Skip to main content

Adding Azure Monitor Link Scope via Bicep


Howdy Folks. 

As per my previous blog post, I mentioned my next post is going to be about deploying azure Link scope using bicep. So here am I with the latest blog post on that.

So let's cut to the chase, I have explained the importance of securing the log analytics workplaces using different methods. you can dig into my old post from this.

In most cases, we deploy the log analytics resources during the initial provisioning stage (Landing Zone preparation). So enabling this via BICEP is more suitable or via Json using a pipeline

Note - I have already discussed how to deploy bicep using Azure DevOps in of my earlier posts

There is a key thing before you go ahead with the deployment. The deployment user account must have

Microsoft.Authorization/roleAssignments/write permissions, such as User Access Administrator or Owner

reason for this is during this provisioning, a deployment user account will grant access to the link scope. so that it can talk to the monitor resources and also private endpoints. If the deployment account does not have permission, the Azure resource manager will show deployment is successful but this will not get properly configured.

The bicep template is part of 5 main components

  • Microsoft.Network/privateEndpoint
  • Microsoft.Network/privateEndpoints/privateDnsZoneGroups
  • Microsoft.insights/privateLinkScopes
  • Microsoft.Authorization/roleAssignments
  • Microsoft.Insights/privateLinkScopes/scopedResources

Below is the entire code

@description('Resource Group Name')
param rgName string

@description('Resource Group Name')
param location string =  resourceGroup().location

@description('appliction shortname. Used for resource naming.')
param lzShortName string 

@description('Customer shortname. Used for resource naming.')
param custShortName string

@description('Shortname of evironment. Used for resource naming.')
param envShortName string

@description('Type of the Private Endpoint')
param type string = 'azuremonitor'

@description('Subnet ID of the Private Endpoint Connection')
param subnetId string

@description('Ingetion Mode for the Link Scope')
param ingestionAccessMode string = 'Open'

@description('Query Mode for the Link Scope')
param queryAccessMode string = 'Open'

@description('Linked ResourceDetailes')
param linkedResources array

param principalIds array = [
  'd81fadde-2449-455f-92d2-3d7e3c952862'
]

param roleDefinitionIdOrName string = 'Reader'

var linkScopeName = 'links-${lzShortName}-${envShortName}-${custShortName}'
var resourceName = 'azure-monitor'
var builtInRoleNames = {
  'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
  'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
  'Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
  'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
  'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
  'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
  'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
  'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
  'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
  'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')
  'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
  'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
  'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
}


resource privateEndpoint 'Microsoft.Network/privateEndpoints@2021-05-01' = {
  name: '${resourceName}-pe'
  location: location
  properties: {
    subnet: {
      id: subnetId
    }
    privateLinkServiceConnections: [
      {
        name: '${resourceName}-${type}-plink'
        properties: {
          privateLinkServiceId: privateLinkScope.id
          groupIds: [
            type
          ]
        }
      }
    ]
  }
}

resource privateDNSZoneGroup 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2020-06-01' = {
  name: '${privateEndpoint.name}/default'
  properties: {
    privateDnsZoneConfigs: [
      {
        name: 'privatelink-monitor-azure-com'
        properties: {
          privateDnsZoneId: resourceId(subscription().subscriptionId,resourceGroup().name,'Microsoft.Network/privateDnsZones','privatelink.monitor.azure.com')
        }
      }
      {
        name: 'privatelink-oms-opinsights-azure-com'
        properties: {
          privateDnsZoneId: resourceId(subscription().subscriptionId,resourceGroup().name,'Microsoft.Network/privateDnsZones','privatelink.oms.opinsights.azure.com')
        }
      }
      {
        name: 'privatelink-ods-opinsights-azure-com'
        properties: {
          privateDnsZoneId: resourceId(subscription().subscriptionId,resourceGroup().name,'Microsoft.Network/privateDnsZones','privatelink.ods.opinsights.azure.com')
        }
      }
      {
        name: 'privatelink-agentsvc-azure-automation-net'
        properties: {
          privateDnsZoneId: resourceId(subscription().subscriptionId,resourceGroup().name,'Microsoft.Network/privateDnsZones','privatelink.agentsvc.azure-automation.net')
        }
      }
      {
        name: 'privatelink-blob-core-windows-net'
        properties: {
          privateDnsZoneId: resourceId(subscription().subscriptionId,resourceGroup().name,'Microsoft.Network/privateDnsZones','privatelink.blob.core.windows.net')
        }
      }
    ]
  }
}

