From 3374651345823722fe2867a0671f6f8bdd6ac948 Mon Sep 17 00:00:00 2001 From: Arjen Huitema Date: Tue, 24 Dec 2024 12:02:52 +0100 Subject: [PATCH 1/3] fix: Update conditions for AMBA --- eslzArm/eslzArm.json | 53 ++++++++++++++++++++++---------------------- 1 file changed, 26 insertions(+), 27 deletions(-) diff --git a/eslzArm/eslzArm.json b/eslzArm/eslzArm.json index 23c19d82e..274b1b182 100644 --- a/eslzArm/eslzArm.json +++ b/eslzArm/eslzArm.json @@ -2214,7 +2214,7 @@ }, { // Deploying AMBA custom policies. Note: These policies are pulled from AMBA remote repo (https://www.github.com/Azure/azure-monitor-baseline-alerts). See definition of deploymentUris.monitorPolicyDefinitions for more details - "condition": "[and(empty(parameters('singlePlatformSubscriptionId')), equals(parameters('enableMonitorBaselines'), 'Yes'))]", + "condition": "[and(empty(parameters('singlePlatformSubscriptionId')), or(equals(parameters('enableMonitorBaselines'), 'Yes'), equals(parameters('enableServiceHealth'), 'Yes')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2019-10-01", "name": "[variables('deploymentNames').monitorPolicyDeploymentName]", @@ -2253,40 +2253,40 @@ "value": "[variables('mgmtGroups').lzs]" }, "enableAMBAConnectivity": { - "value": "[parameters('enableMonitorConnectivity')]" + "value": "[if(and(equals(parameters('enableMonitorBaselines'), 'No'), equals(parameters('enableServiceHealth'), 'Yes')), 'No', parameters('enableMonitorConnectivity'))]" }, "enableAMBAIdentity": { - "value": "[parameters('enableMonitorIdentity')]" + "value": "[if(and(equals(parameters('enableMonitorBaselines'), 'No'), equals(parameters('enableServiceHealth'), 'Yes')), 'No', parameters('enableMonitorIdentity'))]" }, "enableAMBAManagement": { - "value": "[parameters('enableMonitorManagement')]" + "value": "[if(and(equals(parameters('enableMonitorBaselines'), 'No'), equals(parameters('enableServiceHealth'), 'Yes')), 'No', parameters('enableMonitorManagement'))]" }, "enableAMBAServiceHealth": { "value": "[parameters('enableServiceHealth')]" }, "enableAMBAHybridVM": { - "value": "[parameters('enableAMBAHybridVM')]" + "value": "[if(and(equals(parameters('enableMonitorBaselines'), 'No'), equals(parameters('enableServiceHealth'), 'Yes')), 'No', parameters('enableAMBAHybridVM'))]" }, "enableAMBAKeyManagement": { - "value": "[parameters('enableAMBAKeyManagement')]" + "value": "[if(and(equals(parameters('enableMonitorBaselines'), 'No'), equals(parameters('enableServiceHealth'), 'Yes')), 'No', parameters('enableAMBAKeyManagement'))]" }, "enableAMBALoadBalancing": { - "value": "[parameters('enableAMBALoadBalancing')]" + "value": "[if(and(equals(parameters('enableMonitorBaselines'), 'No'), equals(parameters('enableServiceHealth'), 'Yes')), 'No', parameters('enableAMBALoadBalancing'))]" }, "enableAMBANetworkChanges": { - "value": "[parameters('enableAMBANetworkChanges')]" + "value": "[if(and(equals(parameters('enableMonitorBaselines'), 'No'), equals(parameters('enableServiceHealth'), 'Yes')), 'No', parameters('enableAMBANetworkChanges'))]" }, "enableAMBARecoveryServices": { - "value": "[parameters('enableAMBARecoveryServices')]" + "value": "[if(and(equals(parameters('enableMonitorBaselines'), 'No'), equals(parameters('enableServiceHealth'), 'Yes')), 'No', parameters('enableAMBARecoveryServices'))]" }, "enableAMBAStorage": { - "value": "[parameters('enableAMBAStorage')]" + "value": "[if(and(equals(parameters('enableMonitorBaselines'), 'No'), equals(parameters('enableServiceHealth'), 'Yes')), 'No', parameters('enableAMBAStorage'))]" }, "enableAMBAVM": { - "value": "[parameters('enableAMBAVM')]" + "value": "[if(and(equals(parameters('enableMonitorBaselines'), 'No'), equals(parameters('enableServiceHealth'), 'Yes')), 