Skip to content

Commit

Permalink
Merge pull request #241 from Brunoga-MS/main
Browse files Browse the repository at this point in the history 
Update to documentation for June 2024 the 5th release
  • Loading branch information
@arjenhuitema
arjenhuitema authored Jun 25, 2024
2 parents 7821197 + bfc4c09 commit 75990b0
Show file tree
Hide file tree
Showing 23 changed files with 320 additions and 113 deletions.
73 changes: 73 additions & 0 deletions docs/content/patterns/alz/Bring-your-own-Managed-Identity.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,73 @@
---
title: Bring Your Own User Assigned Managed Identity (BYO UAMI)
geekdocCollapseSection: true
weight: 62
---

# Overview

The ***Bring Your Own User Assigned Managed Identity*** (BYO UAMI) feature, available with release [2024-06-05](../Whats-New#2024-06-05), allows both Greenfield and Brownfield customers to create a new User Assigned Managed Identity (UAMI) during the deployment of AMBA-ALZ. It also allows Brownfield customers, who deployed the ALZ pattern when this feature wasn't available, to use any existing one by configuring a couple of parameters. Thanks to this new feature, it's now possible to query Azure Resource Graph (ARG) using the Kusto Query Language. Log-based search alerts can now be enhanced to include ARG queries looking at resource tags.

# How this feature works

The BYO UAMI feature works by creating a new UAMI in the management subscription and assigns the ***Monitoring reader*** role on the parent pseudo root Management Group. With this new feature, it's now possible to query Azure Resource Graph (ARG) using the Kusto Query Language and to enhance Log-based search alerts that can now query ARG to look at resource tags or properties. It's enough to enter the necessary parameter values before running the ALZ pattern deployment.

Should Brownfield customers decide to use their own UAMI after the initial deployment, it will be sufficient to enter the parameter values for _bringYourOwnUserAssignedManagedIdentity_ and _bringYourOwnUserAssignedManagedIdentityResourceId_, leaving the _userAssignedManagedIdentityName_ parameter at its default and the parameter _managementSubscriptionId_ with no values:

Once parameters are set according to your needs, redeploy the AMBA-ALZ pattern and wait for the remediation to happen. You can also start the Policy remediation manually as documented at [Remediate Policies](../deploy/Remediate-Policies).

## Conditional deployment behavior

The deployment template has conditions that controls what is being deployed according to the following two scenarios:

A. ***Customers want to use existing UAMI.*** In this scenario the deployment will:

{{< hint type=Important >}}
When using an existing UAMI provided by the customer, the customer has to grant the UAMI the ***Monitoring Reader*** role at the pseudo root Management Group level <ins>**before running the deployment.**</ins>
{{< /hint >}}

- Not deploy any UAMI
- Not assign the _Monitoring Reader_ role
- Set the provided existing UAMI as the identity to be used in the necessary alerts

Here's a sample extract of the parameter file with the relevant parameter configuration for this scenario:

![Customer defined UAMI](../media/alz-UAMI-Param-Example-1.png)

B. ***Customers does not have an existing UAMI and want AMBA-ALZ to create a new one.*** In this scenario the deployment will:

{{< hint type=Info >}}
When a new UAMI is created by the deployment template, the ***Monitoring Reader*** role is <ins>*is automatically assigned at the pseudo root Management Group level during the deployment*</ins>.
{{< /hint >}}

- Deploy any UAMI
- Assign the *Monitoring Reader* role
- Set the provided existing UAMI as the identity to be used in the necessary alerts

Here's a sample extract of the parameter file with the relevant parameter configuration for this scenario:

![New UAMI deployed by the template](../media/alz-UAMI-Param-Example-2.png)

## Where is it used

This new feature is used in Log-search based alerts. At the moment of this release, there's one alert using it. The alert is part of the new ***Deploy Azure Monitor Vaseline Alerts for Hybrid VMs*** policySet added to monitor hybrid virtual machine.

