Enhancement: Policy Refresh H2 FY24 (#785)

* Added UMI resource * Add data collection rule * Update vm insights dcr name * Add change tracking DCR * Add MDFC for SQL data collection rule * Remove legacy solutions * Change DCR default names * Update Policy Library (automated) * Update Policy Library (automated) * Update Policy Library (automated) * Update Policy Library (automated) * Update policy and policy set definition variables * Update superseded definition for mdfcconfig * Add enforce_backup assignment and deployment * Replace custom diag intiative with built-in * Added missing endpoint for using machine learning with private dns zones * Update policy assignments api version to 2024-04-01 * Add policy assignment for trusted launch initiative * Supersede Deploy-EncryptTransit with Deploy-EncryptTransit_20240509 * Added MD Endpoints AMA initiative and assignment * Update Policy Library (automated) * Cleanup param files of old workspace solutions * Generate Parameter Markdowns [oZakari/56e2292c] * Remove resource lock for umi * Generate Parameter Markdowns [oZakari/56e2292c] * Configure change tracking assignments * Add VM insights policy assignments * Add AUM-CheckUpdates enforce policy assignment * Add assignment for mdfc-sql-ama * Generate Parameter Markdowns [oZakari/56e2292c] * Update Policy Library (automated) * Remove additional unneeded LAW solutions * Change UAMI API to GA version * Generate Parameter Markdowns [oZakari/56e2292c] * Update infra-as-code/bicep/modules/logging/logging.bicep Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com> * Update infra-as-code/bicep/modules/logging/logging.bicep Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com> * Update infra-as-code/bicep/modules/logging/logging.bicep Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com> * Update VM, VMSS, and ArcVM monitoring assignments to align to enterprise-scale * Add new AMA related resource IDs to accelerator config * Add ama resource outputs and update documentation * Generate Parameter Markdowns [oZakari/56e2292c] * Update infra-as-code/bicep/modules/policy/assignments/alzDefaults/alzDefaultPolicyAssignments.bicep Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com> * Match policy assignment api version to match the version referenced in module for consistency * Added policy assignment to block deletion of UAMI * Update Policy Library (automated) * update to align to .txt file output * output typo * add outputs for UAMI * Generate Parameter Markdowns [jtracey93/56e2292c] * align to txt file --------- Co-authored-by: Zach Trocinski <ztrocinski@outlook.com> Co-authored-by: github-actions <action@github.com> Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Zach Trocinski <30884663+oZakari@users.noreply.github.com> Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com>
Azure · Jun 20, 2024 · 925a4ef · 925a4ef
1 parent 56e2292
commit 925a4ef
Show file tree

Hide file tree

Showing 246 changed files with 20,107 additions and 2,081 deletions.
diff --git a/accelerator/.config/ALZ-Powershell.config.json b/accelerator/.config/ALZ-Powershell.config.json
@@ -457,6 +457,46 @@
         }
       ]
     },
+    "DataCollectionRuleVMInsightsResourceId": {
+      "Type": "Computed",
+      "Value": "/subscriptions/{%ManagementSubscriptionId%}/resourcegroups/rg-{%Prefix%}-logging/providers/Microsoft.Insights/dataCollectionRules/alz-ama-vmi-dcr",
+      "Targets": [
+        {
+          "Name": "parDataCollectionRuleVMInsightsResourceId.value",
+          "Destination": "Parameters"
+        }
+      ]
+    },
+    "DataCollectionRuleChangeTrackingResourceId": {
+      "Type": "Computed",
+      "Value": "/subscriptions/{%ManagementSubscriptionId%}/resourcegroups/rg-{%Prefix%}-logging/providers/Microsoft.Insights/dataCollectionRules/alz-ama-ct-dcr",
+      "Targets": [
+        {
+          "Name": "parDataCollectionRuleChangeTrackingResourceId.value",
+          "Destination": "Parameters"
+        }
+      ]
+    },
+    "DataCollectionRuleMDFCSQLResourceId": {
+      "Type": "Computed",
+      "Value": "/subscriptions/{%ManagementSubscriptionId%}/resourcegroups/rg-{%Prefix%}-logging/providers/Microsoft.Insights/dataCollectionRules/ama-mdfcsql-default-dcr",
+      "Targets": [
+        {
+          "Name": "parDataCollectionRuleMDFCSQLResourceId.value",
+          "Destination": "Parameters"
+        }
+      ]
+    },
+    "UserAssignedManagedIdentityResourceId": {
+      "Type": "Computed",
+      "Value": "/subscriptions/{%ManagementSubscriptionId%}/resourcegroups/rg-{%Prefix%}-logging/providers/Microsoft.ManagedIdentity/userAssignedIdentities/alz-umi-identity",
+      "Targets": [
+        {
+          "Name": "parUserAssignedManagedIdentityResourceId.value",
+          "Destination": "Parameters"
+        }
+      ]
+    },
     "DdosPretectionPlanId": {
       "Type": "Computed",
       "Value": "/subscriptions/{%ConnectivitySubscriptionId%}/resourceGroups/rg-{%Prefix%}-connectivity/providers/Microsoft.Network/ddosProtectionPlans/alz-ddos-plan",

