diff --git a/docs/content/patterns/alz/Cleaning-up-a-Deployment.md b/docs/content/patterns/alz/Cleaning-up-a-Deployment.md index 92085a939..f9e50e39d 100644 --- a/docs/content/patterns/alz/Cleaning-up-a-Deployment.md +++ b/docs/content/patterns/alz/Cleaning-up-a-Deployment.md @@ -39,29 +39,29 @@ Follow the instructions below to download the cleanup script file. Alternatively 3. Change directories to the location of the **Start-AMBACleanup.ps1** script 4. Configure the _**$pseudoRootManagementGroup**_ variable using the command below: - ```powershell - $pseudoRootManagementGroup = "The pseudo root management group id parenting the identity, management and connectivity management groups" - ``` + ```powershell + $pseudoRootManagementGroup = "The pseudo root management group id parenting the identity, management and connectivity management groups" + ``` 5. Sign in to the Azure with the `Connect-AzAccount` command. The account you sign in as needs to have permissions to remove Policy Assignments, Policy Definitions, and resources at the desired Management Group scope. 6. Execute the script using one of the options below: {{% include "PowerShell-ExecutionPolicy.md" %}} - **Generate a list of the resource IDs which would be deleted by this script:** + **Show output of what would happen if deletes executed:** ```powershell - ./Start-AMBACleanup.ps1 -pseudoRootManagementGroup $pseudoRootManagementGroup -ReportOnly + ./Start-AMBACleanup.ps1 -pseudoRootManagementGroup $pseudoRootManagementGroup -WhatIf ``` - **Show output of what would happen if deletes executed:** + **Execute the script asking for confirmation before deleting the resources deployed by AMBA-ALZ:** ```powershell - ./Start-AMBACleanup.ps1 -pseudoRootManagementGroup $pseudoRootManagementGroup -WhatIf + ./Start-AMBACleanup.ps1 -pseudoRootManagementGroup $pseudoRootManagementGroup ``` - **Delete all resources deployed by the ALZ-Monitor IaC without prompting for confirmation:** + **Execute the script without asking for confirmation before deleting the resources deployed by AMBA-ALZ.** ```powershell - ./Start-AMBACleanup.ps1 -pseudoRootManagementGroup $pseudoRootManagementGroup -Force + ./Start-AMBACleanup.ps1 -pseudoRootManagementGroup $pseudoRootManagementGroup -Confirm:$false ``` diff --git a/docs/content/patterns/alz/UpdateToNewReleases/Update_from_release_2023-11-14.md b/docs/content/patterns/alz/UpdateToNewReleases/Update_from_release_2023-11-14.md index dd8e2b0bd..7eb895dc3 100644 --- a/docs/content/patterns/alz/UpdateToNewReleases/Update_from_release_2023-11-14.md +++ b/docs/content/patterns/alz/UpdateToNewReleases/Update_from_release_2023-11-14.md @@ -25,20 +25,20 @@ Updating from release [2023-11-14](../../Whats-New#2023-11-14) will require runn {{% include "PowerShell-ExecutionPolicy.md" %}} - **Generate a list of the resource IDs which would be deleted by this script:** + **Show output of what would happen if deletes executed:** ```powershell - ./Start-AMBAOldArpCleanup.ps1 -pseudoRootManagementGroup $pseudoRootManagementGroup -ReportOnly + ./Start-AMBAOldArpCleanup.ps1 -pseudoRootManagementGroup $pseudoRootManagementGroup -WhatIf ``` - **Show output of what would happen if deletes executed:** + **Execute the script asking for confirmation before deleting old Service Health action group(s) deployed by AMBA-ALZ:** ```powershell - ./Start-AMBAOldArpCleanup.ps1 -pseudoRootManagementGroup $pseudoRootManagementGroup -WhatIf + ./Start-AMBAOldArpCleanup.ps1 -pseudoRootManagementGroup $pseudoRootManagementGroup ``` - **Delete all resources deployed by the ALZ-Monitor IaC without prompting for confirmation:** + **Execute the script without asking for confirmation before deleting old Service Health action group(s) deployed by AMBA-ALZ.** ```powershell - ./Start-AMBAOldArpCleanup.ps1 -pseudoRootManagementGroup $pseudoRootManagementGroup -Force + ./Start-AMBAOldArpCleanup.ps1 -pseudoRootManagementGroup $pseudoRootManagementGroup -Confirm:$false ``` diff --git a/docs/content/patterns/alz/UpdateToNewReleases/Update_from_release_2024-03-01.md b/docs/content/patterns/alz/UpdateToNewReleases/Update_from_release_2024-03-01.md index 5e1372f35..e2afadfd2 100644 --- a/docs/content/patterns/alz/UpdateToNewReleases/Update_from_release_2024-03-01.md +++ b/docs/content/patterns/alz/UpdateToNewReleases/Update_from_release_2024-03-01.md @@ -28,20 +28,20 @@ To run the script, complete the following step: {{% include "PowerShell-ExecutionPolicy.md" %}} - **Generate a list of the resource IDs which would be deleted by this script:** + **Show output of what would happen if deletes executed:** ```powershell - ./Remove-AMBANotificationAssets.ps1 -pseudoRootManagementGroup $pseudoRootManagementGroup -ReportOnly + ./Remove-AMBANotificationAssets.ps1 -pseudoRootManagementGroup $pseudoRootManagementGroup -WhatIf ``` - **Show output of what would happen if deletes executed:** + **Execute the script asking for confirmation before deleting notification asset resources deployed by AMBA-ALZ:** ```powershell - ./Remove-AMBANotificationAssets.ps1 -pseudoRootManagementGroup $pseudoRootManagementGroup -WhatIf + ./Remove-AMBANotificationAssets.ps1 -pseudoRootManagementGroup $pseudoRootManagementGroup ``` - **Delete notification asset resources deployed by the ALZ pattern without prompting for confirmation:** + **Execute the script without asking for confirmation before deleting notification asset resources deployed by AMBA-ALZ.** ```powershell - ./Remove-AMBANotificationAssets.ps1 -pseudoRootManagementGroup $pseudoRootManagementGroup -Force + ./Remove-AMBANotificationAssets.ps1 -pseudoRootManagementGroup $pseudoRootManagementGroup -Confirm:$false ``` diff --git a/docs/content/patterns/alz/UpdateToNewReleases/Update_from_release_2024-06-05.md b/docs/content/patterns/alz/UpdateToNewReleases/Update_from_release_2024-06-05.md index ec37588fa..ce88feb0d 100644 --- a/docs/content/patterns/alz/UpdateToNewReleases/Update_from_release_2024-06-05.md +++ b/docs/content/patterns/alz/UpdateToNewReleases/Update_from_release_2024-06-05.md @@ -9,7 +9,7 @@ weight: 97 # Pre update actions -Before updating to release [2024-06-30](../../Whats-New#2024-06-30), it's required to remove existing policy definitions, policy set definitions, policy assignments and role assignments. This action is required because of a breaking change caused by the redefinition of some parameters, which allows for more flexibility in disabling the policy remediation or, in some cases, the alerts. Unfortunately not all the alerts can be disabled after creation; only log-based alerts can be. Even if disabling the effect of policy was already possible in AMBA-ALZ, with this release we made sure that all the policies will honor both the ***PolicyEffect*** and the ***MonitorDisable*** parameters. +Before updating to release [2024-06-05](../../Whats-New#2024-06-05), it's required to remove existing policy definitions, policy set definitions, policy assignments and role assignments. This action is required because of a breaking change caused by the redefinition of some parameters, which allows for more flexibility in disabling the policy remediation or, in some cases, the alerts. Unfortunately not all the alerts can be disabled after creation; only log-based alerts can be. Even if disabling the effect of policy was already possible in AMBA-ALZ, with this release we made sure that all the policies will honor both the ***PolicyEffect*** and the ***MonitorDisable*** parameters. In particular, the *MonitorDisable* feature has been redesigned to allow customer to specify they own existing tag and tag value instead of forcing a hard coded one. Given the ALZ guidance and the best practice of having a consistent tagging definition, it's only allowed to one parameter name fo r the entire deployment. Instead, parameter value can be different. You can specify an array of values assigned to the same parameter. For instance, you have the ```Environment``` tag name consistently applied to several environments, saying ```Production```, ```Test```, ```Sandbox```, and so on and you want to disable alerts for resources, which are in both ```Test``` and ```Sandbox```. Now it's possible by just configuring the parameters for tag name and tag values as reported in the sample screenshot (these are the default values) below: @@ -36,14 +36,20 @@ To run the script, complete the following steps: {{% include "PowerShell-ExecutionPolicy.md" %}} - **Generate a list of policy definitions, policy set definitions, policy assignments and role assignments resources which would be deleted by this script:** + **Show output of what would happen if deletes executed:** ```powershell - ./Start-AMBAPolicyInitiativesAndAssignmentsCleanup.ps1 -pseudoRootManagementGroup $pseudoRootManagementGroup -ReportOnly + ./Start-AMBAPolicyInitiativesAndAssignmentsCleanup.ps1 -pseudoRootManagementGroup $pseudoRootManagementGroup -WhatIf ``` - **Delete policy definitions, policy set definitions, policy assignments and role assignments resources deployed by the AMBA-ALZ pattern without prompting for confirmation:** + **Execute the script asking for confirmation before deleting the policy definitions, policy set definitions, policy assignments and role assignments deployed by AMBA-ALZ:** ```powershell - ./Start-AMBAPolicyInitiativesAndAssignmentsCleanup.ps1 -pseudoRootManagementGroup $pseudoRootManagementGroup -Force + ./Start-AMBAPolicyInitiativesAndAssignmentsCleanup.ps1 -pseudoRootManagementGroup $pseudoRootManagementGroup + ``` + + **Execute the script without asking for confirmation before deleting the policy definitions, policy set definitions, policy assignments and role assignments deployed by AMBA-ALZ.