
@archmangler
Created September 24, 2022 15:47
Terraform Plan for Azure CAF (v2.3.1)
Note: Objects have changed outside of Terraform
Terraform detected the following changes made outside of Terraform since the
last "terraform apply" which may have affected this plan:
 # module.enterprise_scale.azurerm_management_group.level_3["/providers/Microsoft.Management/managementGroups/engeneon-management"] has changed
 ~ resource "azurerm_management_group" "level_3" {
id = "/providers/Microsoft.Management/managementGroups/engeneon-management"
name = "engeneon-management"
~ subscription_ids = [
- "a9b5dc93-31a8-4859-832f-894fb9ab7831",
]
# (2 unchanged attributes hidden)
}
Unless you have made equivalent changes to your configuration, or ignored the
relevant attributes using ignore_changes, the following plan may include
actions to undo or respond to these changes.

─────────────────────────────────────────────────────────────────────────────
Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
+ create
~ update in-place

Terraform will perform the following actions:
 # azurerm_role_definition.enterprise_scale["/providers/Microsoft.Authorization/roleDefinitions/32363e0b-9cc6-5e3d-a263-4d021d5a8d8a"] will be created
 + resource "azurerm_role_definition" "enterprise_scale" {
+ assignable_scopes = [
+ "/providers/Microsoft.Management/managementGroups/engeneon",
]
+ description = "Delegated role for subscription owner generated from subscription Owner role"
+ id = (known after apply)
+ name = "[ENGENEON] Subscription-Owner"
+ role_definition_id = "32363e0b-9cc6-5e3d-a263-4d021d5a8d8a"
+ role_definition_resource_id = (known after apply)
+ scope = "/providers/Microsoft.Management/managementGroups/engeneon"
+ permissions {
+ actions = [
+ "*",
]
+ not_actions = [
+ "Microsoft.Authorization/*/write",
+ "Microsoft.Network/vpnGateways/*",
+ "Microsoft.Network/expressRouteCircuits/*",
+ "Microsoft.Network/routeTables/write",
+ "Microsoft.Network/vpnSites/*",
]
}
}
 # time_sleep.after_azurerm_role_assignment will be created
 + resource "time_sleep" "after_azurerm_role_assignment" {
+ create_duration = "0s"
+ destroy_duration = "0s"
+ id = (known after apply)
+ triggers = {
+ "azurerm_role_assignment_enterprise_scale" = jsonencode([])
+ "module_role_assignments_for_policy" = jsonencode(
[
+ "/providers/Microsoft.Management/managementGroups/engeneon-connectivity/providers/Microsoft.Authorization/policyAssignments/Enable-DDoS-VNET",
+ "/providers/Microsoft.Management/managementGroups/engeneon-identity/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Backup",
+ "/providers/Microsoft.Management/managementGroups/engeneon-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-AKS-Policy",
+ "/providers/Microsoft.Management/managementGroups/engeneon-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-SQL-DB-Auditing",
+ "/providers/Microsoft.Management/managementGroups/engeneon-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-SQL-Threat",
+ "/providers/Microsoft.Management/managementGroups/engeneon-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Backup",
+ "/providers/Microsoft.Management/managementGroups/engeneon-landing-zones/providers/Microsoft.Authorization/policyAssignments/Enable-DDoS-VNET",
+ "/providers/Microsoft.Management/managementGroups/engeneon-landing-zones/providers/Microsoft.Authorization/policyAssignments/Enforce-TLS-SSL",
+ "/providers/Microsoft.Management/managementGroups/engeneon-management/providers/Microsoft.Authorization/policyAssignments/Deploy-Log-Analytics",
+ "/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyAssignments/Deploy-AzActivity-Log",
+ "/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyAssignments/Deploy-LX-Arc-Monitoring",
+ "/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyAssignments/Deploy-MDFC-Config",
+ "/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyAssignments/Deploy-Resource-Diag",
+ "/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Monitoring",
+ "/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyAssignments/Deploy-VMSS-Monitoring",
+ "/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyAssignments/Deploy-WS-Arc-Monitoring",
]
)
}
}
 # time_sleep.after_azurerm_role_definition will be created
 + resource "time_sleep" "after_azurerm_role_definition" {
+ create_duration = "60s"
+ destroy_duration = "0s"
+ id = (known after apply)
+ triggers = {
+ "azurerm_role_definition_enterprise_scale" = jsonencode(
[
+ "/providers/Microsoft.Authorization/roleDefinitions/1b112d41-1e5f-5ab5-b2a3-c841a0fbe4bd",
+ "/providers/Microsoft.Authorization/roleDefinitions/32363e0b-9cc6-5e3d-a263-4d021d5a8d8a",
+ "/providers/Microsoft.Authorization/roleDefinitions/396ad2d1-6086-5a63-ad4e-96a491f8591a",
+ "/providers/Microsoft.Authorization/roleDefinitions/993b6ad4-f3e8-547e-9161-e686b4c606cf",
+ "/providers/Microsoft.Authorization/roleDefinitions/e5a47092-7668-5749-87cc-0fb1f7860347",
]
)
}
}
 # module.enterprise_scale.azurerm_management_group.level_3["/providers/Microsoft.Management/managementGroups/engeneon-management"] will be updated in-place
 ~ resource "azurerm_management_group" "level_3" {
id = "/providers/Microsoft.Management/managementGroups/engeneon-management"
name = "engeneon-management"
~ subscription_ids = [
+ "a9b5dc93-31a8-4859-832f-894fb9ab7831",
]
# (2 unchanged attributes hidden)
}
 # module.enterprise_scale.azurerm_management_group_policy_assignment.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon-connectivity/providers/Microsoft.Authorization/policyAssignments/Enable-DDoS-VNET"] will be created
 + resource "azurerm_management_group_policy_assignment" "enterprise_scale" {
+ description = "Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Protection Standard. For more information, visit https://aka.ms/ddosprotectiondocs."
+ display_name = "Virtual networks should be protected by Azure DDoS Protection Standard"
+ enforce = false
+ id = (known after apply)
+ location = "eastus"
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon-connectivity"
+ metadata = (known after apply)
+ name = "Enable-DDoS-VNET"
+ not_scopes = []
+ parameters = jsonencode(
{
+ ddosPlan = {
+ value = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/engeneon-ddos/providers/Microsoft.Network/ddosProtectionPlans/engeneon-ddos-eastus"
}
+ effect = {
+ value = "Modify"
}
}
)
+ policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d"
+ identity {
+ principal_id = (known after apply)
+ tenant_id = (known after apply)
+ type = "SystemAssigned"
}
}
 # module.enterprise_scale.azurerm_management_group_policy_assignment.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon-identity/providers/Microsoft.Authorization/policyAssignments/Deny-Public-IP"] will be created
 + resource "azurerm_management_group_policy_assignment" "enterprise_scale" {
+ description = "This policy denies creation of Public IPs under the assigned scope."
+ display_name = "Deny the creation of public IP"
+ enforce = true
+ id = (known after apply)
+ location = "eastus"
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon-identity"
+ metadata = (known after apply)
+ name = "Deny-Public-IP"
+ not_scopes = []
+ parameters = jsonencode(
{
+ effect = {
+ value = "Deny"
}
}
)
+ policy_definition_id = "/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicIP"
}
 # module.enterprise_scale.azurerm_management_group_policy_assignment.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon-identity/providers/Microsoft.Authorization/policyAssignments/Deny-RDP-From-Internet"] will be created
 + resource "azurerm_management_group_policy_assignment" "enterprise_scale" {
+ description = "This policy denies any network security rule that allows RDP access from Internet."
+ display_name = "RDP access from the Internet should be blocked"
+ enforce = false
+ id = (known after apply)
+ location = "eastus"
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon-identity"
+ metadata = (known after apply)
+ name = "Deny-RDP-From-Internet"
+ not_scopes = []
+ parameters = jsonencode(
{
+ effect = {
+ value = "Deny"
}
}
)
+ policy_definition_id = "/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deny-RDP-From-Internet"
}
 # module.enterprise_scale.azurerm_management_group_policy_assignment.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon-identity/providers/Microsoft.Authorization/policyAssignments/Deny-Subnet-Without-Nsg"] will be created
 + resource "azurerm_management_group_policy_assignment" "enterprise_scale" {
+ description = "This policy denies the creation of a subnet without a Network Security Group to protect traffic across subnets."
+ display_name = "Subnets should have a Network Security Group"
+ enforce = false
+ id = (known after apply)
+ location = "eastus"
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon-identity"
+ metadata = (known after apply)
+ name = "Deny-Subnet-Without-Nsg"
+ not_scopes = []
+ parameters = jsonencode(
{
+ effect = {
+ value = "Deny"
}
}
)
+ policy_definition_id = "/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg"
}
 # module.enterprise_scale.azurerm_management_group_policy_assignment.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon-identity/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Backup"] will be created
 + resource "azurerm_management_group_policy_assignment" "enterprise_scale" {
+ description = "Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag."
+ display_name = "Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy"
+ enforce = false
+ id = (known after apply)
+ location = "eastus"
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon-identity"
+ metadata = (known after apply)
+ name = "Deploy-VM-Backup"
+ not_scopes = []
+ parameters = jsonencode(
{
+ effect = {
+ value = "deployIfNotExists"
}
+ exclusionTagName = {
+ value = ""
}
+ exclusionTagValue = {
+ value = []
}
}
)
+ policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86"
+ identity {
+ principal_id = (known after apply)
+ tenant_id = (known after apply)
+ type = "SystemAssigned"
}
}
 # module.enterprise_scale.azurerm_management_group_policy_assignment.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-IP-Forwarding"] will be created
 + resource "azurerm_management_group_policy_assignment" "enterprise_scale" {
+ description = "This policy denies the network interfaces which enabled IP forwarding. The setting of IP forwarding disables Azure's check of the source and destination for a network interface. This should be reviewed by the network security team."
+ display_name = "Network interfaces should disable IP forwarding"
+ enforce = true
+ id = (known after apply)
+ location = "eastus"
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon-landing-zones"
+ metadata = (known after apply)
+ name = "Deny-IP-Forwarding"
+ not_scopes = []
+ policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/88c0b9da-ce96-4b03-9635-f29a937e2900"
}
 # module.enterprise_scale.azurerm_management_group_policy_assignment.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Priv-Containers-AKS"] will be created
 + resource "azurerm_management_group_policy_assignment" "enterprise_scale" {
+ description = "Do not allow privileged containers creation in a Kubernetes cluster. This recommendation is part of CIS 5.2.1 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc."
+ display_name = "Kubernetes cluster should not allow privileged containers"
+ enforce = true
+ id = (known after apply)
+ location = "eastus"
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon-landing-zones"
+ metadata = (known after apply)
+ name = "Deny-Priv-Containers-AKS"
+ not_scopes = []
+ parameters = jsonencode(
{
+ effect = {
+ value = "deny"
}
}
)
+ policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/95edb821-ddaf-4404-9732-666045e056b4"
}
 # module.enterprise_scale.azurerm_management_group_policy_assignment.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Priv-Escalation-AKS"] will be created
 + resource "azurerm_management_group_policy_assignment" "enterprise_scale" {
+ description = "Do not allow containers to run with privilege escalation to root in a Kubernetes cluster. This recommendation is part of CIS 5.2.5 which is intended to improve the security of your Kubernetes environments. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For more information, see https://aka.ms/kubepolicydoc."
+ display_name = "Kubernetes clusters should not allow container privilege escalation"
+ enforce = true
+ id = (known after apply)
+ location = "eastus"
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon-landing-zones"
+ metadata = (known after apply)
+ name = "Deny-Priv-Escalation-AKS"
+ not_scopes = []
+ parameters = jsonencode(
{
+ effect = {
+ value = "deny"
}
}
)
+ policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/1c6e92c9-99f0-4e55-9cf2-0c234dc48f99"
}
 # module.enterprise_scale.azurerm_management_group_policy_assignment.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-RDP-From-Internet"] will be created
 + resource "azurerm_management_group_policy_assignment" "enterprise_scale" {
+ description = "This policy denies any network security rule that allows RDP access from Internet."
+ display_name = "RDP access from the Internet should be blocked"
+ enforce = true
+ id = (known after apply)
+ location = "eastus"
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon-landing-zones"
+ metadata = (known after apply)
+ name = "Deny-RDP-From-Internet"
+ not_scopes = []
+ policy_definition_id = "/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deny-RDP-From-Internet"
}
 # module.enterprise_scale.azurerm_management_group_policy_assignment.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Storage-http"] will be created
 + resource "azurerm_management_group_policy_assignment" "enterprise_scale" {
+ description = "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking."
+ display_name = "Secure transfer to storage accounts should be enabled"
+ enforce = true
+ id = (known after apply)
+ location = "eastus"
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon-landing-zones"
+ metadata = (known after apply)
+ name = "Deny-Storage-http"
+ not_scopes = []
+ policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/404c3081-a854-4457-ae30-26a93ef643f9"
}
 # module.enterprise_scale.azurerm_management_group_policy_assignment.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deny-Subnet-Without-Nsg"] will be created
 + resource "azurerm_management_group_policy_assignment" "enterprise_scale" {
+ description = "This policy denies the creation of a subnet without a Network Security Group to protect traffic across subnets."
+ display_name = "Subnets should have a Network Security Group"
+ enforce = true
+ id = (known after apply)
+ location = "eastus"
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon-landing-zones"
+ metadata = (known after apply)
+ name = "Deny-Subnet-Without-Nsg"
+ not_scopes = []
+ policy_definition_id = "/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg"
}
 # module.enterprise_scale.azurerm_management_group_policy_assignment.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-AKS-Policy"] will be created
 + resource "azurerm_management_group_policy_assignment" "enterprise_scale" {
+ description = "Use Azure Policy Add-on to manage and report on the compliance state of your Azure Kubernetes Service (AKS) clusters. For more information, see https://aka.ms/akspolicydoc."
+ display_name = "Deploy Azure Policy Add-on to Azure Kubernetes Service clusters"
+ enforce = true
+ id = (known after apply)
+ location = "eastus"
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon-landing-zones"
+ metadata = (known after apply)
+ name = "Deploy-AKS-Policy"
+ not_scopes = []
+ policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/a8eff44f-8c92-45c3-a3fb-9880802d67a7"
+ identity {
+ principal_id = (known after apply)
+ tenant_id = (known after apply)
+ type = "SystemAssigned"
}
}
 # module.enterprise_scale.azurerm_management_group_policy_assignment.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-SQL-DB-Auditing"] will be created
 + resource "azurerm_management_group_policy_assignment" "enterprise_scale" {
+ description = "Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log."
+ display_name = "Auditing on SQL server should be enabled"
+ enforce = true
+ id = (known after apply)
+ location = "eastus"
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon-landing-zones"
+ metadata = (known after apply)
+ name = "Deploy-SQL-DB-Auditing"
+ not_scopes = []
+ policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/a6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9"
+ identity {
+ principal_id = (known after apply)
+ tenant_id = (known after apply)
+ type = "SystemAssigned"
}
}
 # module.enterprise_scale.azurerm_management_group_policy_assignment.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-SQL-Threat"] will be created
 + resource "azurerm_management_group_policy_assignment" "enterprise_scale" {
+ description = "This policy ensures that Threat Detection is enabled on SQL Servers."
+ display_name = "Deploy Threat Detection on SQL servers"
+ enforce = true
+ id = (known after apply)
+ location = "eastus"
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon-landing-zones"
+ metadata = (known after apply)
+ name = "Deploy-SQL-Threat"
+ not_scopes = []
+ policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/36d49e87-48c4-4f2e-beed-ba4ed02b71f5"
+ identity {
+ principal_id = (known after apply)
+ tenant_id = (known after apply)
+ type = "SystemAssigned"
}
}
 # module.enterprise_scale.azurerm_management_group_policy_assignment.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon-landing-zones/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Backup"] will be created
 + resource "azurerm_management_group_policy_assignment" "enterprise_scale" {
+ description = "Enforce backup for all virtual machines by deploying a recovery services vault in the same location and resource group as the virtual machine. Doing this is useful when different application teams in your organization are allocated separate resource groups and need to manage their own backups and restores. You can optionally exclude virtual machines containing a specified tag to control the scope of assignment. See https://aka.ms/AzureVMAppCentricBackupExcludeTag."
+ display_name = "Configure backup on virtual machines without a given tag to a new recovery services vault with a default policy"
+ enforce = true
+ id = (known after apply)
+ location = "eastus"
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon-landing-zones"
+ metadata = (known after apply)
+ name = "Deploy-VM-Backup"
+ not_scopes = []
+ policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/98d0b9f8-fd90-49c9-88e2-d3baf3b0dd86"
+ identity {
+ principal_id = (known after apply)
+ tenant_id = (known after apply)
+ type = "SystemAssigned"
}
}
 # module.enterprise_scale.azurerm_management_group_policy_assignment.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon-landing-zones/providers/Microsoft.Authorization/policyAssignments/Enable-DDoS-VNET"] will be created
 + resource "azurerm_management_group_policy_assignment" "enterprise_scale" {
+ description = "Protect your virtual networks against volumetric and protocol attacks with Azure DDoS Protection Standard. For more information, visit https://aka.ms/ddosprotectiondocs."
+ display_name = "Virtual networks should be protected by Azure DDoS Protection Standard"
+ enforce = false
+ id = (known after apply)
+ location = "eastus"
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon-landing-zones"
+ metadata = (known after apply)
+ name = "Enable-DDoS-VNET"
+ not_scopes = []
+ parameters = jsonencode(
{
+ ddosPlan = {
+ value = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/engeneon-ddos/providers/Microsoft.Network/ddosProtectionPlans/engeneon-ddos-eastus"
}
+ effect = {
+ value = "Modify"
}
}
)
+ policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/94de2ad3-e0c1-4caf-ad78-5d47bbc83d3d"
+ identity {
+ principal_id = (known after apply)
+ tenant_id = (known after apply)
+ type = "SystemAssigned"
}
}
 # module.enterprise_scale.azurerm_management_group_policy_assignment.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon-landing-zones/providers/Microsoft.Authorization/policyAssignments/Enforce-AKS-HTTPS"] will be created
 + resource "azurerm_management_group_policy_assignment" "enterprise_scale" {
+ description = "Use of HTTPS ensures authentication and protects data in transit from network layer eavesdropping attacks. This capability is currently generally available for Kubernetes Service (AKS), and in preview for AKS Engine and Azure Arc enabled Kubernetes. For more info, visit https://aka.ms/kubepolicydoc."
+ display_name = "Kubernetes clusters should be accessible only over HTTPS"
+ enforce = true
+ id = (known after apply)
+ location = "eastus"
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon-landing-zones"
+ metadata = (known after apply)
+ name = "Enforce-AKS-HTTPS"
+ not_scopes = []
+ parameters = jsonencode(
{
+ effect = {
+ value = "deny"
}
}
)
+ policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d"
}
 # module.enterprise_scale.azurerm_management_group_policy_assignment.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon-landing-zones/providers/Microsoft.Authorization/policyAssignments/Enforce-TLS-SSL"] will be created
 + resource "azurerm_management_group_policy_assignment" "enterprise_scale" {
+ description = "Choose either Deploy if not exist and append in combination with audit or Select Deny in the Policy effect. Deny polices shift left. Deploy if not exist and append enforce but can be changed, and because missing exsistense condition require then the combination of Audit."
+ display_name = "Deny or Deploy and append TLS requirements and SSL enforcement on resources without Encryption in transit"
+ enforce = true
+ id = (known after apply)
+ location = "eastus"
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon-landing-zones"
+ metadata = (known after apply)
+ name = "Enforce-TLS-SSL"
+ not_scopes = []
+ policy_definition_id = "/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policySetDefinitions/Enforce-EncryptTransit"
+ identity {
+ principal_id = (known after apply)
+ tenant_id = (known after apply)
+ type = "SystemAssigned"
}
}
 # module.enterprise_scale.azurerm_management_group_policy_assignment.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon-management/providers/Microsoft.Authorization/policyAssignments/Deploy-Log-Analytics"] will be created
 + resource "azurerm_management_group_policy_assignment" "enterprise_scale" {
+ description = "Deploy-Log-Analytics."
+ display_name = "Deploy-Log-Analytics"
+ enforce = true
+ id = (known after apply)
+ location = "eastus"
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon-management"
+ metadata = (known after apply)
+ name = "Deploy-Log-Analytics"
+ not_scopes = []
+ parameters = jsonencode(
{
+ automationAccountName = {
+ value = "engeneon-automation"
}
+ automationRegion = {
+ value = "eastus"
}
+ dataRetention = {
+ value = "30"
}
+ effect = {
+ value = "DeployIfNotExists"
}
+ rgName = {
+ value = "engeneon-mgmt"
}
+ sku = {
+ value = "pergb2018"
}
+ workspaceName = {
+ value = "engeneon-la"
}
+ workspaceRegion = {
+ value = "eastus"
}
}
)
+ policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/8e3e61b3-0b32-22d5-4edf-55f87fdb5955"
+ identity {
+ principal_id = (known after apply)
+ tenant_id = (known after apply)
+ type = "SystemAssigned"
}
}
 # module.enterprise_scale.azurerm_management_group_policy_assignment.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyAssignments/Deploy-ASC-Monitoring"] will be created
 + resource "azurerm_management_group_policy_assignment" "enterprise_scale" {
+ description = "Enable Monitoring in Azure Security Center."
+ display_name = "Enable Monitoring in Azure Security Center"
+ enforce = true
+ id = (known after apply)
+ location = "eastus"
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = (known after apply)
+ name = "Deploy-ASC-Monitoring"
+ not_scopes = []
+ parameters = jsonencode(
{
+ aadAuthenticationInSqlServerMonitoringEffect = {
+ value = "Disabled"
}
+ diskEncryptionMonitoringEffect = {
+ value = "Disabled"
}
+ encryptionOfAutomationAccountMonitoringEffect = {
+ value = "Disabled"
}
+ identityDesignateLessThanOwnersMonitoringEffect = {
+ value = "Disabled"
}
+ identityDesignateMoreThanOneOwnerMonitoringEffect = {
+ value = "Disabled"
}
+ identityEnableMFAForWritePermissionsMonitoringEffect = {
+ value = "Disabled"
}
+ identityRemoveDeprecatedAccountMonitoringEffect = {
+ value = "Disabled"
}
+ identityRemoveDeprecatedAccountWithOwnerPermissionsMonitoringEffect = {
+ value = "Disabled"
}
+ identityRemoveExternalAccountWithOwnerPermissionsMonitoringEffect = {
+ value = "Disabled"
}
+ identityRemoveExternalAccountWithReadPermissionsMonitoringEffect = {
+ value = "Disabled"
}
+ identityRemoveExternalAccountWithWritePermissionsMonitoringEffect = {
+ value = "Disabled"
}
+ jitNetworkAccessMonitoringEffect = {
+ value = "Disabled"
}
+ networkSecurityGroupsOnSubnetsMonitoringEffect = {
+ value = "AuditIfNotExists"
}
+ sqlDbEncryptionMonitoringEffect = {
+ value = "Disabled"
}
+ sqlManagedInstanceAdvancedDataSecurityEmailAdminsMonitoringEffect = {
+ value = "Disabled"
}
+ sqlManagedInstanceAdvancedDataSecurityEmailsMonitoringEffect = {
+ value = "Disabled"
}
+ sqlServerAdvancedDataSecurityEmailAdminsMonitoringEffect = {
+ value = "Disabled"
}
+ sqlServerAdvancedDataSecurityMonitoringEffect = {
+ value = "Disabled"
}
+ systemUpdatesMonitoringEffect = {
+ value = "Disabled"
}
+ useRbacRulesMonitoringEffect = {
+ value = "Disabled"
}
+ vmssSystemUpdatesMonitoringEffect = {
+ value = "Disabled"
}
+ windowsDefenderExploitGuardMonitoringEffect = {
+ value = "Disabled"
}
}
)
+ policy_definition_id = "/providers/Microsoft.Authorization/policySetDefinitions/1f3afdf9-d0c9-4c3d-847f-89da613e70a8"
}
 # module.enterprise_scale.azurerm_management_group_policy_assignment.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyAssignments/Deploy-AzActivity-Log"] will be created
 + resource "azurerm_management_group_policy_assignment" "enterprise_scale" {
+ description = "Ensures that Activity Log Diagnostics settings are set to push logs into Log Analytics workspace."
+ display_name = "Deploy Diagnostic Settings for Activity Log to Log Analytics workspace"
+ enforce = true
+ id = (known after apply)
+ location = "eastus"
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = (known after apply)
+ name = "Deploy-AzActivity-Log"
+ not_scopes = []
+ parameters = jsonencode(
{
+ logAnalytics = {
+ value = "/subscriptions/a9b5dc93-31a8-4859-832f-894fb9ab7831/resourceGroups/engeneon-mgmt/providers/Microsoft.OperationalInsights/workspaces/engeneon-la"
}
}
)
+ policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/2465583e-4e78-4c15-b6be-a36cbc7c8b0f"
+ identity {
+ principal_id = (known after apply)
+ tenant_id = (known after apply)
+ type = "SystemAssigned"
}
}
 # module.enterprise_scale.azurerm_management_group_policy_assignment.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyAssignments/Deploy-LX-Arc-Monitoring"] will be created
 + resource "azurerm_management_group_policy_assignment" "enterprise_scale" {
+ description = "Deploy-Linux-Arc-Monitoring."
+ display_name = "Deploy-Linux-Arc-Monitoring"
+ enforce = true
+ id = (known after apply)
+ location = "eastus"
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = (known after apply)
+ name = "Deploy-LX-Arc-Monitoring"
+ not_scopes = []
+ parameters = jsonencode(
{
+ logAnalytics = {
+ value = "/subscriptions/a9b5dc93-31a8-4859-832f-894fb9ab7831/resourceGroups/engeneon-mgmt/providers/Microsoft.OperationalInsights/workspaces/engeneon-la"
}
}
)
+ policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/9d2b61b4-1d14-4a63-be30-d4498e7ad2cf"
+ identity {
+ principal_id = (known after apply)
+ tenant_id = (known after apply)
+ type = "SystemAssigned"
}
}
 # module.enterprise_scale.azurerm_management_group_policy_assignment.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyAssignments/Deploy-MDFC-Config"] will be created
 + resource "azurerm_management_group_policy_assignment" "enterprise_scale" {
+ description = "Deploy Microsoft Defender for Cloud and Security Contacts"
+ display_name = "Deploy Microsoft Defender for Cloud configuration"
+ enforce = true
+ id = (known after apply)
+ location = "eastus"
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = (known after apply)
+ name = "Deploy-MDFC-Config"
+ not_scopes = []
+ parameters = jsonencode(
{
+ ascExportResourceGroupLocation = {
+ value = "eastus"
}
+ ascExportResourceGroupName = {
+ value = "engeneon-asc-export"
}
+ emailSecurityContact = {
+ value = "security_contact@replace_me"
}
+ enableAscForAppServices = {
+ value = "DeployIfNotExists"
}
+ enableAscForArm = {
+ value = "DeployIfNotExists"
}
+ enableAscForContainers = {
+ value = "DeployIfNotExists"
}
+ enableAscForDns = {
+ value = "DeployIfNotExists"
}
+ enableAscForKeyVault = {
+ value = "DeployIfNotExists"
}
+ enableAscForOssDb = {
+ value = "DeployIfNotExists"
}
+ enableAscForServers = {
+ value = "DeployIfNotExists"
}
+ enableAscForSql = {
+ value = "DeployIfNotExists"
}
+ enableAscForSqlOnVm = {
+ value = "DeployIfNotExists"
}
+ enableAscForStorage = {
+ value = "DeployIfNotExists"
}
+ logAnalytics = {
+ value = "/subscriptions/a9b5dc93-31a8-4859-832f-894fb9ab7831/resourceGroups/engeneon-mgmt/providers/Microsoft.OperationalInsights/workspaces/engeneon-la"
}
}
)
+ policy_definition_id = "/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policySetDefinitions/Deploy-MDFC-Config"
+ identity {
+ principal_id = (known after apply)
+ tenant_id = (known after apply)
+ type = "SystemAssigned"
}
}
 # module.enterprise_scale.azurerm_management_group_policy_assignment.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyAssignments/Deploy-Resource-Diag"] will be created
 + resource "azurerm_management_group_policy_assignment" "enterprise_scale" {
+ description = "Ensures that Azure resources are configured to forward diagnostic logs and metrics to an Azure Log Analytics workspace."
+ display_name = "Deploy-Resource-Diag"
+ enforce = true
+ id = (known after apply)
+ location = "eastus"
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = (known after apply)
+ name = "Deploy-Resource-Diag"
+ not_scopes = []
+ parameters = jsonencode(
{
+ logAnalytics = {
+ value = "/subscriptions/a9b5dc93-31a8-4859-832f-894fb9ab7831/resourceGroups/engeneon-mgmt/providers/Microsoft.OperationalInsights/workspaces/engeneon-la"
}
}
)
+ policy_definition_id = "/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policySetDefinitions/Deploy-Diagnostics-LogAnalytics"
+ identity {
+ principal_id = (known after apply)
+ tenant_id = (known after apply)
+ type = "SystemAssigned"
}
}
 # module.enterprise_scale.azurerm_management_group_policy_assignment.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyAssignments/Deploy-VM-Monitoring"] will be created
 + resource "azurerm_management_group_policy_assignment" "enterprise_scale" {
+ description = "Enable Azure Monitor for the virtual machines (VMs) in the specified scope (management group, subscription or resource group). Takes Log Analytics workspace as parameter."
+ display_name = "Enable Azure Monitor for VMs"
+ enforce = true
+ id = (known after apply)
+ location = "eastus"
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = (known after apply)
+ name = "Deploy-VM-Monitoring"
+ not_scopes = []
+ parameters = jsonencode(
{
+ logAnalytics_1 = {
+ value = "/subscriptions/a9b5dc93-31a8-4859-832f-894fb9ab7831/resourceGroups/engeneon-mgmt/providers/Microsoft.OperationalInsights/workspaces/engeneon-la"
}
}
)
+ policy_definition_id = "/providers/Microsoft.Authorization/policySetDefinitions/55f3eceb-5573-4f18-9695-226972c6d74a"
+ identity {
+ principal_id = (known after apply)
+ tenant_id = (known after apply)
+ type = "SystemAssigned"
}
}
 # module.enterprise_scale.azurerm_management_group_policy_assignment.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyAssignments/Deploy-VMSS-Monitoring"] will be created
 + resource "azurerm_management_group_policy_assignment" "enterprise_scale" {
+ description = "Enable Azure Monitor for the Virtual Machine Scale Sets in the specified scope (Management group, Subscription or resource group). Takes Log Analytics workspace as parameter. Note: if your scale set upgradePolicy is set to Manual, you need to apply the extension to the all VMs in the set by calling upgrade on them. In CLI this would be az vmss update-instances."
+ display_name = "Enable Azure Monitor for Virtual Machine Scale Sets"
+ enforce = true
+ id = (known after apply)
+ location = "eastus"
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = (known after apply)
+ name = "Deploy-VMSS-Monitoring"
+ not_scopes = []
+ parameters = jsonencode(
{
+ logAnalytics_1 = {
+ value = "/subscriptions/a9b5dc93-31a8-4859-832f-894fb9ab7831/resourceGroups/engeneon-mgmt/providers/Microsoft.OperationalInsights/workspaces/engeneon-la"
}
}
)
+ policy_definition_id = "/providers/Microsoft.Authorization/policySetDefinitions/75714362-cae7-409e-9b99-a8e5075b7fad"
+ identity {
+ principal_id = (known after apply)
+ tenant_id = (known after apply)
+ type = "SystemAssigned"
}
}
 # module.enterprise_scale.azurerm_management_group_policy_assignment.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyAssignments/Deploy-WS-Arc-Monitoring"] will be created
 + resource "azurerm_management_group_policy_assignment" "enterprise_scale" {
+ description = "Deploys the Log Analytics agent to Windows Azure Arc machines if the agent isn't installed."
