azure-policy
Azure policy to deny creation of second diagnostic setting if the first one already exists.
Is there a way for Azure policy to deny creation of second diagnostic setting if the first one already exists?
I tried below, but it doesn't seem to work for my use case
{
  "mode": "All",
  "policyRule": {
    "if": {
      "field": "type",
      "equals": "Microsoft.Insights/diagnosticSettings"
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {}
}
I don't think we could do the audit policy too since we can't use Microsoft.Insights/diagnosticSettings[*] in the count field.
{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Insights/diagnosticSettings"
        },
        {
          "count": {
            "field": "Microsoft.Insights/diagnosticSettings[*]",
            "where": {
              "allOf": [
                {
                  "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
                  "exists": "true"
                }
              ]
            }
          },
          "greater": 1
        }
      ]
    },
    "then": {
      "effect": "audit"
    }
  },
  "parameters": {}
}
This is erroring out saying
The 'field' property 'Microsoft.Insights/diagnosticSettings[*]' of the policy rule does not exist as an alias under provider 'Microsoft.Insights'.
Diagnostic settings profiles are created on a resource, and it is certainly possible to have more than one of them. You can use an existenceCondition in an AuditIfNotExists policy to check for a specific profile name on a specific resource type.
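The answer above sketches the AuditIfNotExists approach without a definition. The following policy is an added worked example, not part of the original answer: it audits every Key Vault that lacks a diagnostic setting with a given name that ships logs to a Log Analytics workspace. The target type `Microsoft.KeyVault/vaults`, the parameter name `profileName` and its default `setByPolicy` are assumptions chosen for illustration; any other resource type that supports diagnostic settings can be substituted in the `if` block.

```json
{
  "mode": "Indexed",
  "parameters": {
    "profileName": {
      "type": "String",
      "metadata": {
        "displayName": "Diagnostic setting name",
        "description": "Name of the diagnostic setting each vault is expected to carry (assumed default, adjust to taste)"
      },
      "defaultValue": "setByPolicy"
    }
  },
  "policyRule": {
    "if": {
      "field": "type",
      "equals": "Microsoft.KeyVault/vaults"
    },
    "then": {
      "effect": "AuditIfNotExists",
      "details": {
        "type": "Microsoft.Insights/diagnosticSettings",
        "name": "[parameters('profileName')]",
        "existenceCondition": {
          "allOf": [
            {
              "field": "Microsoft.Insights/diagnosticSettings/workspaceId",
              "exists": "true"
            }
          ]
        }
      }
    }
  }
}
```

Note the shape: the `if` block matches the parent resource (the vault), not `Microsoft.Insights/diagnosticSettings` itself, and the `details` block then looks for one child setting by `name` and checks the `workspaceId` alias on that specific setting. That is why this works where the question's `count` over `Microsoft.Insights/diagnosticSettings[*]` does not: the child settings are separate resources, not an array property of the parent. This policy reports vaults missing the named setting; it does not prevent a second setting from being created.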