![Deploy Azure Monitor Baseline Alerts for Hybrid VMs](../media/deploy-HybridVM-Alerts.png)

{{< hint type=Info >}}
We're planning to use this feature more in the future and to include it as part of other alerts.
{{< /hint >}}

<!--
## Switching between BYO UAMI and new UAMI
The [conditional deployment behavior](../alz/Bring-your-own-Managed-Identity.md#conditional-deployment-behavior) discussed earlier, allows brownfield customers to switch from a new created UAMI to an existing one and viceversa.
Should customers decide to switch, it will be enough to:
- change the values in the parameter file to match one of the two scenarios previously discussed
- redeploy the AMBA-ALZ pattern
- run the remediation. Atthe moment it is sufficient to run the remediation for the [Deploy Azure Monitor Vaseline Alerts for Hybrid VMs](https://raw.githubusercontent.com/Azure/azure-monitor-baseline-alerts/main/patterns/alz/policySetDefinitions/Deploy-HybridVM-Alerts.json) policy initiative
The code will reconfigure the necessary alerts to use either the customer's provided UAMI or the new one created during the deployment.
-->
8 changes: 4 additions & 4 deletions docs/content/patterns/alz/Bring-your-own-Notifications.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,19 +12,19 @@ The ***Bring Your Own Notifications*** (BYON) feature, available with release [2

The BYON feature works by setting the necessary parameter values before running the ALZ pattern deployment. Customers have the choice to either specify one or more existing AGs and one APR or to enter target values so the AG and the APR will be created using the actions specified in the parameter file (including the option to not specify any value and creating an empty AG).

Should Brownfield customers decide to use their own notification assets, it will be sufficient to enter the _AG resource IDs_ (separated by comma) and the _APR resource ID_ values in the parameter section called ***policyAssignmentParametersBYON***, leaving the ***policyAssignmentParametersNotificationAssets*** <ins>***with no values***</ins>:
Should Brownfield customers decide to use their own notification assets, it will be sufficient to enter the _AG resource IDs_ (separated by comma) and the _APR resource ID_ values in the respective parameters ***BYOActionGroup*** and ***BYOAlertProcessingRule***, leaving the ***ALZMonitorActionGroupEmail***, ***ALZLogicappResourceId***, ***ALZLogicappCallbackUrl***, ***ALZArmRoleId***, ***ALZEventHubResourceId***, ***ALZWebhookServiceUri***, ***ALZFunctionResourceId*** and ***ALZFunctionTriggerUrl*** <ins>***with no values***</ins>:

![policyAssignmentParametersBYON section](../../alz/media/BYON_Params.png)

Differently if they decide to use the assets provided by AMBA or if they're Greenfield customers, they'll just leave the policyAssignmentParametersBYON section with no values and populate the section called ***policyAssignmentParametersNotificationAssets***:
Differently if they decide to use the assets provided by AMBA or if they're Greenfield customers, they'll just leave the ***BYOActionGroup*** and ***BYOAlertProcessingRule*** parameters with no values and populate all the others (***ALZMonitorActionGroupEmail***, ***ALZLogicappResourceId***, ***ALZLogicappCallbackUrl***, ***ALZArmRoleId***, ***ALZEventHubResourceId***, ***ALZWebhookServiceUri***, ***ALZFunctionResourceId*** and ***ALZFunctionTriggerUrl***):

![policyAssignmentParametersNotificationAssets section](../../alz/media/NotificationAssets_Params.png)

## Conditional deployment behavior

When running the deployment, the deployment code has conditions that control the deployment behavior according to the following three possible cases:

A. ***Use your own AGs with the AMBA APR***. In this scenario, the deployment we will:
A. ***Use your own AGs with the AMBA APR***. In this scenario, the deployment will:

- Not deploy the AMBA SH AG
- Deploy the AMBA APR with customer's AGs in it
Expand All @@ -34,7 +34,7 @@ Here's an example of the parameter file with the relevant sections populated for

![policyAssignmentParametersBYON section](../../alz/media/BYON_Params_2.png)

B. ***Use your own AGs and APR***. In this scenario, the deployment we will:
B. ***Use your own AGs and APR***. In this scenario, the deployment will:

- Not deploy any AMBA notification AG or ARP (since it's not physically linked to any alert) assets or AMBA SH AG
- Deploy SH alerts pointing to customer's AGs
Expand Down
10 changes: 5 additions & 5 deletions docs/content/patterns/alz/Policy-Initiatives.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -145,9 +145,9 @@ This initiative is intended for assignment of policies relevant to service healt

## Notification Assets initiative

This initiative is intended for assignment of policies relevant to notification in ALZ. With the guidance provided in [Introduction to deploying the ALZ Pattern](../deploy/Introduction-to-deploying-the-ALZ-Pattern), this will assign to the alz intermediate root management group structure in the ALZ reference architecture. For details on which policies are included in the initiative as well as what the default enablement state of the policy is, refer to the below table.
This initiative is intended for assignment of policies relevant to notification in AMBA-ALZ. With the guidance provided in [Introduction to deploying the ALZ Pattern](../deploy/Introduction-to-deploying-the-ALZ-Pattern), this will assign to the alz intermediate root management group structure in the ALZ reference architecture. For details on which policies are included in the initiative as well as what the default enablement state of the policy is, refer to the below table.

