Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Alias request: "Microsoft.Web/sites/eligibleLogCategories" #1395

Open
mortenlerudjordet opened this issue Oct 21, 2024 · 1 comment
Open

Alias request: "Microsoft.Web/sites/eligibleLogCategories" #1395

mortenlerudjordet opened this issue Oct 21, 2024 · 1 comment

Comments

@mortenlerudjordet
Copy link

mortenlerudjordet commented Oct 21, 2024
edited
Loading

Scenario
Dynamically find supported log category for all types of web apps as these are different depending on windows,linux and container.
Code tries to show a concept of how to activate only supported logs on a given web app type.

"resources": [
  {
	"type": "Microsoft.Web/sites/providers/diagnosticSettings",
	"apiVersion": "2021-05-01-preview",
	"name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
	"location": "[parameters('location')]",
	"dependsOn": [],
	"properties": {
	  "workspaceId": "[parameters('logAnalytics')]",
	  "metrics": [
		{
		  "category": "AllMetrics",
		  "timeGrain": null,
		  "enabled": "[parameters('metricsEnabled')]",
		  "retentionPolicy": {
			"days": 0,
			"enabled": false
		  }
		}
	  ],
	  "copy": [
		{
			"name": "logs",
			"count": "[length(parameters('resourceLogCategories'))]",
			"input": {
				"category": "[parameters('resourceLogCategories')[copyIndex('logs')]]",
				"enabled": "[or(contains(parameters('logsEnabled'),parameters('resourceLogCategories')[copyIndex('logs')]),contains(parameters('logsEnabled'), 'AllLogs'))]"
			}
		}
	  ]
	}
  }
],
"outputs": {
  "policy": {
	"type": "string",
	"value": "[concat('Diagnostic setting name: ', parameters('profileName'), ', resourceName: ', parameters('resourceName'), ' to Log Analytics: ', parameters('logAnalytics'), ' configured')]"
  }
}
},
"parameters": {
"resourceLogCategories": {
  "value": "[split(field('Microsoft.Web/sites/eligibleLogCategories'),',')]"
}

Compliance logic:

{
    "details": {
        "type": "Microsoft.Insights/diagnosticSettings",
        "evaluationDelay": "[parameters('evaluationDelay')]",
        "roleDefinitionIds": [
            "/providers/microsoft.authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/microsoft.authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
        ],
        "existenceCondition": {
            "allOf": [
                {
                    "field": "name",
                    "equals": "[parameters('profileName')]"
                },
                {
                    "count": {
                        "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
                        "where": {
                            "allOf": [
                                {
                                    "value": "[current('Microsoft.Insights/diagnosticSettings/logs[*].enabled')]",
                                    "equals": "True"
                                },
                                {
                                    "value": "[current('Microsoft.Insights/diagnosticSettings/logs[*].category')]",
                                    "in": "[if(contains(parameters('logsEnabled'), 'AllLogs'),split(field('Microsoft.Web/sites/eligibleLogCategories),',')), intersection(parameters('logsEnabled'),split(field('Microsoft.Web/sites/eligibleLogCategories),',')))]"
                                }
                            ]
                        }
                    },
                    "equals": "[if(contains(array(parameters('logsEnabled')), 'AllLogs'), length(split(field('Microsoft.Web/sites/eligibleLogCategories),','))), length(intersection(array(array(parameters('logsEnabled'))),split(field('Microsoft.Web/sites/eligibleLogCategories),','))))]"
                },
                {
                    "field": "Microsoft.Insights/diagnosticSettings/metrics.enabled",
                    "equals": "[parameters('metricsEnabled')]"
                },
                {
                    "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                    "matchInsensitively": "[parameters('logAnalytics')]"
                }
            ]
        }
    }
}

Log parameter:

    "logsEnabled": {
      "type": "array",
      "metadata": {
        "displayName": "Logs to enable",
        "description": "Name of logs to enable for web app, supports multiple selections. Use syntax: AppServiceHTTPLogs;AppServiceAppLogs or just AllLogs"
      },
      "allowedValues": [
        "AllLogs",
        "AppServiceConsoleLogs",
        "AppServiceHTTPLogs",
        "AppServiceEnvironmentPlatformLogs",
        "AppServiceAuditLogs",
        "AppServiceFileAuditLogs",
        "AppServiceAppLogs",
        "AppServiceIPSecAuditLogs",
        "AppServicePlatformLogs",
        "AppServiceAntivirusScanAuditLogs"
      ],
      "defaultValue": ["AllLogs"]
    }
@mortenlerudjordet
Copy link
Author

mortenlerudjordet commented Oct 25, 2024
edited
Loading

The requested value can be retireved inside the template, though for compliancy to report correctly for the different kinds of web apps one needs to have the field('Microsoft.Web/sites/eligibleLogCategories) available in existenceCondition to have a robust way of making sure the correct chosen logs are active.

The following code works for dynamically activating the suported log categories on a given web app.
One note, for some web apps eligibleLogCategories contains invalid categories, before using the content of the parameter one needs to strip these out. Example is the value ScanLogs, as from the code below can be seen stripped out before using.

Code:

"resources": [
{
  "type": "Microsoft.Resources/deployments",
  "apiVersion": "2024-03-01",
  "name": "diag_web_app_parent",
  "properties": {
	"mode": "Incremental",
	"expressionEvaluationOptions": {
	  "scope": "inner"
	},
	"parameters": {
	  "resourceLogCategories": {
		"value": "[split(replace(reference(resourceId('Microsoft.Web/sites', parameters('resourceName')),'2022-09-01').eligibleLogCategories, ',ScanLogs', ''),',')]"
	  },
	  "profileName": {
		"value": "[parameters('profileName')]"
	  },
	  "logAnalytics": {
		"value": "[parameters('logAnalytics')]"
	  },
	  "metricsEnabled": {
		"value": "[parameters('metricsEnabled')]"
	  },
	  "logsEnabled": {
		"value": "[parameters('logsEnabled')]"
	  },
	  "location": {
		"value": "[parameters('location')]"
	  },
	  "resourceName": {
		"value": "[parameters('resourceName')]"
	  }
	},
	"template": {
	  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
	  "contentVersion": "1.0.0.0",
	  "parameters": {
		"resourceLogCategories": {
		  "type": "array"
		},
		"profileName": {
		  "type": "string"
		},
		"resourceName": {
		  "type": "string"
		},
		"logAnalytics": {
		  "type": "string"
		},
		"metricsEnabled": {
		  "type": "string"
		},
		"logsEnabled": {
		  "type": "array"
		},
		"location": {
		  "type": "string"
		}
	  },
	  "resources": [
		{
		  "type": "Microsoft.Web/sites/providers/diagnosticSettings",
		  "apiVersion": "2021-05-01-preview",
		  "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
		  "location": "[parameters('location')]",
		  "dependsOn": [],
		  "properties": {
			"workspaceId": "[parameters('logAnalytics')]",
			"metrics": [
			  {
				"category": "AllMetrics",
				"timeGrain": null,
				"enabled": "[parameters('metricsEnabled')]",
				"retentionPolicy": {
				  "days": 0,
				  "enabled": false
				}
			  }
			],
			"copy": [
			  {
				"name": "logs",
				"count": "[length(parameters('resourceLogCategories'))]",
				"input": {
				  "category": "[parameters('resourceLogCategories')[copyIndex('logs')]]",
				  "enabled": "[or(contains(parameters('logsEnabled'),parameters('resourceLogCategories')[copyIndex('logs')]),contains(parameters('logsEnabled'),'AllLogs'))]"
				}
			  }
			]
		  }
		}
	  ]
	}
  }
}
]

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@mortenlerudjordet