diff --git a/infra-as-code/bicep/modules/logging/README.md b/infra-as-code/bicep/modules/logging/README.md
@@ -4,18 +4,11 @@ Deploys Azure Log Analytics Workspace, Automation Account (linked together) & mu
 
 Automation Account will be linked to Log Analytics Workspace to provide integration for Update Management, Change Tracking and Inventory, and Start/Stop VMs during off-hours for your servers and virtual machines.  Only one mapping can exist between Log Analytics Workspace and Automation Account.
 
+We provision several data collection rules (VM Insights, Change Tracking, and Defender for SQL) as well as a user-assigned managed identity (UAMI). These resources are utilized in tandem with various policies as part of deploying the Azure Monitor Agent (AMA).
+
 The module will deploy the following Log Analytics Workspace solutions by default.  Solutions can be customized as required:
 
-- AgentHealthAssessment
-- AntiMalware
-- ChangeTracking
-- Security
 - SecurityInsights (Azure Sentinel)
-- SQLAdvancedThreatProtection
-- SQLVulnerabilityAssessment
-- SQLAssessment
-- Updates
-- VMInsights
 
  > Only certain regions are supported to link Log Analytics Workspace & Automation Account together (linked workspaces). Reference:  [Supported regions for linked Log Analytics workspace](https://learn.microsoft.com/azure/automation/how-to/region-mappings)
 
@@ -115,7 +108,9 @@ New-AzResourceGroup `
 
 New-AzResourceGroupDeployment @inputObject
 ```
+
 OR
+
 ```powershell
 # For Azure China regions
 # Set Platform management subscripion ID as the the current subscription

