12 - Deploy Azure Monitoring Baseline Alerts (AMBA)
Azure Monitoring Baseline Alerts (AMBA) is a set of alerts that are deployed to the Azure Monitor workspace.
First, update your library reference to include the AMBA library so that you have access to its archetypes.
- Locate the `terraform.tf` file and amend your `alz` provider library references to include the latest AMBA version.
For example:
```terraform
provider "alz" {
  library_overwrite_enabled = true
  library_references = [
    {
      path = "platform/amba"
      ref  = "0000.00.0" # check the latest library version https://github.com/Azure/Azure-Landing-Zones-Library/tags
    },
    {
      custom_url = "${path.root}/lib"
    }
  ]
}
```
- The AMBA library is now available, and you can deploy the AMBA archetypes that suit your organization in the `alz.alz_architecture_definition.yaml` file. For example, deploying the root AMBA archetype would look like this:
```yaml
name: alz_custom
management_groups:
  - id: alz
    display_name: Azure Landing Zones
    archetypes:
      - root_custom
      - amba_root
    exists: false
    parent_id: null
```
- Before deployment, there are a couple of prerequisites to complete: creating a managed identity to query Resource Graph for alerts, and creating a resource group to store the alert/monitoring assets. Start by locating the `platform-landing-zone.auto.tfvars` > `custom_replacements` > `names` block setting and add the following code:
```terraform
custom_replacements = {
  names = {
    amba_resource_group_name                 = "rg-amba-$${starter_location_01}"
    amba_user_assigned_managed_identity_name = "uami-mgmt-amba-$${starter_location_01}"
  }
}
```
- Then in the `main.management.tf` file, paste the following:
The bootstrap process generates a YAML file by default, but JSON format is also supported. Make sure to use the appropriate decoding function and file extension to correctly parse the architecture definition files.
```terraform
locals {
  root_management_group_name = yamldecode(file("${path.root}/lib/architecture_definitions/alz.alz_architecture_definition.yaml")).management_groups[0].id
  # root_management_group_name = jsondecode(file("${path.root}/lib/architecture_definitions/alz.alz_architecture_definition.json")).management_groups[0].id
}

module "amba" {
  source  = "Azure/avm-ptn-monitoring-amba-alz/azurerm"
  version = "0.1.1"
  providers = {
    azurerm = azurerm.management
  }
  location                            = var.starter_locations[0]
  root_management_group_name          = local.root_management_group_name
  resource_group_name                 = module.config.custom_replacements.amba_resource_group_name
  user_assigned_managed_identity_name = module.config.custom_replacements.amba_user_assigned_managed_identity_name
}
```
This module creates a resource group and managed identity, and it pulls the names from the `custom_replacements` > `names` block.
- Finally, you need to amend the policy default values that share common parameters, such as the managed identity, the resource group and any other customizations. To achieve this, locate `platform-landing-zone.auto.tfvars` > `management_group_settings` > `policy_default_values` and append the following code:

Ensure you amend the `amba_alz_action_group_email` option if you want to receive email notifications.
```terraform
management_group_settings = {
  location           = "$${starter_location_01}"
  parent_resource_id = "$${root_parent_management_group_id}"
  policy_default_values = {
    amba_alz_management_subscription_id            = "$${subscription_id_management}"
    amba_alz_resource_group_location               = "$${starter_location_01}"
    amba_alz_resource_group_name                   = "$${amba_resource_group_name}"
    amba_alz_user_assigned_managed_identity_name   = "$${amba_user_assigned_managed_identity_name}"
    amba_alz_action_group_email                    = []
    amba_alz_arm_role_id                           = []
    amba_alz_resource_group_tags                   = {}
    amba_alz_byo_user_assigned_managed_identity_id = ""
    amba_alz_disable_tag_name                      = ""
    amba_alz_disable_tag_values                    = []
    amba_alz_webhook_service_uri                   = []
    amba_alz_event_hub_resource_id                 = []
    amba_alz_function_resource_id                  = ""
    amba_alz_function_trigger_url                  = ""
    amba_alz_logicapp_resource_id                  = ""
    amba_alz_logicapp_callback_url                 = ""
    amba_alz_byo_alert_processing_rule             = ""
    amba_alz_byo_action_group                      = []
  }
}
```
The options for the policy default values, and the policies they're used for, can be found in the Azure Landing Zone AMBA Library.
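The `main.management.tf` step reads the root management group as `management_groups[0].id`, which is only correct while the root entry stays first in the architecture definition and carries the `amba_root` archetype. The following is an added example, not part of the original guide or the AMBA module: a Terraform `check` block (assumes Terraform 1.5 or later) that verifies both; the local names and the check name are hypothetical.

```terraform
# Added example: guard the assumptions behind management_groups[0].id.
# Names prefixed amba_ in locals and the check label are hypothetical.
locals {
  amba_architecture = yamldecode(file("${path.root}/lib/architecture_definitions/alz.alz_architecture_definition.yaml"))

  # Management groups with no parent inside the definition, i.e. hierarchy roots.
  amba_root_candidates = [
    for mg in local.amba_architecture.management_groups : mg
    if mg.parent_id == null
  ]
}

check "amba_root_management_group" {
  # The definition must describe exactly one root management group.
  assert {
    condition     = length(local.amba_root_candidates) == 1
    error_message = "Expected exactly one management group with parent_id null in the architecture definition."
  }

  # local.root_management_group_name is taken from index 0, so index 0 must be the root.
  assert {
    condition     = local.amba_architecture.management_groups[0].parent_id == null
    error_message = "management_groups[0] is not the root, so the amba module would be pointed at a child management group."
  }

  # The baseline alerts at the root are only assigned if the archetype is listed there.
  assert {
    condition     = contains(local.amba_architecture.management_groups[0].archetypes, "amba_root")
    error_message = "The root management group does not include the amba_root archetype."
  }
}
```

A failed `check` assertion is reported as a warning during plan and apply and does not block the run, so review the plan output for it before approving.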