+ display_name = "Deploy-Windows-Arc-Monitoring"
+ enforce = true
+ id = (known after apply)
+ location = "eastus"
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = (known after apply)
+ name = "Deploy-WS-Arc-Monitoring"
+ not_scopes = []
+ parameters = jsonencode(
{
+ logAnalytics = {
+ value = "/subscriptions/a9b5dc93-31a8-4859-832f-894fb9ab7831/resourceGroups/engeneon-mgmt/providers/Microsoft.OperationalInsights/workspaces/engeneon-la"
}
}
)
+ policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/69af7d4a-7b18-4044-93a9-2651498ef203"
+ identity {
+ principal_id = (known after apply)
+ tenant_id = (known after apply)
+ type = "SystemAssigned"
}
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-httpsonly"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Appends the AppService sites object to ensure that HTTPS only is enabled for server/service authentication and protects data in transit from network layer eavesdropping attacks. Please note that Append does not enforce compliance; use Deny to enforce it."
+ display_name = "AppService append enable https only setting to enforce https setting."
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "App Service"
+ version = "1.0.0"
}
)
+ mode = "All"
+ name = "Append-AppService-httpsonly"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "Append",
+ "Disabled",
]
+ defaultValue = "Append"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ allOf = [
+ {
+ equals = "Microsoft.Web/sites"
+ field = "type"
},
+ {
+ field = "Microsoft.Web/sites/httpsOnly"
+ notequals = true
},
]
}
+ then = {
+ details = [
+ {
+ field = "Microsoft.Web/sites/httpsOnly"
+ value = true
},
]
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Append-AppService-latestTLS"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Append the AppService sites object to ensure that the minimum TLS version is set to the required minimum TLS version. Please note that Append does not enforce compliance; use Deny to enforce it."
+ display_name = "AppService append sites with minimum TLS version to enforce."
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "App Service"
+ version = "1.0.0"
}
)
+ mode = "All"
+ name = "Append-AppService-latestTLS"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "Append",
+ "Disabled",
]
+ defaultValue = "Append"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
+ minTlsVersion = {
+ allowedValues = [
+ "1.2",
+ "1.0",
+ "1.1",
]
+ defaultValue = "1.2"
+ metadata = {
+ description = "Select version minimum TLS version for a Web App config to enforce"
+ displayName = "Select version minimum TLS Web App config"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ allOf = [
+ {
+ equals = "Microsoft.Web/sites/config"
+ field = "type"
},
+ {
+ field = "Microsoft.Web/sites/config/minTlsVersion"
+ notEquals = "[parameters('minTlsVersion')]"
},
]
}
+ then = {
+ details = [
+ {
+ field = "Microsoft.Web/sites/config/minTlsVersion"
+ value = "[parameters('minTlsVersion')]"
},
]
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Append-KV-SoftDelete"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "This policy enables you to ensure that when a Key Vault is created without soft delete enabled, it will be added."
+ display_name = "KeyVault SoftDelete should be enabled"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Key Vault"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Append-KV-SoftDelete"
+ policy_rule = jsonencode(
{
+ if = {
+ anyOf = [
+ {
+ allOf = [
+ {
+ equals = "Microsoft.KeyVault/vaults"
+ field = "type"
},
+ {
+ field = "Microsoft.KeyVault/vaults/enableSoftDelete"
+ notEquals = true
},
]
},
]
}
+ then = {
+ details = [
+ {
+ field = "Microsoft.KeyVault/vaults/enableSoftDelete"
+ value = true
},
]
+ effect = "append"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-disableNonSslPort"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Azure Cache for Redis Append and the enforcement that enableNonSslPort is disabled. Enables secure server-to-client communication by enforcing a minimum TLS version to secure the connection between your database server and your client applications, which helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server."
+ display_name = "Azure Cache for Redis Append and the enforcement that enableNonSslPort is disabled."
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Cache"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Append-Redis-disableNonSslPort"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "Append",
+ "Disabled",
+ "Modify",
]
+ defaultValue = "Append"
+ metadata = {
+ description = "Enable or disable the execution of the policy minimum TLS version Azure Cache for Redis"
+ displayName = "Effect Azure Cache for Redis"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ allOf = [
+ {
+ equals = "Microsoft.Cache/redis"
+ field = "type"
},
+ {
+ anyOf = [
+ {
+ equals = "true"
+ field = "Microsoft.Cache/Redis/enableNonSslPort"
},
]
},
]
}
+ then = {
+ details = [
+ {
+ field = "Microsoft.Cache/Redis/enableNonSslPort"
+ value = false
},
]
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Append-Redis-sslEnforcement"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Append a specific minimum TLS version requirement and enforce SSL on Azure Cache for Redis. Enables secure server-to-client communication by enforcing a minimum TLS version to secure the connection between your database server and your client applications, which helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server."
+ display_name = "Azure Cache for Redis Append a specific min TLS version requirement and enforce TLS."
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Cache"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Append-Redis-sslEnforcement"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "Append",
+ "Disabled",
]
+ defaultValue = "Append"
+ metadata = {
+ description = "Enable or disable the execution of the policy minimum TLS version Azure Cache for Redis"
+ displayName = "Effect Azure Cache for Redis"
}
+ type = "String"
}
+ minimumTlsVersion = {
+ allowedValues = [
+ "1.2",
+ "1.1",
+ "1.0",
]
+ defaultValue = "1.2"
+ metadata = {
+ description = "Select version minimum TLS version Azure Cache for Redis to enforce"
+ displayName = "Select version for Redis server"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ allOf = [
+ {
+ equals = "Microsoft.Cache/redis"
+ field = "type"
},
+ {
+ anyOf = [
+ {
+ field = "Microsoft.Cache/Redis/minimumTlsVersion"
+ notequals = "[parameters('minimumTlsVersion')]"
},
]
},
]
}
+ then = {
+ details = [
+ {
+ field = "Microsoft.Cache/Redis/minimumTlsVersion"
+ value = "[parameters('minimumTlsVersion')]"
},
]
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Audit-MachineLearning-PrivateEndpointId"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Audit private endpoints that are created in other subscriptions and/or tenants for Azure Machine Learning."
+ display_name = "Control private endpoint connections to Azure Machine Learning"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Machine Learning"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Audit-MachineLearning-PrivateEndpointId"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "Audit",
+ "Deny",
+ "Disabled",
]
+ defaultValue = "Audit"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ allOf = [
+ {
+ equals = "Microsoft.MachineLearningServices/workspaces/privateEndpointConnections"
+ field = "type"
},
+ {
+ equals = "Approved"
+ field = "Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateLinkServiceConnectionState.status"
},
+ {
+ anyOf = [
+ {
+ exists = false
+ field = "Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id"
},
+ {
+ notEquals = "[subscription().subscriptionId]"
+ value = "[split(concat(field('Microsoft.MachineLearningServices/workspaces/privateEndpointConnections/privateEndpoint.id'), '//'), '/')[2]]"
},
]
},
]
}
+ then = {
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deny-AA-child-resources"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "This policy denies the creation of child resources on the Automation Account"
+ display_name = "No child resources in Automation Account"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Automation"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deny-AA-child-resources"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "Audit",
+ "Deny",
+ "Disabled",
]
+ defaultValue = "Deny"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ allOf = [
+ {
+ field = "type"
+ in = [
+ "Microsoft.Automation/automationAccounts/runbooks",
+ "Microsoft.Automation/automationAccounts/variables",
+ "Microsoft.Automation/automationAccounts/modules",
+ "Microsoft.Automation/automationAccounts/credentials",
+ "Microsoft.Automation/automationAccounts/connections",
+ "Microsoft.Automation/automationAccounts/certificates",
]
},
]
}
+ then = {
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deny-AppGW-Without-WAF"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "This policy enables you to ensure that Application Gateways are always deployed with WAF enabled"
+ display_name = "Application Gateway should be deployed with WAF enabled"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Network"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deny-AppGW-Without-WAF"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "Audit",
+ "Deny",
+ "Disabled",
]
+ defaultValue = "Deny"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ allOf = [
+ {
+ equals = "Microsoft.Network/applicationGateways"
+ field = "type"
},
+ {
+ field = "Microsoft.Network/applicationGateways/sku.name"
+ notequals = "WAF_v2"
},
]
}
+ then = {
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceApiApp-http"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks."
+ display_name = "API App should only be accessible over HTTPS"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "App Service"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deny-AppServiceApiApp-http"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "Audit",
+ "Disabled",
+ "Deny",
]
+ defaultValue = "Deny"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ allOf = [
+ {
+ equals = "Microsoft.Web/sites"
+ field = "type"
},
+ {
+ field = "kind"
+ like = "*api"
},
+ {
+ equals = "false"
+ field = "Microsoft.Web/sites/httpsOnly"
},
]
}
+ then = {
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceFunctionApp-http"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks."
+ display_name = "Function App should only be accessible over HTTPS"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "App Service"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deny-AppServiceFunctionApp-http"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "Audit",
+ "Disabled",
+ "Deny",
]
+ defaultValue = "Deny"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ allOf = [
+ {
+ equals = "Microsoft.Web/sites"
+ field = "type"
},
+ {
+ field = "kind"
+ like = "functionapp*"
},
+ {
+ equals = "false"
+ field = "Microsoft.Web/sites/httpsOnly"
},
]
}
+ then = {
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deny-AppServiceWebApp-http"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks."
+ display_name = "Web Application should only be accessible over HTTPS"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "App Service"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deny-AppServiceWebApp-http"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "Audit",
+ "Disabled",
+ "Deny",
]
+ defaultValue = "Deny"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ allOf = [
+ {
+ equals = "Microsoft.Web/sites"
+ field = "type"
},
+ {
+ field = "kind"
+ like = "app*"
},
+ {
+ equals = "false"
+ field = "Microsoft.Web/sites/httpsOnly"
},
]
}
+ then = {
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-NoPublicIp"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Denies the deployment of workspaces that do not use the noPublicIp feature to host Databricks clusters without public IPs."
+ display_name = "Deny public IPs for Databricks cluster"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Databricks"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deny-Databricks-NoPublicIp"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "Audit",
+ "Disabled",
+ "Deny",
]
+ defaultValue = "Deny"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ allOf = [
+ {
+ equals = "Microsoft.Databricks/workspaces"
+ field = "type"
},
+ {
+ field = "Microsoft.DataBricks/workspaces/parameters.enableNoPublicIp.value"
+ notEquals = true
},
]
}
+ then = {
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-Sku"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Enforces the use of Premium Databricks workspaces to make sure appropriate security features are available including Databricks Access Controls, Credential Passthrough and SCIM provisioning for AAD."
+ display_name = "Deny non-premium Databricks sku"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Databricks"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deny-Databricks-Sku"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "Audit",
+ "Disabled",
+ "Deny",
]
+ defaultValue = "Deny"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ allOf = [
+ {
+ equals = "Microsoft.Databricks/workspaces"
+ field = "type"
},
+ {
+ field = "Microsoft.DataBricks/workspaces/sku.name"
+ notEquals = "premium"
},
]
}
+ then = {
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deny-Databricks-VirtualNetwork"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Enforces the use of vnet injection for Databricks workspaces."
+ display_name = "Deny Databricks workspaces without Vnet injection"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Databricks"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deny-Databricks-VirtualNetwork"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "Audit",
+ "Disabled",
+ "Deny",
]
+ defaultValue = "Deny"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ allOf = [
+ {
+ equals = "Microsoft.Databricks/workspaces"
+ field = "type"
},
+ {
+ anyOf = [
+ {
+ exists = false
+ field = "Microsoft.DataBricks/workspaces/parameters.customVirtualNetworkId.value"
},
+ {
+ exists = false
+ field = "Microsoft.DataBricks/workspaces/parameters.customPublicSubnetName.value"
},
+ {
+ exists = false
+ field = "Microsoft.DataBricks/workspaces/parameters.customPrivateSubnetName.value"
},
]
},
]
}
+ then = {
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-Aks"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Deny AKS cluster creation in Azure Machine Learning and enforce connecting to existing clusters."
+ display_name = "Deny AKS cluster creation in Azure Machine Learning"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Machine Learning"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deny-MachineLearning-Aks"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "Audit",
+ "Disabled",
+ "Deny",
]
+ defaultValue = "Deny"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ allOf = [
+ {
+ equals = "Microsoft.MachineLearningServices/workspaces/computes"
+ field = "type"
},
+ {
+ equals = "AKS"
+ field = "Microsoft.MachineLearningServices/workspaces/computes/computeType"
},
+ {
+ anyOf = [
+ {
+ exists = false
+ field = "Microsoft.MachineLearningServices/workspaces/computes/resourceId"
},
+ {
+ equals = true
+ value = "[empty(field('Microsoft.MachineLearningServices/workspaces/computes/resourceId'))]"
},
]
},
]
}
+ then = {
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-Compute-SubnetId"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances."
+ display_name = "Enforce subnet connectivity for Azure Machine Learning compute clusters and compute instances"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Machine Learning"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deny-MachineLearning-Compute-SubnetId"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "Audit",
+ "Disabled",
+ "Deny",
]
+ defaultValue = "Deny"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ allOf = [
+ {
+ equals = "Microsoft.MachineLearningServices/workspaces/computes"
+ field = "type"
},
+ {
+ field = "Microsoft.MachineLearningServices/workspaces/computes/computeType"
+ in = [
+ "AmlCompute",
+ "ComputeInstance",
]
},
+ {
+ anyOf = [
+ {
+ exists = false
+ field = "Microsoft.MachineLearningServices/workspaces/computes/subnet.id"
},
+ {
+ equals = true
+ value = "[empty(field('Microsoft.MachineLearningServices/workspaces/computes/subnet.id'))]"
},
]
},
]
}
+ then = {
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-Compute-VmSize"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances."
+ display_name = "Limit allowed vm sizes for Azure Machine Learning compute clusters and compute instances"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Budget"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deny-MachineLearning-Compute-VmSize"
+ parameters = jsonencode(
{
+ allowedVmSizes = {
+ defaultValue = [
+ "Standard_D1_v2",
+ "Standard_D2_v2",
+ "Standard_D3_v2",
+ "Standard_D4_v2",
+ "Standard_D11_v2",
+ "Standard_D12_v2",
+ "Standard_D13_v2",
+ "Standard_D14_v2",
+ "Standard_DS1_v2",
+ "Standard_DS2_v2",
+ "Standard_DS3_v2",
+ "Standard_DS4_v2",
+ "Standard_DS5_v2",
+ "Standard_DS11_v2",
+ "Standard_DS12_v2",
+ "Standard_DS13_v2",
+ "Standard_DS14_v2",
+ "Standard_M8-2ms",
+ "Standard_M8-4ms",
+ "Standard_M8ms",
+ "Standard_M16-4ms",
+ "Standard_M16-8ms",
+ "Standard_M16ms",
+ "Standard_M32-8ms",
+ "Standard_M32-16ms",
+ "Standard_M32ls",
+ "Standard_M32ms",
+ "Standard_M32ts",
+ "Standard_M64-16ms",
+ "Standard_M64-32ms",
+ "Standard_M64ls",
+ "Standard_M64ms",
+ "Standard_M64s",
+ "Standard_M128-32ms",
+ "Standard_M128-64ms",
+ "Standard_M128ms",
+ "Standard_M128s",
+ "Standard_M64",
+ "Standard_M64m",
+ "Standard_M128",
+ "Standard_M128m",
+ "Standard_D1",
+ "Standard_D2",
+ "Standard_D3",
+ "Standard_D4",
+ "Standard_D11",
+ "Standard_D12",
+ "Standard_D13",
+ "Standard_D14",
+ "Standard_DS15_v2",
+ "Standard_NV6",
+ "Standard_NV12",
+ "Standard_NV24",
+ "Standard_F2s_v2",
+ "Standard_F4s_v2",
+ "Standard_F8s_v2",
+ "Standard_F16s_v2",
+ "Standard_F32s_v2",
+ "Standard_F64s_v2",
+ "Standard_F72s_v2",
+ "Standard_NC6s_v3",
+ "Standard_NC12s_v3",
+ "Standard_NC24rs_v3",
+ "Standard_NC24s_v3",
+ "Standard_NC6",
+ "Standard_NC12",
+ "Standard_NC24",
+ "Standard_NC24r",
+ "Standard_ND6s",
+ "Standard_ND12s",
+ "Standard_ND24rs",
+ "Standard_ND24s",
+ "Standard_NC6s_v2",
+ "Standard_NC12s_v2",
+ "Standard_NC24rs_v2",
+ "Standard_NC24s_v2",
+ "Standard_ND40rs_v2",
+ "Standard_NV12s_v3",
+ "Standard_NV24s_v3",
+ "Standard_NV48s_v3",
]
+ metadata = {
+ description = "Specifies the allowed VM Sizes for Aml Compute Clusters and Instances"
+ displayName = "Allowed VM Sizes for Aml Compute Clusters and Instances"
}
+ type = "Array"
}
+ effect = {
+ allowedValues = [
+ "Audit",
+ "Disabled",
+ "Deny",
]
+ defaultValue = "Deny"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ allOf = [
+ {
+ equals = "Microsoft.MachineLearningServices/workspaces/computes"
+ field = "type"
},
+ {
+ field = "Microsoft.MachineLearningServices/workspaces/computes/computeType"
+ in = [
+ "AmlCompute",
+ "ComputeInstance",
]
},
+ {
+ field = "Microsoft.MachineLearningServices/workspaces/computes/vmSize"
+ notIn = "[parameters('allowedVmSizes')]"
},
]
}
+ then = {
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Deny public access of Azure Machine Learning clusters via SSH."
+ display_name = "Deny public access of Azure Machine Learning clusters via SSH"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Machine Learning"
+ version = "1.1.0"
}
)
+ mode = "All"
+ name = "Deny-MachineLearning-ComputeCluster-RemoteLoginPortPublicAccess"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "Audit",
+ "Disabled",
+ "Deny",
]
+ defaultValue = "Deny"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ allOf = [
+ {
+ equals = "Microsoft.MachineLearningServices/workspaces/computes"
+ field = "type"
},
+ {
+ equals = "AmlCompute"
+ field = "Microsoft.MachineLearningServices/workspaces/computes/computeType"
},
+ {
+ anyOf = [
+ {
+ exists = false
+ field = "Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess"
},
+ {
+ field = "Microsoft.MachineLearningServices/workspaces/computes/remoteLoginPortPublicAccess"
+ notEquals = "Disabled"
},
]
},
]
}
+ then = {
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-ComputeCluster-Scale"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Enforce scale settings for Azure Machine Learning compute clusters."
+ display_name = "Enforce scale settings for Azure Machine Learning compute clusters"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Budget"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deny-MachineLearning-ComputeCluster-Scale"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "Audit",
+ "Disabled",
+ "Deny",
]
+ defaultValue = "Deny"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
+ maxNodeCount = {
+ defaultValue = 10
+ metadata = {
+ description = "Specifies the maximum node count of AML Clusters"
+ displayName = "Maximum Node Count"
}
+ type = "Integer"
}
+ maxNodeIdleTimeInSecondsBeforeScaleDown = {
+ defaultValue = 900
+ metadata = {
+ description = "Specifies the maximum node idle time in seconds before scaledown"
+ displayName = "Maximum Node Idle Time in Seconds Before Scaledown"
}
+ type = "Integer"
}
+ minNodeCount = {
+ defaultValue = 0
+ metadata = {
+ description = "Specifies the minimum node count of AML Clusters"
+ displayName = "Minimum Node Count"
}
+ type = "Integer"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ allOf = [
+ {
+ equals = "Microsoft.MachineLearningServices/workspaces/computes"
+ field = "type"
},
+ {
+ equals = "AmlCompute"
+ field = "Microsoft.MachineLearningServices/workspaces/computes/computeType"
},
+ {
+ anyOf = [
+ {
+ field = "Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.maxNodeCount"
+ greater = "[parameters('maxNodeCount')]"
},
+ {
+ field = "Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.minNodeCount"
+ greater = "[parameters('minNodeCount')]"
},
+ {
+ greater = "[parameters('maxNodeIdleTimeInSecondsBeforeScaleDown')]"
+ value = "[int(last(split(replace(replace(replace(replace(replace(replace(replace(field('Microsoft.MachineLearningServices/workspaces/computes/scaleSettings.nodeIdleTimeBeforeScaleDown'), 'P', '/'), 'Y', '/'), 'M', '/'), 'D', '/'), 'T', '/'), 'H', '/'), 'S', ''), '/')))]"
},
]
},
]
}
+ then = {
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-HbiWorkspace"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Enforces high business impact Azure Machine Learning workspaces."
+ display_name = "Enforces high business impact Azure Machine Learning Workspaces"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Machine Learning"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deny-MachineLearning-HbiWorkspace"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "Audit",
+ "Disabled",
+ "Deny",
]
+ defaultValue = "Deny"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ allOf = [
+ {
+ equals = "Microsoft.MachineLearningServices/workspaces"
+ field = "type"
},
+ {
+ anyOf = [
+ {
+ exists = false
+ field = "Microsoft.MachineLearningServices/workspaces/hbiWorkspace"
},
+ {
+ field = "Microsoft.MachineLearningServices/workspaces/hbiWorkspace"
+ notEquals = true
},
]
},
]
}
+ then = {
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-PublicAccessWhenBehindVnet"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Deny public access behind vnet to Azure Machine Learning workspaces."
+ display_name = "Deny public access behind vnet to Azure Machine Learning workspaces"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Machine Learning"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deny-MachineLearning-PublicAccessWhenBehindVnet"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "Audit",
+ "Disabled",
+ "Deny",
]
+ defaultValue = "Deny"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ allOf = [
+ {
+ equals = "Microsoft.MachineLearningServices/workspaces"
+ field = "type"
},
+ {
+ anyOf = [
+ {
+ exists = false
+ field = "Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet"
},
+ {
+ field = "Microsoft.MachineLearningServices/workspaces/allowPublicAccessWhenBehindVnet"
+ notEquals = false
},
]
},
]
}
+ then = {
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deny-MachineLearning-PublicNetworkAccess"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Denies public network access for Azure Machine Learning workspaces."
+ display_name = "Azure Machine Learning should have disabled public network access"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Machine Learning"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deny-MachineLearning-PublicNetworkAccess"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "Audit",
+ "Disabled",
+ "Deny",
]
+ defaultValue = "Deny"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ allOf = [
+ {
+ equals = "Microsoft.MachineLearningServices/workspaces"
+ field = "type"
},
+ {
+ field = "Microsoft.MachineLearningServices/workspaces/publicNetworkAccess"
+ notEquals = "Disabled"
},
]
}
+ then = {
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deny-MySql-http"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server."
+ display_name = "MySQL database servers enforce SSL connections."
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "SQL"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deny-MySql-http"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "Audit",
+ "Disabled",
+ "Deny",
]
+ defaultValue = "Deny"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
+ minimalTlsVersion = {
+ allowedValues = [
+ "TLS1_2",
+ "TLS1_0",
+ "TLS1_1",
+ "TLSEnforcementDisabled",
]
+ defaultValue = "TLS1_2"
+ metadata = {
+ description = "Select the minimum TLS version to enforce for the Azure Database for MySQL server"
+ displayName = "Select minimum TLS version for MySQL server"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ allOf = [
+ {
+ equals = "Microsoft.DBforMySQL/servers"
+ field = "type"
},
+ {
+ anyOf = [
+ {
+ exists = "false"
+ field = "Microsoft.DBforMySQL/servers/sslEnforcement"
},
+ {
+ field = "Microsoft.DBforMySQL/servers/sslEnforcement"
+ notEquals = "Enabled"
},
+ {
+ field = "Microsoft.DBforMySQL/servers/minimalTlsVersion"
+ notequals = "[parameters('minimalTlsVersion')]"
},
]
},
]
}
+ then = {
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deny-PostgreSql-http"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server."
+ display_name = "PostgreSQL database servers enforce SSL connections."
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "SQL"
+ version = "1.0.1"
}
)
+ mode = "Indexed"
+ name = "Deny-PostgreSql-http"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "Audit",
+ "Disabled",
+ "Deny",
]
+ defaultValue = "Deny"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
+ minimalTlsVersion = {
+ allowedValues = [
+ "TLS1_2",
+ "TLS1_0",
+ "TLS1_1",
+ "TLSEnforcementDisabled",
]
+ defaultValue = "TLS1_2"
+ metadata = {
+ description = "Select the minimum TLS version to enforce for the Azure Database for PostgreSQL server"
+ displayName = "Select minimum TLS version for PostgreSQL server"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ allOf = [
+ {
+ equals = "Microsoft.DBforPostgreSQL/servers"
+ field = "type"
},
+ {
+ anyOf = [
+ {
+ exists = "false"
+ field = "Microsoft.DBforPostgreSQL/servers/sslEnforcement"
},
+ {
+ field = "Microsoft.DBforPostgreSQL/servers/sslEnforcement"
+ notEquals = "Enabled"
},
+ {
+ field = "Microsoft.DBforPostgreSQL/servers/minimalTlsVersion"
+ notequals = "[parameters('minimalTlsVersion')]"
},
]
},
]
}
+ then = {
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deny-Private-DNS-Zones"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "This policy denies the creation of a private DNS zone in the current scope; it is used in combination with policies that create centralized private DNS zones in the connectivity subscription"
+ display_name = "Deny the creation of private DNS"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Network"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deny-Private-DNS-Zones"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "Audit",
+ "Deny",
+ "Disabled",
]
+ defaultValue = "Deny"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ equals = "Microsoft.Network/privateDnsZones"
+ field = "type"
}
+ then = {
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicEndpoint-MariaDB"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "This policy denies the creation of MariaDB servers with exposed public endpoints"
+ display_name = "Public network access should be disabled for MariaDB"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "SQL"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deny-PublicEndpoint-MariaDB"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "Audit",
+ "Deny",
+ "Disabled",
]
+ defaultValue = "Deny"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ allOf = [
+ {
+ equals = "Microsoft.DBforMariaDB/servers"
+ field = "type"
},
+ {
+ field = "Microsoft.DBforMariaDB/servers/publicNetworkAccess"
+ notequals = "Disabled"
},
]
}
+ then = {
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deny-PublicIP"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "This policy denies creation of Public IPs under the assigned scope."
+ display_name = "Deny the creation of public IP"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Network"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deny-PublicIP"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "Audit",
+ "Deny",
+ "Disabled",
]
+ defaultValue = "Deny"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ equals = "Microsoft.Network/publicIPAddresses"
+ field = "type"
}
+ then = {
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deny-RDP-From-Internet"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "This policy denies any network security rule that allows RDP access from Internet"
+ display_name = "RDP access from the Internet should be blocked"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Network"
+ version = "1.0.0"
}
)
+ mode = "All"
+ name = "Deny-RDP-From-Internet"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "Audit",
+ "Deny",
+ "Disabled",
]
+ defaultValue = "Deny"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ allOf = [
+ {
+ equals = "Microsoft.Network/networkSecurityGroups/securityRules"
+ field = "type"
},
+ {
+ allOf = [
+ {
+ equals = "Allow"
+ field = "Microsoft.Network/networkSecurityGroups/securityRules/access"
},
+ {
+ equals = "Inbound"
+ field = "Microsoft.Network/networkSecurityGroups/securityRules/direction"
},
+ {
+ anyOf = [
+ {
+ equals = "*"
+ field = "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange"
},
+ {
+ equals = "3389"
+ field = "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange"
},
+ {
+ equals = "true"
+ value = "[if(and(not(empty(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'))), contains(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'),'-')), and(lessOrEquals(int(first(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),3389),greaterOrEquals(int(last(split(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRange'), '-'))),3389)), 'false')]"
},
+ {
+ count = {
+ field = "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]"
+ where = {
+ equals = "true"
+ value = "[if(and(not(empty(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')))), contains(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')),'-')), and(lessOrEquals(int(first(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),3389),greaterOrEquals(int(last(split(first(field('Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]')), '-'))),3389)) , 'false')]"
}
}
+ greater = 0
},
+ {
+ not = {
+ field = "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]"
+ notEquals = "*"
}
},
+ {
+ not = {
+ field = "Microsoft.Network/networkSecurityGroups/securityRules/destinationPortRanges[*]"
+ notEquals = "3389"
}
},
]
},
+ {
+ anyOf = [
+ {
+ equals = "*"
+ field = "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix"
},
+ {
+ equals = "Internet"
+ field = "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefix"
},
+ {
+ not = {
+ field = "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]"
+ notEquals = "*"
}
},
+ {
+ not = {
+ field = "Microsoft.Network/networkSecurityGroups/securityRules/sourceAddressPrefixes[*]"
+ notEquals = "Internet"
}
},
]
},
]
},
]
}
+ then = {
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deny-Redis-http"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Audit that only SSL/TLS connections to Azure Cache for Redis are enabled. Validates both the minimum TLS version and that enableNonSslPort is disabled. Use of secure connections ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking"
+ display_name = "Azure Cache for Redis only secure connections should be enabled"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Cache"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deny-Redis-http"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "Audit",
+ "Deny",
+ "Disabled",
]
+ defaultValue = "Deny"
+ metadata = {
+ description = "The effect determines what happens when the policy rule is evaluated to match"
+ displayName = "Effect"
}
+ type = "String"
}
+ minimumTlsVersion = {
+ allowedValues = [
+ "1.2",
+ "1.1",
+ "1.0",
]
+ defaultValue = "1.2"
+ metadata = {
+ description = "Select minimum TLS version for Azure Cache for Redis."
+ displayName = "Select minimum TLS version for Azure Cache for Redis."
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ allOf = [
+ {
+ equals = "Microsoft.Cache/redis"
+ field = "type"
},
+ {
+ anyOf = [
+ {
+ equals = "true"
+ field = "Microsoft.Cache/Redis/enableNonSslPort"
},
+ {
+ field = "Microsoft.Cache/Redis/minimumTlsVersion"
+ notequals = "[parameters('minimumTlsVersion')]"
},
]
},
]
}
+ then = {
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deny-Sql-minTLS"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Setting minimal TLS version to 1.2 improves security by ensuring your Azure SQL Database can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities."
+ display_name = "Azure SQL Database should have the minimal TLS version set to the highest version"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "SQL"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deny-Sql-minTLS"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "Audit",
+ "Disabled",
+ "Deny",
]
+ defaultValue = "Audit"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
+ minimalTlsVersion = {
+ allowedValues = [
+ "1.2",
+ "1.1",
+ "1.0",
]
+ defaultValue = "1.2"
+ metadata = {
+ description = "Select the minimum TLS version to enforce for Azure SQL servers"
+ displayName = "Select minimum TLS version for SQL server"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ allOf = [
+ {
+ equals = "Microsoft.Sql/servers"
+ field = "type"
},
+ {
+ anyOf = [
+ {
+ exists = "false"
+ field = "Microsoft.Sql/servers/minimalTlsVersion"
},
+ {
+ field = "Microsoft.Sql/servers/minimalTlsVersion"
+ notequals = "[parameters('minimalTlsVersion')]"
},
]
},
]
}
+ then = {
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deny-SqlMi-minTLS"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Setting minimal TLS version to 1.2 improves security by ensuring your SQL Managed Instance can only be accessed from clients using TLS 1.2. Using versions of TLS less than 1.2 is not recommended since they have well documented security vulnerabilities."
+ display_name = "SQL Managed Instance should have the minimal TLS version set to the highest version"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "SQL"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deny-SqlMi-minTLS"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "Audit",
+ "Disabled",
+ "Deny",
]
+ defaultValue = "Audit"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
+ minimalTlsVersion = {
+ allowedValues = [
+ "1.2",
+ "1.1",
+ "1.0",
]
+ defaultValue = "1.2"
+ metadata = {
+ description = "Select the minimum TLS version to enforce for SQL Managed Instances"
+ displayName = "Select minimum TLS version for SQL Managed Instance"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ allOf = [
+ {
+ equals = "Microsoft.Sql/managedInstances"
+ field = "type"
},
+ {
+ anyOf = [
+ {
+ exists = "false"
+ field = "Microsoft.Sql/managedInstances/minimalTlsVersion"
},
+ {
+ field = "Microsoft.Sql/managedInstances/minimalTlsVersion"
+ notequals = "[parameters('minimalTlsVersion')]"
},
]
},
]
}
+ then = {
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deny-Storage-minTLS"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking"
+ display_name = "Storage Account set to minimum TLS and Secure transfer should be enabled"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Storage"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deny-Storage-minTLS"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "Audit",
+ "Deny",
+ "Disabled",
]
+ defaultValue = "Deny"
+ metadata = {
+ description = "The effect determines what happens when the policy rule is evaluated to match"
+ displayName = "Effect"
}
+ type = "String"
}
+ minimumTlsVersion = {
+ allowedValues = [
+ "TLS1_2",
+ "TLS1_1",
+ "TLS1_0",
]
+ defaultValue = "TLS1_2"
+ metadata = {
+ description = "Select the minimum TLS version to enforce on the Azure Storage Account"
+ displayName = "Select minimum TLS version for Storage Account"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ allOf = [
+ {
+ equals = "Microsoft.Storage/storageAccounts"
+ field = "type"
},
+ {
+ anyOf = [
+ {
+ allOf = [
+ {
+ less = "2019-04-01"
+ value = "[requestContext().apiVersion]"
},
+ {
+ exists = "false"
+ field = "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly"
},
]
},
+ {
+ equals = "false"
+ field = "Microsoft.Storage/storageAccounts/supportsHttpsTrafficOnly"
},
+ {
+ field = "Microsoft.Storage/storageAccounts/minimumTlsVersion"
+ notequals = "[parameters('minimumTlsVersion')]"
},
+ {
+ exists = "false"
+ field = "Microsoft.Storage/storageAccounts/minimumTlsVersion"
},
]
},
]
}
+ then = {
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Nsg"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "This policy denies the creation of a subnet without a Network Security Group. NSGs help to protect traffic at the subnet level."
