azure-policy.json
{
"properties": {
"displayName": "Deploy diagnostic settings for SQL Databases to Log Analytics workspace",
"policyType": "BuiltIn",
"mode": "Indexed",
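"description": "This policy automatically deploys a diagnostic setting to any SQL Database that does not already have one targeting the specified Log Analytics workspace. As defined in the deployment template below, the diagnostic setting sends only the SQLSecurityAuditEvents log category, plus metrics, to that workspace; other log categories are not enabled.",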
"metadata": {
"version": "1.0.0",
"category": "Monitoring"
},
"parameters": {
"workspaceId": {
"type": "String",
"metadata": {
"displayName": "Log Analytics workspace",
"description": "Select Log Analytics workspace from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's identity."
}
}
},
"policyRule": {
"if": {
"field": "type",
"equals": "Microsoft.Sql/servers/databases"
},
"then": {
"effect": "DeployIfNotExists",
"details": {
"type": "Microsoft.Insights/diagnosticSettings",
"existenceCondition": {
"allOf": [
{
"field": "Microsoft.Insights/diagnosticSettings/workspaceId",
"equals": "[parameters('workspaceId')]"
}
]
},
"roleDefinitionIds": [
"/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
],
"deployment": {
"properties": {
"mode": "incremental",
"template": {
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"name": {
"type": "string"
},
"workspaceId": {
"type": "string"
}
},
"resources": [
{
"type": "Microsoft.Sql/servers/databases/providers/diagnosticSettings",
"name": "[concat(parameters('name'), '/Microsoft.Insights/service')]",
"apiVersion": "2017-05-01-preview",
"properties": {
"workspaceId": "[parameters('workspaceId')]",
"logs": [
{
"category": "SQLSecurityAuditEvents",
"enabled": true
}
],
"metrics": [
{
"timeGrain": "PT1M",
"enabled": true,
"retentionPolicy": {
"enabled": true,
"days": 7
}
}
]
}
}
]
},
"parameters": {
"name": {
"value": "[field('name')]"
},
"workspaceId": {
"value": "[parameters('workspaceId')]"
}
}
}
}
}
}
}
},
"id": "/providers/Microsoft.Authorization/policyDefinitions/0a914e76-4921-4c19-b460-a2d36003525a",
"type": "Microsoft.Authorization/policyDefinitions",
"name": "0a914e76-4921-4c19-b460-a2d36003525a"
}