
I am trying to create diagnostics settings using Bicep to export diagnostics from AAD to an Event Hub.

The part I am unsure of is the scope.

I am rewording my question as the first answer below and the comments are leading to many a dead end.

My Facade Bicep Code:

module diagnosticsAAD 'diagnosticSettingAAD.bicep' = [for ds in diagnosticSettingsAAD: {
  name: 'Diagnostics-${ds.diagnosticType}'
  scope: resourceGroup(ds.resourceSubId, ds.resourceRG)
  dependsOn: [eventHubs]
  params: {
    diagnosticName: ds.diagnosticName
    eventHubAuthorizationRuleId: ds.eventHubAuthorizationRuleId
    eventHubName: ds.eventHubName
    diagnosticType: ds.diagnosticType
    resourceName: ds.resourceName
    logs: ds.logs
    metrics: ds.metrics
  }
}]

The underlying Bicep Module:

@description('Diagnostic name')
param diagnosticName string

@description('Auth ID to allow diags to be saved to Event Hub')
param eventHubAuthorizationRuleId string
@description('Event Hub name')
param eventHubName string

@description('Type of Diagnostic we are trying to create')
@allowed(['Firewall', 'SQLServer', 'AAD'])
param diagnosticType string
@description('Name of Resource we are trying to place the diagnostic on')
param resourceName string

@description('Array of Diagnostic Logs')
param logs array
@description('Array of Diagnostic Metrics')
param metrics array

// Set up Logs
var diagnosticsLogConfig = [for category in logs: {
  category: category
  enabled: true
  retentionPolicy: {
    enabled: true
    days: 28
  }
}]

// Set Up Metrics
var diagnosticsMetricConfig = [for category in metrics: {
  category: category
  enabled: true
  retentionPolicy: {
    enabled: true
    days: 28
  }
}]
// ----------------------------------------------------------------

resource activeDir 'Microsoft.AzureActiveDirectory/b2cDirectories@2021-04-01' existing = {
  name: resourceName
}

// Create Diagnostics by Type
resource diagAADSetting 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (diagnosticType == 'AAD') {
  name: diagnosticName
  scope: activeDir
  properties: {
    eventHubAuthorizationRuleId: eventHubAuthorizationRuleId != null ? eventHubAuthorizationRuleId : null
    eventHubName: eventHubName != null ? eventHubName : null
    logs: diagnosticsLogConfig != null ? diagnosticsLogConfig : []
    metrics: diagnosticsMetricConfig != null ? diagnosticsMetricConfig : []
    logAnalyticsDestinationType: 'Dedicated'
  }
}

And finally the Json:

{
    "diagnosticSettingsAAD": {
        "value": [
            {
                "diagnosticType": "AAD",
                "diagnosticName": "my-diag",
                "resourceSubId": "123",
                "resourceName": "AAD (Dev)",
                "resourceRG": "my-rg",
                "eventHubName": "my-evh",
                "eventHubAuthorizationRuleId": "/subscriptions/123/resourcegroups/my-rg/providers/Microsoft.EventHub/namespaces/my-evhns/authorizationrules/RootManageSharedAccessKey",
                "logs": [
                    "AuditLogs",
                    "SignInLogs",
                    "ManagedIdentitySignInLogs",
                    "ProvisioningLogs"
                ],
                "metrics": []
            }
        ]
    }
}

and the error returned is:

The resource write operation failed to complete successfully, because it reached terminal provisioning state 'Failed'.",
    "details": [
      {
        "code": "DeploymentFailed",
        "target": "/subscriptions/123/resourceGroups/my-rg/providers/Microsoft.Resources/deployments/Diagnostics-AAD",
        "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.",
        "details": [
          {
            "code": "ResourceNotFound",
            "message": "The Resource 'Microsoft.AzureActiveDirectory/b2cDirectories/AAD (Dev)' under resource group 'my-rg' was not found.

It appears that it is the scope, unless the message is a red herring. I have tried scope: tenant() and I get a compilation error in VS Code stating that it needs to be at resource group level.

Any suggestions would be appreciated.

2 Answers


  1. Chosen as BEST ANSWER

    In the end I used the following code, as we aren't using B2C, as per the code originally supplied by Jahnavi.

    resource aadDiagnosticSettings 'microsoft.aadiam/diagnosticSettings@2017-04-01' = if (diagnosticType == 'AAD') {
      name: diagnosticName
      scope: tenant()
      properties: {
        eventHubAuthorizationRuleId: eventHubAuthorizationRuleId != null ? eventHubAuthorizationRuleId : null
        eventHubName: eventHubName != null ? eventHubName : null
        logs: diagnosticsLogConfig != null ? diagnosticsLogConfig : []
      }
    }
    
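For readers who want the accepted answer as a self-contained module rather than a fragment that depends on the question's variables, here is an added example (not the asker's or Jahnavi's code) that assembles the question's parameters and log loop with the tenant-scoped `microsoft.aadiam/diagnosticSettings` resource. The parameter defaults and the output name are assumptions chosen for illustration.

```bicep
// Added example, not code from the original question or answers.
// Exports Entra ID (AAD) tenant logs to an Event Hub. Deploy it as a module
// from a resource-group deployment, as the question's facade does.
@description('Name of the tenant-level diagnostic setting (assumed default)')
param diagnosticName string = 'aad-to-eventhub'

@description('Resource ID of the Event Hub namespace authorization rule, e.g. the RootManageSharedAccessKey rule used in the question')
param eventHubAuthorizationRuleId string

@description('Event Hub within that namespace that receives the logs')
param eventHubName string

@description('Tenant log categories to export (defaults are the categories from the question)')
param logs array = [
  'AuditLogs'
  'SignInLogs'
  'ManagedIdentitySignInLogs'
  'ProvisioningLogs'
]

// One entry per category. retentionPolicy is omitted: it only applies to
// storage-account destinations, so it has no effect for an Event Hub.
var logConfig = [for category in logs: {
  category: category
  enabled: true
}]

// Entra ID is not an ARM resource inside a resource group, which is why the
// b2cDirectories lookup in the question fails with ResourceNotFound. The
// setting is an extension resource on the tenant itself.
resource aadDiagnosticSettings 'microsoft.aadiam/diagnosticSettings@2017-04-01' = {
  name: diagnosticName
  scope: tenant()
  properties: {
    eventHubAuthorizationRuleId: eventHubAuthorizationRuleId
    eventHubName: eventHubName
    logs: logConfig
  }
}

output diagnosticSettingName string = aadDiagnosticSettings.name
```

The deploying identity needs tenant-level rights to write the setting, so a deployment that works for resource-group resources can still fail here on authorization rather than scope.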

  2. To obtain the scope of the resource, you can use the resourceId() function in Bicep by giving the resource name, provider, resource type etc. as detailed in the given MS Doc.

    scope:resourceId('Microsoft.AzureActiveDirectory/b2cDirectories', <resource>)
    

    After adding the required scope, your code is modified as below:

    resource diagAADSetting 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (diagnosticType == 'AAD') {
      name: diagnosticName
      scope: resourceId('Microsoft.AzureActiveDirectory/b2cDirectories', resourceName)
      properties: {
        eventHubAuthorizationRuleId: eventHubAuthorizationRuleId != null ? eventHubAuthorizationRuleId : null
        eventHubName: eventHubName != null ? eventHubName : null
        logs: diagnosticsLogConfig != null ? diagnosticsLogConfig : []
        metrics: diagnosticsMetricConfig != null ? diagnosticsMetricConfig : []
        logAnalyticsDestinationType: 'Dedicated'
      }
    }
    

    I ran the sample template with the scope parameter and it was successfully deployed.
