Is it possible to audit App Service Autoscale Diagnostic Settings via Policy?

Yannick Janssens 21 Reputation points
2021-10-13T11:41:30.72+00:00

We've got a bunch of App Services that have AutoScale-settings attached to them. They've got Diagnostic-Settings enabled in order to forward autoScaleActions and Evaluation Events to Log Analytics and a Storage Account. What I'd like to do is create a Policy to check these settings in order to detect configuration drift (for example, that it has to be sent to a specific Storage Account).

I've done something similar for http logging for Web Apps by creating the following rule:

    "existenceCondition": {
      "allOf": [
        {
          "field": "Microsoft.Web/sites/config/logs.httpLogs.azureBlobStorage.sasUrl",
          "exists": "True"
        },
        {
          "field": "Microsoft.Web/sites/config/logs.httpLogs.azureBlobStorage.sasUrl",
          "like": "[concat(parameters('StorageAccountURL'),'*')]"
        }
      ]
    }

However, I'm having trouble finding the correct field for the diagnostic settings of the AutoScale. I know that AutoScale is part of Microsoft.Insights and not Microsoft.Web/ServerFarms, but Resource Explorer doesn't show me anything related to Diagnostics Settings under Microsoft.Insights/AutoScaleSettings.

Any ideas, or am I looking at it the wrong way?


Accepted answer
  1. Stanislav Zhelyazkov 20,781 Reputation points MVP
    2021-10-14T12:46:15.33+00:00

    Hi,
    You can try some logic like the one below. It is not the full policy code, but I am sure you can figure it out depending on your requirements. Effect will be AuditIfNotExists.

          "if": {  
            "field": "type",  
            "equals": "Microsoft.Insights/autoscaleSettings"  
          },  
          "then": {  
            "effect": "[parameters('effect')]",  
            "details": {  
              "type": "Microsoft.Insights/diagnosticSettings",  
              "existenceCondition": {  
                "count": {  
                  "field": "Microsoft.Insights/diagnosticSettings/logs[*]",  
                  "where": {  
                    "anyOf": [  
                      {  
                        "allOf": [  
                          {  
                            "field": "Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled",  
                            "equals": "true"  
                          },  
                          {  
                            "anyOf": [  
                              {  
                                "field": "Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days",  
                                "equals": "0"  
                              },  
                              {  
                                "value": "[padLeft(current('Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.days'), 3, '0')]",  
                                "greaterOrEquals": "[padLeft(parameters('requiredRetentionDays'), 3, '0')]"  
                              }  
                            ]  
                          },  
                          {  
                            "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",  
                            "equals": "true"  
                          }  
                        ]  
                      },  
                      {  
                        "allOf": [  
                          {  
                            "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",  
                            "equals": "true"  
                          },  
                          {  
                            "anyOf": [  
                              {  
                                "field": "Microsoft.Insights/diagnosticSettings/logs[*].retentionPolicy.enabled",  
                                "notEquals": "true"  
                              },  
                              {  
                                "field": "Microsoft.Insights/diagnosticSettings/storageAccountId",  
                                "exists": false  
                              }  
                            ]  
                          }  
                        ]  
                      }  
                    ]  
                  }  
                },  
                "greaterOrEquals": 1  
              }  
            }  
          }  

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


1 additional answer

  1. Yannick Janssens 21 Reputation points
    2021-10-22T13:11:27.657+00:00

    Hi @Stanislav Zhelyazkov ,

    Thank you very much for your answer. It put me on the right way and in the end I created the following DeployIfNotExists Policy... hopefully it can help someone else as well.

    {  
      "if": {  
        "allOf": [  
          {  
            "field": "type",  
            "equals": "Microsoft.Insights/autoscaleSettings"  
          }  
        ]  
      },  
      "then": {  
        "effect": "deployIfNotExists",  
        "details": {  
          "type": "Microsoft.Insights/diagnosticSettings",  
          "roleDefinitionIds": [  
            "/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"  
          ],  
          "existenceCondition": {  
            "allOf": [  
              {  
                "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",  
                "equals": "True"  
              },  
              {  
                "field": "Microsoft.Insights/diagnosticSettings/workspaceId",  
                "matchInsensitively": "[parameters('WorkspaceId')]"  
              },  
              {  
                "field": "Microsoft.Insights/diagnosticSettings/StorageAccountId",  
                "matchInsensitively": "[parameters('StorageAccountId')]"  
              }  
            ]  
          },  
          "deployment": {  
            "properties": {  
              "mode": "incremental",  
              "template": {  
                "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",  
                "contentVersion": "1.0.0.0",  
                "parameters": {  
                  "RetentionDays": {  
                    "type": "int"  
                  },  
                  "StorageAccountId": {  
                    "type": "string"  
                  },  
                  "WorkspaceID": {  
                    "type": "string"  
                  },  
                  "ScaleName": {  
                    "type": "string"  
                  },  
                  "location": {  
                    "type": "string"  
                  }  
                },  
                "variables": {},  
                "resources": [
                  {
                    "type": "microsoft.insights/autoscalesettings/providers/diagnosticSettings",
                    "apiVersion": "2017-05-01-preview",
                    "name": "[concat(parameters('ScaleName'), '/', 'Microsoft.Insights/Logs')]",
                    "location": "[parameters('location')]",
                    "dependsOn": [],
                    "properties": {
                      "logs": [
                        {
                          "category": "AutoscaleEvaluations",
                          "enabled": true,
                          "retentionPolicy": {
                            "days": "[parameters('RetentionDays')]",
                            "enabled": true
                          }
                        },
                        {
                          "category": "AutoscaleScaleActions",
                          "enabled": true,
                          "retentionPolicy": {
                            "days": "[parameters('RetentionDays')]",
                            "enabled": true
                          }
                        }
                      ],
                      "storageAccountId": "[parameters('StorageAccountId')]",
                      "workspaceId": "[parameters('WorkspaceId')]",
                      "logAnalyticsDestinationType": null
                    }
                  }
                ]
              },
              "parameters": {
                "RetentionDays": {
                  "value": "[parameters('RetentionDays')]"
                },
                "StorageAccountId": {
                  "value": "[parameters('StorageAccountId')]"
                },
                "WorkspaceID": {
                  "value": "[parameters('WorkspaceId')]"
                },
                "ScaleName": {
                  "value": "[field('name')]"
                },
                "location": {
                  "value": "[field('location')]"
                }
              }
            }
          }
        }
      }
    }
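
An offline version of the drift check discussed in this thread, as an added example that is not part of either answer: it applies the AuditIfNotExists rule (compliant when at least one diagnostic setting satisfies every condition) to exported diagnostic settings, and goes one step further than the existenceCondition above by checking each of the two autoscale log categories by name. Resource IDs, setting names and function names are constructed for illustration.

```python
# Added example: offline drift check for autoscale diagnostic settings.
# All resource IDs and setting names below are constructed placeholders.
REQUIRED_CATEGORIES = {"AutoscaleEvaluations", "AutoscaleScaleActions"}
BASE = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-logs/providers"
WS = BASE + "/Microsoft.OperationalInsights/workspaces/law-example"
SA = BASE + "/Microsoft.Storage/storageAccounts/stexample"
OTHER = BASE + "/Microsoft.Storage/storageAccounts/stother"


def setting_drift(setting, workspace_id, storage_account_id):
    """Return the list of drift reasons for one diagnosticSettings resource."""
    props = setting.get("properties", {})
    reasons = []
    # Plain case-insensitive comparison; stricter than matchInsensitively,
    # where '.', '#' and '?' in the pattern act as wildcards.
    for key, expected in (("workspaceId", workspace_id),
                          ("storageAccountId", storage_account_id)):
        actual = props.get(key) or ""
        if actual.lower() != expected.lower():
            reasons.append(f"{key} is {actual or 'unset'}")
    enabled = {log.get("category") for log in props.get("logs", [])
               if log.get("enabled") is True}
    for missing in sorted(REQUIRED_CATEGORIES - enabled):
        reasons.append(f"category {missing} not enabled")
    return reasons


def audit_autoscale(settings, workspace_id, storage_account_id):
    """Compliant if ANY related diagnostic setting shows no drift."""
    report = {s.get("name", "<unnamed>"):
              setting_drift(s, workspace_id, storage_account_id)
              for s in settings}
    return any(not r for r in report.values()), report


def make_setting(name, workspace, storage, enabled_flags):
    """Build a constructed diagnosticSettings resource for the demo."""
    logs = [{"category": c, "enabled": e} for c, e in enabled_flags.items()]
    return {"name": name, "properties": {
        "workspaceId": workspace, "storageAccountId": storage, "logs": logs}}


GOOD = make_setting("to-central-logs", WS.upper(), SA,
                    {"AutoscaleEvaluations": True, "AutoscaleScaleActions": True})
DRIFTED = make_setting("legacy", WS, OTHER,
                       {"AutoscaleEvaluations": True, "AutoscaleScaleActions": False})

if __name__ == "__main__":
    for case in ([DRIFTED], [DRIFTED, GOOD], []):
        print(audit_autoscale(case, WS, SA))
```

An autoscale setting with no diagnostic settings at all comes out non-compliant, which matches how an existence-based policy effect treats a missing related resource.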