Azure Policy for enabling diagnostic settings for WebApp/Function App - No resources remediated

Senthil Ramadoss 0 Reputation points
2024-06-21T12:39:52.0933333+00:00

I am working in an existing Azure environment where there is no governance and I am in the process of creating Azure Policies. Currently I am working on creating Azure Policy to enable Diagnostic settings for Azure Web App, Azure Function App and Web API. Initially I had one Azure Policy for all type of Web Apps. Later I split into two.

  1. Web App & Web API
  2. Function App

I thought to address the Function App with the below Policy Rule. But no resources where remediated.

We have about 60+ web apps without any governance and now when I want to implement Diagnostic settings to most of the azure services I find it difficult to debug why the azure policies are not remediated. Because when you remediate a policy it tries to perform the DeployIfNotExists action for azure web apps which is not an efficient way. How do we validate the policy rule conditions from a Cloud engineer point of view? Use Kusto Queries or Powershell/Azure CLI on the policyrule.

I tried with the built-in policy for function app (Enable logging by category group for Function App (microsoft.web/sites) to Log Analytics) but it didnt work as well.

  "if": {
                "allOf": [
                    {
                        "field": "type",
                        "equals": "Microsoft.Web/sites"
                    },
                    {
                        "not": {
                            "anyof": [
                                {
                                    "field": "kind",
                                    "like": "app"
                                },
                                {
                                    "field": "kind",
                                    "like": "api"
                                },
                                {
                                    "field": "kind",
                                    "like": "app,linux"
                                },
                                {
                                    "field": "kind",
                                    "like": "app,windows"
                                }
                            ]
                        }
                    },
                    {
                        "field": "kind",
                        "like": "functionapp"
                    },
                    {
                        "field": "kind",
                        "like": "functionapp,linux"
                    }
                ]
            },
            "then": {
                "effect": "[parameters('effect')]",
                "details": {
                    "type": "Microsoft.Insights/diagnosticSettings",
                    "name": "[parameters('profileName')]",
                    "existenceCondition": {
                        "allOf": [
                            {
                                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                                "equals": "[parameters('logAnalytics')]"
                            }
                        ]
                    },
                    "roleDefinitionIds": [

                    ],
                    "deployment": {
                        "properties": {
                            "mode": "incremental",
                            "template": {
                                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                                "contentVersion": "1.0.0.0",
                                "parameters": {
                                    "resourceName": {
                                        "type": "string"
                                    },
                                    "logAnalytics": {
                                        "type": "string"
                                    },
                                    "location": {
                                        "type": "string"
                                    },
                                    "profileName": {
                                        "type": "string"
                                    },
                                    "functionAppLogs": {
                                        "type": "string"
                                    },
                                    "appServiceAuthenticationLogs": {
                                        "type": "string"
                                    }
                                },
                                "variables": {},
                                "resources": [
                                    {
                                        "type": "Microsoft.Web/sites/providers/diagnosticSettings",
                                        "apiVersion": "2017-05-01-preview",
                                        "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                                        "location": "[parameters('location')]",
                                        "dependsOn": [],
                                        "properties": {
                                            "workspaceId": "[parameters('logAnalytics')]",
                                            "logs": [
                                                {
                                                    "category": "FunctionAppLogs",
                                                    "enabled": "[parameters('functionAppLogs')]"
                                                },
                                                {
                                                    "category": "AppServiceAuthenticationLogs",
                                                    "enabled": "[parameters('appServiceAuthenticationLogs')]"
                                                }
                                            ]
                                        }
                                    }
                                ],
                                "outputs": {}
                            },
                            "parameters": {
                                "logAnalytics": {
                                    "value": "[parameters('logAnalytics')]"
                                },
                                "resourceName": {
                                    "value": "[field('name')]"
                                },
                                "location": {
                                    "value": "[field('location')]"
                                },
                                "profileName": {
                                    "value": "[parameters('profileName')]"
                                },
                                "functionAppLogs": {
                                    "value": "[parameters('functionAppLogs')]"
                                },
                                "appServiceAuthenticationLogs": {
                                    "value": "[parameters('appServiceAuthenticationLogs')]"
                                }
                            }
                        }
                    }
                }
            }
        }
    }```
Azure Monitor
Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
3,331 questions
Azure Policy
Azure Policy
An Azure service that is used to implement corporate governance and standards at scale for Azure resources.
924 questions
Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
7,937 questions
0 comments No comments
{count} votes

3 answers

Sort by: Most helpful
  1. Prashant Kumar 780 Reputation points Microsoft Employee
    2024-07-05T05:45:52.4333333+00:00

    Hi Senthil,

    Since you are only targeting function apps, could you please try after removing all the like conditions and have the below one only. This will help to scan only function app resources.

    Also, when we use like operator, we should use Asterisk ot check if value starts-with or ends-with any particular string. Like explained in the below example.

    https://learn.microsoft.com/en-us/azure/governance/policy/concepts/definition-structure-policy-rule#conditions

    https://learn.microsoft.com/en-us/azure/governance/policy/concepts/definition-structure-policy-rule#value-examples

           {
                "field": "kind",
                "contains": "functionapp"
              },
    
    0 comments No comments

  2. Senthil Ramadoss 0 Reputation points
    2024-07-05T07:40:26.84+00:00

    I followed the below policy rule and it worked for function app, Anyway thanks for taking the time to look into it. @prashant kumar

                "if": {
                    "allOf": [
                        {
                            "field": "type",
                            "equals": "Microsoft.Web/sites"
                        },
                        {
                        "anyOf": [
                            {
                                "field": "kind",
                                "equals": "functionapp"
                            },
                            {
                                "field": "kind",
                                "equals": "functionapp,linux"
                            }
                        ]
                        }
                    ]
                }
    

  3. Abdul 2,615 Reputation points Microsoft Vendor
    2024-07-19T09:47:00.26+00:00

    Hi @Senthil Ramadoss,

    Since the Microsoft Q&A community has a policy that the question author cannot accept their own answer. They can only accept answers by others, Summarized and posted the solution that you shared, request you to Accept the answer, it will benefit the community find the answers quickly.

    Scenario:

    Creating Azure Policies to enable Diagnostic settings for Web App, Function App, and Web API in an existing Azure environment without governance.

    Issue:

    Despite specifying the desired conditions, the policy for Function Apps is not remediating any resources. Additionally, with 60+ web apps lacking governance, it is difficult to debug why the Azure policies are not being remediated efficiently.

    Things Tried:

    By implementing this specific policy rule, it was able to successfully enable the Diagnostic settings for the Function Apps, resolving the issue.

    Shared by @Senthil Ramadoss,

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.