+ display_name = "Subnets should have a Network Security Group"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Network"
+ version = "2.0.0"
}
)
+ mode = "All"
+ name = "Deny-Subnet-Without-Nsg"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "Audit",
+ "Deny",
+ "Disabled",
]
+ defaultValue = "Deny"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
+ excludedSubnets = {
+ defaultValue = [
+ "GatewaySubnet",
+ "AzureFirewallSubnet",
+ "AzureFirewallManagementSubnet",
]
+ metadata = {
+ description = "Array of subnet names that are excluded from this policy"
+ displayName = "Excluded Subnets"
}
+ type = "Array"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ anyOf = [
+ {
+ allOf = [
+ {
+ equals = "Microsoft.Network/virtualNetworks"
+ field = "type"
},
+ {
+ count = {
+ field = "Microsoft.Network/virtualNetworks/subnets[*]"
+ where = {
+ allOf = [
+ {
+ exists = "false"
+ field = "Microsoft.Network/virtualNetworks/subnets[*].networkSecurityGroup.id"
},
+ {
+ field = "Microsoft.Network/virtualNetworks/subnets[*].name"
+ notIn = "[parameters('excludedSubnets')]"
},
]
}
}
+ notEquals = 0
},
]
},
+ {
+ allOf = [
+ {
+ equals = "Microsoft.Network/virtualNetworks/subnets"
+ field = "type"
},
+ {
+ field = "name"
+ notIn = "[parameters('excludedSubnets')]"
},
+ {
+ exists = "false"
+ field = "Microsoft.Network/virtualNetworks/subnets/networkSecurityGroup.id"
},
]
},
]
}
+ then = {
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deny-Subnet-Without-Udr"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "This policy denies the creation of a subnet without a User Defined Route (UDR)."
+ display_name = "Subnets should have a User Defined Route"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Network"
+ version = "2.0.0"
}
)
+ mode = "All"
+ name = "Deny-Subnet-Without-Udr"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "Audit",
+ "Deny",
+ "Disabled",
]
+ defaultValue = "Deny"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
+ excludedSubnets = {
+ defaultValue = [
+ "AzureBastionSubnet",
]
+ metadata = {
+ description = "Array of subnet names that are excluded from this policy"
+ displayName = "Excluded Subnets"
}
+ type = "Array"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ anyOf = [
+ {
+ allOf = [
+ {
+ equals = "Microsoft.Network/virtualNetworks"
+ field = "type"
},
+ {
+ count = {
+ field = "Microsoft.Network/virtualNetworks/subnets[*]"
+ where = {
+ allOf = [
+ {
+ exists = "false"
+ field = "Microsoft.Network/virtualNetworks/subnets[*].routeTable.id"
},
+ {
+ field = "Microsoft.Network/virtualNetworks/subnets[*].name"
+ notIn = "[parameters('excludedSubnets')]"
},
]
}
}
+ notEquals = 0
},
]
},
+ {
+ allOf = [
+ {
+ equals = "Microsoft.Network/virtualNetworks/subnets"
+ field = "type"
},
+ {
+ field = "name"
+ notIn = "[parameters('excludedSubnets')]"
},
+ {
+ exists = "false"
+ field = "Microsoft.Network/virtualNetworks/subnets/routeTable.id"
},
]
},
]
}
+ then = {
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deny-VNET-Peer-Cross-Sub"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "This policy denies the creation of vNet peerings to vNets outside the same subscription under the assigned scope."
+ display_name = "Deny vNet peering cross subscription."
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Network"
+ version = "1.0.1"
}
)
+ mode = "All"
+ name = "Deny-VNET-Peer-Cross-Sub"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "Audit",
+ "Deny",
+ "Disabled",
]
+ defaultValue = "Deny"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ allOf = [
+ {
+ equals = "Microsoft.Network/virtualNetworks/virtualNetworkPeerings"
+ field = "type"
},
+ {
+ field = "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id"
+ notcontains = "[subscription().id]"
},
]
}
+ then = {
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deny-VNET-Peering-To-Non-Approved-VNETs"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "This policy denies the creation of vNet Peerings to non-approved vNets under the assigned scope."
+ display_name = "Deny vNet peering to non-approved vNets"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Network"
+ version = "1.0.0"
}
)
+ mode = "All"
+ name = "Deny-VNET-Peering-To-Non-Approved-VNETs"
+ parameters = jsonencode(
{
+ allowedVnets = {
+ defaultValue = []
+ metadata = {
+ description = "Array of allowed vNets that can be peered with. Must be entered using their resource ID. Example: /subscriptions/{subId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/virtualNetworks/{vnetName}"
+ displayName = "Allowed vNets to peer with"
}
+ type = "Array"
}
+ effect = {
+ allowedValues = [
+ "Audit",
+ "Deny",
+ "Disabled",
]
+ defaultValue = "Deny"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ anyOf = [
+ {
+ allOf = [
+ {
+ equals = "Microsoft.Network/virtualNetworks/virtualNetworkPeerings"
+ field = "type"
},
+ {
+ not = {
+ field = "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/remoteVirtualNetwork.id"
+ in = "[parameters('allowedVnets')]"
}
},
]
},
+ {
+ allOf = [
+ {
+ equals = "Microsoft.Network/virtualNetworks"
+ field = "type"
},
+ {
+ not = {
+ field = "Microsoft.Network/virtualNetworks/virtualNetworkPeerings[*].remoteVirtualNetwork.id"
+ in = "[parameters('allowedVnets')]"
}
},
+ {
+ not = {
+ exists = false
+ field = "Microsoft.Network/virtualNetworks/virtualNetworkPeerings[*].remoteVirtualNetwork.id"
}
},
]
},
]
}
+ then = {
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deny-VNet-Peering"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "This policy denies the creation of vNet Peerings under the assigned scope."
+ display_name = "Deny vNet peering "
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Network"
+ version = "1.0.1"
}
)
+ mode = "All"
+ name = "Deny-VNet-Peering"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "Audit",
+ "Deny",
+ "Disabled",
]
+ defaultValue = "Deny"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ equals = "Microsoft.Network/virtualNetworks/virtualNetworkPeerings"
+ field = "type"
}
+ then = {
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deploy-ASC-SecurityContacts"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Deploy Azure Security Center Security Contacts"
+ display_name = "Deploy Azure Security Center Security Contacts"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Security Center"
+ version = "1.0.0"
}
)
+ mode = "All"
+ name = "Deploy-ASC-SecurityContacts"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "DeployIfNotExists",
+ "Disabled",
]
+ defaultValue = "DeployIfNotExists"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "string"
}
+ emailSecurityContact = {
+ metadata = {
+ description = "Provide email address for Azure Security Center contact details"
+ displayName = "Security contacts email address"
}
+ type = "string"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ allOf = [
+ {
+ equals = "Microsoft.Resources/subscriptions"
+ field = "type"
},
]
}
+ then = {
+ details = {
+ deployment = {
+ location = "northeurope"
+ properties = {
+ mode = "incremental"
+ parameters = {
+ emailSecurityContact = {
+ value = "[parameters('emailSecurityContact')]"
}
}
+ template = {
+ "$schema" = "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#"
+ contentVersion = "1.0.0.0"
+ outputs = {}
+ parameters = {
+ emailSecurityContact = {
+ metadata = {
+ description = "Security contacts email address"
}
+ type = "string"
}
}
+ resources = [
+ {
+ apiVersion = "2020-01-01-preview"
+ name = "default"
+ properties = {
+ alertNotifications = {
+ minimalSeverity = "High"
+ state = "On"
}
+ emails = "[parameters('emailSecurityContact')]"
+ notificationsByRole = {
+ roles = [
+ "Owner",
]
+ state = "On"
}
}
+ type = "Microsoft.Security/securityContacts"
},
]
+ variables = {}
}
}
}
+ deploymentScope = "subscription"
+ existenceCondition = {
+ allOf = [
+ {
+ contains = "[parameters('emailSecurityContact')]"
+ field = "Microsoft.Security/securityContacts/email"
},
+ {
+ equals = "Microsoft.Security/securityContacts"
+ field = "type"
},
+ {
+ equals = "On"
+ field = "Microsoft.Security/securityContacts/alertNotifications"
},
+ {
+ equals = "On"
+ field = "Microsoft.Security/securityContacts/alertsToAdmins"
},
]
}
+ existenceScope = "subscription"
+ roleDefinitionIds = [
+ "/providers/Microsoft.Authorization/roleDefinitions/fb1c8493-542b-48eb-b624-b4c8fea62acd",
]
+ type = "Microsoft.Security/securityContacts"
}
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deploy-Budget"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Deploy a default budget on all subscriptions under the assigned scope"
+ display_name = "Deploy a default budget on all subscriptions under the assigned scope"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Budget"
+ version = "1.1.0"
}
)
+ mode = "All"
+ name = "Deploy-Budget"
+ parameters = jsonencode(
{
+ amount = {
+ defaultValue = "1000"
+ metadata = {
+ description = "The total amount of cost or usage to track with the budget"
}
+ type = "String"
}
+ budgetName = {
+ defaultValue = "budget-set-by-policy"
+ metadata = {
+ description = "The name for the budget to be created"
}
+ type = "String"
}
+ contactEmails = {
+ defaultValue = []
+ metadata = {
+ description = "The list of email addresses, in an array, to send the budget notification to when the threshold is exceeded."
}
+ type = "Array"
}
+ contactGroups = {
+ defaultValue = []
+ metadata = {
+ description = "The list of action groups, in an array, to send the budget notification to when the threshold is exceeded. It accepts an array of strings."
}
+ type = "Array"
}
+ contactRoles = {
+ defaultValue = [
+ "Owner",
+ "Contributor",
]
+ metadata = {
+ description = "The list of contact RBAC roles, in an array, to send the budget notification to when the threshold is exceeded."
}
+ type = "Array"
}
+ effect = {
+ allowedValues = [
+ "DeployIfNotExists",
+ "AuditIfNotExists",
+ "Disabled",
]
+ defaultValue = "DeployIfNotExists"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
}
+ type = "String"
}
+ firstThreshold = {
+ defaultValue = "90"
+ metadata = {
+ description = "Threshold value associated with a notification. A notification is sent when the cost exceeds the threshold. It is always a percentage and has to be between 0 and 1000."
}
+ type = "String"
}
+ secondThreshold = {
+ defaultValue = "100"
+ metadata = {
+ description = "Threshold value associated with a notification. A notification is sent when the cost exceeds the threshold. It is always a percentage and has to be between 0 and 1000."
}
+ type = "String"
}
+ timeGrain = {
+ allowedValues = [
+ "Monthly",
+ "Quarterly",
+ "Annually",
+ "BillingMonth",
+ "BillingQuarter",
+ "BillingAnnual",
]
+ defaultValue = "Monthly"
+ metadata = {
+ description = "The time covered by a budget. Tracking of the amount will be reset based on the time grain."
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ allOf = [
+ {
+ equals = "Microsoft.Resources/subscriptions"
+ field = "type"
},
]
}
+ then = {
+ details = {
+ deployment = {
+ location = "northeurope"
+ properties = {
+ mode = "Incremental"
+ parameters = {
+ amount = {
+ value = "[parameters('amount')]"
}
+ budgetName = {
+ value = "[parameters('budgetName')]"
}
+ contactEmails = {
+ value = "[parameters('contactEmails')]"
}
+ contactGroups = {
+ value = "[parameters('contactGroups')]"
}
+ contactRoles = {
+ value = "[parameters('contactRoles')]"
}
+ firstThreshold = {
+ value = "[parameters('firstThreshold')]"
}
+ secondThreshold = {
+ value = "[parameters('secondThreshold')]"
}
+ timeGrain = {
+ value = "[parameters('timeGrain')]"
}
}
+ template = {
+ "$schema" = "http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json"
+ contentVersion = "1.0.0.0"
+ parameters = {
+ amount = {
+ type = "String"
}
+ budgetName = {
+ type = "String"
}
+ contactEmails = {
+ type = "Array"
}
+ contactGroups = {
+ type = "Array"
}
+ contactRoles = {
+ type = "Array"
}
+ firstThreshold = {
+ type = "String"
}
+ secondThreshold = {
+ type = "String"
}
+ startDate = {
+ defaultValue = "[concat(utcNow('MM'), '/01/', utcNow('yyyy'))]"
+ type = "String"
}
+ timeGrain = {
+ type = "String"
}
}
+ resources = [
+ {
+ apiVersion = "2019-10-01"
+ name = "[parameters('budgetName')]"
+ properties = {
+ amount = "[parameters('amount')]"
+ category = "Cost"
+ notifications = {
+ NotificationForExceededBudget1 = {
+ contactEmails = "[parameters('contactEmails')]"
+ contactGroups = "[parameters('contactGroups')]"
+ contactRoles = "[parameters('contactRoles')]"
+ enabled = true
+ operator = "GreaterThan"
+ threshold = "[parameters('firstThreshold')]"
}
+ NotificationForExceededBudget2 = {
+ contactEmails = "[parameters('contactEmails')]"
+ contactGroups = "[parameters('contactGroups')]"
+ contactRoles = "[parameters('contactRoles')]"
+ enabled = true
+ operator = "GreaterThan"
+ threshold = "[parameters('secondThreshold')]"
}
}
+ timeGrain = "[parameters('timeGrain')]"
+ timePeriod = {
+ startDate = "[parameters('startDate')]"
}
}
+ type = "Microsoft.Consumption/budgets"
},
]
}
}
}
+ deploymentScope = "subscription"
+ existenceCondition = {
+ allOf = [
+ {
+ equals = "[parameters('amount')]"
+ field = "Microsoft.Consumption/budgets/amount"
},
+ {
+ equals = "[parameters('timeGrain')]"
+ field = "Microsoft.Consumption/budgets/timeGrain"
},
+ {
+ equals = "Cost"
+ field = "Microsoft.Consumption/budgets/category"
},
]
}
+ existenceScope = "subscription"
+ roleDefinitionIds = [
+ "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
]
+ type = "Microsoft.Consumption/budgets"
}
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deploy-Custom-Route-Table"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Deploys a route table with specific user defined routes when one does not exist. The route table deployed by the policy must be manually associated with the subnet(s)"
+ display_name = "Deploy a route table with specific user defined routes"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Network"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deploy-Custom-Route-Table"
+ parameters = jsonencode(
{
+ disableBgpPropagation = {
+ defaultValue = false
+ metadata = {
+ description = "Disable BGP Propagation"
+ displayName = "DisableBgpPropagation"
}
+ type = "Boolean"
}
+ effect = {
+ allowedValues = [
+ "DeployIfNotExists",
+ "Disabled",
]
+ defaultValue = "DeployIfNotExists"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
+ requiredRoutes = {
+ metadata = {
+ description = "Routes that must exist in compliant route tables deployed by this policy"
+ displayName = "requiredRoutes"
}
+ type = "Array"
}
+ routeTableName = {
+ metadata = {
+ description = "Name of the route table automatically deployed by this policy"
+ displayName = "routeTableName"
}
+ type = "String"
}
+ vnetRegion = {
+ metadata = {
+ description = "Only VNets in this region will be evaluated against this policy"
+ displayName = "vnetRegion"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ allOf = [
+ {
+ equals = "Microsoft.Network/virtualNetworks"
+ field = "type"
},
+ {
+ equals = "[parameters('vnetRegion')]"
+ field = "location"
},
]
}
+ then = {
+ details = {
+ deployment = {
+ properties = {
+ mode = "incremental"
+ parameters = {
+ disableBgpPropagation = {
+ value = "[parameters('disableBgpPropagation')]"
}
+ requiredRoutes = {
+ value = "[parameters('requiredRoutes')]"
}
+ routeTableName = {
+ value = "[parameters('routeTableName')]"
}
+ vnetRegion = {
+ value = "[parameters('vnetRegion')]"
}
}
+ template = {
+ "$schema" = "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#"
+ contentVersion = "1.0.0.0"
+ parameters = {
+ disableBgpPropagation = {
+ type = "bool"
}
+ requiredRoutes = {
+ type = "array"
}
+ routeTableName = {
+ type = "string"
}
+ vnetRegion = {
+ type = "string"
}
}
+ resources = [
+ {
+ apiVersion = "2021-04-01"
+ name = "routeTableDepl"
+ properties = {
+ mode = "Incremental"
+ parameters = {
+ disableBgpPropagation = {
+ value = "[parameters('disableBgpPropagation')]"
}
+ requiredRoutes = {
+ value = "[parameters('requiredRoutes')]"
}
+ routeTableName = {
+ value = "[parameters('routeTableName')]"
}
+ vnetRegion = {
+ value = "[parameters('vnetRegion')]"
}
}
+ template = {
+ "$schema" = "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#"
+ contentVersion = "1.0.0.0"
+ parameters = {
+ disableBgpPropagation = {
+ type = "bool"
}
+ requiredRoutes = {
+ type = "array"
}
+ routeTableName = {
+ type = "string"
}
+ vnetRegion = {
+ type = "string"
}
}
+ resources = [
+ {
+ apiVersion = "2021-02-01"
+ location = "[[parameters('vnetRegion')]"
+ name = "[[parameters('routeTableName')]"
+ properties = {
+ copy = "[variables('copyLoop')]"
+ disableBgpRoutePropagation = "[[parameters('disableBgpPropagation')]"
}
+ type = "Microsoft.Network/routeTables"
},
]
}
}
+ type = "Microsoft.Resources/deployments"
},
]
+ variables = {
+ copyLoop = [
+ {
+ count = "[[length(parameters('requiredRoutes'))]"
+ input = {
+ name = "[[concat('route-',copyIndex('routes'))]"
+ properties = {
+ addressPrefix = "[[split(parameters('requiredRoutes')[copyIndex('routes')], ';')[0]]"
+ nextHopIpAddress = "[[if(equals(toLower(split(parameters('requiredRoutes')[copyIndex('routes')], ';')[1]),'virtualappliance'),split(parameters('requiredRoutes')[copyIndex('routes')], ';')[2], null())]"
+ nextHopType = "[[split(parameters('requiredRoutes')[copyIndex('routes')], ';')[1]]"
}
}
+ name = "routes"
},
]
}
}
}
}
+ existenceCondition = {
+ allOf = [
+ {
+ equals = "[parameters('routeTableName')]"
+ field = "name"
},
+ {
+ count = {
+ field = "Microsoft.Network/routeTables/routes[*]"
+ where = {
+ in = "[parameters('requiredRoutes')]"
+ value = "[concat(current('Microsoft.Network/routeTables/routes[*].addressPrefix'), ';', current('Microsoft.Network/routeTables/routes[*].nextHopType'), if(equals(toLower(current('Microsoft.Network/routeTables/routes[*].nextHopType')),'virtualappliance'), concat(';', current('Microsoft.Network/routeTables/routes[*].nextHopIpAddress')), ''))]"
}
}
+ equals = "[length(parameters('requiredRoutes'))]"
},
]
}
+ roleDefinitionIds = [
+ "/subscriptions/e867a45d-e513-44ac-931e-4741cef80b24/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7",
]
+ type = "Microsoft.Network/routeTables"
}
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deploy-DDoSProtection"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Deploys an Azure DDoS Protection Standard plan"
+ display_name = "Deploy an Azure DDoS Protection Standard plan"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Network"
+ version = "1.0.0"
}
)
+ mode = "All"
+ name = "Deploy-DDoSProtection"
+ parameters = jsonencode(
{
+ ddosName = {
+ metadata = {
+ description = "DDoSVnet"
+ displayName = "ddosName"
}
+ type = "String"
}
+ ddosRegion = {
+ metadata = {
+ description = "DDoSVnet location"
+ displayName = "ddosRegion"
+ strongType = "location"
}
+ type = "String"
}
+ effect = {
+ allowedValues = [
+ "DeployIfNotExists",
+ "Disabled",
]
+ defaultValue = "DeployIfNotExists"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
+ rgName = {
+ metadata = {
+ description = "Provide name for resource group."
+ displayName = "rgName"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ allOf = [
+ {
+ equals = "Microsoft.Resources/subscriptions"
+ field = "type"
},
]
}
+ then = {
+ details = {
+ deployment = {
+ location = "northeurope"
+ properties = {
+ mode = "Incremental"
+ parameters = {
+ ddosname = {
+ value = "[parameters('ddosname')]"
}
+ ddosregion = {
+ value = "[parameters('ddosRegion')]"
}
+ rgName = {
+ value = "[parameters('rgName')]"
}
}
+ template = {
+ "$schema" = "http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json"
+ contentVersion = "1.0.0.0"
+ outputs = {}
+ parameters = {
+ ddosRegion = {
+ type = "String"
}
+ ddosname = {
+ type = "String"
}
+ rgName = {
+ type = "String"
}
}
+ resources = [
+ {
+ apiVersion = "2018-05-01"
+ location = "[deployment().location]"
+ name = "[parameters('rgName')]"
+ properties = {}
+ type = "Microsoft.Resources/resourceGroups"
},
+ {
+ apiVersion = "2018-05-01"
+ dependsOn = [
+ "[resourceId('Microsoft.Resources/resourceGroups/', parameters('rgName'))]",
]
+ name = "ddosprotection"
+ properties = {
+ mode = "Incremental"
+ template = {
+ "$schema" = "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json"
+ contentVersion = "1.0.0.0"
+ outputs = {}
+ parameters = {}
+ resources = [
+ {
+ apiVersion = "2019-12-01"
+ location = "[parameters('ddosRegion')]"
+ name = "[parameters('ddosName')]"
+ properties = {}
+ type = "Microsoft.Network/ddosProtectionPlans"
},
]
}
}
+ resourceGroup = "[parameters('rgName')]"
+ type = "Microsoft.Resources/deployments"
},
]
}
}
}
+ deploymentScope = "subscription"
+ existenceScope = "resourceGroup"
+ name = "[parameters('ddosName')]"
+ resourceGroupName = "[parameters('rgName')]"
+ roleDefinitionIds = [
+ "/providers/Microsoft.Authorization/roleDefinitions/4d97b98b-1d4f-4787-a291-c67834d212e7",
]
+ type = "Microsoft.Network/ddosProtectionPlans"
}
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AA"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Deploys the diagnostic settings for Automation to stream to a Log Analytics workspace when any Automation account that is missing these diagnostic settings is created or updated. The policy will set the diagnostic setting with all metrics and categories enabled"
+ display_name = "Deploy Diagnostic Settings for Automation to Log Analytics workspace"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Monitoring"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deploy-Diagnostics-AA"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "DeployIfNotExists",
+ "Disabled",
]
+ defaultValue = "DeployIfNotExists"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
+ logAnalytics = {
+ metadata = {
+ description = "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID."
+ displayName = "Log Analytics workspace"
+ strongType = "omsWorkspace"
}
+ type = "String"
}
+ logsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ displayName = "Enable logs"
}
+ type = "String"
}
+ metricsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ displayName = "Enable metrics"
}
+ type = "String"
}
+ profileName = {
+ defaultValue = "setbypolicy"
+ metadata = {
+ description = "The diagnostic settings profile name"
+ displayName = "Profile name"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ equals = "Microsoft.Automation/automationAccounts"
+ field = "type"
}
+ then = {
+ details = {
+ deployment = {
+ properties = {
+ mode = "Incremental"
+ parameters = {
+ location = {
+ value = "[field('location')]"
}
+ logAnalytics = {
+ value = "[parameters('logAnalytics')]"
}
+ logsEnabled = {
+ value = "[parameters('logsEnabled')]"
}
+ metricsEnabled = {
+ value = "[parameters('metricsEnabled')]"
}
+ profileName = {
+ value = "[parameters('profileName')]"
}
+ resourceName = {
+ value = "[field('name')]"
}
}
+ template = {
+ "$schema" = "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#"
+ contentVersion = "1.0.0.0"
+ outputs = {}
+ parameters = {
+ location = {
+ type = "String"
}
+ logAnalytics = {
+ type = "String"
}
+ logsEnabled = {
+ type = "String"
}
+ metricsEnabled = {
+ type = "String"
}
+ profileName = {
+ type = "String"
}
+ resourceName = {
+ type = "String"
}
}
+ resources = [
+ {
+ apiVersion = "2017-05-01-preview"
+ dependsOn = []
+ location = "[parameters('location')]"
+ name = "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]"
+ properties = {
+ logs = [
+ {
+ category = "JobLogs"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "JobStreams"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "DscNodeStatus"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "AuditEvent"
+ enabled = "[parameters('logsEnabled')]"
},
]
+ metrics = [
+ {
+ category = "AllMetrics"
+ enabled = "[parameters('metricsEnabled')]"
+ retentionPolicy = {
+ days = 0
+ enabled = false
}
+ timeGrain = null
},
]
+ workspaceId = "[parameters('logAnalytics')]"
}
+ type = "Microsoft.Automation/automationAccounts/providers/diagnosticSettings"
},
]
+ variables = {}
}
}
}
+ existenceCondition = {
+ allOf = [
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/logs.enabled"
},
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/metrics.enabled"
},
+ {
+ equals = "[parameters('logAnalytics')]"
+ field = "Microsoft.Insights/diagnosticSettings/workspaceId"
},
]
}
+ name = "setByPolicy"
+ roleDefinitionIds = [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
]
+ type = "Microsoft.Insights/diagnosticSettings"
}
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACI"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Deploys the diagnostic settings for Container Instances to stream to a Log Analytics workspace when any ACR that is missing these diagnostic settings is created or updated. The policy will set the diagnostic setting with all metrics enabled."
+ display_name = "Deploy Diagnostic Settings for Container Instances to Log Analytics workspace"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Monitoring"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deploy-Diagnostics-ACI"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "DeployIfNotExists",
+ "Disabled",
]
+ defaultValue = "DeployIfNotExists"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
+ logAnalytics = {
+ metadata = {
+ description = "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID."
+ displayName = "Log Analytics workspace"
+ strongType = "omsWorkspace"
}
+ type = "String"
}
+ metricsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ displayName = "Enable metrics"
}
+ type = "String"
}
+ profileName = {
+ defaultValue = "setbypolicy"
+ metadata = {
+ description = "The diagnostic settings profile name"
+ displayName = "Profile name"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ equals = "Microsoft.ContainerInstance/containerGroups"
+ field = "type"
}
+ then = {
+ details = {
+ deployment = {
+ properties = {
+ mode = "Incremental"
+ parameters = {
+ location = {
+ value = "[field('location')]"
}
+ logAnalytics = {
+ value = "[parameters('logAnalytics')]"
}
+ metricsEnabled = {
+ value = "[parameters('metricsEnabled')]"
}
+ profileName = {
+ value = "[parameters('profileName')]"
}
+ resourceName = {
+ value = "[field('name')]"
}
}
+ template = {
+ "$schema" = "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#"
+ contentVersion = "1.0.0.0"
+ outputs = {}
+ parameters = {
+ location = {
+ type = "String"
}
+ logAnalytics = {
+ type = "String"
}
+ metricsEnabled = {
+ type = "String"
}
+ profileName = {
+ type = "String"
}
+ resourceName = {
+ type = "String"
}
}
+ resources = [
+ {
+ apiVersion = "2017-05-01-preview"
+ dependsOn = []
+ location = "[parameters('location')]"
+ name = "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]"
+ properties = {
+ logs = []
+ metrics = [
+ {
+ category = "AllMetrics"
+ enabled = "[parameters('metricsEnabled')]"
+ retentionPolicy = {
+ days = 0
+ enabled = false
}
+ timeGrain = null
},
]
+ workspaceId = "[parameters('logAnalytics')]"
}
+ type = "Microsoft.ContainerInstance/containerGroups/providers/diagnosticSettings"
},
]
+ variables = {}
}
}
}
+ existenceCondition = {
+ allOf = [
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/metrics.enabled"
},
+ {
+ equals = "[parameters('logAnalytics')]"
+ field = "Microsoft.Insights/diagnosticSettings/workspaceId"
},
]
}
+ name = "setByPolicy"
+ roleDefinitionIds = [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
]
+ type = "Microsoft.Insights/diagnosticSettings"
}
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ACR"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Deploys the diagnostic settings for Container Registry to stream to a Log Analytics workspace when any ACR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics enabled."
+ display_name = "Deploy Diagnostic Settings for Container Registry to Log Analytics workspace"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Monitoring"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deploy-Diagnostics-ACR"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "DeployIfNotExists",
+ "Disabled",
]
+ defaultValue = "DeployIfNotExists"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
+ logAnalytics = {
+ metadata = {
+ description = "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID."
+ displayName = "Log Analytics workspace"
+ strongType = "omsWorkspace"
}
+ type = "String"
}
+ logsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ displayName = "Enable logs"
}
+ type = "String"
}
+ metricsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ displayName = "Enable metrics"
}
+ type = "String"
}
+ profileName = {
+ defaultValue = "setbypolicy"
+ metadata = {
+ description = "The diagnostic settings profile name"
+ displayName = "Profile name"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ equals = "Microsoft.ContainerRegistry/registries"
+ field = "type"
}
+ then = {
+ details = {
+ deployment = {
+ properties = {
+ mode = "Incremental"
+ parameters = {
+ location = {
+ value = "[field('location')]"
}
+ logAnalytics = {
+ value = "[parameters('logAnalytics')]"
}
+ logsEnabled = {
+ value = "[parameters('logsEnabled')]"
}
+ metricsEnabled = {
+ value = "[parameters('metricsEnabled')]"
}
+ profileName = {
+ value = "[parameters('profileName')]"
}
+ resourceName = {
+ value = "[field('name')]"
}
}
+ template = {
+ "$schema" = "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#"
+ contentVersion = "1.0.0.0"
+ outputs = {}
+ parameters = {
+ location = {
+ type = "String"
}
+ logAnalytics = {
+ type = "String"
}
+ logsEnabled = {
+ type = "String"
}
+ metricsEnabled = {
+ type = "String"
}
+ profileName = {
+ type = "String"
}
+ resourceName = {
+ type = "String"
}
}
+ resources = [
+ {
+ apiVersion = "2017-05-01-preview"
+ dependsOn = []
+ location = "[parameters('location')]"
+ name = "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]"
+ properties = {
+ logs = [
+ {
+ category = "ContainerRegistryLoginEvents"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "ContainerRegistryRepositoryEvents"
+ enabled = "[parameters('logsEnabled')]"
},
]
+ metrics = [
+ {
+ category = "AllMetrics"
+ enabled = "[parameters('metricsEnabled')]"
+ retentionPolicy = {
+ days = 0
+ enabled = false
}
+ timeGrain = null
},
]
+ workspaceId = "[parameters('logAnalytics')]"
}
+ type = "Microsoft.ContainerRegistry/registries/providers/diagnosticSettings"
},
]
+ variables = {}
}
}
}
+ existenceCondition = {
+ allOf = [
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/metrics.enabled"
},
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/logs.enabled"
},
+ {
+ equals = "[parameters('logAnalytics')]"
+ field = "Microsoft.Insights/diagnosticSettings/workspaceId"
},
]
}
+ name = "setByPolicy"
+ roleDefinitionIds = [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
]
+ type = "Microsoft.Insights/diagnosticSettings"
}
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-APIMgmt"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Deploys the diagnostic settings for API Management to stream to a Log Analytics workspace when any API Management which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ display_name = "Deploy Diagnostic Settings for API Management to Log Analytics workspace"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Monitoring"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deploy-Diagnostics-APIMgmt"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "DeployIfNotExists",
+ "Disabled",
]
+ defaultValue = "DeployIfNotExists"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
+ logAnalytics = {
+ metadata = {
+ description = "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID."