resource privateLinkScope 'microsoft.insights/privateLinkScopes@2021-07-01-preview' = {
  name: linkScopeName
  location: 'global'
  properties: {
    accessModeSettings: {
      exclusions: [ 
      ]
      ingestionAccessMode: ingestionAccessMode
      queryAccessMode: queryAccessMode
    }
  }
}


resource roleAssignment 'Microsoft.Authorization/roleAssignments@2020-10-01-preview' = [for principalId in principalIds: {
  name: guid(privateLinkScope.name, principalId, roleDefinitionIdOrName)
  properties: {
    roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
    principalId: principalId
  }
  scope: privateLinkScope
}]

resource linkResources 'Microsoft.Insights/privateLinkScopes/scopedResources@2021-07-01-preview' = [for linkedResource in linkedResources:{
  name: 'scoped-${linkedResource.name}'
  parent: privateLinkScope
  properties: {
    linkedResourceId: linkedResource.id
  }
  dependsOn: [
    privateDNSZoneGroup
  ]
}]


#
output linkScopeName string = linkScopeName




You can also find the code in Github

https://github.com/dckloud-repo/Bicep-Public/blob/AzureMonitor/Azure_Monitor_Link_Scope.bicep

Like always please do comment down below, if I made any mistake or if you have any questions,


Labels:

Comments

Post a Comment

Popular posts from this blog

Deploying an Automation Account with a Runbook and Schedule Using Bicep

Introduction Automation is a key component in many organizations' cloud strategy. Azure Automation allows you to automate the creation, deployment, and management of resources in your Azure environment. In this post, we will walk through the process of deploying an Automation Account with a Runbook and Schedule using Bicep, a new domain-specific language for deploying Azure resources. Intention My intention at the  end is to run a PowerShell  script to start and shutdown Azure VMs based on tag values. PowerShell  script that I have used is from below l ink.  And two  of me   collogue s ( Michael Turnley   and Saudh Mohomad helped to modify the  PowerShell  script. Prerequisites Before we begin, you will need the following: An Azure subscription The Azure CLI installed on your machine. The Azure Bicep extension for the Azure CLI Creating the Automation Account The first step in deploying an Automation Account with a R...
Post a Comment
Read more

Securing Azure Services with Fetian FIDO

Hey Folks  Here again with another security topic with Fetian Fido. And once again Fetian devices proved their excellent quality and stability. For this I choose Fetian K33 -  AllinPass FIDO Security Key – FEITIAN (ftsafe.com) and  K39 -  Single-button FIDO Security Keys | FEITIAN (ftsafe.com) Use case  In an organization following changes needs to be implemented.  1. Update the password policy 2. Update the user session time out to 30 minutes Once these changes being implemented, the following issues need to be addressed 1. Users' complaint new passwords need to be so long 2. Users complain sessions time out makes them work so much slower with the longer passwords 3. Etc... Solution  One of my friends reached out to me to help solve this problem. All I could think of was using passwordless auth with FIDO devices. We have decided to use Fido2 keys for better security and flexibility for the users. The FIDO (Fast IDentity Online) Alliance helps to pro...
Post a Comment
Read more

Migrating Azure DevOps Variable Groups

Howdy Folks, I was working on an application modernization project. And there was a requirement to migrate application deployments from one project to another in Azure DevOps. deployment pipelines were heavily dependent on variable groups. So, we wanted to migrate these variables group to the new project. Couldn't find any solutions in internet for this, so came up with the below scripts. You can grab the scripts from the below GitHub URL. DaniduWeerasinghe911/Migrate-Azure-DevOps-Variable-Groups: This Repo Include PowerShell Scripts relating to Migrating Azure DevOps Variable Groups (github.com) Azure DevOps Variable Groups Azure DevOps Variable Groups are a way to store and manage sets of variables that can be used across multiple pipelines in Azure DevOps. These variables can include secrets, connection strings, and other sensitive information that is needed for builds and releases. Variable Groups provide a centralized way to manage these variables and ensure that they are cons...
Post a Comment
Read more