** + + ```powershell + ./Start-AMBAPolicyInitiativesAndAssignmentsCleanup.ps1 -pseudoRootManagementGroup $pseudoRootManagementGroup -Confirm:$false ``` diff --git a/patterns/alz/alzArm.param.json b/patterns/alz/alzArm.param.json index e6d23b0b9..b1566c096 100644 --- a/patterns/alz/alzArm.param.json +++ b/patterns/alz/alzArm.param.json @@ -1544,7 +1544,7 @@ "value": "PT10M" }, "HybridVMDisconnectedAlertAutoMitigate": { - "value": "false" + "value": "true" }, "HybridVMDisconnectedAlertPolicyEffect": { "value": "deployIfNotExists" diff --git a/patterns/alz/policyDefinitions/policies-Hybrid.json b/patterns/alz/policyDefinitions/policies-Hybrid.json index 9b9d77e1e..cbd2704c6 100644 --- a/patterns/alz/policyDefinitions/policies-Hybrid.json +++ b/patterns/alz/policyDefinitions/policies-Hybrid.json @@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.29.47.4906", - "templateHash": "7492840284618312842" + "templateHash": "16468692433239637076" } }, "parameters": { @@ -118,7 +118,7 @@ "$fxv#0": "{\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"name\": \"Deploy_Hybrid_VM_dataDiskReadLatency_Alert\",\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy Hybrid VM Data Disk Read Latency Alert\",\n \"description\": \"Policy to audit/deploy VM dataDiskReadLatency Alert\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Hybrid Compute\",\n \"source\": \"https://github.com/Azure/azure-monitor-baseline-alerts/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ],\n \"_deployed_by_amba\": \"True\"\n },\n \"parameters\": {\n \"alertResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group Name\",\n \"description\": \"Resource group the alert is placed in\"\n },\n \"defaultValue\": \"rg-amba-monitoring-001\"\n },\n \"alertResourceGroupTags\": {\n \"type\": \"Object\",\n \"metadata\": {\n \"displayName\": \"Resource Group Tags\",\n \"description\": \"Tags on the Resource group the alert is placed in\"\n },\n \"defaultValue\": {\n \"Project\": \"amba-monitoring\"\n }\n },\n \"alertResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group Location\",\n \"description\": \"Location of the Resource group the alert is placed in\"\n },\n \"defaultValue\": \"centralus\"\n },\n \"UAMIResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"description\": \"The resource Id of the user assigned managed identity.\",\n \"displayName\": \"User Assigned managed Identity resource Id.\"\n }\n },\n \"severity\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Severity\",\n \"description\": \"Severity of the Alert\"\n },\n \"allowedValues\": [\n \"0\",\n \"1\",\n \"2\",\n \"3\",\n \"4\"\n ],\n \"defaultValue\": \"2\"\n },\n \"operator\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Operator\"\n },\n \"allowedValues\": [\n \"GreaterThan\"\n ],\n \"defaultValue\": \"GreaterThan\"\n },\n \"timeAggregation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"TimeAggregation\"\n },\n \"allowedValues\": [\n \"Count\"\n ],\n \"defaultValue\": \"Count\"\n },\n \"windowSize\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Window Size\",\n \"description\": \"Window size for the alert\"\n },\n \"allowedValues\": [\n \"PT5M\",\n \"PT15M\",\n \"PT30M\",\n \"PT1H\",\n \"PT6H\",\n \"PT12H\",\n \"PT24H\"\n ],\n \"defaultValue\": \"PT15M\"\n },\n \"evaluationFrequency\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Evaluation Frequency\",\n \"description\": \"Evaluation frequency for the alert\"\n },\n \"allowedValues\": [\n \"PT5M\",\n \"PT15M\",\n \"PT30M\",\n \"PT1H\"\n ],\n \"defaultValue\": \"PT5M\"\n },\n \"autoMitigate\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Auto Mitigate\",\n \"description\": \"Auto Mitigate for the alert\"\n },\n \"allowedValues\": [\n \"true\",\n \"false\"\n ],\n \"defaultValue\": \"true\"\n },\n \"autoResolve\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Auto Resolve\",\n \"description\": \"Auto Resolve for the alert\"\n },\n \"allowedValues\": [\n \"true\",\n \"false\"\n ],\n \"defaultValue\": \"true\"\n },\n \"autoResolveTime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Auto Resolve\",\n \"description\": \"Auto Resolve time for the alert in ISO 8601 format\"\n },\n \"defaultValue\": \"true\"\n },\n \"enabled\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Alert State\",\n \"description\": \"Alert state for the alert\"\n },\n \"allowedValues\": [\n \"true\",\n \"false\"\n ],\n \"defaultValue\": \"true\"\n },\n \"threshold\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Threshold\",\n \"description\": \"Threshold for the alert\"\n },\n \"defaultValue\": \"30\"\n },\n \"failingPeriods\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Failing Periods\",\n \"description\": \"Number of failing periods before alert is fired\"\n },\n \"defaultValue\": \"1\"\n },\n \"evaluationPeriods\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Evaluation Periods\",\n \"description\": \"The number of aggregated lookback points.\"\n },\n \"defaultValue\": \"1\"\n },\n \"computersToInclude\": {\n \"type\": \"array\",\n \"metadata\": {\n \"displayName\": \"Computers to be included to be monitored\",\n \"description\": \"Array of Computer to be monitored\"\n },\n \"defaultValue\": [\n \"*\"\n ]\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Effect of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n },\n \"MonitorDisableTagName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"ALZ Monitoring disabled tag name\",\n \"description\": \"Tag name to disable monitoring. Set to true if monitoring should be disabled\"\n },\n \"defaultValue\": \"MonitorDisable\"\n },\n \"MonitorDisableTagValues\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"ALZ Monitoring disabled tag values(s)\",\n \"description\": \"Tag value(s) used to disable monitoring at the resource level. Set to true if monitoring should be disabled.\"\n },\n \"defaultValue\": [\n \"true\",\n \"Test\",\n \"Dev\",\n \"Sandbox\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.HybridCompute/machines\"\n },\n {\n \"field\": \"[[concat('tags[', parameters('MonitorDisableTagName'), ']')]\",\n \"notIn\": \"[[parameters('MonitorDisableTagValues')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n ],\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\n \"existenceScope\": \"resourceGroup\",\n \"resourceGroupName\": \"[[parameters('alertResourceGroupName')]\",\n \"deploymentScope\": \"subscription\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/scheduledQueryRules/displayName\",\n \"equals\": \"[[concat(subscription().displayName, '-HybridVMHighDataDiskReadLatencyAlert')]\"\n },\n {\n \"field\": \"Microsoft.Insights/scheduledQueryRules/scopes[*]\",\n \"equals\": \"[[subscription().id]\"\n },\n {\n \"field\": \"Microsoft.Insights/scheduledQueryRules/enabled\",\n \"equals\": \"[[parameters('enabled')]\"\n },\n {\n \"field\": \"Microsoft.Insights/scheduledQueryRules/evaluationFrequency\",\n \"equals\": \"[[parameters('evaluationFrequency')]\"\n },\n {\n \"field\": \"Microsoft.Insights/scheduledQueryRules/windowSize\",\n \"equals\": \"[[parameters('windowSize')]\"\n },\n {\n \"field\": \"Microsoft.Insights/scheduledQueryRules/severity\",\n \"equals\": \"[[parameters('severity')]\"\n },\n {\n \"field\": \"Microsoft.Insights/scheduledQueryRules/autoMitigate\",\n \"equals\": \"[[parameters('autoMitigate')]\"\n },\n {\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].operator\",\n \"equals\": \"[[parameters('operator')]\"\n },\n {\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].timeAggregation\",\n \"equals\": \"[[parameters('timeAggregation')]\"\n },\n {\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.numberOfEvaluationPeriods\",\n \"equals\": \"[[parameters('evaluationPeriods')]\"\n },\n {\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.minFailingPeriodsToAlert\",\n \"equals\": \"[[parameters('failingPeriods')]\"\n },\n {\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].query\",\n \"equals\": \"[[format('let policyThresholdString = \\\"{2}\\\"; let excludedResources = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.HybridCompute/machines\\\" | project _ResourceId = id, tags | where parse_json(tostring(tags.{0})) in~ (\\\"{1}\\\")); let overridenResource = (arg(\\\"\\\").resources | where type == \\\"microsoft.hybridcompute/machines\\\" | project _ResourceId = tolower(id), tags | where tags contains \\\"_amba-ReadLatencyMs-Data-threshold-override_\\\"); InsightsMetrics | where _ResourceId has \\\"Microsoft.HybridCompute/machines\\\" | where _ResourceId !in~ (excludedResources) | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"LogicalDisk\\\" and Name == \\\"ReadLatencyMs\\\" | extend Disk=tostring(todynamic(Tags)[\\\"vm.azm.ms/mountId\\\"]) | where Disk !in (\\\"C:\\\", \\\"/\\\") | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, Disk | join hint.remote=left kind=leftouter overridenResource on _ResourceId | project-away _ResourceId1 | extend appliedThresholdString = iif(tags contains \\\"_amba-ReadLatencyMs-Data-threshold-override_\\\", tostring(tags.