{ "type": "Microsoft.Authorization/policyDefinitions", "apiVersion": "2021-06-01", "name": "Deploy_VMSS_dataDiskSpace_Alert", "properties": { "policyType": "Custom", "mode": "All", "displayName": "[Preview]: Deploy Azure Monitor Baseline Alerts (AMBA-ALZ) - Azure VMSS Data Disk Space Alert", "description": "Policy to audit/deploy Azure VMSS data Disk Space Alert", "metadata": { "version": "1.0.0-preview", "category": "Compute", "source": "https://github.com/Azure/azure-monitor-baseline-alerts/", "alzCloudEnvironments": [ "AzureCloud" ], "_deployed_by_amba": "True" }, "parameters": { "alertResourceGroupName": { "type": "String", "metadata": { "displayName": "Resource Group Name", "description": "Resource group the alert is placed in" }, "defaultValue": "rg-amba-monitoring-001" }, "alertResourceGroupTags": { "type": "Object", "metadata": { "displayName": "Resource Group Tags", "description": "Tags on the Resource group the alert is placed in" }, "defaultValue": { "Project": "amba-monitoring" } }, "alertResourceGroupLocation": { "type": "String", "metadata": { "displayName": "Resource Group Location", "description": "Location of the Resource group the alert is placed in" }, "defaultValue": "centralus" }, "UAMIResourceId": { "type": "string", "defaultValue": "", "metadata": { "description": "The resource Id of the user assigned managed identity.", "displayName": "User Assigned managed Identity resource Id.", "assignPermissions": true } }, "severity": { "type": "String", "metadata": { "displayName": "Severity", "description": "Severity of the Alert" }, "allowedValues": [ "0", "1", "2", "3", "4" ], "defaultValue": "2" }, "operator": { "type": "String", "metadata": { "displayName": "Operator" }, "allowedValues": [ "GreaterThan" ], "defaultValue": "GreaterThan" }, "timeAggregation": { "type": "String", "metadata": { "displayName": "TimeAggregation" }, "allowedValues": [ "Count" ], "defaultValue": "Count" }, "windowSize": { "type": "String", "metadata": { "displayName": "Window Size", "description": "Window size for the alert" }, "allowedValues": [ "PT5M", "PT15M", "PT30M", "PT1H", "PT6H", "PT12H", "PT24H" ], "defaultValue": "PT15M" }, "evaluationFrequency": { "type": "String", "metadata": { "displayName": "Evaluation Frequency", "description": "Evaluation frequency for the alert" }, "allowedValues": [ "PT5M", "PT15M", "PT30M", "PT1H" ], "defaultValue": "PT5M" }, "autoMitigate": { "type": "String", "metadata": { "displayName": "Auto Mitigate", "description": "Auto Mitigate for the alert" }, "allowedValues": [ "true", "false" ], "defaultValue": "true" }, "checkWorkspaceAlertsStorageConfigured": { "type": "String", "metadata": { "displayName": "Require a workspace linked storage", "description": "Don't create the alert rule if the Log Analytics workspace doesn't have a configured linked storage account (relevant if you're using Customer Managed Keys)." }, "allowedValues": [ "true", "false" ], "defaultValue": "false" }, "autoResolve": { "type": "String", "metadata": { "displayName": "Auto Resolve", "description": "Auto Resolve for the alert" }, "allowedValues": [ "true", "false" ], "defaultValue": "true" }, "autoResolveTime": { "type": "String", "metadata": { "displayName": "Auto Resolve", "description": "Auto Resolve time for the alert in ISO 8601 format" }, "defaultValue": "true" }, "enabled": { "type": "String", "metadata": { "displayName": "Alert State", "description": "Alert state for the alert" }, "allowedValues": [ "true", "false" ], "defaultValue": "true" }, "threshold": { "type": "String", "metadata": { "displayName": "Threshold", "description": "Threshold for the alert" }, "defaultValue": "10" }, "failingPeriods": { "type": "String", "metadata": { "displayName": "Failing Periods", "description": "Number of failing periods before alert is fired" }, "defaultValue": "1" }, "evaluationPeriods": { "type": "String", "metadata": { "displayName": "Evaluation Periods", "description": "The number of aggregated lookback points." }, "defaultValue": "1" }, "effect": { "type": "String", "metadata": { "displayName": "Effect", "description": "Effect of the policy" }, "allowedValues": [ "deployIfNotExists", "disabled" ], "defaultValue": "deployIfNotExists" }, "MonitorDisableTagName": { "type": "String", "metadata": { "displayName": "ALZ Monitoring disabled tag name", "description": "Tag name to disable monitoring. Set to true if monitoring should be disabled" }, "defaultValue": "MonitorDisable" }, "MonitorDisableTagValues": { "type": "Array", "metadata": { "displayName": "ALZ Monitoring disabled tag values(s)", "description": "Tag value(s) used to disable monitoring at the resource level. Set to true if monitoring should be disabled." }, "defaultValue": [ "true", "Test", "Dev", "Sandbox" ] } }, "policyRule": { "if": { "allOf": [ { "field": "type", "equals": "Microsoft.Compute/virtualMachineScaleSets" }, { "field": "[[concat('tags[', parameters('MonitorDisableTagName'), ']')]", "notIn": "[[parameters('MonitorDisableTagValues')]" } ] }, "then": { "effect": "[[parameters('effect')]", "details": { "roleDefinitionIds": [ "/providers/Microsoft.Authorization/roleDefinitions/47be4a87-7950-4631-9daf-b664a405f074", "/providers/Microsoft.Authorization/roleDefinitions/f1a07417-d97a-45cb-824c-7a7467783830" ], "type": "Microsoft.Insights/scheduledQueryRules", "existenceScope": "resourceGroup", "resourceGroupName": "[[parameters('alertResourceGroupName')]", "deploymentScope": "subscription", "existenceCondition": { "allOf": [ { "field": "Microsoft.Insights/scheduledQueryRules/displayName", "equals": "[[concat(subscription().displayName, '-VMSSLowDataDiskSpaceAlert')]" }, { "field": "Microsoft.Insights/scheduledQueryRules/scopes[*]", "equals": "[[subscription().id]" }, { "field": "Microsoft.Insights/scheduledQueryRules/enabled", "equals": "[[parameters('enabled')]" }, { "field": "Microsoft.Insights/scheduledQueryRules/evaluationFrequency", "equals": "[[parameters('evaluationFrequency')]" }, { "field": "Microsoft.Insights/scheduledQueryRules/windowSize", "equals": "[[parameters('windowSize')]" }, { "field": "Microsoft.Insights/scheduledQueryRules/severity", "equals": "[[parameters('severity')]" }, { "field": "Microsoft.Insights/scheduledQueryRules/autoMitigate", "equals": "[[parameters('autoMitigate')]" }, { "field": "Microsoft.Insights/scheduledQueryRules/checkWorkspaceAlertsStorageConfigured", "equals": "[[parameters('checkWorkspaceAlertsStorageConfigured')]" }, { "field": "Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].operator", "equals": "[[parameters('operator')]" }, { "field": "Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].timeAggregation", "equals": "[[parameters('timeAggregation')]" }, { "field": "Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.numberOfEvaluationPeriods", "equals": "[[parameters('evaluationPeriods')]" }, { "field": "Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.minFailingPeriodsToAlert", "equals": "[[parameters('failingPeriods')]" }, { "field": "Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].query", "equals": "[[format('let policyThresholdString = \"{0}\"; let resourceTagging = (arg(\"\").resources | where (type =~ \"Microsoft.Compute/virtualMachines\" and not(isempty(properties.virtualMachineScaleSet))) or (type =~ \"microsoft.compute/virtualmachinescalesets\" and properties.orchestrationMode =~ \"uniform\") | where tags.