Check for DataCollectionRuleAssociation in Azure Policy

Christoph Distefano 101 Reputation points
2021-01-26T14:33:16.363+00:00

Hey,
I want to deploy the Azure Monitor Agent to VMs and create a DataCollectionRuleAssociation for these VMs via an Azure Policy.
In general, this is already working, but I am not sure how to define the existenceCondition for both DataCollectionRuleAssociation and Monitor Agent.

My template currently looks like this:

{
  "properties": {
    "displayName": "Associates a DataCollectionRule Microsoft.Insights/dataCollectionRules to a Virtual Computer",
    "mode": "Indexed",
    "description": "This policy automatically associates DataCollectionRule Microsoft.Insights/dataCollectionRules to a VM based on its tags.",
    "metadata": {
      "category": "Monitoring"
    },
    "parameters": {
      "associationName": {
        "type": "String",
        "metadata": {
          "displayName": "Name of Association",
          "description": "The name of the Data Collection Rule association."
        }
      },
      "dataCollectionRuleResourceId": {
        "type": "String",
        "metadata": {
          "displayName": "DataCollectionRule ResourceId",
          "description": "ResourceId of DataCollectionRule to be assigned."
        }
      },
      "tagName": {
        "type": "String",
        "metadata": {
          "displayName": "Tag Name",
          "description": "Name of the tag"
        }
      },
      "tagValue": {
        "type": "String",
        "metadata": {
          "displayName": "Tag Value",
          "description": "Value of the tag"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "equals": "[parameters('tagValue')]"
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "type": "Microsoft.Compute/virtualMachines",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/dataCollectionRuleAssociations/dataCollectionRuleId",
                "equals": "[parameters('dataCollectionRuleResourceId')]"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
                "equals": "Microsoft.Azure.Monitor"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/virtualMachines/extensions/type",
                    "equals": "AzureMonitorWindowsAgent"
                  },
                  {
                    "field": "Microsoft.Compute/virtualMachines/extensions/type",
                    "equals": "AzureMonitorLinuxAgent"
                  }
                ]
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "name": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "dataCollectionRuleResourceId": {
                    "type": "string"
                  },
                  "associationName": {
                    "type": "string"
                  },
                  "osType": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Compute/virtualMachines/providers/dataCollectionRuleAssociations",
                    "apiVersion": "2019-11-01-preview",
                    "name": "[concat(parameters('name'), '/', 'Microsoft.Insights/', parameters('associationName'))]",
                    "dependsOn": [],
                    "properties": {
                      "dataCollectionRuleId": "[parameters('dataCollectionRuleResourceId')]",
                      "description": "Created via Azure Policies."
                    }
                  },
                  {
                    "name": "[concat(parameters('name'),'/AzureMonitorWindowsAgent')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "condition": "[equals(parameters('osType'), 'Windows')]",
                    "location": "[parameters('location')]",
                    "apiVersion": "2020-06-01",
                    "properties": {
                      "publisher": "Microsoft.Azure.Monitor",
                      "type": "AzureMonitorWindowsAgent",
                      "typeHandlerVersion": "1.0",
                      "autoUpgradeMinorVersion": true
                    }
                  },
                  {
                    "name": "[concat(parameters('name'),'/AzureMonitorLinuxAgent')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "condition": "[equals(parameters('osType'), 'Linux')]",
                    "location": "[parameters('location')]",
                    "apiVersion": "2020-06-01",
                    "properties": {
                      "publisher": "Microsoft.Azure.Monitor",
                      "type": "AzureMonitorLinuxAgent",
                      "typeHandlerVersion": "1.5",
                      "autoUpgradeMinorVersion": true
                    }
                  }
                ],
                "outputs": {
                  "policy": {
                    "type": "string",
                    "value": "[concat(parameters('associationName'), 'configured for diagnostic logs for ', ': ', parameters('name'))]"
                  }
                }
              },
              "parameters": {
                "dataCollectionRuleResourceId": {
                  "value": "[parameters('dataCollectionRuleResourceId')]"
                },
                "name": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "associationName": {
                  "value": "[parameters('associationName')]"
                },
                "osType": {
                  "value": "[field('Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType')]"
                }
              }
            }
          }
        }
      }
    }
  }
}

As you can see, I have the following parameters:

  • associationName --> the name of the DataCollectionRuleAssociation
  • dataCollectionRuleResourceId --> Resource ID of the Data Collection Rule we want to associate the VMs with
  • tagName --> Name of the tag we are using as a filter for the VMs to be onboarded
  • tagValue --> Value of the same tag

In general, this policy is already working, but the compliance state is never marked as compliant, and errors out with the following message:
"No related resource match the effect details in the policy definition"

I guess this is due to the following part:

"existenceCondition": {
  "allOf": [
    {
      "field": "Microsoft.Insights/dataCollectionRuleAssociations/dataCollectionRuleId",
      "equals": "[parameters('dataCollectionRuleResourceId')]"
    },
    {
      "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
      "equals": "Microsoft.Azure.Monitor"
    },
    {
      "anyOf": [
        {
          "field": "Microsoft.Compute/virtualMachines/extensions/type",
          "equals": "AzureMonitorWindowsAgent"
        },
        {
          "field": "Microsoft.Compute/virtualMachines/extensions/type",
          "equals": "AzureMonitorLinuxAgent"
        }
      ]
    }
  ]
}

Since I am defining a then.details.type of 'Microsoft.Compute/virtualMachines', the field 'Microsoft.Insights/dataCollectionRuleAssociations/dataCollectionRuleId' does not seem to be accessible here. But since the DataCollectionRuleAssociation should be part of the VM settings, I would have expected to be able to validate the existence of the association in this way.

Any help would be highly appreciated to point me to the right direction here!

Regards
Christoph


1 answer

Christoph Distefano 101 Reputation points
    2021-02-02T07:38:51.53+00:00

    Hello,
    in the meantime I split the policy into two policies and organized them into an initiative.

    I concluded from my tests and research that it is not possible to check for two different types in one template, therefore I need to have one policy for the dataCollectionRuleAssociation (type Microsoft.Insights/dataCollectionRuleAssociations) and for the extensions (type Microsoft.Compute/virtualMachines/extensions).

    With this setup, I am now able to assign the initiative to my scope and get the resources marked as compliant by the initiative.

    Regards
    Christoph

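The root cause the answer settles on (one existenceCondition can only describe resources of the single type named in then.details.type) can be caught before assignment with a policy-as-code check. The following Python lint is an added example, not code from the thread or from Azure Policy itself; it assumes a constructed, deliberately short list of known resource types (KNOWN_TYPES) and operates on the then.details object of a deployIfNotExists rule.

```python
# Added example (not from the original post): lint the then.details block of a
# deployIfNotExists policy. The existenceCondition is evaluated only against
# resources of details.type, so every alias in it must belong to that type.

# Resource types the lint knows (constructed list for the example; a real
# lint would load the full alias catalogue from the provider metadata).
KNOWN_TYPES = {
    "Microsoft.Compute/virtualMachines",
    "Microsoft.Compute/virtualMachines/extensions",
    "Microsoft.Insights/dataCollectionRuleAssociations",
}
# Fields Azure Policy exposes on every resource without an alias.
GENERIC_FIELDS = {"type", "name", "fullName", "id", "kind", "location"}

def iter_fields(condition):
    """Yield every 'field' value reachable through allOf / anyOf / not."""
    if "field" in condition:
        yield condition["field"]
    for sub in condition.get("allOf", []) + condition.get("anyOf", []):
        yield from iter_fields(sub)
    if "not" in condition:
        yield from iter_fields(condition["not"])

def alias_resource_type(alias):
    """Longest known resource type that prefixes the alias, or None."""
    owners = [t for t in KNOWN_TYPES if alias.lower().startswith(t.lower() + "/")]
    return max(owners, key=len) if owners else None

def foreign_aliases(details):
    """Aliases in details.existenceCondition that belong to another type."""
    bad = []
    for field in iter_fields(details.get("existenceCondition", {})):
        if field in GENERIC_FIELDS or field.startswith(("tags", "[")):
            continue  # generic field or template expression: valid for any type
        owner = alias_resource_type(field)
        if owner is None or owner.lower() != details["type"].lower():
            bad.append(field)
    return bad

# Constructed sample mirroring the question's then.details: a VM-typed related
# resource whose existenceCondition mixes association and extension aliases.
DCRA_ID = "Microsoft.Insights/dataCollectionRuleAssociations/dataCollectionRuleId"
EXT_TYPE = "Microsoft.Compute/virtualMachines/extensions/type"
MIXED = {"type": "Microsoft.Compute/virtualMachines", "existenceCondition": {"allOf": [
    {"field": DCRA_ID, "equals": "[parameters('dataCollectionRuleResourceId')]"},
    {"field": "Microsoft.Compute/virtualMachines/extensions/publisher", "equals": "Microsoft.Azure.Monitor"},
    {"anyOf": [{"field": EXT_TYPE, "equals": "AzureMonitorWindowsAgent"},
               {"field": EXT_TYPE, "equals": "AzureMonitorLinuxAgent"}]}]}}
# After the split from the answer: the association policy names only its own type.
SPLIT_DCRA = {"type": "Microsoft.Insights/dataCollectionRuleAssociations",
              "existenceCondition": {"field": DCRA_ID, "equals": "[parameters('dataCollectionRuleResourceId')]"}}
```

Running foreign_aliases over MIXED reports all four aliases, while the split association policy reports none; the matching extension policy would use details.type Microsoft.Compute/virtualMachines/extensions with only the publisher and type aliases.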