diff --git a/infra-as-code/bicep/modules/logging/generateddocs/logging.bicep.md b/infra-as-code/bicep/modules/logging/generateddocs/logging.bicep.md
@@ -9,12 +9,20 @@ Parameter name | Required | Description
 parGlobalResourceLock | No       | Global Resource Lock Configuration used for all resources deployed in this module.  - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock.  
 parLogAnalyticsWorkspaceName | No       | Log Analytics Workspace name.
 parLogAnalyticsWorkspaceLocation | No       | Log Analytics region name - Ensure the regions selected is a supported mapping as per: https://docs.microsoft.com/azure/automation/how-to/region-mappings.
+parDataCollectionRuleVMInsightsName | No       | VM Insights Data Collection Rule name for AMA integration.
+parDataCollectionRuleVMInsightsLock | No       | Resource Lock Configuration for VM Insights Data Collection Rule.  - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock.  
+parDataCollectionRuleChangeTrackingName | No       | Change Tracking Data Collection Rule name for AMA integration.
+parDataCollectionRuleChangeTrackingLock | No       | Resource Lock Configuration for Change Tracking Data Collection Rule.  - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock.  
+parDataCollectionRuleMDFCSQLName | No       | MDFC for SQL Data Collection Rule name for AMA integration.
+parDataCollectionRuleMDFCSQLLock | No       | Resource Lock Configuration for MDFC Defender for SQL Data Collection Rule.  - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock.  
 parLogAnalyticsWorkspaceSkuName | No       | Log Analytics Workspace sku name.
 parLogAnalyticsWorkspaceCapacityReservationLevel | No       | Log Analytics Workspace Capacity Reservation Level. Only used if parLogAnalyticsWorkspaceSkuName is set to CapacityReservation.
 parLogAnalyticsWorkspaceLogRetentionInDays | No       | Number of days of log retention for Log Analytics Workspace.
 parLogAnalyticsWorkspaceLock | No       | Resource Lock Configuration for Log Analytics Workspace.  - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock.  
 parLogAnalyticsWorkspaceSolutions | No       | Solutions that will be added to the Log Analytics Workspace.
 parLogAnalyticsWorkspaceSolutionsLock | No       | Resource Lock Configuration for Log Analytics Workspace Solutions.  - `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None. - `notes` - Notes about this lock.  
+parUserAssignedManagedIdentityName | No       | Name of the User Assigned Managed Identity required for authenticating Azure Monitoring Agent to Azure.
+parUserAssignedManagedIdentityLocation | No       | User Assigned Managed Identity location.
 parLogAnalyticsWorkspaceLinkAutomationAccount | No       | Log Analytics Workspace should be linked with the automation account.
 parAutomationAccountName | No       | Automation account name.
 parAutomationAccountLocation | No       | Automation Account region name. - Ensure the regions selected is a supported mapping as per: https://docs.microsoft.com/azure/automation/how-to/region-mappings.
@@ -57,6 +65,69 @@ Log Analytics region name - Ensure the regions selected is a supported mapping a
 
 - Default value: `[resourceGroup().location]`
 
+### parDataCollectionRuleVMInsightsName
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+VM Insights Data Collection Rule name for AMA integration.
+
+- Default value: `alz-ama-vmi-dcr`
+
+### parDataCollectionRuleVMInsightsLock
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Resource Lock Configuration for VM Insights Data Collection Rule.
+
+- `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None.
+- `notes` - Notes about this lock.
+
+
+
+- Default value: `@{kind=None; notes=This lock was created by the ALZ Bicep Logging Module.}`
+
+### parDataCollectionRuleChangeTrackingName
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Change Tracking Data Collection Rule name for AMA integration.
+
+- Default value: `alz-ama-ct-dcr`
+
+### parDataCollectionRuleChangeTrackingLock
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Resource Lock Configuration for Change Tracking Data Collection Rule.
+
+- `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None.
+- `notes` - Notes about this lock.
+
+
+
+- Default value: `@{kind=None; notes=This lock was created by the ALZ Bicep Logging Module.}`
+
+### parDataCollectionRuleMDFCSQLName
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+MDFC for SQL Data Collection Rule name for AMA integration.
+
+- Default value: `alz-ama-mdfcsql-dcr`
+
+### parDataCollectionRuleMDFCSQLLock
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Resource Lock Configuration for MDFC Defender for SQL Data Collection Rule.
+
+- `kind` - The lock settings of the service which can be CanNotDelete, ReadOnly, or None.
+- `notes` - Notes about this lock.
+
+
+
+- Default value: `@{kind=None; notes=This lock was created by the ALZ Bicep Logging Module.}`
+
 ### parLogAnalyticsWorkspaceSkuName
 
 ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
@@ -104,9 +175,9 @@ Resource Lock Configuration for Log Analytics Workspace.
 
 Solutions that will be added to the Log Analytics Workspace.
 
-- Default value: `AgentHealthAssessment AntiMalware ChangeTracking Security SecurityInsights SQLAdvancedThreatProtection SQLVulnerabilityAssessment SQLAssessment Updates VMInsights`
+- Default value: `SecurityInsights`
 
-- Allowed values: `AgentHealthAssessment`, `AntiMalware`, `ChangeTracking`, `Security`, `SecurityInsights`, `ServiceMap`, `SQLAdvancedThreatProtection`, `SQLVulnerabilityAssessment`, `SQLAssessment`, `Updates`, `VMInsights`
+- Allowed values: `SecurityInsights`
 
 ### parLogAnalyticsWorkspaceSolutionsLock
 
@@ -121,6 +192,22 @@ Resource Lock Configuration for Log Analytics Workspace Solutions.
 
