Write Azure policy to deny adding a second diagnostic setting to any resource if the first diagnostic setting already exists

jarvis-8094 0 Reputation points
2023-11-06T04:17:46.31+00:00

I tried the code below, but it doesn't seem to have any resource details and it doesn't work.

```json
{
  "mode": "All",
  "policyRule": {
    "if": {
      "field": "type",
      "equals": "Microsoft.Insights/diagnosticSettings"
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {}
}
```


1 answer

  1. AnuragSingh-MSFT 21,386 Reputation points
    2023-12-19T05:47:58.9766667+00:00

    jarvis-8094, apologies for the delayed response.

    Today, it is not possible through Azure Policy for a policy to take effect based on the existence of other resources. We do have deployIfNotExists policies which can automate the process of deploying diagnostic settings if they do not yet exist for a resource, but these do not prevent manual deployment of another diagnostic setting on the same resource.

    You would need to use another method to check for the existence of such diagnostic settings before deployment. This could be done using an automation runbook or a logic app, which could call the diagnosticSettings API for this information.

    Hope this helps.

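The pre-deployment check the answer describes, as an added example (not code from the question, the answer or Microsoft): it lists the diagnostic settings already present on a resource through the Azure Monitor diagnosticSettings REST API and blocks the deployment of a second one. The `fetch` callable and the sample list response are assumptions constructed for the example.

```python
# Added example (not code from the question or the answer): before a runbook
# or pipeline creates a diagnostic setting, list the settings that already
# exist on the target resource and refuse to add a second one.  The REST
# call is isolated behind a callable so the decision logic runs offline.
from typing import Callable, Dict, List, Optional

# Azure Monitor REST path for listing the diagnostic settings of a resource.
LIST_PATH = "{resource_id}/providers/Microsoft.Insights/diagnosticSettings"
API_VERSION = "2021-05-01-preview"

def existing_setting_names(list_response: Dict) -> List[str]:
    """Names of the settings in a GET .../diagnosticSettings list response."""
    return [item["name"] for item in list_response.get("value", [])
            if item.get("type", "").lower() == "microsoft.insights/diagnosticsettings"]

def can_add_setting(list_response: Dict, new_name: str) -> Optional[str]:
    """Return None if the setting may be created, otherwise the reason to block.

    Re-deploying a setting with the same name is an update of that setting,
    not a second one, so it is allowed; any other existing setting blocks.
    """
    others = [n for n in existing_setting_names(list_response) if n != new_name]
    if others:
        return "resource already has diagnostic setting(s): " + ", ".join(others)
    return None

def guard_deployment(resource_id: str, new_name: str,
                     fetch: Callable[[str], Dict]) -> bool:
    """Run the check against the list URL; `fetch` is a hypothetical callable
    (e.g. an authenticated GET using an ARM token) returning decoded JSON."""
    url = ("https://management.azure.com" + LIST_PATH.format(resource_id=resource_id)
           + "?api-version=" + API_VERSION)
    reason = can_add_setting(fetch(url), new_name)
    if reason:
        print(f"DENY {new_name} on {resource_id}: {reason}")
        return False
    return True

# Constructed sample list response (shape of the real API, values made up).
SAMPLE_RESOURCE = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
                   "rg1/providers/Microsoft.KeyVault/vaults/kv1")
SAMPLE_LIST = {"value": [{
    "id": SAMPLE_RESOURCE + "/providers/microsoft.insights/diagnosticSettings/to-law",
    "name": "to-law",
    "type": "Microsoft.Insights/diagnosticSettings",
    "properties": {"workspaceId": "<constructed-workspace-id>", "logs": []}}]}

if __name__ == "__main__":
    guard_deployment(SAMPLE_RESOURCE, "to-storage", lambda _url: SAMPLE_LIST)  # denied
```

Wire `fetch` to an authenticated GET in the runbook or logic app and run the guard as the step before the deployment that creates the setting.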