[\\\"_amba-ReadLatencyMs-Data-threshold-override_\\\"]), policyThresholdString) | extend appliedThreshold = toint(appliedThresholdString) | where AggregatedValue > appliedThreshold | project TimeGenerated, Computer, _ResourceId, Disk, AggregatedValue', parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), parameters('threshold'))]\"\n },\n {\n \"field\": \"identity.userAssignedIdentities\",\n \"containsKey\": \"[[parameters('UAMIResourceId')]\"\n }\n ]\n },\n \"deployment\": {\n \"location\": \"northeurope\",\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"alertResourceGroupName\": {\n \"type\": \"string\"\n },\n \"alertResourceGroupTags\": {\n \"type\": \"object\"\n },\n \"alertResourceGroupLocation\": {\n \"type\": \"string\"\n },\n \"UAMIResourceId\": {\n \"type\": \"string\"\n },\n \"severity\": {\n \"type\": \"String\"\n },\n \"windowSize\": {\n \"type\": \"String\"\n },\n \"evaluationFrequency\": {\n \"type\": \"String\"\n },\n \"autoMitigate\": {\n \"type\": \"String\"\n },\n \"autoResolve\": {\n \"type\": \"String\"\n },\n \"autoResolveTime\": {\n \"type\": \"String\"\n },\n \"enabled\": {\n \"type\": \"String\"\n },\n \"threshold\": {\n \"type\": \"String\"\n },\n \"operator\": {\n \"type\": \"String\"\n },\n \"timeAggregation\": {\n \"type\": \"String\"\n },\n \"failingPeriods\": {\n \"type\": \"String\"\n },\n \"evaluationPeriods\": {\n \"type\": \"String\"\n },\n \"computersToInclude\": {\n \"type\": \"array\"\n },\n \"MonitorDisableTagName\": {\n \"type\": \"String\"\n },\n \"MonitorDisableTagValues\": {\n \"type\": \"Array\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Resources/resourceGroups\",\n \"apiVersion\": \"2021-04-01\",\n \"name\": \"[[parameters('alertResourceGroupName')]\",\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\n \"tags\": \"[[parameters('alertResourceGroupTags')]\"\n },\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"apiVersion\": \"2019-10-01\",\n \"name\": \"HybridVMdataDiskReadLatencyAlert\",\n \"resourceGroup\": \"[[parameters('alertResourceGroupName')]\",\n \"dependsOn\": [\n \"[[concat('Microsoft.Resources/resourceGroups/', parameters('alertResourceGroupName'))]\"\n ],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"enabled\": {\n \"type\": \"string\"\n },\n \"alertResourceGroupName\": {\n \"type\": \"string\"\n },\n \"alertResourceGroupLocation\": {\n \"type\": \"string\"\n },\n \"UAMIResourceId\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\n \"apiVersion\": \"2022-08-01-preview\",\n \"name\": \"[[concat(subscription().displayName, '-HybridVMHighDataDiskReadLatencyAlert')]\",\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\n \"identity\": {\n \"type\": \"UserAssigned\",\n \"userAssignedIdentities\": {\n \"[[parameters('UAMIResourceId')]\": {}\n }\n },\n \"tags\": {\n \"_deployed_by_amba\": true\n },\n \"properties\": {\n \"displayName\": \"[[concat(subscription().displayName, '-HybridVMHighDataDiskReadLatencyAlert')]\",\n \"description\": \"Log Alert for Virtual Machine dataDiskReadLatency\",\n \"severity\": \"[[parameters('severity')]\",\n \"enabled\": \"[[parameters('enabled')]\",\n \"scopes\": [\n \"[[subscription().Id]\"\n ],\n \"targetResourceTypes\": [\n \"Microsoft.HybridCompute/machines\"\n ],\n \"evaluationFrequency\": \"[[parameters('evaluationFrequency')]\",\n \"windowSize\": \"[[parameters('windowSize')]\",\n \"criteria\": {\n \"allOf\": [\n {\n \"query\": \"[[format('let policyThresholdString = \\\"{2}\\\"; let excludedResources = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.HybridCompute/machines\\\" | project _ResourceId = id, tags | where parse_json(tostring(tags.{0})) in~ (\\\"{1}\\\")); let overridenResource = (arg(\\\"\\\").resources | where type == \\\"microsoft.hybridcompute/machines\\\" | project _ResourceId = tolower(id), tags | where tags contains \\\"_amba-ReadLatencyMs-Data-threshold-override_\\\"); InsightsMetrics | where _ResourceId has \\\"Microsoft.HybridCompute/machines\\\" | where _ResourceId !in~ (excludedResources) | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"LogicalDisk\\\" and Name == \\\"ReadLatencyMs\\\" | extend Disk=tostring(todynamic(Tags)[\\\"vm.azm.ms/mountId\\\"]) | where Disk !in (\\\"C:\\\", \\\"/\\\") | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, Disk | join hint.remote=left kind=leftouter overridenResource on _ResourceId | project-away _ResourceId1 | extend appliedThresholdString = iif(tags contains \\\"_amba-ReadLatencyMs-Data-threshold-override_\\\", tostring(tags.[\\\"_amba-ReadLatencyMs-Data-threshold-override_\\\"]), policyThresholdString) | extend appliedThreshold = toint(appliedThresholdString) | where AggregatedValue > appliedThreshold | project TimeGenerated, Computer, _ResourceId, Disk, AggregatedValue', parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), parameters('threshold'))]\",\n \"threshold\": 0,\n \"operator\": \"[[parameters('operator')]\",\n \"resourceIdColumn\": \"_ResourceId\",\n \"timeAggregation\": \"[[parameters('timeAggregation')]\",\n \"dimensions\": [\n {\n \"name\": \"Computer\",\n \"operator\": \"Include\",\n \"values\": \"[[parameters('computersToInclude')]\"\n },\n {\n \"name\": \"Disk\",\n \"operator\": \"Include\",\n \"values\": [\n \"*\"\n ]\n }\n ],\n \"failingPeriods\": {\n \"numberOfEvaluationPeriods\": \"[[parameters('evaluationPeriods')]\",\n \"minFailingPeriodsToAlert\": \"[[parameters('failingPeriods')]\"\n }\n }\n ]\n },\n \"autoMitigate\": \"[[parameters('autoMitigate')]\",\n \"ruleResolveConfiguration\": {\n \"autoResolved\": \"[[parameters('autoResolve')]\",\n \"timeToResolve\": \"[[parameters('autoResolveTime')]\"\n },\n \"parameters\": {\n \"alertResourceGroupName\": {\n \"value\": \"[[parameters('alertResourceGroupName')]\"\n },\n \"alertResourceGroupLocation\": {\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\n },\n \"UAMIResourceId\": {\n \"value\": \"[[parameters('UAMIResourceId')]\"\n },\n \"severity\": {\n \"value\": \"[[parameters('severity')]\"\n },\n \"windowSize\": {\n \"value\": \"[[parameters('windowSize')]\"\n },\n \"evaluationFrequency\": {\n \"value\": \"[[parameters('evaluationFrequency')]\"\n },\n \"autoMitigate\": {\n \"value\": \"[[parameters('autoMitigate')]\"\n },\n \"autoResolve\": {\n \"value\": \"[[parameters('autoResolve')]\"\n },\n \"autoResolveTime\": {\n \"value\": \"[[parameters('autoResolveTime')]\"\n },\n \"enabled\": {\n \"value\": \"[[parameters('enabled')]\"\n },\n \"threshold\": {\n \"value\": \"[[parameters('threshold')]\"\n },\n \"failingPeriods\": {\n \"value\": \"[[parameters('failingPeriods')]\"\n },\n \"evaluationPeriods\": {\n \"value\": \"[[parameters('evaluationPeriods')]\"\n },\n \"computersToInclude\": {\n \"value\": \"[[parameters('computersToInclude')]\"\n },\n \"MonitorDisableTagName\": {\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\n },\n \"MonitorDisableTagValues\": {\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\n }\n }\n }\n }\n ]\n },\n \"parameters\": {\n \"enabled\": {\n \"value\": \"[[parameters('enabled')]\"\n },\n \"alertResourceGroupName\": {\n \"value\": \"[[parameters('alertResourceGroupName')]\"\n },\n \"alertResourceGroupLocation\": {\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\n },\n \"UAMIResourceId\": {\n \"value\": \"[[parameters('UAMIResourceId')]\"\n }\n }\n }\n }\n ]\n },\n \"parameters\": {\n \"alertResourceGroupName\": {\n \"value\": \"[[parameters('alertResourceGroupName')]\"\n },\n \"alertResourceGroupTags\": {\n \"value\": \"[[parameters('alertResourceGroupTags')]\"\n },\n \"alertResourceGroupLocation\": {\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\n },\n \"UAMIResourceId\": {\n \"value\": \"[[parameters('UAMIResourceId')]\"\n },\n \"severity\": {\n \"value\": \"[[parameters('severity')]\"\n },\n \"windowSize\": {\n \"value\": \"[[parameters('windowSize')]\"\n },\n \"evaluationFrequency\": {\n \"value\": \"[[parameters('evaluationFrequency')]\"\n },\n \"autoMitigate\": {\n \"value\": \"[[parameters('autoMitigate')]\"\n },\n \"autoResolve\": {\n \"value\": \"[[parameters('autoResolve')]\"\n },\n \"autoResolveTime\": {\n \"value\": \"[[parameters('autoResolveTime')]\"\n },\n \"enabled\": {\n \"value\": \"[[parameters('enabled')]\"\n },\n \"threshold\": {\n \"value\": \"[[parameters('threshold')]\"\n },\n \"operator\": {\n \"value\": \"[[parameters('operator')]\"\n },\n \"timeAggregation\": {\n \"value\": \"[[parameters('timeAggregation')]\"\n },\n \"failingPeriods\": {\n \"value\": \"[[parameters('failingPeriods')]\"\n },\n \"evaluationPeriods\": {\n \"value\": \"[[parameters('evaluationPeriods')]\"\n },\n \"computersToInclude\": {\n \"value\": \"[[parameters('computersToInclude')]\"\n },\n \"MonitorDisableTagName\": {\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\n },\n \"MonitorDisableTagValues\": {\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", "$fxv#1": "{\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"name\": \"Deploy_Hybrid_VM_dataDiskSpace_Alert\",\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy Hybrid VM Data Disk Space Alert\",\n \"description\": \"Policy to audit/deploy VM data Disk Space Alert\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Hybrid Compute\",\n \"source\": \"https://github.com/Azure/azure-monitor-baseline-alerts/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ],\n \"_deployed_by_amba\": \"True\"\n },\n \"parameters\": {\n \"alertResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group Name\",\n \"description\": \"Resource group the alert is placed in\"\n },\n \"defaultValue\": \"rg-amba-monitoring-001\"\n },\n \"alertResourceGroupTags\": {\n \"type\": \"Object\",\n \"metadata\": {\n \"displayName\": \"Resource Group Tags\",\n \"description\": \"Tags on the Resource group the alert is placed in\"\n },\n \"defaultValue\": {\n \"Project\": \"amba-monitoring\"\n }\n },\n \"alertResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group Location\",\n \"description\": \"Location of the Resource group the alert is placed in\"\n },\n \"defaultValue\": \"centralus\"\n },\n \"UAMIResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"description\": \"The resource Id of the user assigned managed identity.\",\n \"displayName\": \"User Assigned managed Identity resource Id.