last sync: 2020-Sep-18 14:08:07 UTC

Azure Policy

Deploy Diagnostic Settings for Key Vault to Event Hub

Policy DisplayName Deploy Diagnostic Settings for Key Vault to Event Hub
Policy Id ed7c8c13-51e7-49d1-8a43-8490431a0da2
Policy Category Key Vault
Policy Description Deploys the diagnostic settings for Key Vault to stream to a regional Event Hub when any Key Vault which is missing this diagnostic settings is created or updated.
Policy Mode Indexed
Policy Type BuiltIn
Policy in Preview FALSE
Policy Deprecated FALSE
Policy Effect Fixed: deployIfNotExists
Roles used
Role Name Role Id
Contributor b24988ac-6180-42a0-ab88-20f7382dd24c
Policy Changes no changes
Used in Policy Initiative(s) none
Policy Rule
{
  "properties": {
    "displayName": "Deploy Diagnostic Settings for Key Vault to Event Hub",
    "policyType": "BuiltIn",
    "mode": "Indexed",
    "description": "Deploys the diagnostic settings for Key Vault to stream to a regional Event Hub when any Key Vault which is missing this diagnostic settings is created or updated.",
    "metadata": {
      "version": "2.0.0",
      "category": "Key Vault"
    },
    "parameters": {
      "profileName": {
        "type": "String",
        "metadata": {
          "displayName": "Profile name",
          "description": "The diagnostic settings profile name"
        },
        "defaultValue": "setbypolicy"
      },
      "eventHubRuleId": {
        "type": "String",
        "metadata": {
          "displayName": "Event Hub Authorization Rule Id",
        "description": "The Event Hub authorization rule Id for Azure Diagnostics. The authorization rule needs to be at Event Hub namespace level. e.g. /subscriptions/{subscription Id}/resourceGroups/{resource group}/providers/Microsoft.EventHub/namespaces/{Event Hub namespace}/authorizationrules/{authorization rule}",
          "strongType": "Microsoft.EventHub/Namespaces/AuthorizationRules",
          "assignPermissions": true
        }
      },
      "eventHubLocation": {
        "type": "String",
        "metadata": {
          "displayName": "Event Hub Location",
          "description": "The location the Event Hub resides in. Only Key Vaults in this location will be linked to this Event Hub.",
          "strongType": "location"
        },
        "defaultValue": ""
      },
      "metricsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable metrics",
          "description": "Whether to enable metrics stream to the Event Hub - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "False"
      },
      "logsEnabled": {
        "type": "String",
        "metadata": {
          "displayName": "Enable logs",
          "description": "Whether to enable logs stream to the Event Hub  - True or False"
        },
        "allowedValues": [
          "True",
          "False"
        ],
        "defaultValue": "True"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.KeyVault/vaults"
          },
          {
            "anyOf": [
              {
              "value": "[parameters('eventHubLocation')]",
                "equals": ""
              },
              {
                "field": "location",
              "equals": "[parameters('eventHubLocation')]"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
        "name": "[parameters('profileName')]",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
              "equals": "[parameters('logsEnabled')]"
              },
              {
                "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
              "equals": "[parameters('metricsEnabled')]"
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vaultName": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "eventHubRuleId": {
                    "type": "string"
                  },
                  "metricsEnabled": {
                    "type": "string"
                  },
                  "logsEnabled": {
                    "type": "string"
                  },
                  "profileName": {
                    "type": "string"
                  }
                },
                "resources": [
                  {
                    "type": "Microsoft.KeyVault/vaults/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                  "name": "[concat(parameters('vaultName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                  "location": "[parameters('location')]",
                    "dependsOn": [
                      
                    ],
                    "properties": {
                    "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]",
                      "metrics": [
                        {
                          "category": "AllMetrics",
                        "enabled": "[parameters('metricsEnabled')]",
                          "retentionPolicy": {
                            "enabled": false,
                            "days": 0
                          }
                        }
                      ],
                      "logs": [
                        {
                          "category": "AuditEvent",
                        "enabled": "[parameters('logsEnabled')]"
                        }
                      ]
                    }
                  }
                ],
                "outputs": {
                  "policy": {
                    "type": "string",
                  "value": "[concat('Enabled diagnostic settings for ', parameters('vaultName'))]"
                  }
                }
              },
              "parameters": {
                "location": {
                "value": "[field('location')]"
                },
                "vaultName": {
                "value": "[field('name')]"
                },
                "eventHubRuleId": {
                "value": "[parameters('eventHubRuleId')]"
                },
                "metricsEnabled": {
                "value": "[parameters('metricsEnabled')]"
                },
                "logsEnabled": {
                "value": "[parameters('logsEnabled')]"
                },
                "profileName": {
                "value": "[parameters('profileName')]"
                }
              }
            }
          }
        }
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/ed7c8c13-51e7-49d1-8a43-8490431a0da2",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "ed7c8c13-51e7-49d1-8a43-8490431a0da2"
}