diff --git a/arm/Microsoft.OperationalInsights/workspaces/.parameters/parameters.json b/arm/Microsoft.OperationalInsights/workspaces/.parameters/parameters.json index 908b407660..eef49351b9 100644 --- a/arm/Microsoft.OperationalInsights/workspaces/.parameters/parameters.json +++ b/arm/Microsoft.OperationalInsights/workspaces/.parameters/parameters.json @@ -148,6 +148,21 @@ }, "useResourcePermissions": { "value": true + }, + "diagnosticLogsRetentionInDays": { + "value": 7 + }, + "diagnosticStorageAccountId": { + "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adpsxxazsaweux001" + }, + "workspaceId": { + "value": "/subscriptions/<>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-sxx-az-law-x-001" + }, + "eventHubAuthorizationRuleId": { + "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-sxx-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey" + }, + "eventHubName": { + "value": "adp-sxx-az-evh-x-001" } } } diff --git a/arm/Microsoft.OperationalInsights/workspaces/deploy.bicep b/arm/Microsoft.OperationalInsights/workspaces/deploy.bicep index 19a13b9143..a5343b7e96 100644 --- a/arm/Microsoft.OperationalInsights/workspaces/deploy.bicep +++ b/arm/Microsoft.OperationalInsights/workspaces/deploy.bicep 
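Review bot: The `eventHubAuthorizationRuleId` value in this validation parameter set points at the namespace-level `RootManageSharedAccessKey` rule, which carries Manage rights, while a diagnostic setting only needs Send on the hub. The same value is repeated in the Microsoft.Sql/servers and Microsoft.Storage/storageAccounts parameter files in this change, and these fixtures tend to be copied into real deployments, so a dedicated Send-only rule on the validation namespace would set the least-privilege example; if the namespace module used for validation does not expose such a rule yet, noting in the readme description of `eventHubAuthorizationRuleId` that a Send-only rule is sufficient would be the minimal follow-up.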
@@ -54,6 +54,23 @@ param publicNetworkAccessForQuery string = 'Enabled' @description('Optional. Set to \'true\' to use resource or workspace permissions and \'false\' (or leave empty) to require workspace permissions.') param useResourcePermissions bool = false +@description('Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely.') +@minValue(0) +@maxValue(365) +param diagnosticLogsRetentionInDays int = 365 + +@description('Optional. Resource ID of the diagnostic storage account.') +param diagnosticStorageAccountId string = '' + +@description('Optional. Resource ID of a log analytics workspace.') +param workspaceId string = '' + +@description('Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') +param eventHubAuthorizationRuleId string = '' + +@description('Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') +param eventHubName string = '' + @allowed([ 'CanNotDelete' 'NotSpecified' 
@@ -71,6 +88,41 @@ param tags object = {} @description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered') param cuaId string = '' +@description('Optional. The name of logs that will be streamed.') +@allowed([ + 'Audit' +]) +param logsToEnable array = [ + 'Audit' +] + +@description('Optional. The name of metrics that will be streamed.') +@allowed([ + 'AllMetrics' +]) +param metricsToEnable array = [ + 'AllMetrics' +] + +var diagnosticsLogs = [for log in logsToEnable: { + category: log + enabled: true + retentionPolicy: { + enabled: true + days: diagnosticLogsRetentionInDays + } +}] + +var diagnosticsMetrics = [for metric in metricsToEnable: { + category: metric + timeGrain: null + enabled: true + retentionPolicy: { + enabled: true + days: diagnosticLogsRetentionInDays + } +}] + var logAnalyticsSearchVersion = 1 module pid_cuaId '.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) { 
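Review bot: The `retentionPolicy` block inside `diagnosticsLogs` and `diagnosticsMetrics` only takes effect for the storage-account destination; for the workspace and event hub sinks the `days` value is ignored by the service, yet the `@description` on `diagnosticLogsRetentionInDays` reads as if it governed all three. A one-line comment above the variables, `// retentionPolicy applies only to the diagnosticStorageAccountId sink; workspace and event hub retention is managed on the destination`, plus the same clause in the parameter description, would stop callers from expecting the workspace retention to follow this value. The identical variable pair appears in the databases, blobServices and storageAccounts hunks of this change.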
@@ -99,6 +151,19 @@ resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2020-08 } } +resource logAnalyticsWorkspace_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(workspaceId)) || (!empty(eventHubAuthorizationRuleId)) || (!empty(eventHubName))) { + name: '${logAnalyticsWorkspace.name}-diagnosticSettings' + properties: { + storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null + workspaceId: !empty(workspaceId) ? workspaceId : null + eventHubAuthorizationRuleId: !empty(eventHubAuthorizationRuleId) ? eventHubAuthorizationRuleId : null + eventHubName: !empty(eventHubName) ? eventHubName : null + metrics: diagnosticsMetrics + logs: diagnosticsLogs + } + scope: logAnalyticsWorkspace +} + module logAnalyticsWorkspace_storageInsightConfigs 'storageInsightConfigs/deploy.bicep' = [for (storageInsightsConfig, index) in storageInsightsConfigs: { name: '${uniqueString(deployment().name, location)}-LAW-StorageInsightsConfig-${index}' params: { diff --git a/arm/Microsoft.OperationalInsights/workspaces/readme.md b/arm/Microsoft.OperationalInsights/workspaces/readme.md index cab8ea6865..8ea13e7fcd 100644 --- a/arm/Microsoft.OperationalInsights/workspaces/readme.md +++ b/arm/Microsoft.OperationalInsights/workspaces/readme.md @@ -8,6 +8,7 @@ This template deploys a log analytics workspace. | :-- | :-- | | `Microsoft.Authorization/locks` | 2016-09-01 | | `Microsoft.Authorization/roleAssignments` | 2020-04-01-preview | +| `Microsoft.Insights/diagnosticSettings` | 2021-05-01-preview | | `Microsoft.OperationalInsights/workspaces` | 2020-08-01 | | `Microsoft.OperationalInsights/workspaces/dataSources` | 2020-08-01 | | `Microsoft.OperationalInsights/workspaces/linkedServices` | 2020-08-01 | 
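Review bot: The deployment condition on `logAnalyticsWorkspace_diagnosticSettings` treats a non-empty `eventHubName` on its own as a reason to create the setting, but an event hub name without `eventHubAuthorizationRuleId` is not a usable destination, so a caller who supplies only the name gets a resource whose sinks are all null except `eventHubName`, which the provider will presumably reject at deploy time rather than at template validation. Dropping `(!empty(eventHubName))` from the condition, or stating in the `eventHubName` description that it is only honored together with `eventHubAuthorizationRuleId`, makes the contract explicit. The same condition is used by `database_diagnosticSettings`, `blobServices_diagnosticSettings` and `storageAccount_diagnosticSettings` in this change.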
@@ -23,10 +24,16 @@ This template deploys a log analytics workspace. | `dailyQuotaGb` | int | `-1` | | Optional. The workspace daily quota for ingestion. | | `dataRetention` | int | `365` | | Required. Number of days data will be retained for | | `dataSources` | _[dataSources](dataSources/readme.md)_ array | `[]` | | Optional. LAW data sources to configure. | +| `diagnosticLogsRetentionInDays` | int | `365` | | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | +| `diagnosticStorageAccountId` | string | | | Optional. Resource ID of the diagnostic storage account. | +| `eventHubAuthorizationRuleId` | string | | | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| `eventHubName` | string | | | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | | `gallerySolutions` | array | `[]` | | Optional. LAW gallerySolutions from the gallery. | | `linkedServices` | _[linkedServices](linkedServices/readme.md)_ array | `[]` | | Optional. List of services to be linked. | | `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. | | `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. | +| `logsToEnable` | array | `[Audit]` | `[Audit]` | Optional. The name of logs that will be streamed. | +| `metricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | Optional. The name of metrics that will be streamed. | | `name` | string | | | Required. Name of the Log Analytics workspace | | `publicNetworkAccessForIngestion` | string | `Enabled` | `[Enabled, Disabled]` | Optional. The network access type for accessing Log Analytics ingestion. | | `publicNetworkAccessForQuery` | string | `Enabled` | `[Enabled, Disabled]` | Optional. 
The network access type for accessing Log Analytics query. | @@ -36,6 +43,7 @@ This template deploys a log analytics workspace. | `storageInsightsConfigs` | array | `[]` | | Optional. List of storage accounts to be read by the workspace. | | `tags` | object | `{object}` | | Optional. Tags of the resource. | | `useResourcePermissions` | bool | | | Optional. Set to 'true' to use resource or workspace permissions and 'false' (or leave empty) to require workspace permissions. | +| `workspaceId` | string | | | Optional. Resource ID of a log analytics workspace. | ### Parameter Usage: `gallerySolutions` @@ -123,6 +131,7 @@ Tag names and tag values can be provided as needed. A tag can be left without a - [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2016-09-01/locks) - [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-04-01-preview/roleAssignments) +- [Diagnosticsettings](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) - [Workspaces](https://docs.microsoft.com/en-us/azure/templates/Microsoft.OperationalInsights/2020-08-01/workspaces) - [Workspaces/Datasources](https://docs.microsoft.com/en-us/azure/templates/Microsoft.OperationalInsights/2020-08-01/workspaces/dataSources) - [Workspaces/Linkedservices](https://docs.microsoft.com/en-us/azure/templates/Microsoft.OperationalInsights/2020-08-01/workspaces/linkedServices) diff --git a/arm/Microsoft.Sql/servers/.parameters/parameters.json b/arm/Microsoft.Sql/servers/.parameters/parameters.json index d552c246e8..eec0231e4d 100644 --- a/arm/Microsoft.Sql/servers/.parameters/parameters.json +++ b/arm/Microsoft.Sql/servers/.parameters/parameters.json 
@@ -42,7 +42,12 @@ "tier": "GeneralPurpose", "skuName": "GP_Gen5_2", "maxSizeBytes": 34359738368, - "licenseType": "LicenseIncluded" + "licenseType": "LicenseIncluded", + "diagnosticLogsRetentionInDays": 7, + "diagnosticStorageAccountId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adpsxxazsaweux001", + "workspaceId": "/subscriptions/<>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-sxx-az-law-x-001", + "eventHubAuthorizationRuleId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-sxx-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey", + "eventHubName": "adp-sxx-az-evh-x-001" } ] }, diff --git a/arm/Microsoft.Sql/servers/databases/deploy.bicep b/arm/Microsoft.Sql/servers/databases/deploy.bicep index 6669798e03..8d7f953ae7 100644 --- a/arm/Microsoft.Sql/servers/databases/deploy.bicep +++ b/arm/Microsoft.Sql/servers/databases/deploy.bicep 
@@ -50,6 +50,74 @@ param location string = resourceGroup().location @description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered') param cuaId string = '' +@description('Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely.') +@minValue(0) +@maxValue(365) +param diagnosticLogsRetentionInDays int = 365 + +@description('Optional. Resource ID of the diagnostic storage account.') +param diagnosticStorageAccountId string = '' + +@description('Optional. Resource ID of log analytics.') +param workspaceId string = '' + +@description('Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') +param eventHubAuthorizationRuleId string = '' + +@description('Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') +param eventHubName string = '' + +@description('Optional. The name of logs that will be streamed.') +@allowed([ + 'SQLInsights' + 'AutomaticTuning' + 'QueryStoreRuntimeStatistics' + 'QueryStoreWaitStatistics' + 'Errors' + 'DatabaseWaitStatistics' + 'Timouts' + 'Blocks' + 'Deadlocks' +]) +param logsToEnable array = [ + 'SQLInsights' + 'AutomaticTuning' + 'QueryStoreRuntimeStatistics' + 'QueryStoreWaitStatistics' + 'Errors' + 'DatabaseWaitStatistics' + 'Timouts' + 'Blocks' + 'Deadlocks' +] + +@description('Optional. 
The name of metrics that will be streamed.') +@allowed([ + 'Basic' +]) +param metricsToEnable array = [ + 'Basic' +] + +var diagnosticsLogs = [for log in logsToEnable: { + category: log + enabled: true + retentionPolicy: { + enabled: true + days: diagnosticLogsRetentionInDays + } +}] + +var diagnosticsMetrics = [for metric in metricsToEnable: { + category: metric + timeGrain: null + enabled: true + retentionPolicy: { + enabled: true + days: diagnosticLogsRetentionInDays + } +}] + @description('Optional. The storage account type to be used to store backups for this database.') @allowed([ 'Geo' @@ -99,6 +167,19 @@ resource database 'Microsoft.Sql/servers/databases@2021-02-01-preview' = { } } +resource database_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(workspaceId)) || (!empty(eventHubAuthorizationRuleId)) || (!empty(eventHubName))) { + name: '${last(split(database.name, '/'))}-diagnosticSettings' + properties: { + storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null + workspaceId: !empty(workspaceId) ? workspaceId : null + eventHubAuthorizationRuleId: !empty(eventHubAuthorizationRuleId) ? eventHubAuthorizationRuleId : null + eventHubName: !empty(eventHubName) ? eventHubName : null + metrics: diagnosticsMetrics + logs: diagnosticsLogs + } + scope: database +} + @description('The name of the deployed database') output databaseName string = database.name diff --git a/arm/Microsoft.Sql/servers/databases/readme.md b/arm/Microsoft.Sql/servers/databases/readme.md index a6ae29e4dd..4a993e8b41 100644 --- a/arm/Microsoft.Sql/servers/databases/readme.md +++ b/arm/Microsoft.Sql/servers/databases/readme.md @@ -6,6 +6,7 @@ This module deploys an Azure SQL Server. | Resource Type | API Version | | :-- | :-- | +| `Microsoft.Insights/diagnosticSettings` | 2021-05-01-preview | | `Microsoft.Sql/servers/databases` | 2021-02-01-preview | ## Parameters 
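Review bot: `'Timouts'` in the `@allowed` list and default of `logsToEnable` reads as a misspelling of Timeouts but appears to be the category identifier as the SQL Database resource provider spells it; nothing in the hunk says so, and a comment next to the entry such as `// 'Timouts' is the provider's own spelling of this category - do not correct` would keep the next maintainer from renaming it into a value the service rejects (and if it is not the provider's spelling, deployment will fail on it and it should be fixed here instead). Separately, the `workspaceId` description `Resource ID of log analytics.` differs from the wording `Resource ID of a log analytics workspace.` used by the other modules in this change; aligning it keeps the generated readmes consistent.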
@@ -15,12 +16,18 @@ This module deploys an Azure SQL Server. | `autoPauseDelay` | string | | | Optional. Time in minutes after which database is automatically paused. | | `collation` | string | | | Optional. The collation of the database. | | `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered | +| `diagnosticLogsRetentionInDays` | int | `365` | | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | +| `diagnosticStorageAccountId` | string | | | Optional. Resource ID of the diagnostic storage account. | +| `eventHubAuthorizationRuleId` | string | | | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| `eventHubName` | string | | | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | | `highAvailabilityReplicaCount` | int | | | Optional. The number of readonly secondary replicas associated with the database. | | `isLedgerOn` | bool | | | Optional. Whether or not this database is a ledger database, which means all tables in the database are ledger tables. Note: the value of this property cannot be changed after the database has been created. | | `licenseType` | string | | | Optional. The license type to apply for this database. | | `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. | +| `logsToEnable` | array | `[SQLInsights, AutomaticTuning, QueryStoreRuntimeStatistics, QueryStoreWaitStatistics, Errors, DatabaseWaitStatistics, Timouts, Blocks, Deadlocks]` | `[SQLInsights, AutomaticTuning, QueryStoreRuntimeStatistics, QueryStoreWaitStatistics, Errors, DatabaseWaitStatistics, Timouts, Blocks, Deadlocks]` | Optional. The name of logs that will be streamed. | | `maintenanceConfigurationId` | string | | | Optional. 
Maintenance configuration ID assigned to the database. This configuration defines the period when the maintenance updates will occur. | | `maxSizeBytes` | int | | | Optional. The max size of the database expressed in bytes. | +| `metricsToEnable` | array | `[Basic]` | `[Basic]` | Optional. The name of metrics that will be streamed. | | `minCapacity` | string | | | Optional. Minimal capacity that database will always have allocated. | | `name` | string | | | Required. The name of the database. | | `readScale` | string | `Disabled` | `[Enabled, Disabled]` | Optional. The state of read-only routing. | @@ -30,6 +37,7 @@ This module deploys an Azure SQL Server. | `skuName` | string | | | Required. The name of the SKU. | | `tags` | object | `{object}` | | Optional. Tags of the resource. | | `tier` | string | | | Optional. The tier or edition of the particular SKU. | +| `workspaceId` | string | | | Optional. Resource ID of log analytics. | | `zoneRedundant` | bool | | | Optional. Whether or not this database is zone redundant. | ### Parameter Usage: `tags` @@ -59,4 +67,5 @@ Tag names and tag values can be provided as needed. A tag can be left without a ## Template references +- [Diagnosticsettings](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) - [Servers/Databases](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Sql/2021-02-01-preview/servers/databases) diff --git a/arm/Microsoft.Sql/servers/deploy.bicep b/arm/Microsoft.Sql/servers/deploy.bicep index cd2fc6746e..f511afbb35 100644 --- a/arm/Microsoft.Sql/servers/deploy.bicep +++ b/arm/Microsoft.Sql/servers/deploy.bicep 
@@ -95,16 +95,23 @@ module server_databases 'databases/deploy.bicep' = [for (database, index) in dat skuName: database.skuName collation: database.collation autoPauseDelay: contains(database, 'autoPauseDelay') ? database.autoPauseDelay : '' + diagnosticLogsRetentionInDays: contains(database, 'diagnosticLogsRetentionInDays') ? database.diagnosticLogsRetentionInDays : 365 + diagnosticStorageAccountId: contains(database, 'diagnosticStorageAccountId') ? database.diagnosticStorageAccountId : '' + eventHubAuthorizationRuleId: contains(database, 'eventHubAuthorizationRuleId') ? database.eventHubAuthorizationRuleId : '' + eventHubName: contains(database, 'eventHubName') ? database.eventHubName : '' isLedgerOn: contains(database, 'isLedgerOn') ? database.isLedgerOn : false location: contains(database, 'location') ? database.location : server.location + logsToEnable: contains(database, 'logsToEnable') ? database.logsToEnable : [] licenseType: contains(database, 'licenseType') ? database.licenseType : '' maintenanceConfigurationId: contains(database, 'maintenanceConfigurationId') ? database.maintenanceConfigurationId : '' minCapacity: contains(database, 'minCapacity') ? database.minCapacity : '' + metricsToEnable: contains(database, 'metricsToEnable') ? database.metricsToEnable : [] highAvailabilityReplicaCount: contains(database, 'highAvailabilityReplicaCount') ? database.highAvailabilityReplicaCount : 0 readScale: contains(database, 'readScale') ? database.readScale : 'Disabled' requestedBackupStorageRedundancy: contains(database, 'requestedBackupStorageRedundancy') ? database.requestedBackupStorageRedundancy : '' sampleName: contains(database, 'sampleName') ? database.sampleName : '' tags: contains(database, 'tags') ? database.tags : {} + workspaceId: contains(database, 'workspaceId') ? database.workspaceId : '' zoneRedundant: contains(database, 'zoneRedundant') ? database.zoneRedundant : false } }] 
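Review bot: `logsToEnable` and `metricsToEnable` fall back to `[]` when the database object omits them, whereas the databases module itself defaults them to its full category lists, so a database that supplies a destination (as the updated parameters file does) but no explicit category lists ends up with a diagnostic setting carrying `logs: []` and `metrics: []` — sinks configured, nothing audited, and no error to show for it. Either mirror the child's defaults here (declare a `var` holding the same nine log categories and `Basic`, and use those as the fallbacks), or keep the empty fallback deliberately and document in the readme that categories must be listed per database. The `storageAccount_blobServices` pass-through in the storageAccounts module has the same `[]` fallbacks against the child's `StorageRead`/`StorageWrite`/`StorageDelete` and `Transaction` defaults. The `server_databases` module loop starts before this hunk.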
diff --git a/arm/Microsoft.Sql/servers/readme.md b/arm/Microsoft.Sql/servers/readme.md index 8993b04958..a11a2cb394 100644 --- a/arm/Microsoft.Sql/servers/readme.md +++ b/arm/Microsoft.Sql/servers/readme.md @@ -8,6 +8,7 @@ This module deploys a SQL server. | :-- | :-- | | `Microsoft.Authorization/locks` | 2016-09-01 | | `Microsoft.Authorization/roleAssignments` | 2020-04-01-preview | +| `Microsoft.Insights/diagnosticSettings` | 2021-05-01-preview | | `Microsoft.Sql/servers` | 2021-05-01-preview | | `Microsoft.Sql/servers/databases` | 2021-02-01-preview | | `Microsoft.Sql/servers/firewallRules` | 2021-05-01-preview | @@ -96,6 +97,7 @@ You can specify multiple user assigned identities to a resource by providing add - [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2016-09-01/locks) - [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-04-01-preview/roleAssignments) +- [Diagnosticsettings](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) - [Servers](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Sql/2021-05-01-preview/servers) - [Servers/Databases](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Sql/2021-02-01-preview/servers/databases) - [Servers/Firewallrules](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Sql/2021-05-01-preview/servers/firewallRules) diff --git a/arm/Microsoft.Storage/storageAccounts/.parameters/parameters.json b/arm/Microsoft.Storage/storageAccounts/.parameters/parameters.json index 247e0496df..78c725d89c 100644 --- a/arm/Microsoft.Storage/storageAccounts/.parameters/parameters.json +++ b/arm/Microsoft.Storage/storageAccounts/.parameters/parameters.json 
@@ -13,6 +13,11 @@ }, "blobServices": { "value": { + "diagnosticLogsRetentionInDays": 7, + "diagnosticStorageAccountId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adpsxxazsaweux001", + "workspaceId": "/subscriptions/<>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-sxx-az-law-x-001", + "eventHubAuthorizationRuleId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-sxx-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey", + "eventHubName": "adp-sxx-az-evh-x-001", "containers": [ { "name": "avdscripts", @@ -38,6 +43,11 @@ }, "fileServices": { "value": { + "diagnosticLogsRetentionInDays": 7, + "diagnosticStorageAccountId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adpsxxazsaweux001", + "workspaceId": "/subscriptions/<>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-sxx-az-law-x-001", + "eventHubAuthorizationRuleId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-sxx-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey", + "eventHubName": "adp-sxx-az-evh-x-001", "shares": [ { "name": "avdprofiles", @@ -60,6 +70,11 @@ }, "tableServices": { "value": { + "diagnosticLogsRetentionInDays": 7, + "diagnosticStorageAccountId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adpsxxazsaweux001", + "workspaceId": "/subscriptions/<>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-sxx-az-law-x-001", + "eventHubAuthorizationRuleId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-sxx-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey", + "eventHubName": "adp-sxx-az-evh-x-001", "tables": [ "table1", "table2" 
@@ -68,6 +83,11 @@ }, "queueServices": { "value": { + "diagnosticLogsRetentionInDays": 7, + "diagnosticStorageAccountId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adpsxxazsaweux001", + "workspaceId": "/subscriptions/<>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-sxx-az-law-x-001", + "eventHubAuthorizationRuleId": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-sxx-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey", + "eventHubName": "adp-sxx-az-evh-x-001", "queues": [ { "name": "queue1", @@ -105,6 +125,21 @@ ] } ] + }, + "diagnosticLogsRetentionInDays": { + "value": 7 + }, + "diagnosticStorageAccountId": { + "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adpsxxazsaweux001" + }, + "workspaceId": { + "value": "/subscriptions/<>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-sxx-az-law-x-001" + }, + "eventHubAuthorizationRuleId": { + "value": "/subscriptions/<>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-sxx-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey" + }, + "eventHubName": { + "value": "adp-sxx-az-evh-x-001" } } } diff --git a/arm/Microsoft.Storage/storageAccounts/blobServices/deploy.bicep b/arm/Microsoft.Storage/storageAccounts/blobServices/deploy.bicep index 3f6c6081c2..38973f1598 100644 --- a/arm/Microsoft.Storage/storageAccounts/blobServices/deploy.bicep +++ b/arm/Microsoft.Storage/storageAccounts/blobServices/deploy.bicep 
@@ -17,9 +17,65 @@ param automaticSnapshotPolicyEnabled bool = false @description('Optional. Blob containers to create.') param containers array = [] +@description('Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely.') +@minValue(0) +@maxValue(365) +param diagnosticLogsRetentionInDays int = 365 + +@description('Optional. Resource ID of the diagnostic storage account.') +param diagnosticStorageAccountId string = '' + +@description('Optional. Resource ID of a log analytics workspace.') +param workspaceId string = '' + +@description('Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') +param eventHubAuthorizationRuleId string = '' + +@description('Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') +param eventHubName string = '' + @description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered') param cuaId string = '' +@description('Optional. The name of logs that will be streamed.') +@allowed([ + 'StorageRead' + 'StorageWrite' + 'StorageDelete' +]) +param logsToEnable array = [ + 'StorageRead' + 'StorageWrite' + 'StorageDelete' +] + +@description('Optional. The name of metrics that will be streamed.') +@allowed([ + 'Transaction' +]) +param metricsToEnable array = [ + 'Transaction' +] + +var diagnosticsLogs = [for log in logsToEnable: { + category: log + enabled: true + retentionPolicy: { + enabled: true + days: diagnosticLogsRetentionInDays + } +}] + +var diagnosticsMetrics = [for metric in metricsToEnable: { + category: metric + timeGrain: null + enabled: true + retentionPolicy: { + enabled: true + days: diagnosticLogsRetentionInDays + } +}] + module pid_cuaId '.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) { name: 'pid-${cuaId}' params: {} 
@@ -41,6 +97,19 @@ resource blobServices 'Microsoft.Storage/storageAccounts/blobServices@2021-06-01 } } +resource blobServices_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(workspaceId)) || (!empty(eventHubAuthorizationRuleId)) || (!empty(eventHubName))) { + name: '${blobServices.name}-diagnosticSettings' + properties: { + storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null + workspaceId: !empty(workspaceId) ? workspaceId : null + eventHubAuthorizationRuleId: !empty(eventHubAuthorizationRuleId) ? eventHubAuthorizationRuleId : null + eventHubName: !empty(eventHubName) ? eventHubName : null + metrics: diagnosticsMetrics + logs: diagnosticsLogs + } + scope: blobServices +} + module blobServices_container 'containers/deploy.bicep' = [for (container, index) in containers: { name: '${deployment().name}-Container-${index}' params: { diff --git a/arm/Microsoft.Storage/storageAccounts/blobServices/readme.md b/arm/Microsoft.Storage/storageAccounts/blobServices/readme.md index fea80fa65c..d553636eb1 100644 --- a/arm/Microsoft.Storage/storageAccounts/blobServices/readme.md +++ b/arm/Microsoft.Storage/storageAccounts/blobServices/readme.md @@ -7,6 +7,7 @@ This module can be used to deploy a blob service into a storage account. | Resource Type | API Version | | :-- | :-- | | `Microsoft.Authorization/roleAssignments` | 2020-04-01-preview | +| `Microsoft.Insights/diagnosticSettings` | 2021-05-01-preview | | `Microsoft.Storage/storageAccounts/blobServices` | 2021-06-01 | | `Microsoft.Storage/storageAccounts/blobServices/containers` | 2019-06-01 | | `Microsoft.Storage/storageAccounts/blobServices/containers/immutabilityPolicies` | 2019-06-01 | 
@@ -20,8 +21,15 @@ This module can be used to deploy a blob service into a storage account. | `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered | | `deleteRetentionPolicy` | bool | `True` | | Optional. Indicates whether DeleteRetentionPolicy is enabled for the Blob service. | | `deleteRetentionPolicyDays` | int | `7` | | Optional. Indicates the number of days that the deleted blob should be retained. The minimum specified value can be 1 and the maximum value can be 365. | +| `diagnosticLogsRetentionInDays` | int | `365` | | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | +| `diagnosticStorageAccountId` | string | | | Optional. Resource ID of the diagnostic storage account. | +| `eventHubAuthorizationRuleId` | string | | | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| `eventHubName` | string | | | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| `logsToEnable` | array | `[StorageRead, StorageWrite, StorageDelete]` | `[StorageRead, StorageWrite, StorageDelete]` | Optional. The name of logs that will be streamed. | +| `metricsToEnable` | array | `[Transaction]` | `[Transaction]` | Optional. The name of metrics that will be streamed. | | `name` | string | `default` | | Optional. The name of the blob service | | `storageAccountName` | string | | | Required. Name of the Storage Account. | +| `workspaceId` | string | | | Optional. Resource ID of a log analytics workspace. | ## Outputs 
@@ -35,6 +43,7 @@ This module can be used to deploy a blob service into a storage account. ## Template references - [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-04-01-preview/roleAssignments) +- [Diagnosticsettings](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) - [Storageaccounts/Blobservices](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Storage/2021-06-01/storageAccounts/blobServices) - [Storageaccounts/Blobservices/Containers](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Storage/2019-06-01/storageAccounts/blobServices/containers) - [Storageaccounts/Blobservices/Containers/Immutabilitypolicies](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Storage/2019-06-01/storageAccounts/blobServices/containers/immutabilityPolicies) diff --git a/arm/Microsoft.Storage/storageAccounts/deploy.bicep b/arm/Microsoft.Storage/storageAccounts/deploy.bicep index d2e4888a19..5d69da5544 100644 --- a/arm/Microsoft.Storage/storageAccounts/deploy.bicep +++ b/arm/Microsoft.Storage/storageAccounts/deploy.bicep 
@@ -85,6 +85,23 @@ param minimumTlsVersion string = 'TLS1_2' @description('Optional. If true, enables Hierarchical Namespace for the storage account') param enableHierarchicalNamespace bool = false +@description('Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely.') +@minValue(0) +@maxValue(365) +param diagnosticLogsRetentionInDays int = 365 + +@description('Optional. Resource ID of the diagnostic storage account.') +param diagnosticStorageAccountId string = '' + +@description('Optional. Resource ID of a log analytics workspace.') +param workspaceId string = '' + +@description('Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') +param eventHubAuthorizationRuleId string = '' + +@description('Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') +param eventHubName string = '' + @allowed([ 'CanNotDelete' 'NotSpecified' @@ -102,6 +119,24 @@ param cuaId string = '' @description('Generated. Do not provide a value! This date value is used to generate a SAS token to access the modules.') param basetime string = utcNow('u') +@description('Optional. The name of metrics that will be streamed.') +@allowed([ + 'Transaction' +]) +param metricsToEnable array = [ + 'Transaction' +] + +var diagnosticsMetrics = [for metric in metricsToEnable: { + category: metric + timeGrain: null + enabled: true + retentionPolicy: { + enabled: true + days: diagnosticLogsRetentionInDays + } +}] + var virtualNetworkRules = [for index in range(0, (empty(networkAcls) ? 0 : length(networkAcls.virtualNetworkRules))): { id: '${vNetId}/subnets/${networkAcls.virtualNetworkRules[index].subnet}' }] 
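Review bot: Unlike the other modules in this change, the storage-account level declares only `metricsToEnable` and no `logsToEnable`, which is correct — resource logs for storage are emitted by the blob/file/queue/table service resources, while the account itself exposes only metrics — but nothing in the hunk explains the asymmetry, and the `diagnosticLogsRetentionInDays` description still talks about logs. A comment above `metricsToEnable` such as `// The account-level resource has no log categories; resource logs are configured on the blobServices/fileServices/queueServices/tableServices child modules` would tell readers where to enable logs instead of leaving them to suspect the parameter was forgotten.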
@@ -161,6 +196,18 @@ resource storageAccount 'Microsoft.Storage/storageAccounts@2021-06-01' = { properties: saProperties } +resource storageAccount_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(workspaceId)) || (!empty(eventHubAuthorizationRuleId)) || (!empty(eventHubName))) { + name: '${storageAccount.name}-diagnosticSettings' + properties: { + storageAccountId: empty(diagnosticStorageAccountId) ? null : diagnosticStorageAccountId + workspaceId: empty(workspaceId) ? null : workspaceId + eventHubAuthorizationRuleId: empty(eventHubAuthorizationRuleId) ? null : eventHubAuthorizationRuleId + eventHubName: empty(eventHubName) ? null : eventHubName + metrics: diagnosticsMetrics + } + scope: storageAccount +} + resource storageAccount_lock 'Microsoft.Authorization/locks@2016-09-01' = if (lock != 'NotSpecified') { name: '${storageAccount.name}-${lock}-lock' properties: { 
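Review bot: The deployment condition on `storageAccount_diagnosticSettings` treats `eventHubName` on its own as a reason to create the resource, but the properties block then emits `eventHubAuthorizationRuleId: null` next to a non-null `eventHubName`, which the diagnostic-settings API most likely rejects because an event hub destination needs the authorization rule. Dropping the name from the condition, `if (!empty(diagnosticStorageAccountId) || !empty(workspaceId) || !empty(eventHubAuthorizationRuleId))`, makes an `eventHubName`-only input a no-op rather than a failed deployment; if the authors prefer a hard failure, a comment stating that `eventHubName` requires `eventHubAuthorizationRuleId` would at least document it. As a point of style, this hunk writes `empty(x) ? null : x` while the equivalent resources in the fileServices, queueServices and tableServices hunks write `!empty(x) ? x : null`; one form should be used across the four. The condition shape is identical in those three resources, so the fix applies there as well.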
@@ -207,6 +254,13 @@ module storageAccount_blobServices 'blobServices/deploy.bicep' = if (!empty(blob automaticSnapshotPolicyEnabled: contains(blobServices, 'automaticSnapshotPolicyEnabled') ? blobServices.automaticSnapshotPolicyEnabled : false deleteRetentionPolicy: contains(blobServices, 'deleteRetentionPolicy') ? blobServices.deleteRetentionPolicy : true deleteRetentionPolicyDays: contains(blobServices, 'deleteRetentionPolicyDays') ? blobServices.deleteRetentionPolicyDays : 7 + diagnosticLogsRetentionInDays: contains(blobServices, 'diagnosticLogsRetentionInDays') ? blobServices.diagnosticLogsRetentionInDays : 365 + diagnosticStorageAccountId: contains(blobServices, 'diagnosticStorageAccountId') ? blobServices.diagnosticStorageAccountId : '' + eventHubAuthorizationRuleId: contains(blobServices, 'eventHubAuthorizationRuleId') ? blobServices.eventHubAuthorizationRuleId : '' + eventHubName: contains(blobServices, 'eventHubName') ? blobServices.eventHubName : '' + logsToEnable: contains(blobServices, 'logsToEnable') ? blobServices.logsToEnable : [] + metricsToEnable: contains(blobServices, 'metricsToEnable') ? blobServices.metricsToEnable : [] + workspaceId: contains(blobServices, 'workspaceId') ? blobServices.workspaceId : '' } } 
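Review bot: The fallback values `[]` passed for `logsToEnable` and `metricsToEnable` override the child modules' own defaults: the fileServices, queueServices and tableServices hunks in this diff default `logsToEnable` to `['StorageRead', 'StorageWrite', 'StorageDelete']` and `metricsToEnable` to `['Transaction']`, and presumably blobServices does the same, but a caller who only supplies a sink such as `diagnosticStorageAccountId` or `workspaceId` inside the `blobServices` object now gets a diagnostic setting with no categories at all. That is the worst outcome for an audit trail, since the setting exists and looks configured while recording nothing. The fallbacks should mirror the child defaults, as sketched below for blobServices; the same `[]` fallbacks appear in the fileServices, queueServices and tableServices module calls in the next three hunks and need the same treatment. The `storageAccount_blobServices` module declaration begins outside this hunk.
```bicep
    // … unchanged: storageAccountName, containers, retention params …
    logsToEnable: contains(blobServices, 'logsToEnable') ? blobServices.logsToEnable : [
      'StorageRead'
      'StorageWrite'
      'StorageDelete'
    ]
    metricsToEnable: contains(blobServices, 'metricsToEnable') ? blobServices.metricsToEnable : [
      'Transaction'
    ]
    // … unchanged: workspaceId …
```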
@@ -215,12 +269,19 @@ module storageAccount_fileServices 'fileServices/deploy.bicep' = if (!empty(file name: '${uniqueString(deployment().name, location)}-Storage-FileServices' params: { storageAccountName: storageAccount.name + diagnosticLogsRetentionInDays: contains(fileServices, 'diagnosticLogsRetentionInDays') ? fileServices.diagnosticLogsRetentionInDays : 365 + diagnosticStorageAccountId: contains(fileServices, 'diagnosticStorageAccountId') ? fileServices.diagnosticStorageAccountId : '' + eventHubAuthorizationRuleId: contains(fileServices, 'eventHubAuthorizationRuleId') ? fileServices.eventHubAuthorizationRuleId : '' + eventHubName: contains(fileServices, 'eventHubName') ? fileServices.eventHubName : '' + logsToEnable: contains(fileServices, 'logsToEnable') ? fileServices.logsToEnable : [] + metricsToEnable: contains(fileServices, 'metricsToEnable') ? fileServices.metricsToEnable : [] protocolSettings: contains(fileServices, 'protocolSettings') ? fileServices.protocolSettings : {} shareDeleteRetentionPolicy: contains(fileServices, 'shareDeleteRetentionPolicy') ? fileServices.shareDeleteRetentionPolicy : { enabled: true days: 7 } shares: contains(fileServices, 'shares') ? fileServices.shares : [] + workspaceId: contains(fileServices, 'workspaceId') ? fileServices.workspaceId : '' } } 
@@ -229,7 +290,14 @@ module storageAccount_queueServices 'queueServices/deploy.bicep' = if (!empty(qu name: '${uniqueString(deployment().name, location)}-Storage-QueueServices' params: { storageAccountName: storageAccount.name + diagnosticLogsRetentionInDays: contains(queueServices, 'diagnosticLogsRetentionInDays') ? queueServices.diagnosticLogsRetentionInDays : 365 + diagnosticStorageAccountId: contains(queueServices, 'diagnosticStorageAccountId') ? queueServices.diagnosticStorageAccountId : '' + eventHubAuthorizationRuleId: contains(queueServices, 'eventHubAuthorizationRuleId') ? queueServices.eventHubAuthorizationRuleId : '' + eventHubName: contains(queueServices, 'eventHubName') ? queueServices.eventHubName : '' + logsToEnable: contains(queueServices, 'logsToEnable') ? queueServices.logsToEnable : [] + metricsToEnable: contains(queueServices, 'metricsToEnable') ? queueServices.metricsToEnable : [] queues: contains(queueServices, 'queues') ? queueServices.queues : [] + workspaceId: contains(queueServices, 'workspaceId') ? queueServices.workspaceId : '' } } 
@@ -238,7 +306,14 @@ module storageAccount_tableServices 'tableServices/deploy.bicep' = if (!empty(ta name: '${uniqueString(deployment().name, location)}-Storage-TableServices' params: { storageAccountName: storageAccount.name + diagnosticLogsRetentionInDays: contains(tableServices, 'diagnosticLogsRetentionInDays') ? tableServices.diagnosticLogsRetentionInDays : 365 + diagnosticStorageAccountId: contains(tableServices, 'diagnosticStorageAccountId') ? tableServices.diagnosticStorageAccountId : '' + eventHubAuthorizationRuleId: contains(tableServices, 'eventHubAuthorizationRuleId') ? tableServices.eventHubAuthorizationRuleId : '' + eventHubName: contains(tableServices, 'eventHubName') ? tableServices.eventHubName : '' + logsToEnable: contains(tableServices, 'logsToEnable') ? tableServices.logsToEnable : [] + metricsToEnable: contains(tableServices, 'metricsToEnable') ? tableServices.metricsToEnable : [] tables: contains(tableServices, 'tables') ? tableServices.tables : [] + workspaceId: contains(tableServices, 'workspaceId') ? tableServices.workspaceId : '' } } diff --git a/arm/Microsoft.Storage/storageAccounts/fileServices/deploy.bicep b/arm/Microsoft.Storage/storageAccounts/fileServices/deploy.bicep index 1533ddc584..6282c2e47e 100644 --- a/arm/Microsoft.Storage/storageAccounts/fileServices/deploy.bicep +++ b/arm/Microsoft.Storage/storageAccounts/fileServices/deploy.bicep 
@@ -14,12 +14,68 @@ param shareDeleteRetentionPolicy object = { days: 7 } +@description('Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely.') +@minValue(0) +@maxValue(365) +param diagnosticLogsRetentionInDays int = 365 + +@description('Optional. Resource ID of the diagnostic storage account.') +param diagnosticStorageAccountId string = '' + +@description('Optional. Resource ID of a log analytics workspace.') +param workspaceId string = '' + +@description('Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') +param eventHubAuthorizationRuleId string = '' + +@description('Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') +param eventHubName string = '' + @description('Optional. File shares to create.') param shares array = [] @description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered') param cuaId string = '' +@description('Optional. The name of logs that will be streamed.') +@allowed([ + 'StorageRead' + 'StorageWrite' + 'StorageDelete' +]) +param logsToEnable array = [ + 'StorageRead' + 'StorageWrite' + 'StorageDelete' +] + +@description('Optional. The name of metrics that will be streamed.') +@allowed([ + 'Transaction' +]) +param metricsToEnable array = [ + 'Transaction' +] + +var diagnosticsLogs = [for log in logsToEnable: { + category: log + enabled: true + retentionPolicy: { + enabled: true + days: diagnosticLogsRetentionInDays + } +}] + +var diagnosticsMetrics = [for metric in metricsToEnable: { + category: metric + timeGrain: null + enabled: true + retentionPolicy: { + enabled: true + days: diagnosticLogsRetentionInDays + } +}] + module pid_cuaId '.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) { name: 'pid-${cuaId}' params: {} 
@@ -38,6 +94,19 @@ resource fileServices 'Microsoft.Storage/storageAccounts/fileServices@2021-04-01 } } +resource fileServices_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(workspaceId)) || (!empty(eventHubAuthorizationRuleId)) || (!empty(eventHubName))) { + name: '${fileServices.name}-diagnosticSettings' + properties: { + storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null + workspaceId: !empty(workspaceId) ? workspaceId : null + eventHubAuthorizationRuleId: !empty(eventHubAuthorizationRuleId) ? eventHubAuthorizationRuleId : null + eventHubName: !empty(eventHubName) ? eventHubName : null + metrics: diagnosticsMetrics + logs: diagnosticsLogs + } + scope: fileServices +} + module fileServices_shares 'shares/deploy.bicep' = [for (share, index) in shares: { name: '${deployment().name}-File-${index}' params: { diff --git a/arm/Microsoft.Storage/storageAccounts/fileServices/readme.md b/arm/Microsoft.Storage/storageAccounts/fileServices/readme.md index 3f905df4be..3334761911 100644 --- a/arm/Microsoft.Storage/storageAccounts/fileServices/readme.md +++ b/arm/Microsoft.Storage/storageAccounts/fileServices/readme.md @@ -7,6 +7,7 @@ This module can be used to deploy a file share service into a storage account. | Resource Type | API Version | | :-- | :-- | | `Microsoft.Authorization/roleAssignments` | 2020-04-01-preview | +| `Microsoft.Insights/diagnosticSettings` | 2021-05-01-preview | | `Microsoft.Storage/storageAccounts/fileServices` | 2021-04-01 | | `Microsoft.Storage/storageAccounts/fileServices/shares` | 2019-06-01 | 
@@ -15,11 +16,18 @@ This module can be used to deploy a file share service into a storage account. | Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | | `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered | +| `diagnosticLogsRetentionInDays` | int | `365` | | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | +| `diagnosticStorageAccountId` | string | | | Optional. Resource ID of the diagnostic storage account. | +| `eventHubAuthorizationRuleId` | string | | | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| `eventHubName` | string | | | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| `logsToEnable` | array | `[StorageRead, StorageWrite, StorageDelete]` | `[StorageRead, StorageWrite, StorageDelete]` | Optional. The name of logs that will be streamed. | +| `metricsToEnable` | array | `[Transaction]` | `[Transaction]` | Optional. The name of metrics that will be streamed. | | `name` | string | `default` | | Optional. The name of the file service | | `protocolSettings` | object | `{object}` | | Protocol settings for file service | | `shareDeleteRetentionPolicy` | object | `{object}` | | The service properties for soft delete. | | `shares` | _[shares](shares/readme.md)_ array | `[]` | | Optional. File shares to create. | | `storageAccountName` | string | | | Required. Name of the Storage Account. | +| `workspaceId` | string | | | Optional. Resource ID of a log analytics workspace. | ## Outputs 
@@ -32,5 +40,6 @@ This module can be used to deploy a file share service into a storage account. ## Template references - [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-04-01-preview/roleAssignments) +- [Diagnosticsettings](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) - [Storageaccounts/Fileservices](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Storage/2021-04-01/storageAccounts/fileServices) - [Storageaccounts/Fileservices/Shares](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Storage/2019-06-01/storageAccounts/fileServices/shares) diff --git a/arm/Microsoft.Storage/storageAccounts/queueServices/deploy.bicep b/arm/Microsoft.Storage/storageAccounts/queueServices/deploy.bicep index 27f7e9d453..5a7ba6cb5c 100644 --- a/arm/Microsoft.Storage/storageAccounts/queueServices/deploy.bicep +++ b/arm/Microsoft.Storage/storageAccounts/queueServices/deploy.bicep 
@@ -8,9 +8,65 @@ param name string = 'default' @description('Optional. Queues to create.') param queues array = [] +@description('Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely.') +@minValue(0) +@maxValue(365) +param diagnosticLogsRetentionInDays int = 365 + +@description('Optional. Resource ID of the diagnostic storage account.') +param diagnosticStorageAccountId string = '' + +@description('Optional. Resource ID of a log analytics workspace.') +param workspaceId string = '' + +@description('Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') +param eventHubAuthorizationRuleId string = '' + +@description('Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') +param eventHubName string = '' + @description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered') param cuaId string = '' +@description('Optional. The name of logs that will be streamed.') +@allowed([ + 'StorageRead' + 'StorageWrite' + 'StorageDelete' +]) +param logsToEnable array = [ + 'StorageRead' + 'StorageWrite' + 'StorageDelete' +] + +@description('Optional. The name of metrics that will be streamed.') +@allowed([ + 'Transaction' +]) +param metricsToEnable array = [ + 'Transaction' +] + +var diagnosticsLogs = [for log in logsToEnable: { + category: log + enabled: true + retentionPolicy: { + enabled: true + days: diagnosticLogsRetentionInDays + } +}] + +var diagnosticsMetrics = [for metric in metricsToEnable: { + category: metric + timeGrain: null + enabled: true + retentionPolicy: { + enabled: true + days: diagnosticLogsRetentionInDays + } +}] + module pid_cuaId '.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) { name: 'pid-${cuaId}' params: {} 
@@ -26,6 +82,19 @@ resource queueServices 'Microsoft.Storage/storageAccounts/queueServices@2021-04- properties: {} } +resource queueServices_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(workspaceId)) || (!empty(eventHubAuthorizationRuleId)) || (!empty(eventHubName))) { + name: '${queueServices.name}-diagnosticSettings' + properties: { + storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null + workspaceId: !empty(workspaceId) ? workspaceId : null + eventHubAuthorizationRuleId: !empty(eventHubAuthorizationRuleId) ? eventHubAuthorizationRuleId : null + eventHubName: !empty(eventHubName) ? eventHubName : null + metrics: diagnosticsMetrics + logs: diagnosticsLogs + } + scope: queueServices +} + module queueServices_queues 'queues/deploy.bicep' = [for (queue, index) in queues: { name: '${deployment().name}-Queue-${index}' params: { diff --git a/arm/Microsoft.Storage/storageAccounts/queueServices/readme.md b/arm/Microsoft.Storage/storageAccounts/queueServices/readme.md index dbcd3a6b61..32afcf82d4 100644 --- a/arm/Microsoft.Storage/storageAccounts/queueServices/readme.md +++ b/arm/Microsoft.Storage/storageAccounts/queueServices/readme.md @@ -7,6 +7,7 @@ This module can be used to deploy a file share service into a storage account. | Resource Type | API Version | | :-- | :-- | | `Microsoft.Authorization/roleAssignments` | 2020-04-01-preview | +| `Microsoft.Insights/diagnosticSettings` | 2021-05-01-preview | | `Microsoft.Storage/storageAccounts/queueServices` | 2021-04-01 | | `Microsoft.Storage/storageAccounts/queueServices/queues` | 2019-06-01 | 
@@ -15,9 +16,17 @@ This module can be used to deploy a file share service into a storage account. | Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | | `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered | +| `diagnosticLogsRetentionInDays` | int | `365` | | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | +| `diagnosticStorageAccountId` | string | | | Optional. Resource ID of the diagnostic storage account. | +| `eventHubAuthorizationRuleId` | string | | | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| `eventHubName` | string | | | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| `logsToEnable` | array | `[StorageRead, StorageWrite, StorageDelete]` | `[StorageRead, StorageWrite, StorageDelete]` | Optional. The name of logs that will be streamed. | +| `metricsToEnable` | array | `[Transaction]` | `[Transaction]` | Optional. The name of metrics that will be streamed. | | `name` | string | `default` | | Optional. The name of the queue service | | `queues` | _[queues](queues/readme.md)_ array | `[]` | | Optional. Queues to create. | | `storageAccountName` | string | | | Required. Name of the Storage Account. | +| `workspaceId` | string | | | Optional. Resource ID of a log analytics workspace. | + ## Outputs 
@@ -30,5 +39,6 @@ This module can be used to deploy a file share service into a storage account. ## Template references - [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-04-01-preview/roleAssignments) +- [Diagnosticsettings](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) - [Storageaccounts/Queueservices](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Storage/2021-04-01/storageAccounts/queueServices) - [Storageaccounts/Queueservices/Queues](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Storage/2019-06-01/storageAccounts/queueServices/queues) diff --git a/arm/Microsoft.Storage/storageAccounts/readme.md b/arm/Microsoft.Storage/storageAccounts/readme.md index 286e6647a0..9ba12d0657 100644 --- a/arm/Microsoft.Storage/storageAccounts/readme.md +++ b/arm/Microsoft.Storage/storageAccounts/readme.md @@ -8,6 +8,7 @@ This module is used to deploy a storage account, with the ability to deploy 1 or | :-- | :-- | | `Microsoft.Authorization/locks` | 2016-09-01 | | `Microsoft.Authorization/roleAssignments` | 2020-04-01-preview | +| `Microsoft.Insights/diagnosticSettings` | 2021-05-01-preview | | `Microsoft.Network/privateEndpoints` | 2021-05-01 | | `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | 2021-02-01 | | `Microsoft.Storage/storageAccounts` | 2021-06-01 | 
@@ -31,11 +32,16 @@ This module is used to deploy a storage account, with the ability to deploy 1 or | `basetime` | string | `[utcNow('u')]` | | Generated. Do not provide a value! This date value is used to generate a SAS token to access the modules. | | `blobServices` | _[blobServices](blobServices/readme.md)_ object | `{object}` | | Optional. Blob service and containers to deploy | | `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered | +| `diagnosticLogsRetentionInDays` | int | `365` | | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | +| `diagnosticStorageAccountId` | string | | | Optional. Resource ID of the diagnostic storage account. | | `enableHierarchicalNamespace` | bool | | | Optional. If true, enables Hierarchical Namespace for the storage account | +| `eventHubAuthorizationRuleId` | string | | | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| `eventHubName` | string | | | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | | `fileServices` | _[fileServices](fileServices/readme.md)_ object | `{object}` | | Optional. File service and shares to deploy | | `location` | string | `[resourceGroup().location]` | | Optional. Location for all resources. | | `lock` | string | `NotSpecified` | `[CanNotDelete, NotSpecified, ReadOnly]` | Optional. Specify the type of lock. | | `managementPolicyRules` | array | `[]` | | Optional. The Storage Account ManagementPolicies Rules. | +| `metricsToEnable` | array | `[Transaction]` | `[Transaction]` | Optional. The name of metrics that will be streamed. | | `minimumTlsVersion` | string | `TLS1_2` | `[TLS1_0, TLS1_1, TLS1_2]` | Optional. Set the minimum TLS version on request to storage. 
| | `name` | string | | | Optional. Name of the Storage Account. | | `networkAcls` | object | `{object}` | | Optional. Networks ACLs, this value contains IPs to whitelist and/or Subnet information. | @@ -50,6 +56,7 @@ This module is used to deploy a storage account, with the ability to deploy 1 or | `tags` | object | `{object}` | | Optional. Tags of the resource. | | `userAssignedIdentities` | object | `{object}` | | Optional. The ID(s) to assign to the resource. | | `vNetId` | string | | | Optional. Virtual Network Identifier used to create a service endpoint. | +| `workspaceId` | string | | | Optional. Resource ID of a log analytics workspace. | ### Parameter Usage: `roleAssignments` @@ -175,6 +182,7 @@ The hierarchical namespace of the storage account (see parameter `enableHierarch - [Locks](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2016-09-01/locks) - [Roleassignments](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-04-01-preview/roleAssignments) +- [Diagnosticsettings](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) - [Privateendpoints](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-05-01/privateEndpoints) - [Privateendpoints/Privatednszonegroups](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-02-01/privateEndpoints/privateDnsZoneGroups) - [Storageaccounts](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Storage/2021-06-01/storageAccounts) diff --git a/arm/Microsoft.Storage/storageAccounts/tableServices/deploy.bicep b/arm/Microsoft.Storage/storageAccounts/tableServices/deploy.bicep index 90e1ce5712..bd8d531e66 100644 --- a/arm/Microsoft.Storage/storageAccounts/tableServices/deploy.bicep +++ b/arm/Microsoft.Storage/storageAccounts/tableServices/deploy.bicep 
@@ -8,9 +8,65 @@ param name string = 'default' @description('Optional. tables to create.') param tables array = [] +@description('Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely.') +@minValue(0) +@maxValue(365) +param diagnosticLogsRetentionInDays int = 365 + +@description('Optional. Resource ID of the diagnostic storage account.') +param diagnosticStorageAccountId string = '' + +@description('Optional. Resource ID of a log analytics workspace.') +param workspaceId string = '' + +@description('Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') +param eventHubAuthorizationRuleId string = '' + +@description('Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.') +param eventHubName string = '' + @description('Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered') param cuaId string = '' +@description('Optional. The name of logs that will be streamed.') +@allowed([ + 'StorageRead' + 'StorageWrite' + 'StorageDelete' +]) +param logsToEnable array = [ + 'StorageRead' + 'StorageWrite' + 'StorageDelete' +] + +@description('Optional. The name of metrics that will be streamed.') +@allowed([ + 'Transaction' +]) +param metricsToEnable array = [ + 'Transaction' +] + +var diagnosticsLogs = [for log in logsToEnable: { + category: log + enabled: true + retentionPolicy: { + enabled: true + days: diagnosticLogsRetentionInDays + } +}] + +var diagnosticsMetrics = [for metric in metricsToEnable: { + category: metric + timeGrain: null + enabled: true + retentionPolicy: { + enabled: true + days: diagnosticLogsRetentionInDays + } +}] + module pid_cuaId '.bicep/nested_cuaId.bicep' = if (!empty(cuaId)) { name: 'pid-${cuaId}' params: {} 
@@ -26,6 +82,19 @@ resource tableServices 'Microsoft.Storage/storageAccounts/tableServices@2021-04- properties: {} } +resource tableServices_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(workspaceId)) || (!empty(eventHubAuthorizationRuleId)) || (!empty(eventHubName))) { + name: '${tableServices.name}-diagnosticSettings' + properties: { + storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null + workspaceId: !empty(workspaceId) ? workspaceId : null + eventHubAuthorizationRuleId: !empty(eventHubAuthorizationRuleId) ? eventHubAuthorizationRuleId : null + eventHubName: !empty(eventHubName) ? eventHubName : null + metrics: diagnosticsMetrics + logs: diagnosticsLogs + } + scope: tableServices +} + module tableServices_tables 'tables/deploy.bicep' = [for (tableName, index) in tables: { name: '${deployment().name}-Table-${index}' params: { diff --git a/arm/Microsoft.Storage/storageAccounts/tableServices/readme.md b/arm/Microsoft.Storage/storageAccounts/tableServices/readme.md index 53352bc756..499eea50a0 100644 --- a/arm/Microsoft.Storage/storageAccounts/tableServices/readme.md +++ b/arm/Microsoft.Storage/storageAccounts/tableServices/readme.md @@ -6,6 +6,7 @@ This module deploys a storage account table service | Resource Type | API Version | | :-- | :-- | +| `Microsoft.Insights/diagnosticSettings` | 2021-05-01-preview | | `Microsoft.Storage/storageAccounts/tableServices` | 2021-04-01 | | `Microsoft.Storage/storageAccounts/tableServices/tables` | 2021-06-01 | 
@@ -14,10 +15,16 @@ This module deploys a storage account table service | Parameter Name | Type | Default Value | Possible Values | Description | | :-- | :-- | :-- | :-- | :-- | | `cuaId` | string | | | Optional. Customer Usage Attribution ID (GUID). This GUID must be previously registered | +| `diagnosticLogsRetentionInDays` | int | `365` | | Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. | +| `diagnosticStorageAccountId` | string | | | Optional. Resource ID of the diagnostic storage account. | +| `eventHubAuthorizationRuleId` | string | | | Optional. Resource ID of the event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. | +| `eventHubName` | string | | | Optional. Name of the event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. | +| `logsToEnable` | array | `[StorageRead, StorageWrite, StorageDelete]` | `[StorageRead, StorageWrite, StorageDelete]` | Optional. The name of logs that will be streamed. | +| `metricsToEnable` | array | `[Transaction]` | `[Transaction]` | Optional. The name of metrics that will be streamed. | | `name` | string | `default` | | Optional. The name of the table service | | `storageAccountName` | string | | | Required. Name of the Storage Account. | | `tables` | _[tables](tables/readme.md)_ array | `[]` | | Optional. tables to create. | - +| `workspaceId` | string | | | Optional. Resource ID of a log analytics workspace. | ## Outputs 
@@ -29,5 +36,6 @@ This module deploys a storage account table service ## Template references +- [Diagnosticsettings](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) - [Storageaccounts/Tableservices](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Storage/2021-04-01/storageAccounts/tableServices) - [Storageaccounts/Tableservices/Tables](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Storage/2021-06-01/storageAccounts/tableServices/tables)