
Built-in policies for Diagnostic Settings to Event Hub missing Event Hub name

Open vegazbabz opened this issue 3 years ago • 3 comments

Details of the scenario you tried and the problem that is occurring

All built-in policies deploying diagnostic settings for a service to Event Hub are MISSING the "eventHubName" parameter, e.g. "Deploy Diagnostic Settings for Key Vault to Event Hub".

When you do not define the event hub name in the policy (which you cannot do in the built-in, due to the missing parameter), then Azure will throw the following exception: “If a valid EventHub name is not specified in the diagnostic setting, the EventHub authorization rule requires manage|send|listen access, this EventHub authorization rule does not have 'manage' access.”

As part of the best practice security, you do not want to grant your SAS “manage” permissions, since it is NOT needed! Furthermore, I want to choose a specific Event Hub for my diagnostic settings and not just a "random" one.

Verbose logs showing the problem

N/A

Suggested solution to the issue

Add "eventHubName" as part of the parameters and add it under resources.properties, just like "eventHubAuthorizationRuleId". Works flawlessly in custom policies. https://docs.microsoft.com/en-us/azure/templates/microsoft.insights/diagnosticsettings?pivots=deployment-language-arm-template

```jsonc
"resources": [
  {
    "type": "Microsoft.KeyVault/vaults/providers/diagnosticSettings",
    "apiVersion": "2017-05-01-preview",
    "name": "[concat(parameters('vaultName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
    "location": "[parameters('location')]",
    "dependsOn": [],
    "properties": {
      // -------- HERE IT IS MISSING ----- "eventHubName": "[parameters('eventHubName')]" -------- END ------
      "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]",
      "metrics": [
        {
          "category": "AllMetrics",
          "enabled": "[parameters('metricsEnabled')]",
          "retentionPolicy": {
            "enabled": false,
            "days": 0
          }
        }
      ],
      "logs": [
        {
          "category": "AuditEvent",
          "enabled": "[parameters('logsEnabled')]"
        },
        {
          "category": "AzurePolicyEvaluationDetails",
          "enabled": "[parameters('logsEnabled')]"
        }
      ]
    }
  }
]
```

If policy is Guest Configuration - details about target node

N/A

vegazbabz avatar Aug 15 '22 17:08 vegazbabz
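A small check for the gap the issue describes, added here as an example rather than code from the issue or from the azure-policy repository: it scans an ARM deployment template (the kind embedded in a deployIfNotExists policy) for diagnosticSettings resources that set an Event Hub authorization rule without an eventHubName, and produces a patched copy with the parameter wired in as the issue proposes. The sample template is constructed to mirror the Key Vault fragment above and is not a built-in policy's real definition.

```python
"""Find diagnosticSettings resources sent to Event Hub without a named hub."""
import copy
import json

# Constructed sample, modelled on the issue's Key Vault fragment: the
# authorization rule is set but eventHubName is absent (the reported defect).
SAMPLE_TEMPLATE = json.loads("""{
  "parameters": {"vaultName": {"type": "string"}, "profileName": {"type": "string"},
                 "eventHubRuleId": {"type": "string"}},
  "resources": [{
    "type": "Microsoft.KeyVault/vaults/providers/diagnosticSettings",
    "apiVersion": "2017-05-01-preview",
    "name": "[concat(parameters('vaultName'), '/', 'Microsoft.Insights/', parameters('profileName'))]",
    "properties": {
      "eventHubAuthorizationRuleId": "[parameters('eventHubRuleId')]",
      "logs": [{"category": "AuditEvent", "enabled": true}]
    }
  }]
}""")


def _targets_unnamed_hub(props):
    """True when a setting uses an Event Hub rule but names no hub; Azure then
    falls back to a default hub and demands 'manage' rights on the SAS rule."""
    return bool(props.get("eventHubAuthorizationRuleId")) and not props.get("eventHubName")


def missing_event_hub_name(template):
    """Return the names of diagnosticSettings resources that need eventHubName."""
    hits = []
    for res in template.get("resources", []):
        if not res.get("type", "").lower().endswith("/providers/diagnosticsettings"):
            continue
        if _targets_unnamed_hub(res.get("properties", {})):
            hits.append(res["name"])
    return hits


def add_event_hub_name(template, param_name="eventHubName"):
    """Return a copy that declares the parameter and references it from every
    flagged resource, i.e. the fix suggested in the issue."""
    fixed = copy.deepcopy(template)
    fixed.setdefault("parameters", {})[param_name] = {"type": "string"}
    for res in fixed.get("resources", []):
        props = res.setdefault("properties", {})
        if _targets_unnamed_hub(props):
            props["eventHubName"] = f"[parameters('{param_name}')]"
    return fixed


if __name__ == "__main__":
    print("missing before fix:", missing_event_hub_name(SAMPLE_TEMPLATE))
    print("missing after fix:", missing_event_hub_name(add_event_hub_name(SAMPLE_TEMPLATE)))
```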

I am getting the same error here...

hendersonandrade avatar Oct 06 '22 15:10 hendersonandrade

Hi @vegazbabz, I don't know if you solved this issue. I resolved this issue today in my environment; it was necessary to change the API version for the ARM Template from 2017-05-01-preview to 2021-05-01-preview. After this change it worked well. I hope I have helped you and other guys with this issue...

hendersonandrade avatar Oct 07 '22 01:10 hendersonandrade

@hendersonandrade we resolved it, as mentioned in the ticket, by adding a new parameter to specify the exact Event Hub to send the logs to --> "eventHubName": "[parameters('eventHubName')]". If you do not have this, Azure will generate a default event hub in your defined event hub namespace, e.g. activity-log-blabla. You will have one for each service you are trying to log from. It will be a mess.

vegazbabz avatar Oct 07 '22 06:10 vegazbabz