+ displayName = "Log Analytics workspace"
+ strongType = "omsWorkspace"
}
+ type = "String"
}
+ logsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ displayName = "Enable logs"
}
+ type = "String"
}
+ metricsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ displayName = "Enable metrics"
}
+ type = "String"
}
+ profileName = {
+ defaultValue = "setbypolicy"
+ metadata = {
+ description = "The diagnostic settings profile name"
+ displayName = "Profile name"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ equals = "Microsoft.ApiManagement/service"
+ field = "type"
}
+ then = {
+ details = {
+ deployment = {
+ properties = {
+ mode = "Incremental"
+ parameters = {
+ location = {
+ value = "[field('location')]"
}
+ logAnalytics = {
+ value = "[parameters('logAnalytics')]"
}
+ logsEnabled = {
+ value = "[parameters('logsEnabled')]"
}
+ metricsEnabled = {
+ value = "[parameters('metricsEnabled')]"
}
+ profileName = {
+ value = "[parameters('profileName')]"
}
+ resourceName = {
+ value = "[field('name')]"
}
}
+ template = {
+ "$schema" = "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#"
+ contentVersion = "1.0.0.0"
+ outputs = {}
+ parameters = {
+ location = {
+ type = "String"
}
+ logAnalytics = {
+ type = "String"
}
+ logsEnabled = {
+ type = "String"
}
+ metricsEnabled = {
+ type = "String"
}
+ profileName = {
+ type = "String"
}
+ resourceName = {
+ type = "String"
}
}
+ resources = [
+ {
+ apiVersion = "2017-05-01-preview"
+ dependsOn = []
+ location = "[parameters('location')]"
+ name = "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]"
+ properties = {
+ logs = [
+ {
+ category = "GatewayLogs"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "WebSocketConnectionLogs"
+ enabled = "[parameters('logsEnabled')]"
},
]
+ metrics = [
+ {
+ category = "AllMetrics"
+ enabled = "[parameters('metricsEnabled')]"
+ retentionPolicy = {
+ days = 0
+ enabled = false
}
+ timeGrain = null
},
]
+ workspaceId = "[parameters('logAnalytics')]"
}
+ type = "Microsoft.ApiManagement/service/providers/diagnosticSettings"
},
]
+ variables = {}
}
}
}
+ existenceCondition = {
+ allOf = [
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/logs.enabled"
},
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/metrics.enabled"
},
+ {
+ equals = "[parameters('logAnalytics')]"
+ field = "Microsoft.Insights/diagnosticSettings/workspaceId"
},
]
}
+ name = "setByPolicy"
+ roleDefinitionIds = [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
]
+ type = "Microsoft.Insights/diagnosticSettings"
}
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AVDScalingPlans"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Deploys the diagnostic settings for AVD Scaling Plans to stream to a Log Analytics workspace when any Scaling Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all categories enabled."
+ display_name = "Deploy Diagnostic Settings for AVD Scaling Plans to Log Analytics workspace"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Monitoring"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deploy-Diagnostics-AVDScalingPlans"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "DeployIfNotExists",
+ "Disabled",
]
+ defaultValue = "DeployIfNotExists"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
+ logAnalytics = {
+ metadata = {
+ description = "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID."
+ displayName = "Log Analytics workspace"
+ strongType = "omsWorkspace"
}
+ type = "String"
}
+ logsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ displayName = "Enable logs"
}
+ type = "String"
}
+ profileName = {
+ defaultValue = "setbypolicy"
+ metadata = {
+ description = "The diagnostic settings profile name"
+ displayName = "Profile name"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ equals = "Microsoft.DesktopVirtualization/scalingplans"
+ field = "type"
}
+ then = {
+ details = {
+ deployment = {
+ properties = {
+ mode = "Incremental"
+ parameters = {
+ location = {
+ value = "[field('location')]"
}
+ logAnalytics = {
+ value = "[parameters('logAnalytics')]"
}
+ logsEnabled = {
+ value = "[parameters('logsEnabled')]"
}
+ profileName = {
+ value = "[parameters('profileName')]"
}
+ resourceName = {
+ value = "[field('name')]"
}
}
+ template = {
+ "$schema" = "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#"
+ contentVersion = "1.0.0.0"
+ outputs = {}
+ parameters = {
+ location = {
+ type = "String"
}
+ logAnalytics = {
+ type = "String"
}
+ logsEnabled = {
+ type = "String"
}
+ profileName = {
+ type = "String"
}
+ resourceName = {
+ type = "String"
}
}
+ resources = [
+ {
+ apiVersion = "2017-05-01-preview"
+ dependsOn = []
+ location = "[parameters('location')]"
+ name = "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]"
+ properties = {
+ logs = [
+ {
+ category = "Autoscale"
+ enabled = "[parameters('logsEnabled')]"
},
]
+ workspaceId = "[parameters('logAnalytics')]"
}
+ type = "Microsoft.DesktopVirtualization/scalingplans/providers/diagnosticSettings"
},
]
+ variables = {}
}
}
}
+ existenceCondition = {
+ allOf = [
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/logs.enabled"
},
+ {
+ equals = "[parameters('logAnalytics')]"
+ field = "Microsoft.Insights/diagnosticSettings/workspaceId"
},
]
}
+ name = "setByPolicy"
+ roleDefinitionIds = [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
]
+ type = "Microsoft.Insights/diagnosticSettings"
}
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-AnalysisService"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Deploys the diagnostic settings for Analysis Services to stream to a Log Analytics workspace when any Analysis Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ display_name = "Deploy Diagnostic Settings for Analysis Services to Log Analytics workspace"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Monitoring"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deploy-Diagnostics-AnalysisService"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "DeployIfNotExists",
+ "Disabled",
]
+ defaultValue = "DeployIfNotExists"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
+ logAnalytics = {
+ metadata = {
+ description = "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID."
+ displayName = "Log Analytics workspace"
+ strongType = "omsWorkspace"
}
+ type = "String"
}
+ logsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ displayName = "Enable logs"
}
+ type = "String"
}
+ metricsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ displayName = "Enable metrics"
}
+ type = "String"
}
+ profileName = {
+ defaultValue = "setbypolicy"
+ metadata = {
+ description = "The diagnostic settings profile name"
+ displayName = "Profile name"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ equals = "Microsoft.AnalysisServices/servers"
+ field = "type"
}
+ then = {
+ details = {
+ deployment = {
+ properties = {
+ mode = "Incremental"
+ parameters = {
+ location = {
+ value = "[field('location')]"
}
+ logAnalytics = {
+ value = "[parameters('logAnalytics')]"
}
+ logsEnabled = {
+ value = "[parameters('logsEnabled')]"
}
+ metricsEnabled = {
+ value = "[parameters('metricsEnabled')]"
}
+ profileName = {
+ value = "[parameters('profileName')]"
}
+ resourceName = {
+ value = "[field('name')]"
}
}
+ template = {
+ "$schema" = "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#"
+ contentVersion = "1.0.0.0"
+ outputs = {}
+ parameters = {
+ location = {
+ type = "String"
}
+ logAnalytics = {
+ type = "String"
}
+ logsEnabled = {
+ type = "String"
}
+ metricsEnabled = {
+ type = "String"
}
+ profileName = {
+ type = "String"
}
+ resourceName = {
+ type = "String"
}
}
+ resources = [
+ {
+ apiVersion = "2017-05-01-preview"
+ dependsOn = []
+ location = "[parameters('location')]"
+ name = "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]"
+ properties = {
+ logs = [
+ {
+ category = "Engine"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "Service"
+ enabled = "[parameters('logsEnabled')]"
},
]
+ metrics = [
+ {
+ category = "AllMetrics"
+ enabled = "[parameters('metricsEnabled')]"
+ retentionPolicy = {
+ days = 0
+ enabled = false
}
+ timeGrain = null
},
]
+ workspaceId = "[parameters('logAnalytics')]"
}
+ type = "Microsoft.AnalysisServices/servers/providers/diagnosticSettings"
},
]
+ variables = {}
}
}
}
+ existenceCondition = {
+ allOf = [
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/logs.enabled"
},
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/metrics.enabled"
},
+ {
+ equals = "[parameters('logAnalytics')]"
+ field = "Microsoft.Insights/diagnosticSettings/workspaceId"
},
]
}
+ name = "setByPolicy"
+ roleDefinitionIds = [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
]
+ type = "Microsoft.Insights/diagnosticSettings"
}
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApiForFHIR"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Deploys the diagnostic settings for Azure API for FHIR to stream to a Log Analytics workspace when any Azure API for FHIR which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ display_name = "Deploy Diagnostic Settings for Azure API for FHIR to Log Analytics workspace"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Monitoring"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deploy-Diagnostics-ApiForFHIR"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "DeployIfNotExists",
+ "Disabled",
]
+ defaultValue = "DeployIfNotExists"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
+ logAnalytics = {
+ metadata = {
+ description = "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID."
+ displayName = "Log Analytics workspace"
+ strongType = "omsWorkspace"
}
+ type = "String"
}
+ logsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ displayName = "Enable logs"
}
+ type = "String"
}
+ metricsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ displayName = "Enable metrics"
}
+ type = "String"
}
+ profileName = {
+ defaultValue = "setbypolicy"
+ metadata = {
+ description = "The diagnostic settings profile name"
+ displayName = "Profile name"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ equals = "Microsoft.HealthcareApis/services"
+ field = "type"
}
+ then = {
+ details = {
+ deployment = {
+ properties = {
+ mode = "Incremental"
+ parameters = {
+ location = {
+ value = "[field('location')]"
}
+ logAnalytics = {
+ value = "[parameters('logAnalytics')]"
}
+ logsEnabled = {
+ value = "[parameters('logsEnabled')]"
}
+ metricsEnabled = {
+ value = "[parameters('metricsEnabled')]"
}
+ profileName = {
+ value = "[parameters('profileName')]"
}
+ resourceName = {
+ value = "[field('name')]"
}
}
+ template = {
+ "$schema" = "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#"
+ contentVersion = "1.0.0.0"
+ outputs = {}
+ parameters = {
+ location = {
+ type = "String"
}
+ logAnalytics = {
+ type = "String"
}
+ logsEnabled = {
+ type = "String"
}
+ metricsEnabled = {
+ type = "String"
}
+ profileName = {
+ type = "String"
}
+ resourceName = {
+ type = "String"
}
}
+ resources = [
+ {
+ apiVersion = "2017-05-01-preview"
+ dependsOn = []
+ location = "[parameters('location')]"
+ name = "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]"
+ properties = {
+ logs = [
+ {
+ category = "AuditLogs"
+ enabled = "[parameters('logsEnabled')]"
},
]
+ metrics = [
+ {
+ category = "AllMetrics"
+ enabled = "[parameters('metricsEnabled')]"
+ retentionPolicy = {
+ days = 0
+ enabled = false
}
+ timeGrain = null
},
]
+ workspaceId = "[parameters('logAnalytics')]"
}
+ type = "Microsoft.HealthcareApis/services/providers/diagnosticSettings"
},
]
+ variables = {}
}
}
}
+ existenceCondition = {
+ allOf = [
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/logs.enabled"
},
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/metrics.enabled"
},
+ {
+ equals = "[parameters('logAnalytics')]"
+ field = "Microsoft.Insights/diagnosticSettings/workspaceId"
},
]
}
+ name = "setByPolicy"
+ roleDefinitionIds = [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
]
+ type = "Microsoft.Insights/diagnosticSettings"
}
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ApplicationGateway"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Deploys the diagnostic settings for Application Gateway to stream to a Log Analytics workspace when any Application Gateway which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ display_name = "Deploy Diagnostic Settings for Application Gateway to Log Analytics workspace"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Monitoring"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deploy-Diagnostics-ApplicationGateway"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "DeployIfNotExists",
+ "Disabled",
]
+ defaultValue = "DeployIfNotExists"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
+ logAnalytics = {
+ metadata = {
+ description = "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID."
+ displayName = "Log Analytics workspace"
+ strongType = "omsWorkspace"
}
+ type = "String"
}
+ logsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ displayName = "Enable logs"
}
+ type = "String"
}
+ metricsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ displayName = "Enable metrics"
}
+ type = "String"
}
+ profileName = {
+ defaultValue = "setbypolicy"
+ metadata = {
+ description = "The diagnostic settings profile name"
+ displayName = "Profile name"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ equals = "Microsoft.Network/applicationGateways"
+ field = "type"
}
+ then = {
+ details = {
+ deployment = {
+ properties = {
+ mode = "Incremental"
+ parameters = {
+ location = {
+ value = "[field('location')]"
}
+ logAnalytics = {
+ value = "[parameters('logAnalytics')]"
}
+ logsEnabled = {
+ value = "[parameters('logsEnabled')]"
}
+ metricsEnabled = {
+ value = "[parameters('metricsEnabled')]"
}
+ profileName = {
+ value = "[parameters('profileName')]"
}
+ resourceName = {
+ value = "[field('name')]"
}
}
+ template = {
+ "$schema" = "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#"
+ contentVersion = "1.0.0.0"
+ outputs = {}
+ parameters = {
+ location = {
+ type = "String"
}
+ logAnalytics = {
+ type = "String"
}
+ logsEnabled = {
+ type = "String"
}
+ metricsEnabled = {
+ type = "String"
}
+ profileName = {
+ type = "String"
}
+ resourceName = {
+ type = "String"
}
}
+ resources = [
+ {
+ apiVersion = "2017-05-01-preview"
+ dependsOn = []
+ location = "[parameters('location')]"
+ name = "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]"
+ properties = {
+ logs = [
+ {
+ category = "ApplicationGatewayAccessLog"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "ApplicationGatewayPerformanceLog"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "ApplicationGatewayFirewallLog"
+ enabled = "[parameters('logsEnabled')]"
},
]
+ metrics = [
+ {
+ category = "AllMetrics"
+ enabled = "[parameters('metricsEnabled')]"
+ retentionPolicy = {
+ days = 0
+ enabled = false
}
+ timeGrain = null
},
]
+ workspaceId = "[parameters('logAnalytics')]"
}
+ type = "Microsoft.Network/applicationGateways/providers/diagnosticSettings"
},
]
+ variables = {}
}
}
}
+ existenceCondition = {
+ allOf = [
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/logs.enabled"
},
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/metrics.enabled"
},
+ {
+ equals = "[parameters('logAnalytics')]"
+ field = "Microsoft.Insights/diagnosticSettings/workspaceId"
},
]
}
+ name = "setByPolicy"
+ roleDefinitionIds = [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
]
+ type = "Microsoft.Insights/diagnosticSettings"
}
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Bastion"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Deploys the diagnostic settings for Azure Bastion to stream to a Log Analytics workspace when any Azure Bastion which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ display_name = "Deploy Diagnostic Settings for Azure Bastion to Log Analytics workspace"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Monitoring"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deploy-Diagnostics-Bastion"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "DeployIfNotExists",
+ "Disabled",
]
+ defaultValue = "DeployIfNotExists"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
+ logAnalytics = {
+ metadata = {
+ description = "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID."
+ displayName = "Log Analytics workspace"
+ strongType = "omsWorkspace"
}
+ type = "String"
}
+ logsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ displayName = "Enable logs"
}
+ type = "String"
}
+ metricsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ displayName = "Enable metrics"
}
+ type = "String"
}
+ profileName = {
+ defaultValue = "setbypolicy"
+ metadata = {
+ description = "The diagnostic settings profile name"
+ displayName = "Profile name"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ equals = "Microsoft.Network/bastionHosts"
+ field = "type"
}
+ then = {
+ details = {
+ deployment = {
+ properties = {
+ mode = "Incremental"
+ parameters = {
+ location = {
+ value = "[field('location')]"
}
+ logAnalytics = {
+ value = "[parameters('logAnalytics')]"
}
+ logsEnabled = {
+ value = "[parameters('logsEnabled')]"
}
+ metricsEnabled = {
+ value = "[parameters('metricsEnabled')]"
}
+ profileName = {
+ value = "[parameters('profileName')]"
}
+ resourceName = {
+ value = "[field('name')]"
}
}
+ template = {
+ "$schema" = "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#"
+ contentVersion = "1.0.0.0"
+ outputs = {}
+ parameters = {
+ location = {
+ type = "String"
}
+ logAnalytics = {
+ type = "String"
}
+ logsEnabled = {
+ type = "String"
}
+ metricsEnabled = {
+ type = "String"
}
+ profileName = {
+ type = "String"
}
+ resourceName = {
+ type = "String"
}
}
+ resources = [
+ {
+ apiVersion = "2017-05-01-preview"
+ dependsOn = []
+ location = "[parameters('location')]"
+ name = "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]"
+ properties = {
+ logs = [
+ {
+ category = "BastionAuditLogs"
+ enabled = "[parameters('logsEnabled')]"
},
]
+ metrics = [
+ {
+ category = "AllMetrics"
+ enabled = "[parameters('metricsEnabled')]"
+ retentionPolicy = {
+ days = 0
+ enabled = false
}
+ timeGrain = null
},
]
+ workspaceId = "[parameters('logAnalytics')]"
}
+ type = "Microsoft.Network/bastionHosts/providers/diagnosticSettings"
},
]
+ variables = {}
}
}
}
+ existenceCondition = {
+ allOf = [
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/logs.enabled"
},
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/metrics.enabled"
},
+ {
+ equals = "[parameters('logAnalytics')]"
+ field = "Microsoft.Insights/diagnosticSettings/workspaceId"
},
]
}
+ name = "setByPolicy"
+ roleDefinitionIds = [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
]
+ type = "Microsoft.Insights/diagnosticSettings"
}
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CDNEndpoints"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Deploys the diagnostic settings for CDN Endpoint to stream to a Log Analytics workspace when any CDN Endpoint which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ display_name = "Deploy Diagnostic Settings for CDN Endpoint to Log Analytics workspace"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Monitoring"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deploy-Diagnostics-CDNEndpoints"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "DeployIfNotExists",
+ "Disabled",
]
+ defaultValue = "DeployIfNotExists"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
+ logAnalytics = {
+ metadata = {
+ description = "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID."
+ displayName = "Log Analytics workspace"
+ strongType = "omsWorkspace"
}
+ type = "String"
}
+ logsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ displayName = "Enable logs"
}
+ type = "String"
}
+ profileName = {
+ defaultValue = "setbypolicy"
+ metadata = {
+ description = "The diagnostic settings profile name"
+ displayName = "Profile name"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ equals = "Microsoft.Cdn/profiles/endpoints"
+ field = "type"
}
+ then = {
+ details = {
+ deployment = {
+ properties = {
+ mode = "Incremental"
+ parameters = {
+ location = {
+ value = "[field('location')]"
}
+ logAnalytics = {
+ value = "[parameters('logAnalytics')]"
}
+ logsEnabled = {
+ value = "[parameters('logsEnabled')]"
}
+ profileName = {
+ value = "[parameters('profileName')]"
}
+ resourceName = {
+ value = "[field('fullName')]"
}
}
+ template = {
+ "$schema" = "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#"
+ contentVersion = "1.0.0.0"
+ outputs = {}
+ parameters = {
+ location = {
+ type = "String"
}
+ logAnalytics = {
+ type = "String"
}
+ logsEnabled = {
+ type = "String"
}
+ profileName = {
+ type = "String"
}
+ resourceName = {
+ type = "String"
}
}
+ resources = [
+ {
+ apiVersion = "2017-05-01-preview"
+ dependsOn = []
+ location = "[parameters('location')]"
+ name = "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]"
+ properties = {
+ logs = [
+ {
+ category = "CoreAnalytics"
+ enabled = "[parameters('logsEnabled')]"
},
]
+ metrics = []
+ workspaceId = "[parameters('logAnalytics')]"
}
+ type = "Microsoft.Cdn/profiles/endpoints/providers/diagnosticSettings"
},
]
+ variables = {}
}
}
}
+ existenceCondition = {
+ allOf = [
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/logs.enabled"
},
+ {
+ equals = "[parameters('logAnalytics')]"
+ field = "Microsoft.Insights/diagnosticSettings/workspaceId"
},
]
}
+ name = "setByPolicy"
+ roleDefinitionIds = [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
]
+ type = "Microsoft.Insights/diagnosticSettings"
}
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CognitiveServices"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Deploys the diagnostic settings for Cognitive Services to stream to a Log Analytics workspace when any Cognitive Services which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ display_name = "Deploy Diagnostic Settings for Cognitive Services to Log Analytics workspace"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Monitoring"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deploy-Diagnostics-CognitiveServices"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "DeployIfNotExists",
+ "Disabled",
]
+ defaultValue = "DeployIfNotExists"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
+ logAnalytics = {
+ metadata = {
+ description = "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID."
+ displayName = "Log Analytics workspace"
+ strongType = "omsWorkspace"
}
+ type = "String"
}
+ logsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ displayName = "Enable logs"
}
+ type = "String"
}
+ metricsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ displayName = "Enable metrics"
}
+ type = "String"
}
+ profileName = {
+ defaultValue = "setbypolicy"
+ metadata = {
+ description = "The diagnostic settings profile name"
+ displayName = "Profile name"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ equals = "Microsoft.CognitiveServices/accounts"
+ field = "type"
}
+ then = {
+ details = {
+ deployment = {
+ properties = {
+ mode = "Incremental"
+ parameters = {
+ location = {
+ value = "[field('location')]"
}
+ logAnalytics = {
+ value = "[parameters('logAnalytics')]"
}
+ logsEnabled = {
+ value = "[parameters('logsEnabled')]"
}
+ metricsEnabled = {
+ value = "[parameters('metricsEnabled')]"
}
+ profileName = {
+ value = "[parameters('profileName')]"
}
+ resourceName = {
+ value = "[field('name')]"
}
}
+ template = {
+ "$schema" = "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#"
+ contentVersion = "1.0.0.0"
+ outputs = {}
+ parameters = {
+ location = {
+ type = "String"
}
+ logAnalytics = {
+ type = "String"
}
+ logsEnabled = {
+ type = "String"
}
+ metricsEnabled = {
+ type = "String"
}
+ profileName = {
+ type = "String"
}
+ resourceName = {
+ type = "String"
}
}
+ resources = [
+ {
+ apiVersion = "2017-05-01-preview"
+ dependsOn = []
+ location = "[parameters('location')]"
+ name = "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]"
+ properties = {
+ logs = [
+ {
+ category = "Audit"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "RequestResponse"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "Trace"
+ enabled = "[parameters('logsEnabled')]"
},
]
+ metrics = [
+ {
+ category = "AllMetrics"
+ enabled = "[parameters('metricsEnabled')]"
+ retentionPolicy = {
+ days = 0
+ enabled = false
}
+ timeGrain = null
},
]
+ workspaceId = "[parameters('logAnalytics')]"
}
+ type = "Microsoft.CognitiveServices/accounts/providers/diagnosticSettings"
},
]
+ variables = {}
}
}
}
+ existenceCondition = {
+ allOf = [
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/logs.enabled"
},
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/metrics.enabled"
},
+ {
+ equals = "[parameters('logAnalytics')]"
+ field = "Microsoft.Insights/diagnosticSettings/workspaceId"
},
]
}
+ name = "setByPolicy"
+ roleDefinitionIds = [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
]
+ type = "Microsoft.Insights/diagnosticSettings"
}
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-CosmosDB"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Deploys the diagnostic settings for Cosmos DB to stream to a Log Analytics workspace when any Cosmos DB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ display_name = "Deploy Diagnostic Settings for Cosmos DB to Log Analytics workspace"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Monitoring"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deploy-Diagnostics-CosmosDB"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "DeployIfNotExists",
+ "Disabled",
]
+ defaultValue = "DeployIfNotExists"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
+ logAnalytics = {
+ metadata = {
+ description = "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID."
+ displayName = "Log Analytics workspace"
+ strongType = "omsWorkspace"
}
+ type = "String"
}
+ logsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ displayName = "Enable logs"
}
+ type = "String"
}
+ metricsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ displayName = "Enable metrics"
}
+ type = "String"
}
+ profileName = {
+ defaultValue = "setbypolicy"
+ metadata = {
+ description = "The diagnostic settings profile name"
+ displayName = "Profile name"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ equals = "Microsoft.DocumentDB/databaseAccounts"
+ field = "type"
}
+ then = {
+ details = {
+ deployment = {
+ properties = {
+ mode = "Incremental"
+ parameters = {
+ location = {
+ value = "[field('location')]"
}
+ logAnalytics = {
+ value = "[parameters('logAnalytics')]"
}
+ logsEnabled = {
+ value = "[parameters('logsEnabled')]"
}
+ metricsEnabled = {
+ value = "[parameters('metricsEnabled')]"
}
+ profileName = {
+ value = "[parameters('profileName')]"
}
+ resourceName = {
+ value = "[field('name')]"
}
}
+ template = {
+ "$schema" = "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#"
+ contentVersion = "1.0.0.0"
+ outputs = {}
+ parameters = {
+ location = {
+ type = "String"
}
+ logAnalytics = {
+ type = "String"
}
+ logsEnabled = {
+ type = "String"
}
+ metricsEnabled = {
+ type = "String"
}
+ profileName = {
+ type = "String"
}
+ resourceName = {
+ type = "String"
}
}
+ resources = [
+ {
+ apiVersion = "2017-05-01-preview"
+ dependsOn = []
+ location = "[parameters('location')]"
+ name = "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]"
+ properties = {
+ logs = [
+ {
+ category = "DataPlaneRequests"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "MongoRequests"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "QueryRuntimeStatistics"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "PartitionKeyStatistics"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "PartitionKeyRUConsumption"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "ControlPlaneRequests"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "CassandraRequests"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "GremlinRequests"
+ enabled = "[parameters('logsEnabled')]"
},
]
+ metrics = [
+ {
+ category = "Requests"
+ enabled = "[parameters('metricsEnabled')]"
+ retentionPolicy = {
+ days = 0
+ enabled = false
}
+ timeGrain = null
},
]
+ workspaceId = "[parameters('logAnalytics')]"
}
+ type = "Microsoft.DocumentDB/databaseAccounts/providers/diagnosticSettings"
},
]
+ variables = {}
}
}
}
+ existenceCondition = {
+ allOf = [
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/logs.enabled"
},
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/metrics.enabled"
},
+ {
+ equals = "[parameters('logAnalytics')]"
+ field = "Microsoft.Insights/diagnosticSettings/workspaceId"
},
]
}
+ name = "setByPolicy"
+ roleDefinitionIds = [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
]
+ type = "Microsoft.Insights/diagnosticSettings"
}
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DLAnalytics"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Deploys the diagnostic settings for Data Lake Analytics to stream to a Log Analytics workspace when any Data Lake Analytics which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ display_name = "Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Monitoring"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deploy-Diagnostics-DLAnalytics"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "DeployIfNotExists",
+ "Disabled",
]
+ defaultValue = "DeployIfNotExists"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
+ logAnalytics = {
+ metadata = {
+ description = "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID."
+ displayName = "Log Analytics workspace"
+ strongType = "omsWorkspace"
}
+ type = "String"
}
+ logsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ displayName = "Enable logs"
}
+ type = "String"
}
+ metricsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ displayName = "Enable metrics"
}
+ type = "String"
}
+ profileName = {
+ defaultValue = "setbypolicy"
+ metadata = {
+ description = "The diagnostic settings profile name"
+ displayName = "Profile name"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ equals = "Microsoft.DataLakeAnalytics/accounts"
+ field = "type"
}
+ then = {
+ details = {
+ deployment = {
+ properties = {
+ mode = "Incremental"
+ parameters = {
+ location = {
+ value = "[field('location')]"
}
+ logAnalytics = {
+ value = "[parameters('logAnalytics')]"
}
+ logsEnabled = {
+ value = "[parameters('logsEnabled')]"
}
+ metricsEnabled = {
+ value = "[parameters('metricsEnabled')]"
}
+ profileName = {
+ value = "[parameters('profileName')]"
}
+ resourceName = {
+ value = "[field('name')]"
}
}
+ template = {
+ "$schema" = "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#"
+ contentVersion = "1.0.0.0"
+ outputs = {}
+ parameters = {
+ location = {
+ type = "String"
}
+ logAnalytics = {
+ type = "String"
}
+ logsEnabled = {
+ type = "String"
}
+ metricsEnabled = {
+ type = "String"
}
+ profileName = {
+ type = "String"
}
+ resourceName = {
+ type = "String"
}
}
+ resources = [
+ {
+ apiVersion = "2017-05-01-preview"
+ dependsOn = []
+ location = "[parameters('location')]"
+ name = "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]"
+ properties = {
+ logs = [
+ {
+ category = "Audit"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "Requests"
+ enabled = "[parameters('logsEnabled')]"
},
]
+ metrics = [
+ {
+ category = "AllMetrics"
+ enabled = "[parameters('metricsEnabled')]"
+ retentionPolicy = {
+ days = 0
+ enabled = false
}
+ timeGrain = null
},
]
+ workspaceId = "[parameters('logAnalytics')]"
}
+ type = "Microsoft.DataLakeAnalytics/accounts/providers/diagnosticSettings"
},
]
+ variables = {}
}
}
}
+ existenceCondition = {
+ allOf = [
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/logs.enabled"
},
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/metrics.enabled"
},
+ {
+ equals = "[parameters('logAnalytics')]"
+ field = "Microsoft.Insights/diagnosticSettings/workspaceId"
},
]
}
+ name = "setByPolicy"
+ roleDefinitionIds = [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
]
+ type = "Microsoft.Insights/diagnosticSettings"
}
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataExplorerCluster"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Deploys the diagnostic settings for Azure Data Explorer Cluster to stream to a Log Analytics workspace when any Azure Data Explorer Cluster which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ display_name = "Deploy Diagnostic Settings for Azure Data Explorer Cluster to Log Analytics workspace"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Monitoring"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deploy-Diagnostics-DataExplorerCluster"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "DeployIfNotExists",
+ "Disabled",
]
+ defaultValue = "DeployIfNotExists"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
+ logAnalytics = {
+ metadata = {
+ description = "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID."
+ displayName = "Log Analytics workspace"
+ strongType = "omsWorkspace"
}
+ type = "String"
}
+ logsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ displayName = "Enable logs"
}
+ type = "String"
}
+ metricsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ displayName = "Enable metrics"
}
+ type = "String"
}
+ profileName = {
+ defaultValue = "setbypolicy"
+ metadata = {
+ description = "The diagnostic settings profile name"
+ displayName = "Profile name"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ equals = "Microsoft.Kusto/Clusters"
+ field = "type"
}
+ then = {
+ details = {
+ deployment = {
+ properties = {
+ mode = "Incremental"
+ parameters = {
+ location = {
+ value = "[field('location')]"
}
+ logAnalytics = {
+ value = "[parameters('logAnalytics')]"
}
+ logsEnabled = {
+ value = "[parameters('logsEnabled')]"
}
+ metricsEnabled = {
+ value = "[parameters('metricsEnabled')]"
}
+ profileName = {
+ value = "[parameters('profileName')]"
}
+ resourceName = {
+ value = "[field('name')]"
}
}
+ template = {
+ "$schema" = "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#"
+ contentVersion = "1.0.0.0"
+ outputs = {}
+ parameters = {
+ location = {
+ type = "String"
}
+ logAnalytics = {
+ type = "String"
}
+ logsEnabled = {
+ type = "String"
}
+ metricsEnabled = {
+ type = "String"
}
+ profileName = {
+ type = "String"
}
+ resourceName = {
+ type = "String"
}
}
+ resources = [
+ {
+ apiVersion = "2017-05-01-preview"
+ dependsOn = []
+ location = "[parameters('location')]"
+ name = "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]"
+ properties = {
+ logs = [
+ {
+ category = "SucceededIngestion"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "FailedIngestion"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "IngestionBatching"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "Command"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "Query"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "TableUsageStatistics"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "TableDetails"
+ enabled = "[parameters('logsEnabled')]"
},
]
+ metrics = [
+ {
+ category = "AllMetrics"
+ enabled = "[parameters('metricsEnabled')]"
+ retentionPolicy = {
+ days = 0
+ enabled = false
}
+ timeGrain = null
},
]
+ workspaceId = "[parameters('logAnalytics')]"
}
+ type = "Microsoft.Kusto/Clusters/providers/diagnosticSettings"
},
]
+ variables = {}
}
}
}
+ existenceCondition = {
+ allOf = [
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/logs.enabled"
},
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/metrics.enabled"
},
+ {
+ equals = "[parameters('logAnalytics')]"
+ field = "Microsoft.Insights/diagnosticSettings/workspaceId"
},
]
}
+ name = "setByPolicy"
+ roleDefinitionIds = [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
]
+ type = "Microsoft.Insights/diagnosticSettings"
}
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-DataFactory"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Deploys the diagnostic settings for Data Factory to stream to a Log Analytics workspace when any Data Factory which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ display_name = "Deploy Diagnostic Settings for Data Factory to Log Analytics workspace"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Monitoring"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deploy-Diagnostics-DataFactory"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "DeployIfNotExists",
+ "Disabled",
]
+ defaultValue = "DeployIfNotExists"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
+ logAnalytics = {
+ metadata = {
+ description = "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID."