 - Default value: `@{kind=None; notes=This lock was created by the ALZ Bicep Logging Module.}`
 
+### parUserAssignedManagedIdentityName
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+Name of the User Assigned Managed Identity required for authenticating Azure Monitoring Agent to Azure.
+
+- Default value: `alz-logging-mi`
+
+### parUserAssignedManagedIdentityLocation
+
+![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
+
+User Assigned Managed Identity location.
+
+- Default value: `[resourceGroup().location]`
+
 ### parLogAnalyticsWorkspaceLinkAutomationAccount
 
 ![Parameter Setting](https://img.shields.io/badge/parameter-optional-green?style=flat-square)
@@ -224,6 +311,14 @@ Set Parameter to true to Opt-out of deployment telemetry
 
 Name | Type | Description
 ---- | ---- | -----------
+outUserAssignedManagedIdentityId | string |
+outUserAssignedManagedIdentityPrincipalId | string |
+outDataCollectionRuleVMInsightsName | string |
+outDataCollectionRuleVMInsightsId | string |
+outDataCollectionRuleChangeTrackingName | string |
+outDataCollectionRuleChangeTrackingId | string |
+outDataCollectionRuleMDFCSQLName | string |
+outDataCollectionRuleMDFCSQLId | string |
 outLogAnalyticsWorkspaceName | string |
 outLogAnalyticsWorkspaceId | string |
 outLogAnalyticsCustomerId | string |
@@ -255,6 +350,33 @@ outAutomationAccountId | string |
         "parLogAnalyticsWorkspaceLocation": {
             "value": "[resourceGroup().location]"
         },
+        "parDataCollectionRuleVMInsightsName": {
+            "value": "alz-ama-vmi-dcr"
+        },
+        "parDataCollectionRuleVMInsightsLock": {
+            "value": {
+                "kind": "None",
+                "notes": "This lock was created by the ALZ Bicep Logging Module."
+            }
+        },
+        "parDataCollectionRuleChangeTrackingName": {
+            "value": "alz-ama-ct-dcr"
+        },
+        "parDataCollectionRuleChangeTrackingLock": {
+            "value": {
+                "kind": "None",
+                "notes": "This lock was created by the ALZ Bicep Logging Module."
+            }
+        },
+        "parDataCollectionRuleMDFCSQLName": {
+            "value": "alz-ama-mdfcsql-dcr"
+        },
+        "parDataCollectionRuleMDFCSQLLock": {
+            "value": {
+                "kind": "None",
+                "notes": "This lock was created by the ALZ Bicep Logging Module."
+            }
+        },
         "parLogAnalyticsWorkspaceSkuName": {
             "value": "PerGB2018"
         },
@@ -272,16 +394,7 @@ outAutomationAccountId | string |
         },
         "parLogAnalyticsWorkspaceSolutions": {
             "value": [
-                "AgentHealthAssessment",
-                "AntiMalware",
-                "ChangeTracking",
-                "Security",
-                "SecurityInsights",
-                "SQLAdvancedThreatProtection",
-                "SQLVulnerabilityAssessment",
-                "SQLAssessment",
-                "Updates",
-                "VMInsights"
+                "SecurityInsights"
             ]
         },
         "parLogAnalyticsWorkspaceSolutionsLock": {
@@ -290,6 +403,12 @@ outAutomationAccountId | string |
                 "notes": "This lock was created by the ALZ Bicep Logging Module."
             }
         },
+        "parUserAssignedManagedIdentityName": {
+            "value": "alz-logging-mi"
+        },
+        "parUserAssignedManagedIdentityLocation": {
+            "value": "[resourceGroup().location]"
+        },
         "parLogAnalyticsWorkspaceLinkAutomationAccount": {
             "value": true
         },