[\"{1}\"] !in~ (\"{2}\") | project _ResourceId = tolower(id), resourceTags = tags); let vmssFlexible = (InsightsMetrics | where _ResourceId has \"Microsoft.Compute/virtualMachines\" | where Origin == \"vm.azm.ms\" | where Namespace == \"LogicalDisk\" and Name == \"FreeSpacePercentage\" | extend Disk=tostring(todynamic(Tags)[\"vm.azm.ms/mountId\"]) | where Disk !in (\"C:\", \"/\") | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, Disk | lookup kind=inner (resourceTagging) on _ResourceId); let vmssUniform = (InsightsMetrics | where _ResourceId matches regex \"microsoft.compute/virtualmachinescalesets/.*/\" | where Origin == \"vm.azm.ms\" | where Namespace == \"LogicalDisk\" and Name == \"FreeSpacePercentage\" | extend Disk=tostring(todynamic(Tags)[\"vm.azm.ms/mountId\"]) | where Disk !in (\"C:\", \"/\") | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, Disk | extend reducedResourceId = tostring(split(_ResourceId, \"/virtualmachines/\")[0]) | lookup kind=inner (resourceTagging) on $left.reducedResourceId == $right._ResourceId); union kind=outer vmssFlexible, vmssUniform | project-away reducedResourceId | extend excludedLogicalVolumes = iif(isnotempty(resourceTags.[\"{4}\"]),resourceTags.[\"{4}\"], \"No logical volumes excluded\") | where excludedLogicalVolumes !has Disk | extend newThresholdString = tostring(resourceTags.[\"{3}\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue < appliedThreshold | project TimeGenerated, Computer, _ResourceId, Disk, AggregatedValue, appliedThreshold, excludedLogicalVolumes', parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\",\"'), '_amba-FreeSpacePercentage-Data-threshold-Override_', '_amba-ExcludedLogicalVolumes-DiskSpace_')]" }, { "field": "identity.userAssignedIdentities", "containsKey": "[[parameters('UAMIResourceId')]" } ] }, "deployment": { "location": "northeurope", "properties": { "mode": "incremental", "template": { "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { "alertResourceGroupName": { "type": "string" }, "alertResourceGroupTags": { "type": "object" }, "alertResourceGroupLocation": { "type": "string" }, "UAMIResourceId": { "type": "string" }, "severity": { "type": "String" }, "windowSize": { "type": "String" }, "evaluationFrequency": { "type": "String" }, "autoMitigate": { "type": "String" }, "checkWorkspaceAlertsStorageConfigured": { "type": "String" }, "autoResolve": { "type": "String" }, "autoResolveTime": { "type": "String" }, "enabled": { "type": "String" }, "threshold": { "type": "String" }, "operator": { "type": "String" }, "timeAggregation": { "type": "String" }, "failingPeriods": { "type": "String" }, "evaluationPeriods": { "type": "String" }, "MonitorDisableTagName": { "type": "String" }, "MonitorDisableTagValues": { "type": "Array" } }, "variables": {}, "resources": [ { "type": "Microsoft.Resources/resourceGroups", "apiVersion": "2021-04-01", "name": "[[parameters('alertResourceGroupName')]", "location": "[[parameters('alertResourceGroupLocation')]", "tags": "[[parameters('alertResourceGroupTags')]" }, { "type": "Microsoft.Resources/deployments", "apiVersion": "2019-10-01", "name": "VMSSdataDiskSpaceAlert", "resourceGroup": "[[parameters('alertResourceGroupName')]", "dependsOn": [ "[[concat('Microsoft.Resources/resourceGroups/', parameters('alertResourceGroupName'))]" ], "properties": { "mode": "Incremental", "template": { "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { "enabled": { "type": "string" }, "alertResourceGroupName": { "type": "string" }, "alertResourceGroupLocation": { "type": "string" }, "UAMIResourceId": { "type": "string" } }, "variables": {}, "resources": [ { "type": "Microsoft.Insights/scheduledQueryRules", "apiVersion": "2022-08-01-preview", "name": "[[concat(subscription().displayName, '-VMSSLowDataDiskSpaceAlert')]", "location": "[[parameters('alertResourceGroupLocation')]", "identity": { "type": "UserAssigned", "userAssignedIdentities": { "[[parameters('UAMIResourceId')]": {} } }, "tags": { "_deployed_by_amba": true }, "properties": { "displayName": "[[concat(subscription().displayName, '-VMSSLowDataDiskSpaceAlert')]", "description": "Log Alert for Virtual Machine Scale Set dataDiskSpace", "severity": "[[parameters('severity')]", "enabled": "[[parameters('enabled')]", "scopes": [ "[[subscription().Id]" ], "targetResourceTypes": [ "Microsoft.Compute/virtualMachines" ], "evaluationFrequency": "[[parameters('evaluationFrequency')]", "windowSize": "[[parameters('windowSize')]", "criteria": { "allOf": [ { "query": "[[format('let policyThresholdString = \"{0}\"; let resourceTagging = (arg(\"\").resources | where (type =~ \"Microsoft.Compute/virtualMachines\" and not(isempty(properties.virtualMachineScaleSet))) or (type =~ \"microsoft.compute/virtualmachinescalesets\" and properties.orchestrationMode =~ \"uniform\") | where tags.[\"{1}\"] !in~ (\"{2}\") | project _ResourceId = tolower(id), resourceTags = tags); let vmssFlexible = (InsightsMetrics | where _ResourceId has \"Microsoft.Compute/virtualMachines\" | where Origin == \"vm.azm.ms\" | where Namespace == \"LogicalDisk\" and Name == \"FreeSpacePercentage\" | extend Disk=tostring(todynamic(Tags)[\"vm.azm.ms/mountId\"]) | where Disk !in (\"C:\", \"/\") | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, Disk | lookup kind=inner (resourceTagging) on _ResourceId); let vmssUniform = (InsightsMetrics | where _ResourceId matches regex \"microsoft.compute/virtualmachinescalesets/.*/\" | where Origin == \"vm.azm.ms\" | where Namespace == \"LogicalDisk\" and Name == \"FreeSpacePercentage\" | extend Disk=tostring(todynamic(Tags)[\"vm.azm.ms/mountId\"]) | where Disk !in (\"C:\", \"/\") | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, Disk | extend reducedResourceId = tostring(split(_ResourceId, \"/virtualmachines/\")[0]) | lookup kind=inner (resourceTagging) on $left.reducedResourceId == $right._ResourceId); union kind=outer vmssFlexible, vmssUniform | project-away reducedResourceId | extend excludedLogicalVolumes = iif(isnotempty(resourceTags.[\"{4}\"]),resourceTags.[\"{4}\"], \"No logical volumes excluded\") | where excludedLogicalVolumes !has Disk | extend newThresholdString = tostring(resourceTags.[\"{3}\"]) | extend appliedThreshold = iif(isempty(newThresholdString), toint(policyThresholdString), toint(newThresholdString)) | where AggregatedValue < appliedThreshold | project TimeGenerated, Computer, _ResourceId, Disk, AggregatedValue, appliedThreshold, excludedLogicalVolumes', parameters('threshold'), parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\",\"'), '_amba-FreeSpacePercentage-Data-threshold-Override_', '_amba-ExcludedLogicalVolumes-DiskSpace_')]", "threshold": 