Updated from upstream (#13)

matt-FFFFFF · System · web-flow · commit 9deae352df49 · 2020-10-20T16:23:13.000+01:00
Co-authored-by: System &lt;noreply@azure.com&gt;
diff --git a/policydefinition-deploy_diagnostics_databricks.tf b/policydefinition-deploy_diagnostics_databricks.tf
@@ -0,0 +1,151 @@
+# This file was auto generated
+resource "azurerm_policy_definition" "deploy_diagnostics_databricks" {
+  name         = "Deploy-Diagnostics-Databricks"
+  policy_type  = "Custom"
+  mode         = "All"
+  display_name = "Deploy-Diagnostics-Databricks"
+  description  = "Apply diagnostic settings for Databricks - Log Analytics"
+
+  management_group_name = var.management_group_name
+  policy_rule           = <<POLICYRULE
+{
+  "if": {
+    "field": "type",
+    "equals": "Microsoft.Databricks/workspaces"
+  },
+  "then": {
+    "effect": "deployIfNotExists",
+    "details": {
+      "type": "Microsoft.Insights/diagnosticSettings",
+      "name": "setByPolicy",
+      "existenceCondition": {
+        "allOf": [
+          {
+            "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
+            "equals": "true"
+          },
+          {
+            "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
+            "equals": "true"
+          },
+          {
+            "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+            "equals": "[parameters('logAnalytics')]"
+          }
+        ]
+      },
+      "roleDefinitionIds": [
+        "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
+      ],
+      "deployment": {
+        "properties": {
+          "mode": "incremental",
+          "template": {
+            "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+            "contentVersion": "1.0.0.0",
+            "parameters": {
+              "resourceName": {
+                "type": "string"
+              },
+              "logAnalytics": {
+                "type": "string"
+              },
+              "location": {
+                "type": "string"
+              }
+            },
+            "variables": {},
+            "resources": [
+              {
+                "type": "Microsoft.Databricks/workspaces/providers/diagnosticSettings",
+                "apiVersion": "2017-05-01-preview",
+                "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]",
+                "location": "[parameters('location')]",
+                "dependsOn": [],
+                "properties": {
+                  "workspaceId": "[parameters('logAnalytics')]",
+                  "metrics": [],
+                  "logs": [
+                    {
+                      "category": "dbfs",
+                      "enabled": true
+                    },
+                    {
+                      "category": "clusters",
+                      "enabled": true
+                    },
+                    {
+                      "category": "accounts",
+                      "enabled": true
+                    },
+                    {
+                      "category": "jobs",
+                      "enabled": true
+                    },
+                    {
+                      "category": "notebook",
+                      "enabled": true
+                    },
+                    {
+                      "category": "ssh",
+                      "enabled": true
+                    },
+                    {
+                      "category": "workspace",
+                      "enabled": true
+                    },
+                    {
+                      "category": "secrets",
+                      "enabled": true
+                    },
+                    {
+                      "category": "sqlPermissions",
+                      "enabled": true
+                    },
+                    {
+                      "category": "instancePools",
+                      "enabled": true
+                    }
+                  ]
+                }
+              }
+            ],
+            "outputs": {}
+          },
+          "parameters": {
+            "logAnalytics": {
+              "value": "[parameters('logAnalytics')]"
+            },
+            "location": {
+              "value": "[field('location')]"
+            },
+            "resourceName": {
+              "value": "[field('name')]"
+            }
+          }
+        }
+      }
+    }
+  }
+}
+POLICYRULE
+
+  parameters = <<PARAMETERS
+{
+  "logAnalytics": {
+    "type": "String",
+    "metadata": {
+      "displayName": "Log Analytics workspace",
+      "description": "Select the Log Analytics workspace from dropdown list",
+      "strongType": "omsWorkspace"
+    }
+  }
+}
+PARAMETERS
+
+}
+
+output "policydefinition_deploy_diagnostics_databricks" {
+  value = azurerm_policy_definition.deploy_diagnostics_databricks
+}
+
diff --git a/policydefinition-deploy_diagnostics_function.tf b/policydefinition-deploy_diagnostics_function.tf
@@ -0,0 +1,128 @@
+# This file was auto generated
+resource "azurerm_policy_definition" "deploy_diagnostics_function" {
+  name         = "Deploy-Diagnostics-Function"
+  policy_type  = "Custom"
+  mode         = "All"
+  display_name = "Deploy-Diagnostics-Function"
+  description  = "Apply diagnostic settings for Azure Function"
+
