Azure Bicep Diagnostics Settings for Active Directory
Question
I am trying to create diagnostics settings using Bicep to export diagnostics from AAD to an Event Hub.
The part I am unsure of is the scope.
I am rewording my question as the first answer below and comments is leading to many a dead end.
My Facade Bicep Code:
module diagnosticsAAD 'diagnosticSettingAAD.bicep' = [for ds in diagnosticSettingsAAD: {
  name: 'Diagnostics-${ds.diagnosticType}'
  scope: resourceGroup(ds.resourceSubId, ds.resourceRG)
  dependsOn: [eventHubs]
  params: {
    diagnosticName: ds.diagnosticName
    eventHubAuthorizationRuleId: ds.eventHubAuthorizationRuleId
    eventHubName: ds.eventHubName
    diagnosticType: ds.diagnosticType
    resourceName: ds.resourceName
    logs: ds.logs
    metrics: ds.metrics
  }
}]
The underlying Bicep Module:
@description('Diagnostic name')
param diagnosticName string

@description('Auth ID to allow diags to be saved to Event Hub')
param eventHubAuthorizationRuleId string

@description('Event Hub name')
param eventHubName string

@description('Type of Diagnostic we are trying to create')
@allowed(['Firewall', 'SQLServer', 'AAD'])
param diagnosticType string

@description('Name of Resource we are trying to place the diagnostic on')
param resourceName string

@description('Array of Diagnostic Logs')
param logs array

@description('Array of Diagnostic Metrics')
param metrics array

// Set up Logs
var diagnosticsLogConfig = [for category in logs: {
  category: category
  enabled: true
  retentionPolicy: {
    enabled: true
    days: 28
  }
}]

// Set Up Metrics
var diagnosticsMetricConfig = [for category in metrics: {
  category: category
  enabled: true
  retentionPolicy: {
    enabled: true
    days: 28
  }
}]

// ----------------------------------------------------------------
resource activeDir 'Microsoft.AzureActiveDirectory/b2cDirectories@2021-04-01' existing = {
  name: resourceName
}

// Create Diagnostics by Type
resource diagAADSetting 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (diagnosticType == 'AAD') {
  name: diagnosticName
  scope: activeDir
  properties: {
    eventHubAuthorizationRuleId: eventHubAuthorizationRuleId != null ? eventHubAuthorizationRuleId : null
    eventHubName: eventHubName != null ? eventHubName : null
    logs: diagnosticsLogConfig != null ? diagnosticsLogConfig : []
    metrics: diagnosticsMetricConfig != null ? diagnosticsMetricConfig : []
    logAnalyticsDestinationType: 'Dedicated'
  }
}
And finally the JSON:
{
  "diagnosticSettingsAAD": {
    "value": [
      {
        "diagnosticType": "AAD",
        "diagnosticName": "my-diag",
        "resourceSubId": "123",
        "resourceName": "AAD (Dev)",
        "resourceRG": "my-rg",
        "eventHubName": "my-evh",
        "eventHubAuthorizationRuleId": "/subscriptions/123/resourcegroups/my-rg/providers/Microsoft.EventHub/namespaces/my-evhns/authorizationrules/RootManageSharedAccessKey",
        "logs": [
          "AuditLogs",
          "SignInLogs",
          "ManagedIdentitySignInLogs",
          "ProvisioningLogs"
        ],
        "metrics": []
      }
    ]
  }
}
and the error returned is:
The resource write operation failed to complete successfully, because it reached terminal provisioning state 'Failed'.\",\r\n \"details\": [\r\n {\r\n \"code\": \"DeploymentFailed\",\r\n \"target\": \"/subscriptions/123/resourceGroups/my-rg/providers/Microsoft.Resources/deployments/Diagnostics-AAD\",\r\n \"message\": \"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.\",\r\n \"details\": [\r\n {\r\n \"code\": \"ResourceNotFound\",\r\n \"message\": \"The Resource 'Microsoft.AzureActiveDirectory/b2cDirectories/AAD (Dev)' under resource group 'my-rg' was not found.
It appears that it is the scope, unless the message is a red herring. I have tried scope: tenant() and I get a compilation error in VS Code stating that it needs to be at resource group level.
Any suggestions would be appreciated.
Answer 1
Score: 0
To obtain the scope of the resource, you can use the resourceId() function in Bicep by giving the resource name, provider, resource type, etc., as detailed in the given MS Doc.
scope:resourceId('Microsoft.AzureActiveDirectory/b2cDirectories', <resource>)
After adding the required scope, your code is modified as below:
resource diagAADSetting 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (diagnosticType == 'AAD') {
  name: diagnosticName
  scope: resourceId('Microsoft.AzureActiveDirectory/b2cDirectories', resourceName)
  properties: {
    eventHubAuthorizationRuleId: eventHubAuthorizationRuleId != null ? eventHubAuthorizationRuleId : null
    eventHubName: eventHubName != null ? eventHubName : null
    logs: diagnosticsLogConfig != null ? diagnosticsLogConfig : []
    metrics: diagnosticsMetricConfig != null ? diagnosticsMetricConfig : []
    logAnalyticsDestinationType: 'Dedicated'
  }
}
I ran the sample template with the scope parameter and it was successfully deployed.
Answer 2
Score: 0
In the end I used the following code, as we aren't using B2C as per the code originally supplied by Jahnavi.
// AAD sign-in/audit logs are a tenant-level setting, so the resource is
// microsoft.aadiam/diagnosticSettings scoped to tenant(), not an ARM resource in a resource group.
resource aadDiagnosticSettings 'microsoft.aadiam/diagnosticSettings@2017-04-01' = if (diagnosticType == 'AAD') {
  name: diagnosticName
  scope: tenant()
  properties: {
    eventHubAuthorizationRuleId: eventHubAuthorizationRuleId != null ? eventHubAuthorizationRuleId : null
    eventHubName: eventHubName != null ? eventHubName : null
    logs: diagnosticsLogConfig != null ? diagnosticsLogConfig : []
  }
}
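A pre-deployment check for the parameter array in the question, as an added example that is not part of the question or either answer: it lints each diagnosticSettingsAAD entry in Python before the Bicep deployment runs, rejecting an unknown diagnosticType, a missing destination, a malformed Event Hub authorization-rule id or an unknown AAD log category, and warning that for AAD the resourceName/resourceRG fields are ignored because the setting is tenant-scoped (microsoft.aadiam/diagnosticSettings with scope: tenant(), as in the answer above), which is what made the original b2cDirectories lookup fail with ResourceNotFound. The function names, the allow-list of log categories (seeded only with the four categories the question exports) and the second, deliberately broken sample entry are assumptions constructed for this example.

```python
"""Lint a diagnosticSettingsAAD parameter file before deploying the Bicep module.

Added example, not the question's or the answers' own code. Surfaces scope and
destination mistakes locally instead of as a failed deployment operation.
"""
import json
import re
from typing import Dict, List

# Mirrors the module's @allowed(['Firewall', 'SQLServer', 'AAD']) decorator.
ALLOWED_TYPES = {"Firewall", "SQLServer", "AAD"}

# Constructed allow-list: only the categories the question exports. Extend it
# with further categories your tenant exposes.
KNOWN_AAD_LOG_CATEGORIES = {
    "AuditLogs", "SignInLogs", "ManagedIdentitySignInLogs", "ProvisioningLogs",
}

# ARM id of an Event Hub namespace authorization rule; ARM ids are case-insensitive.
AUTH_RULE_RE = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)/resourcegroups/(?P<rg>[^/]+)/providers/"
    r"microsoft\.eventhub/namespaces/(?P<ns>[^/]+)/authorizationrules/(?P<rule>[^/]+)$",
    re.IGNORECASE,
)


def validate_entry(ds: Dict) -> Dict[str, List[str]]:
    """Return {'errors': [...], 'warnings': [...]} for one array element."""
    errors: List[str] = []
    warnings: List[str] = []

    dtype = ds.get("diagnosticType")
    if dtype not in ALLOWED_TYPES:
        errors.append(f"diagnosticType {dtype!r} is not one of {sorted(ALLOWED_TYPES)}")

    for key in ("diagnosticName", "eventHubName", "eventHubAuthorizationRuleId"):
        if not ds.get(key):
            errors.append(f"{key} is missing or empty")

    match = AUTH_RULE_RE.match(ds.get("eventHubAuthorizationRuleId") or "")
    if not match:
        errors.append("eventHubAuthorizationRuleId is not an Event Hub namespace authorization rule id")
    elif match.group("sub") != ds.get("resourceSubId"):
        warnings.append("event hub namespace is in a different subscription than resourceSubId; "
                        "confirm the deploying identity can read that authorization rule")

    logs = ds.get("logs") or []
    metrics = ds.get("metrics") or []
    if not logs and not metrics:
        errors.append("nothing to export: logs and metrics are both empty")

    if dtype == "AAD":
        # The AAD setting is tenant-scoped (microsoft.aadiam/diagnosticSettings, scope: tenant()),
        # so no ARM resource lookup by name/resource group is involved at all.
        if ds.get("resourceName") or ds.get("resourceRG"):
            warnings.append("resourceName/resourceRG are ignored for AAD: the setting is tenant-scoped")
        if metrics:
            warnings.append("the microsoft.aadiam resource in answer 2 wires only logs; metrics are dropped")
        unknown = sorted(set(logs) - KNOWN_AAD_LOG_CATEGORIES)
        if unknown:
            errors.append(f"unknown AAD log categories: {unknown}")

    return {"errors": errors, "warnings": warnings}


def lint_parameters(param_json: str) -> Dict[str, Dict[str, List[str]]]:
    """Lint a whole parameter file of shape {"diagnosticSettingsAAD": {"value": [...]}}."""
    entries = json.loads(param_json)["diagnosticSettingsAAD"]["value"]
    return {ds.get("diagnosticName") or f"<entry {i}>": validate_entry(ds)
            for i, ds in enumerate(entries)}


# Constructed sample: the first entry has the shape of the question's parameter
# file, the second is deliberately broken (bad type, no destination, bad rule id).
SAMPLE_PARAMS = json.dumps({
    "diagnosticSettingsAAD": {"value": [
        {
            "diagnosticType": "AAD",
            "diagnosticName": "my-diag",
            "resourceSubId": "123",
            "resourceName": "AAD (Dev)",
            "resourceRG": "my-rg",
            "eventHubName": "my-evh",
            "eventHubAuthorizationRuleId": "/subscriptions/123/resourcegroups/my-rg/providers/"
                                           "Microsoft.EventHub/namespaces/my-evhns/authorizationrules/RootManageSharedAccessKey",
            "logs": ["AuditLogs", "SignInLogs", "ManagedIdentitySignInLogs", "ProvisioningLogs"],
            "metrics": [],
        },
        {
            "diagnosticType": "Entra",
            "diagnosticName": "broken-diag",
            "resourceSubId": "123",
            "eventHubName": "",
            "eventHubAuthorizationRuleId": "my-evhns/RootManageSharedAccessKey",
            "logs": [],
            "metrics": [],
        },
    ]}
})

if __name__ == "__main__":
    for name, result in lint_parameters(SAMPLE_PARAMS).items():
        print(name, json.dumps(result, indent=2))
```

Run it against the real parameter file by passing its contents to lint_parameters; any entry with a non-empty errors list should block the deployment, while warnings only point at fields the tenant-scoped resource will silently ignore.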
Comments