\"\n }\n },\n \"severity\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Severity\",\n \"description\": \"Severity of the Alert\"\n },\n \"allowedValues\": [\n \"0\",\n \"1\",\n \"2\",\n \"3\",\n \"4\"\n ],\n \"defaultValue\": \"2\"\n },\n \"operator\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Operator\"\n },\n \"allowedValues\": [\n \"GreaterThan\"\n ],\n \"defaultValue\": \"GreaterThan\"\n },\n \"timeAggregation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"TimeAggregation\"\n },\n \"allowedValues\": [\n \"Count\"\n ],\n \"defaultValue\": \"Count\"\n },\n \"windowSize\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Window Size\",\n \"description\": \"Window size for the alert\"\n },\n \"allowedValues\": [\n \"PT5M\",\n \"PT15M\",\n \"PT30M\",\n \"PT1H\",\n \"PT6H\",\n \"PT12H\",\n \"PT24H\"\n ],\n \"defaultValue\": \"PT15M\"\n },\n \"evaluationFrequency\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Evaluation Frequency\",\n \"description\": \"Evaluation frequency for the alert\"\n },\n \"allowedValues\": [\n \"PT5M\",\n \"PT15M\",\n \"PT30M\",\n \"PT1H\"\n ],\n \"defaultValue\": \"PT5M\"\n },\n \"autoMitigate\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Auto Mitigate\",\n \"description\": \"Auto Mitigate for the alert\"\n },\n \"allowedValues\": [\n \"true\",\n \"false\"\n ],\n \"defaultValue\": \"true\"\n },\n \"autoResolve\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Auto Resolve\",\n \"description\": \"Auto Resolve for the alert\"\n },\n \"allowedValues\": [\n \"true\",\n \"false\"\n ],\n \"defaultValue\": \"true\"\n },\n \"autoResolveTime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Auto Resolve\",\n \"description\": \"Auto Resolve time for the alert in ISO 8601 format\"\n },\n \"defaultValue\": \"true\"\n },\n \"enabled\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Alert State\",\n \"description\": \"Alert state for the alert\"\n },\n \"allowedValues\": [\n \"true\",\n \"false\"\n ],\n \"defaultValue\": \"true\"\n },\n \"threshold\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Threshold\",\n \"description\": \"Threshold for the alert\"\n },\n \"defaultValue\": \"10\"\n },\n \"failingPeriods\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Failing Periods\",\n \"description\": \"Number of failing periods before alert is fired\"\n },\n \"defaultValue\": \"1\"\n },\n \"evaluationPeriods\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Evaluation Periods\",\n \"description\": \"The number of aggregated lookback points.\"\n },\n \"defaultValue\": \"1\"\n },\n \"computersToInclude\": {\n \"type\": \"array\",\n \"metadata\": {\n \"displayName\": \"Computers to be included to be monitored\",\n \"description\": \"Array of Computer to be monitored\"\n },\n \"defaultValue\": [\n \"*\"\n ]\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Effect of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n },\n \"MonitorDisableTagName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"ALZ Monitoring disabled tag name\",\n \"description\": \"Tag name to disable monitoring. Set to true if monitoring should be disabled\"\n },\n \"defaultValue\": \"MonitorDisable\"\n },\n \"MonitorDisableTagValues\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"ALZ Monitoring disabled tag values(s)\",\n \"description\": \"Tag value(s) used to disable monitoring at the resource level. Set to true if monitoring should be disabled.\"\n },\n \"defaultValue\": [\n \"true\",\n \"Test\",\n \"Dev\",\n \"Sandbox\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.HybridCompute/machines\"\n },\n {\n \"field\": \"[[concat('tags[', parameters('MonitorDisableTagName'), ']')]\",\n \"notIn\": \"[[parameters('MonitorDisableTagValues')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n ],\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\n \"existenceScope\": \"resourceGroup\",\n \"resourceGroupName\": \"[[parameters('alertResourceGroupName')]\",\n \"deploymentScope\": \"subscription\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/scheduledQueryRules/displayName\",\n \"equals\": \"[[concat(subscription().displayName, '-HybridVMLowDataDiskSpaceAlert')]\"\n },\n {\n \"field\": \"Microsoft.Insights/scheduledQueryRules/scopes[*]\",\n \"equals\": \"[[subscription().id]\"\n },\n {\n \"field\": \"Microsoft.Insights/scheduledQueryRules/enabled\",\n \"equals\": \"[[parameters('enabled')]\"\n },\n {\n \"field\": \"Microsoft.Insights/scheduledQueryRules/evaluationFrequency\",\n \"equals\": \"[[parameters('evaluationFrequency')]\"\n },\n {\n \"field\": \"Microsoft.Insights/scheduledQueryRules/windowSize\",\n \"equals\": \"[[parameters('windowSize')]\"\n },\n {\n \"field\": \"Microsoft.Insights/scheduledQueryRules/severity\",\n \"equals\": \"[[parameters('severity')]\"\n },\n {\n \"field\": \"Microsoft.Insights/scheduledQueryRules/autoMitigate\",\n \"equals\": \"[[parameters('autoMitigate')]\"\n },\n {\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].operator\",\n \"equals\": \"[[parameters('operator')]\"\n },\n {\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].timeAggregation\",\n \"equals\": \"[[parameters('timeAggregation')]\"\n },\n {\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.numberOfEvaluationPeriods\",\n \"equals\": \"[[parameters('evaluationPeriods')]\"\n },\n {\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.minFailingPeriodsToAlert\",\n \"equals\": \"[[parameters('failingPeriods')]\"\n },\n {\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].query\",\n \"equals\": \"[[format('let policyThresholdString = \\\"{2}\\\"; let excludedResources = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.HybridCompute/machines\\\" | project _ResourceId = id, tags | where parse_json(tostring(tags.{0})) in~ (\\\"{1}\\\")); let overridenResource = (arg(\\\"\\\").resources | where type == \\\"microsoft.hybridcompute/machines\\\" | project _ResourceId = tolower(id), tags | where tags contains \\\"_amba-FreeSpacePercentage-Data-threshold-override_\\\"); InsightsMetrics | where _ResourceId has \\\"Microsoft.HybridCompute/machines\\\" | where _ResourceId !in~ (excludedResources) | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"LogicalDisk\\\" and Name == \\\"FreeSpacePercentage\\\" | extend Disk=tostring(todynamic(Tags)[\\\"vm.azm.ms/mountId\\\"]) | where Disk !in (\\\"C:\\\",\\\"/\\\") | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, Disk | join hint.remote=left kind=leftouter overridenResource on _ResourceId | project-away _ResourceId1 | extend appliedThresholdString = iif(tags contains \\\"_amba-FreeSpacePercentage-Data-threshold-override_\\\", tostring(tags.[\\\"_amba-FreeSpacePercentage-Data-threshold-override_\\\"]), policyThresholdString) | extend appliedThreshold = toint(appliedThresholdString) | where AggregatedValue < appliedThreshold | project TimeGenerated, Computer, _ResourceId, Disk, AggregatedValue', parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), parameters('threshold'))]\"\n },\n {\n \"field\": \"identity.userAssignedIdentities\",\n \"containsKey\": \"[[parameters('UAMIResourceId')]\"\n }\n ]\n },\n \"deployment\": {\n \"location\": \"northeurope\",\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"alertResourceGroupName\": {\n \"type\": \"string\"\n },\n \"alertResourceGroupTags\": {\n \"type\": \"object\"\n },\n \"alertResourceGroupLocation\": {\n \"type\": \"string\"\n },\n \"UAMIResourceId\": {\n \"type\": \"string\"\n },\n \"severity\": {\n \"type\": \"String\"\n },\n \"windowSize\": {\n \"type\": \"String\"\n },\n \"evaluationFrequency\": {\n \"type\": \"String\"\n },\n \"autoMitigate\": {\n \"type\": \"String\"\n },\n \"autoResolve\": {\n \"type\": \"String\"\n },\n \"autoResolveTime\": {\n \"type\": \"String\"\n },\n \"enabled\": {\n \"type\": \"String\"\n },\n \"threshold\": {\n \"type\": \"String\"\n },\n \"operator\": {\n \"type\": \"String\"\n },\n \"timeAggregation\": {\n \"type\": \"String\"\n },\n \"failingPeriods\": {\n \"type\": \"String\"\n },\n \"evaluationPeriods\": {\n \"type\": \"String\"\n },\n \"computersToInclude\": {\n \"type\": \"array\"\n },\n \"MonitorDisableTagName\": {\n \"type\": \"String\"\n },\n \"MonitorDisableTagValues\": {\n \"type\": \"Array\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Resources/resourceGroups\",\n \"apiVersion\": \"2021-04-01\",\n \"name\": \"[[parameters('alertResourceGroupName')]\",\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\n \"tags\": \"[[parameters('alertResourceGroupTags')]\"\n },\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"apiVersion\": \"2019-10-01\",\n \"name\": \"HybridVMdataDiskSpaceAlert\",\n \"resourceGroup\": \"[[parameters('alertResourceGroupName')]\",\n \"dependsOn\": [\n \"[[concat('Microsoft.Resources/resourceGroups/', parameters('alertResourceGroupName'))]\"\n ],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"enabled\": {\n \"type\": \"string\"\n },\n \"alertResourceGroupName\": {\n \"type\": \"string\"\n },\n \"alertResourceGroupLocation\": {\n \"type\": \"string\"\n },\n \"UAMIResourceId\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\n \"apiVersion\": \"2022-08-01-preview\",\n \"name\": \"[[concat(subscription().displayName, '-HybridVMLowDataDiskSpaceAlert')]\",\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\n \"identity\": {\n \"type\": \"UserAssigned\",\n \"userAssignedIdentities\": {\n \"[[parameters('UAMIResourceId')]\": {}\n }\n },\n \"tags\": {\n \"_deployed_by_amba\": true\n },\n \"properties\": {\n \"displayName\": \"[[concat(subscription().displayName, '-HybridVMLowDataDiskSpaceAlert')]\",\n \"description\": \"Log Alert for Virtual Machine dataDiskSpace\",\n \"severity\": \"[[parameters('severity')]\",\n \"enabled\": \"[[parameters('enabled')]\",\n \"scopes\": [\n \"[[subscription().Id]\"\n ],\n \"targetResourceTypes\": [\n \"Microsoft.HybridCompute/machines\"\n ],\n \"evaluationFrequency\": \"[[parameters('evaluationFrequency')]\",\n \"windowSize\": \"[[parameters('windowSize')]\",\n \"criteria\": {\n \"allOf\": [\n {\n \"query\": \"[[format('let policyThresholdString = \\\"{2}\\\"; let excludedResources = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.HybridCompute/machines\\\" | project _ResourceId = id, tags | where parse_json(tostring(tags.{0})) in~ (\\\"{1}\\\")); let overridenResource = (arg(\\\"\\\").resources | where type == \\\"microsoft.hybridcompute/machines\\\" | project _ResourceId = tolower(id), tags | where tags contains \\\"_amba-FreeSpacePercentage-Data-threshold-override_\\\"); InsightsMetrics | where _ResourceId has \\\"Microsoft.HybridCompute/machines\\\" | where _ResourceId !in~ (excludedResources) | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"LogicalDisk\\\" and Name == \\\"FreeSpacePercentage\\\" | extend Disk=tostring(todynamic(Tags)[\\\"vm.azm.ms/mountId\\\"]) | where Disk !in (\\\"C:\\\",\\\"/\\\") | summarize AggregatedValue = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId, Disk | join hint.remote=left kind=leftouter overridenResource on _ResourceId | project-away _ResourceId1 | extend appliedThresholdString = iif(tags contains \\\"_amba-FreeSpacePercentage-Data-threshold-override_\\\", tostring(tags.