Merge pull request #92 from Brunoga-MS/Dev

AMBA Decoupling Service Health, Alert Rules and Action Groups
Azure · Jan 22, 2024 · 9c7df64 · 9c7df64
2 parents 79f157a + 21783f1
commit 9c7df64
Show file tree

Hide file tree

Showing 19 changed files with 2,168 additions and 668 deletions.
diff --git a/patterns/alz/alzArm.json b/patterns/alz/alzArm.json
@@ -104,6 +104,17 @@
                 "description": "Assign Service health initiative"
             }
         },
+        "enableAMBANotificationAssets": {
+            "type": "string",
+            "defaultValue": "Yes",
+            "allowedValues": [
+                "Yes",
+                "No"
+            ],
+            "metadata": {
+                "description": "Assign Action assets initiative"
+            }
+        },
         "delayCount": {
             "type": "int",
             "defaultValue": 1,
@@ -124,6 +135,10 @@
             "type": "object",
             "defaultValue": {}
         },
+        "policyAssignmentParametersNotificationAssets": {
+            "type": "object",
+            "defaultValue": {}
+        },
         "policyAssignmentParametersConnectivity": {
             "type": "object",
             "defaultValue": {}
@@ -151,7 +166,8 @@
         "policyAssignmentParametersIdentity": "[union(parameters('policyAssignmentParametersCommon'), parameters('policyAssignmentParametersIdentity'))]",
         "policyAssignmentParametersLandingZone": "[union(parameters('policyAssignmentParametersCommon'), parameters('policyAssignmentParametersLandingZone'))]",
         "policyAssignmentParametersManagement": "[union(parameters('policyAssignmentParametersCommon'), parameters('policyAssignmentParametersManagement'))]",
-        "policyAssignmentParametersServiceHealth": "[union(parameters('policyAssignmentParametersCommon'), parameters('policyAssignmentParametersServiceHealth'))]",
+        "policyAssignmentParametersServiceHealth": "[union(parameters('policyAssignmentParametersCommon'), parameters('policyAssignmentParametersServiceHealth'), parameters('policyAssignmentParametersNotificationAssets'))]",
+        "policyAssignmentParametersNotificationAssets": "[union(parameters('policyAssignmentParametersCommon'), parameters('policyAssignmentParametersNotificationAssets'))]",
 
         // Declaring all required deployment uri's used for deployments of composite ARM templates for ESLZ
         "deploymentUris": {
@@ -160,7 +176,8 @@
             "AMBAIdentityInitiative": "[uri(deployment().properties.templateLink.uri, 'policyAssignments/DINE-IdentityAssignment.json')]",
             "AMBALandingZoneInitiative": "[uri(deployment().properties.templateLink.uri, 'policyAssignments/DINE-LandingZoneAssignment.json')]",
             "AMBAManagementInitiative": "[uri(deployment().properties.templateLink.uri, 'policyAssignments/DINE-ManagementAssignment.json')]",
-            "AMBAServiceHealthInitiative": "[uri(deployment().properties.templateLink.uri, 'policyAssignments/DINE-ServiceHealthAssignment.json')]"
+            "AMBAServiceHealthInitiative": "[uri(deployment().properties.templateLink.uri, 'policyAssignments/DINE-ServiceHealthAssignment.json')]",
+            "AMBANotificationAssetsInitiative": "[uri(deployment().properties.templateLink.uri, 'policyAssignments/DINE-NotificationAssetsAssignment.json')]"
         },
 
