Azure Landing Zones Documentation

12 - Deploy Azure Monitoring Baseline Alerts (AMBA)

Azure Monitoring Baseline Alerts (AMBA) is a set of alerts that are deployed to the Azure Monitor workspace.

First, update your library references to include the AMBA library so that you have access to its archetypes.

  1. Locate the terraform.tf file and amend your alz provider library references to include the latest AMBA version.

For example:

```terraform
provider "alz" {
  library_overwrite_enabled = true
  library_references = [
    {
      path = "platform/amba"
      ref  = "0000.00.0" # check the latest library version https://github.com/Azure/Azure-Landing-Zones-Library/tags
    },
    {
      custom_url = "${path.root}/lib"
    }
  ]
}
```
  2. The AMBA library is now available, and you can deploy the AMBA archetypes that suit your organization in the alz.alz_architecture_definition.yaml file. For example, deploying the root AMBA archetype looks like this:
```yaml
name: alz_custom
management_groups:
  - id: alz
    display_name: Azure Landing Zones
    archetypes:
      - root_custom
      - amba_root
    exists: false
    parent_id: null
```
  3. Before deployment, a couple of prerequisites need to be completed: creating a managed identity to query Resource Graph for alerts, and a resource group to store the alert/monitoring assets. Start by locating the platform-landing-zone.auto.tfvars > custom_replacements > names block setting and add the following code:
```terraform
custom_replacements = {
  names = {
    amba_resource_group_name                 = "rg-amba-$${starter_location_01}"
    amba_user_assigned_managed_identity_name = "uami-mgmt-amba-$${starter_location_01}"
  }
}
```
  4. Then, in the main.management.tf file, paste the following:

The bootstrap process generates a YAML file by default, but JSON format is also supported. Make sure to use the appropriate decoding function and file extension to correctly parse the architecture definition files.
```terraform
locals {
  root_management_group_name = yamldecode(file("${path.root}/lib/architecture_definitions/alz.alz_architecture_definition.yaml")).management_groups[0].id

  # root_management_group_name = jsondecode(file("${path.root}/lib/architecture_definitions/alz.alz_architecture_definition.json")).management_groups[0].id
}

module "amba" {
  source  = "Azure/avm-ptn-monitoring-amba-alz/azurerm"
  version = "0.1.1"
  providers = {
    azurerm = azurerm.management
  }
  location                            = var.starter_locations[0]
  root_management_group_name          = local.root_management_group_name
  resource_group_name                 = module.config.custom_replacements.amba_resource_group_name
  user_assigned_managed_identity_name = module.config.custom_replacements.amba_user_assigned_managed_identity_name
}
```

This module creates a resource group and managed identity and it pulls the names from the custom_replacements > names block.

  5. Finally, you need to amend the policy default values that share common parameters like the managed identity, resource group and any other customizations. To achieve this, locate the platform-landing-zone.auto.tfvars > management_group_settings > policy_default_values setting and append the following code:

Ensure you amend the amba_alz_action_group_email option if you want to receive email notifications.
```terraform
management_group_settings = {
  location           = "$${starter_location_01}"
  parent_resource_id = "$${root_parent_management_group_id}"
  policy_default_values = {
    amba_alz_management_subscription_id            = "$${subscription_id_management}"
    amba_alz_resource_group_location               = "$${starter_location_01}"
    amba_alz_resource_group_name                   = "$${amba_resource_group_name}"
    amba_alz_user_assigned_managed_identity_name   = "$${amba_user_assigned_managed_identity_name}"
    amba_alz_action_group_email                    = []
    amba_alz_arm_role_id                           = []
    amba_alz_resource_group_tags                   = {}
    amba_alz_byo_user_assigned_managed_identity_id = ""
    amba_alz_disable_tag_name                      = ""
    amba_alz_disable_tag_values                    = []
    amba_alz_webhook_service_uri                   = []
    amba_alz_event_hub_resource_id                 = []
    amba_alz_function_resource_id                  = ""
    amba_alz_function_trigger_url                  = ""
    amba_alz_logicapp_resource_id                  = ""
    amba_alz_logicapp_callback_url                 = ""
    amba_alz_byo_alert_processing_rule             = ""
    amba_alz_byo_action_group                      = []
  }
}
```

The options for the policy default values, and the policies they’re used for, can be found in the Azure Landing Zone AMBA Library.
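
A pre-deployment check for the tfvars edits in the steps above, added here as an example and not part of the accelerator or its documentation: it flags `$${...}` tokens in policy_default_values that custom_replacements > names never defines, and a configuration in which every notification target is still empty. The function names, the sample input, the list of built-in tokens, and the reading of the email, webhook, Event Hub, Function, Logic App and BYO action group values as the notification routes are assumptions.

```python
import re

# Assumption: tokens the page uses but never defines, taken to be accelerator built-ins.
BUILTIN_TOKENS = {"starter_location_01", "subscription_id_management", "root_parent_management_group_id"}
# Assumption: these defaults are the notification routes (judged by their names).
ROUTE_KEYS = ("amba_alz_action_group_email", "amba_alz_webhook_service_uri",
              "amba_alz_event_hub_resource_id", "amba_alz_function_resource_id",
              "amba_alz_logicapp_resource_id", "amba_alz_byo_action_group")

# Constructed sample: a trimmed copy of this page's tfvars with one token misspelled.
SAMPLE_TFVARS = r'''
custom_replacements = {
  names = {
    amba_resource_group_name = "rg-amba-$${starter_location_01}"
    amba_user_assigned_managed_identity_name = "uami-mgmt-amba-$${starter_location_01}"
  }
}
management_group_settings = {
  policy_default_values = {
    amba_alz_resource_group_location = "$${starter_location_01}"
    amba_alz_user_assigned_managed_identity_name = "$${amba_user_assigned_managed_identity}"
    amba_alz_action_group_email = []
  }
}
'''

def block_body(text, name):
    """Return the brace-matched text inside `name = { ... }`, or "" if absent."""
    m = re.search(r"\b%s\s*=\s*\{" % re.escape(name), text)
    depth, start = 1, m.end() if m else len(text)
    for i in range(start, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[start:i]
    return ""

def assignments(body):
    """Map key -> raw value for single-line `key = value` entries."""
    return {k: v.strip() for k, v in re.findall(r"^\s*(\w+)\s*=\s*(.+)$", body, re.M)}

def audit_amba_tfvars(text):
    names = assignments(block_body(block_body(text, "custom_replacements"), "names"))
    defaults = assignments(block_body(text, "policy_default_values"))
    known = BUILTIN_TOKENS | set(names)
    findings = [f"{key}: token '{tok}' is not defined in custom_replacements.names"
                for key, value in defaults.items()
                for tok in re.findall(r"\$\$\{(\w+)\}", value) if tok not in known]
    if all(defaults.get(k, "") in ("", "[]", '""') for k in ROUTE_KEYS):
        findings.append("no notification route set: alerts would fire without notifying anyone")
    return findings
```

Pass it the contents of platform-landing-zone.auto.tfvars in CI and fail the pipeline when the returned list is not empty.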