boot diagnostics policy enable by default and remediate with enabling if not enabled

Question

How to enable boot diagnostics to troubleshoot virtual machines through policy and remediate with enabling if not enabled?
I know there is the documentation to enable boot diagnostics: https://learn.microsoft.com/en-us/azure/virtual-machines/troubleshooting/boot-diagnostics
but how can we enforce this feature by default?

Answer 1

This is done through Azure policy. Please leverage this built in policy and target Microsoft.Compute virtualMachines. You will create a deployIfNotExists as a part of the policy definition. If not the default will audit and enforce for new resources.

https://github.com/krnese/azure-policy-samples/tree/master/samples/Monitoring/audit-diagnostic-setting

Answer 2

@bryanhaslip I don't see how Microsoft.Insights/diagnosticSettings is the same as Microsoft.Compute/virtualMachines/diagnosticsProfile.bootDiagnostics?

What this policy enables is Monitoring Insights, providing Platform logs. Where as Boot Diagnostics provides screenshots of the splash screen and serial console information. I understand this can be deployed via the portal or via powershell. https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/boot-diagnostics#enable-boot-diagnostics-on-existing-virtual-machine

However, I would also like to deploy this via a policy. I stumbled across what seemed like a gem. https://github.com/Azure/azure-policy/issues/154

Alas, I'm unable to fully understand if what is required is simply the storage account name or the storage account URI. Specially when wanting to use a storage account in a different subscription.

Answer 3

I tried the policy, but it is not worked as expected