0, "operator": "[[parameters('operator')]", "resourceIdColumn": "_ResourceId", "timeAggregation": "[[parameters('timeAggregation')]", "dimensions": [ { "name": "Computer", "operator": "Include", "values": [ "*" ] }, { "name": "Disk", "operator": "Include", "values": [ "*" ] } ], "failingPeriods": { "numberOfEvaluationPeriods": "[[parameters('evaluationPeriods')]", "minFailingPeriodsToAlert": "[[parameters('failingPeriods')]" } } ] }, "autoMitigate": "[[parameters('autoMitigate')]", "checkWorkspaceAlertsStorageConfigured": "[[parameters('checkWorkspaceAlertsStorageConfigured')]", "ruleResolveConfiguration": { "autoResolved": "[[parameters('autoResolve')]", "timeToResolve": "[[parameters('autoResolveTime')]" }, "parameters": { "alertResourceGroupName": { "value": "[[parameters('alertResourceGroupName')]" }, "alertResourceGroupLocation": { "value": "[[parameters('alertResourceGroupLocation')]" }, "UAMIResourceId": { "value": "[[parameters('UAMIResourceId')]" }, "severity": { "value": "[[parameters('severity')]" }, "windowSize": { "value": "[[parameters('windowSize')]" }, "evaluationFrequency": { "value": "[[parameters('evaluationFrequency')]" }, "autoMitigate": { "value": "[[parameters('autoMitigate')]" }, "checkWorkspaceAlertsStorageConfigured": { "value": "[[parameters('checkWorkspaceAlertsStorageConfigured')]" }, "autoResolve": { "value": "[[parameters('autoResolve')]" }, "autoResolveTime": { "value": "[[parameters('autoResolveTime')]" }, "enabled": { "value": "[[parameters('enabled')]" }, "threshold": { "value": "[[parameters('threshold')]" }, "failingPeriods": { "value": "[[parameters('failingPeriods')]" }, "evaluationPeriods": { "value": "[[parameters('evaluationPeriods')]" }, "MonitorDisableTagName": { "value": "[[parameters('MonitorDisableTagName')]" }, "MonitorDisableTagValues": { "value": "[[parameters('MonitorDisableTagValues')]" } } } } ] }, "parameters": { "enabled": { "value": "[[parameters('enabled')]" }, "alertResourceGroupName": { "value": "[[parameters('alertResourceGroupName')]" }, "alertResourceGroupLocation": { "value": "[[parameters('alertResourceGroupLocation')]" }, "UAMIResourceId": { "value": "[[parameters('UAMIResourceId')]" } } } } ] }, "parameters": { "alertResourceGroupName": { "value": "[[parameters('alertResourceGroupName')]" }, "alertResourceGroupTags": { "value": "[[parameters('alertResourceGroupTags')]" }, "alertResourceGroupLocation": { "value": "[[parameters('alertResourceGroupLocation')]" }, "UAMIResourceId": { "value": "[[parameters('UAMIResourceId')]" }, "severity": { "value": "[[parameters('severity')]" }, "windowSize": { "value": "[[parameters('windowSize')]" }, "evaluationFrequency": { "value": "[[parameters('evaluationFrequency')]" }, "autoMitigate": { "value": "[[parameters('autoMitigate')]" }, "checkWorkspaceAlertsStorageConfigured": { "value": "[[parameters('checkWorkspaceAlertsStorageConfigured')]" }, "autoResolve": { "value": "[[parameters('autoResolve')]" }, "autoResolveTime": { "value": "[[parameters('autoResolveTime')]" }, "enabled": { "value": "[[parameters('enabled')]" }, "threshold": { "value": "[[parameters('threshold')]" }, "operator": { "value": "[[parameters('operator')]" }, "timeAggregation": { "value": "[[parameters('timeAggregation')]" }, "failingPeriods": { "value": "[[parameters('failingPeriods')]" }, "evaluationPeriods": { "value": "[[parameters('evaluationPeriods')]" }, "MonitorDisableTagName": { "value": "[[parameters('MonitorDisableTagName')]" }, "MonitorDisableTagValues": { "value": "[[parameters('MonitorDisableTagValues')]" } } } } } } } } }