Given this ARM template: https://github.com/Azure/azure-quickstart-templates/blob/master/101-redis-cache/azuredeploy.json
How do we enforce that the Redis cache is deployed with diagnostic settings enabled?
Will it only be possible if an appropriate alias is provided by the Azure team?
Current set of aliases for Redis cache:
{
    "Microsoft.Cache/Redis/redisConfiguration": {
        "maxfragmentationmemory-reserved": "300",
        "maxmemory-reserved": "200",
        "maxmemory-delta": "200",
        "maxclients": "7500",
        "rdb-backup-enabled": "true",
        "rdb-backup-frequency": "60",
        "rdb-backup-max-snapshot-count": "1",
        "rdb-storage-connection-string": "DefaultEndpointsProtocol=https;AccountName=blobnubldepenclsstgwu2;AccountKey=[key hidden]"
    },
    "Microsoft.Cache/Redis/provisioningState": "Succeeded",
    "Microsoft.Cache/Redis/enableNonSslPort": false,
    "Microsoft.Cache/Redis/sku.capacity": 1,
    "Microsoft.Cache/Redis/redisVersion": "4.0.14",
    "Microsoft.Cache/Redis/sku.family": "P",
    "Microsoft.Cache/Redis/hostName": "rc-nuRed-epe-ncls-stg-wu2.redis.cache.windows.net",
    "Microsoft.Cache/Redis/sku.name": "Premium",
    "Microsoft.Cache/Redis/sslPort": 6380,
    "Microsoft.Cache/Redis/port": 6379,
    "Microsoft.Cache/Redis/sku": {
        "name": "Premium",
        "capacity": 1,
        "family": "P"
    },
    "Microsoft.Cache/Redis/subnetId": "/subscriptions/d0ee6b93-7d29-45db-aabf-784018016241/resourceGroups/rg-grp-epe-ncls-stg-wu2/providers/Microsoft.Network/virtualNetworks/AZ-BIZ-10.32.223.0-26/subnets/AZ-BIZ-10.32.223.16-28",
    "Microsoft.Cache/Redis/staticIP": "10.32.223.24",
    "Microsoft.Cache/Redis/minimumTlsVersion": "1.2",
    "Microsoft.Cache/Redis/shardCount": 2,
    "Microsoft.Cache/Redis/zones": [
        "3"
    ]
}
You would need to use an auditIfNotExists or deployIfNotExists policy. The auditIfNotExists will get you started in how to detect resources without diagnostic settings; however, there is much more complexity in the deployIfNotExists route that would require more about your specific application in order to address.

Keep in mind that Redis specifically does not have any "log" options as of today (Oct 20, 2020). If you are planning to apply this to another resource you would also want to check log options, and your existence condition would look like the following.

This should get you to the point of being able to audit the diagnostic logs. If you want to create a remediation you will need to add a roleDefinition and a deployment to the policy, as well as change the effect to deployIfNotExists. Just a warning: diagnostic settings can be tough to remediate because they also require the existence of a storage account, event hub, or another resource. If this already exists and can be statically defined then this problem becomes much easier to solve. However, if a remediation would be required to dynamically provision this supporting infrastructure then you must also create rules around global uniqueness of infrastructure names, among other issues.

If you plan on going the deployIfNotExists route, here is the "tip of the iceberg" doc you will need to know to get started. https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effects#deployifnotexists
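As an added example (not part of the answer above, and not a Microsoft built-in), here is the policy rule for the auditIfNotExists approach it describes. The point worth noticing relative to the question: no Microsoft.Cache/Redis alias is needed, because the check is expressed through the Microsoft.Insights/diagnosticSettings aliases in the existence condition, which Azure Policy evaluates against the child diagnostic-settings resources of each matching cache. Only a metrics condition is included, since the answer notes Redis has no log categories; the description text and the lack of a workspace/storage constraint are choices assumed here, not something the page specifies.

```json
{
  "if": {
    "field": "type",
    "equals": "Microsoft.Cache/Redis"
  },
  "then": {
    "effect": "auditIfNotExists",
    "details": {
      "type": "Microsoft.Insights/diagnosticSettings",
      "existenceCondition": {
        "allOf": [
          {
            "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
            "equals": "true"
          }
        ]
      }
    }
  }
}
```

Saved as a file, this if/then object is what `az policy definition create --name <name> --mode Indexed --rules <file>` takes as its rule; assign the definition at subscription or management-group scope and each Redis cache with no diagnostic setting that has metrics enabled shows up as non-compliant. For a resource type that does expose log categories, add a second allOf entry on Microsoft.Insights/diagnosticSettings/logs.enabled, and if you require a specific destination, a further entry on Microsoft.Insights/diagnosticSettings/workspaceId (or storageAccountId / eventHubName). Switching the effect to deployIfNotExists requires the additional roleDefinitionIds and deployment properties the answer warns about; this audit form needs neither.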