last sync: 2020-Oct-01 14:15:17 UTC

Azure Policy

Deploy a flow log resource with target network security group

Policy DisplayName Deploy a flow log resource with target network security group
Policy Id 0db34a60-64f4-4bf6-bd44-f95c16cf34b9
Policy Category Network
Policy Description Configures flow log for a specific network security group. It allows logging information about IP traffic flowing through a network security group. Flow logs help to identify unknown or undesired traffic, verify network isolation and compliance with enterprise access rules, and analyze network flows from compromised IPs and network interfaces.
Policy Mode Indexed
Policy Type BuiltIn
Policy in Preview FALSE
Policy Deprecated FALSE
Policy Effect Fixed: deployIfNotExists
Roles used
Role Name Role Id
Contributor b24988ac-6180-42a0-ab88-20f7382dd24c
Policy Changes
Date/Time (UTC ymd) (i) Change Change detail
2020-08-27 15:39:26 add: Policy 0db34a60-64f4-4bf6-bd44-f95c16cf34b9
Used in Policy Initiative(s) none
Policy Rule
{
  "properties": {
    "displayName": "Deploy a flow log resource with target network security group",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Configures flow log for specific network security group. It will allow to log information about IP traffic flowing through an network security group. Flow log helps to identify unknown or undesired traffic, verify network isolation and compliance with enterprise access rules, analyze network flows from compromised IPs and network interfaces.",
    "metadata": {
      "version": "1.0.0",
      "category": "Network"
    },
    "parameters": {
      "nsgRegion": {
        "type": "String",
        "metadata": {
          "displayName": "NSG Region",
          "description": "This Policy will review NSGs only in the selected region. You can create other assignments to include other regions.",
          "strongType": "location"
        }
      },
      "storageId": {
        "type": "String",
        "metadata": {
          "displayName": "Storage id",
        "description": "A string with the storage id for the flowlogs to be sent to. It will be used for deployment purposes only. Make sure this storage account is located in the same region as the NSG. The format must be: '/subscriptions/{subscription id}/resourceGroups/{resourceGroup name}/providers/Microsoft.Storage/storageAccounts/{storage account name}",
          "assignPermissions": "true"
        }
      },
      "networkWatcherRG": {
        "type": "String",
        "metadata": {
          "displayName": "Network Watchers RG",
          "description": "The name of the resource group where the flowLog resources will be created. This will be used only if a deployment is required. This is the resource group where the Network Watchers are located.",
          "strongType": "existingResourceGroups"
        }
      },
      "networkWatcherName": {
        "type": "String",
        "metadata": {
          "displayName": "Network Watcher name",
          "description": "The name of the network watcher under which the flowLog resources will be created. Make sure it belongs to the same region as the NSG."
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Network/networkSecurityGroups"
          },
          {
            "field": "location",
          "equals": "[parameters('nsgRegion')]"
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "type": "Microsoft.Network/networkWatchers/flowlogs",
        "resourceGroupName": "[if(empty(coalesce(field('Microsoft.Network/networkSecurityGroups/flowLogs'))), parameters('networkWatcherRG'), split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[4])]",
        "name": "[if(empty(coalesce(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id'))), 'null/null', concat(split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[8], '/', split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[10]))]",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Network/networkWatchers/flowLogs/enabled",
                "equals": "true"
              },
              {
                "field": "Microsoft.Network/networkWatchers/flowLogs/storageId",
              "equals": "[parameters('storageId')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "storageId": {
                    "type": "String"
                  },
                  "networkWatcherRG": {
                    "type": "String"
                  },
                  "networkWatcherName": {
                    "type": "String"
                  },
                  "flowlogName": {
                    "type": "String"
                  },
                  "location": {
                    "type": "String"
                  },
                  "targetResource": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "type": "Microsoft.Resources/deployments",
                  "name": "[concat('flowlogDeployment-', uniqueString(parameters('flowlogName')))]",
                    "apiVersion": "2019-10-01",
                  "resourceGroup": "[parameters('networkWatcherRG')]",
                    "properties": {
                      "mode": "incremental",
                      "parameters": {
                        
                      },
                      "template": {
                        "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {
                          
                        },
                        "resources": [
                          {
                            "type": "Microsoft.Network/networkWatchers/flowLogs",
                          "name": "[concat(parameters('networkWatcherName'), '/', parameters('flowlogName'))]",
                            "apiVersion": "2019-11-01",
                          "location": "[parameters('location')]",
                            "properties": {
                            "targetResourceId": "[parameters('targetResource')]",
                            "storageId": "[parameters('storageId')]",
                              "enabled": "true",
                              "retentionPolicy": {
                                "days": "0",
                                "enabled": "false"
                              }
                            }
                          }
                        ]
                      }
                    }
                  }
                ]
              },
              "parameters": {
                "storageId": {
                "value": "[parameters('storageId')]"
                },
                "networkWatcherRG": {
                "value": "[if(empty(coalesce(field('Microsoft.Network/networkSecurityGroups/flowLogs'))), parameters('networkWatcherRG'), split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[4])]"
                },
                "networkWatcherName": {
                "value": "[if(empty(coalesce(field('Microsoft.Network/networkSecurityGroups/flowLogs'))), parameters('networkWatcherName'), split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[8])]"
                },
                "flowlogName": {
                "value": "[if(empty(coalesce(field('Microsoft.Network/networkSecurityGroups/flowLogs'))), concat(field('name'), '-', resourceGroup().name, '-', 'flowlog'), split(first(field('Microsoft.Network/networkSecurityGroups/flowLogs[*].id')), '/')[10])]"
                },
                "location": {
                "value": "[field('location')]"
                },
                "targetResource": {
                "value": "[concat(resourceGroup().id, '/providers/Microsoft.Network/networkSecurityGroups/', field('name'))]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/0db34a60-64f4-4bf6-bd44-f95c16cf34b9",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "0db34a60-64f4-4bf6-bd44-f95c16cf34b9"
}