         // Declaring deterministic deployment names
@@ -172,19 +189,22 @@
             "AMBALandingZoneDeploymentName": "[take(concat('amba-LandingZone', variables('deploymentSuffix')), 64)]",
             "AMBAManagementDeploymentName": "[take(concat('amba-Management', variables('deploymentSuffix')), 64)]",
             "AMBAServiceHealthDeploymentName": "[take(concat('amba-ServiceHealth', variables('deploymentSuffix')), 64)]",
-            "pidCuaDeploymentName": "[take(concat('pid-', variables('cuaid'), '-' , uniqueString(deployment().location, parameters('enterpriseScaleCompanyPrefix'), parameters('currentDateTimeUtcNow'))), 64)]",
-            "pidCuaConnectivityDeploymentName": "[take(concat('pid-', variables('cuaidConnectivity'), '-' , uniqueString(deployment().location, parameters('enterpriseScaleCompanyPrefix'), parameters('currentDateTimeUtcNow'))), 64)]",
-            "pidCuaIdentityDeploymentName": "[take(concat('pid-', variables('cuaidIdentity'), '-' , uniqueString(deployment().location, parameters('enterpriseScaleCompanyPrefix'), parameters('currentDateTimeUtcNow'))), 64)]",
-            "pidCuaManagementDeploymentName": "[take(concat('pid-', variables('cuaidManagement'), '-' , uniqueString(deployment().location, parameters('enterpriseScaleCompanyPrefix'), parameters('currentDateTimeUtcNow'))), 64)]",
-            "pidCuaLandingZoneDeploymentName": "[take(concat('pid-', variables('cuaidLandingZone'), '-' , uniqueString(deployment().location, parameters('enterpriseScaleCompanyPrefix'), parameters('currentDateTimeUtcNow'))), 64)]",
-            "pidCuaServiceHealthDeploymentName": "[take(concat('pid-', variables('cuaidServiceHealth'), '-' , uniqueString(deployment().location, parameters('enterpriseScaleCompanyPrefix'), parameters('currentDateTimeUtcNow'))), 64)]"
+            "AMBANotificationAssetsDeploymentName": "[take(concat('amba-NotificationAssets', variables('deploymentSuffix')), 64)]",
+            "pidCuaDeploymentName": "[take(concat('amba-pid-', variables('cuaid'), '-' , uniqueString(deployment().location, parameters('enterpriseScaleCompanyPrefix'), parameters('currentDateTimeUtcNow'))), 64)]",
+            "pidCuaConnectivityDeploymentName": "[take(concat('amba-pid-', variables('cuaidConnectivity'), '-' , uniqueString(deployment().location, parameters('enterpriseScaleCompanyPrefix'), parameters('currentDateTimeUtcNow'))), 64)]",
+            "pidCuaIdentityDeploymentName": "[take(concat('amba-pid-', variables('cuaidIdentity'), '-' , uniqueString(deployment().location, parameters('enterpriseScaleCompanyPrefix'), parameters('currentDateTimeUtcNow'))), 64)]",
+            "pidCuaManagementDeploymentName": "[take(concat('amba-pid-', variables('cuaidManagement'), '-' , uniqueString(deployment().location, parameters('enterpriseScaleCompanyPrefix'), parameters('currentDateTimeUtcNow'))), 64)]",
+            "pidCuaLandingZoneDeploymentName": "[take(concat('amba-pid-', variables('cuaidLandingZone'), '-' , uniqueString(deployment().location, parameters('enterpriseScaleCompanyPrefix'), parameters('currentDateTimeUtcNow'))), 64)]",
+            "pidCuaServiceHealthDeploymentName": "[take(concat('amba-pid-', variables('cuaidServiceHealth'), '-' , uniqueString(deployment().location, parameters('enterpriseScaleCompanyPrefix'), parameters('currentDateTimeUtcNow'))), 64)]",
+            "pidCuaNotificationAssetsDeploymentName": "[take(concat('amba-pid-', variables('cuaidNotificationAssets'), '-' , uniqueString(deployment().location, parameters('enterpriseScaleCompanyPrefix'), parameters('currentDateTimeUtcNow'))), 64)]"
         },
         "cuaid": "d6b3b08c-5825-4b89-a62b-e3168d3d8fb0",
         "cuaidConnectivity": "2d69aa07-8780-4697-a431-79882cb9f00e",
         "cuaidIdentity": "8d257c20-97bf-4d14-acb3-38dd1436d13a",
         "cuaidManagement": "d87415c4-01ef-4667-af89-0b5adc14af1b",
         "cuaidLandingZone": "7bcfc615-be78-43da-b81d-98959a9465a5",
-        "cuaidServiceHealth": "860d2afd-b71e-452f-9d3a-e56196cba570"
+        "cuaidServiceHealth": "860d2afd-b71e-452f-9d3a-e56196cba570",
+        "cuaidNotificationAssets": "eabaaf0b-eed4-48a9-9f91-4f7e431ba807"
     },
     "resources": [
         /*
@@ -215,7 +235,7 @@
             // One of Azure's untold stories.....
             "type": "Microsoft.Resources/deployments",
             "apiVersion": "2020-10-01",
-            "name": "[concat('ambaPreparingToLaunch', copyIndex())]",
+            "name": "[concat('amba-PreparingToLaunch', copyIndex())]",
             "location": "[deployment().location]",
             "scope": "[concat('Microsoft.Management/managementGroups/', parameters('enterpriseScaleCompanyPrefix'))]",
             "dependsOn": [
@@ -373,6 +393,33 @@
                 }
             }
         },
+        {
+            // Assigning AMBA notification assets PolicySet to the pseudo management group if condition is true
+            "condition": "[equals(parameters('enableAMBANotificationAssets'), 'Yes')]",
+            "type": "Microsoft.Resources/deployments",
+            "apiVersion": "2020-10-01",
+            "name": "[variables('deploymentNames').AMBANotificationAssetsDeploymentName]",
+            "scope": "[concat('Microsoft.Management/managementGroups/', parameters('enterpriseScaleCompanyPrefix'))]",
+            "location": "[deployment().location]",
+            "dependsOn": [
+                "ambaPolicyCompletion"
+            ],
+            "properties": {
+                "mode": "Incremental",
+                "templateLink": {
+                    "contentVersion": "1.0.0.0",
+                    "uri": "[variables('deploymentUris').AMBANotificationAssetsInitiative]"
+                },
+                "parameters": {
+                    "topLevelManagementGroupPrefix": {
+                        "value": "[parameters('enterpriseScaleCompanyPrefix')]"
+                    },
+                    "policyAssignmentParameters": {
+                        "value": "[variables('policyAssignmentParametersNotificationAssets')]"
+                    }
+                }
+            }
+        },
         {
             "condition": "[equals(parameters('telemetryOptOut'), 'No')]",
             "apiVersion": "2020-06-01",
@@ -462,6 +509,21 @@
                     "resources": []
                 }
             }
+        },
+        {
+            "condition": "[and(equals(parameters('telemetryOptOut'), 'No'), equals(parameters('enableAMBANotificationAssets'), 'Yes'))]",
+            "apiVersion": "2020-06-01",
+            "name": "[variables('deploymentNames').pidCuaNotificationAssetsDeploymentName]",
+            "location": "[deployment().location]",
+            "type": "Microsoft.Resources/deployments",
+            "properties": {
+                "mode": "Incremental",
+                "template": {
+                    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+                    "contentVersion": "1.0.0.0",
+                    "resources": []
+                }
+            }
         }
     ],
     "outputs": {

