diff --git a/src/bicep/form/mlz.portal.json b/src/bicep/form/mlz.portal.json
index e427d20c..77cc1d79 100644
--- a/src/bicep/form/mlz.portal.json
+++ b/src/bicep/form/mlz.portal.json
@@ -948,7 +948,20 @@
 "name": "sentinelOptionalDetailsText",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "Please note further configuration of Sentinel is required to take advantage of threat detection, log retention and response capabilities."
+ "text": "Please note further configuration of Sentinel is required to take advantage of threat detection, log retention and response capabilities. Please check the following article to determine what regions support Sentinel.",
+ "link": {
+ "label": "Learn more about Sentinel regions",
+ "uri": "https://learn.microsoft.com/en-us/azure/sentinel/geographical-availability-data-residency"
+ }
+ }
+ },
+ {
+ "name": "sentinelFeatureAvailability",
+ "type": "Microsoft.Common.InfoBox",
+ "options": {
+ "style": "Info",
+ "text": "Please check the following article to see what features are available for Sentinel in different Azure environments.",
+ "uri": "https://learn.microsoft.com/en-us/azure/sentinel/feature-availability"
 }
 },
 {
diff --git a/src/bicep/mlz.bicep b/src/bicep/mlz.bicep
index d336ea36..d94951f0 100644
--- a/src/bicep/mlz.bicep
+++ b/src/bicep/mlz.bicep
@@ -323,6 +323,13 @@ param logStorageSkuName string = 'Standard_GRS'
 // REMOTE ACCESS PARAMETERS
+param bastionDiagnosticsLogs array = [
+ {
+ category: 'BastionAuditLogs'
+ enabled: true
+ }
+]
+
+@description('When set to "true", provisions Azure Bastion Host only. It defaults to "false".')
 param deployBastion bool = false
@@ -732,6 +739,7 @@ module storage 'modules/storage.bicep' = {
 module diagnostics 'modules/diagnostics.bicep' = {
 name: 'deploy-resource-diag-${deploymentNameSuffix}'
 params: {
+ bastionDiagnosticsLogs: bastionDiagnosticsLogs
 deployBastion: deployBastion
 deploymentNameSuffix: deploymentNameSuffix
 firewallDiagnosticsLogs: firewallDiagnosticsLogs
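Review bot: The new `param bastionDiagnosticsLogs array = [...]` in the mlz.bicep hunk has no `@description`, while the neighbouring `deployBastion` parameter carries one; the description is what the compiled template and the portal form expose to whoever sets the value, and the compiled mlz.json entry for this parameter indeed carries no `metadata.description`, unlike `logStorageSkuName` just above it. Suggest adding `@description('The diagnostic log categories to enable on the Azure Bastion host. It defaults to BastionAuditLogs enabled.')` directly above the declaration. The same gap applies to `param bastionDiagnosticsLogs array` in the diagnostics.bicep hunk and to the five parameters of the new bastion-diagnostics.bicep module, where a one-line description of `logs` (an array of `{ category, enabled }` objects, as the default here shows) would tell callers what shape is expected.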
diff --git a/src/bicep/mlz.json b/src/bicep/mlz.json index 274afd35..f230510e 100644 --- a/src/bicep/mlz.json +++ b/src/bicep/mlz.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.29.47.4906", - "templateHash": "14639382000576629473" + "templateHash": "15931306768940102159" } }, "parameters": { @@ -549,6 +549,15 @@ "description": "The Storage Account SKU to use for log storage. It defaults to \"Standard_GRS\". See https://docs.microsoft.com/en-us/rest/api/storagerp/srp_sku_types for valid settings." } }, + "bastionDiagnosticsLogs": { + "type": "array", + "defaultValue": [ + { + "category": "BastionAuditLogs", + "enabled": true + } + ] + }, "deployBastion": { "type": "bool", "defaultValue": false, @@ -7121,6 +7130,9 @@ }, "mode": "Incremental", "parameters": { + "bastionDiagnosticsLogs": { + "value": "[parameters('bastionDiagnosticsLogs')]" + }, "deployBastion": { "value": "[parameters('deployBastion')]" }, @@ -7171,10 +7183,13 @@ "_generator": { "name": "bicep", "version": "0.29.47.4906", - "templateHash": "7558548205011970878" + "templateHash": "13699796498043220180" } }, "parameters": { + "bastionDiagnosticsLogs": { + "type": "array" + }, "deployBastion": { "type": "bool" }, @@ -7341,7 +7356,7 @@ "_generator": { "name": "bicep", "version": "0.29.47.4906", - "templateHash": "17680455217420763544" + "templateHash": "6318152353890797757" } }, "parameters": { @@ -7368,7 +7383,12 @@ "properties": { "workspaceId": "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('logAnalyticsWorkspaceName'))]", "storageAccountId": "[resourceId('Microsoft.Storage/storageAccounts', parameters('diagnosticStorageAccountName'))]", - "logs": "[if(equals(environment().name, 'AzureCloud'), createArray(createObject('category', 'Audit', 'enabled', true())), createArray())]", + "logs": [ + { + "category": "Audit", + "enabled": true + } + ], "metrics": [ { "category": "AllMetrics", 
@@ -7781,6 +7801,77 @@ ] } } + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('deploy-bastion-diags-{0}', parameters('deploymentNameSuffix'))]", + "subscriptionId": "[variables('hub').subscriptionId]", + "resourceGroup": "[variables('hubResourceGroupName')]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "bastionDiagnosticSettingName": { + "value": "[replace(variables('hub').namingConvention.bastionHostPublicIPAddressDiagnosticSetting, parameters('serviceToken'), '')]" + }, + "bastionName": { + "value": "[variables('hub').namingConvention.bastionHost]" + }, + "bastionStorageAccountId": { + "value": "[parameters('storageAccountResourceIds')[0]]" + }, + "logAnalyticsWorkspaceResourceId": { + "value": "[parameters('logAnalyticsWorkspaceResourceId')]" + }, + "logs": { + "value": "[parameters('bastionDiagnosticsLogs')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.29.47.4906", + "templateHash": "1417962456788904727" + } + }, + "parameters": { + "bastionDiagnosticSettingName": { + "type": "string" + }, + "bastionName": { + "type": "string" + }, + "bastionStorageAccountId": { + "type": "string" + }, + "logAnalyticsWorkspaceResourceId": { + "type": "string" + }, + "logs": { + "type": "array" + } + }, + "resources": [ + { + "type": "Microsoft.Insights/diagnosticSettings", + "apiVersion": "2017-05-01-preview", + "scope": "[format('Microsoft.Network/bastionHosts/{0}', parameters('bastionName'))]", + "name": "[parameters('bastionDiagnosticSettingName')]", + "properties": { + "storageAccountId": "[parameters('bastionStorageAccountId')]", + "workspaceId": "[parameters('logAnalyticsWorkspaceResourceId')]", + "logs": "[parameters('logs')]" + } + } + ] + } + } } ] } 
diff --git a/src/bicep/modules/bastion-diagnostics.bicep b/src/bicep/modules/bastion-diagnostics.bicep
new file mode 100644
index 00000000..2c177855
--- /dev/null
+++ b/src/bicep/modules/bastion-diagnostics.bicep
@@ -0,0 +1,24 @@
+/*
+Copyright (c) Microsoft Corporation.
+Licensed under the MIT License.
+*/
+
+param bastionDiagnosticSettingName string
+param bastionName string
+param bastionStorageAccountId string
+param logAnalyticsWorkspaceResourceId string
+param logs array
+
+resource bastionHost 'Microsoft.Network/bastionHosts@2021-02-01' existing = {
+ name: bastionName
+}
+
+resource diagnostics 'Microsoft.Insights/diagnosticSettings@2017-05-01-preview' = {
+ scope: bastionHost
+ name: bastionDiagnosticSettingName
+ properties: {
+ storageAccountId: bastionStorageAccountId
+ workspaceId: logAnalyticsWorkspaceResourceId
+ logs: logs
+ }
+}
diff --git a/src/bicep/modules/diagnostics.bicep b/src/bicep/modules/diagnostics.bicep
index 51ec92fe..766eb9db 100644
--- a/src/bicep/modules/diagnostics.bicep
+++ b/src/bicep/modules/diagnostics.bicep
@@ -5,6 +5,7 @@ Licensed under the MIT License.
 targetScope = 'subscription'
+param bastionDiagnosticsLogs array
 param deployBastion bool
 param deploymentNameSuffix string
 param firewallDiagnosticsLogs array
@@ -122,3 +123,15 @@ module keyvaultDiagnostics '../modules/key-vault-diagnostics.bicep' = {
 logs: keyVaultDiagnosticLogs
 }
 }
+
+module bastionDiagnostics '../modules/bastion-diagnostics.bicep' = {
+ name: 'deploy-bastion-diags-${deploymentNameSuffix}'
+ scope: resourceGroup(hub.subscriptionId, hubResourceGroupName)
+ params: {
+ bastionDiagnosticSettingName: replace(hub.namingConvention.bastionHostPublicIPAddressDiagnosticSetting, serviceToken, '')
+ bastionName: hub.namingConvention.bastionHost
+ bastionStorageAccountId: storageAccountResourceIds[0]
+ logAnalyticsWorkspaceResourceId: logAnalyticsWorkspaceResourceId
+ logs: bastionDiagnosticsLogs
+ }
+}
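Review bot: `module bastionDiagnostics` in the diagnostics.bicep hunk is deployed unconditionally, yet `deployBastion` (declared in this file's first hunk and defaulting to `false` in the mlz.bicep hunk) marks the Bastion host as optional, and bastion-diagnostics.bicep resolves `bastionHost` as an `existing` resource, so a deployment that leaves Bastion off will fail attaching a diagnostic setting to a host that was never created; the compiled `deploy-bastion-diags-…` entry in mlz.json likewise has no `condition`. Gate the module on the same switch, `module bastionDiagnostics '../modules/bastion-diagnostics.bicep' = if (deployBastion) {`, so the diagnostic setting and the host are created together. Separately, the setting name is derived from `hub.namingConvention.bastionHostPublicIPAddressDiagnosticSetting` although the setting is scoped to the Bastion host rather than its public IP; if the naming convention has a host-level entry it should be used, otherwise a short comment explaining the reuse would stop the next reader from treating it as a copy-paste slip. `storageAccountResourceIds[0]` also silently assumes the hub storage account is first in the array, which deserves a comment if the caller guarantees that ordering.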
diff --git a/src/bicep/modules/log-analytics-diagnostic-setting.bicep b/src/bicep/modules/log-analytics-diagnostic-setting.bicep
index a53a9d6d..5e023c6e 100644
--- a/src/bicep/modules/log-analytics-diagnostic-setting.bicep
+++ b/src/bicep/modules/log-analytics-diagnostic-setting.bicep
@@ -23,12 +23,12 @@ resource diagnosticSetting 'Microsoft.Insights/diagnosticSettings@2017-05-01-pre
 properties: {
 workspaceId: logAnalyticsWorkspace.id
 storageAccountId: stg.id
- logs: environment().name == 'AzureCloud' ? [
+ logs: [
 {
 category: 'Audit'
 enabled: true
 }
- ] : []
+ ]
 metrics: [
 {
 category: 'AllMetrics'
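Review bot: Dropping the `environment().name == 'AzureCloud'` gate means the `Audit` category is now requested on the workspace in every cloud, but the hunk records no reason, so a later maintainer cannot tell whether the category became available outside the commercial cloud or whether the gate was simply wrong, and if a target cloud does not accept the category the deployment now fails instead of silently skipping the logs as before. A one-line comment above `logs:` such as `// 'Audit' is requested in every cloud; the former AzureCloud-only gate was dropped because <reason placeholder>` would capture that decision next to the code. The enclosing `diagnosticSetting` resource starts before the hunk and closes after it.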