I am trying to create diagnostics settings using Bicep to export diagnostics from AAD to an Event Hub.
The part I am unsure of is the scope.
I am rewording my question as the first answer below and the comments are leading to many dead ends.
My Facade Bicep Code:
module diagnosticsAAD 'diagnosticSettingAAD.bicep' = [for ds in diagnosticSettingsAAD: {
  name: 'Diagnostics-${ds.diagnosticType}'
  scope: resourceGroup(ds.resourceSubId, ds.resourceRG)
  dependsOn: [eventHubs]
  params: {
    diagnosticName: ds.diagnosticName
    eventHubAuthorizationRuleId: ds.eventHubAuthorizationRuleId
    eventHubName: ds.eventHubName
    diagnosticType: ds.diagnosticType
    resourceName: ds.resourceName
    logs: ds.logs
    metrics: ds.metrics
  }
}]
The underlying Bicep Module:
@description('Diagnostic name')
param diagnosticName string

@description('Auth ID to allow diags to be saved to Event Hub')
param eventHubAuthorizationRuleId string

@description('Event Hub name')
param eventHubName string

@description('Type of Diagnostic we are trying to create')
@allowed(['Firewall', 'SQLServer', 'AAD'])
param diagnosticType string

@description('Name of Resource we are trying to place the diagnostic on')
param resourceName string

@description('Array of Diagnostic Logs')
param logs array

@description('Array of Diagnostic Metrics')
param metrics array

// Set up Logs
var diagnosticsLogConfig = [for category in logs: {
  category: category
  enabled: true
  retentionPolicy: {
    enabled: true
    days: 28
  }
}]

// Set Up Metrics
var diagnosticsMetricConfig = [for category in metrics: {
  category: category
  enabled: true
  retentionPolicy: {
    enabled: true
    days: 28
  }
}]

// ----------------------------------------------------------------
// Look up the directory by name in the resource group this module is scoped to
resource activeDir 'Microsoft.AzureActiveDirectory/b2cDirectories@2021-04-01' existing = {
  name: resourceName
}

// Create Diagnostics by Type
resource diagAADSetting 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (diagnosticType == 'AAD') {
  name: diagnosticName
  scope: activeDir
  properties: {
    eventHubAuthorizationRuleId: eventHubAuthorizationRuleId != null ? eventHubAuthorizationRuleId : null
    eventHubName: eventHubName != null ? eventHubName : null
    logs: diagnosticsLogConfig != null ? diagnosticsLogConfig : []
    metrics: diagnosticsMetricConfig != null ? diagnosticsMetricConfig : []
    logAnalyticsDestinationType: 'Dedicated'
  }
}
And finally the JSON parameters:
{
  "diagnosticSettingsAAD": {
    "value": [
      {
        "diagnosticType": "AAD",
        "diagnosticName": "my-diag",
        "resourceSubId": "123",
        "resourceName": "AAD (Dev)",
        "resourceRG": "my-rg",
        "eventHubName": "my-evh",
        "eventHubAuthorizationRuleId": "/subscriptions/123/resourcegroups/my-rg/providers/Microsoft.EventHub/namespaces/my-evhns/authorizationrules/RootManageSharedAccessKey",
        "logs": [
          "AuditLogs",
          "SignInLogs",
          "ManagedIdentitySignInLogs",
          "ProvisioningLogs"
        ],
        "metrics": []
      }
    ]
  }
}
and the error returned is:
"The resource write operation failed to complete successfully, because it reached terminal provisioning state 'Failed'.",
"details": [
  {
    "code": "DeploymentFailed",
    "target": "/subscriptions/123/resourceGroups/my-rg/providers/Microsoft.Resources/deployments/Diagnostics-AAD",
    "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.",
    "details": [
      {
        "code": "ResourceNotFound",
        "message": "The Resource 'Microsoft.AzureActiveDirectory/b2cDirectories/AAD (Dev)' under resource group 'my-rg' was not found.
It appears that it is the scope, unless the message is a red herring. I have tried scope: tenant() and I get a compilation error in VS Code stating that it needs to be at resource group level.
Any suggestions would be appreciated.
2 Answers
In the end I used the following code, as we aren't using B2C, based on the code originally supplied by Jahnavi.
To obtain the scope of the resource, you can use the resourceId() function in Bicep by giving the resource name, provider, resource type etc., as detailed in the given MS Doc.
After adding the required scope, your code is modified as below:
I ran the sample template with the scope parameter and was successfully deployed.
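As an added example that is not code from the question or from either answer: the ResourceNotFound error above comes from the module looking up a Microsoft.AzureActiveDirectory/b2cDirectories resource named "AAD (Dev)" inside the resource group, and that resource type only exists for an Azure AD B2C tenant. A regular Entra ID (AAD) tenant is not a resource in any resource group, so there is nothing for an extension resource like Microsoft.Insights/diagnosticSettings to attach to, which is also why scope: tenant() fails to compile. The tenant's own diagnostic setting is the Microsoft.aadiam/diagnosticSettings resource type, deployed at tenant scope. The stand-alone file below does that for the same log categories and parameter names as the question's parameter file; the Event Hub authorization rule ID and Event Hub name are assumed inputs supplied at deployment time.

```bicep
// Added example, not the question's code: export Entra ID (AAD) audit and sign-in
// logs to an Event Hub with a tenant-scoped diagnostic setting.
// Entra ID is not a resource-group resource, so this file deploys at tenant scope
// and uses the Microsoft.aadiam/diagnosticSettings resource type directly.
targetScope = 'tenant'

@description('Name of the diagnostic setting')
param diagnosticName string = 'my-diag'

@description('Resource ID of an Event Hub namespace authorization rule; a Send-only rule is sufficient (assumed input)')
param eventHubAuthorizationRuleId string

@description('Name of the Event Hub inside that namespace (assumed input)')
param eventHubName string

@description('Entra ID log categories to export; defaults are the ones from the question')
param logs array = [
  'AuditLogs'
  'SignInLogs'
  'ManagedIdentitySignInLogs'
  'ProvisioningLogs'
]

// One entry per category. retentionPolicy only applies to storage-account
// destinations, so it is disabled here for the Event Hub destination.
var logSettings = [for category in logs: {
  category: category
  enabled: true
  retentionPolicy: {
    enabled: false
    days: 0
  }
}]

// The setting is created on the tenant itself; no scope property is needed
// because the whole deployment already targets the tenant.
resource aadDiagnostics 'Microsoft.aadiam/diagnosticSettings@2017-04-01-preview' = {
  name: diagnosticName
  properties: {
    eventHubAuthorizationRuleId: eventHubAuthorizationRuleId
    eventHubName: eventHubName
    logs: logSettings
  }
}

output diagnosticSettingId string = aadDiagnostics.id
```

Deploy it with a tenant-scope deployment rather than a resource-group one, for example `az deployment tenant create --location westeurope --template-file aad-diagnostics.bicep --parameters eventHubAuthorizationRuleId=<rule-id> eventHubName=my-evh`. Two checks worth doing before running it: the deploying principal needs permission to create deployments at tenant scope and an Entra ID role that can manage diagnostic settings (Global Administrator or Security Administrator), otherwise the deployment fails on authorization rather than on scope; and the authorization rule should be a dedicated one with only the Send right on the namespace or Event Hub, not RootManageSharedAccessKey as in the question's parameter file, since that rule carries Manage, Send and Listen rights for the entire namespace and ends up referenced from every diagnostic setting that uses it.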