Azure Bicep Diagnostics Settings for Active Directory

Question


I am trying to create diagnostics settings using Bicep to export diagnostics from AAD to an Event Hub.

The part I am unsure of is the scope.

I am rewording my question as the first answer below and the comments are leading to many a dead end.

My Facade Bicep Code:

module diagnosticsAAD 'diagnosticSettingAAD.bicep' = [for ds in diagnosticSettingsAAD: {
  name: 'Diagnostics-${ds.diagnosticType}'
  scope: resourceGroup(ds.resourceSubId, ds.resourceRG)
  dependsOn: [eventHubs]
  params: {
    diagnosticName: ds.diagnosticName
    eventHubAuthorizationRuleId: ds.eventHubAuthorizationRuleId
    eventHubName: ds.eventHubName
    diagnosticType: ds.diagnosticType
    resourceName: ds.resourceName
    logs: ds.logs
    metrics: ds.metrics
  }
}]

The underlying Bicep Module:

@description('Diagnostic name')
param diagnosticName string

@description('Auth ID to allow diags to be saved to Event Hub')
param eventHubAuthorizationRuleId string
@description('Event Hub name')
param eventHubName string

@description('Type of Diagnostic we are trying to create')
@allowed(['Firewall', 'SQLServer', 'AAD'])
param diagnosticType string
@description('Name of Resource we are trying to place the diagnostic on')
param resourceName string

@description('Array of Diagnostic Logs')
param logs array
@description('Array of Diagnostic Metrics')
param metrics array

// Set up Logs
var diagnosticsLogConfig = [for category in logs: {
  category: category
  enabled: true
  retentionPolicy: {
    enabled: true
    days: 28
  }
}]

// Set Up Metrics
var diagnosticsMetricConfig = [for category in metrics: {
  category: category
  enabled: true
  retentionPolicy: {
    enabled: true
    days: 28
  }
}]
// ----------------------------------------------------------------

resource activeDir 'Microsoft.AzureActiveDirectory/b2cDirectories@2021-04-01' existing = {
  name: resourceName
}

// Create Diagnostics by Type
resource diagAADSetting 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (diagnosticType == 'AAD') {
  name: diagnosticName
  scope: activeDir
  properties: {
    eventHubAuthorizationRuleId: eventHubAuthorizationRuleId != null ? eventHubAuthorizationRuleId : null
    eventHubName: eventHubName != null ? eventHubName : null
    logs: diagnosticsLogConfig != null ? diagnosticsLogConfig : []
    metrics: diagnosticsMetricConfig != null ? diagnosticsMetricConfig : []
    logAnalyticsDestinationType: 'Dedicated'
  }
}

And finally the Json:

{
	"diagnosticSettingsAAD": {
		"value": [
			{
				"diagnosticType": "AAD",
				"diagnosticName": "my-diag",
				"resourceSubId": "123",				
				"resourceName": "AAD (Dev)",
				"resourceRG": "my-rg",			
				"eventHubName": "my-evh",
				"eventHubAuthorizationRuleId": "/subscriptions/123/resourcegroups/my-rg/providers/Microsoft.EventHub/namespaces/my-evhns/authorizationrules/RootManageSharedAccessKey",
				"logs": [
					"AuditLogs",
					"SignInLogs",
					"ManagedIdentitySignInLogs",
					"ProvisioningLogs"
				],
				"metrics": []					
			}		
		]
	}
}

and the error returned is:

The resource write operation failed to complete successfully, because it reached terminal provisioning state 'Failed'.\",\r\n    \"details\": [\r\n      {\r\n        \"code\": \"DeploymentFailed\",\r\n        \"target\": \"/subscriptions/123/resourceGroups/my-rg/providers/Microsoft.Resources/deployments/Diagnostics-AAD\",\r\n        \"message\": \"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.\",\r\n        \"details\": [\r\n          {\r\n            \"code\": \"ResourceNotFound\",\r\n            \"message\": \"The Resource 'Microsoft.AzureActiveDirectory/b2cDirectories/AAD (Dev)' under resource group 'my-rg' was not found.

It appears that it is scope, unless the message is a red herring. I have tried scope: tenant() and I get a compilation error in VS Code stating that it needs to be at resource group level.

Any suggestions would be appreciated
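Two things a practitioner usually wants before and after a deployment like this one: a lint of the parameter file (are the security-relevant Entra ID/AAD log categories present, is the Event Hub authorization rule a proper resource ID, and is the namespace root key being used where a narrower rule would do), and a way to dig the leaf error code out of the nested ARM error blob, which embeds the inner deployment error as escaped JSON text inside "message". The following Python is an added example, not code from the question or from Azure; the parameter entry and the error object are constructed to mirror the ones above, and the "required categories" set is this example's own choice for a SIEM feed, not a list from Azure documentation.

```python
"""Added example (not from the original question): pre-deployment lint of the
diagnosticSettingsAAD parameter file plus an unwrapper for nested ARM errors.
All sample data below is constructed to mirror the question."""
import json
import re

# Constructed sample: the parameter value from the question.
SAMPLE_PARAMS = {
    "diagnosticSettingsAAD": {
        "value": [
            {
                "diagnosticType": "AAD",
                "diagnosticName": "my-diag",
                "resourceSubId": "123",
                "resourceName": "AAD (Dev)",
                "resourceRG": "my-rg",
                "eventHubName": "my-evh",
                "eventHubAuthorizationRuleId": "/subscriptions/123/resourcegroups/my-rg/providers/Microsoft.EventHub/namespaces/my-evhns/authorizationrules/RootManageSharedAccessKey",
                "logs": ["AuditLogs", "SignInLogs", "ManagedIdentitySignInLogs", "ProvisioningLogs"],
                "metrics": [],
            }
        ]
    }
}

# Constructed sample: an ARM error shaped like the one in the question. ARM
# nests the inner deployment error as escaped JSON text inside "message".
SAMPLE_ERROR = {
    "code": "DeploymentFailed",
    "message": "At least one resource deployment operation failed.",
    "details": [
        {
            "code": "ResourceDeploymentFailure",
            "message": json.dumps({
                "status": "Failed",
                "error": {
                    "code": "DeploymentFailed",
                    "target": "/subscriptions/123/resourceGroups/my-rg/providers/Microsoft.Resources/deployments/Diagnostics-AAD",
                    "message": "At least one resource deployment operation failed.",
                    "details": [
                        {
                            "code": "ResourceNotFound",
                            "message": "The Resource 'Microsoft.AzureActiveDirectory/b2cDirectories/AAD (Dev)' under resource group 'my-rg' was not found.",
                        }
                    ],
                },
            }),
        }
    ],
}

# Categories this example insists on for an AAD export to a SIEM (assumption
# of this example, not a list taken from Azure documentation).
REQUIRED_AAD_LOGS = {"AuditLogs", "SignInLogs"}

# Shape of an Event Hubs authorization-rule resource ID (case-insensitive,
# since ARM IDs are compared that way and the question mixes cases).
AUTH_RULE_RE = re.compile(
    r"^/subscriptions/[^/]+/resourcegroups/[^/]+/providers/microsoft\.eventhub/"
    r"namespaces/[^/]+/authorizationrules/[^/]+$",
    re.IGNORECASE,
)


def lint_diag_settings(params):
    """Return a list of 'ERROR ...' / 'WARN ...' findings; empty means clean."""
    findings = []
    for i, ds in enumerate(params["diagnosticSettingsAAD"]["value"]):
        where = f"entry[{i}] '{ds.get('diagnosticName', '?')}'"
        missing = REQUIRED_AAD_LOGS - set(ds.get("logs", []))
        if ds.get("diagnosticType") == "AAD" and missing:
            findings.append(f"ERROR {where}: missing log categories {sorted(missing)}")
        rule = ds.get("eventHubAuthorizationRuleId", "")
        if not AUTH_RULE_RE.match(rule):
            findings.append(f"ERROR {where}: eventHubAuthorizationRuleId is not an "
                            "Event Hubs authorization-rule resource ID")
        elif rule.rsplit("/", 1)[-1].lower() == "rootmanagesharedaccesskey":
            # The namespace root rule carries Manage, Send and Listen rights;
            # a dedicated rule limits what a leaked connection string grants.
            findings.append(f"WARN {where}: namespace root key RootManageSharedAccessKey used; "
                            "prefer a dedicated rule with only the rights the export needs")
        if not ds.get("eventHubName"):
            findings.append(f"ERROR {where}: eventHubName is empty")
    return findings


def innermost_error(err):
    """Follow 'details' and JSON embedded in 'message' down to the leaf error."""
    details = err.get("details") or []
    if details:
        return innermost_error(details[0])
    msg = err.get("message", "")
    if isinstance(msg, str) and msg.lstrip().startswith("{"):
        try:
            embedded = json.loads(msg)
            if isinstance(embedded, dict) and isinstance(embedded.get("error"), dict):
                return innermost_error(embedded["error"])
        except json.JSONDecodeError:
            pass
    return err.get("code"), err.get("message")


if __name__ == "__main__":
    for finding in lint_diag_settings(SAMPLE_PARAMS):
        print(finding)
    print(innermost_error(SAMPLE_ERROR))
```

Running the lint over the question's own parameter entry yields a single warning about the root key; the unwrapper returns the leaf ("ResourceNotFound", ...) pair, which is the message that actually explains the failure and points at the scope lookup rather than at the diagnostic setting itself.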

Answer 1

Score: 0

To obtain the scope of the resource, you can use the resourceId() function in Bicep by giving the resource Name, provider, resource Type, etc. as detailed in the given MS Doc.

scope:resourceId('Microsoft.AzureActiveDirectory/b2cDirectories', <resource>)

After adding the required scope, your code modified as below:

resource diagAADSetting 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (diagnosticType == 'AAD') 
{ 
  name: diagnosticName  
  scope: resourceId('Microsoft.AzureActiveDirectory/b2cDirectories', resourceName)  
  properties: 
  { 
    eventHubAuthorizationRuleId: eventHubAuthorizationRuleId != null ? eventHubAuthorizationRuleId : null  
    eventHubName: eventHubName != null ? eventHubName : null  
    logs: diagnosticsLogConfig != null ? diagnosticsLogConfig : [] 
    metrics: diagnosticsMetricConfig != null ? diagnosticsMetricConfig : [] 
    logAnalyticsDestinationType: 'Dedicated' 
  } 
}

I ran the sample template with the scope parameter and was successfully deployed.


Answer 2

Score: 0


In the end I used the following code as we aren't using b2c as per code originally supplied by Jahnavi.

resource aadDiagnosticSetttings 'microsoft.aadiam/diagnosticSettings@2017-04-01' = if(diagnosticType == 'AAD') {
  name: diagnosticName
  scope: tenant()
  properties: {
    eventHubAuthorizationRuleId: eventHubAuthorizationRuleId != null ? eventHubAuthorizationRuleId : null  
    eventHubName: eventHubName != null ? eventHubName : null  
    logs: diagnosticsLogConfig != null ? diagnosticsLogConfig : [] 
  }
}

huangapple
  • Posted by huangapple on 2023-05-25 19:24:09
  • Please keep this link when reposting: https://go.coder-hub.com/76331743.html