diff --git a/patterns/alz/alzArm.param.json b/patterns/alz/alzArm.param.json
@@ -35,6 +35,9 @@
     "enableAMBAServiceHealth": {
       "value": "Yes"
     },
+    "enableAMBANotificationAssets": {
+      "value": "Yes"
+    },
     "telemetryOptOut": {
       "value": "No"
     },
@@ -53,11 +56,42 @@
         }
       }
     },
-    "policyAssignmentParametersServiceHealth": {
+    "policyAssignmentParametersNotificationAssets": {
       "value": {
         "ALZMonitorActionGroupEmail": {
           "value": "[email protected]"
         },
+        "ALZLogicappResourceId": {
+          "value": ""
+        },
+        "ALZLogicappCallbackUrl":{
+          "value": ""
+        },
+        "ALZArmRoleId": {
+          "value": ""
+        },
+        "ALZEventHubResourceId": {
+          "value": ""
+        },
+        "ALZWebhookServiceUri": {
+          "value": ""
+        },
+        "ALZWebhookObjectId": {
+          "value": ""
+        },
+        "ALZWebhookIdentifierUri": {
+          "value": ""
+        },
+        "ALZFunctionResourceId": {
+          "value": ""
+        },
+        "ALZFunctionTriggerUrl": {
+          "value": ""
+        }
+      }
+    },
+    "policyAssignmentParametersServiceHealth": {
+      "value": {
         "ResHlthUnhealthyAlertState": {
           "value": "true"
         },