+  management_group_name = var.management_group_name
+  policy_rule           = <<POLICYRULE
+{
+  "if": {
+    "allOf": [
+      {
+        "field": "type",
+        "equals": "Microsoft.Web/sites"
+      },
+      {
+        "field": "kind",
+        "equals": "functionapp"
+      }
+    ]
+  },
+  "then": {
+    "effect": "deployIfNotExists",
+    "details": {
+      "type": "Microsoft.Insights/diagnosticSettings",
+      "name": "setByPolicy",
+      "existenceCondition": {
+        "allOf": [
+          {
+            "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
+            "equals": "true"
+          },
+          {
+            "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
+            "equals": "[parameters('logAnalytics')]"
+          }
+        ]
+      },
+      "roleDefinitionIds": [
+        "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
+      ],
+      "deployment": {
+        "properties": {
+          "mode": "incremental",
+          "template": {
+            "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
+            "contentVersion": "1.0.0.0",
+            "parameters": {
+              "resourceName": {
+                "type": "string"
+              },
+              "logAnalytics": {
+                "type": "string"
+              },
+              "location": {
+                "type": "string"
+              }
+            },
+            "variables": {},
+            "resources": [
+              {
+                "type": "Microsoft.Web/sites/providers/diagnosticSettings",
+                "apiVersion": "2017-05-01-preview",
+                "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/setByPolicy')]",
+                "location": "[parameters('location')]",
+                "dependsOn": [],
+                "properties": {
+                  "workspaceId": "[parameters('logAnalytics')]",
+                  "metrics": [
+                    {
+                      "category": "AllMetrics",
+                      "enabled": true,
+                      "retentionPolicy": {
+                        "days": 0,
+                        "enabled": false
+                      }
+                    }
+                  ],
+                  "logs": [
+                    {
+                      "category": "FunctionAppLogs",
+                      "enabled": true
+                    }
+                  ]
+                }
+              }
+            ],
+            "outputs": {}
+          },
+          "parameters": {
+            "logAnalytics": {
+              "value": "[parameters('logAnalytics')]"
+            },
+            "location": {
+              "value": "[field('location')]"
+            },
+            "resourceName": {
+              "value": "[field('name')]"
+            }
+          }
+        }
+      }
+    }
+  }
+}
+POLICYRULE
+
+  parameters = <<PARAMETERS
+{
+  "logAnalytics": {
+    "type": "String",
+    "metadata": {
+      "displayName": "Log Analytics workspace",
+      "description": "Select the Log Analytics workspace from dropdown list",
+      "strongType": "omsWorkspace"
+    }
+  }
+}
+PARAMETERS
+
+}
+
+output "policydefinition_deploy_diagnostics_function" {
+  value = azurerm_policy_definition.deploy_diagnostics_function
+}
+
diff --git a/policydefinition-deploy_diagnostics_website.tf b/policydefinition-deploy_diagnostics_website.tf
@@ -10,8 +10,16 @@ resource "azurerm_policy_definition" "deploy_diagnostics_website" {
   policy_rule           = <<POLICYRULE
 {
   "if": {
-    "field": "type",
-    "equals": "Microsoft.Web/sites"
+    "allOf": [
+      {
+        "field": "type",
+        "equals": "Microsoft.Web/sites"
+      },
+      {
+        "field": "kind",
+        "notEquals": "functionapp"
+      }
+    ]
   },
   "then": {
     "effect": "deployIfNotExists",
@@ -70,7 +78,40 @@ resource "azurerm_policy_definition" "deploy_diagnostics_website" {
                       }
                     }
                   ],
-                  "logs": []
+                  "logs": [
+                    {
+                      "category": "AppServiceAntivirusScanAuditLogs",
+                      "enabled": true
+                    },
+                    {
+                      "category": "AppServiceHTTPLogs",
+                      "enabled": true
+                    },
+                    {
+                      "category": "AppServiceConsoleLogs",
+                      "enabled": true
+                    },
+                    {
+                      "category": "AppServiceAppLogs",
+                      "enabled": true
+                    },
+                    {
+                      "category": "AppServiceFileAuditLogs",
+                      "enabled": true
+                    },
+                    {
+                      "category": "AppServiceAuditLogs",
+                      "enabled": true
+                    },
+                    {
+                      "category": "AppServiceIPSecAuditLogs",
+                      "enabled": true
+                    },
+                    {
+                      "category": "AppServicePlatformLogs",
+                      "enabled": true
+                    }
+                  ]
                 }
               }
             ],
