In the course of an observability initiative I want to ensure all Azure Storage accounts always log to one specific Log Analytics workspace.

I have tried to achieve this with assigning an Azure Policy ("Configure diagnostic settings for storage accounts to Log Analytics workspace") and creating a remediation task. This led to consistent "diagnostic settings" over the entire subscription and all storage accounts logging into the same workspace as desired.

I have used Terraform for assigning the policy and creating the remediation task. This is all similar to the solution described here: Enable diagnostic settings for Storage account using Azure Policy Definition

Unfortunately, manual changes to the diagnostic settings after the initial creation are neither prevented nor remediated, although they are detected and raised as issues in the "compliance" tab.

How can I ensure the "Configure diagnostic settings for storage accounts to Log Analytics workspace" policy is permanently enforced?

hey
  • Hello, do you want to add deployIfNotExists as well as deny for the same policy? – Ansuman Bal Jan 17 '22 at 11:35
  • Is it possible? I am also not sure if "modify" could work, but it does not exist for the policy I mention :( – hey Jan 18 '22 at 19:51
  • You will have to create a custom policy, but I'm not sure if both effects will work or not. I will test it and get back if I get something. – Ansuman Bal Jan 18 '22 at 19:55
  • I have tried to just add the "modify" option to the existing policy, but it seems to be much more complex than that... – hey Jan 19 '22 at 00:43

1 Answer

I tried the same in my environment, but it seems complicated or not possible. AFAIK, and also as mentioned in this GitHub issue, it is not possible to remediate the existing resources automatically. For diagnostic settings, as the policy has the deployIfNotExists effect, only new resources get automatically remediated, and existing resources have to be remediated manually or by a PowerShell or CLI script.

So to automate the remediation, you can run scheduled scripts using task schedulers or cron jobs, or use Azure Automation scheduled tasks.

Ansuman Bal
  • Thank you for investigating; highly appreciated! You suggest three methods for automating remediation. Do I understand it correctly that, after each run, there would be a new remediation task? So after a while there would be quite a number of remediation tasks? – hey Jan 19 '22 at 18:13
  • The reference to the GitHub issue sounds very interesting as well. Do you still have the link? – hey Jan 19 '22 at 18:15
  • @hey, sorry, the GitHub link was somehow left out... added it now. – Ansuman Bal Jan 20 '22 at 05:23
  • Yes, I gave 3 ways in which you can automate remediation tasks, and it will be scheduled according to your requirement, so that one remediation gets completed first. You have to give a sufficient gap between the two scheduled scripts so that they won't overlap. – Ansuman Bal Jan 20 '22 at 05:26
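The scheduled-remediation approach from the answer, written out as an Azure Automation runbook. This is an added example, not code from the original post, from the linked Terraform solution, or from Microsoft; it uses the Az.Accounts and Az.PolicyInsights cmdlets (Connect-AzAccount, Get-AzPolicyRemediation, Remove-AzPolicyRemediation, Start-AzPolicyRemediation). The subscription ID and the assignment name `storage-diag-to-law` are placeholders, and it assumes the automation account's managed identity holds a role that allows writing remediations (for example Resource Policy Contributor) at the subscription scope. It also addresses the two concerns raised in the comments: it refuses to start a task while one is still running, and it deletes finished tasks after a retention period so they do not pile up.

```powershell
<#
  Added example (not from the original post or Microsoft's docs).
  Runbook body: re-run remediation for one policy assignment on a schedule.
  Assumptions (hypothetical): assignment 'storage-diag-to-law' at subscription
  scope; the automation account's managed identity can create/delete
  remediations there; Az.Accounts and Az.PolicyInsights are imported.
#>
param(
    [string]$SubscriptionId   = '00000000-0000-0000-0000-000000000000',  # placeholder
    [string]$AssignmentName   = 'storage-diag-to-law',                   # hypothetical name
    [int]   $KeepFinishedDays = 7                                        # retention for old tasks
)

$ErrorActionPreference = 'Stop'

# Authenticate as the automation account's system-assigned managed identity.
Connect-AzAccount -Identity | Out-Null
Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

$scope        = "/subscriptions/$SubscriptionId"
$assignmentId = "$scope/providers/Microsoft.Authorization/policyAssignments/$AssignmentName"

# 1. Only look at remediations that belong to this assignment.
$existing = Get-AzPolicyRemediation -Scope $scope |
    Where-Object { $_.PolicyAssignmentId -eq $assignmentId }

# 2. Do not start a second task while one is still in flight; overlapping
#    runs are what the comment thread warns about.
$inFlight = @('Accepted', 'Evaluating', 'Running', 'Cancelling')
$running  = $existing | Where-Object { $_.ProvisioningState -in $inFlight }
if ($running) {
    Write-Output "Remediation '$($running[0].Name)' is still $($running[0].ProvisioningState); skipping this run."
    return
}

# 3. Garbage-collect finished tasks older than the retention window so the
#    list does not grow without bound (Remove-AzPolicyRemediation only needs
#    -AllowStop for tasks that are still running, which we excluded above).
$finished = @('Succeeded', 'Failed', 'Canceled')
$cutoff   = (Get-Date).ToUniversalTime().AddDays(-$KeepFinishedDays)
foreach ($r in $existing) {
    if ($r.ProvisioningState -in $finished -and $r.LastUpdatedOn -lt $cutoff) {
        Write-Output "Removing old remediation '$($r.Name)' ($($r.ProvisioningState), last updated $($r.LastUpdatedOn))."
        Remove-AzPolicyRemediation -Name $r.Name -Scope $scope -Confirm:$false
    }
}

# 4. Start a fresh task. ReEvaluateCompliance re-checks every resource in
#    scope before remediating, so storage accounts whose diagnostic settings
#    were edited after the last evaluation are picked up, not only the ones
#    already marked NonCompliant in the compliance tab.
$taskName = "remediate-$AssignmentName-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
$task = Start-AzPolicyRemediation -Name $taskName `
    -Scope $scope `
    -PolicyAssignmentId $assignmentId `
    -ResourceDiscoveryMode ReEvaluateCompliance

Write-Output "Started remediation '$($task.Name)' (state: $($task.ProvisioningState))."
```

Link the runbook to an Azure Automation schedule (for example hourly). Because step 2 exits early when a task is still running, the schedule interval does not have to be tuned to the remediation duration, which removes the "sufficient gap" guesswork from the comments. The identity doing this must be a different principal from the policy assignment's own managed identity: the assignment's identity deploys the diagnostic settings, while the runbook's identity only needs rights to create and delete remediation tasks.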