【Azure Policy】Using deployIfNotExists to export Azure Activity Logs to a Storage Account

Summary: This article describes how to use Azure Policy to configure a Diagnostic Setting for the Activity Log of every subscription. The requirements are: enable the Activity Log at the Subscription or Management Group level; correct the parameter configuration of subscriptions that already have the Activity Log enabled; store the logs in a specific Storage Account with a retention period of 6 months; and collect specific log categories (Administrative, Security, Alert, Recommendation and ResourceHealth). The article also covers common errors and their fixes, and lists reference links.

Problem description

Using Azure Policy, configure a Diagnostic Setting for the Activity Log of every subscription, with the following requirements:

  1. At the Subscription or Management Group level, enable the Activity Log for subscriptions that do not have it enabled;
  2. For subscriptions that already have the Activity Log enabled, use the same Policy to correct and unify their parameter configuration;
  3. Store the collected Azure Activity Log in a specific Storage Account, with a retention period of 6 months;
  4. The Activity Log should collect the following log categories:
  • Administrative
  • Security
  • Alert
  • Recommendation
  • ResourceHealth

Solution

Match the requirements one by one.

1. At the Subscription or Management Group level, enable the Activity Log for subscriptions that do not have it enabled

Because the resource the Policy has to scan is the Subscription, the first step is to scan all subscription resources, and then check the Microsoft.Insights/diagnosticSettings configuration under each subscription.

    "policyRule": {
        "if": {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions"
        },

2. For subscriptions that already have the Activity Log enabled, use the same Policy to correct and unify their parameter configuration

3. Store the collected Azure Activity Log in a specific Storage Account, with a retention period of 6 months

For point 3: a specific Storage Account is required, so it is exposed as a Policy parameter and the storageAccountId value is compared against it for equality. The 6-month retention period is not implemented in the Policy: the new UI no longer offers that setting, so it has to be configured on the Storage Account itself.

For point 2: the same Storage Account must be used, so the condition is not "some Storage Account is configured" but "the storageAccountId must equal the parameter value".

    {
        "field": "Microsoft.Insights/diagnosticSettings/storageAccountId",
        "equals": "[parameters('storageAccount')]"
    },

4. The Activity Log should collect the following log categories: a) Administrative b) Security c) Alert d) Recommendation e) ResourceHealth

Because logs in the DiagnosticSettings ARM resource is an array, use the logs[*] alias together with the count operator (count / where / equals). Without count, a condition on a [*] alias has to hold for every element of the array, so it cannot express "each of these five categories is present and enabled".

Once the Policy's if-condition is satisfied, the next thing to consider is the DeployIfNotExists configuration:

  • existenceScope: allowed values are Subscription and ResourceGroup, but the default is ResourceGroup, so here it must be changed to Subscription.
  • existenceCondition: if any matching related resource evaluates to true, the effect is satisfied and no deployment is triggered.
  • deploymentScope: allowed values are Subscription and ResourceGroup; the default is ResourceGroup. Because the resource being modified is the subscription's diagnostic setting, this value must be set to Subscription, and the location property must also be specified in the deployment; otherwise you get a "the location is missing" error.

Full Policy

{
    "mode": "All",
    "policyRule": {
        "if": {
            "field": "type",
            "equals": "Microsoft.Resources/subscriptions"
        },
        "then": {
            "effect": "[parameters('effect')]",
            "details": {
                "type": "Microsoft.Insights/diagnosticSettings",
                "existenceScope": "Subscription",
                "existenceCondition": {
                    "allOf": [
                        {
                            "field": "Microsoft.Insights/diagnosticSettings/storageAccountId",
                            "equals": "[parameters('storageAccount')]"
                        },
                        {
                            "count": {
                                "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
                                "where": {
                                    "allOf": [
                                        {
                                            "anyOf": [
                                                {
                                                    "field": "Microsoft.Insights/diagnosticSettings/logs[*].category",
                                                    "equals": "Administrative"
                                                },
                                                {
                                                    "field": "Microsoft.Insights/diagnosticSettings/logs[*].category",
                                                    "equals": "Security"
                                                },
                                                {
                                                    "field": "Microsoft.Insights/diagnosticSettings/logs[*].category",
                                                    "equals": "Alert"
                                                },
                                                {
                                                    "field": "Microsoft.Insights/diagnosticSettings/logs[*].category",
                                                    "equals": "Recommendation"
                                                },
                                                {
                                                    "field": "Microsoft.Insights/diagnosticSettings/logs[*].category",
                                                    "equals": "ResourceHealth"
                                                }
                                            ]
                                        },
                                        {
                                            "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
                                            "equals": "true"
                                        }
                                    ]
                                }
                            },
                            "equals": 5
                        }
                    ]
                },
                "deploymentScope": "subscription",
                "deployment": {
                    "location": "chinaeast2",
                    "properties": {
                        "mode": "incremental",
                        "template": {
                            "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
                            "contentVersion": "1.0.0.0",
                            "parameters": {
                                "storageAccount": {
                                    "type": "string"
                                },
                                "logsEnabled": {
                                    "type": "string"
                                },
                                "profileName": {
                                    "type": "string"
                                }
                            },
                            "variables": {},
                            "resources": [
                                {
                                    "type": "Microsoft.Insights/diagnosticSettings",
                                    "apiVersion": "2017-05-01-preview",
                                    "name": "[parameters('profileName')]",
                                    "location": "global",
                                    "dependsOn": [],
                                    "properties": {
                                        "storageAccountId": "[parameters('storageAccount')]",
                                        "logs": [
                                            {
                                                "category": "Administrative",
                                                "enabled": "[parameters('logsEnabled')]"
                                            },
                                            {
                                                "category": "Security",
                                                "enabled": "[parameters('logsEnabled')]"
                                            },
                                            {
                                                "category": "Alert",
                                                "enabled": "[parameters('logsEnabled')]"
                                            },
                                            {
                                                "category": "Recommendation",
                                                "enabled": "[parameters('logsEnabled')]"
                                            },
                                            {
                                                "category": "ResourceHealth",
                                                "enabled": "[parameters('logsEnabled')]"
                                            }
                                        ]
                                    }
                                }
                            ],
                            "outputs": {}
                        },
                        "parameters": {
                            "storageAccount": {
                                "value": "[parameters('storageAccount')]"
                            },
                            "logsEnabled": {
                                "value": "[parameters('logsEnabled')]"
                            },
                            "profileName": {
                                "value": "[parameters('profileName')]"
                            }
                        }
                    }
                },
                "roleDefinitionIds": [
                    "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
                    "/providers/Microsoft.Authorization/roleDefinitions/17d1049b-9a84-46fb-8f53-869881c3d3ab"
                ]
            }
        }
    },
    "parameters": {
        "effect": {
            "type": "String",
            "metadata": {
                "displayName": "Effect",
                "description": "Enable or disable the execution of the policy"
            },
            "allowedValues": [
                "DeployIfNotExists",
                "Disabled"
            ],
            "defaultValue": "DeployIfNotExists"
        },
        "profileName": {
            "type": "String",
            "metadata": {
                "displayName": "Profile name",
                "description": "The diagnostic settings profile name"
            },
            "defaultValue": "setbypolicy_storageaccount"
        },
        "storageAccount": {
            "type": "String",
            "metadata": {
                "displayName": "Storage Account Name",
                "description": "Select storage account from dropdown list. If this workspace is outside of the scope of the assignment you must manually grant 'Log Analytics Contributor' permissions (or similar) to the policy assignment's principal ID.",
                "strongType": "Microsoft.Storage/storageAccounts",
                "assignPermissions": true
            },
            "defaultValue": "/subscriptions/<subscription id>/resourcegroups/<resource group name>/providers/microsoft.storage/storageaccounts/<storage account name>"
        },
        "logsEnabled": {
            "type": "String",
            "metadata": {
                "displayName": "Enable logs",
                "description": "Whether to enable logs stream to the Log Analytics workspace - True or False"
            },
            "allowedValues": [
                "True",
                "False"
            ],
            "defaultValue": "True"
        }
    }
}
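To reason about which existing diagnostic settings the existenceCondition above accepts and which ones trigger remediation, here is an added Python simulation. It is not part of the original article and is not the Azure Policy engine; it only re-implements the rule's logic (storageAccountId equality plus the count/where/equals over logs[*]) and applies it to constructed sample settings. The storage account resource ID, the sample settings and the helper names are assumptions made for this example; the five category names and the count of 5 come from the policy itself. The `bare_wildcard_equals` helper illustrates the [*]-without-count semantics described in the "Understanding the [*] alias" reference.

```python
# Added example: local re-implementation of the policy's existenceCondition.
# NOT the Azure Policy engine; it mirrors the rule above so the compliance
# outcome of a given diagnostic-setting payload can be reasoned about offline.

REQUIRED_CATEGORIES = {"Administrative", "Security", "Alert", "Recommendation", "ResourceHealth"}

# Constructed placeholder standing in for parameters('storageAccount').
TARGET_STORAGE_ID = (
    "/subscriptions/00000000-0000-0000-0000-000000000000"
    "/resourceGroups/rg-activitylog"
    "/providers/Microsoft.Storage/storageAccounts/stactivitylogexample"
)


def _truthy(value):
    """Azure Policy's 'equals' is a case-insensitive string comparison, so a JSON
    boolean true and the string "true" both satisfy "equals": "true"."""
    return str(value).lower() == "true"


def count_enabled_required_logs(setting):
    """count { field: logs[*], where: allOf[ category in the 5 names, enabled == true ] }"""
    return sum(
        1
        for log in setting.get("logs", [])
        if log.get("category") in REQUIRED_CATEGORIES and _truthy(log.get("enabled"))
    )


def existence_condition_met(setting, target_storage_id=TARGET_STORAGE_ID):
    """allOf[ storageAccountId equals the parameter, count(...) equals 5 ].
    Resource IDs are compared case-insensitively, as Azure does for 'equals'."""
    storage_ok = (setting.get("storageAccountId") or "").lower() == target_storage_id.lower()
    return storage_ok and count_enabled_required_logs(setting) == 5


def subscription_needs_remediation(settings, target_storage_id=TARGET_STORAGE_ID):
    """DeployIfNotExists is satisfied when ANY related resource passes the
    existenceCondition; otherwise the deployment (remediation) is triggered."""
    return not any(existence_condition_met(s, target_storage_id) for s in settings)


def bare_wildcard_equals(setting, category):
    """What a plain logs[*].category 'equals' condition (no count) means: every
    array element must match, so it fails as soon as a second category exists."""
    logs = setting.get("logs", [])
    return all(log.get("category") == category for log in logs)


def _setting(storage_id, enabled_categories, extra=()):
    """Build a constructed diagnostic-setting 'properties' object."""
    logs = [{"category": c, "enabled": c in enabled_categories} for c in sorted(REQUIRED_CATEGORIES)]
    logs += [{"category": c, "enabled": True} for c in extra]
    return {"storageAccountId": storage_id, "logs": logs}


# Constructed sample settings (no real subscription data).
COMPLIANT = _setting(TARGET_STORAGE_ID, REQUIRED_CATEGORIES)
WRONG_STORAGE = _setting(TARGET_STORAGE_ID.replace("example", "other"), REQUIRED_CATEGORIES)
PARTIAL = _setting(TARGET_STORAGE_ID, {"Administrative", "Security"})
WITH_EXTRA = _setting(TARGET_STORAGE_ID, REQUIRED_CATEGORIES, extra=("Policy",))

if __name__ == "__main__":
    samples = [("compliant", COMPLIANT), ("wrong storage", WRONG_STORAGE),
               ("partial", PARTIAL), ("with extra category", WITH_EXTRA)]
    for name, s in samples:
        print(f"{name:22s} count={count_enabled_required_logs(s)} "
              f"compliant={existence_condition_met(s)}")
    print("needs remediation:", subscription_needs_remediation([PARTIAL, WRONG_STORAGE]))
    print("bare [*] equals on compliant setting:", bare_wildcard_equals(COMPLIANT, "Administrative"))
```

Two behaviours worth noting from the run: a setting that additionally enables a category outside the five (the "Policy" category in the sample) still counts as compliant, because count only counts the matching elements; and a setting with all five categories but a different storageAccountId is non-compliant, which is exactly requirement 2 (unify on one Storage Account) enforced by the equality check.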

Possible errors

1: location error

    "deploymentScope": "subscription",
    "deployment": {
        "location": "chinaeast2",
        "properties": {

Code: LocationNotAvailableForDeployment

Message: The provided location 'global' is not available for deployment. List of available regions is 'chinaeast2,chinaeast,chinanorth3,chinanorth,chinanorth2'.

Note: If the location is missing or the value is incorrect, you will encounter the LocationNotAvailableForDeployment error, and the error message will be "The provided location 'global' is not available for deployment. List of available regions is 'chinaeast2, chinaeast, chinanorth3, chinanorth, chinanorth2'."

2: Incorrect logs[*].enabled condition

    {
        "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
        "equals": "true"
    }

Result: (screenshot not preserved in this copy)

3: Incorrect logs[*].category condition

    {
        "field": "Microsoft.Insights/diagnosticSettings/logs[*].category",
        "equals": "Administrative"
    }

Result: (screenshot not preserved in this copy)

References

  1. Azure Policy pattern: the count operator: https://docs.azure.cn/zh-cn/governance/policy/samples/pattern-count-operator
  2. Understanding the [*] alias: https://docs.azure.cn/zh-cn/governance/policy/concepts/definition-structure#understanding-the--alias
  3. DeployIfNotExists evaluation: https://docs.azure.cn/zh-cn/governance/policy/concepts/effects#deployifnotexists-evaluation

When facing problems in a complex environment, the way of getting to the bottom of things is: when muddied, be still and it slowly clears; when settled, move and it slowly comes to life. In the cloud, it is just so!
