {
+ "value": "[trim(parameters('activityLogOperationName'))]"
+ },
+ "appendSubscriptionNameAsPrefix": {
+ "value": "[parameters('appendSubscriptionNameAsPrefix')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "actionGroupResourceId": {
+ "type": "string"
+ },
+ "activityLogAlertName": {
+ "type": "string"
+ },
+ "activityLogCategory": {
+ "type": "string"
+ },
+ "activityLogOperationName": {
+ "type": "string"
+ },
+ "appendSubscriptionNameAsPrefix": {
+ "type": "bool"
+ }
+ },
+ "variables": {
+ "alertName": "[if(parameters('appendSubscriptionNameAsPrefix'), concat(subscription().displayName,'-', parameters('activityLogAlertName')), parameters('activityLogAlertName'))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Insights/activityLogAlerts",
+ "apiVersion": "2017-04-01",
+ "name": "[substring(variables('alertName') ,0 , min(createArray(length(variables('alertName')), 259)))]",
+ "location": "Global",
+ "properties": {
+ "enabled": true,
+ "scopes": [
+ "[subscription().id]"
+ ],
+ "condition": {
+ "allOf": [
+ {
+ "field": "category",
+ "equals": "[parameters('activityLogCategory')]"
+ },
+ {
+ "field": "operationName",
+ "equals": "[parameters('activityLogOperationName')]"
+ }
+ ]
+ },
+ "actions": {
+ "actionGroups": [
+ {
+ "actionGroupId": "[parameters('actionGroupResourceId')]"
+ }
+ ]
+ }
+ }
+ }
+ ]
+ }
+ }
+ }
+ ]
+ },
+ "parameters": {
+ "activityLogAlertName": {
+ "value": "[trim(parameters('activityLogAlertName'))]"
+ },
+ "actionGroupResourceId": {
+ "value": "[trim(parameters('actionGroupResourceId'))]"
+ },
+ "activityLogCategory": {
+ "value": "[parameters('activityLogCategory')]"
+ },
+ "activityLogOperationName": {
+ "value": "[trim(parameters('activityLogOperationName'))]"
+ },
+ "appendSubscriptionNameAsPrefix": {
+ "value": "[parameters('appendSubscriptionNameAsPrefix')]"
+ },
+ "activityLogAlertResourceGroupName": {
+ "value": "[parameters('activityLogAlertResourceGroupName')]"
+ },
+ "activityLogAlertResourceGroupLocation": {
+ "value": "[parameters('activityLogAlertResourceGroupLocation')]"
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/policyDefinitions/Monitoring/deploy-activity-log-for-selected-category-and-operation-name/azurepolicy.parameters.json b/policyDefinitions/Monitoring/deploy-activity-log-for-selected-category-and-operation-name/azurepolicy.parameters.json
new file mode 100644
index 00000000..785e7d62
--- /dev/null
+++ b/policyDefinitions/Monitoring/deploy-activity-log-for-selected-category-and-operation-name/azurepolicy.parameters.json
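Review bot: As rendered in this patch, the file closes with eight `}` after the last `activityLogAlertResourceGroupLocation` value while nine objects are still open (root, properties, policyRule, then, details, deployment, its properties, parameters and the value object), so the document appears one `}` short of valid JSON — azurepolicy.rules.json in this commit shows the same off-by-one while azurepolicy.parameters.json balances; please run all three files through a JSON validator before merging, since a truncated definition cannot be created at all. In the `existenceCondition`, `operationName` is compared to the raw `[parameters('activityLogOperationName')]` whereas the deployment writes `[trim(parameters('activityLogOperationName'))]`, so a value entered with surrounding whitespace is deployed trimmed and presumably never satisfies the check afterwards, leaving the subscription non-compliant after every remediation; compare the trimmed value in both places, `"equals": "[trim(parameters('activityLogOperationName'))]"` (same in azurepolicy.rules.json). The existence check also never inspects the alert's action group, so a pre-existing alert with the right category and operation name but a different or empty `actions.actionGroups` is reported compliant and the configured `actionGroupResourceId` is silently not wired in; a `count`/`where` over `Microsoft.Insights/ActivityLogAlerts/actions.actionGroups[*].actionGroupId` equal to the parameter would close that detection gap (confirm the alias is available for the API version you target). Smaller points: the `actionGroupResourceId` description says "Name for the Action group." although the value is a resource ID (also in azurepolicy.parameters.json), the `createRg` variable is never used, and `deployment.location` is hard-coded to `eastus` while the resource-group location defaults to `northeurope`, which places deployment metadata in a different region than the resources it creates.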
@@ -0,0 +1,82 @@
+{
+ "actionGroupResourceId": {
+ "type": "string",
+ "metadata": {
+ "description": "Name for the Action group.",
+ "displayName": "Action Group Resource ID"
+ }
+ },
+ "activityLogAlertName": {
+ "type": "string",
+ "metadata": {
+ "description": "Name for the Activity log alert.",
+ "displayName": "Alert Name"
+ }
+ },
+ "appendSubscriptionNameAsPrefix": {
+ "type": "boolean",
+ "metadata": {
+ "description": "Append the Subscription Name to the parameter for the name of the Activity log alert and for the rg name.",
+ "displayName": "Append Subscription Name as Prefix"
+ },
+ "defaultValue": false,
+ "allowedValues":[
+ true,
+ false
+ ]
+ },
+ "activityLogCategory": {
+ "type": "string",
+ "metadata": {
+ "description": "Category for the Activity log alert.",
+ "displayName": "Alert Category"
+ },
+ "allowedValues": [
+ "Administrative",
+ "Security",
+ "ServiceHealth",
+ "Alert",
+ "Recommendation",
+ "Policy",
+ "Autoscale",
+ "ResourceHealth"
+ ],
+ "defaultValue": "Administrative"
+ },
+ "activityLogOperationName": {
+ "type": "string",
+ "metadata": {
+ "description": "Operation Name for the Activity log alert. format: Microsoft.Provider/resourceType/actionOrOperation examples: Microsoft.Sql/servers/firewallRules/write, Microsoft.Security/policies/write",
+ "displayName": "Alert Operation Name"
+ }
+ },
+ "activityLogAlertResourceGroupName": {
+ "type": "string",
+ "metadata": {
+ "description": "This is the name of the Resource Group that will contain the Activity log alert resource.",
+ "displayName": "Alert Resource Group Name"
+ }
+ },
+ "activityLogAlertResourceGroupLocation": {
+ "type": "string",
+ "metadata": {
+ "description": "This is the location of the Resource Group that will contain the Activity log alert resource.",
+ "displayName": "Alert Resource Group Location",
+ "strongType": "location"
+ },
+ "defaultValue": "northeurope"
+ },
+ "effect": {
+ "type": "String",
+ "metadata": {
+ "displayName": "Effect",
+ "description": "DeployIfNotExists, AuditIfNotExists or Disabled the execution of the Policy"
+ },
+ "allowedValues": [
+ "DeployIfNotExists",
+ "AuditIfNotExists",
+ "Disabled"
+ ],
+ "defaultValue": "DeployIfNotExists"
+ }
+ }
\ No newline at end of file
diff --git a/policyDefinitions/Monitoring/deploy-activity-log-for-selected-category-and-operation-name/azurepolicy.rules.json b/policyDefinitions/Monitoring/deploy-activity-log-for-selected-category-and-operation-name/azurepolicy.rules.json
new file mode 100644
index 00000000..cd65be1e
--- /dev/null
+++ b/policyDefinitions/Monitoring/deploy-activity-log-for-selected-category-and-operation-name/azurepolicy.rules.json
@@ -0,0 +1,233 @@
+{
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "Microsoft.resources/subscriptions"
+ }
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]",
+ "details": {
+ "type": "Microsoft.Insights/activityLogAlerts",
+ "roleDefinitionIds": [
+ "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
+ ],
+ "existenceCondition": {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/ActivityLogAlerts/enabled",
+ "equals": "true"
+ },
+ {
+ "count": {
+ "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]",
+ "where": {
+ "anyOf": [
+ {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
+ "equals": "category"
+ },
+ {
+ "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals",
+ "equals": "[parameters('activityLogCategory')]"
+ }
+ ]
+ },
+ {
+ "allOf": [
+ {
+ "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
+ "equals": "operationName"
+ },
+ {
+ "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals",
+ "equals": "[parameters('activityLogOperationName')]"
+ }
+ ]
+ }
+ ]
+ }
+ },
+ "equals": 2
+ },
+ {
+ "not": {
+ "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
+ "equals": "category"
+ }
+ },
+ {
+ "not": {
+ "field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
+ "equals": "operationName"
+ }
+ }
+ ]
+ },
+ "deploymentScope": "subscription",
+ "resourceGroupName":"[if(parameters('appendSubscriptionNameAsPrefix'), concat(subscription().displayName,'-', parameters('activityLogAlertResourceGroupName')), parameters('activityLogAlertResourceGroupName'))]",
+ "deployment": {
+ "location": "eastus",
+ "properties": {
+ "mode": "incremental",
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "activityLogAlertResourceGroupName": {
+ "type": "string"
+ },
+ "activityLogAlertResourceGroupLocation": {
+ "type": "string"
+ },
+ "actionGroupResourceId": {
+ "type": "string"
+ },
+ "activityLogAlertName": {
+ "type": "string"
+ },
+ "activityLogCategory": {
+ "type": "string"
+ },
+ "activityLogOperationName": {
+ "type": "string"
+ },
+ "appendSubscriptionNameAsPrefix": {
+ "type": "bool"
+ }
+ },
+ "variables": {
+ "createRg": "[concat('deployRG-', uniqueString(deployment().name))]",
+ "createAlert": "[concat('deployAlert-', uniqueString(deployment().name))]",
+ "alertRGNAme": "[if(parameters('appendSubscriptionNameAsPrefix'), concat(subscription().displayName,'-', parameters('activityLogAlertResourceGroupName')), parameters('activityLogAlertResourceGroupName'))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Resources/resourceGroups",
+ "apiVersion": "2022-09-01",
+ "name": "[variables('alertRGNAme')]",
+ "location": "[parameters('activityLogAlertResourceGroupLocation')]"
+ },
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-06-01",
+ "name": "[variables('createAlert')]",
+ "resourceGroup": "[variables('alertRGNAme')]",
+ "dependsOn": [
+ "[resourceId('Microsoft.Resources/resourceGroups', variables('alertRGNAme'))]"
+ ],
+ "properties": {
+ "expressionEvaluationOptions": {
+ "scope": "inner"
+ },
+ "mode": "Incremental",
+ "parameters": {
+ "activityLogAlertName": {
+ "value": "[trim(parameters('activityLogAlertName'))]"
+ },
+ "actionGroupResourceId": {
+ "value": "[trim(parameters('actionGroupResourceId'))]"
+ },
+ "activityLogCategory": {
+ "value": "[parameters('activityLogCategory')]"
+ },
+ "activityLogOperationName": {
+ "value": "[trim(parameters('activityLogOperationName'))]"
+ },
+ "appendSubscriptionNameAsPrefix": {
+ "value": "[parameters('appendSubscriptionNameAsPrefix')]"
+ }
+ },
+ "template": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "actionGroupResourceId": {
+ "type": "string"
+ },
+ "activityLogAlertName": {
+ "type": "string"
+ },
+ "activityLogCategory": {
+ "type": "string"
+ },
+ "activityLogOperationName": {
+ "type": "string"
+ },
+ "appendSubscriptionNameAsPrefix": {
+ "type": "bool"
+ }
+ },
+ "variables": {
+ "alertName": "[if(parameters('appendSubscriptionNameAsPrefix'), concat(subscription().displayName,'-', parameters('activityLogAlertName')), parameters('activityLogAlertName'))]"
+ },
+ "resources": [
+ {
+ "type": "Microsoft.Insights/activityLogAlerts",
+ "apiVersion": "2017-04-01",
+ "name": "[substring(variables('alertName') ,0 , min(createArray(length(variables('alertName')), 259)))]",
+ "location": "Global",
+ "properties": {
+ "enabled": true,
+ "scopes": [
+ "[subscription().id]"
+ ],
+ "condition": {
+ "allOf": [
+ {
+ "field": "category",
+ "equals": "[parameters('activityLogCategory')]"
+ },
+ {
+ "field": "operationName",
+ "equals": "[parameters('activityLogOperationName')]"
+ }
+ ]
+ },
+ "actions": {
+ "actionGroups": [
+ {
+ "actionGroupId": "[parameters('actionGroupResourceId')]"
+ }
+ ]
+ }
+ }
+ }
+ ]
+ }
+ }
+ }
+ ]
+ },
+ "parameters": {
+ "activityLogAlertName": {
+ "value": "[trim(parameters('activityLogAlertName'))]"
+ },
+ "actionGroupResourceId": {
+ "value": "[trim(parameters('actionGroupResourceId'))]"
+ },
+ "activityLogCategory": {
+ "value": "[parameters('activityLogCategory')]"
+ },
+ "activityLogOperationName": {
+ "value": "[trim(parameters('activityLogOperationName'))]"
+ },
+ "appendSubscriptionNameAsPrefix": {
+ "value": "[parameters('appendSubscriptionNameAsPrefix')]"
+ },
+ "activityLogAlertResourceGroupName": {
+ "value": "[parameters('activityLogAlertResourceGroupName')]"
+ },
+ "activityLogAlertResourceGroupLocation": {
+ "value": "[parameters('activityLogAlertResourceGroupLocation')]"
+ }
+ }
+ }
+ }
+ }
+ }
\ No newline at end of file

From ef646b458649f5634d8a4ac549677d7d6a5a72cc Mon Sep 17 00:00:00 2001
From: Hugo Ribeiro
Date: Fri, 13 Feb 2026 18:56:06 +0000
Subject: [PATCH 13/13] fix policy logic, activity log for selected category and operation name

---
 .../azurepolicy.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/policyDefinitions/Monitoring/deploy-activity-log-for-selected-category-and-operation-name/azurepolicy.json b/policyDefinitions/Monitoring/deploy-activity-log-for-selected-category-and-operation-name/azurepolicy.json
index db48435e..ef9cf905 100644
--- a/policyDefinitions/Monitoring/deploy-activity-log-for-selected-category-and-operation-name/azurepolicy.json
+++ b/policyDefinitions/Monitoring/deploy-activity-log-for-selected-category-and-operation-name/azurepolicy.json
@@ -2,8 +2,8 @@
 "name": "1a30544f-d89d-42ee-9e74-7f8176772c3d",
 "type": "Microsoft.Authorization/policyDefinitions",
 "properties": {
- "displayName": "Deploy Activity Log Alert for the seleccted category and operation name",
- "description": "Deploy Activity Log Alert for the seleccted category and operation name",
+ "displayName": "Deploy Activity Log Alert for the selected category and operation name",
+ "description": "Deploy Activity Log Alert for the selected category and operation name",
 "metadata": {
 "version": "1.0.0",
 "category": "Monitoring"