diff --git a/patterns/alz/policyAssignments/DINE-NotificationAssetsAssignment.json b/patterns/alz/policyAssignments/DINE-NotificationAssetsAssignment.json
@@ -0,0 +1,88 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+      "topLevelManagementGroupPrefix": {
+          "type": "string",
+          "metadata": {
+              "description": "Provide the ESLZ prefix to your intermediate root management group containing the policy definitions."
+          }
+      },
+      "enforcementMode": {
+          "type": "string",
+          "allowedValues": [
+              "Default",
+              "DoNotEnforce"
+          ],
+          "defaultValue": "Default"
+      },
+      "nonComplianceMessagePlaceholder": {
+          "type": "string",
+          "defaultValue": "{enforcementMode}"
+      },
+      "policyAssignmentParameters": {
+          "type": "object",
+          "defaultValue": {}
+      }
+  },
+  "variables": {
+      "policyDefinitions": {
+          "deployAMBANotificationAssets": "[concat('/providers/Microsoft.Management/managementGroups/', parameters('topLevelManagementGroupPrefix'), '/providers/Microsoft.Authorization/policySetDefinitions/Notification-Assets')]"
+      },
+      "policyAssignmentNames": {
+          "ambaNotificationAssets": "Deploy-AMBA-Notification",
+          "description": "Initiative to deploy AMBA Notification Assets",
+          "displayName": "Deploy Azure Monitor Baseline Alerts - Notification Assets"
+      },
+      "nonComplianceMessage": {
+          "message": "Notification Assets {enforcementMode} be deployed to Azure services.",
+          "Default": "must",
+          "DoNotEnforce": "should"
+      },
+      "rbacContributor": "b24988ac-6180-42a0-ab88-20f7382dd24c",
+      "roleAssignmentNames": {
+          "deployAMBANotificationAssets": "[guid(concat(parameters('topLevelManagementGroupPrefix'), variables('policyAssignmentNames').ambaNotificationAssets))]"
+      }
+  },
+  "resources": [
+      {
+          "type": "Microsoft.Authorization/policyAssignments",
+          "apiVersion": "2020-09-01",
+          "name": "[variables('policyAssignmentNames').ambaNotificationAssets]",
+          "location": "[deployment().location]",
+          "identity": {
+              "type": "SystemAssigned"
+          },
+          "properties": {
+              "description": "[variables('policyAssignmentNames').description]",
+              "displayName": "[variables('policyAssignmentNames').displayName]",
+              "policyDefinitionId": "[variables('policyDefinitions').deployAMBANotificationAssets]",
+              "enforcementMode": "[parameters('enforcementMode')]",
+              "nonComplianceMessages": [
+                  {
+                      "message": "[replace(variables('nonComplianceMessage').message, parameters('nonComplianceMessagePlaceholder'), variables('nonComplianceMessage')[parameters('enforcementMode')])]"
+                  }
+              ],
+              "parameters": "[parameters('policyAssignmentParameters')]",
+              "metadata": {
+                  "_deployed_by_amba": true
+              }
+          }
+      },
+      {
+          "type": "Microsoft.Authorization/roleAssignments",
+          "apiVersion": "2022-04-01",
+          "name": "[variables('roleAssignmentNames').deployAMBANotificationAssets]",
+          "dependsOn": [
+              "[variables('policyAssignmentNames').ambaNotificationAssets]"
+          ],
+          "properties": {
+              "principalType": "ServicePrincipal",
+              "roleDefinitionId": "[concat('/providers/Microsoft.Authorization/roleDefinitions/', variables('rbacContributor'))]",
+              "principalId": "[toLower(reference(concat('/providers/Microsoft.Authorization/policyAssignments/', variables('policyAssignmentNames').ambaNotificationAssets), '2019-09-01', 'Full' ).identity.principalId)]",
+              "description": "_deployed_by_amba"
+          }
+      }
+  ],
+  "outputs": {}
+}