Improvement for Policy: Audit diagnostic setting #41
Comments
@SenthuranSivananthan can you be more specific? This is already enabled in the script and can be utilized today to turn metrics off (it is by default) while turning logs on, vice versa. This is also useful for enabling and disabling the configuration on demand across the environment (by also leveraging the remediation script I have for Policy Initiatives in this repo). See below the snip from an exported policy generated from the script that provides both metrics and logs to be independently toggled.

```json
"metricsEnabled": {
  "type": "String",
  "metadata": {
    "displayName": "Enable Metrics",
    "description": "Enable Metrics - True or False"
  },
  "allowedValues": [
    "True",
    "False"
  ],
  "defaultValue": "False"
},
"logsEnabled": {
  "type": "String",
  "metadata": {
    "displayName": "Enable Logs",
    "description": "Enable Logs - True or False"
  },
  "allowedValues": [
    "True",
    "False"
  ],
  "defaultValue": "True"
}
```

Related to the subject of the issue on Audit, I plan on looking at implementing auditIfNotExists as a parameter along with deployIfNotExists and Disable (essentially making them parameters for effect) but not until I get the latest PR merged and released.
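An added example (not part of the thread and not code from the repository's script): a Python check that resolves an assignment's values against the two parameters in the exported snippet above and lists what a reviewer would question. The function names, the exact-match handling of `allowedValues` and the sample assignments are assumptions of this example.

```python
import json

# Parameter block from the exported policy snippet in the comment above
# (metadata omitted; it does not affect validation).
POLICY_PARAMETERS = json.loads("""
{
  "metricsEnabled": {"type": "String", "allowedValues": ["True", "False"], "defaultValue": "False"},
  "logsEnabled": {"type": "String", "allowedValues": ["True", "False"], "defaultValue": "True"}
}
""")


def resolve_parameters(definition, assignment_values):
    """Return effective parameter values for an assignment, or raise ValueError."""
    unknown = sorted(set(assignment_values) - set(definition))
    if unknown:
        raise ValueError(f"parameters not in the definition: {unknown}")
    effective = {}
    for name, spec in definition.items():
        # Fall back to the definition's defaultValue when the assignment is silent.
        value = assignment_values.get(name, spec.get("defaultValue"))
        # The toggles are typed String, so a JSON boolean true/false is a type error.
        if spec["type"] == "String" and not isinstance(value, str):
            raise ValueError(f"{name}: expected a string, got {value!r}")
        # Assumption of this example: allowedValues is matched exactly.
        if "allowedValues" in spec and value not in spec["allowedValues"]:
            raise ValueError(f"{name}: {value!r} not in {spec['allowedValues']}")
        effective[name] = value
    return effective


def review_assignment(assignment_values, definition=POLICY_PARAMETERS):
    """Resolve an assignment and list findings a reviewer would raise."""
    effective = resolve_parameters(definition, assignment_values)
    findings = []
    if effective["metricsEnabled"] == "True":
        findings.append("metrics are forwarded to the sink (ingestion cost and latency)")
    if effective["logsEnabled"] == "False":
        findings.append("logs are not forwarded, so resource logs will not reach the sink")
    return effective, findings


if __name__ == "__main__":
    # Constructed sample assignments, not taken from a real environment.
    for sample in ({}, {"metricsEnabled": "True"}, {"logsEnabled": "False"}):
        print(sample, "->", review_assignment(sample))
```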
Thanks for the chat yesterday @JimGBritt. I think I opened this issue in the wrong repo given it's a built-in policy. I've copied the details to Azure/azure-policy#870 so that the Azure Policy engineering team can evaluate the change. Given this will have a cascading impact to initiatives as well.
This policy doesn't allow for customizing the type of diagnostic information to send to a sink like Log Analytics Workspace. It assumes that `metrics` & `logs` will always be forwarded. Unfortunately, my customers don't push metrics to LAW due to ingestion latency and cost implications. We leverage Azure Monitor Metrics for all metrics.

Recommendation

Add two parameters: `LogsEnabled` and `MetricsEnabled` so that we can set the correct type of data to be forwarded during assignment. Assignment can be either of the policy or the initiative that uses this policy.

This policy is used by initiatives such as Canada Federal PBMM and HITRUST/HIPAA.

Current Policy Definition