[\\\"_amba-FreeSpacePercentage-Data-threshold-override_\\\"]), policyThresholdString) | extend appliedThreshold = toint(appliedThresholdString) | where AggregatedValue < appliedThreshold | project TimeGenerated, Computer, _ResourceId, Disk, AggregatedValue', parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), parameters('threshold'))]\",\n \"threshold\": 0,\n \"operator\": \"[[parameters('operator')]\",\n \"resourceIdColumn\": \"_ResourceId\",\n \"timeAggregation\": \"[[parameters('timeAggregation')]\",\n \"dimensions\": [\n {\n \"name\": \"Computer\",\n \"operator\": \"Include\",\n \"values\": \"[[parameters('computersToInclude')]\"\n },\n {\n \"name\": \"Disk\",\n \"operator\": \"Include\",\n \"values\": [\n \"*\"\n ]\n }\n ],\n \"failingPeriods\": {\n \"numberOfEvaluationPeriods\": \"[[parameters('evaluationPeriods')]\",\n \"minFailingPeriodsToAlert\": \"[[parameters('failingPeriods')]\"\n }\n }\n ]\n },\n \"autoMitigate\": \"[[parameters('autoMitigate')]\",\n \"ruleResolveConfiguration\": {\n \"autoResolved\": \"[[parameters('autoResolve')]\",\n \"timeToResolve\": \"[[parameters('autoResolveTime')]\"\n },\n \"parameters\": {\n \"alertResourceGroupName\": {\n \"value\": \"[[parameters('alertResourceGroupName')]\"\n },\n \"alertResourceGroupLocation\": {\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\n },\n \"UAMIResourceId\": {\n \"value\": \"[[parameters('UAMIResourceId')]\"\n },\n \"severity\": {\n \"value\": \"[[parameters('severity')]\"\n },\n \"windowSize\": {\n \"value\": \"[[parameters('windowSize')]\"\n },\n \"evaluationFrequency\": {\n \"value\": \"[[parameters('evaluationFrequency')]\"\n },\n \"autoMitigate\": {\n \"value\": \"[[parameters('autoMitigate')]\"\n },\n \"autoResolve\": {\n \"value\": \"[[parameters('autoResolve')]\"\n },\n \"autoResolveTime\": {\n \"value\": \"[[parameters('autoResolveTime')]\"\n },\n \"enabled\": {\n \"value\": \"[[parameters('enabled')]\"\n },\n \"threshold\": {\n \"value\": \"[[parameters('threshold')]\"\n },\n \"failingPeriods\": {\n \"value\": \"[[parameters('failingPeriods')]\"\n },\n \"evaluationPeriods\": {\n \"value\": \"[[parameters('evaluationPeriods')]\"\n },\n \"computersToInclude\": {\n \"value\": \"[[parameters('computersToInclude')]\"\n },\n \"MonitorDisableTagName\": {\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\n },\n \"MonitorDisableTagValues\": {\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\n }\n }\n }\n }\n ]\n },\n \"parameters\": {\n \"enabled\": {\n \"value\": \"[[parameters('enabled')]\"\n },\n \"alertResourceGroupName\": {\n \"value\": \"[[parameters('alertResourceGroupName')]\"\n },\n \"alertResourceGroupLocation\": {\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\n },\n \"UAMIResourceId\": {\n \"value\": \"[[parameters('UAMIResourceId')]\"\n }\n }\n }\n }\n ]\n },\n \"parameters\": {\n \"alertResourceGroupName\": {\n \"value\": \"[[parameters('alertResourceGroupName')]\"\n },\n \"alertResourceGroupTags\": {\n \"value\": \"[[parameters('alertResourceGroupTags')]\"\n },\n \"alertResourceGroupLocation\": {\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\n },\n \"UAMIResourceId\": {\n \"value\": \"[[parameters('UAMIResourceId')]\"\n },\n \"severity\": {\n \"value\": \"[[parameters('severity')]\"\n },\n \"windowSize\": {\n \"value\": \"[[parameters('windowSize')]\"\n },\n \"evaluationFrequency\": {\n \"value\": \"[[parameters('evaluationFrequency')]\"\n },\n \"autoMitigate\": {\n \"value\": \"[[parameters('autoMitigate')]\"\n },\n \"autoResolve\": {\n \"value\": \"[[parameters('autoResolve')]\"\n },\n \"autoResolveTime\": {\n \"value\": \"[[parameters('autoResolveTime')]\"\n },\n \"enabled\": {\n \"value\": \"[[parameters('enabled')]\"\n },\n \"threshold\": {\n \"value\": \"[[parameters('threshold')]\"\n },\n \"operator\": {\n \"value\": \"[[parameters('operator')]\"\n },\n \"timeAggregation\": {\n \"value\": \"[[parameters('timeAggregation')]\"\n },\n \"failingPeriods\": {\n \"value\": \"[[parameters('failingPeriods')]\"\n },\n \"evaluationPeriods\": {\n \"value\": \"[[parameters('evaluationPeriods')]\"\n },\n \"computersToInclude\": {\n \"value\": \"[[parameters('computersToInclude')]\"\n },\n \"MonitorDisableTagName\": {\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\n },\n \"MonitorDisableTagValues\": {\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", "$fxv#10": "{\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"name\": \"Deploy_Hybrid_VM_Memory_Alert\",\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy Hybrid VM Memory Alert\",\n \"description\": \"Policy to audit/deploy VM Memory Alert\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Hybrid Compute\",\n \"source\": \"https://github.com/Azure/azure-monitor-baseline-alerts/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ],\n \"_deployed_by_amba\": \"True\"\n },\n \"parameters\": {\n \"alertResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group Name\",\n \"description\": \"Resource group the alert is placed in\"\n },\n \"defaultValue\": \"rg-amba-monitoring-001\"\n },\n \"alertResourceGroupTags\": {\n \"type\": \"Object\",\n \"metadata\": {\n \"displayName\": \"Resource Group Tags\",\n \"description\": \"Tags on the Resource group the alert is placed in\"\n },\n \"defaultValue\": {\n \"Project\": \"amba-monitoring\"\n }\n },\n \"alertResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group Location\",\n \"description\": \"Location of the Resource group the alert is placed in\"\n },\n \"defaultValue\": \"centralus\"\n },\n \"UAMIResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"description\": \"The resource Id of the user assigned managed identity.\",\n \"displayName\": \"User Assigned managed Identity resource Id.\"\n }\n },\n \"severity\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Severity\",\n \"description\": \"Severity of the Alert\"\n },\n \"allowedValues\": [\n \"0\",\n \"1\",\n \"2\",\n \"3\",\n \"4\"\n ],\n \"defaultValue\": \"2\"\n },\n \"operator\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Operator\"\n },\n \"allowedValues\": [\n \"GreaterThan\"\n ],\n \"defaultValue\": \"GreaterThan\"\n },\n \"timeAggregation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"TimeAggregation\"\n },\n \"allowedValues\": [\n \"Count\"\n ],\n \"defaultValue\": \"Count\"\n },\n \"windowSize\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Window Size\",\n \"description\": \"Window size for the alert\"\n },\n \"allowedValues\": [\n \"PT5M\",\n \"PT15M\",\n \"PT30M\",\n \"PT1H\",\n \"PT6H\",\n \"PT12H\",\n \"PT24H\"\n ],\n \"defaultValue\": \"PT15M\"\n },\n \"evaluationFrequency\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Evaluation Frequency\",\n \"description\": \"Evaluation frequency for the alert\"\n },\n \"allowedValues\": [\n \"PT5M\",\n \"PT15M\",\n \"PT30M\",\n \"PT1H\"\n ],\n \"defaultValue\": \"PT5M\"\n },\n \"autoMitigate\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Auto Mitigate\",\n \"description\": \"Auto Mitigate for the alert\"\n },\n \"allowedValues\": [\n \"true\",\n \"false\"\n ],\n \"defaultValue\": \"true\"\n },\n \"autoResolve\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Auto Resolve\",\n \"description\": \"Auto Resolve for the alert\"\n },\n \"allowedValues\": [\n \"true\",\n \"false\"\n ],\n \"defaultValue\": \"true\"\n },\n \"autoResolveTime\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Auto Resolve\",\n \"description\": \"Auto Resolve time for the alert in ISO 8601 format\"\n },\n \"defaultValue\": \"true\"\n },\n \"enabled\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Alert State\",\n \"description\": \"Alert state for the alert\"\n },\n \"allowedValues\": [\n \"true\",\n \"false\"\n ],\n \"defaultValue\": \"true\"\n },\n \"threshold\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Threshold\",\n \"description\": \"Threshold for the alert\"\n },\n \"defaultValue\": \"10\"\n },\n \"failingPeriods\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Failing Periods\",\n \"description\": \"Number of failing periods before alert is fired\"\n },\n \"defaultValue\": \"1\"\n },\n \"evaluationPeriods\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Evaluation Periods\",\n \"description\": \"The number of aggregated lookback points.\"\n },\n \"defaultValue\": \"1\"\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Effect of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n },\n \"MonitorDisableTagName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"ALZ Monitoring disabled tag name\",\n \"description\": \"Tag name to disable monitoring. Set to true if monitoring should be disabled\"\n },\n \"defaultValue\": \"MonitorDisable\"\n },\n \"MonitorDisableTagValues\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"ALZ Monitoring disabled tag values(s)\",\n \"description\": \"Tag value(s) used to disable monitoring at the resource level. Set to true if monitoring should be disabled.