azure-policy
Collection of built-in policies for diagnostics parameters "metricsEnabled" and "logsEnabled": some are type boolean and others are string.
Details of the scenario you tried and the problem that is occurring
The following Diagnostic policies have both MetricsEnabled and LogsEnabled parameters as type boolean
- Configure diagnostic settings for File Services to Log Analytics workspace
- Configure diagnostic settings for Queue Services to Log Analytics workspace
- Configure diagnostic settings for Storage Accounts to Log Analytics workspace
- Configure diagnostic settings for Table Services to Log Analytics workspace
- Deploy - Configure diagnostic settings for Azure Kubernetes Service to Log Analytics workspace
- Deploy - Configure diagnostic settings for SQL Databases to Log Analytics workspace
- Deploy Diagnostic Settings for Recovery Services Vault to Log Analytics workspace for resource specific categories. <- Also, why does this title have a full stop at the end?
The following diagnostic policies have both MetricsEnabled and LogsEnabled parameters as type string
- Deploy Diagnostic Settings for Service Bus to Log Analytics workspace
- Configure diagnostic settings for Blob Services to Log Analytics workspace
- Deploy Diagnostic Settings for Batch Account to Log Analytics workspace
- Deploy Diagnostic Settings for Data Lake Analytics to Log Analytics workspace
- Deploy Diagnostic Settings for Event Hub to Log Analytics workspace
- Deploy Diagnostic Settings for Key Vault to Log Analytics workspace
- Deploy Diagnostic Settings for Logic Apps to Log Analytics workspace
- Deploy Diagnostic Settings for Search Services to Log Analytics workspace
- Deploy Diagnostic Settings for Stream Analytics to Log Analytics workspace
- Public IP addresses should have resource logs enabled for Azure DDoS Protection Standard
Suggested solution to the issue
Make all policies use the same type, either string or boolean. Personally I think they should be boolean as the value is either true or false.
This type inconsistency also causes some issues when combining Diagnostic Policies from Enterprise Scale and built-in policies, especially through Terraform
All diagnostic policies in Enterprise Scale use the type "String" for metricsEnabled.
This needs to be taken into consideration as well
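An added example, not part of the issue thread or of the Azure Policy project: one way to detect the type mismatch described above across a set of policy definitions and to build assignment parameter values that match each definition's declared type. The sample definitions are constructed (trimmed to the `properties.parameters` shape, with display names taken from the lists above), the function names are hypothetical, and the `"True"`/`"False"` spelling for string-typed toggles is an assumption to check against each definition's `allowedValues`.

```python
import json

# Constructed sample: trimmed definitions in the policy JSON shape
# (properties.parameters.<name>.type); display names come from the issue.
SAMPLE_DEFINITIONS = json.loads("""
[
 {"properties": {"displayName": "Configure diagnostic settings for Storage Accounts to Log Analytics workspace",
   "parameters": {"metricsEnabled": {"type": "Boolean"}, "logsEnabled": {"type": "Boolean"}}}},
 {"properties": {"displayName": "Deploy Diagnostic Settings for Key Vault to Log Analytics workspace",
   "parameters": {"metricsEnabled": {"type": "String"}, "logsEnabled": {"type": "String"}}}}
]
""")

TOGGLES = ("metricsEnabled", "logsEnabled")

def declared_types(definitions):
    """Map displayName -> {toggle: declared type, lower-cased}."""
    out = {}
    for d in definitions:
        props = d["properties"]
        params = props.get("parameters", {})
        out[props["displayName"]] = {
            t: params[t]["type"].lower() for t in TOGGLES if t in params}
    return out

def inconsistent(definitions):
    """Return the toggles whose declared type differs between definitions."""
    seen = {}
    for types in declared_types(definitions).values():
        for toggle, typ in types.items():
            seen.setdefault(toggle, set()).add(typ)
    return {t: sorted(v) for t, v in seen.items() if len(v) > 1}

def assignment_parameters(definition, enabled):
    """Build assignment values typed the way this definition declares them."""
    params = definition["properties"].get("parameters", {})
    values = {}
    for t in TOGGLES:
        if t not in params:
            continue
        typ = params[t]["type"].lower()
        if typ == "boolean":
            values[t] = {"value": bool(enabled)}
        elif typ == "string":
            # Assumption: string-typed toggles accept "True"/"False".
            values[t] = {"value": "True" if enabled else "False"}
        else:
            raise ValueError(f"{t}: unexpected type {params[t]['type']}")
    return values
```

Running `inconsistent()` over exported definitions before grouping them into one initiative shows which toggles need per-policy values rather than a single shared parameter.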