Hello,
I have a policy (definition below) that deploys an activity log alert into every subscription that does not already have it, since alerts cannot currently be created at management group scope. I could not get the policy parameters (`enabled`, `alertResourceGroupName`) passed from the policy down through the two nested templates of the deployIfNotExists deployment: the `deployment.properties` block carries only `mode` and `template` and no `parameters` mapping, so each template appears to fall back on its own `defaultValue`. To stop the remediation task (i.e. the deployment) from failing I had to repeat the default value in every template.
Any hints on how to wire the policy parameters through to the nested templates correctly would be appreciated.
{
"properties": {
"displayName": "Alert for VNET Peering",
"policyType": "Custom",
"mode": "All",
"metadata": {
"category": "Monitoring",
"createdBy": "USERID",
"createdOn": "2024-05-07T08:32:23.1194688Z",
"updatedBy": null,
"updatedOn": null
},
"version": "1.0.0",
"parameters": {
"enabled": {
"type": "String",
"metadata": {
"displayName": "Alert State",
"description": "Whether the deployed activity log alert is enabled ('true') or disabled ('false'); the same value is used in the existence check"
},
"allowedValues": [
"true",
"false"
],
"defaultValue": "true"
},
"alertResourceGroupName": {
"type": "String",
"metadata": {
"displayName": "Resource Group Name",
"description": "Resource group the alert is deployed into; the deployment creates it if it does not already exist"
},
"defaultValue": "rg-amba-monitoring-001"
},
"MonitorDisable": {
"type": "String",
"metadata": {
"displayName": "Monitor Disable Tag Name",
"description": "Name of the tag that disables monitoring on a resource. Resources carrying this tag with the value 'true' are excluded from the policy"
},
"defaultValue": "MonitorDisable"
}
},
"policyRule": {
"if": {
"allOf": [
{
"field": "type",
"equals": "Microsoft.Network/virtualNetworks/"
},
{
"field": "[concat('tags[', parameters('MonitorDisable'), ']')]",
"notEquals": "true"
}
]
},
"then": {
"effect": "deployIfNotExists",
"details": {
"roleDefinitionIds": [
"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
],
"type": "Microsoft.Insights/activityLogAlerts",
"name": "AlertVNETPeering",
"existenceScope": "resourceGroup",
"resourceGroupName": "[parameters('alertResourceGroupName')]",
"deploymentScope": "subscription",
"existenceCondition": {
"allOf": [
{
"field": "Microsoft.Insights/ActivityLogAlerts/enabled",
"equals": "[parameters('enabled')]"
},
{
"count": {
"field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*]",
"where": {
"anyOf": [
{
"allOf": [
{
"field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
"equals": "category"
},
{
"field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals",
"equals": "Administrative"
}
]
},
{
"allOf": [
{
"field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].field",
"equals": "operationName"
},
{
"field": "Microsoft.Insights/ActivityLogAlerts/condition.allOf[*].equals",
"equals": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write"
}
]
}
]
}
},
"equals": 2
}
]
},
"deployment": {
"location": "westeurope",
"properties": {
"mode": "incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"alertResourceGroupName": {
"type": "string",
"defaultValue": "rg-amba-monitoring-001"
},
"enabled": {
"type": "string",
"defaultValue": "true"
}
},
"variables": {},
"resources": [
{
"type": "Microsoft.Resources/resourceGroups",
"apiVersion": "2021-04-01",
"location": "westeurope",
"name": "[parameters('alertResourceGroupName')]"
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2019-10-01",
"name": "AlertVNETPeering",
"resourceGroup": "[parameters('alertResourceGroupName')]",
"dependsOn": [
"[concat('Microsoft.Resources/resourceGroups/', parameters('alertResourceGroupName'))]"
],
"properties": {
"mode": "Incremental",
"template": {
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"enabled": {
"type": "string",
"defaultValue": "true"
},
"alertResourceGroupName": {
"type": "string",
"defaultValue": "rg-amba-monitoring-001"
}
},
"variables": {},
"resources": [
{
"type": "microsoft.insights/activityLogAlerts",
"apiVersion": "2020-10-01",
"name": "ActivityVNETPeeringCreateUpdate",
"location": "global",
"properties": {
"description": "Activity Log VNET Peering Create or Update",
"enabled": "[parameters('enabled')]",
"scopes": [
"[subscription().id]"
],
"condition": {
"allOf": [
{
"field": "category",
"equals": "Administrative"
},
{
"field": "operationName",
"equals": "Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write"
},
{
"field": "status",
"containsAny": [
"succeeded"
]
}
]
},
"actions": {
"actionGroups": [
{
"actionGroupId": "/subscriptions/XXXxxx/resourcegroups/RGGROUPZZZ/providers/microsoft.insights/actiongroups/ag_vnetpeeringalert",
"webhookProperties": {}
}
]
}
}
}
]
}
}
}
]
}
}
}
}
}
},
"versions": [
"1.0.0"
]
},
"id": "/providers/Microsoft.Management/managementGroups/MGID/providers/Microsoft.Authorization/policyDefinitions/POLID",
"type": "Microsoft.Authorization/policyDefinitions",
"name": "c62d80ee-da27-4fbf-be32-ef4086046a22",
"systemData": {
"createdBy": "userupn",
"createdByType": "User",
"createdAt": "2024-05-14T06:57:27.9570401Z",
"lastModifiedBy": "userupn",
"lastModifiedByType": "User",
"lastModifiedAt": "2024-05-14T12:59:29.9138366Z"
}
}