+ displayName = "Log Analytics workspace"
+ strongType = "omsWorkspace"
}
+ type = "String"
}
+ logsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ displayName = "Enable logs"
}
+ type = "String"
}
+ metricsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ displayName = "Enable metrics"
}
+ type = "String"
}
+ profileName = {
+ defaultValue = "setbypolicy"
+ metadata = {
+ description = "The diagnostic settings profile name"
+ displayName = "Profile name"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ equals = "Microsoft.DataFactory/factories"
+ field = "type"
}
+ then = {
+ details = {
+ deployment = {
+ properties = {
+ mode = "Incremental"
+ parameters = {
+ location = {
+ value = "[field('location')]"
}
+ logAnalytics = {
+ value = "[parameters('logAnalytics')]"
}
+ logsEnabled = {
+ value = "[parameters('logsEnabled')]"
}
+ metricsEnabled = {
+ value = "[parameters('metricsEnabled')]"
}
+ profileName = {
+ value = "[parameters('profileName')]"
}
+ resourceName = {
+ value = "[field('name')]"
}
}
+ template = {
+ "$schema" = "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#"
+ contentVersion = "1.0.0.0"
+ outputs = {}
+ parameters = {
+ location = {
+ type = "String"
}
+ logAnalytics = {
+ type = "String"
}
+ logsEnabled = {
+ type = "String"
}
+ metricsEnabled = {
+ type = "String"
}
+ profileName = {
+ type = "String"
}
+ resourceName = {
+ type = "String"
}
}
+ resources = [
+ {
+ apiVersion = "2017-05-01-preview"
+ dependsOn = []
+ location = "[parameters('location')]"
+ name = "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]"
+ properties = {
+ logs = [
+ {
+ category = "ActivityRuns"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "PipelineRuns"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "TriggerRuns"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "SSISPackageEventMessages"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "SSISPackageExecutableStatistics"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "SSISPackageEventMessageContext"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "SSISPackageExecutionComponentPhases"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "SSISPackageExecutionDataStatistics"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "SSISIntegrationRuntimeLogs"
+ enabled = "[parameters('logsEnabled')]"
},
]
+ metrics = [
+ {
+ category = "AllMetrics"
+ enabled = "[parameters('metricsEnabled')]"
+ retentionPolicy = {
+ days = 0
+ enabled = false
}
+ timeGrain = null
},
]
+ workspaceId = "[parameters('logAnalytics')]"
}
+ type = "Microsoft.DataFactory/factories/providers/diagnosticSettings"
},
]
+ variables = {}
}
}
}
+ existenceCondition = {
+ allOf = [
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/logs.enabled"
},
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/metrics.enabled"
},
+ {
+ equals = "[parameters('logAnalytics')]"
+ field = "Microsoft.Insights/diagnosticSettings/workspaceId"
},
]
}
+ name = "setByPolicy"
+ roleDefinitionIds = [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
]
+ type = "Microsoft.Insights/diagnosticSettings"
}
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Databricks"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Deploys the diagnostic settings for Databricks to stream to a Log Analytics workspace when any Databricks which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ display_name = "Deploy Diagnostic Settings for Databricks to Log Analytics workspace"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Monitoring"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deploy-Diagnostics-Databricks"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "DeployIfNotExists",
+ "Disabled",
]
+ defaultValue = "DeployIfNotExists"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
+ logAnalytics = {
+ metadata = {
+ description = "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID."
+ displayName = "Log Analytics workspace"
+ strongType = "omsWorkspace"
}
+ type = "String"
}
+ logsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ displayName = "Enable logs"
}
+ type = "String"
}
+ profileName = {
+ defaultValue = "setbypolicy"
+ metadata = {
+ description = "The diagnostic settings profile name"
+ displayName = "Profile name"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ equals = "Microsoft.Databricks/workspaces"
+ field = "type"
}
+ then = {
+ details = {
+ deployment = {
+ properties = {
+ mode = "Incremental"
+ parameters = {
+ location = {
+ value = "[field('location')]"
}
+ logAnalytics = {
+ value = "[parameters('logAnalytics')]"
}
+ logsEnabled = {
+ value = "[parameters('logsEnabled')]"
}
+ profileName = {
+ value = "[parameters('profileName')]"
}
+ resourceName = {
+ value = "[field('name')]"
}
}
+ template = {
+ "$schema" = "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#"
+ contentVersion = "1.0.0.0"
+ outputs = {}
+ parameters = {
+ location = {
+ type = "String"
}
+ logAnalytics = {
+ type = "String"
}
+ logsEnabled = {
+ type = "String"
}
+ profileName = {
+ type = "String"
}
+ resourceName = {
+ type = "String"
}
}
+ resources = [
+ {
+ apiVersion = "2017-05-01-preview"
+ dependsOn = []
+ location = "[parameters('location')]"
+ name = "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]"
+ properties = {
+ logs = [
+ {
+ category = "dbfs"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "clusters"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "accounts"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "jobs"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "notebook"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "ssh"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "workspace"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "secrets"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "sqlPermissions"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "instancePools"
+ enabled = "[parameters('logsEnabled')]"
},
]
+ workspaceId = "[parameters('logAnalytics')]"
}
+ type = "Microsoft.Databricks/workspaces/providers/diagnosticSettings"
},
]
+ variables = {}
}
}
}
+ existenceCondition = {
+ allOf = [
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/logs.enabled"
},
+ {
+ equals = "[parameters('logAnalytics')]"
+ field = "Microsoft.Insights/diagnosticSettings/workspaceId"
},
]
}
+ name = "setByPolicy"
+ roleDefinitionIds = [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
]
+ type = "Microsoft.Insights/diagnosticSettings"
}
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSub"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Deploys the diagnostic settings for Event Grid subscriptions to stream to a Log Analytics workspace when any Event Grid subscriptions which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ display_name = "Deploy Diagnostic Settings for Event Grid subscriptions to Log Analytics workspace"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Monitoring"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deploy-Diagnostics-EventGridSub"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "DeployIfNotExists",
+ "Disabled",
]
+ defaultValue = "DeployIfNotExists"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
+ logAnalytics = {
+ metadata = {
+ description = "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID."
+ displayName = "Log Analytics workspace"
+ strongType = "omsWorkspace"
}
+ type = "String"
}
+ metricsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ displayName = "Enable metrics"
}
+ type = "String"
}
+ profileName = {
+ defaultValue = "setbypolicy"
+ metadata = {
+ description = "The diagnostic settings profile name"
+ displayName = "Profile name"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ equals = "Microsoft.EventGrid/eventSubscriptions"
+ field = "type"
}
+ then = {
+ details = {
+ deployment = {
+ properties = {
+ mode = "Incremental"
+ parameters = {
+ location = {
+ value = "[field('location')]"
}
+ logAnalytics = {
+ value = "[parameters('logAnalytics')]"
}
+ metricsEnabled = {
+ value = "[parameters('metricsEnabled')]"
}
+ profileName = {
+ value = "[parameters('profileName')]"
}
+ resourceName = {
+ value = "[field('name')]"
}
}
+ template = {
+ "$schema" = "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#"
+ contentVersion = "1.0.0.0"
+ outputs = {}
+ parameters = {
+ location = {
+ type = "String"
}
+ logAnalytics = {
+ type = "String"
}
+ metricsEnabled = {
+ type = "String"
}
+ profileName = {
+ type = "String"
}
+ resourceName = {
+ type = "String"
}
}
+ resources = [
+ {
+ apiVersion = "2017-05-01-preview"
+ dependsOn = []
+ location = "[parameters('location')]"
+ name = "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]"
+ properties = {
+ logs = []
+ metrics = [
+ {
+ category = "AllMetrics"
+ enabled = "[parameters('metricsEnabled')]"
+ retentionPolicy = {
+ days = 0
+ enabled = false
}
+ timeGrain = null
},
]
+ workspaceId = "[parameters('logAnalytics')]"
}
+ type = "Microsoft.EventGrid/eventSubscriptions/providers/diagnosticSettings"
},
]
+ variables = {}
}
}
}
+ existenceCondition = {
+ allOf = [
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/metrics.enabled"
},
+ {
+ equals = "[parameters('logAnalytics')]"
+ field = "Microsoft.Insights/diagnosticSettings/workspaceId"
},
]
}
+ name = "setByPolicy"
+ roleDefinitionIds = [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
]
+ type = "Microsoft.Insights/diagnosticSettings"
}
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridSystemTopic"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Deploys the diagnostic settings for Event Grid System Topic to stream to a Log Analytics workspace when any Event Grid System Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ display_name = "Deploy Diagnostic Settings for Event Grid System Topic to Log Analytics workspace"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Monitoring"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deploy-Diagnostics-EventGridSystemTopic"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "DeployIfNotExists",
+ "Disabled",
]
+ defaultValue = "DeployIfNotExists"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
+ logAnalytics = {
+ metadata = {
+ description = "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID."
+ displayName = "Log Analytics workspace"
+ strongType = "omsWorkspace"
}
+ type = "String"
}
+ logsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ displayName = "Enable logs"
}
+ type = "String"
}
+ metricsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ displayName = "Enable metrics"
}
+ type = "String"
}
+ profileName = {
+ defaultValue = "setbypolicy"
+ metadata = {
+ description = "The diagnostic settings profile name"
+ displayName = "Profile name"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ equals = "Microsoft.EventGrid/systemTopics"
+ field = "type"
}
+ then = {
+ details = {
+ deployment = {
+ properties = {
+ mode = "Incremental"
+ parameters = {
+ location = {
+ value = "[field('location')]"
}
+ logAnalytics = {
+ value = "[parameters('logAnalytics')]"
}
+ logsEnabled = {
+ value = "[parameters('logsEnabled')]"
}
+ metricsEnabled = {
+ value = "[parameters('metricsEnabled')]"
}
+ profileName = {
+ value = "[parameters('profileName')]"
}
+ resourceName = {
+ value = "[field('name')]"
}
}
+ template = {
+ "$schema" = "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#"
+ contentVersion = "1.0.0.0"
+ outputs = {}
+ parameters = {
+ location = {
+ type = "String"
}
+ logAnalytics = {
+ type = "String"
}
+ logsEnabled = {
+ type = "String"
}
+ metricsEnabled = {
+ type = "String"
}
+ profileName = {
+ type = "String"
}
+ resourceName = {
+ type = "String"
}
}
+ resources = [
+ {
+ apiVersion = "2017-05-01-preview"
+ dependsOn = []
+ location = "[parameters('location')]"
+ name = "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]"
+ properties = {
+ logs = [
+ {
+ category = "DeliveryFailures"
+ enabled = "[parameters('logsEnabled')]"
},
]
+ metrics = [
+ {
+ category = "AllMetrics"
+ enabled = "[parameters('metricsEnabled')]"
+ retentionPolicy = {
+ days = 0
+ enabled = false
}
+ timeGrain = null
},
]
+ workspaceId = "[parameters('logAnalytics')]"
}
+ type = "Microsoft.EventGrid/systemTopics/providers/diagnosticSettings"
},
]
+ variables = {}
}
}
}
+ existenceCondition = {
+ allOf = [
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/logs.enabled"
},
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/metrics.enabled"
},
+ {
+ equals = "[parameters('logAnalytics')]"
+ field = "Microsoft.Insights/diagnosticSettings/workspaceId"
},
]
}
+ name = "setByPolicy"
+ roleDefinitionIds = [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
]
+ type = "Microsoft.Insights/diagnosticSettings"
}
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-EventGridTopic"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Deploys the diagnostic settings for Event Grid Topic to stream to a Log Analytics workspace when any Event Grid Topic which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ display_name = "Deploy Diagnostic Settings for Event Grid Topic to Log Analytics workspace"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Monitoring"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deploy-Diagnostics-EventGridTopic"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "DeployIfNotExists",
+ "Disabled",
]
+ defaultValue = "DeployIfNotExists"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
+ logAnalytics = {
+ metadata = {
+ description = "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID."
+ displayName = "Log Analytics workspace"
+ strongType = "omsWorkspace"
}
+ type = "String"
}
+ logsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ displayName = "Enable logs"
}
+ type = "String"
}
+ metricsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ displayName = "Enable metrics"
}
+ type = "String"
}
+ profileName = {
+ defaultValue = "setbypolicy"
+ metadata = {
+ description = "The diagnostic settings profile name"
+ displayName = "Profile name"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ equals = "Microsoft.EventGrid/topics"
+ field = "type"
}
+ then = {
+ details = {
+ deployment = {
+ properties = {
+ mode = "Incremental"
+ parameters = {
+ location = {
+ value = "[field('location')]"
}
+ logAnalytics = {
+ value = "[parameters('logAnalytics')]"
}
+ logsEnabled = {
+ value = "[parameters('logsEnabled')]"
}
+ metricsEnabled = {
+ value = "[parameters('metricsEnabled')]"
}
+ profileName = {
+ value = "[parameters('profileName')]"
}
+ resourceName = {
+ value = "[field('name')]"
}
}
+ template = {
+ "$schema" = "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#"
+ contentVersion = "1.0.0.0"
+ outputs = {}
+ parameters = {
+ location = {
+ type = "String"
}
+ logAnalytics = {
+ type = "String"
}
+ logsEnabled = {
+ type = "String"
}
+ metricsEnabled = {
+ type = "String"
}
+ profileName = {
+ type = "String"
}
+ resourceName = {
+ type = "String"
}
}
+ resources = [
+ {
+ apiVersion = "2017-05-01-preview"
+ dependsOn = []
+ location = "[parameters('location')]"
+ name = "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]"
+ properties = {
+ logs = [
+ {
+ category = "DeliveryFailures"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "PublishFailures"
+ enabled = "[parameters('logsEnabled')]"
},
]
+ metrics = [
+ {
+ category = "AllMetrics"
+ enabled = "[parameters('metricsEnabled')]"
+ retentionPolicy = {
+ days = 0
+ enabled = false
}
+ timeGrain = null
},
]
+ workspaceId = "[parameters('logAnalytics')]"
}
+ type = "Microsoft.EventGrid/topics/providers/diagnosticSettings"
},
]
+ variables = {}
}
}
}
+ existenceCondition = {
+ allOf = [
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/logs.enabled"
},
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/metrics.enabled"
},
+ {
+ equals = "[parameters('logAnalytics')]"
+ field = "Microsoft.Insights/diagnosticSettings/workspaceId"
},
]
}
+ name = "setByPolicy"
+ roleDefinitionIds = [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
]
+ type = "Microsoft.Insights/diagnosticSettings"
}
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-ExpressRoute"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Deploys the diagnostic settings for ExpressRoute to stream to a Log Analytics workspace when any ExpressRoute which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ display_name = "Deploy Diagnostic Settings for ExpressRoute to Log Analytics workspace"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Monitoring"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deploy-Diagnostics-ExpressRoute"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "DeployIfNotExists",
+ "Disabled",
]
+ defaultValue = "DeployIfNotExists"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
+ logAnalytics = {
+ metadata = {
+ description = "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID."
+ displayName = "Log Analytics workspace"
+ strongType = "omsWorkspace"
}
+ type = "String"
}
+ logsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ displayName = "Enable logs"
}
+ type = "String"
}
+ metricsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ displayName = "Enable metrics"
}
+ type = "String"
}
+ profileName = {
+ defaultValue = "setbypolicy"
+ metadata = {
+ description = "The diagnostic settings profile name"
+ displayName = "Profile name"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ equals = "Microsoft.Network/expressRouteCircuits"
+ field = "type"
}
+ then = {
+ details = {
+ deployment = {
+ properties = {
+ mode = "Incremental"
+ parameters = {
+ location = {
+ value = "[field('location')]"
}
+ logAnalytics = {
+ value = "[parameters('logAnalytics')]"
}
+ logsEnabled = {
+ value = "[parameters('logsEnabled')]"
}
+ metricsEnabled = {
+ value = "[parameters('metricsEnabled')]"
}
+ profileName = {
+ value = "[parameters('profileName')]"
}
+ resourceName = {
+ value = "[field('name')]"
}
}
+ template = {
+ "$schema" = "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#"
+ contentVersion = "1.0.0.0"
+ outputs = {}
+ parameters = {
+ location = {
+ type = "String"
}
+ logAnalytics = {
+ type = "String"
}
+ logsEnabled = {
+ type = "String"
}
+ metricsEnabled = {
+ type = "String"
}
+ profileName = {
+ type = "String"
}
+ resourceName = {
+ type = "String"
}
}
+ resources = [
+ {
+ apiVersion = "2017-05-01-preview"
+ dependsOn = []
+ location = "[parameters('location')]"
+ name = "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]"
+ properties = {
+ logs = [
+ {
+ category = "PeeringRouteLog"
+ enabled = "[parameters('logsEnabled')]"
},
]
+ metrics = [
+ {
+ category = "AllMetrics"
+ enabled = "[parameters('metricsEnabled')]"
+ retentionPolicy = {
+ days = 0
+ enabled = false
}
+ timeGrain = null
},
]
+ workspaceId = "[parameters('logAnalytics')]"
}
+ type = "Microsoft.Network/expressRouteCircuits/providers/diagnosticSettings"
},
]
+ variables = {}
}
}
}
+ existenceCondition = {
+ allOf = [
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/logs.enabled"
},
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/metrics.enabled"
},
+ {
+ equals = "[parameters('logAnalytics')]"
+ field = "Microsoft.Insights/diagnosticSettings/workspaceId"
},
]
}
+ name = "setByPolicy"
+ roleDefinitionIds = [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
]
+ type = "Microsoft.Insights/diagnosticSettings"
}
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Firewall"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Deploys the diagnostic settings for Firewall to stream to a Log Analytics workspace when any Firewall which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ display_name = "Deploy Diagnostic Settings for Firewall to Log Analytics workspace"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Monitoring"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deploy-Diagnostics-Firewall"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "DeployIfNotExists",
+ "Disabled",
]
+ defaultValue = "DeployIfNotExists"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
+ logAnalytics = {
+ metadata = {
+ description = "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID."
+ displayName = "Log Analytics workspace"
+ strongType = "omsWorkspace"
}
+ type = "String"
}
+ logsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ displayName = "Enable logs"
}
+ type = "String"
}
+ metricsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ displayName = "Enable metrics"
}
+ type = "String"
}
+ profileName = {
+ defaultValue = "setbypolicy"
+ metadata = {
+ description = "The diagnostic settings profile name"
+ displayName = "Profile name"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ equals = "Microsoft.Network/azureFirewalls"
+ field = "type"
}
+ then = {
+ details = {
+ deployment = {
+ properties = {
+ mode = "Incremental"
+ parameters = {
+ location = {
+ value = "[field('location')]"
}
+ logAnalytics = {
+ value = "[parameters('logAnalytics')]"
}
+ logsEnabled = {
+ value = "[parameters('logsEnabled')]"
}
+ metricsEnabled = {
+ value = "[parameters('metricsEnabled')]"
}
+ profileName = {
+ value = "[parameters('profileName')]"
}
+ resourceName = {
+ value = "[field('name')]"
}
}
+ template = {
+ "$schema" = "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#"
+ contentVersion = "1.0.0.0"
+ outputs = {}
+ parameters = {
+ location = {
+ type = "String"
}
+ logAnalytics = {
+ type = "String"
}
+ logsEnabled = {
+ type = "String"
}
+ metricsEnabled = {
+ type = "String"
}
+ profileName = {
+ type = "String"
}
+ resourceName = {
+ type = "String"
}
}
+ resources = [
+ {
+ apiVersion = "2017-05-01-preview"
+ dependsOn = []
+ location = "[parameters('location')]"
+ name = "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]"
+ properties = {
+ logs = [
+ {
+ category = "AzureFirewallApplicationRule"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "AzureFirewallNetworkRule"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "AzureFirewallDnsProxy"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "AZFWNetworkRule"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "AZFWApplicationRule"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "AZFWNatRule"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "AZFWThreatIntel"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "AZFWIdpsSignature"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "AZFWDnsQuery"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "AZFWFqdnResolveFailure"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "AZFWApplicationRuleAggregation"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "AZFWNetworkRuleAggregation"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "AZFWNatRuleAggregation"
+ enabled = "[parameters('logsEnabled')]"
},
]
+ metrics = [
+ {
+ category = "AllMetrics"
+ enabled = "[parameters('metricsEnabled')]"
+ retentionPolicy = {
+ days = 0
+ enabled = false
}
+ timeGrain = null
},
]
+ workspaceId = "[parameters('logAnalytics')]"
}
+ type = "Microsoft.Network/azureFirewalls/providers/diagnosticSettings"
},
]
+ variables = {}
}
}
}
+ existenceCondition = {
+ allOf = [
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/logs.enabled"
},
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/metrics.enabled"
},
+ {
+ equals = "[parameters('logAnalytics')]"
+ field = "Microsoft.Insights/diagnosticSettings/workspaceId"
},
]
}
+ name = "setByPolicy"
+ roleDefinitionIds = [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
]
+ type = "Microsoft.Insights/diagnosticSettings"
}
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-FrontDoor"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Deploys the diagnostic settings for Front Door to stream to a Log Analytics workspace when any Front Door which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ display_name = "Deploy Diagnostic Settings for Front Door to Log Analytics workspace"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Monitoring"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deploy-Diagnostics-FrontDoor"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "DeployIfNotExists",
+ "Disabled",
]
+ defaultValue = "DeployIfNotExists"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
+ logAnalytics = {
+ metadata = {
+ description = "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID."
+ displayName = "Log Analytics workspace"
+ strongType = "omsWorkspace"
}
+ type = "String"
}
+ logsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ displayName = "Enable logs"
}
+ type = "String"
}
+ metricsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ displayName = "Enable metrics"
}
+ type = "String"
}
+ profileName = {
+ defaultValue = "setbypolicy"
+ metadata = {
+ description = "The diagnostic settings profile name"
+ displayName = "Profile name"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ equals = "Microsoft.Network/frontDoors"
+ field = "type"
}
+ then = {
+ details = {
+ deployment = {
+ properties = {
+ mode = "Incremental"
+ parameters = {
+ location = {
+ value = "[field('location')]"
}
+ logAnalytics = {
+ value = "[parameters('logAnalytics')]"
}
+ logsEnabled = {
+ value = "[parameters('logsEnabled')]"
}
+ metricsEnabled = {
+ value = "[parameters('metricsEnabled')]"
}
+ profileName = {
+ value = "[parameters('profileName')]"
}
+ resourceName = {
+ value = "[field('name')]"
}
}
+ template = {
+ "$schema" = "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#"
+ contentVersion = "1.0.0.0"
+ outputs = {}
+ parameters = {
+ location = {
+ type = "String"
}
+ logAnalytics = {
+ type = "String"
}
+ logsEnabled = {
+ type = "String"
}
+ metricsEnabled = {
+ type = "String"
}
+ profileName = {
+ type = "String"
}
+ resourceName = {
+ type = "String"
}
}
+ resources = [
+ {
+ apiVersion = "2017-05-01-preview"
+ dependsOn = []
+ location = "[parameters('location')]"
+ name = "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]"
+ properties = {
+ logs = [
+ {
+ category = "FrontdoorAccessLog"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "FrontdoorWebApplicationFirewallLog"
+ enabled = "[parameters('logsEnabled')]"
},
]
+ metrics = [
+ {
+ category = "AllMetrics"
+ enabled = "[parameters('metricsEnabled')]"
+ retentionPolicy = {
+ days = 0
+ enabled = false
}
+ timeGrain = null
},
]
+ workspaceId = "[parameters('logAnalytics')]"
}
+ type = "Microsoft.Network/frontDoors/providers/diagnosticSettings"
},
]
+ variables = {}
}
}
}
+ existenceCondition = {
+ allOf = [
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/logs.enabled"
},
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/metrics.enabled"
},
+ {
+ equals = "[parameters('logAnalytics')]"
+ field = "Microsoft.Insights/diagnosticSettings/workspaceId"
},
]
}
+ name = "setByPolicy"
+ roleDefinitionIds = [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
]
+ type = "Microsoft.Insights/diagnosticSettings"
}
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Function"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Deploys the diagnostic settings for Azure Function App to stream to a Log Analytics workspace when any function app which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ display_name = "Deploy Diagnostic Settings for Azure Function App to Log Analytics workspace"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Monitoring"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deploy-Diagnostics-Function"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "DeployIfNotExists",
+ "Disabled",
]
+ defaultValue = "DeployIfNotExists"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
+ logAnalytics = {
+ metadata = {
+ description = "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID."
+ displayName = "Log Analytics workspace"
+ strongType = "omsWorkspace"
}
+ type = "String"
}
+ logsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ displayName = "Enable logs"
}
+ type = "String"
}
+ metricsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ displayName = "Enable metrics"
}
+ type = "String"
}
+ profileName = {
+ defaultValue = "setbypolicy"
+ metadata = {
+ description = "The diagnostic settings profile name"
+ displayName = "Profile name"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ allOf = [
+ {
+ equals = "Microsoft.Web/sites"
+ field = "type"
},
+ {
+ contains = "functionapp"
+ value = "[field('kind')]"
},
]
}
+ then = {
+ details = {
+ deployment = {
+ properties = {
+ mode = "Incremental"
+ parameters = {
+ location = {
+ value = "[field('location')]"
}
+ logAnalytics = {
+ value = "[parameters('logAnalytics')]"
}
+ logsEnabled = {
+ value = "[parameters('logsEnabled')]"
}
+ metricsEnabled = {
+ value = "[parameters('metricsEnabled')]"
}
+ profileName = {
+ value = "[parameters('profileName')]"
}
+ resourceName = {
+ value = "[field('name')]"
}
}
+ template = {
+ "$schema" = "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#"
+ contentVersion = "1.0.0.0"
+ outputs = {}
+ parameters = {
+ location = {
+ type = "String"
}
+ logAnalytics = {
+ type = "String"
}
+ logsEnabled = {
+ type = "String"
}
+ metricsEnabled = {
+ type = "String"
}
+ profileName = {
+ type = "String"
}
+ resourceName = {
+ type = "String"
}
}
+ resources = [
+ {
+ apiVersion = "2017-05-01-preview"
+ dependsOn = []
+ location = "[parameters('location')]"
+ name = "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]"
+ properties = {
+ logs = [
+ {
+ category = "FunctionAppLogs"
+ enabled = "[parameters('logsEnabled')]"
},
]
+ metrics = [
+ {
+ category = "AllMetrics"
+ enabled = "[parameters('metricsEnabled')]"
+ retentionPolicy = {
+ days = 0
+ enabled = false
}
+ timeGrain = null
},
]
+ workspaceId = "[parameters('logAnalytics')]"
}
+ type = "Microsoft.Web/sites/providers/diagnosticSettings"
},
]
+ variables = {}
}
}
}
+ existenceCondition = {
+ allOf = [
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/logs.enabled"
},
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/metrics.enabled"
},
+ {
+ equals = "[parameters('logAnalytics')]"
+ field = "Microsoft.Insights/diagnosticSettings/workspaceId"
},
]
}
+ name = "setByPolicy"
+ roleDefinitionIds = [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
]
+ type = "Microsoft.Insights/diagnosticSettings"
}
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-HDInsight"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Deploys the diagnostic settings for HDInsight to stream to a Log Analytics workspace when any HDInsight which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ display_name = "Deploy Diagnostic Settings for HDInsight to Log Analytics workspace"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Monitoring"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deploy-Diagnostics-HDInsight"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "DeployIfNotExists",
+ "Disabled",
]
+ defaultValue = "DeployIfNotExists"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
+ logAnalytics = {
+ metadata = {
+ description = "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID."
+ displayName = "Log Analytics workspace"
+ strongType = "omsWorkspace"
}
+ type = "String"
}
+ metricsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ displayName = "Enable metrics"
}
+ type = "String"
}
+ profileName = {
+ defaultValue = "setbypolicy"
+ metadata = {
+ description = "The diagnostic settings profile name"
+ displayName = "Profile name"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ equals = "Microsoft.HDInsight/clusters"
+ field = "type"
}
+ then = {
+ details = {
+ deployment = {
+ properties = {
+ mode = "Incremental"
+ parameters = {
+ location = {
+ value = "[field('location')]"
}
+ logAnalytics = {
+ value = "[parameters('logAnalytics')]"
}
+ metricsEnabled = {
+ value = "[parameters('metricsEnabled')]"
}
+ profileName = {
+ value = "[parameters('profileName')]"
}
+ resourceName = {
+ value = "[field('name')]"
}
}
+ template = {
+ "$schema" = "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#"
+ contentVersion = "1.0.0.0"
+ outputs = {}
+ parameters = {
+ location = {
+ type = "String"
}
+ logAnalytics = {
+ type = "String"
}
+ metricsEnabled = {
+ type = "String"
}
+ profileName = {
+ type = "String"
}
+ resourceName = {
+ type = "String"
}
}
+ resources = [
+ {
+ apiVersion = "2017-05-01-preview"
+ dependsOn = []
+ location = "[parameters('location')]"
+ name = "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]"
+ properties = {
+ logs = []
+ metrics = [
+ {
+ category = "AllMetrics"
+ enabled = "[parameters('metricsEnabled')]"
+ retentionPolicy = {
+ days = 0
+ enabled = false
}
+ timeGrain = null
},
]
+ workspaceId = "[parameters('logAnalytics')]"
}
+ type = "Microsoft.HDInsight/clusters/providers/diagnosticSettings"
},
]
+ variables = {}
}
}
}
+ existenceCondition = {
+ allOf = [
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/metrics.enabled"
},
+ {
+ equals = "[parameters('logAnalytics')]"
+ field = "Microsoft.Insights/diagnosticSettings/workspaceId"
},
]
}
+ name = "setByPolicy"
+ roleDefinitionIds = [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
]
+ type = "Microsoft.Insights/diagnosticSettings"
}
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LoadBalancer"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Deploys the diagnostic settings for Load Balancer to stream to a Log Analytics workspace when any Load Balancer which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ display_name = "Deploy Diagnostic Settings for Load Balancer to Log Analytics workspace"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Monitoring"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deploy-Diagnostics-LoadBalancer"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "DeployIfNotExists",
+ "Disabled",
]
+ defaultValue = "DeployIfNotExists"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
+ logAnalytics = {
+ metadata = {
+ description = "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID."
