Fixed app insights for function apps

jonathan-vella · May 3, 2021 · 4818f44 · 4818f44
1 parent ccedcf8
commit 4818f44
Show file tree

Hide file tree

Showing 4 changed files with 145 additions and 118 deletions.
diff --git a/bicep/naming-convention-log.bicep b/bicep/naming-convention-log.bicep
@@ -1,11 +1,61 @@
 targetScope = 'subscription'
 
-module log '../modules/naming-convention-generic.bicep' = {
- name: 'policy-naming-convention-log'
- params: {
- pattern: 'log-*'
- policyName: 'policy-naming-convention-log'
- assignmentName: 'assignment-naming-convention-log'
- type: 'Microsoft.OperationalInsights/workspaces'
+var policyName = 'policy-naming-convention-log'
+var assignmentName = 'assignment-naming-convention-log'
+var type = 'Microsoft.OperationalInsights/workspaces'
+
+@allowed([
+ 'Deny'
+ 'Audit'
+ 'Disabled'
+])
+@description('The effect determines what happens when the policy rule is evaluated to match')
+param effect string = 'Deny'
+
+@allowed([
+ 'Default'
+ 'DoNotEnforce'
+])
+@description('When enforcement mode is disabled, the policy effect isn\'t enforced (i.e. deny policy won\'t deny resources). Compliance assessment results are still available.')
+param enforcementMode string = 'Default'
+
+resource logPolicy 'Microsoft.Authorization/policyDefinitions@2020-03-01' = {
+ name: policyName
+ properties: {
+ policyType: 'Custom'
+ mode: 'All'
+ policyRule: {
+ if: {
+ allOf: [
+ {
+ field: 'type'
+ equals: type
+ }
+ {
+ allOf:[
+ {
+ field: 'name'
+ notLike: 'log-*'
+ }
+ {
+ field: 'name'
+ notLike: 'DefaultWorkspace-*' // Required by function app with app insights turned on
+ }
+ ]
+ }
+ ]
+ }
+ then: {
+ effect: effect
+ }
+ }
+ }
+}
+
+resource logAssignment 'Microsoft.Authorization/policyAssignments@2020-03-01' = {
+ name: assignmentName
+ properties: {
+ policyDefinitionId: logPolicy.id
+ enforcementMode: enforcementMode
  }
 }
diff --git a/bicep/naming-convention-plan.bicep b/bicep/naming-convention-plan.bicep
@@ -1,5 +1,9 @@
 targetScope = 'subscription'
 
+var policyName = 'policy-naming-convention-plan'
+var assignmentName = 'assignment-naming-convention-plan'
+var type = 'Microsoft.Web/serverfarms'
+
 @allowed([
  'Deny'
  'Audit'
@@ -15,8 +19,8 @@ param effect string = 'Deny'
 @description('When enforcement mode is disabled, the policy effect isn\'t enforced (i.e. deny policy won\'t deny resources). Compliance assessment results are still available.')
 param enforcementMode string = 'Default'
 
-resource genericPolicy 'Microsoft.Authorization/policyDefinitions@2020-03-01' = {
- name: 'policy-naming-convention-plan'
+resource planPolicy 'Microsoft.Authorization/policyDefinitions@2020-03-01' = {
+ name: policyName
  properties: {
  policyType: 'Custom'
  mode: 'All'
@@ -25,7 +29,7 @@ resource genericPolicy 'Microsoft.Authorization/policyDefinitions@2020-03-01' =
  allOf: [
  {
  field: 'type' 
- equals: 'Microsoft.Web/serverfarms'
+ equals: type
  }
  {
  allOf:[
@@ -49,9 +53,9 @@ resource genericPolicy 'Microsoft.Authorization/policyDefinitions@2020-03-01' =
 }
 
