Azure Policy for enabling diagnostic settings for WebApp/Function App - No resources remediated

Senthil Ramadoss 0 Reputation points
2024-06-21T12:39:52.0933333+00:00

I am working in an existing Azure environment where there is no governance and I am in the process of creating Azure Policies. Currently I am working on creating an Azure Policy to enable Diagnostic settings for Azure Web App, Azure Function App and Web API. Initially I had one Azure Policy for all types of Web Apps. Later I split it into two.

  1. Web App & Web API
  2. Function App

I thought to address the Function App with the below Policy Rule. But no resources were remediated.

We have about 60+ web apps without any governance and now, when I want to implement Diagnostic settings for most of the Azure services, I find it difficult to debug why the Azure policies are not remediated. Because when you remediate a policy it tries to perform the DeployIfNotExists action for Azure web apps, which is not an efficient way. How do we validate the policy rule conditions from a Cloud engineer's point of view? Use Kusto queries or PowerShell/Azure CLI on the policy rule?

I tried with the built-in policy for function app (Enable logging by category group for Function App (microsoft.web/sites) to Log Analytics) but it didn't work as well.

```json
{
    "if": {
        "allOf": [
            {
                "field": "type",
                "equals": "Microsoft.Web/sites"
            },
            {
                "not": {
                    "anyof": [
                        {
                            "field": "kind",
                            "like": "app"
                        },
                        {
                            "field": "kind",
                            "like": "api"
                        },
                        {
                            "field": "kind",
                            "like": "app,linux"
                        },
                        {
                            "field": "kind",
                            "like": "app,windows"
                        }
                    ]
                }
            },
            {
                "field": "kind",
                "like": "functionapp"
            },
            {
                "field": "kind",
                "like": "functionapp,linux"
            }
        ]
    },
    "then": {
        "effect": "[parameters('effect')]",
        "details": {
            "type": "Microsoft.Insights/diagnosticSettings",
            "name": "[parameters('profileName')]",
            "existenceCondition": {
                "allOf": [
                    {
                        "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                        "equals": "[parameters('logAnalytics')]"
                    }
                ]
            },
            "roleDefinitionIds": [],
            "deployment": {
                "properties": {
                    "mode": "incremental",
                    "template": {
                        "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                        "contentVersion": "1.0.0.0",
                        "parameters": {
                            "resourceName": {
                                "type": "string"
                            },
                            "logAnalytics": {
                                "type": "string"
                            },
                            "location": {
                                "type": "string"
                            },
                            "profileName": {
                                "type": "string"
                            },
                            "functionAppLogs": {
                                "type": "string"
                            },
                            "appServiceAuthenticationLogs": {
                                "type": "string"
                            }
                        },
                        "variables": {},
                        "resources": [
                            {
                                "type": "Microsoft.Web/sites/providers/diagnosticSettings",
                                "apiVersion": "2017-05-01-preview",
                                "name": "[concat(parameters('resourceName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
                                "location": "[parameters('location')]",
                                "dependsOn": [],
                                "properties": {
                                    "workspaceId": "[parameters('logAnalytics')]",
                                    "logs": [
                                        {
                                            "category": "FunctionAppLogs",
                                            "enabled": "[parameters('functionAppLogs')]"
                                        },
                                        {
                                            "category": "AppServiceAuthenticationLogs",
                                            "enabled": "[parameters('appServiceAuthenticationLogs')]"
                                        }
                                    ]
                                }
                            }
                        ],
                        "outputs": {}
                    },
                    "parameters": {
                        "logAnalytics": {
                            "value": "[parameters('logAnalytics')]"
                        },
                        "resourceName": {
                            "value": "[field('name')]"
                        },
                        "location": {
                            "value": "[field('location')]"
                        },
                        "profileName": {
                            "value": "[parameters('profileName')]"
                        },
                        "functionAppLogs": {
                            "value": "[parameters('functionAppLogs')]"
                        },
                        "appServiceAuthenticationLogs": {
                            "value": "[parameters('appServiceAuthenticationLogs')]"
                        }
                    }
                }
            }
        }
    }
}
```

2 answers

  1. Prashant Kumar 225 Reputation points Microsoft Employee
    2024-07-05T05:45:52.4333333+00:00

    Hi Senthil,

    Since you are only targeting function apps, could you please try removing all the like conditions and keeping only the one below. This will help to scan only function app resources.

    Also, when we use the like operator, we should use an asterisk to check if the value starts with or ends with any particular string, as explained in the examples below.

    https://learn.microsoft.com/en-us/azure/governance/policy/concepts/definition-structure-policy-rule#conditions

    https://learn.microsoft.com/en-us/azure/governance/policy/concepts/definition-structure-policy-rule#value-examples

    ```json
    {
        "field": "kind",
        "contains": "functionapp"
    },
    ```

  2. Senthil Ramadoss 0 Reputation points
    2024-07-05T07:40:26.84+00:00

    I followed the policy rule below and it worked for the function app. Anyway, thanks for taking the time to look into it. @prashant kumar

    ```json
    "if": {
        "allOf": [
            {
                "field": "type",
                "equals": "Microsoft.Web/sites"
            },
            {
                "anyOf": [
                    {
                        "field": "kind",
                        "equals": "functionapp"
                    },
                    {
                        "field": "kind",
                        "equals": "functionapp,linux"
                    }
                ]
            }
        ]
    }
    ```
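The question asks how to validate a policy rule's conditions without running a remediation, and both replies turn on how `like`, `equals` and `contains` select the `kind` values. The Python below is an added example, not code from this thread or from Azure Policy itself: it evaluates the `if` block of the posted rules against a constructed inventory of resources so the selection can be checked on a laptop before a DeployIfNotExists assignment is created. The resource names, the `evaluate` and `matching_resources` function names and the rule constant names are assumptions for illustration; the operator semantics follow the Azure Policy documentation linked in the first answer (case-insensitive `equals`, `like` with `*` as the wildcard, case-insensitive `contains`). It also covers the first answer's wildcard form (`functionapp*`), which the thread mentions but never shows.

```python
import re

# Constructed inventory standing in for the thread's 60+ Microsoft.Web/sites;
# the names are made up, but the kinds are the ones the posted rules test.
SAMPLE_RESOURCES = [
    {"name": "web-win",    "type": "Microsoft.Web/sites", "kind": "app"},
    {"name": "web-api",    "type": "Microsoft.Web/sites", "kind": "api"},
    {"name": "web-linux",  "type": "Microsoft.Web/sites", "kind": "app,linux"},
    {"name": "web-win2",   "type": "Microsoft.Web/sites", "kind": "app,windows"},
    {"name": "func-win",   "type": "Microsoft.Web/sites", "kind": "functionapp"},
    {"name": "func-linux", "type": "Microsoft.Web/sites", "kind": "functionapp,linux"},
    {"name": "stor1",      "type": "Microsoft.Storage/storageAccounts", "kind": "StorageV2"},
]

# The 'if' block from the question: every condition inside allOf must hold,
# including BOTH like "functionapp" AND like "functionapp,linux".
ORIGINAL_RULE = {"allOf": [
    {"field": "type", "equals": "Microsoft.Web/sites"},
    {"not": {"anyof": [
        {"field": "kind", "like": "app"},
        {"field": "kind", "like": "api"},
        {"field": "kind", "like": "app,linux"},
        {"field": "kind", "like": "app,windows"},
    ]}},
    {"field": "kind", "like": "functionapp"},
    {"field": "kind", "like": "functionapp,linux"},
]}

# The 'if' block from the second answer: exact kinds, combined with anyOf.
CORRECTED_RULE = {"allOf": [
    {"field": "type", "equals": "Microsoft.Web/sites"},
    {"anyOf": [
        {"field": "kind", "equals": "functionapp"},
        {"field": "kind", "equals": "functionapp,linux"},
    ]},
]}

# The first answer's suggestion (contains), and the wildcard form it alludes to.
CONTAINS_RULE = {"allOf": [
    {"field": "type", "equals": "Microsoft.Web/sites"},
    {"field": "kind", "contains": "functionapp"},
]}
WILDCARD_RULE = {"allOf": [
    {"field": "type", "equals": "Microsoft.Web/sites"},
    {"field": "kind", "like": "functionapp*"},
]}


def _like(value: str, pattern: str) -> bool:
    """Azure Policy 'like': case-insensitive match where '*' is a wildcard.
    Without a '*' it degenerates to a case-insensitive equals, which is why
    the question's two like conditions can never both be true."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, flags=re.IGNORECASE) is not None


def evaluate(condition: dict, resource: dict) -> bool:
    """Evaluate a policy 'if' condition against one resource (a plain dict).
    Supports allOf / anyOf / not and the field operators equals, like, contains.
    Operator names are matched case-insensitively by this evaluator, so the
    question's lowercase "anyof" is accepted alongside "anyOf"."""
    keys = {k.lower(): k for k in condition}
    if "allof" in keys:
        return all(evaluate(c, resource) for c in condition[keys["allof"]])
    if "anyof" in keys:
        return any(evaluate(c, resource) for c in condition[keys["anyof"]])
    if "not" in keys:
        return not evaluate(condition[keys["not"]], resource)
    value = resource.get(condition["field"])
    if value is None:
        return False  # a missing field never satisfies a positive operator
    if "equals" in keys:
        return value.lower() == condition[keys["equals"]].lower()
    if "like" in keys:
        return _like(value, condition[keys["like"]])
    if "contains" in keys:
        return condition[keys["contains"]].lower() in value.lower()
    raise ValueError(f"unsupported condition: {condition}")


def matching_resources(rule: dict, resources=SAMPLE_RESOURCES) -> list:
    """Names of the resources the rule's 'if' block selects, i.e. the set the
    DeployIfNotExists effect would go on to check and remediate."""
    return [r["name"] for r in resources if evaluate(rule, r)]


if __name__ == "__main__":
    for label, rule in [("original", ORIGINAL_RULE), ("corrected", CORRECTED_RULE),
                        ("contains", CONTAINS_RULE), ("wildcard", WILDCARD_RULE)]:
        print(f"{label:>9}: {matching_resources(rule)}")
```

Running it shows the original rule selecting nothing (a `kind` cannot be both `functionapp` and `functionapp,linux`), while the corrected, `contains` and `functionapp*` forms each select the two function apps and nothing else. This only checks the selection step; whether a selected resource is then actually remediated also depends on the `then` deployment succeeding, and for DeployIfNotExists that includes the assignment's managed identity being granted the roles listed in `roleDefinitionIds`, which is an empty array in the rule posted in the question.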