+ displayName = "Log Analytics workspace"
+ strongType = "omsWorkspace"
}
+ type = "String"
}
+ logsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ displayName = "Enable logs"
}
+ type = "String"
}
+ metricsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ displayName = "Enable metrics"
}
+ type = "String"
}
+ profileName = {
+ defaultValue = "setbypolicy"
+ metadata = {
+ description = "The diagnostic settings profile name"
+ displayName = "Profile name"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ equals = "Microsoft.Network/loadBalancers"
+ field = "type"
}
+ then = {
+ details = {
+ deployment = {
+ properties = {
+ mode = "Incremental"
+ parameters = {
+ location = {
+ value = "[field('location')]"
}
+ logAnalytics = {
+ value = "[parameters('logAnalytics')]"
}
+ logsEnabled = {
+ value = "[parameters('logsEnabled')]"
}
+ metricsEnabled = {
+ value = "[parameters('metricsEnabled')]"
}
+ profileName = {
+ value = "[parameters('profileName')]"
}
+ resourceName = {
+ value = "[field('name')]"
}
}
+ template = {
+ "$schema" = "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#"
+ contentVersion = "1.0.0.0"
+ outputs = {}
+ parameters = {
+ location = {
+ type = "String"
}
+ logAnalytics = {
+ type = "String"
}
+ logsEnabled = {
+ type = "String"
}
+ metricsEnabled = {
+ type = "String"
}
+ profileName = {
+ type = "String"
}
+ resourceName = {
+ type = "String"
}
}
+ resources = [
+ {
+ apiVersion = "2017-05-01-preview"
+ dependsOn = []
+ location = "[parameters('location')]"
+ name = "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]"
+ properties = {
+ logs = [
+ {
+ category = "LoadBalancerAlertEvent"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "LoadBalancerProbeHealthStatus"
+ enabled = "[parameters('logsEnabled')]"
},
]
+ metrics = [
+ {
+ category = "AllMetrics"
+ enabled = "[parameters('metricsEnabled')]"
+ retentionPolicy = {
+ days = 0
+ enabled = false
}
+ timeGrain = null
},
]
+ workspaceId = "[parameters('logAnalytics')]"
}
+ type = "Microsoft.Network/loadBalancers/providers/diagnosticSettings"
},
]
+ variables = {}
}
}
}
+ existenceCondition = {
+ allOf = [
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/logs.enabled"
},
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/metrics.enabled"
},
+ {
+ equals = "[parameters('logAnalytics')]"
+ field = "Microsoft.Insights/diagnosticSettings/workspaceId"
},
]
}
+ name = "setByPolicy"
+ roleDefinitionIds = [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
]
+ type = "Microsoft.Insights/diagnosticSettings"
}
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-LogicAppsISE"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Deploys the diagnostic settings for Logic Apps integration service environment to stream to a Log Analytics workspace when any Logic Apps integration service environment which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ display_name = "Deploy Diagnostic Settings for Logic Apps integration service environment to Log Analytics workspace"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Monitoring"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deploy-Diagnostics-LogicAppsISE"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "DeployIfNotExists",
+ "Disabled",
]
+ defaultValue = "DeployIfNotExists"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
+ logAnalytics = {
+ metadata = {
+ description = "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID."
+ displayName = "Log Analytics workspace"
+ strongType = "omsWorkspace"
}
+ type = "String"
}
+ logsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ displayName = "Enable logs"
}
+ type = "String"
}
+ profileName = {
+ defaultValue = "setbypolicy"
+ metadata = {
+ description = "The diagnostic settings profile name"
+ displayName = "Profile name"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ equals = "Microsoft.Logic/integrationAccounts"
+ field = "type"
}
+ then = {
+ details = {
+ deployment = {
+ properties = {
+ mode = "Incremental"
+ parameters = {
+ location = {
+ value = "[field('location')]"
}
+ logAnalytics = {
+ value = "[parameters('logAnalytics')]"
}
+ logsEnabled = {
+ value = "[parameters('logsEnabled')]"
}
+ profileName = {
+ value = "[parameters('profileName')]"
}
+ resourceName = {
+ value = "[field('name')]"
}
}
+ template = {
+ "$schema" = "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#"
+ contentVersion = "1.0.0.0"
+ outputs = {}
+ parameters = {
+ location = {
+ type = "String"
}
+ logAnalytics = {
+ type = "String"
}
+ logsEnabled = {
+ type = "String"
}
+ profileName = {
+ type = "String"
}
+ resourceName = {
+ type = "String"
}
}
+ resources = [
+ {
+ apiVersion = "2017-05-01-preview"
+ dependsOn = []
+ location = "[parameters('location')]"
+ name = "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]"
+ properties = {
+ logs = [
+ {
+ category = "IntegrationAccountTrackingEvents"
+ enabled = "[parameters('logsEnabled')]"
},
]
+ metrics = []
+ workspaceId = "[parameters('logAnalytics')]"
}
+ type = "Microsoft.Logic/integrationAccounts/providers/diagnosticSettings"
},
]
+ variables = {}
}
}
}
+ existenceCondition = {
+ allOf = [
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/logs.enabled"
},
+ {
+ equals = "[parameters('logAnalytics')]"
+ field = "Microsoft.Insights/diagnosticSettings/workspaceId"
},
]
}
+ name = "setByPolicy"
+ roleDefinitionIds = [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
]
+ type = "Microsoft.Insights/diagnosticSettings"
}
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MariaDB"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Deploys the diagnostic settings for MariaDB to stream to a Log Analytics workspace when any MariaDB which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ display_name = "Deploy Diagnostic Settings for MariaDB to Log Analytics workspace"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Monitoring"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deploy-Diagnostics-MariaDB"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "DeployIfNotExists",
+ "Disabled",
]
+ defaultValue = "DeployIfNotExists"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
+ logAnalytics = {
+ metadata = {
+ description = "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID."
+ displayName = "Log Analytics workspace"
+ strongType = "omsWorkspace"
}
+ type = "String"
}
+ logsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ displayName = "Enable logs"
}
+ type = "String"
}
+ metricsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ displayName = "Enable metrics"
}
+ type = "String"
}
+ profileName = {
+ defaultValue = "setbypolicy"
+ metadata = {
+ description = "The diagnostic settings profile name"
+ displayName = "Profile name"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ equals = "Microsoft.DBforMariaDB/servers"
+ field = "type"
}
+ then = {
+ details = {
+ deployment = {
+ properties = {
+ mode = "Incremental"
+ parameters = {
+ location = {
+ value = "[field('location')]"
}
+ logAnalytics = {
+ value = "[parameters('logAnalytics')]"
}
+ logsEnabled = {
+ value = "[parameters('logsEnabled')]"
}
+ metricsEnabled = {
+ value = "[parameters('metricsEnabled')]"
}
+ profileName = {
+ value = "[parameters('profileName')]"
}
+ resourceName = {
+ value = "[field('name')]"
}
}
+ template = {
+ "$schema" = "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#"
+ contentVersion = "1.0.0.0"
+ outputs = {}
+ parameters = {
+ location = {
+ type = "String"
}
+ logAnalytics = {
+ type = "String"
}
+ logsEnabled = {
+ type = "String"
}
+ metricsEnabled = {
+ type = "String"
}
+ profileName = {
+ type = "String"
}
+ resourceName = {
+ type = "String"
}
}
+ resources = [
+ {
+ apiVersion = "2017-05-01-preview"
+ dependsOn = []
+ location = "[parameters('location')]"
+ name = "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]"
+ properties = {
+ logs = [
+ {
+ category = "MySqlSlowLogs"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "MySqlAuditLogs"
+ enabled = "[parameters('logsEnabled')]"
},
]
+ metrics = [
+ {
+ category = "AllMetrics"
+ enabled = "[parameters('metricsEnabled')]"
+ retentionPolicy = {
+ days = 0
+ enabled = false
}
+ timeGrain = null
},
]
+ workspaceId = "[parameters('logAnalytics')]"
}
+ type = "Microsoft.DBforMariaDB/servers/providers/diagnosticSettings"
},
]
+ variables = {}
}
}
}
+ existenceCondition = {
+ allOf = [
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/logs.enabled"
},
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/metrics.enabled"
},
+ {
+ equals = "[parameters('logAnalytics')]"
+ field = "Microsoft.Insights/diagnosticSettings/workspaceId"
},
]
}
+ name = "setByPolicy"
+ roleDefinitionIds = [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
]
+ type = "Microsoft.Insights/diagnosticSettings"
}
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MediaService"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Deploys the diagnostic settings for Azure Media Service to stream to a Log Analytics workspace when any Azure Media Service which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ display_name = "Deploy Diagnostic Settings for Azure Media Service to Log Analytics workspace"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Monitoring"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deploy-Diagnostics-MediaService"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "DeployIfNotExists",
+ "Disabled",
]
+ defaultValue = "DeployIfNotExists"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
+ logAnalytics = {
+ metadata = {
+ description = "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID."
+ displayName = "Log Analytics workspace"
+ strongType = "omsWorkspace"
}
+ type = "String"
}
+ logsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ displayName = "Enable logs"
}
+ type = "String"
}
+ metricsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ displayName = "Enable metrics"
}
+ type = "String"
}
+ profileName = {
+ defaultValue = "setbypolicy"
+ metadata = {
+ description = "The diagnostic settings profile name"
+ displayName = "Profile name"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ equals = "Microsoft.Media/mediaServices"
+ field = "type"
}
+ then = {
+ details = {
+ deployment = {
+ properties = {
+ mode = "Incremental"
+ parameters = {
+ location = {
+ value = "[field('location')]"
}
+ logAnalytics = {
+ value = "[parameters('logAnalytics')]"
}
+ logsEnabled = {
+ value = "[parameters('logsEnabled')]"
}
+ metricsEnabled = {
+ value = "[parameters('metricsEnabled')]"
}
+ profileName = {
+ value = "[parameters('profileName')]"
}
+ resourceName = {
+ value = "[field('name')]"
}
}
+ template = {
+ "$schema" = "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#"
+ contentVersion = "1.0.0.0"
+ outputs = {}
+ parameters = {
+ location = {
+ type = "String"
}
+ logAnalytics = {
+ type = "String"
}
+ logsEnabled = {
+ type = "String"
}
+ metricsEnabled = {
+ type = "String"
}
+ profileName = {
+ type = "String"
}
+ resourceName = {
+ type = "String"
}
}
+ resources = [
+ {
+ apiVersion = "2017-05-01-preview"
+ dependsOn = []
+ location = "[parameters('location')]"
+ name = "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]"
+ properties = {
+ logs = [
+ {
+ category = "KeyDeliveryRequests"
+ enabled = "[parameters('logsEnabled')]"
},
]
+ metrics = [
+ {
+ category = "AllMetrics"
+ enabled = "[parameters('metricsEnabled')]"
+ retentionPolicy = {
+ days = 0
+ enabled = false
}
+ timeGrain = null
},
]
+ workspaceId = "[parameters('logAnalytics')]"
}
+ type = "Microsoft.Media/mediaServices/providers/diagnosticSettings"
},
]
+ variables = {}
}
}
}
+ existenceCondition = {
+ allOf = [
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/logs.enabled"
},
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/metrics.enabled"
},
+ {
+ equals = "[parameters('logAnalytics')]"
+ field = "Microsoft.Insights/diagnosticSettings/workspaceId"
},
]
}
+ name = "setByPolicy"
+ roleDefinitionIds = [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
]
+ type = "Microsoft.Insights/diagnosticSettings"
}
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MlWorkspace"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Deploys the diagnostic settings for Machine Learning workspace to stream to a Log Analytics workspace when any Machine Learning workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ display_name = "Deploy Diagnostic Settings for Machine Learning workspace to Log Analytics workspace"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Monitoring"
+ version = "1.1.0"
}
)
+ mode = "Indexed"
+ name = "Deploy-Diagnostics-MlWorkspace"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "DeployIfNotExists",
+ "Disabled",
]
+ defaultValue = "DeployIfNotExists"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
+ logAnalytics = {
+ metadata = {
+ description = "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID."
+ displayName = "Log Analytics workspace"
+ strongType = "omsWorkspace"
}
+ type = "String"
}
+ logsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ displayName = "Enable logs"
}
+ type = "String"
}
+ metricsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ displayName = "Enable metrics"
}
+ type = "String"
}
+ profileName = {
+ defaultValue = "setbypolicy"
+ metadata = {
+ description = "The diagnostic settings profile name"
+ displayName = "Profile name"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ equals = "Microsoft.MachineLearningServices/workspaces"
+ field = "type"
}
+ then = {
+ details = {
+ deployment = {
+ properties = {
+ mode = "Incremental"
+ parameters = {
+ location = {
+ value = "[field('location')]"
}
+ logAnalytics = {
+ value = "[parameters('logAnalytics')]"
}
+ logsEnabled = {
+ value = "[parameters('logsEnabled')]"
}
+ metricsEnabled = {
+ value = "[parameters('metricsEnabled')]"
}
+ profileName = {
+ value = "[parameters('profileName')]"
}
+ resourceName = {
+ value = "[field('name')]"
}
}
+ template = {
+ "$schema" = "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#"
+ contentVersion = "1.0.0.0"
+ outputs = {}
+ parameters = {
+ location = {
+ type = "String"
}
+ logAnalytics = {
+ type = "String"
}
+ logsEnabled = {
+ type = "String"
}
+ metricsEnabled = {
+ type = "String"
}
+ profileName = {
+ type = "String"
}
+ resourceName = {
+ type = "String"
}
}
+ resources = [
+ {
+ apiVersion = "2017-05-01-preview"
+ dependsOn = []
+ location = "[parameters('location')]"
+ name = "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]"
+ properties = {
+ logs = [
+ {
+ category = "AmlComputeClusterEvent"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "AmlComputeClusterNodeEvent"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "AmlComputeJobEvent"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "AmlComputeCpuGpuUtilization"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "AmlRunStatusChangedEvent"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "ModelsChangeEvent"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "ModelsReadEvent"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "ModelsActionEvent"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "DeploymentReadEvent"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "DeploymentEventACI"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "DeploymentEventAKS"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "InferencingOperationAKS"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "InferencingOperationACI"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "DataLabelChangeEvent"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "DataLabelReadEvent"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "ComputeInstanceEvent"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "DataStoreChangeEvent"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "DataStoreReadEvent"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "DataSetChangeEvent"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "DataSetReadEvent"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "PipelineChangeEvent"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "PipelineReadEvent"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "RunEvent"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "RunReadEvent"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "EnvironmentChangeEvent"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "EnvironmentReadEvent"
+ enabled = "[parameters('logsEnabled')]"
},
]
+ metrics = [
+ {
+ category = "AllMetrics"
+ enabled = "[parameters('metricsEnabled')]"
+ retentionPolicy = {
+ days = 0
+ enabled = false
}
},
]
+ workspaceId = "[parameters('logAnalytics')]"
}
+ type = "Microsoft.MachineLearningServices/workspaces/providers/diagnosticSettings"
},
]
+ variables = {}
}
}
}
+ existenceCondition = {
+ allOf = [
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/logs.enabled"
},
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/metrics.enabled"
},
+ {
+ equals = "[parameters('logAnalytics')]"
+ field = "Microsoft.Insights/diagnosticSettings/workspaceId"
},
]
}
+ name = "setByPolicy"
+ roleDefinitionIds = [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
]
+ type = "Microsoft.Insights/diagnosticSettings"
}
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-MySQL"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Deploys the diagnostic settings for Database for MySQL to stream to a Log Analytics workspace when any Database for MySQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ display_name = "Deploy Diagnostic Settings for Database for MySQL to Log Analytics workspace"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Monitoring"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deploy-Diagnostics-MySQL"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "DeployIfNotExists",
+ "Disabled",
]
+ defaultValue = "DeployIfNotExists"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
+ logAnalytics = {
+ metadata = {
+ description = "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID."
+ displayName = "Log Analytics workspace"
+ strongType = "omsWorkspace"
}
+ type = "String"
}
+ logsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ displayName = "Enable logs"
}
+ type = "String"
}
+ metricsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ displayName = "Enable metrics"
}
+ type = "String"
}
+ profileName = {
+ defaultValue = "setbypolicy"
+ metadata = {
+ description = "The diagnostic settings profile name"
+ displayName = "Profile name"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ equals = "Microsoft.DBforMySQL/servers"
+ field = "type"
}
+ then = {
+ details = {
+ deployment = {
+ properties = {
+ mode = "Incremental"
+ parameters = {
+ location = {
+ value = "[field('location')]"
}
+ logAnalytics = {
+ value = "[parameters('logAnalytics')]"
}
+ logsEnabled = {
+ value = "[parameters('logsEnabled')]"
}
+ metricsEnabled = {
+ value = "[parameters('metricsEnabled')]"
}
+ profileName = {
+ value = "[parameters('profileName')]"
}
+ resourceName = {
+ value = "[field('name')]"
}
}
+ template = {
+ "$schema" = "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#"
+ contentVersion = "1.0.0.0"
+ outputs = {}
+ parameters = {
+ location = {
+ type = "String"
}
+ logAnalytics = {
+ type = "String"
}
+ logsEnabled = {
+ type = "String"
}
+ metricsEnabled = {
+ type = "String"
}
+ profileName = {
+ type = "String"
}
+ resourceName = {
+ type = "String"
}
}
+ resources = [
+ {
+ apiVersion = "2017-05-01-preview"
+ dependsOn = []
+ location = "[parameters('location')]"
+ name = "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]"
+ properties = {
+ logs = [
+ {
+ category = "MySqlSlowLogs"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "MySqlAuditLogs"
+ enabled = "[parameters('logsEnabled')]"
},
]
+ metrics = [
+ {
+ category = "AllMetrics"
+ enabled = "[parameters('metricsEnabled')]"
+ retentionPolicy = {
+ days = 0
+ enabled = false
}
+ timeGrain = null
},
]
+ workspaceId = "[parameters('logAnalytics')]"
}
+ type = "Microsoft.DBforMySQL/servers/providers/diagnosticSettings"
},
]
+ variables = {}
}
}
}
+ existenceCondition = {
+ allOf = [
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/logs.enabled"
},
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/metrics.enabled"
},
+ {
+ equals = "[parameters('logAnalytics')]"
+ field = "Microsoft.Insights/diagnosticSettings/workspaceId"
},
]
}
+ name = "setByPolicy"
+ roleDefinitionIds = [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
]
+ type = "Microsoft.Insights/diagnosticSettings"
}
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NIC"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Deploys the diagnostic settings for Network Interfaces to stream to a Log Analytics workspace when any Network Interfaces which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ display_name = "Deploy Diagnostic Settings for Network Interfaces to Log Analytics workspace"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Monitoring"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deploy-Diagnostics-NIC"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "DeployIfNotExists",
+ "Disabled",
]
+ defaultValue = "DeployIfNotExists"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
+ logAnalytics = {
+ metadata = {
+ description = "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID."
+ displayName = "Log Analytics workspace"
+ strongType = "omsWorkspace"
}
+ type = "String"
}
+ metricsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ displayName = "Enable metrics"
}
+ type = "String"
}
+ profileName = {
+ defaultValue = "setbypolicy"
+ metadata = {
+ description = "The diagnostic settings profile name"
+ displayName = "Profile name"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ equals = "Microsoft.Network/networkInterfaces"
+ field = "type"
}
+ then = {
+ details = {
+ deployment = {
+ properties = {
+ mode = "Incremental"
+ parameters = {
+ location = {
+ value = "[field('location')]"
}
+ logAnalytics = {
+ value = "[parameters('logAnalytics')]"
}
+ metricsEnabled = {
+ value = "[parameters('metricsEnabled')]"
}
+ profileName = {
+ value = "[parameters('profileName')]"
}
+ resourceName = {
+ value = "[field('name')]"
}
}
+ template = {
+ "$schema" = "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#"
+ contentVersion = "1.0.0.0"
+ outputs = {}
+ parameters = {
+ location = {
+ type = "String"
}
+ logAnalytics = {
+ type = "String"
}
+ metricsEnabled = {
+ type = "String"
}
+ profileName = {
+ type = "String"
}
+ resourceName = {
+ type = "String"
}
}
+ resources = [
+ {
+ apiVersion = "2017-05-01-preview"
+ dependsOn = []
+ location = "[parameters('location')]"
+ name = "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]"
+ properties = {
+ metrics = [
+ {
+ category = "AllMetrics"
+ enabled = "[parameters('metricsEnabled')]"
+ retentionPolicy = {
+ days = 0
+ enabled = false
}
+ timeGrain = null
},
]
+ workspaceId = "[parameters('logAnalytics')]"
}
+ type = "Microsoft.Network/networkInterfaces/providers/diagnosticSettings"
},
]
+ variables = {}
}
}
}
+ existenceCondition = {
+ allOf = [
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/metrics.enabled"
},
+ {
+ equals = "[parameters('logAnalytics')]"
+ field = "Microsoft.Insights/diagnosticSettings/workspaceId"
},
]
}
+ name = "setByPolicy"
+ roleDefinitionIds = [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
]
+ type = "Microsoft.Insights/diagnosticSettings"
}
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-NetworkSecurityGroups"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Deploys the diagnostic settings for Network Security Groups to stream to a Log Analytics workspace when any Network Security Groups which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ display_name = "Deploy Diagnostic Settings for Network Security Groups to Log Analytics workspace"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Monitoring"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deploy-Diagnostics-NetworkSecurityGroups"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "DeployIfNotExists",
+ "Disabled",
]
+ defaultValue = "DeployIfNotExists"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
+ logAnalytics = {
+ metadata = {
+ description = "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID."
+ displayName = "Log Analytics workspace"
+ strongType = "omsWorkspace"
}
+ type = "String"
}
+ logsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ displayName = "Enable logs"
}
+ type = "String"
}
+ profileName = {
+ defaultValue = "setbypolicy"
+ metadata = {
+ description = "The diagnostic settings profile name"
+ displayName = "Profile name"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ equals = "Microsoft.Network/networkSecurityGroups"
+ field = "type"
}
+ then = {
+ details = {
+ deployment = {
+ properties = {
+ mode = "Incremental"
+ parameters = {
+ location = {
+ value = "[field('location')]"
}
+ logAnalytics = {
+ value = "[parameters('logAnalytics')]"
}
+ logsEnabled = {
+ value = "[parameters('logsEnabled')]"
}
+ profileName = {
+ value = "[parameters('profileName')]"
}
+ resourceName = {
+ value = "[field('name')]"
}
}
+ template = {
+ "$schema" = "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#"
+ contentVersion = "1.0.0.0"
+ outputs = {}
+ parameters = {
+ location = {
+ type = "String"
}
+ logAnalytics = {
+ type = "String"
}
+ logsEnabled = {
+ type = "String"
}
+ profileName = {
+ type = "String"
}
+ resourceName = {
+ type = "String"
}
}
+ resources = [
+ {
+ apiVersion = "2017-05-01-preview"
+ dependsOn = []
+ location = "[parameters('location')]"
+ name = "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]"
+ properties = {
+ logs = [
+ {
+ category = "NetworkSecurityGroupEvent"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "NetworkSecurityGroupRuleCounter"
+ enabled = "[parameters('logsEnabled')]"
},
]
+ metrics = []
+ workspaceId = "[parameters('logAnalytics')]"
}
+ type = "Microsoft.Network/networkSecurityGroups/providers/diagnosticSettings"
},
]
+ variables = {}
}
}
}
+ existenceCondition = {
+ allOf = [
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/logs.enabled"
},
+ {
+ equals = "[parameters('logAnalytics')]"
+ field = "Microsoft.Insights/diagnosticSettings/workspaceId"
},
]
}
+ name = "setByPolicy"
+ roleDefinitionIds = [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
]
+ type = "Microsoft.Insights/diagnosticSettings"
}
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PostgreSQL"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Deploys the diagnostic settings for Database for PostgreSQL to stream to a Log Analytics workspace when any Database for PostgreSQL which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ display_name = "Deploy Diagnostic Settings for Database for PostgreSQL to Log Analytics workspace"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Monitoring"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deploy-Diagnostics-PostgreSQL"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "DeployIfNotExists",
+ "Disabled",
]
+ defaultValue = "DeployIfNotExists"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
+ logAnalytics = {
+ metadata = {
+ description = "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID."
+ displayName = "Log Analytics workspace"
+ strongType = "omsWorkspace"
}
+ type = "String"
}
+ logsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ displayName = "Enable logs"
}
+ type = "String"
}
+ metricsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ displayName = "Enable metrics"
}
+ type = "String"
}
+ profileName = {
+ defaultValue = "setbypolicy"
+ metadata = {
+ description = "The diagnostic settings profile name"
+ displayName = "Profile name"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ equals = "Microsoft.DBforPostgreSQL/servers"
+ field = "type"
}
+ then = {
+ details = {
+ deployment = {
+ properties = {
+ mode = "Incremental"
+ parameters = {
+ location = {
+ value = "[field('location')]"
}
+ logAnalytics = {
+ value = "[parameters('logAnalytics')]"
}
+ logsEnabled = {
+ value = "[parameters('logsEnabled')]"
}
+ metricsEnabled = {
+ value = "[parameters('metricsEnabled')]"
}
+ profileName = {
+ value = "[parameters('profileName')]"
}
+ resourceName = {
+ value = "[field('name')]"
}
}
+ template = {
+ "$schema" = "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#"
+ contentVersion = "1.0.0.0"
+ outputs = {}
+ parameters = {
+ location = {
+ type = "String"
}
+ logAnalytics = {
+ type = "String"
}
+ logsEnabled = {
+ type = "String"
}
+ metricsEnabled = {
+ type = "String"
}
+ profileName = {
+ type = "String"
}
+ resourceName = {
+ type = "String"
}
}
+ resources = [
+ {
+ apiVersion = "2017-05-01-preview"
+ dependsOn = []
+ location = "[parameters('location')]"
+ name = "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]"
+ properties = {
+ logs = [
+ {
+ category = "PostgreSQLLogs"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "QueryStoreRuntimeStatistics"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "QueryStoreWaitStatistics"
+ enabled = "[parameters('logsEnabled')]"
},
]
+ metrics = [
+ {
+ category = "AllMetrics"
+ enabled = "[parameters('metricsEnabled')]"
+ retentionPolicy = {
+ days = 0
+ enabled = false
}
+ timeGrain = null
},
]
+ workspaceId = "[parameters('logAnalytics')]"
}
+ type = "Microsoft.DBforPostgreSQL/servers/providers/diagnosticSettings"
},
]
+ variables = {}
}
}
}
+ existenceCondition = {
+ allOf = [
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/logs.enabled"
},
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/metrics.enabled"
},
+ {
+ equals = "[parameters('logAnalytics')]"
+ field = "Microsoft.Insights/diagnosticSettings/workspaceId"
},
]
}
+ name = "setByPolicy"
+ roleDefinitionIds = [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
]
+ type = "Microsoft.Insights/diagnosticSettings"
}
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-PowerBIEmbedded"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Deploys the diagnostic settings for Power BI Embedded to stream to a Log Analytics workspace when any Power BI Embedded which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ display_name = "Deploy Diagnostic Settings for Power BI Embedded to Log Analytics workspace"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Monitoring"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deploy-Diagnostics-PowerBIEmbedded"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "DeployIfNotExists",
+ "Disabled",
]
+ defaultValue = "DeployIfNotExists"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
+ logAnalytics = {
+ metadata = {
+ description = "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID."
+ displayName = "Log Analytics workspace"
+ strongType = "omsWorkspace"
}
+ type = "String"
}
+ logsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ displayName = "Enable logs"
}
+ type = "String"
}
+ metricsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ displayName = "Enable metrics"
}
+ type = "String"
}
+ profileName = {
+ defaultValue = "setbypolicy"
+ metadata = {
+ description = "The diagnostic settings profile name"
+ displayName = "Profile name"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ equals = "Microsoft.PowerBIDedicated/capacities"
+ field = "type"
}
+ then = {
+ details = {
+ deployment = {
+ properties = {
+ mode = "Incremental"
+ parameters = {
+ location = {
+ value = "[field('location')]"
}
+ logAnalytics = {
+ value = "[parameters('logAnalytics')]"
}
+ logsEnabled = {
+ value = "[parameters('logsEnabled')]"
}
+ metricsEnabled = {
+ value = "[parameters('metricsEnabled')]"
}
+ profileName = {
+ value = "[parameters('profileName')]"
}
+ resourceName = {
+ value = "[field('name')]"
}
}
+ template = {
+ "$schema" = "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#"
+ contentVersion = "1.0.0.0"
+ outputs = {}
+ parameters = {
+ location = {
+ type = "String"
}
+ logAnalytics = {
+ type = "String"
}
+ logsEnabled = {
+ type = "String"
}
+ metricsEnabled = {
+ type = "String"
}
+ profileName = {
+ type = "String"
}
+ resourceName = {
+ type = "String"
}
}
+ resources = [
+ {
+ apiVersion = "2017-05-01-preview"
+ dependsOn = []
+ location = "[parameters('location')]"
+ name = "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]"
+ properties = {
+ logs = [
+ {
+ category = "Engine"
+ enabled = "[parameters('logsEnabled')]"
},
]
+ metrics = [
+ {
+ category = "AllMetrics"
+ enabled = "[parameters('metricsEnabled')]"
+ retentionPolicy = {
+ days = 0
+ enabled = false
}
+ timeGrain = null
},
]
+ workspaceId = "[parameters('logAnalytics')]"
}
+ type = "Microsoft.PowerBIDedicated/capacities/providers/diagnosticSettings"
},
]
+ variables = {}
}
}
}
+ existenceCondition = {
+ allOf = [
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/logs.enabled"
},
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/metrics.enabled"
},
+ {
+ equals = "[parameters('logAnalytics')]"
+ field = "Microsoft.Insights/diagnosticSettings/workspaceId"
},
]
}
+ name = "setByPolicy"
+ roleDefinitionIds = [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
]
+ type = "Microsoft.Insights/diagnosticSettings"
}
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-RedisCache"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Deploys the diagnostic settings for Redis Cache to stream to a Log Analytics workspace when any Redis Cache which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ display_name = "Deploy Diagnostic Settings for Redis Cache to Log Analytics workspace"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Monitoring"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deploy-Diagnostics-RedisCache"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "DeployIfNotExists",
+ "Disabled",
]
+ defaultValue = "DeployIfNotExists"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
+ logAnalytics = {
+ metadata = {
+ description = "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID."
+ displayName = "Log Analytics workspace"
+ strongType = "omsWorkspace"
}
+ type = "String"
}
+ metricsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ displayName = "Enable metrics"
}
+ type = "String"
}
+ profileName = {
+ defaultValue = "setbypolicy"
+ metadata = {
+ description = "The diagnostic settings profile name"
+ displayName = "Profile name"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ equals = "Microsoft.Cache/redis"
+ field = "type"
}
+ then = {
+ details = {
+ deployment = {
+ properties = {
+ mode = "Incremental"
+ parameters = {
+ location = {
+ value = "[field('location')]"
}
+ logAnalytics = {
+ value = "[parameters('logAnalytics')]"
}
+ metricsEnabled = {
+ value = "[parameters('metricsEnabled')]"
}
+ profileName = {
+ value = "[parameters('profileName')]"
}
+ resourceName = {
+ value = "[field('name')]"
}
}
+ template = {
+ "$schema" = "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#"
+ contentVersion = "1.0.0.0"
+ outputs = {}
+ parameters = {
+ location = {
+ type = "String"
}
+ logAnalytics = {
+ type = "String"
}
+ metricsEnabled = {
+ type = "String"
}
+ profileName = {
+ type = "String"
}
+ resourceName = {
+ type = "String"
}
}
+ resources = [
+ {
+ apiVersion = "2017-05-01-preview"
+ dependsOn = []
+ location = "[parameters('location')]"
+ name = "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]"
+ properties = {
+ logs = []
+ metrics = [
+ {
+ category = "AllMetrics"
+ enabled = "[parameters('metricsEnabled')]"
+ retentionPolicy = {
+ days = 0
+ enabled = false
}
+ timeGrain = null
},
]
+ workspaceId = "[parameters('logAnalytics')]"
}
+ type = "Microsoft.Cache/redis/providers/diagnosticSettings"
},
]
+ variables = {}
}
}
}
+ existenceCondition = {
+ allOf = [
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/metrics.enabled"
},
+ {
+ equals = "[parameters('logAnalytics')]"
+ field = "Microsoft.Insights/diagnosticSettings/workspaceId"
},
]
}
+ name = "setByPolicy"
+ roleDefinitionIds = [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
]
+ type = "Microsoft.Insights/diagnosticSettings"
}
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Relay"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Deploys the diagnostic settings for Relay to stream to a Log Analytics workspace when any Relay which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ display_name = "Deploy Diagnostic Settings for Relay to Log Analytics workspace"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Monitoring"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deploy-Diagnostics-Relay"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "DeployIfNotExists",
+ "Disabled",
]
+ defaultValue = "DeployIfNotExists"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
+ logAnalytics = {
+ metadata = {
+ description = "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID."
