
Help with modifying built-in policy "Deploy Diagnostic Settings for Key Vault to Event Hub" so that it forwards logs to an Event Hub based on the key vault's region

Nick Morris 0 Reputation points
2023-12-27T22:12:26.9733333+00:00

With the limitation of Event Hub namespaces only being able to receive logs from resources in the same region, I am trying to avoid creating an assignment for every region we operate in and instead simplify it into one custom policy assignment, so that for services such as Key Vault the policy can detect the location where the resource resides and assign the logs to be forwarded to the correct Event Hub for that location.

Hoping for some assistance in crafting this (I am new to Azure Policy). I assume this is a commonly solved problem for this limitation, but I didn't find examples in the docs or online.

The built-in policy I would like to base this off of is ed7c8c13-51e7-49d1-8a43-8490431a0da2 "Deploy Diagnostic Settings for Key Vault to Event Hub". Is there anyone willing to help with this?

Azure Policy

An Azure service that is used to implement corporate governance and standards at scale for Azure resources.
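As an added example that is not part of the question, the answer, or Microsoft's built-in policy, here is one way a custom DeployIfNotExists policy could be shaped to do what the question asks: a single assignment carries an object parameter mapping each region to the Event Hub authorization rule and hub name for that region, and the vault's location is used as the lookup key when the diagnostic setting is deployed. Everything in it is constructed for illustration: the parameter names, the profile name, the placeholder subscription/resource-group/namespace values, and the two default regions. The two role definition ids are the built-in roles Monitoring Contributor and Azure Event Hubs Data Owner, which the remediation identity needs to write the diagnostic setting and send to the hub. The region-keyed lookup inside the nested template uses ARM bracket property access (`parameters('map')[parameters('key')]`); the same lookup in the existence condition is an assumption about what the policy language accepts and should be verified in a test assignment before relying on it for compliance results.

```json
{
  "properties": {
    "displayName": "Deploy Key Vault diagnostic settings to the Event Hub in the vault's own region (example)",
    "policyType": "Custom",
    "mode": "Indexed",
    "description": "Example custom policy: one assignment with a per-region map of Event Hub targets; the vault's location selects the target.",
    "parameters": {
      "supportedRegions": {
        "type": "Array",
        "metadata": { "displayName": "Regions covered by eventHubsByRegion (keys must match)" },
        "defaultValue": [ "eastus", "westeurope" ]
      },
      "eventHubsByRegion": {
        "type": "Object",
        "metadata": { "displayName": "Region to Event Hub target map (placeholder values, replace per region)" },
        "defaultValue": {
          "eastus": {
            "authorizationRuleId": "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RG_EASTUS>/providers/Microsoft.EventHub/namespaces/<NAMESPACE_EASTUS>/authorizationRules/RootManageSharedAccessKey",
            "eventHubName": "keyvault-logs"
          },
          "westeurope": {
            "authorizationRuleId": "/subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<RG_WESTEUROPE>/providers/Microsoft.EventHub/namespaces/<NAMESPACE_WESTEUROPE>/authorizationRules/RootManageSharedAccessKey",
            "eventHubName": "keyvault-logs"
          }
        }
      },
      "profileName": {
        "type": "String",
        "metadata": { "displayName": "Diagnostic setting name" },
        "defaultValue": "setByPolicy-regionalEventHub"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          { "field": "type", "equals": "Microsoft.KeyVault/vaults" },
          { "field": "location", "in": "[parameters('supportedRegions')]" }
        ]
      },
      "then": {
        "effect": "DeployIfNotExists",
        "details": {
          "type": "Microsoft.Insights/diagnosticSettings",
          "name": "[parameters('profileName')]",
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/Microsoft.Authorization/roleDefinitions/f526a384-b230-433a-b45c-95f59c4a2dec"
          ],
          "existenceCondition": {
            "allOf": [
              { "field": "Microsoft.Insights/diagnosticSettings/logs.enabled", "equals": "true" },
              {
                "field": "Microsoft.Insights/diagnosticSettings/eventHubAuthorizationRuleId",
                "equals": "[parameters('eventHubsByRegion')[field('location')].authorizationRuleId]"
              }
            ]
          },
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "vaultName": { "type": "string" },
                  "location": { "type": "string" },
                  "eventHubsByRegion": { "type": "object" },
                  "profileName": { "type": "string" }
                },
                "variables": {
                  "target": "[parameters('eventHubsByRegion')[parameters('location')]]"
                },
                "resources": [
                  {
                    "type": "Microsoft.KeyVault/vaults/providers/diagnosticSettings",
                    "apiVersion": "2021-05-01-preview",
                    "name": "[concat(parameters('vaultName'), '/Microsoft.Insights/', parameters('profileName'))]",
                    "properties": {
                      "eventHubAuthorizationRuleId": "[variables('target').authorizationRuleId]",
                      "eventHubName": "[variables('target').eventHubName]",
                      "logs": [ { "category": "AuditEvent", "enabled": true } ],
                      "metrics": [ { "category": "AllMetrics", "enabled": true } ]
                    }
                  }
                ]
              },
              "parameters": {
                "vaultName": { "value": "[field('name')]" },
                "location": { "value": "[field('location')]" },
                "eventHubsByRegion": { "value": "[parameters('eventHubsByRegion')]" },
                "profileName": { "value": "[parameters('profileName')]" }
              }
            }
          }
        }
      }
    }
  }
}
```

The `supportedRegions` filter keeps a vault in a region without a map entry from producing a failed remediation deployment; it is evaluated as non-compliant only if its region is listed, so the two parameters must be kept in step. If the assignment rejects the map lookup inside `existenceCondition`, drop that second clause and keep only the `logs.enabled` check: compliance evaluation becomes coarser, but the deployment still sends each vault's AuditEvent log to the hub of its own region.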


1 answer

  1. Luke Murray 11,521 Reputation points MVP
    2024-01-04T08:03:06.5433333+00:00

    Hi, Nick

    I am not entirely sure you can achieve what you want to achieve; the closest thing I could think of would be to use the same name and resource group for each region, but it still wouldn't be supported.

    I had a look at a range of official and community-driven policies for reference: https://www.azadvertizer.net/azpolicyadvertizer_all.html - however, nothing comes close.

    This is something you may need to supplement and implement with Azure Automation runbooks running PowerShell scripts.