| **Policy Display Name** | **Reference ID** | **Path to policy json file** | **Policy default effect** |
| ------------------------------------------ | ------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------- | ------------------------- |
| Deploy AMBA Notification Assets | ALZ_AlertProcessing_Rule | [deploy-AlertProcessingRule-deploy.json](../../../services/AlertsManagement/actionRules/Deploy-AlertProcessingRule-Deploy.json) | deployIfNotExists |
| Deploy AMBA Notification Suppression Asset | ALZ_Suppression_AlertProcessing_Rule | [deploy-AlertProcessingRule-Suppression.json](../../../services/AlertsManagement/actionRules/Deploy-AlertProcessingRule-Suppression.json) | deployIfNotExists |
| **Policy Display Name** | **Reference ID** | **Path to policy json file** | **Policy default effect** |
| ----------------------- | ---------------- | ---------------------------- | ------------------------- |
| Deploy AMBA Notification Assets | ALZ_AlertProcessing_Rule | [deploy-AlertProcessingRule-deploy.json](../../../services/AlertsManagement/actionRules/Deploy-AlertProcessingRule-Deploy.json) | deployIfNotExists |
| Deploy AMBA Notification Suppression Asset | ALZ_Suppression_AlertProcessing_Rule | [deploy-AlertProcessingRule-Suppression.json](../../../services/AlertsManagement/actionRules/Deploy-AlertProcessingRule-Suppression.json) | deployIfNotExists |
10 changes: 5 additions & 5 deletions docs/content/patterns/alz/UpdateToNewReleases/Update_from_release_2023-11-14.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -6,22 +6,22 @@ weight: 100

## Post update actions

Updating from release 2023-11-14 will require running a post update script to remove the old Service Health action group(s) no longer in use.
Updating from release [2023-11-14](../../Whats-New#2023-11-14) will require running a post update script to remove the old Service Health action group(s) no longer in use.

To run the script, follow the instructions below:
To run the script, follow the following instructions:

1. Open PowerShell
2. Install the **Az.ResourceGraph** module: `Install-Module Az.ResourceGraph`
3. Change directories to the location of the **Start-AMBAOldArpCleanup.ps1** script
4. Configure the _**$pseudoRootManagementGroup**_ variable using the command below:
4. Configure the _**$pseudoRootManagementGroup**_ variable using the following command:

```powershell
$pseudoRootManagementGroup = "The pseudo root management group id parenting the identity, management and connectivity management groups"
```

1. Sign in to the Azure with the `Connect-AzAccount` command. The account you sign in as needs to have permissions to remove Policy Assignments, Policy Definitions, and resources at the desired Management Group scope.
1. Sign in to the Azure with the `Connect-AzAccount` command. The account you sign in as needs to have permissions to remove Policy Assignments, Policy Definitions, and resources at the wanted Management Group scope.

2. Execute the script using one of the options below:
2. Execute the script using one of the following options:

{{% include "PowerShell-ExecutionPolicy.md" %}}

Expand Down
40 changes: 40 additions & 0 deletions docs/content/patterns/alz/UpdateToNewReleases/Update_from_release_2024-04-12.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
---
title: Updating from release 2024-04-12
geekdocCollapseSection: true
weight: 98
---
{{< hint type=Important >}}
***The parameter file structure has changed to accommodate a new feature coming soon.***
{{< /hint >}}

# Pre update actions

The parameter file structure has changed to accommodate a new feature coming soon. For this reason, updating from release [2024-04-12](../../Whats-New#2024-04-12) requires the alignment of the parameter file structure you have been using so far with the new one coming with the release.

In particular the new parameter file has the following differences:

1. Contains new parameters for using an existing User Assigned Managed Identity or creating a new one during the AMBA-ALZ deployment. It's required by the new hybrid virtual machine alert set. Make sure to review and set the following parameters correctly:

1. ***bringYourOwnUserAssignedManagedIdentity***: set it to **Yes** if you would like to use your own User Assigned Managed Identity (UAMI) or to **No** if you don't have one and would like the deployment of AMBA-ALZ to create one.