+ displayName = "Log Analytics workspace"
+ strongType = "omsWorkspace"
}
+ type = "String"
}
+ logsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ displayName = "Enable logs"
}
+ type = "String"
}
+ metricsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ displayName = "Enable metrics"
}
+ type = "String"
}
+ profileName = {
+ defaultValue = "setbypolicy"
+ metadata = {
+ description = "The diagnostic settings profile name"
+ displayName = "Profile name"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ equals = "Microsoft.Relay/namespaces"
+ field = "type"
}
+ then = {
+ details = {
+ deployment = {
+ properties = {
+ mode = "Incremental"
+ parameters = {
+ location = {
+ value = "[field('location')]"
}
+ logAnalytics = {
+ value = "[parameters('logAnalytics')]"
}
+ logsEnabled = {
+ value = "[parameters('logsEnabled')]"
}
+ metricsEnabled = {
+ value = "[parameters('metricsEnabled')]"
}
+ profileName = {
+ value = "[parameters('profileName')]"
}
+ resourceName = {
+ value = "[field('name')]"
}
}
+ template = {
+ "$schema" = "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#"
+ contentVersion = "1.0.0.0"
+ outputs = {}
+ parameters = {
+ location = {
+ type = "String"
}
+ logAnalytics = {
+ type = "String"
}
+ logsEnabled = {
+ type = "String"
}
+ metricsEnabled = {
+ type = "String"
}
+ profileName = {
+ type = "String"
}
+ resourceName = {
+ type = "String"
}
}
+ resources = [
+ {
+ apiVersion = "2017-05-01-preview"
+ dependsOn = []
+ location = "[parameters('location')]"
+ name = "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]"
+ properties = {
+ logs = [
+ {
+ category = "HybridConnectionsEvent"
+ enabled = "[parameters('logsEnabled')]"
},
]
+ metrics = [
+ {
+ category = "AllMetrics"
+ enabled = "[parameters('metricsEnabled')]"
+ retentionPolicy = {
+ days = 0
+ enabled = false
}
+ timeGrain = null
},
]
+ workspaceId = "[parameters('logAnalytics')]"
}
+ type = "Microsoft.Relay/namespaces/providers/diagnosticSettings"
},
]
+ variables = {}
}
}
}
+ existenceCondition = {
+ allOf = [
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/logs.enabled"
},
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/metrics.enabled"
},
+ {
+ equals = "[parameters('logAnalytics')]"
+ field = "Microsoft.Insights/diagnosticSettings/workspaceId"
},
]
}
+ name = "setByPolicy"
+ roleDefinitionIds = [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
]
+ type = "Microsoft.Insights/diagnosticSettings"
}
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLElasticPools"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Deploys the diagnostic settings for SQL Elastic Pools to stream to a Log Analytics workspace when any SQL Elastic Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ display_name = "Deploy Diagnostic Settings for SQL Elastic Pools to Log Analytics workspace"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Monitoring"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deploy-Diagnostics-SQLElasticPools"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "DeployIfNotExists",
+ "Disabled",
]
+ defaultValue = "DeployIfNotExists"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
+ logAnalytics = {
+ metadata = {
+ description = "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID."
+ displayName = "Log Analytics workspace"
+ strongType = "omsWorkspace"
}
+ type = "String"
}
+ metricsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ displayName = "Enable metrics"
}
+ type = "String"
}
+ profileName = {
+ defaultValue = "setbypolicy"
+ metadata = {
+ description = "The diagnostic settings profile name"
+ displayName = "Profile name"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ equals = "Microsoft.Sql/servers/elasticPools"
+ field = "type"
}
+ then = {
+ details = {
+ deployment = {
+ properties = {
+ mode = "Incremental"
+ parameters = {
+ location = {
+ value = "[field('location')]"
}
+ logAnalytics = {
+ value = "[parameters('logAnalytics')]"
}
+ metricsEnabled = {
+ value = "[parameters('metricsEnabled')]"
}
+ profileName = {
+ value = "[parameters('profileName')]"
}
+ resourceName = {
+ value = "[field('fullName')]"
}
}
+ template = {
+ "$schema" = "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#"
+ contentVersion = "1.0.0.0"
+ outputs = {}
+ parameters = {
+ location = {
+ type = "String"
}
+ logAnalytics = {
+ type = "String"
}
+ metricsEnabled = {
+ type = "String"
}
+ profileName = {
+ type = "String"
}
+ resourceName = {
+ type = "String"
}
}
+ resources = [
+ {
+ apiVersion = "2017-05-01-preview"
+ dependsOn = []
+ location = "[parameters('location')]"
+ name = "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]"
+ properties = {
+ logs = []
+ metrics = [
+ {
+ category = "AllMetrics"
+ enabled = "[parameters('metricsEnabled')]"
+ retentionPolicy = {
+ days = 0
+ enabled = false
}
+ timeGrain = null
},
]
+ workspaceId = "[parameters('logAnalytics')]"
}
+ type = "Microsoft.Sql/servers/elasticPools/providers/diagnosticSettings"
},
]
+ variables = {}
}
}
}
+ existenceCondition = {
+ allOf = [
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/metrics.enabled"
},
+ {
+ equals = "[parameters('logAnalytics')]"
+ field = "Microsoft.Insights/diagnosticSettings/workspaceId"
},
]
}
+ name = "setByPolicy"
+ roleDefinitionIds = [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
]
+ type = "Microsoft.Insights/diagnosticSettings"
}
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SQLMI"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Deploys diagnostic settings for SQL Managed Instances that stream to a Log Analytics workspace whenever a managed instance missing these settings is created or updated. The deployment template enables the ResourceUsageStats, SQLSecurityAuditEvents and DevOpsOperationsAudit log categories; it configures no metrics."
+ display_name = "Deploy Diagnostic Settings for SQL Managed Instances to Log Analytics workspace"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Monitoring"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deploy-Diagnostics-SQLMI"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "DeployIfNotExists",
+ "Disabled",
]
+ defaultValue = "DeployIfNotExists"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
+ logAnalytics = {
+ metadata = {
+ description = "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID."
+ displayName = "Log Analytics workspace"
+ strongType = "omsWorkspace"
}
+ type = "String"
}
+ logsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ displayName = "Enable logs"
}
+ type = "String"
}
+ profileName = {
+ defaultValue = "setbypolicy"
+ metadata = {
+ description = "The diagnostic settings profile name"
+ displayName = "Profile name"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ equals = "Microsoft.Sql/managedInstances"
+ field = "type"
}
+ then = {
+ details = {
+ deployment = {
+ properties = {
+ mode = "Incremental"
+ parameters = {
+ location = {
+ value = "[field('location')]"
}
+ logAnalytics = {
+ value = "[parameters('logAnalytics')]"
}
+ logsEnabled = {
+ value = "[parameters('logsEnabled')]"
}
+ profileName = {
+ value = "[parameters('profileName')]"
}
+ resourceName = {
+ value = "[field('name')]"
}
}
+ template = {
+ "$schema" = "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#"
+ contentVersion = "1.0.0.0"
+ outputs = {}
+ parameters = {
+ location = {
+ type = "String"
}
+ logAnalytics = {
+ type = "String"
}
+ logsEnabled = {
+ type = "String"
}
+ profileName = {
+ type = "String"
}
+ resourceName = {
+ type = "String"
}
}
+ resources = [
+ {
+ apiVersion = "2017-05-01-preview"
+ dependsOn = []
+ location = "[parameters('location')]"
+ name = "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]"
+ properties = {
+ logs = [
+ {
+ category = "ResourceUsageStats"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "SQLSecurityAuditEvents"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "DevOpsOperationsAudit"
+ enabled = "[parameters('logsEnabled')]"
},
]
+ workspaceId = "[parameters('logAnalytics')]"
}
+ type = "Microsoft.Sql/managedInstances/providers/diagnosticSettings"
},
]
+ variables = {}
}
}
}
+ existenceCondition = {
+ allOf = [
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/logs.enabled"
},
+ {
+ equals = "[parameters('logAnalytics')]"
+ field = "Microsoft.Insights/diagnosticSettings/workspaceId"
},
]
}
+ name = "setByPolicy"
+ roleDefinitionIds = [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
]
+ type = "Microsoft.Insights/diagnosticSettings"
}
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-SignalR"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Deploys diagnostic settings for SignalR that stream to a Log Analytics workspace whenever a SignalR resource missing these settings is created or updated. The deployment template enables the AllLogs and AllMetrics categories. Note: the existence condition checks only metrics.enabled and workspaceId, so an existing setting with logs disabled is still evaluated as compliant."
+ display_name = "Deploy Diagnostic Settings for SignalR to Log Analytics workspace"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Monitoring"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deploy-Diagnostics-SignalR"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "DeployIfNotExists",
+ "Disabled",
]
+ defaultValue = "DeployIfNotExists"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
+ logAnalytics = {
+ metadata = {
+ description = "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID."
+ displayName = "Log Analytics workspace"
+ strongType = "omsWorkspace"
}
+ type = "String"
}
+ logsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ displayName = "Enable logs"
}
+ type = "String"
}
+ metricsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ displayName = "Enable metrics"
}
+ type = "String"
}
+ profileName = {
+ defaultValue = "setbypolicy"
+ metadata = {
+ description = "The diagnostic settings profile name"
+ displayName = "Profile name"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ equals = "Microsoft.SignalRService/SignalR"
+ field = "type"
}
+ then = {
+ details = {
+ deployment = {
+ properties = {
+ mode = "Incremental"
+ parameters = {
+ location = {
+ value = "[field('location')]"
}
+ logAnalytics = {
+ value = "[parameters('logAnalytics')]"
}
+ logsEnabled = {
+ value = "[parameters('logsEnabled')]"
}
+ metricsEnabled = {
+ value = "[parameters('metricsEnabled')]"
}
+ profileName = {
+ value = "[parameters('profileName')]"
}
+ resourceName = {
+ value = "[field('name')]"
}
}
+ template = {
+ "$schema" = "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#"
+ contentVersion = "1.0.0.0"
+ outputs = {}
+ parameters = {
+ location = {
+ type = "String"
}
+ logAnalytics = {
+ type = "String"
}
+ logsEnabled = {
+ type = "String"
}
+ metricsEnabled = {
+ type = "String"
}
+ profileName = {
+ type = "String"
}
+ resourceName = {
+ type = "String"
}
}
+ resources = [
+ {
+ apiVersion = "2017-05-01-preview"
+ dependsOn = []
+ location = "[parameters('location')]"
+ name = "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]"
+ properties = {
+ logs = [
+ {
+ category = "AllLogs"
+ enabled = "[parameters('logsEnabled')]"
},
]
+ metrics = [
+ {
+ category = "AllMetrics"
+ enabled = "[parameters('metricsEnabled')]"
+ retentionPolicy = {
+ days = 0
+ enabled = false
}
+ timeGrain = null
},
]
+ workspaceId = "[parameters('logAnalytics')]"
}
+ type = "Microsoft.SignalRService/SignalR/providers/diagnosticSettings"
},
]
+ variables = {}
}
}
}
+ existenceCondition = {
+ allOf = [
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/metrics.enabled"
},
+ {
+ equals = "[parameters('logAnalytics')]"
+ field = "Microsoft.Insights/diagnosticSettings/workspaceId"
},
]
}
+ name = "setByPolicy"
+ roleDefinitionIds = [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
]
+ type = "Microsoft.Insights/diagnosticSettings"
}
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TimeSeriesInsights"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Deploys diagnostic settings for Time Series Insights environments that stream to a Log Analytics workspace whenever an environment missing these settings is created or updated. The deployment template enables the Ingress and Management log categories and the AllMetrics category."
+ display_name = "Deploy Diagnostic Settings for Time Series Insights to Log Analytics workspace"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Monitoring"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deploy-Diagnostics-TimeSeriesInsights"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "DeployIfNotExists",
+ "Disabled",
]
+ defaultValue = "DeployIfNotExists"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
+ logAnalytics = {
+ metadata = {
+ description = "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID."
+ displayName = "Log Analytics workspace"
+ strongType = "omsWorkspace"
}
+ type = "String"
}
+ logsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ displayName = "Enable logs"
}
+ type = "String"
}
+ metricsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ displayName = "Enable metrics"
}
+ type = "String"
}
+ profileName = {
+ defaultValue = "setbypolicy"
+ metadata = {
+ description = "The diagnostic settings profile name"
+ displayName = "Profile name"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ equals = "Microsoft.TimeSeriesInsights/environments"
+ field = "type"
}
+ then = {
+ details = {
+ deployment = {
+ properties = {
+ mode = "Incremental"
+ parameters = {
+ location = {
+ value = "[field('location')]"
}
+ logAnalytics = {
+ value = "[parameters('logAnalytics')]"
}
+ logsEnabled = {
+ value = "[parameters('logsEnabled')]"
}
+ metricsEnabled = {
+ value = "[parameters('metricsEnabled')]"
}
+ profileName = {
+ value = "[parameters('profileName')]"
}
+ resourceName = {
+ value = "[field('name')]"
}
}
+ template = {
+ "$schema" = "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#"
+ contentVersion = "1.0.0.0"
+ outputs = {}
+ parameters = {
+ location = {
+ type = "String"
}
+ logAnalytics = {
+ type = "String"
}
+ logsEnabled = {
+ type = "String"
}
+ metricsEnabled = {
+ type = "String"
}
+ profileName = {
+ type = "String"
}
+ resourceName = {
+ type = "String"
}
}
+ resources = [
+ {
+ apiVersion = "2017-05-01-preview"
+ dependsOn = []
+ location = "[parameters('location')]"
+ name = "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]"
+ properties = {
+ logs = [
+ {
+ category = "Ingress"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "Management"
+ enabled = "[parameters('logsEnabled')]"
},
]
+ metrics = [
+ {
+ category = "AllMetrics"
+ enabled = "[parameters('metricsEnabled')]"
+ retentionPolicy = {
+ days = 0
+ enabled = false
}
+ timeGrain = null
},
]
+ workspaceId = "[parameters('logAnalytics')]"
}
+ type = "Microsoft.TimeSeriesInsights/environments/providers/diagnosticSettings"
},
]
+ variables = {}
}
}
}
+ existenceCondition = {
+ allOf = [
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/logs.enabled"
},
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/metrics.enabled"
},
+ {
+ equals = "[parameters('logAnalytics')]"
+ field = "Microsoft.Insights/diagnosticSettings/workspaceId"
},
]
}
+ name = "setByPolicy"
+ roleDefinitionIds = [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
]
+ type = "Microsoft.Insights/diagnosticSettings"
}
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-TrafficManager"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Deploys diagnostic settings for Traffic Manager profiles that stream to a Log Analytics workspace whenever a profile missing these settings is created or updated. The deployment template enables the ProbeHealthStatusEvents log category and the AllMetrics category."
+ display_name = "Deploy Diagnostic Settings for Traffic Manager to Log Analytics workspace"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Monitoring"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deploy-Diagnostics-TrafficManager"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "DeployIfNotExists",
+ "Disabled",
]
+ defaultValue = "DeployIfNotExists"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
+ logAnalytics = {
+ metadata = {
+ description = "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID."
+ displayName = "Log Analytics workspace"
+ strongType = "omsWorkspace"
}
+ type = "String"
}
+ logsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ displayName = "Enable logs"
}
+ type = "String"
}
+ metricsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ displayName = "Enable metrics"
}
+ type = "String"
}
+ profileName = {
+ defaultValue = "setbypolicy"
+ metadata = {
+ description = "The diagnostic settings profile name"
+ displayName = "Profile name"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ equals = "Microsoft.Network/trafficManagerProfiles"
+ field = "type"
}
+ then = {
+ details = {
+ deployment = {
+ properties = {
+ mode = "Incremental"
+ parameters = {
+ location = {
+ value = "[field('location')]"
}
+ logAnalytics = {
+ value = "[parameters('logAnalytics')]"
}
+ logsEnabled = {
+ value = "[parameters('logsEnabled')]"
}
+ metricsEnabled = {
+ value = "[parameters('metricsEnabled')]"
}
+ profileName = {
+ value = "[parameters('profileName')]"
}
+ resourceName = {
+ value = "[field('name')]"
}
}
+ template = {
+ "$schema" = "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#"
+ contentVersion = "1.0.0.0"
+ outputs = {}
+ parameters = {
+ location = {
+ type = "String"
}
+ logAnalytics = {
+ type = "String"
}
+ logsEnabled = {
+ type = "String"
}
+ metricsEnabled = {
+ type = "String"
}
+ profileName = {
+ type = "String"
}
+ resourceName = {
+ type = "String"
}
}
+ resources = [
+ {
+ apiVersion = "2017-05-01-preview"
+ dependsOn = []
+ location = "[parameters('location')]"
+ name = "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]"
+ properties = {
+ logs = [
+ {
+ category = "ProbeHealthStatusEvents"
+ enabled = "[parameters('logsEnabled')]"
},
]
+ metrics = [
+ {
+ category = "AllMetrics"
+ enabled = "[parameters('metricsEnabled')]"
+ retentionPolicy = {
+ days = 0
+ enabled = false
}
+ timeGrain = null
},
]
+ workspaceId = "[parameters('logAnalytics')]"
}
+ type = "Microsoft.Network/trafficManagerProfiles/providers/diagnosticSettings"
},
]
+ variables = {}
}
}
}
+ existenceCondition = {
+ allOf = [
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/logs.enabled"
},
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/metrics.enabled"
},
+ {
+ equals = "[parameters('logAnalytics')]"
+ field = "Microsoft.Insights/diagnosticSettings/workspaceId"
},
]
}
+ name = "setByPolicy"
+ roleDefinitionIds = [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
]
+ type = "Microsoft.Insights/diagnosticSettings"
}
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VM"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Deploys diagnostic settings for Virtual Machines that stream to a Log Analytics workspace whenever a virtual machine missing these settings is created or updated. The deployment template enables the AllMetrics category only and sets no log categories (logs = [])."
+ display_name = "Deploy Diagnostic Settings for Virtual Machines to Log Analytics workspace"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Monitoring"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deploy-Diagnostics-VM"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "DeployIfNotExists",
+ "Disabled",
]
+ defaultValue = "DeployIfNotExists"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
+ logAnalytics = {
+ metadata = {
+ description = "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID."
+ displayName = "Log Analytics workspace"
+ strongType = "omsWorkspace"
}
+ type = "String"
}
+ metricsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ displayName = "Enable metrics"
}
+ type = "String"
}
+ profileName = {
+ defaultValue = "setbypolicy"
+ metadata = {
+ description = "The diagnostic settings profile name"
+ displayName = "Profile name"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ equals = "Microsoft.Compute/virtualMachines"
+ field = "type"
}
+ then = {
+ details = {
+ deployment = {
+ properties = {
+ mode = "Incremental"
+ parameters = {
+ location = {
+ value = "[field('location')]"
}
+ logAnalytics = {
+ value = "[parameters('logAnalytics')]"
}
+ metricsEnabled = {
+ value = "[parameters('metricsEnabled')]"
}
+ profileName = {
+ value = "[parameters('profileName')]"
}
+ resourceName = {
+ value = "[field('name')]"
}
}
+ template = {
+ "$schema" = "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#"
+ contentVersion = "1.0.0.0"
+ outputs = {}
+ parameters = {
+ location = {
+ type = "String"
}
+ logAnalytics = {
+ type = "String"
}
+ metricsEnabled = {
+ type = "String"
}
+ profileName = {
+ type = "String"
}
+ resourceName = {
+ type = "String"
}
}
+ resources = [
+ {
+ apiVersion = "2017-05-01-preview"
+ dependsOn = []
+ location = "[parameters('location')]"
+ name = "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]"
+ properties = {
+ logs = []
+ metrics = [
+ {
+ category = "AllMetrics"
+ enabled = "[parameters('metricsEnabled')]"
+ retentionPolicy = {
+ days = 0
+ enabled = false
}
},
]
+ workspaceId = "[parameters('logAnalytics')]"
}
+ type = "Microsoft.Compute/virtualMachines/providers/diagnosticSettings"
},
]
+ variables = {}
}
}
}
+ existenceCondition = {
+ allOf = [
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/metrics.enabled"
},
+ {
+ equals = "[parameters('logAnalytics')]"
+ field = "Microsoft.Insights/diagnosticSettings/workspaceId"
},
]
}
+ name = "setByPolicy"
+ roleDefinitionIds = [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
]
+ type = "Microsoft.Insights/diagnosticSettings"
}
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VMSS"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Deploys diagnostic settings for Virtual Machine Scale Sets that stream to a Log Analytics workspace whenever a scale set missing these settings is created or updated. The deployment template enables the AllMetrics category only and sets no log categories (logs = [])."
+ display_name = "Deploy Diagnostic Settings for Virtual Machine Scale Sets to Log Analytics workspace"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Monitoring"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deploy-Diagnostics-VMSS"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "DeployIfNotExists",
+ "Disabled",
]
+ defaultValue = "DeployIfNotExists"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
+ logAnalytics = {
+ metadata = {
+ description = "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID."
+ displayName = "Log Analytics workspace"
+ strongType = "omsWorkspace"
}
+ type = "String"
}
+ metricsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ displayName = "Enable metrics"
}
+ type = "String"
}
+ profileName = {
+ defaultValue = "setbypolicy"
+ metadata = {
+ description = "The diagnostic settings profile name"
+ displayName = "Profile name"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ equals = "Microsoft.Compute/virtualMachineScaleSets"
+ field = "type"
}
+ then = {
+ details = {
+ deployment = {
+ properties = {
+ mode = "Incremental"
+ parameters = {
+ location = {
+ value = "[field('location')]"
}
+ logAnalytics = {
+ value = "[parameters('logAnalytics')]"
}
+ metricsEnabled = {
+ value = "[parameters('metricsEnabled')]"
}
+ profileName = {
+ value = "[parameters('profileName')]"
}
+ resourceName = {
+ value = "[field('name')]"
}
}
+ template = {
+ "$schema" = "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#"
+ contentVersion = "1.0.0.0"
+ outputs = {}
+ parameters = {
+ location = {
+ type = "String"
}
+ logAnalytics = {
+ type = "String"
}
+ metricsEnabled = {
+ type = "String"
}
+ profileName = {
+ type = "String"
}
+ resourceName = {
+ type = "String"
}
}
+ resources = [
+ {
+ apiVersion = "2017-05-01-preview"
+ dependsOn = []
+ location = "[parameters('location')]"
+ name = "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]"
+ properties = {
+ logs = []
+ metrics = [
+ {
+ category = "AllMetrics"
+ enabled = "[parameters('metricsEnabled')]"
+ retentionPolicy = {
+ days = 0
+ enabled = false
}
},
]
+ workspaceId = "[parameters('logAnalytics')]"
}
+ type = "Microsoft.Compute/virtualMachineScaleSets/providers/diagnosticSettings"
},
]
+ variables = {}
}
}
}
+ existenceCondition = {
+ allOf = [
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/metrics.enabled"
},
+ {
+ equals = "[parameters('logAnalytics')]"
+ field = "Microsoft.Insights/diagnosticSettings/workspaceId"
},
]
}
+ name = "setByPolicy"
+ roleDefinitionIds = [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
]
+ type = "Microsoft.Insights/diagnosticSettings"
}
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VNetGW"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Deploys diagnostic settings for virtual network gateways (VPN Gateway) that stream to a Log Analytics workspace whenever a gateway missing these settings is created or updated. The deployment template enables the GatewayDiagnosticLog, IKEDiagnosticLog, P2SDiagnosticLog, RouteDiagnosticLog and TunnelDiagnosticLog categories and the AllMetrics category. Note: the template currently lists RouteDiagnosticLog twice; deduplicate the entry before relying on this definition."
+ display_name = "Deploy Diagnostic Settings for VPN Gateway to Log Analytics workspace"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Monitoring"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deploy-Diagnostics-VNetGW"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "DeployIfNotExists",
+ "Disabled",
]
+ defaultValue = "DeployIfNotExists"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
+ logAnalytics = {
+ metadata = {
+ description = "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID."
+ displayName = "Log Analytics workspace"
+ strongType = "omsWorkspace"
}
+ type = "String"
}
+ logsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ displayName = "Enable logs"
}
+ type = "String"
}
+ metricsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ displayName = "Enable metrics"
}
+ type = "String"
}
+ profileName = {
+ defaultValue = "setbypolicy"
+ metadata = {
+ description = "The diagnostic settings profile name"
+ displayName = "Profile name"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ equals = "Microsoft.Network/virtualNetworkGateways"
+ field = "type"
}
+ then = {
+ details = {
+ deployment = {
+ properties = {
+ mode = "Incremental"
+ parameters = {
+ location = {
+ value = "[field('location')]"
}
+ logAnalytics = {
+ value = "[parameters('logAnalytics')]"
}
+ logsEnabled = {
+ value = "[parameters('logsEnabled')]"
}
+ metricsEnabled = {
+ value = "[parameters('metricsEnabled')]"
}
+ profileName = {
+ value = "[parameters('profileName')]"
}
+ resourceName = {
+ value = "[field('name')]"
}
}
+ template = {
+ "$schema" = "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#"
+ contentVersion = "1.0.0.0"
+ outputs = {}
+ parameters = {
+ location = {
+ type = "String"
}
+ logAnalytics = {
+ type = "String"
}
+ logsEnabled = {
+ type = "String"
}
+ metricsEnabled = {
+ type = "String"
}
+ profileName = {
+ type = "String"
}
+ resourceName = {
+ type = "String"
}
}
+ resources = [
+ {
+ apiVersion = "2017-05-01-preview"
+ dependsOn = []
+ location = "[parameters('location')]"
+ name = "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]"
+ properties = {
+ logs = [
+ {
+ category = "GatewayDiagnosticLog"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "IKEDiagnosticLog"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "P2SDiagnosticLog"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "RouteDiagnosticLog"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "RouteDiagnosticLog"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "TunnelDiagnosticLog"
+ enabled = "[parameters('logsEnabled')]"
},
]
+ metrics = [
+ {
+ category = "AllMetrics"
+ enabled = "[parameters('metricsEnabled')]"
+ retentionPolicy = {
+ days = 0
+ enabled = false
}
+ timeGrain = null
},
]
+ workspaceId = "[parameters('logAnalytics')]"
}
+ type = "Microsoft.Network/virtualNetworkGateways/providers/diagnosticSettings"
},
]
+ variables = {}
}
}
}
+ existenceCondition = {
+ allOf = [
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/logs.enabled"
},
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/metrics.enabled"
},
+ {
+ equals = "[parameters('logAnalytics')]"
+ field = "Microsoft.Insights/diagnosticSettings/workspaceId"
},
]
}
+ name = "setByPolicy"
+ roleDefinitionIds = [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
]
+ type = "Microsoft.Insights/diagnosticSettings"
}
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-VirtualNetwork"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Deploys the diagnostic settings for Virtual Network to stream to a Log Analytics workspace when any Virtual Network which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ display_name = "Deploy Diagnostic Settings for Virtual Network to Log Analytics workspace"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Monitoring"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deploy-Diagnostics-VirtualNetwork"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "DeployIfNotExists",
+ "Disabled",
]
+ defaultValue = "DeployIfNotExists"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
+ logAnalytics = {
+ metadata = {
+ description = "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID."
+ displayName = "Log Analytics workspace"
+ strongType = "omsWorkspace"
}
+ type = "String"
}
+ logsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ displayName = "Enable logs"
}
+ type = "String"
}
+ metricsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ displayName = "Enable metrics"
}
+ type = "String"
}
+ profileName = {
+ defaultValue = "setbypolicy"
+ metadata = {
+ description = "The diagnostic settings profile name"
+ displayName = "Profile name"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ equals = "Microsoft.Network/virtualNetworks"
+ field = "type"
}
+ then = {
+ details = {
+ deployment = {
+ properties = {
+ mode = "Incremental"
+ parameters = {
+ location = {
+ value = "[field('location')]"
}
+ logAnalytics = {
+ value = "[parameters('logAnalytics')]"
}
+ logsEnabled = {
+ value = "[parameters('logsEnabled')]"
}
+ metricsEnabled = {
+ value = "[parameters('metricsEnabled')]"
}
+ profileName = {
+ value = "[parameters('profileName')]"
}
+ resourceName = {
+ value = "[field('name')]"
}
}
+ template = {
+ "$schema" = "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#"
+ contentVersion = "1.0.0.0"
+ outputs = {}
+ parameters = {
+ location = {
+ type = "String"
}
+ logAnalytics = {
+ type = "String"
}
+ logsEnabled = {
+ type = "String"
}
+ metricsEnabled = {
+ type = "String"
}
+ profileName = {
+ type = "String"
}
+ resourceName = {
+ type = "String"
}
}
+ resources = [
+ {
+ apiVersion = "2017-05-01-preview"
+ dependsOn = []
+ location = "[parameters('location')]"
+ name = "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]"
+ properties = {
+ logs = [
+ {
+ category = "VMProtectionAlerts"
+ enabled = "[parameters('logsEnabled')]"
},
]
+ metrics = [
+ {
+ category = "AllMetrics"
+ enabled = "[parameters('metricsEnabled')]"
+ retentionPolicy = {
+ days = 0
+ enabled = false
}
},
]
+ workspaceId = "[parameters('logAnalytics')]"
}
+ type = "Microsoft.Network/virtualNetworks/providers/diagnosticSettings"
},
]
+ variables = {}
}
}
}
+ existenceCondition = {
+ allOf = [
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/logs.enabled"
},
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/metrics.enabled"
},
+ {
+ equals = "[parameters('logAnalytics')]"
+ field = "Microsoft.Insights/diagnosticSettings/workspaceId"
},
]
}
+ name = "setByPolicy"
+ roleDefinitionIds = [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
]
+ type = "Microsoft.Insights/diagnosticSettings"
}
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDAppGroup"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Deploys the diagnostic settings for AVD Application group to stream to a Log Analytics workspace when any application group which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled."
+ display_name = "Deploy Diagnostic Settings for AVD Application group to Log Analytics workspace"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Monitoring"
+ version = "1.0.1"
}
)
+ mode = "Indexed"
+ name = "Deploy-Diagnostics-WVDAppGroup"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "DeployIfNotExists",
+ "Disabled",
]
+ defaultValue = "DeployIfNotExists"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
+ logAnalytics = {
+ metadata = {
+ description = "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID."
+ displayName = "Log Analytics workspace"
+ strongType = "omsWorkspace"
}
+ type = "String"
}
+ logsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ displayName = "Enable logs"
}
+ type = "String"
}
+ profileName = {
+ defaultValue = "setbypolicy"
+ metadata = {
+ description = "The diagnostic settings profile name"
+ displayName = "Profile name"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ equals = "Microsoft.DesktopVirtualization/applicationGroups"
+ field = "type"
}
+ then = {
+ details = {
+ deployment = {
+ properties = {
+ mode = "Incremental"
+ parameters = {
+ location = {
+ value = "[field('location')]"
}
+ logAnalytics = {
+ value = "[parameters('logAnalytics')]"
}
+ logsEnabled = {
+ value = "[parameters('logsEnabled')]"
}
+ profileName = {
+ value = "[parameters('profileName')]"
}
+ resourceName = {
+ value = "[field('name')]"
}
}
+ template = {
+ "$schema" = "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#"
+ contentVersion = "1.0.0.0"
+ outputs = {}
+ parameters = {
+ location = {
+ type = "String"
}
+ logAnalytics = {
+ type = "String"
}
+ logsEnabled = {
+ type = "String"
}
+ profileName = {
+ type = "String"
}
+ resourceName = {
+ type = "String"
}
}
+ resources = [
+ {
+ apiVersion = "2017-05-01-preview"
+ dependsOn = []
+ location = "[parameters('location')]"
+ name = "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]"
+ properties = {
+ logs = [
+ {
+ category = "Checkpoint"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "Error"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "Management"
+ enabled = "[parameters('logsEnabled')]"
},
]
+ workspaceId = "[parameters('logAnalytics')]"
}
+ type = "Microsoft.DesktopVirtualization/applicationGroups/providers/diagnosticSettings"
},
]
+ variables = {}
}
}
}
+ existenceCondition = {
+ allOf = [
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/logs.enabled"
},
+ {
+ equals = "[parameters('logAnalytics')]"
+ field = "Microsoft.Insights/diagnosticSettings/workspaceId"
},
]
}
+ name = "setByPolicy"
+ roleDefinitionIds = [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
]
+ type = "Microsoft.Insights/diagnosticSettings"
}
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDHostPools"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Deploys the diagnostic settings for AVD Host Pools to stream to a Log Analytics workspace when any Host Pools which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled."