'No', parameters('enableAMBAVM'))]" }, "enableAMBAWeb": { - "value": "[parameters('enableAMBAWeb')]" + "value": "[if(and(equals(parameters('enableMonitorBaselines'), 'No'), equals(parameters('enableServiceHealth'), 'Yes')), 'No', parameters('enableAMBAWeb'))]" }, "userAssignedManagedIdentityName": { "value": "[parameters('userAssignedManagedIdentityName')]" @@ -2317,7 +2317,7 @@ }, { /// Deploying AMBA custom policies. Note: These policies are pulled from AMBA remote repo (https://www.github.com/Azure/azure-monitor-baseline-alerts). See definition of deploymentUris.monitorPolicyDefinitions for more details - "condition": "[and(not(empty(parameters('singlePlatformSubscriptionId'))), equals(parameters('enableMonitorBaselines'), 'Yes'))]", + "condition": "[and(not(empty(parameters('singlePlatformSubscriptionId'))), or(equals(parameters('enableMonitorBaselines'), 'Yes'), equals(parameters('enableServiceHealth'), 'Yes')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2019-10-01", "name": "[variables('esLiteDeploymentNames').monitorPolicyLiteDeploymentName]", @@ -2355,46 +2355,46 @@ "value": "[variables('mgmtGroups').lzs]" }, "enableAMBAConnectivity": { - "value": "[parameters('enableMonitorConnectivity')]" + "value": "[if(and(equals(parameters('enableMonitorBaselines'), 'No'), equals(parameters('enableServiceHealth'), 'Yes')), 'No', parameters('enableMonitorConnectivity'))]" }, "enableAMBAIdentity": { - "value": "[parameters('enableMonitorIdentity')]" + "value": "[if(and(equals(parameters('enableMonitorBaselines'), 'No'), equals(parameters('enableServiceHealth'), 'Yes')), 'No', parameters('enableMonitorIdentity'))]" }, "enableAMBAManagement": { - "value": "[parameters('enableMonitorManagement')]" + "value": "[if(and(equals(parameters('enableMonitorBaselines'), 'No'), equals(parameters('enableServiceHealth'), 'Yes')), 'No', parameters('enableMonitorManagement'))]" }, "enableAMBAServiceHealth": { "value": "[parameters('enableServiceHealth')]" }, "enableAMBAHybridVM": { - "value": "[parameters('enableAMBAHybridVM')]" + "value": "[if(and(equals(parameters('enableMonitorBaselines'), 'No'), equals(parameters('enableServiceHealth'), 'Yes')), 'No', parameters('enableAMBAHybridVM'))]" }, "enableAMBAKeyManagement": { - "value": "[parameters('enableAMBAKeyManagement')]" + "value": "[if(and(equals(parameters('enableMonitorBaselines'), 'No'), equals(parameters('enableServiceHealth'), 'Yes')), 'No', parameters('enableAMBAKeyManagement'))]" }, "enableAMBALoadBalancing": { - "value": "[parameters('enableAMBALoadBalancing')]" + "value": "[if(and(equals(parameters('enableMonitorBaselines'), 'No'), equals(parameters('enableServiceHealth'), 'Yes')), 'No', parameters('enableAMBALoadBalancing'))]" }, "enableAMBANetworkChanges": { - "value": "[parameters('enableAMBANetworkChanges')]" + "value": "[if(and(equals(parameters('enableMonitorBaselines'), 'No'), equals(parameters('enableServiceHealth'), 'Yes')), 'No', parameters('enableAMBANetworkChanges'))]" }, "enableAMBARecoveryServices": { - "value": "[parameters('enableAMBARecoveryServices')]" + "value": "[if(and(equals(parameters('enableMonitorBaselines'), 'No'), equals(parameters('enableServiceHealth'), 'Yes')), 'No', parameters('enableAMBARecoveryServices'))]" }, "enableAMBAStorage": { - "value": "[parameters('enableAMBAStorage')]" + "value": "[if(and(equals(parameters('enableMonitorBaselines'), 'No'), equals(parameters('enableServiceHealth'), 'Yes')), 'No', parameters('enableAMBAStorage'))]" }, "enableAMBAVM": { - "value": "[parameters('enableAMBAVM')]" + "value": "[if(and(equals(parameters('enableMonitorBaselines'), 'No'), equals(parameters('enableServiceHealth'), 'Yes')), 'No', parameters('enableAMBAVM'))]" }, "enableAMBAWeb": { - "value": "[parameters('enableAMBAWeb')]" + "value": "[if(and(equals(parameters('enableMonitorBaselines'), 