2. ***bringYourOwnUserAssignedManagedIdentityResourceId***: If you set the **bringYourOwnUserAssignedManagedIdentity** parameter to **Yes**:

1.1. Enter the UAMI resource ID, leaving the **managementSubscriptionId** blank

![UAMI resource ID](../../media/alz-BYO-UAMI.png)

1.2. Configure it with the ***Monitoring Reader*** role on the pseudo root Management Group.

3. ***userAssignedManagedIdentityName***: If you set the **bringYourOwnUserAssignedManagedIdentity** parameter to **No**, leave the default value or set a different one to specify a different name for the UAMI created during the deployment. The provided default name aligns with the ALZ standard naming convention.

![UAMI default name](../../media/alz-UAMI-Default-Name.png)

4. ***managementSubscriptionId***: If you set the **bringYourOwnUserAssignedManagedIdentity** parameter to **No**, enter the subscription ID of the subscription under the Management management group. The deployment procedure will create the UAMI in this subscription and assign it the ***Monitoring Reader*** role on the pseudo root Management Group

![Management subscription ID](../../media/alz-ManagementSubscription.png)

![](../../media/alz-UAMI-Management-SubscriptionID.png)

2. Changes the previous parameter objects, such as ***policyAssignmentParametersCommon***, ***policyAssignmentParametersBYON*** and ***policyAssignmentParametersNotificationAssets*** into classic parameters using the same name as before. As result, the previous sections of the parameter you'll now look like the following image:

![New parameter file sample](../../media/alz-New-ParamterFile-Structure.png)
26 changes: 16 additions & 10 deletions docs/content/patterns/alz/UpdateToNewReleases/_index.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ geekdocCollapseSection: true
weight: 71
---

## What is the latest release
## What is included in the latest release

The list of enhancement, additions and fixed bugs contained in every release can be seen by navigating to corresponding page linked in the home page of the [azure-monitor-baseline-alerts](https://github.com/Azure/azure-monitor-baseline-alerts) repository.

Expand All @@ -26,9 +26,10 @@ Depending if you used the official code from the official GitHub repository or f

1. Sync your fork *(only required if you forked the original repo)*
2. Update your local copy of the repo *(only required if you cloned your fork on your local hard drive)*
3. Deploy ***(always required)***
4. Check for specific requirements when updating to a newer release ***(always required)***
5. Start the policy remediation ***(always required)***
3. Check for specific requirements when updating to a newer release ***(always required)***
4. Update the parameter file with any new parameter and configuration
5. Deploy ***(always required)***
6. Start the policy remediation ***(always required)***

### Sync your fork (only required if you forked the original repo)

Expand Down Expand Up @@ -68,6 +69,17 @@ Within the code editor of your choice, make sure you pull the changes from your

</br>

### Check for detailed requirement when updating to a newer release (always required)

Check the content of the page corresponding to the release you are updating from, to see if there's any pre or post deployment action required. For instance, if you're updating from release **2023-11-14**, check the page called ***Updating from release 2023-11-14***

![Updating from release](../media/UpdatingFromRelease.png)

### Update the parameter file with any new parameter and configuration

The parameter may undergo changes in the structure or in the number of parameters that need to be configured.
For this reason, based on what documented in the [What's new](../Whats-New.md) or in the [Releases](https://github.com/Azure/azure-monitor-baseline-alerts/releases) pages. For this reason it mandatory that you check your current parameter file content with the one coming with the release, making sure you with new or refactored parameters.

### Deploy (always required)

Once you reached this stage, you are ready to deploy the latest release. You can deploy using a method of your choice among the allowed one:
Expand All @@ -77,12 +89,6 @@ Once you reached this stage, you are ready to deploy the latest release. You can
- To deploy with Azure CLI, please proceed with [Deploy with Azure CLI](../deploy/Deploy-with-Azure-CLI)
- To deploy with Azure PowerShell, please proceed with [Deploy with Azure PowerShell](../deploy/Deploy-with-Azure-PowerShell)

### Check for detailed requirement when updating to a newer release (always required)

Check the content of the page corresponding to the release you are updating from, to see if there's any pre or post deployment action required. For instance, if you're updating from release **2023-11-14**, check the page called ***Updating from release 2023-11-14***

![Updating from release](../media/UpdatingFromRelease.png)

### Start the policy remediation (always required)

To remediate non-compliant policies, continue with Policy remediation documented at [Remediate Policies](../deploy/Remediate-Policies)
Loading

0 comments on commit 75990b0

Please sign in to comment.