+ display_name = "Deploy Diagnostic Settings for AVD Host Pools to Log Analytics workspace"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Monitoring"
+ version = "1.1.0"
}
)
+ mode = "Indexed"
+ name = "Deploy-Diagnostics-WVDHostPools"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "DeployIfNotExists",
+ "Disabled",
]
+ defaultValue = "DeployIfNotExists"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
+ logAnalytics = {
+ metadata = {
+ description = "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID."
+ displayName = "Log Analytics workspace"
+ strongType = "omsWorkspace"
}
+ type = "String"
}
+ logsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ displayName = "Enable logs"
}
+ type = "String"
}
+ profileName = {
+ defaultValue = "setbypolicy"
+ metadata = {
+ description = "The diagnostic settings profile name"
+ displayName = "Profile name"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ equals = "Microsoft.DesktopVirtualization/hostpools"
+ field = "type"
}
+ then = {
+ details = {
+ deployment = {
+ properties = {
+ mode = "Incremental"
+ parameters = {
+ location = {
+ value = "[field('location')]"
}
+ logAnalytics = {
+ value = "[parameters('logAnalytics')]"
}
+ logsEnabled = {
+ value = "[parameters('logsEnabled')]"
}
+ profileName = {
+ value = "[parameters('profileName')]"
}
+ resourceName = {
+ value = "[field('name')]"
}
}
+ template = {
+ "$schema" = "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#"
+ contentVersion = "1.0.0.0"
+ outputs = {}
+ parameters = {
+ location = {
+ type = "String"
}
+ logAnalytics = {
+ type = "String"
}
+ logsEnabled = {
+ type = "String"
}
+ profileName = {
+ type = "String"
}
+ resourceName = {
+ type = "String"
}
}
+ resources = [
+ {
+ apiVersion = "2017-05-01-preview"
+ dependsOn = []
+ location = "[parameters('location')]"
+ name = "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]"
+ properties = {
+ logs = [
+ {
+ category = "Checkpoint"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "Error"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "Management"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "Connection"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "HostRegistration"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "AgentHealthStatus"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "NetworkData"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "SessionHostManagement"
+ enabled = "[parameters('logsEnabled')]"
},
]
+ workspaceId = "[parameters('logAnalytics')]"
}
+ type = "Microsoft.DesktopVirtualization/hostpools/providers/diagnosticSettings"
},
]
+ variables = {}
}
}
}
+ existenceCondition = {
+ allOf = [
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/logs.enabled"
},
+ {
+ equals = "[parameters('logAnalytics')]"
+ field = "Microsoft.Insights/diagnosticSettings/workspaceId"
},
]
}
+ name = "setByPolicy"
+ roleDefinitionIds = [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
]
+ type = "Microsoft.Insights/diagnosticSettings"
}
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WVDWorkspace"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Deploys the diagnostic settings for AVD Workspace to stream to a Log Analytics workspace when any Workspace which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all and categorys enabled."
+ display_name = "Deploy Diagnostic Settings for AVD Workspace to Log Analytics workspace"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Monitoring"
+ version = "1.0.1"
}
)
+ mode = "Indexed"
+ name = "Deploy-Diagnostics-WVDWorkspace"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "DeployIfNotExists",
+ "Disabled",
]
+ defaultValue = "DeployIfNotExists"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
+ logAnalytics = {
+ metadata = {
+ description = "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID."
+ displayName = "Log Analytics workspace"
+ strongType = "omsWorkspace"
}
+ type = "String"
}
+ logsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ displayName = "Enable logs"
}
+ type = "String"
}
+ profileName = {
+ defaultValue = "setbypolicy"
+ metadata = {
+ description = "The diagnostic settings profile name"
+ displayName = "Profile name"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ equals = "Microsoft.DesktopVirtualization/workspaces"
+ field = "type"
}
+ then = {
+ details = {
+ deployment = {
+ properties = {
+ mode = "Incremental"
+ parameters = {
+ location = {
+ value = "[field('location')]"
}
+ logAnalytics = {
+ value = "[parameters('logAnalytics')]"
}
+ logsEnabled = {
+ value = "[parameters('logsEnabled')]"
}
+ profileName = {
+ value = "[parameters('profileName')]"
}
+ resourceName = {
+ value = "[field('name')]"
}
}
+ template = {
+ "$schema" = "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#"
+ contentVersion = "1.0.0.0"
+ outputs = {}
+ parameters = {
+ location = {
+ type = "String"
}
+ logAnalytics = {
+ type = "String"
}
+ logsEnabled = {
+ type = "String"
}
+ profileName = {
+ type = "String"
}
+ resourceName = {
+ type = "String"
}
}
+ resources = [
+ {
+ apiVersion = "2017-05-01-preview"
+ dependsOn = []
+ location = "[parameters('location')]"
+ name = "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]"
+ properties = {
+ logs = [
+ {
+ category = "Checkpoint"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "Error"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "Management"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "Feed"
+ enabled = "[parameters('logsEnabled')]"
},
]
+ workspaceId = "[parameters('logAnalytics')]"
}
+ type = "Microsoft.DesktopVirtualization/workspaces/providers/diagnosticSettings"
},
]
+ variables = {}
}
}
}
+ existenceCondition = {
+ allOf = [
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/logs.enabled"
},
+ {
+ equals = "[parameters('logAnalytics')]"
+ field = "Microsoft.Insights/diagnosticSettings/workspaceId"
},
]
}
+ name = "setByPolicy"
+ roleDefinitionIds = [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
]
+ type = "Microsoft.Insights/diagnosticSettings"
}
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-WebServerFarm"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Deploys the diagnostic settings for App Service Plan to stream to a Log Analytics workspace when any App Service Plan which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ display_name = "Deploy Diagnostic Settings for App Service Plan to Log Analytics workspace"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Monitoring"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deploy-Diagnostics-WebServerFarm"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "DeployIfNotExists",
+ "Disabled",
]
+ defaultValue = "DeployIfNotExists"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
+ logAnalytics = {
+ metadata = {
+ description = "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID."
+ displayName = "Log Analytics workspace"
+ strongType = "omsWorkspace"
}
+ type = "String"
}
+ metricsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ displayName = "Enable metrics"
}
+ type = "String"
}
+ profileName = {
+ defaultValue = "setbypolicy"
+ metadata = {
+ description = "The diagnostic settings profile name"
+ displayName = "Profile name"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ equals = "Microsoft.Web/serverfarms"
+ field = "type"
}
+ then = {
+ details = {
+ deployment = {
+ properties = {
+ mode = "Incremental"
+ parameters = {
+ location = {
+ value = "[field('location')]"
}
+ logAnalytics = {
+ value = "[parameters('logAnalytics')]"
}
+ metricsEnabled = {
+ value = "[parameters('metricsEnabled')]"
}
+ profileName = {
+ value = "[parameters('profileName')]"
}
+ resourceName = {
+ value = "[field('name')]"
}
}
+ template = {
+ "$schema" = "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#"
+ contentVersion = "1.0.0.0"
+ outputs = {}
+ parameters = {
+ location = {
+ type = "String"
}
+ logAnalytics = {
+ type = "String"
}
+ metricsEnabled = {
+ type = "String"
}
+ profileName = {
+ type = "String"
}
+ resourceName = {
+ type = "String"
}
}
+ resources = [
+ {
+ apiVersion = "2017-05-01-preview"
+ dependsOn = []
+ location = "[parameters('location')]"
+ name = "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]"
+ properties = {
+ logs = []
+ metrics = [
+ {
+ category = "AllMetrics"
+ enabled = "[parameters('metricsEnabled')]"
+ retentionPolicy = {
+ days = 0
+ enabled = false
}
+ timeGrain = null
},
]
+ workspaceId = "[parameters('logAnalytics')]"
}
+ type = "Microsoft.Web/serverfarms/providers/diagnosticSettings"
},
]
+ variables = {}
}
}
}
+ existenceCondition = {
+ allOf = [
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/metrics.enabled"
},
+ {
+ equals = "[parameters('logAnalytics')]"
+ field = "Microsoft.Insights/diagnosticSettings/workspaceId"
},
]
}
+ name = "setByPolicy"
+ roleDefinitionIds = [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
]
+ type = "Microsoft.Insights/diagnosticSettings"
}
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-Website"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Deploys the diagnostic settings for Web App to stream to a Log Analytics workspace when any Web App which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ display_name = "Deploy Diagnostic Settings for App Service to Log Analytics workspace"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Monitoring"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deploy-Diagnostics-Website"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "DeployIfNotExists",
+ "Disabled",
]
+ defaultValue = "DeployIfNotExists"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
+ logAnalytics = {
+ metadata = {
+ description = "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID."
+ displayName = "Log Analytics workspace"
+ strongType = "omsWorkspace"
}
+ type = "String"
}
+ logsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ displayName = "Enable logs"
}
+ type = "String"
}
+ metricsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ displayName = "Enable metrics"
}
+ type = "String"
}
+ profileName = {
+ defaultValue = "setbypolicy"
+ metadata = {
+ description = "The diagnostic settings profile name"
+ displayName = "Profile name"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ allOf = [
+ {
+ equals = "Microsoft.Web/sites"
+ field = "type"
},
+ {
+ notContains = "functionapp"
+ value = "[field('kind')]"
},
]
}
+ then = {
+ details = {
+ deployment = {
+ properties = {
+ mode = "Incremental"
+ parameters = {
+ location = {
+ value = "[field('location')]"
}
+ logAnalytics = {
+ value = "[parameters('logAnalytics')]"
}
+ logsEnabled = {
+ value = "[parameters('logsEnabled')]"
}
+ metricsEnabled = {
+ value = "[parameters('metricsEnabled')]"
}
+ profileName = {
+ value = "[parameters('profileName')]"
}
+ resourceName = {
+ value = "[field('name')]"
}
}
+ template = {
+ "$schema" = "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#"
+ contentVersion = "1.0.0.0"
+ outputs = {}
+ parameters = {
+ location = {
+ type = "String"
}
+ logAnalytics = {
+ type = "String"
}
+ logsEnabled = {
+ type = "String"
}
+ metricsEnabled = {
+ type = "String"
}
+ profileName = {
+ type = "String"
}
+ resourceName = {
+ type = "String"
}
}
+ resources = [
+ {
+ apiVersion = "2017-05-01-preview"
+ dependsOn = []
+ location = "[parameters('location')]"
+ name = "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]"
+ properties = {
+ logs = [
+ {
+ category = "AppServiceAntivirusScanAuditLogs"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "AppServiceHTTPLogs"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "AppServiceConsoleLogs"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "AppServiceHTTPLogs"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "AppServiceAppLogs"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "AppServiceFileAuditLogs"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "AppServiceAuditLogs"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "AppServiceIPSecAuditLogs"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "AppServicePlatformLogs"
+ enabled = "[parameters('logsEnabled')]"
},
]
+ metrics = [
+ {
+ category = "AllMetrics"
+ enabled = "[parameters('metricsEnabled')]"
+ retentionPolicy = {
+ days = 0
+ enabled = false
}
+ timeGrain = null
},
]
+ workspaceId = "[parameters('logAnalytics')]"
}
+ type = "Microsoft.Web/sites/providers/diagnosticSettings"
},
]
+ variables = {}
}
}
}
+ existenceCondition = {
+ allOf = [
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/logs.enabled"
},
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/metrics.enabled"
},
+ {
+ equals = "[parameters('logAnalytics')]"
+ field = "Microsoft.Insights/diagnosticSettings/workspaceId"
},
]
}
+ name = "setByPolicy"
+ roleDefinitionIds = [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
]
+ type = "Microsoft.Insights/diagnosticSettings"
}
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deploy-Diagnostics-iotHub"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Deploys the diagnostic settings for IoT Hub to stream to a Log Analytics workspace when any IoT Hub which is missing this diagnostic settings is created or updated. The Policy will set the diagnostic with all metrics and category enabled"
+ display_name = "Deploy Diagnostic Settings for IoT Hub to Log Analytics workspace"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Monitoring"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deploy-Diagnostics-iotHub"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "DeployIfNotExists",
+ "Disabled",
]
+ defaultValue = "DeployIfNotExists"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
+ logAnalytics = {
+ metadata = {
+ description = "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID."
+ displayName = "Log Analytics workspace"
+ strongType = "omsWorkspace"
}
+ type = "String"
}
+ logsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable logs stream to the Log Analytics workspace - True or False"
+ displayName = "Enable logs"
}
+ type = "String"
}
+ metricsEnabled = {
+ allowedValues = [
+ "True",
+ "False",
]
+ defaultValue = "True"
+ metadata = {
+ description = "Whether to enable metrics stream to the Log Analytics workspace - True or False"
+ displayName = "Enable metrics"
}
+ type = "String"
}
+ profileName = {
+ defaultValue = "setbypolicy"
+ metadata = {
+ description = "The diagnostic settings profile name"
+ displayName = "Profile name"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ equals = "Microsoft.Devices/IotHubs"
+ field = "type"
}
+ then = {
+ details = {
+ deployment = {
+ properties = {
+ mode = "Incremental"
+ parameters = {
+ location = {
+ value = "[field('location')]"
}
+ logAnalytics = {
+ value = "[parameters('logAnalytics')]"
}
+ logsEnabled = {
+ value = "[parameters('logsEnabled')]"
}
+ metricsEnabled = {
+ value = "[parameters('metricsEnabled')]"
}
+ profileName = {
+ value = "[parameters('profileName')]"
}
+ resourceName = {
+ value = "[field('name')]"
}
}
+ template = {
+ "$schema" = "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#"
+ contentVersion = "1.0.0.0"
+ outputs = {}
+ parameters = {
+ location = {
+ type = "String"
}
+ logAnalytics = {
+ type = "String"
}
+ logsEnabled = {
+ type = "String"
}
+ metricsEnabled = {
+ type = "String"
}
+ profileName = {
+ type = "String"
}
+ resourceName = {
+ type = "String"
}
}
+ resources = [
+ {
+ apiVersion = "2017-05-01-preview"
+ dependsOn = []
+ location = "[parameters('location')]"
+ name = "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]"
+ properties = {
+ logs = [
+ {
+ category = "Connections"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "DeviceTelemetry"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "C2DCommands"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "DeviceIdentityOperations"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "FileUploadOperations"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "Routes"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "D2CTwinOperations"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "C2DTwinOperations"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "TwinQueries"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "JobsOperations"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "DirectMethods"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "DistributedTracing"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "Configurations"
+ enabled = "[parameters('logsEnabled')]"
},
+ {
+ category = "DeviceStreams"
+ enabled = "[parameters('logsEnabled')]"
},
]
+ metrics = [
+ {
+ category = "AllMetrics"
+ enabled = "[parameters('metricsEnabled')]"
+ retentionPolicy = {
+ days = 0
+ enabled = false
}
+ timeGrain = null
},
]
+ workspaceId = "[parameters('logAnalytics')]"
}
+ type = "Microsoft.Devices/IotHubs/providers/diagnosticSettings"
},
]
+ variables = {}
}
}
}
+ existenceCondition = {
+ allOf = [
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/logs.enabled"
},
+ {
+ equals = "true"
+ field = "Microsoft.Insights/diagnosticSettings/metrics.enabled"
},
+ {
+ equals = "[parameters('logAnalytics')]"
+ field = "Microsoft.Insights/diagnosticSettings/workspaceId"
},
]
}
+ name = "setByPolicy"
+ roleDefinitionIds = [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
]
+ type = "Microsoft.Insights/diagnosticSettings"
}
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deploy-FirewallPolicy"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Deploys Azure Firewall Manager policy in subscription where the policy is assigned."
+ display_name = "Deploy Azure Firewall Manager policy in the subscription"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Network"
+ version = "1.0.0"
}
)
+ mode = "All"
+ name = "Deploy-FirewallPolicy"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "DeployIfNotExists",
+ "Disabled",
]
+ defaultValue = "DeployIfNotExists"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
+ fwPolicyRegion = {
+ metadata = {
+ description = "Select Azure region for Azure Firewall Policy"
+ displayName = "fwPolicyRegion"
+ strongType = "location"
}
+ type = "String"
}
+ fwpolicy = {
+ defaultValue = {}
+ metadata = {
+ description = "Object describing Azure Firewall Policy"
+ displayName = "fwpolicy"
}
+ type = "Object"
}
+ rgName = {
+ metadata = {
+ description = "Provide name for resource group."
+ displayName = "rgName"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ allOf = [
+ {
+ equals = "Microsoft.Resources/subscriptions"
+ field = "type"
},
]
}
+ then = {
+ details = {
+ deployment = {
+ location = "northeurope"
+ properties = {
+ mode = "Incremental"
+ parameters = {
+ fwPolicy = {
+ value = "[parameters('fwPolicy')]"
}
+ fwPolicyRegion = {
+ value = "[parameters('fwPolicyRegion')]"
}
+ rgName = {
+ value = "[parameters('rgName')]"
}
}
+ template = {
+ "$schema" = "http://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json"
+ contentVersion = "1.0.0.0"
+ outputs = {}
+ parameters = {
+ fwPolicy = {
+ type = "object"
}
+ fwPolicyRegion = {
+ type = "String"
}
+ rgName = {
+ type = "String"
}
}
+ resources = [
+ {
+ apiVersion = "2018-05-01"
+ location = "[deployment().location]"
+ name = "[parameters('rgName')]"
+ properties = {}
+ type = "Microsoft.Resources/resourceGroups"
},
+ {
+ apiVersion = "2018-05-01"
+ dependsOn = [
+ "[resourceId('Microsoft.Resources/resourceGroups/', parameters('rgName'))]",
]
+ name = "fwpolicies"
+ properties = {
+ mode = "Incremental"
+ template = {
+ "$schema" = "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json"
+ contentVersion = "1.0.0.0"
+ outputs = {}
+ parameters = {}
+ resources = [
+ {
+ apiVersion = "2019-09-01"
+ dependsOn = []
+ location = "[parameters('fwpolicy').location]"
+ name = "[parameters('fwpolicy').firewallPolicyName]"
+ properties = {}
+ resources = [
+ {
+ apiVersion = "2019-09-01"
+ dependsOn = [
+ "[resourceId('Microsoft.Network/firewallPolicies',parameters('fwpolicy').firewallPolicyName)]",
]
+ name = "[parameters('fwpolicy').ruleGroups.name]"
+ properties = {
+ priority = "[parameters('fwpolicy').ruleGroups.properties.priority]"
+ rules = "[parameters('fwpolicy').ruleGroups.properties.rules]"
}
+ type = "ruleGroups"
},
]
+ tags = {}
+ type = "Microsoft.Network/firewallPolicies"
},
]
+ variables = {}
}
}
+ resourceGroup = "[parameters('rgName')]"
+ type = "Microsoft.Resources/deployments"
},
]
}
}
}
+ deploymentScope = "subscription"
+ existenceScope = "resourceGroup"
+ resourceGroupName = "[parameters('rgName')]"
+ roleDefinitionIds = [
+ "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
]
+ type = "Microsoft.Network/firewallPolicies"
}
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deploy-MySQL-sslEnforcement"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Deploy a specific min TLS version requirement and enforce SSL on Azure Database for MySQL server. Enforce the Server to client applications using minimum version of Tls to secure the connection between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server."
+ display_name = "Azure Database for MySQL server deploy a specific min TLS version and enforce SSL."
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "SQL"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deploy-MySQL-sslEnforcement"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "DeployIfNotExists",
+ "Disabled",
]
+ defaultValue = "DeployIfNotExists"
+ metadata = {
+ description = "Enable or disable the execution of the policy minimum TLS version Azure Database for MySQL server"
+ displayName = "Effect minimum TLS version Azure Database for MySQL server"
}
+ type = "String"
}
+ minimalTlsVersion = {
+ allowedValues = [
+ "TLS1_2",
+ "TLS1_0",
+ "TLS1_1",
+ "TLSEnforcementDisabled",
]
+ defaultValue = "TLS1_2"
+ metadata = {
+ description = "Select version minimum TLS version Azure Database for MySQL server to enforce"
+ displayName = "Select version minimum TLS for MySQL server"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ allOf = [
+ {
+ equals = "Microsoft.DBforMySQL/servers"
+ field = "type"
},
+ {
+ anyOf = [
+ {
+ field = "Microsoft.DBforMySQL/servers/sslEnforcement"
+ notEquals = "Enabled"
},
+ {
+ field = "Microsoft.DBforMySQL/servers/minimalTlsVersion"
+ notequals = "[parameters('minimalTlsVersion')]"
},
]
},
]
}
+ then = {
+ details = {
+ deployment = {
+ properties = {
+ mode = "Incremental"
+ parameters = {
+ location = {
+ value = "[field('location')]"
}
+ minimalTlsVersion = {
+ value = "[parameters('minimalTlsVersion')]"
}
+ resourceName = {
+ value = "[field('name')]"
}
}
+ template = {
+ "$schema" = "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#"
+ contentVersion = "1.0.0.0"
+ outputs = {}
+ parameters = {
+ location = {
+ type = "String"
}
+ minimalTlsVersion = {
+ type = "String"
}
+ resourceName = {
+ type = "String"
}
}
+ resources = [
+ {
+ apiVersion = "2017-12-01"
+ location = "[parameters('location')]"
+ name = "[concat(parameters('resourceName'))]"
+ properties = {
+ minimalTlsVersion = "[parameters('minimalTlsVersion')]"
+ sslEnforcement = "[if(equals(parameters('minimalTlsVersion'), 'TLSEnforcementDisabled'),'Disabled', 'Enabled')]"
}
+ type = "Microsoft.DBforMySQL/servers"
},
]
+ variables = {}
}
}
}
+ existenceCondition = {
+ allOf = [
+ {
+ equals = "Enabled"
+ field = "Microsoft.DBforMySQL/servers/sslEnforcement"
},
+ {
+ equals = "[parameters('minimalTlsVersion')]"
+ field = "Microsoft.DBforMySQL/servers/minimalTlsVersion"
},
]
}
+ roleDefinitionIds = [
+ "/providers/microsoft.authorization/roleDefinitions/8e3af657-a8ff-443c-a75c-2fe8c4bcb635",
]
+ type = "Microsoft.DBforMySQL/servers"
}
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deploy-Nsg-FlowLogs"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Deploys NSG flow logs and traffic analytics to a storageaccountid with a specfied retention period."
+ display_name = "Deploys NSG flow logs and traffic analytics"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Monitoring"
+ version = "1.0.0"
}
)
+ mode = "Indexed"
+ name = "Deploy-Nsg-FlowLogs"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "DeployIfNotExists",
+ "Disabled",
]
+ defaultValue = "DeployIfNotExists"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
+ flowAnalyticsEnabled = {
+ defaultValue = false
+ metadata = {
+ displayName = "Enable Traffic Analytics"
}
+ type = "Boolean"
}
+ logAnalytics = {
+ defaultValue = ""
+ metadata = {
+ description = "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID."
+ displayName = "Resource ID of Log Analytics workspace"
+ strongType = "omsWorkspace"
}
+ type = "String"
}
+ retention = {
+ defaultValue = 5
+ metadata = {
+ displayName = "Retention"
}
+ type = "Integer"
}
+ storageAccountResourceId = {
+ metadata = {
+ displayName = "Storage Account Resource Id"
+ strongType = "Microsoft.Storage/storageAccounts"
}
+ type = "String"
}
+ trafficAnalyticsInterval = {
+ defaultValue = 60
+ metadata = {
+ displayName = "Traffic Analytics processing interval mins (10/60)"
}
+ type = "Integer"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ equals = "Microsoft.Network/networkSecurityGroups"
+ field = "type"
}
+ then = {
+ details = {
+ deployment = {
+ properties = {
+ mode = "Incremental"
+ parameters = {
+ flowAnalyticsEnabled = {
+ value = "[parameters('flowAnalyticsEnabled')]"
}
+ location = {
+ value = "[field('location')]"
}
+ logAnalytics = {
+ value = "[parameters('logAnalytics')]"
}
+ networkSecurityGroupName = {
+ value = "[field('name')]"
}
+ resourceGroupName = {
+ value = "[resourceGroup().name]"
}
+ retention = {
+ value = "[parameters('retention')]"
}
+ storageAccountResourceId = {
+ value = "[parameters('storageAccountResourceId')]"
}
+ trafficAnalyticsInterval = {
+ value = "[parameters('trafficAnalyticsInterval')]"
}
}
+ template = {
+ "$schema" = "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#"
+ contentVersion = "1.0.0.0"
+ outputs = {}
+ parameters = {
+ flowAnalyticsEnabled = {
+ type = "bool"
}
+ location = {
+ type = "String"
}
+ logAnalytics = {
+ type = "String"
}
+ networkSecurityGroupName = {
+ type = "String"
}
+ resourceGroupName = {
+ type = "String"
}
+ retention = {
+ type = "int"
}
+ storageAccountResourceId = {
+ type = "String"
}
+ trafficAnalyticsInterval = {
+ type = "int"
}
}
+ resources = [
+ {
+ apiVersion = "2020-05-01"
+ location = "[parameters('location')]"
+ name = "[take(concat('NetworkWatcher_', toLower(parameters('location')), '/', parameters('networkSecurityGroupName'), '-', parameters('resourceGroupName'), '-flowlog' ), 80)]"
+ properties = {
+ enabled = true
+ flowAnalyticsConfiguration = {
+ networkWatcherFlowAnalyticsConfiguration = {
+ enabled = "[bool(parameters('flowAnalyticsEnabled'))]"
+ trafficAnalyticsInterval = "[parameters('trafficAnalyticsInterval')]"
+ workspaceId = "[if(not(empty(parameters('logAnalytics'))), reference(parameters('logAnalytics'), '2020-03-01-preview', 'Full').properties.customerId, json('null')) ]"
+ workspaceRegion = "[if(not(empty(parameters('logAnalytics'))), reference(parameters('logAnalytics'), '2020-03-01-preview', 'Full').location, json('null')) ]"
+ workspaceResourceId = "[if(not(empty(parameters('logAnalytics'))), parameters('logAnalytics'), json('null'))]"
}
}
+ format = {
+ type = "JSON"
+ version = 2
}
+ retentionPolicy = {
+ days = "[parameters('retention')]"
+ enabled = true
}
+ storageId = "[parameters('storageAccountResourceId')]"
+ targetResourceId = "[resourceId(parameters('resourceGroupName'), 'Microsoft.Network/networkSecurityGroups', parameters('networkSecurityGroupName'))]"
}
+ type = "Microsoft.Network/networkWatchers/flowLogs"
},
]
+ variables = {}
}
}
}
+ existenceCondition = {
+ allOf = [
+ {
+ equals = "true"
+ field = "Microsoft.Network/networkWatchers/flowLogs/enabled"
},
+ {
+ equals = "[parameters('flowAnalyticsEnabled')]"
+ field = "Microsoft.Network/networkWatchers/flowLogs/flowAnalyticsConfiguration.networkWatcherFlowAnalyticsConfiguration.enabled"
},
]
}
+ resourceGroupName = "NetworkWatcherRG"
+ roleDefinitionIds = [
+ "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
+ "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293",
]
+ type = "Microsoft.Network/networkWatchers/flowLogs"
}
+ effect = "[parameters('effect')]"
}
}
)
+ policy_type = "Custom"
+ role_definition_ids = (known after apply)
}
 # module.enterprise_scale.azurerm_policy_definition.enterprise_scale["/providers/Microsoft.Management/managementGroups/engeneon/providers/Microsoft.Authorization/policyDefinitions/Deploy-Nsg-FlowLogs-to-LA"] will be created
 + resource "azurerm_policy_definition" "enterprise_scale" {
+ description = "Deploys NSG flow logs and traffic analytics to Log Analytics with a specfied retention period."
+ display_name = "Deploys NSG flow logs and traffic analytics to Log Analytics"
+ id = (known after apply)
+ management_group_id = "/providers/Microsoft.Management/managementGroups/engeneon"
+ metadata = jsonencode(
{
+ category = "Monitoring"
+ version = "1.1.0"
}
)
+ mode = "Indexed"
+ name = "Deploy-Nsg-FlowLogs-to-LA"
+ parameters = jsonencode(
{
+ effect = {
+ allowedValues = [
+ "DeployIfNotExists",
+ "Disabled",
]
+ defaultValue = "DeployIfNotExists"
+ metadata = {
+ description = "Enable or disable the execution of the policy"
+ displayName = "Effect"
}
+ type = "String"
}
+ interval = {
+ defaultValue = 60
+ metadata = {
+ displayName = "Traffic Analytics processing interval mins (10/60)"
}
+ type = "Integer"
}
+ retention = {
+ defaultValue = 5
+ metadata = {
+ displayName = "Retention"
}
+ type = "Integer"
}
+ workspace = {
+ defaultValue = ""
+ metadata = {
+ description = "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID."
+ displayName = "Resource ID of Log Analytics workspace"
+ strongType = "omsWorkspace"
}
+ type = "String"
}
}
)
+ policy_rule = jsonencode(
{
+ if = {
+ allOf = [
+ {
+ equals = "Microsoft.Network/networkSecurityGroups"
+ field = "type"
},
]
}
+ then = {
+ details = {
+ deployment = {
+ location = "northeurope"
+ properties = {
+ mode = "Incremental"
+ parameters = {
+ interval = {
+ value = "[parameters('interval')]"
}
+ location = {
+ value = "[field('location')]"
}
+ networkSecurityGroup = {
+ value = "[field('id')]"
}
+ retention = {
+ value = "[parameters('retention')]"
}
+ workspace = {
+ value = "[parameters('workspace')]"
}
}
+ template = {
+ "$schema" = "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#"
+ contentVersion = "1.0.0.0"
+ outputs = {}
+ parameters = {
+ interval = {
+ type = "int"
}
+ location = {
+ type = "String"
}
+ networkSecurityGroup = {
+ type = "String"
}
+ retention = {
+ type = "int"
}
+ time = {
+ defaultValue = "[utcNow()]"
+ type = "String"
}
+ workspace = {
+ type = "String"
}
}
+ resources = [
+ {
+ apiVersion = "2019-10-01"
+ name = "[concat(variables('resourceGroupName'), '.', variables('securityGroupName'))]"
+ properties = {
+ mode = "Incremental"
+ template = {
+ "$schema" = "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#"
+ contentVersion = "1.0.0.0"
+ resources = [
+ {
+ apiVersion = "2019-06-01"
+ kind = "StorageV2"
+ location = "[parameters('location')]"
+ name = "[variables('storageAccountName')]"
+ properties = {}
+ sku = {
+ name = "Standard_LRS"
+ tier = "Standard"
}
+ type = "Microsoft.Storage/storageAccounts"
},
]
}
}
+ resourceGroup = "[variables('resourceGroupName')]"
+ type = "Microsoft.Resources/deployments"
},
+ {
+ apiVersion = "2019-10-01"
+ dependsOn = [
+ "[concat(variables('resourceGroupName'), '.', variables('securityGroupName'))]",
]
+ name = "[concat('NetworkWatcherRG', '.', variables('securityGroupName'))]"
+ properties = {
+ mode = "Incremental"
+ template = {
+ "$schema" = "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#"
+ contentVersion = "1.0.0.0"
+ resources = [
+ {
+ apiVersion = "2020-05-01"
+ location = "[parameters('location')]"
+ name = "[concat('NetworkWatcher_', toLower(parameters('location')))]"
+ properties = {}
+ resources = [
+ {
+ apiVersion = "2019-11-01"
+ dependsOn = [
+ "[concat('NetworkWatcher_', toLower(parameters('location')))]",
]
+ location = "[parameters('location')]"
+ name = "[concat(variables('securityGroupName'), '-Network-flowlog')]"
+ properties = {
+ enabled = true
+ flowAnalyticsConfiguration = {
+ networkWatcherFlowAnalyticsConfiguration = {
+ enabled = true
+ trafficAnalyticsInterval = "[parameters('interval')]"
+ workspaceResourceId = "[parameters('workspace')]"
}
}
+ format = {
+ type = "JSON"
+ version = 2
}
+ retentionPolicy = {
+ days = "[parameters('retention')]"
+ enabled = true
}
+ storageId = "[concat(subscription().id, '/resourceGroups/', variables('resourceGroupName'), '/providers/Microsoft.Storage/storageAccounts/', variables('storageAccountName'))]"
+ targetResourceId = "[parameters('networkSecurityGroup')]"
}
+ type = "flowLogs"
},
]
+ type = "Microsoft.Network/networkWatchers"
},
]
}
}
+ resourceGroup = "NetworkWatcherRG"