'No'), equals(parameters('enableServiceHealth'), 'Yes')), 'No', parameters('enableAMBAWeb'))]" }, "userAssignedManagedIdentityName": { "value": "[parameters('userAssignedManagedIdentityName')]" }, "ALZWebhookServiceUri": { - "value": "[array(parameters('ambaAgServiceHook'))]" + "value": "[if(empty(parameters('ambaAgServiceHook')), null(), array(parameters('ambaAgServiceHook')))]" }, "ALZArmRoleId": { "value": "[array(parameters('ambaAgArmRole'))]" @@ -2406,12 +2406,11 @@ "value": "[deployment().location]" }, "ALZMonitorActionGroupEmail": { - "value": "[array(parameters('ambaAgEmailContact'))]" + "value": "[if(empty(parameters('ambaAgEmailContact')), null(), array(parameters('ambaAgEmailContact')))]" }, "managementSubscriptionId": { "value": "[parameters('singlePlatformSubscriptionId')]" }, - "deployALZPortalAccelerator": { "value": "Yes" } From 599a8b7c60c048c41a3e9e3fc7470ad01a41eb62 Mon Sep 17 00:00:00 2001 From: Arjen Huitema Date: Tue, 24 Dec 2024 16:04:55 +0100 Subject: [PATCH 2/3] Update whats new --- docs/wiki/Whats-new.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/wiki/Whats-new.md b/docs/wiki/Whats-new.md index d88d9b5bb..885493e4c 100644 --- a/docs/wiki/Whats-new.md +++ b/docs/wiki/Whats-new.md @@ -55,6 +55,7 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones: #### Tooling - Updated the ***Baseline alerts and monitoring*** integration section in the portal accelerator to deploy the latest release of AMBA (2024-12-10). To read more on the changes, see the [What's new](https://aka.ms/amba/alz/whatsnew) page in the AMBA documentation. +- Resolved deployment issues related to Service Health alerts. Previously, Service Health was not deployed when selected unless Azure Monitor Baseline Alerts were also selected. ### November 2024 From 49bb6c55a9fd9ac5baffe65dce444db3fad4e012 Mon Sep 17 00:00:00 2001 From: Jack Tracey <41163455+jtracey93@users.noreply.github.com> Date: Tue, 28 Jan 2025 18:19:26 +0000 Subject: [PATCH 3/3] Update What's-new.md with resolved deployment issues --- docs/wiki/Whats-new.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/wiki/Whats-new.md b/docs/wiki/Whats-new.md index f029b0d8b..ec4fc8977 100644 --- a/docs/wiki/Whats-new.md +++ b/docs/wiki/Whats-new.md @@ -58,6 +58,7 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones: - Updated the ***Baseline alerts and monitoring*** integration section in the portal accelerator to deploy the latest release of AMBA (2025-01-10). To read more on the changes, see the [What's new](https://aka.ms/amba/alz/whatsnew) page in the AMBA documentation. - Added SQL Advanced Threat Protection status log to [dataCollectionRule-DefenderSQL.json](Enterprise-Scale/eslzArm/resourceGroupTemplates/dataCollectionRule-DefenderSQL.json) data collection rule. The logs allows identifying machines connected to the workspace with SQL ATP and the protection status on each instance on those machines and is used by MDfC Defender for SQL. +- Resolved deployment issues related to Service Health alerts. Previously, Service Health was not deployed when selected unless Azure Monitor Baseline Alerts were also selected. ### 🔃 Policy Refresh Q2 FY25 @@ -81,7 +82,6 @@ Here's what's changed in Enterprise Scale/Azure Landing Zones: #### Tooling - Updated the ***Baseline alerts and monitoring*** integration section in the portal accelerator to deploy the latest release of AMBA (2024-12-10). To read more on the changes, see the [What's new](https://aka.ms/amba/alz/whatsnew) page in the AMBA documentation. -- Resolved deployment issues related to Service Health alerts. Previously, Service Health was not deployed when selected unless Azure Monitor Baseline Alerts were also selected. ### November 2024