Enterprise-Scale
Policy definition Enable diagnostics for resources does not have param for keyvault metrics
The policy definition Enable diagnostics for resources uses the built-in policy Deploy Diagnostic Settings for Key Vault to Log Analytics workspace. This policy has the parameters logsEnabled (default value: true) and metricsEnabled (default value: false!). Unfortunately, it is not possible to set metricsEnabled to true via the policy initiative. We would like to have key vault metrics enabled.
Hey @neok-g,
thanks for raising the issue. This seems to be the default for most of these diagnostic settings policies where the logs are enabled by default, but the metrics are disabled by default. This is likely due to cost in retention of metrics.
You can see this here with the built in definition that we reference as part of this initiative for key vaults: https://www.azadvertizer.net/azpolicyadvertizer/bef3f64c-5290-43b7-85b0-9b254eef4c47.html
Do you think we should add a parameter for metrics enabled for all of the policies that we use in this initiative?
e.g. Create an individual parameter for each child policy definition/resource for both logs and metrics as booleans, like:
- KeyVaultLogAnalyticsLogsEnabled
- KeyVaultLogAnalyticsMetricsEnabled
Interested in feedback, this would be a considerable amount of work, but I personally see some value to this.
cc: @jfaurskov, @ejhenry, @krowlandson & @matt-FFFFFF for visibility and inputs also
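As an added illustration (not code from the Enterprise-Scale repository): a small Python check that walks an initiative (policy set) definition and reports child diagnostic-settings policies whose logsEnabled or metricsEnabled is not mapped, so the built-in default applies, plus a helper that applies the per-resource boolean parameter pattern suggested above. The initiative content, the reference ids and the storage definition id are constructed; the Key Vault definition id is the one linked above.

```python
# Constructed sample, not the real Enterprise-Scale initiative: a trimmed policy
# set definition. The Key Vault reference maps only logsEnabled, so metricsEnabled
# silently keeps the built-in default (false). The storage definition id is a placeholder.
SAMPLE_INITIATIVE = {
    "properties": {
        "parameters": {
            "KeyVaultLogAnalyticsLogsEnabled": {"type": "Boolean", "defaultValue": True},
            "StorageMetricsEnabled": {"type": "Boolean", "defaultValue": True},
        },
        "policyDefinitions": [
            {
                "policyDefinitionReferenceId": "KeyVaultDeployDiagnosticLogDeployLogAnalytics",
                "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/bef3f64c-5290-43b7-85b0-9b254eef4c47",
                "parameters": {
                    "logsEnabled": {"value": "[parameters('KeyVaultLogAnalyticsLogsEnabled')]"},
                },
            },
            {
                "policyDefinitionReferenceId": "StorageDeployDiagnosticLogDeployLogAnalytics",
                "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/00000000-0000-0000-0000-000000000000",
                "parameters": {
                    "logsEnabled": {"value": True},
                    "metricsEnabled": {"value": "[parameters('StorageMetricsEnabled')]"},
                },
            },
        ],
    }
}

def find_unpinned_diagnostic_params(initiative, required=("logsEnabled", "metricsEnabled")):
    """Return {referenceId: [names]} for child policies that leave a diagnostic
    toggle unset, so it falls back to the built-in definition's default."""
    findings = {}
    for ref in initiative["properties"]["policyDefinitions"]:
        missing = [n for n in required if n not in ref.get("parameters", {})]
        if missing:
            findings[ref["policyDefinitionReferenceId"]] = missing
    return findings

def pin_to_initiative_parameter(initiative, reference_id, name, param_name, default=True):
    """Expose child-policy parameter `name` as top-level initiative parameter
    `param_name` (the per-resource boolean proposed in the thread); returns the mapping."""
    props = initiative["properties"]
    props["parameters"][param_name] = {"type": "Boolean", "defaultValue": default}
    for ref in props["policyDefinitions"]:
        if ref["policyDefinitionReferenceId"] == reference_id:
            ref.setdefault("parameters", {})[name] = {"value": f"[parameters('{param_name}')]"}
            return ref["parameters"][name]
    raise KeyError(reference_id)
```

Running the check against an exported initiative (e.g. the JSON returned by `az policy set-definition show`) lists exactly the child references where metrics would stay at the built-in default.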
Yes, I can imagine the amount of work, since it is 2 extra parameters for 64 policies. But I would probably advise doing it, because at this moment we notice inconsistent behaviour. All the custom Enterprise-Scale policies that deploy diagnostic settings have the metricsEnabled parameter defaulting to true, whilst the built-in policies have the metricsEnabled parameter defaulting to false. Besides, we also have to use the ISO-27001 initiative because of compliance and regulation, which contains AuditDiagnosticSettings. This policy works differently as well: it audits a parameter array containing a list of provided resources, and for all those resources it uses a single logsEnabled and metricsEnabled parameter to inspect. So at this moment our key vaults are compliant according to 'ISO-27001' but non-compliant according to 'Enable diagnostics for resources'.
Thanks for your feedback @neok-g.
We are completing some policy refactoring work to make updates like this easier for us to manage and pull requests throughout July and early August. Once this is complete, we can prioritise getting this work done as well as some other policy updates.
Watch this space
Thanks
Jack
cc: @krowlandson @jfaurskov @ejhenry @matt-FFFFFF
Could you please provide an update on this one?
Hey @neok-g,
We are awaiting to review and merge PR #1022 before working on these. We hope to review and merge this PR this week.
@neok-g I have received a response from the Monitor team that this is by design, as this is not the recommended way to ingest metrics at scale in Azure due to performance limitations. The Metrics API or the new batch API can be used, and there are plans to enhance metrics explorer (https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/metrics-getting-started), but no timelines currently.