 resource genericAssignment 'Microsoft.Authorization/policyAssignments@2020-03-01' = {
- name: 'assignment-naming-convention-plan'
+ name: assignmentName
  properties: {
- policyDefinitionId: genericPolicy.id
+ policyDefinitionId: planPolicy.id
  enforcementMode: enforcementMode
  }
 }
diff --git a/dist/naming-convention-log.json b/dist/naming-convention-log.json
@@ -1,122 +1,90 @@
 {
  "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
+ "parameters": {
+ "effect": {
+ "type": "string",
+ "defaultValue": "Deny",
+ "metadata": {
+ "description": "The effect determines what happens when the policy rule is evaluated to match"
+ },
+ "allowedValues": [
+ "Deny",
+ "Audit",
+ "Disabled"
+ ]
+ },
+ "enforcementMode": {
+ "type": "string",
+ "defaultValue": "Default",
+ "metadata": {
+ "description": "When enforcement mode is disabled, the policy effect isn't enforced (i.e. deny policy won't deny resources). Compliance assessment results are still available."
+ },
+ "allowedValues": [
+ "Default",
+ "DoNotEnforce"
+ ]
+ }
+ },
  "functions": [],
+ "variables": {
+ "policyName": "policy-naming-convention-log",
+ "assignmentName": "assignment-naming-convention-log",
+ "type": "Microsoft.OperationalInsights/workspaces"
+ },
  "resources": [
  {
- "type": "Microsoft.Resources/deployments",
- "apiVersion": "2019-10-01",
- "name": "policy-naming-convention-log",
- "location": "[deployment().location]",
+ "type": "Microsoft.Authorization/policyDefinitions",
+ "apiVersion": "2020-03-01",
+ "name": "[variables('policyName')]",
  "properties": {
- "expressionEvaluationOptions": {
- "scope": "inner"
- },
- "mode": "Incremental",
- "parameters": {
- "pattern": {
- "value": "log-*"
- },
- "policyName": {
- "value": "policy-naming-convention-log"
- },
- "assignmentName": {
- "value": "assignment-naming-convention-log"
- },
- "type": {
- "value": "Microsoft.OperationalInsights/workspaces"
- }
- },
- "template": {
- "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "pattern": {
- "type": "string"
- },
- "policyName": {
- "type": "string"
- },
- "assignmentName": {
- "type": "string"
- },
- "type": {
- "type": "string"
- },
- "effect": {
- "type": "string",
- "defaultValue": "Deny",
- "metadata": {
- "description": "The effect determines what happens when the policy rule is evaluated to match"
- },
- "allowedValues": [
- "Deny",
- "Audit",
- "Disabled"
- ]
- },
- "enforcementMode": {
- "type": "string",
- "defaultValue": "Default",
- "metadata": {
- "description": "When enforcement mode is disabled, the policy effect isn't enforced (i.e. deny policy won't deny resources). Compliance assessment results are still available."
+ "policyType": "Custom",
+ "mode": "All",
+ "policyRule": {
+ "if": {
+ "allOf": [
+ {
+ "field": "type",
+ "equals": "[variables('type')]"
  },
- "allowedValues": [
- "Default",
- "DoNotEnforce"
- ]
- }
- },
- "functions": [],
- "resources": [
- {
- "type": "Microsoft.Authorization/policyDefinitions",
- "apiVersion": "2020-03-01",
- "name": "[parameters('policyName')]",
- "properties": {
- "policyType": "Custom",
- "mode": "All",
- "policyRule": {
- "if": {
- "allOf": [
- {
- "field": "type",
- "equals": "[parameters('type')]"
- },
- {
- "field": "name",
- "notLike": "[parameters('pattern')]"
- }
- ]
+ {
+ "allOf": [
+ {
+ "field": "name",
+ "notLike": "log-*"
  },
- "then": {
- "effect": "[parameters('effect')]"
+ {
+ "field": "name",
+ "notLike": "DefaultWorkspace-*"
  }
- }
+ ]
  }
- },
- {
- "type": "Microsoft.Authorization/policyAssignments",
- "apiVersion": "2020-03-01",
- "name": "[parameters('assignmentName')]",
- "properties": {
- "policyDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/policyDefinitions', parameters('policyName'))]",
- "enforcementMode": "[parameters('enforcementMode')]"
- },
- "dependsOn": [
- "[subscriptionResourceId('Microsoft.Authorization/policyDefinitions', parameters('policyName'))]"
- ]
- }
- ]
+ ]
+ },
+ "then": {
+ "effect": "[parameters('effect')]"
+ }
  }
  }
+ },
+ {
+ "type": "Microsoft.Authorization/policyAssignments",
+ "apiVersion": "2020-03-01",
+ "name": "[variables('assignmentName')]",
+ "properties": {
+ "policyDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/policyDefinitions', variables('policyName'))]",
+ "enforcementMode": "[parameters('enforcementMode')]"
+ },
+ "dependsOn": [
+ "[subscriptionResourceId('Microsoft.Authorization/policyDefinitions', variables('policyName'))]"
+ ]
  }
  ],
  "metadata": {
  "_generator": {
  "name": "bicep",
  "version": "0.3.1.62928",
- "templateHash": "13665525336705176722"
+ "templateHash": "5787499302193795859"
  }
  }
 }
diff --git a/dist/naming-convention-plan.json b/dist/naming-convention-plan.json
@@ -27,11 +27,16 @@
  }
  },
  "functions": [],
+ "variables": {
+ "policyName": "policy-naming-convention-plan",
+ "assignmentName": "assignment-naming-convention-plan",
+ "type": "Microsoft.Web/serverfarms"
+ },
  "resources": [
  {
  "type": "Microsoft.Authorization/policyDefinitions",
  "apiVersion": "2020-03-01",
- "name": "policy-naming-convention-plan",
+ "name": "[variables('policyName')]",
  "properties": {
  "policyType": "Custom",
  "mode": "All",
@@ -40,7 +45,7 @@
  "allOf": [
  {
  "field": "type",
- "equals": "Microsoft.Web/serverfarms"
+ "equals": "[variables('type')]"
  },
  {
  "allOf": [
@@ -65,21 +70,21 @@
  {
  "type": "Microsoft.Authorization/policyAssignments",
  "apiVersion": "2020-03-01",
- "name": "assignment-naming-convention-plan",
+ "name": "[variables('assignmentName')]",
  "properties": {
- "policyDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/policyDefinitions', 'policy-naming-convention-plan')]",
+ "policyDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/policyDefinitions', variables('policyName'))]",
  "enforcementMode": "[parameters('enforcementMode')]"
  },
  "dependsOn": [
- "[subscriptionResourceId('Microsoft.Authorization/policyDefinitions', 'policy-naming-convention-plan')]"
+ "[subscriptionResourceId('Microsoft.Authorization/policyDefinitions', variables('policyName'))]"
  ]
  }
  ],
  "metadata": {
  "_generator": {
  "name": "bicep",
  "version": "0.3.1.62928",
- "templateHash": "6562831825047563319"
+ "templateHash": "4943640268419423142"
  }
  }
 }