How do we define azure policy rules for dependent resources?


Given this ARM template : https://github.com/Azure/azure-quickstart-templates/blob/master/101-redis-cache/azuredeploy.json

How do we enforce that the Redis cache is deployed with diagnostic settings enabled?

Will it only be possible if an appropriate alias is provided by the Azure team?

Current set of aliases for Redis cache:

{
    "Microsoft.Cache/Redis/redisConfiguration": {
        "maxfragmentationmemory-reserved": "300",
        "maxmemory-reserved": "200",
        "maxmemory-delta": "200",
        "maxclients": "7500",
        "rdb-backup-enabled": "true",
        "rdb-backup-frequency": "60",
        "rdb-backup-max-snapshot-count": "1",
        "rdb-storage-connection-string": "DefaultEndpointsProtocol=https;AccountName=blobnubldepenclsstgwu2;AccountKey=[key hidden]"
    },
    "Microsoft.Cache/Redis/provisioningState": "Succeeded",
    "Microsoft.Cache/Redis/enableNonSslPort": false,
    "Microsoft.Cache/Redis/sku.capacity": 1,
    "Microsoft.Cache/Redis/redisVersion": "4.0.14",
    "Microsoft.Cache/Redis/sku.family": "P",
    "Microsoft.Cache/Redis/hostName": "rc-nuRed-epe-ncls-stg-wu2.redis.cache.windows.net",
    "Microsoft.Cache/Redis/sku.name": "Premium",
    "Microsoft.Cache/Redis/sslPort": 6380,
    "Microsoft.Cache/Redis/port": 6379,
    "Microsoft.Cache/Redis/sku": {
        "name": "Premium",
        "capacity": 1,
        "family": "P"
    },
    "Microsoft.Cache/Redis/subnetId": "/subscriptions/d0ee6b93-7d29-45db-aabf-784018016241/resourceGroups/rg-grp-epe-ncls-stg-wu2/providers/Microsoft.Network/virtualNetworks/AZ-BIZ-10.32.223.0-26/subnets/AZ-BIZ-10.32.223.16-28",
    "Microsoft.Cache/Redis/staticIP": "10.32.223.24",
    "Microsoft.Cache/Redis/minimumTlsVersion": "1.2",
    "Microsoft.Cache/Redis/shardCount": 2,
    "Microsoft.Cache/Redis/zones": [
        "3"
    ]
}
Rob S. On BEST ANSWER

You would need to use an auditIfNotExists or deployIfNotExists policy. The auditIfNotExists will get you started in how to detect resources without diagnostic settings; however, there is much more complexity in the deployIfNotExists route, which would require more about your specific application in order to address.

"policyRule": {
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Cache/redis"
      }
    ]
  },
  "then": {
    "effect": "auditIfNotExists",
    "details": {
      "type": "Microsoft.Insights/diagnosticSettings",
      "existenceCondition": {
        "allOf": [
          {
            "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
            "equals": "true"
          },
          {
            "field": "Microsoft.Insights/diagnosticSettings/metrics[*].retentionPolicy.enabled",
            "equals": "false"
          }
        ]
      }
    }
  }
}

Keep in mind that Redis specifically does not have any "log" options as of today (Oct 20, 2020). If you are planning to apply this to another resource, you would also want to check log options, and your existence condition would look like the following:

"existenceCondition": {
  "allOf": [
    {
      "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
      "equals": "true"
    },
    {
      "field": "Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled",
      "equals": "false"
    },
    {
      "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
      "equals": "true"
    },
    {
      "field": "Microsoft.Insights/diagnosticSettings/metrics[*].retentionPolicy.enabled",
      "equals": "false"
    }
  ]
}

This should get you to the point of being able to audit the diagnostic logs. If you want to create a remediation, you will need to add a roleDefinition and a deployment to the policy as well as change the effect to deployIfNotExists. Just a warning: diagnostic settings can be tough to remediate because they also require the existence of a storage account, event hub, or another resource. If this already exists and can be statically defined, then this problem becomes much easier to solve. However, if a remediation would be required to dynamically provision this supporting infrastructure, then you must also create rules around global uniqueness of infrastructure names, among other issues.

If you plan on going the deployIfNotExists route here is the "tip of the iceberg" doc you will need to know to get started. https://learn.microsoft.com/en-us/azure/governance/policy/concepts/effects#deployifnotexists