Hey,
I want to deploy the Azure Monitor Agent to VMs and create a DataCollectionRuleAssociation for these VMs via an Azure Policy.
In general, this is already working, but I am not sure how to define the existenceCondition for both DataCollectionRuleAssociation and Monitor Agent.
My template currently looks like this:
{
  "properties": {
    "displayName": "Associates a DataCollectionRule Microsoft.Insights/dataCollectionRules to a Virtual Computer",
    "mode": "Indexed",
    "description": "This policy automatically associates DataCollectionRule Microsoft.Insights/dataCollectionRules to a VM based on its tags.",
    "metadata": {
      "category": "Monitoring"
    },
    "parameters": {
      "associationName": {
        "type": "String",
        "metadata": {
          "displayName": "Name of Association",
          "description": "The name of the Data Collection Rule association."
        }
      },
      "dataCollectionRuleResourceId": {
        "type": "String",
        "metadata": {
          "displayName": "DataCollectionRule ResourceId",
          "description": "ResourceId of DataCollectionRule to be assigned."
        }
      },
      "tagName": {
        "type": "String",
        "metadata": {
          "displayName": "Tag Name",
          "description": "Name of the tag"
        }
      },
      "tagValue": {
        "type": "String",
        "metadata": {
          "displayName": "Tag Value",
          "description": "Value of the tag"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.Compute/virtualMachines"
          },
          {
            "field": "[concat('tags[', parameters('tagName'), ']')]",
            "equals": "[parameters('tagValue')]"
          }
        ]
      },
      "then": {
        "effect": "deployIfNotExists",
        "details": {
          "type": "Microsoft.Compute/virtualMachines",
          "existenceCondition": {
            "allOf": [
              {
                "field": "Microsoft.Insights/dataCollectionRuleAssociations/dataCollectionRuleId",
                "equals": "[parameters('dataCollectionRuleResourceId')]"
              },
              {
                "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
                "equals": "Microsoft.Azure.Monitor"
              },
              {
                "anyOf": [
                  {
                    "field": "Microsoft.Compute/virtualMachines/extensions/type",
                    "equals": "AzureMonitorWindowsAgent"
                  },
                  {
                    "field": "Microsoft.Compute/virtualMachines/extensions/type",
                    "equals": "AzureMonitorLinuxAgent"
                  }
                ]
              }
            ]
          },
          "roleDefinitionIds": [
            "/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
            "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
          ],
          "deployment": {
            "properties": {
              "mode": "incremental",
              "template": {
                "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
                "contentVersion": "1.0.0.0",
                "parameters": {
                  "name": {
                    "type": "string"
                  },
                  "location": {
                    "type": "string"
                  },
                  "dataCollectionRuleResourceId": {
                    "type": "string"
                  },
                  "associationName": {
                    "type": "string"
                  },
                  "osType": {
                    "type": "string"
                  }
                },
                "variables": {},
                "resources": [
                  {
                    "type": "Microsoft.Compute/virtualMachines/providers/dataCollectionRuleAssociations",
                    "apiVersion": "2019-11-01-preview",
                    "name": "[concat(parameters('name'), '/', 'Microsoft.Insights/', parameters('associationName'))]",
                    "dependsOn": [],
                    "properties": {
                      "dataCollectionRuleId": "[parameters('dataCollectionRuleResourceId')]",
                      "description": "Created via Azure Policies."
                    }
                  },
                  {
                    "name": "[concat(parameters('name'),'/AzureMonitorWindowsAgent')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "condition": "[equals(parameters('osType'), 'Windows')]",
                    "location": "[parameters('location')]",
                    "apiVersion": "2020-06-01",
                    "properties": {
                      "publisher": "Microsoft.Azure.Monitor",
                      "type": "AzureMonitorWindowsAgent",
                      "typeHandlerVersion": "1.0",
                      "autoUpgradeMinorVersion": true
                    }
                  },
                  {
                    "name": "[concat(parameters('name'),'/AzureMonitorLinuxAgent')]",
                    "type": "Microsoft.Compute/virtualMachines/extensions",
                    "condition": "[equals(parameters('osType'), 'Linux')]",
                    "location": "[parameters('location')]",
                    "apiVersion": "2020-06-01",
                    "properties": {
                      "publisher": "Microsoft.Azure.Monitor",
                      "type": "AzureMonitorLinuxAgent",
                      "typeHandlerVersion": "1.5",
                      "autoUpgradeMinorVersion": true
                    }
                  }
                ],
                "outputs": {
                  "policy": {
                    "type": "string",
                    "value": "[concat(parameters('associationName'), 'configured for diagnostic logs for ', ': ', parameters('name'))]"
                  }
                }
              },
              "parameters": {
                "dataCollectionRuleResourceId": {
                  "value": "[parameters('dataCollectionRuleResourceId')]"
                },
                "name": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                },
                "associationName": {
                  "value": "[parameters('associationName')]"
                },
                "osType": {
                  "value": "[field('Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType')]"
                }
              }
            }
          }
        }
      }
    }
  }
}
As you can see, I have the following parameters:
- associationName --> the name of the DataCollectionRuleAssociation
- dataCollectionRuleResourceId --> Resource ID of the Data Collection Rule we want to associate the VMs with
- tagName --> Name of the tag we are using as a filter for the VMs to be onboarded
- tagValue --> Value of the same tag
In general, this policy is already working, but the compliance state is never marked as compliant, and errors out with the following message:
"No related resource match the effect details in the policy definition"
I guess this is due to the following part:
"existenceCondition": {
  "allOf": [
    {
      "field": "Microsoft.Insights/dataCollectionRuleAssociations/dataCollectionRuleId",
      "equals": "[parameters('dataCollectionRuleResourceId')]"
    },
    {
      "field": "Microsoft.Compute/virtualMachines/extensions/publisher",
      "equals": "Microsoft.Azure.Monitor"
    },
    {
      "anyOf": [
        {
          "field": "Microsoft.Compute/virtualMachines/extensions/type",
          "equals": "AzureMonitorWindowsAgent"
        },
        {
          "field": "Microsoft.Compute/virtualMachines/extensions/type",
          "equals": "AzureMonitorLinuxAgent"
        }
      ]
    }
  ]
}
Since I am defining a then.details.type of 'Microsoft.Compute/virtualMachines', the field 'Microsoft.Insights/dataCollectionRuleAssociations/dataCollectionRuleId' does not seem to be accessible here. But since the DataCollectionRuleAssociation should be part of the VM settings, I would have expected that I could validate the existence of the association this way.
Any help would be highly appreciated to point me in the right direction here!
Regards
Christoph
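The following two policy definitions are an added example, not Christoph's template and not one of the Microsoft built-ins. They show the shape that avoids the "No related resource match" state: a deployIfNotExists policy evaluates its existenceCondition against resources of exactly the one type named in details.type, so the extension check and the DCR association check each get their own definition. The first policy sets details.type to Microsoft.Compute/virtualMachines/extensions and checks publisher, type and provisioningState of the agent extension; the second sets details.type to Microsoft.Insights/dataCollectionRuleAssociations and compares the dataCollectionRuleId alias with the rule ID passed in. Assumptions: the parameter names (tagName, tagValue, associationName, dataCollectionRuleResourceId) are reused from the post; the agent policy is written for Linux only, and the Windows variant differs only in the osType filter and the AzureMonitorWindowsAgent type; the role ID 9980e02c-c2be-4d73-94e8-173b1dc7cf3c is the built-in Virtual Machine Contributor role, and the association policy keeps the two role IDs from the post; the template parameter names vmName and dcrId are placeholders chosen here.

```json
[
  {
    "properties": {
      "displayName": "Added example (not the original post): deploy Azure Monitor Agent on tagged Linux VMs",
      "mode": "Indexed",
      "parameters": { "tagName": { "type": "String" }, "tagValue": { "type": "String" } },
      "policyRule": {
        "if": {
          "allOf": [
            { "field": "type", "equals": "Microsoft.Compute/virtualMachines" },
            { "field": "[concat('tags[', parameters('tagName'), ']')]", "equals": "[parameters('tagValue')]" },
            { "field": "Microsoft.Compute/virtualMachines/storageProfile.osDisk.osType", "equals": "Linux" }
          ]
        },
        "then": {
          "effect": "deployIfNotExists",
          "details": {
            "type": "Microsoft.Compute/virtualMachines/extensions",
            "existenceCondition": {
              "allOf": [
                { "field": "Microsoft.Compute/virtualMachines/extensions/publisher", "equals": "Microsoft.Azure.Monitor" },
                { "field": "Microsoft.Compute/virtualMachines/extensions/type", "equals": "AzureMonitorLinuxAgent" },
                { "field": "Microsoft.Compute/virtualMachines/extensions/provisioningState", "equals": "Succeeded" }
              ]
            },
            "roleDefinitionIds": [ "/providers/Microsoft.Authorization/roleDefinitions/9980e02c-c2be-4d73-94e8-173b1dc7cf3c" ],
            "deployment": {
              "properties": {
                "mode": "incremental",
                "template": {
                  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                  "contentVersion": "1.0.0.0",
                  "parameters": { "vmName": { "type": "string" }, "location": { "type": "string" } },
                  "resources": [
                    {
                      "type": "Microsoft.Compute/virtualMachines/extensions",
                      "apiVersion": "2020-06-01",
                      "name": "[concat(parameters('vmName'), '/AzureMonitorLinuxAgent')]",
                      "location": "[parameters('location')]",
                      "properties": { "publisher": "Microsoft.Azure.Monitor", "type": "AzureMonitorLinuxAgent", "typeHandlerVersion": "1.5", "autoUpgradeMinorVersion": true }
                    }
                  ]
                },
                "parameters": { "vmName": { "value": "[field('name')]" }, "location": { "value": "[field('location')]" } }
              }
            }
          }
        }
      }
    }
  },
  {
    "properties": {
      "displayName": "Added example (not the original post): associate tagged VMs with a Data Collection Rule",
      "mode": "Indexed",
      "parameters": {
        "tagName": { "type": "String" },
        "tagValue": { "type": "String" },
        "associationName": { "type": "String" },
        "dataCollectionRuleResourceId": { "type": "String" }
      },
      "policyRule": {
        "if": {
          "allOf": [
            { "field": "type", "equals": "Microsoft.Compute/virtualMachines" },
            { "field": "[concat('tags[', parameters('tagName'), ']')]", "equals": "[parameters('tagValue')]" }
          ]
        },
        "then": {
          "effect": "deployIfNotExists",
          "details": {
            "type": "Microsoft.Insights/dataCollectionRuleAssociations",
            "existenceCondition": {
              "field": "Microsoft.Insights/dataCollectionRuleAssociations/dataCollectionRuleId",
              "equals": "[parameters('dataCollectionRuleResourceId')]"
            },
            "roleDefinitionIds": [
              "/providers/Microsoft.Authorization/roleDefinitions/749f88d5-cbae-40b8-bcfc-e573ddc772fa",
              "/providers/Microsoft.Authorization/roleDefinitions/92aaf0da-9dab-42b6-94a3-d43ce8d16293"
            ],
            "deployment": {
              "properties": {
                "mode": "incremental",
                "template": {
                  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
                  "contentVersion": "1.0.0.0",
                  "parameters": { "vmName": { "type": "string" }, "associationName": { "type": "string" }, "dcrId": { "type": "string" } },
                  "resources": [
                    {
                      "type": "Microsoft.Compute/virtualMachines/providers/dataCollectionRuleAssociations",
                      "apiVersion": "2021-04-01",
                      "name": "[concat(parameters('vmName'), '/Microsoft.Insights/', parameters('associationName'))]",
                      "properties": { "dataCollectionRuleId": "[parameters('dcrId')]" }
                    }
                  ]
                },
                "parameters": {
                  "vmName": { "value": "[field('name')]" },
                  "associationName": { "value": "[parameters('associationName')]" },
                  "dcrId": { "value": "[parameters('dataCollectionRuleResourceId')]" }
                }
              }
            }
          }
        }
      }
    }
  }
]
```

Two points worth checking when assigning these: the association is only reported compliant when the ID stored on the existing association matches the assigned dataCollectionRuleResourceId (the comparison is case-insensitive, but a rule ID pointing at a different DCR will keep triggering remediation), and the Azure Monitor Agent needs a managed identity on the VM to authenticate, which neither policy above configures; that is why the built-in Azure Monitor policies ship as an initiative with a separate identity policy. Splitting the definitions also keeps the remediation identity's permissions narrower per policy, which is the least-privilege shape you want for a DINE assignment.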