last sync: 2021-Sep-22 19:36:51 UTC

Azure Policy definition

Deploy Diagnostic Settings for Network Security Groups

Name Deploy Diagnostic Settings for Network Security Groups
Azure Portal
Id c9c29499-c1d1-4195-99bd-2ec9e3a9dc89
Version 1.0.0
details on versioning
Category Monitoring
Microsoft docs
Description This policy automatically deploys diagnostic settings to network security groups. A storage account with name '{storagePrefixParameter}{NSGLocation}' will be automatically created.
Mode Indexed
Type BuiltIn
Preview FALSE
Deprecated FALSE
Effect Fixed: deployIfNotExists
Used RBAC Role
Role Name Role Id
Monitoring Contributor 749f88d5-cbae-40b8-bcfc-e573ddc772fa
Storage Account Contributor 17d1049b-9a84-46fb-8f53-869881c3d3ab
History none
Used in Initiatives
Initiative DisplayName Initiative Id Initiative Category State
[Preview]: Motion Picture Association of America (MPAA) 92646f03-e39d-47a9-9e24-58d60ef49af8 Regulatory Compliance Preview
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA
JSON
{
  "displayName": "Deploy Diagnostic Settings for Network Security Groups",
  "policyType": "BuiltIn",
  "mode": "Indexed",
  "description": "This policy automatically deploys diagnostic settings to network security groups. A storage account with name '{storagePrefixParameter}{NSGLocation}' will be automatically created.",
  "metadata": {
    "version": "1.0.0",
    "category": "Monitoring"
  },
  "parameters": {
    "storagePrefix": {
      "type": "String",
      "metadata": {
        "displayName": "Storage Account Prefix for Regional Storage Account",
        "description": "This prefix will be combined with the network security group location to form the created storage account name."
      }
    },
    "rgName": {
      "type": "String",
      "metadata": {
        "displayName": "Resource Group Name for Storage Account (must exist)",
        "description": "The resource group that the storage account will be created in. This resource group must already exist.",
        "strongType": "ExistingResourceGroups"
      }
    }
  },
  "policyRule": {
    "if": {
      "field": "type",
      "equals": "Microsoft.Network/networkSecurityGroups"
    },
    "then": {
      "effect": "deployIfNotExists",
      "details": {
        "type": "Microsoft.Insights/diagnosticSettings",
        "name": "setbypolicy",
        "roleDefinitionIds": [
          "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
          "/providers/microsoft.authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"
        ],
        "deployment": {
          "properties": {
            "mode": "incremental",
            "template": {
              "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
              "contentVersion": "1.0.0.0",
              "parameters": {
                "location": {
                  "type": "string"
                },
                "storagePrefix": {
                  "type": "string"
                },
                "nsgName": {
                  "type": "string"
                },
                "rgName": {
                  "type": "string"
                }
              },
              "variables": {
                "storageDeployName": "[concat('policyStorage_', uniqueString(parameters('location'), parameters('nsgName')))]"
              },
              "resources": [
                {
                  "type": "Microsoft.Network/networkSecurityGroups/providers/diagnosticSettings",
                  "name": "[concat(parameters('nsgName'),'/Microsoft.Insights/setbypolicy')]",
                  "apiVersion": "2017-05-01-preview",
                  "location": "[parameters('location')]",
                  "dependsOn": [
                    "[variables('storageDeployName')]"
                  ],
                  "properties": {
                    "storageAccountId": "[reference(variables('storageDeployName')).outputs.storageAccountId.value]",
                    "logs": [
                      {
                        "category": "NetworkSecurityGroupEvent",
                        "enabled": true,
                        "retentionPolicy": {
                          "enabled": false,
                          "days": 0
                        }
                      },
                      {
                        "category": "NetworkSecurityGroupRuleCounter",
                        "enabled": true,
                        "retentionPolicy": {
                          "enabled": false,
                          "days": 0
                        }
                      }
                    ]
                  }
                },
                {
                  "apiVersion": "2017-05-10",
                  "name": "[variables('storageDeployName')]",
                  "type": "Microsoft.Resources/deployments",
                  "resourceGroup": "[parameters('rgName')]",
                  "properties": {
                    "mode": "incremental",
                    "parameters": {
                      "location": {
                        "value": "[parameters('location')]"
                      },
                      "storagePrefix": {
                        "value": "[parameters('storagePrefix')]"
                      }
                    },
                    "template": {
                      "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json",
                      "contentVersion": "1.0.0.0",
                      "parameters": {
                        "location": {
                          "type": "string"
                        },
                        "storagePrefix": {
                          "type": "string"
                        }
                      },
                      "resources": [
                        {
                          "apiVersion": "2017-06-01",
                          "type": "Microsoft.Storage/storageAccounts",
                          "name": "[concat(parameters('storageprefix'), parameters('location'))]",
                          "sku": {
                            "name": "Standard_LRS",
                            "tier": "Standard"
                          },
                          "kind": "Storage",
                          "location": "[parameters('location')]",
                          "tags": {
                            "created-by": "policy"
                          },
                          "scale": null,
                          "properties": {
                            "networkAcls": {
                              "bypass": "AzureServices",
                              "defaultAction": "Allow",
                              "ipRules": [],
                              "virtualNetworkRules": []
                            },
                            "supportsHttpsTrafficOnly": true
                          }
                        }
                      ],
                      "outputs": {
                        "storageAccountId": {
                          "type": "string",
                          "value": "[resourceId(parameters('rgName'), 'Microsoft.Storage/storageAccounts',concat(parameters('storagePrefix'), parameters('location')))]"
                        }
                      }
                    }
                  }
                }
              ]
            },
            "parameters": {
              "location": {
                "value": "[field('location')]"
              },
              "storagePrefix": {
                "value": "[parameters('storagePrefix')]"
              },
              "rgName": {
                "value": "[parameters('rgName')]"
              },
              "nsgName": {
                "value": "[field('name')]"
              }
            }
          }
        }
      }
    }
  }
}