\"\n },\n \"defaultValue\": [\n \"true\",\n \"Test\",\n \"Dev\",\n \"Sandbox\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.HybridCompute/machines\"\n },\n {\n \"field\": \"[[concat('tags[', parameters('MonitorDisableTagName'), ']')]\",\n \"notIn\": \"[[parameters('MonitorDisableTagValues')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n ],\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\n \"existenceScope\": \"resourceGroup\",\n \"resourceGroupName\": \"[[parameters('alertResourceGroupName')]\",\n \"deploymentScope\": \"subscription\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/scheduledQueryRules/displayName\",\n \"equals\": \"[[concat(subscription().displayName, '-HybridVMLowMemoryAlert')]\"\n },\n {\n \"field\": \"Microsoft.Insights/scheduledQueryRules/scopes[*]\",\n \"equals\": \"[[subscription().id]\"\n },\n {\n \"field\": \"Microsoft.Insights/scheduledQueryRules/enabled\",\n \"equals\": \"[[parameters('enabled')]\"\n },\n {\n \"field\": \"Microsoft.Insights/scheduledQueryRules/evaluationFrequency\",\n \"equals\": \"[[parameters('evaluationFrequency')]\"\n },\n {\n \"field\": \"Microsoft.Insights/scheduledQueryRules/windowSize\",\n \"equals\": \"[[parameters('windowSize')]\"\n },\n {\n \"field\": \"Microsoft.Insights/scheduledQueryRules/severity\",\n \"equals\": \"[[parameters('severity')]\"\n },\n {\n \"field\": \"Microsoft.Insights/scheduledQueryRules/autoMitigate\",\n \"equals\": \"[[parameters('autoMitigate')]\"\n },\n {\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].operator\",\n \"equals\": \"[[parameters('operator')]\"\n },\n {\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].timeAggregation\",\n \"equals\": \"[[parameters('timeAggregation')]\"\n },\n {\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.numberOfEvaluationPeriods\",\n \"equals\": \"[[parameters('evaluationPeriods')]\"\n },\n {\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.minFailingPeriodsToAlert\",\n \"equals\": \"[[parameters('failingPeriods')]\"\n },\n {\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].query\",\n \"equals\": \"[[format('let policyThresholdString = \\\"{2}\\\"; let excludedResources = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.HybridCompute/machines\\\" | project _ResourceId = id, tags | where parse_json(tostring(tags.{0})) in~ (\\\"{1}\\\")); let overridenResource = (arg(\\\"\\\").resources | where type == \\\"microsoft.hybridcompute/machines\\\" | project _ResourceId = tolower(id), tags | where tags contains \\\"_amba-AvailableMemoryPercentage-threshold-override_\\\"); InsightsMetrics | where _ResourceId has \\\"Microsoft.HybridCompute/machines\\\" | where _ResourceId !in~ (excludedResources) | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"Memory\\\" and Name == \\\"AvailableMB\\\" | extend TotalMemory = toreal(todynamic(Tags)[\\\"vm.azm.ms/memorySizeMB\\\"]) | extend AvailableMemoryPercentage = (toreal(Val) / TotalMemory) * 100.0 | summarize AggregatedValue = avg(AvailableMemoryPercentage) by bin(TimeGenerated, 15m), Computer, _ResourceId | join hint.remote=left kind=leftouter overridenResource on _ResourceId | project-away _ResourceId1 | extend appliedThresholdString = iif(tags contains \\\"_amba-AvailableMemoryPercentage-threshold-override_\\\", tostring(tags.[\\\"_amba-AvailableMemoryPercentage-threshold-override_\\\"]), policyThresholdString) | extend appliedThreshold = toint(appliedThresholdString) | where AggregatedValue < appliedThreshold | project TimeGenerated, Computer, _ResourceId, AggregatedValue', parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), parameters('threshold'))]\"\n },\n {\n \"field\": \"identity.userAssignedIdentities\",\n \"containsKey\": \"[[parameters('UAMIResourceId')]\"\n }\n ]\n },\n \"deployment\": {\n \"location\": \"northeurope\",\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"alertResourceGroupName\": {\n \"type\": \"string\"\n },\n \"alertResourceGroupTags\": {\n \"type\": \"object\"\n },\n \"alertResourceGroupLocation\": {\n \"type\": \"string\"\n },\n \"UAMIResourceId\": {\n \"type\": \"string\"\n },\n \"severity\": {\n \"type\": \"String\"\n },\n \"windowSize\": {\n \"type\": \"String\"\n },\n \"evaluationFrequency\": {\n \"type\": \"String\"\n },\n \"autoMitigate\": {\n \"type\": \"String\"\n },\n \"autoResolve\": {\n \"type\": \"String\"\n },\n \"autoResolveTime\": {\n \"type\": \"String\"\n },\n \"enabled\": {\n \"type\": \"String\"\n },\n \"threshold\": {\n \"type\": \"String\"\n },\n \"operator\": {\n \"type\": \"String\"\n },\n \"timeAggregation\": {\n \"type\": \"String\"\n },\n \"failingPeriods\": {\n \"type\": \"String\"\n },\n \"evaluationPeriods\": {\n \"type\": \"String\"\n },\n \"MonitorDisableTagName\": {\n \"type\": \"String\"\n },\n \"MonitorDisableTagValues\": {\n \"type\": \"Array\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Resources/resourceGroups\",\n \"apiVersion\": \"2021-04-01\",\n \"name\": \"[[parameters('alertResourceGroupName')]\",\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\n \"tags\": \"[[parameters('alertResourceGroupTags')]\"\n },\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"apiVersion\": \"2019-10-01\",\n \"name\": \"HybridVMMemoryAlert\",\n \"resourceGroup\": \"[[parameters('alertResourceGroupName')]\",\n \"dependsOn\": [\n \"[[concat('Microsoft.Resources/resourceGroups/', parameters('alertResourceGroupName'))]\"\n ],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"enabled\": {\n \"type\": \"string\"\n },\n \"alertResourceGroupName\": {\n \"type\": \"string\"\n },\n \"alertResourceGroupLocation\": {\n \"type\": \"string\"\n },\n \"UAMIResourceId\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\n \"apiVersion\": \"2022-08-01-preview\",\n \"name\": \"[[concat(subscription().displayName, '-HybridVMLowMemoryAlert')]\",\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\n \"identity\": {\n \"type\": \"UserAssigned\",\n \"userAssignedIdentities\": {\n \"[[parameters('UAMIResourceId')]\": {}\n }\n },\n \"tags\": {\n \"_deployed_by_amba\": true\n },\n \"properties\": {\n \"displayName\": \"[[concat(subscription().displayName, '-HybridVMLowMemoryAlert')]\",\n \"description\": \"Log Alert for Virtual Machine Memory\",\n \"severity\": \"[[parameters('severity')]\",\n \"enabled\": \"[[parameters('enabled')]\",\n \"scopes\": [\n \"[[subscription().Id]\"\n ],\n \"targetResourceTypes\": [\n \"Microsoft.HybridCompute/machines\"\n ],\n \"evaluationFrequency\": \"[[parameters('evaluationFrequency')]\",\n \"windowSize\": \"[[parameters('windowSize')]\",\n \"criteria\": {\n \"allOf\": [\n {\n \"query\": \"[[format('let policyThresholdString = \\\"{2}\\\"; let excludedResources = (arg(\\\"\\\").resources | where type =~ \\\"Microsoft.HybridCompute/machines\\\" | project _ResourceId = id, tags | where parse_json(tostring(tags.{0})) in~ (\\\"{1}\\\")); let overridenResource = (arg(\\\"\\\").resources | where type == \\\"microsoft.hybridcompute/machines\\\" | project _ResourceId = tolower(id), tags | where tags contains \\\"_amba-AvailableMemoryPercentage-threshold-override_\\\"); InsightsMetrics | where _ResourceId has \\\"Microsoft.HybridCompute/machines\\\" | where _ResourceId !in~ (excludedResources) | where Origin == \\\"vm.azm.ms\\\" | where Namespace == \\\"Memory\\\" and Name == \\\"AvailableMB\\\" | extend TotalMemory = toreal(todynamic(Tags)[\\\"vm.azm.ms/memorySizeMB\\\"]) | extend AvailableMemoryPercentage = (toreal(Val) / TotalMemory) * 100.0 | summarize AggregatedValue = avg(AvailableMemoryPercentage) by bin(TimeGenerated, 15m), Computer, _ResourceId | join hint.remote=left kind=leftouter overridenResource on _ResourceId | project-away _ResourceId1 | extend appliedThresholdString = iif(tags contains \\\"_amba-AvailableMemoryPercentage-threshold-override_\\\", tostring(tags.[\\\"_amba-AvailableMemoryPercentage-threshold-override_\\\"]), policyThresholdString) | extend appliedThreshold = toint(appliedThresholdString) | where AggregatedValue < appliedThreshold | project TimeGenerated, Computer, _ResourceId, AggregatedValue', parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), parameters('threshold'))]\",\n \"threshold\": 0,\n \"operator\": \"[[parameters('operator')]\",\n \"resourceIdColumn\": \"_ResourceId\",\n \"timeAggregation\": \"[[parameters('timeAggregation')]\",\n \"dimensions\": [\n {\n \"name\": \"Computer\",\n \"operator\": \"Include\",\n \"values\": [\n \"*\"\n ]\n }\n ],\n \"failingPeriods\": {\n \"numberOfEvaluationPeriods\": \"[[parameters('evaluationPeriods')]\",\n \"minFailingPeriodsToAlert\": \"[[parameters('failingPeriods')]\"\n }\n }\n ]\n },\n \"autoMitigate\": \"[[parameters('autoMitigate')]\",\n \"ruleResolveConfiguration\": {\n \"autoResolved\": \"[[parameters('autoResolve')]\",\n \"timeToResolve\": \"[[parameters('autoResolveTime')]\"\n },\n \"parameters\": {\n \"alertResourceGroupName\": {\n \"value\": \"[[parameters('alertResourceGroupName')]\"\n },\n \"alertResourceGroupLocation\": {\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\n },\n \"UAMIResourceId\": {\n \"value\": \"[[parameters('UAMIResourceId')]\"\n },\n \"severity\": {\n \"value\": \"[[parameters('severity')]\"\n },\n \"windowSize\": {\n \"value\": \"[[parameters('windowSize')]\"\n },\n \"evaluationFrequency\": {\n \"value\": \"[[parameters('evaluationFrequency')]\"\n },\n \"autoMitigate\": {\n \"value\": \"[[parameters('autoMitigate')]\"\n },\n \"autoResolve\": {\n \"value\": \"[[parameters('autoResolve')]\"\n },\n \"autoResolveTime\": {\n \"value\": \"[[parameters('autoResolveTime')]\"\n },\n \"enabled\": {\n \"value\": \"[[parameters('enabled')]\"\n },\n \"threshold\": {\n \"value\": \"[[parameters('threshold')]\"\n },\n \"failingPeriods\": {\n \"value\": \"[[parameters('failingPeriods')]\"\n },\n \"evaluationPeriods\": {\n \"value\": \"[[parameters('evaluationPeriods')]\"\n },\n \"MonitorDisableTagName\": {\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\n },\n \"MonitorDisableTagValues\": {\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\n }\n }\n }\n }\n ]\n },\n \"parameters\": {\n \"enabled\": {\n \"value\": \"[[parameters('enabled')]\"\n },\n \"alertResourceGroupName\": {\n \"value\": \"[[parameters('alertResourceGroupName')]\"\n },\n \"alertResourceGroupLocation\": {\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\n },\n \"UAMIResourceId\": {\n \"value\": \"[[parameters('UAMIResourceId')]\"\n }\n }\n }\n }\n ]\n },\n \"parameters\": {\n \"alertResourceGroupName\": {\n \"value\": \"[[parameters('alertResourceGroupName')]\"\n },\n \"alertResourceGroupTags\": {\n \"value\": \"[[parameters('alertResourceGroupTags')]\"\n },\n \"alertResourceGroupLocation\": {\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\n },\n \"UAMIResourceId\": {\n \"value\": \"[[parameters('UAMIResourceId')]\"\n },\n \"severity\": {\n \"value\": \"[[parameters('severity')]\"\n },\n \"windowSize\": {\n \"value\": \"[[parameters('windowSize')]\"\n },\n \"evaluationFrequency\": {\n \"value\": \"[[parameters('evaluationFrequency')]\"\n },\n \"autoMitigate\": {\n \"value\": \"[[parameters('autoMitigate')]\"\n },\n \"autoResolve\": {\n \"value\": \"[[parameters('autoResolve')]\"\n },\n \"autoResolveTime\": {\n \"value\": \"[[parameters('autoResolveTime')]\"\n },\n \"enabled\": {\n \"value\": \"[[parameters('enabled')]\"\n },\n \"threshold\": {\n \"value\": \"[[parameters('threshold')]\"\n },\n \"operator\": {\n \"value\": \"[[parameters('operator')]\"\n },\n \"timeAggregation\": {\n \"value\": \"[[parameters('timeAggregation')]\"\n },\n \"failingPeriods\": {\n \"value\": \"[[parameters('failingPeriods')]\"\n },\n \"evaluationPeriods\": {\n \"value\": \"[[parameters('evaluationPeriods')]\"\n },\n \"MonitorDisableTagName\": {\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\n },\n \"MonitorDisableTagValues\": {\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", - "$fxv#11": "{\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"name\": \"Deploy_Hybrid_VM_Disconnected_Alert\",\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy Hybrid VM Disconnected Alert\",\n \"description\": \"Policy to Deploy Hybrid VM Disconnected Alert\",\n \"metadata\": {\n \"version\": \"1.2.0\",\n \"category\": \"Hybrid Compute\",\n \"source\": \"https://github.com/Azure/azure-monitor-baseline-alerts/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ],\n \"_deployed_by_amba\": \"True\"\n },\n \"parameters\": {\n \"alertResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group Name\",\n \"description\": \"Resource group the alert is placed in\"\n },\n \"defaultValue\": \"rg-amba-monitoring-001\"\n },\n \"alertResourceGroupTags\": {\n \"type\": \"Object\",\n \"metadata\": {\n \"displayName\": \"Resource Group Tags\",\n \"description\": \"Tags on the Resource group the alert is placed in\"\n },\n \"defaultValue\": {\n \"Project\": \"amba-monitoring\"\n }\n },\n \"alertResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group Location\",\n \"description\": \"Location of the Resource group the alert is placed in\"\n },\n \"defaultValue\": \"centralus\"\n },\n \"UAMIResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"description\": \"The resource Id of the user assigned managed identity.\",\n \"displayName\": \"User Assigned managed Identity resource Id.\"\n }\n },\n \"severity\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Severity\",\n \"description\": \"Severity of the Alert\"\n },\n \"allowedValues\": [\n \"0\",\n \"1\",\n \"2\",\n \"3\",\n \"4\"\n ],\n \"defaultValue\": \"1\"\n },\n \"operator\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Operator\"\n },\n \"allowedValues\": [\n \"GreaterThan\"\n ],\n \"defaultValue\": \"GreaterThan\"\n },\n \"timeAggregation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"TimeAggregation\"\n },\n \"allowedValues\": [\n \"Count\"\n ],\n \"defaultValue\": \"Count\"\n },\n \"windowSize\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Window Size\",\n \"description\": \"Window size for the alert\"\n },\n \"allowedValues\": [\n \"PT12H\",\n \"P1D\"\n ],\n \"defaultValue\": \"P1D\"\n },\n \"evaluationFrequency\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Evaluation Frequency\",\n \"description\": \"Evaluation frequency for the alert\"\n },\n \"allowedValues\": [\n \"PT5M\",\n \"PT10M\",\n \"PT15M\",\n \"PT30M\",\n \"PT1H\",\n \"PT2H\",\n \"PT6H\",\n \"PT12H\",\n \"P1D\"\n ],\n \"defaultValue\": \"PT10M\"\n },\n \"autoMitigate\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Auto Mitigate\",\n \"description\": \"Auto Mitigate for the alert\"\n },\n \"allowedValues\": [\n \"true\",\n \"false\"\n ],\n \"defaultValue\": \"true\"\n },\n \"enabled\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Alert State\",\n \"description\": \"Alert state for the alert\"\n },\n \"allowedValues\": [\n \"true\",\n \"false\"\n ],\n \"defaultValue\": \"true\"\n },\n \"threshold\": {\n \"type\": \"String\",\n \"defaultValue\": \"10m\",\n \"allowedValues\": [\n \"5m\",\n \"10m\",\n \"15m\",\n \"30m\",\n \"1h\",\n \"2h\",\n \"3h\",\n \"6h\",\n \"12h\",\n \"1d\",\n \"2d\",\n \"3d\",\n \"7d\"\n ],\n \"metadata\": {\n \"displayName\": \"Hybrid VM Disconnected Threshold (expressed in timespan)\",\n \"description\": \"Threshold in timespan value for the Hybrid VM Disconnected alert\"\n }\n },\n \"failingPeriods\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Failing Periods\",\n \"description\": \"Number of failing periods before alert is fired\"\n },\n \"defaultValue\": \"1\"\n },\n \"evaluationPeriods\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Evaluation Periods\",\n \"description\": \"The number of aggregated lookback points.\"\n },\n \"defaultValue\": \"1\"\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Effect of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n },\n \"MonitorDisableTagName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"ALZ Monitoring disabled tag name\",\n \"description\": \"Tag name to disable monitoring. Set to true if monitoring should be disabled\"\n },\n \"defaultValue\": \"MonitorDisable\"\n },\n \"MonitorDisableTagValues\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"ALZ Monitoring disabled tag values(s)\",\n \"description\": \"Tag value(s) used to disable monitoring at the resource level. Set to true if monitoring should be disabled.\"\n },\n \"defaultValue\": [\n \"true\",\n \"Test\",\n \"Dev\",\n \"Sandbox\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.HybridCompute/machines\"\n },\n {\n \"field\": \"[[concat('tags[', parameters('MonitorDisableTagName'), ']')]\",\n \"notIn\": \"[[parameters('MonitorDisableTagValues')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n ],\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\n \"existenceScope\": \"resourceGroup\",\n \"resourceGroupName\": \"[[parameters('alertResourceGroupName')]\",\n \"deploymentScope\": \"subscription\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/scheduledQueryRules/displayName\",\n \"equals\": \"[[concat(subscription().displayName, '-HybridVMDisconnectedAlert')]\"\n },\n {\n \"field\": \"Microsoft.Insights/scheduledQueryRules/scopes[*]\",\n \"equals\": \"[[subscription().id]\"\n },\n {\n \"field\": \"Microsoft.Insights/scheduledQueryRules/enabled\",\n \"equals\": \"[[parameters('enabled')]\"\n },\n {\n \"field\": \"Microsoft.Insights/scheduledQueryRules/evaluationFrequency\",\n \"equals\": \"[[parameters('evaluationFrequency')]\"\n },\n {\n \"field\": \"Microsoft.Insights/scheduledQueryRules/windowSize\",\n \"equals\": \"[[parameters('windowSize')]\"\n },\n {\n \"field\": \"Microsoft.Insights/scheduledQueryRules/severity\",\n \"equals\": \"[[parameters('severity')]\"\n },\n {\n \"field\": \"Microsoft.Insights/scheduledQueryRules/autoMitigate\",\n \"equals\": \"[[parameters('autoMitigate')]\"\n },\n {\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].operator\",\n \"equals\": \"[[parameters('operator')]\"\n },\n {\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].timeAggregation\",\n \"equals\": \"[[parameters('timeAggregation')]\"\n },\n {\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.numberOfEvaluationPeriods\",\n \"equals\": \"[[parameters('evaluationPeriods')]\"\n },\n {\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.minFailingPeriodsToAlert\",\n \"equals\": \"[[parameters('failingPeriods')]\"\n },\n {\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].query\",\n \"equals\": \"[[format('let policyThresholdString = \\\"{2}\\\"; arg(\\\"\\\").resources | where type == \\\"microsoft.hybridcompute/machines\\\" | where parse_json(tostring(tags.{0})) !in~ (\\\"{1}\\\") | where tostring(properties.status) == \\\"Disconnected\\\" | extend appliedThresholdString = iif(tags contains \\\"_amba-Disconnected-threshold-override_\\\", tostring(tags.[\\\"_amba-Disconnected-threshold-override_\\\"]), policyThresholdString) | extend appliedThreshold = totimespan(appliedThresholdString) | extend lastContactedDate = todatetime(properties.lastStatusChange) | where lastContactedDate >= ago(appliedThreshold) | extend status = tostring(properties.status) | project id, Computer=name, status, lastContactedDate', parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), parameters('threshold'))]\"\n },\n {\n \"field\": \"identity.userAssignedIdentities\",\n \"containsKey\": \"[[parameters('UAMIResourceId')]\"\n }\n ]\n },\n \"deployment\": {\n \"location\": \"northeurope\",\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"alertResourceGroupName\": {\n \"type\": \"string\"\n },\n \"alertResourceGroupTags\": {\n \"type\": \"object\"\n },\n \"alertResourceGroupLocation\": {\n \"type\": \"string\"\n },\n \"UAMIResourceId\": {\n \"type\": \"string\"\n },\n \"severity\": {\n \"type\": \"String\"\n },\n \"windowSize\": {\n \"type\": \"String\"\n },\n \"evaluationFrequency\": {\n \"type\": \"String\"\n },\n \"autoMitigate\": {\n \"type\": \"String\"\n },\n \"enabled\": {\n \"type\": \"String\"\n },\n \"threshold\": {\n \"type\": \"String\"\n },\n \"operator\": {\n \"type\": \"String\"\n },\n \"timeAggregation\": {\n \"type\": \"String\"\n },\n \"failingPeriods\": {\n \"type\": \"String\"\n },\n \"evaluationPeriods\": {\n \"type\": \"String\"\n },\n \"MonitorDisableTagName\": {\n \"type\": \"String\"\n },\n \"MonitorDisableTagValues\": {\n \"type\": \"Array\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Resources/resourceGroups\",\n \"apiVersion\": \"2021-04-01\",\n \"name\": \"[[parameters('alertResourceGroupName')]\",\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\n \"tags\": \"[[parameters('alertResourceGroupTags')]\"\n },\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"apiVersion\": \"2019-10-01\",\n \"name\": \"HybridVMDisconnectedAlert\",\n \"resourceGroup\": \"[[parameters('alertResourceGroupName')]\",\n \"dependsOn\": [\n \"[[concat('Microsoft.Resources/resourceGroups/', parameters('alertResourceGroupName'))]\"\n ],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"enabled\": {\n \"type\": \"string\"\n },\n \"alertResourceGroupName\": {\n \"type\": \"string\"\n },\n \"alertResourceGroupLocation\": {\n \"type\": \"string\"\n },\n \"UAMIResourceId\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\n \"apiVersion\": \"2022-08-01-preview\",\n \"name\": \"[[concat(subscription().displayName, '-HybridVMDisconnectedAlert')]\",\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\n \"identity\": {\n \"type\": \"UserAssigned\",\n \"userAssignedIdentities\": {\n \"[[parameters('UAMIResourceId')]\": {}\n }\n },\n \"tags\": {\n \"_deployed_by_amba\": true\n },\n \"properties\": {\n \"displayName\": \"[[concat(subscription().displayName, '-HybridVMDisconnectedAlert')]\",\n \"description\": \"Hybrid VM in disconnected state. Not being connected, prevents extensions to be correctly managed from the portal and Azure policies to be correctly applied. Ensure that both server the specific service (Azure Hybrid Instance Metadata Service on Windows or azcmagent on Linux) are running.\",\n \"severity\": \"[[parameters('severity')]\",\n \"enabled\": \"[[parameters('enabled')]\",\n \"scopes\": [\n \"[[subscription().Id]\"\n ],\n \"targetResourceTypes\": [\n \"Microsoft.HybridCompute/machines\"\n ],\n \"evaluationFrequency\": \"[[parameters('evaluationFrequency')]\",\n \"windowSize\": \"[[parameters('windowSize')]\",\n \"criteria\": {\n \"allOf\": [\n {\n \"query\": \"[[format('let policyThresholdString = \\\"{2}\\\"; arg(\\\"\\\").resources | where type == \\\"microsoft.hybridcompute/machines\\\" | where parse_json(tostring(tags.{0})) !in~ (\\\"{1}\\\") | where tostring(properties.status) == \\\"Disconnected\\\" | extend lastContactedDate = todatetime(properties.lastStatusChange) | where lastContactedDate <= ago(totimespan(policyThresholdString)) | extend status = tostring(properties.status) | project id, Computer=name, status, lastContactedDate', parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), parameters('threshold'))]\",\n \"resourceIdColumn\": \"id\",\n \"threshold\": 0,\n \"operator\": \"[[parameters('operator')]\",\n \"timeAggregation\": \"[[parameters('timeAggregation')]\",\n \"dimensions\": [\n {\n \"name\": \"Computer\",\n \"operator\": \"Include\",\n \"values\": [\n \"*\"\n ]\n }\n ],\n \"failingPeriods\": {\n \"numberOfEvaluationPeriods\": \"[[parameters('evaluationPeriods')]\",\n \"minFailingPeriodsToAlert\": \"[[parameters('failingPeriods')]\"\n }\n }\n ]\n },\n \"autoMitigate\": \"false\",\n \"parameters\": {\n \"alertResourceGroupName\": {\n \"value\": \"[[parameters('alertResourceGroupName')]\"\n },\n \"alertResourceGroupLocation\": {\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\n },\n \"UAMIResourceId\": {\n \"value\": \"[[parameters('UAMIResourceId')]\"\n },\n \"severity\": {\n \"value\": \"[[parameters('severity')]\"\n },\n \"windowSize\": {\n \"value\": \"[[parameters('windowSize')]\"\n },\n \"evaluationFrequency\": {\n \"value\": \"[[parameters('evaluationFrequency')]\"\n },\n \"autoMitigate\": {\n \"value\": \"[[parameters('autoMitigate')]\"\n },\n \"enabled\": {\n \"value\": \"[[parameters('enabled')]\"\n },\n \"threshold\": {\n \"value\": \"[[parameters('threshold')]\"\n },\n \"failingPeriods\": {\n \"value\": \"[[parameters('failingPeriods')]\"\n },\n \"evaluationPeriods\": {\n \"value\": \"[[parameters('evaluationPeriods')]\"\n },\n \"MonitorDisableTagName\": {\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\n },\n \"MonitorDisableTagValues\": {\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\n }\n }\n }\n }\n ]\n },\n \"parameters\": {\n \"enabled\": {\n \"value\": \"[[parameters('enabled')]\"\n },\n \"alertResourceGroupName\": {\n \"value\": \"[[parameters('alertResourceGroupName')]\"\n },\n \"alertResourceGroupLocation\": {\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\n },\n \"UAMIResourceId\": {\n \"value\": \"[[parameters('UAMIResourceId')]\"\n }\n }\n }\n }\n ]\n },\n \"parameters\": {\n \"alertResourceGroupName\": {\n \"value\": \"[[parameters('alertResourceGroupName')]\"\n },\n \"alertResourceGroupTags\": {\n \"value\": \"[[parameters('alertResourceGroupTags')]\"\n },\n \"alertResourceGroupLocation\": {\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\n },\n \"UAMIResourceId\": {\n \"value\": \"[[parameters('UAMIResourceId')]\"\n },\n \"severity\": {\n \"value\": \"[[parameters('severity')]\"\n },\n \"windowSize\": {\n \"value\": \"[[parameters('windowSize')]\"\n },\n \"evaluationFrequency\": {\n \"value\": \"[[parameters('evaluationFrequency')]\"\n },\n \"autoMitigate\": {\n \"value\": \"[[parameters('autoMitigate')]\"\n },\n \"enabled\": {\n \"value\": \"[[parameters('enabled')]\"\n },\n \"threshold\": {\n \"value\": \"[[parameters('threshold')]\"\n },\n \"operator\": {\n \"value\": \"[[parameters('operator')]\"\n },\n \"timeAggregation\": {\n \"value\": \"[[parameters('timeAggregation')]\"\n },\n \"failingPeriods\": {\n \"value\": \"[[parameters('failingPeriods')]\"\n },\n \"evaluationPeriods\": {\n \"value\": \"[[parameters('evaluationPeriods')]\"\n },\n \"MonitorDisableTagName\": {\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\n },\n \"MonitorDisableTagValues\": {\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", + "$fxv#11": "{\n \"type\": \"Microsoft.Authorization/policyDefinitions\",\n \"apiVersion\": \"2021-06-01\",\n \"name\": \"Deploy_Hybrid_VM_Disconnected_Alert\",\n \"properties\": {\n \"policyType\": \"Custom\",\n \"mode\": \"All\",\n \"displayName\": \"Deploy Hybrid VM Disconnected Alert\",\n \"description\": \"Policy to Deploy Hybrid VM Disconnected Alert\",\n \"metadata\": {\n \"version\": \"1.3.0\",\n \"category\": \"Hybrid Compute\",\n \"source\": \"https://github.com/Azure/azure-monitor-baseline-alerts/\",\n \"alzCloudEnvironments\": [\n \"AzureCloud\"\n ],\n \"_deployed_by_amba\": \"True\"\n },\n \"parameters\": {\n \"alertResourceGroupName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group Name\",\n \"description\": \"Resource group the alert is placed in\"\n },\n \"defaultValue\": \"rg-amba-monitoring-001\"\n },\n \"alertResourceGroupTags\": {\n \"type\": \"Object\",\n \"metadata\": {\n \"displayName\": \"Resource Group Tags\",\n \"description\": \"Tags on the Resource group the alert is placed in\"\n },\n \"defaultValue\": {\n \"Project\": \"amba-monitoring\"\n }\n },\n \"alertResourceGroupLocation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Resource Group Location\",\n \"description\": \"Location of the Resource group the alert is placed in\"\n },\n \"defaultValue\": \"centralus\"\n },\n \"UAMIResourceId\": {\n \"type\": \"string\",\n \"defaultValue\": \"\",\n \"metadata\": {\n \"description\": \"The resource Id of the user assigned managed identity.\",\n \"displayName\": \"User Assigned managed Identity resource Id.\"\n }\n },\n \"severity\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Severity\",\n \"description\": \"Severity of the Alert\"\n },\n \"allowedValues\": [\n \"0\",\n \"1\",\n \"2\",\n \"3\",\n \"4\"\n ],\n \"defaultValue\": \"1\"\n },\n \"operator\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Operator\"\n },\n \"allowedValues\": [\n \"GreaterThan\"\n ],\n \"defaultValue\": \"GreaterThan\"\n },\n \"timeAggregation\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"TimeAggregation\"\n },\n \"allowedValues\": [\n \"Count\"\n ],\n \"defaultValue\": \"Count\"\n },\n \"windowSize\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Window Size\",\n \"description\": \"Window size for the alert\"\n },\n \"allowedValues\": [\n \"PT12H\",\n \"P1D\"\n ],\n \"defaultValue\": \"P1D\"\n },\n \"evaluationFrequency\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Evaluation Frequency\",\n \"description\": \"Evaluation frequency for the alert\"\n },\n \"allowedValues\": [\n \"PT5M\",\n \"PT10M\",\n \"PT15M\",\n \"PT30M\",\n \"PT1H\",\n \"PT2H\",\n \"PT6H\",\n \"PT12H\",\n \"P1D\"\n ],\n \"defaultValue\": \"PT10M\"\n },\n \"autoMitigate\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Auto Mitigate\",\n \"description\": \"Auto Mitigate for the alert\"\n },\n \"allowedValues\": [\n \"true\",\n \"false\"\n ],\n \"defaultValue\": \"true\"\n },\n \"enabled\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Alert State\",\n \"description\": \"Alert state for the alert\"\n },\n \"allowedValues\": [\n \"true\",\n \"false\"\n ],\n \"defaultValue\": \"true\"\n },\n \"threshold\": {\n \"type\": \"String\",\n \"defaultValue\": \"10m\",\n \"allowedValues\": [\n \"5m\",\n \"10m\",\n \"15m\",\n \"30m\",\n \"1h\",\n \"2h\",\n \"3h\",\n \"6h\",\n \"12h\",\n \"1d\",\n \"2d\",\n \"3d\",\n \"7d\"\n ],\n \"metadata\": {\n \"displayName\": \"Hybrid VM Disconnected Threshold (expressed in timespan)\",\n \"description\": \"Threshold in timespan value for the Hybrid VM Disconnected alert\"\n }\n },\n \"failingPeriods\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Failing Periods\",\n \"description\": \"Number of failing periods before alert is fired\"\n },\n \"defaultValue\": \"1\"\n },\n \"evaluationPeriods\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Evaluation Periods\",\n \"description\": \"The number of aggregated lookback points.\"\n },\n \"defaultValue\": \"1\"\n },\n \"effect\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"Effect\",\n \"description\": \"Effect of the policy\"\n },\n \"allowedValues\": [\n \"deployIfNotExists\",\n \"disabled\"\n ],\n \"defaultValue\": \"deployIfNotExists\"\n },\n \"MonitorDisableTagName\": {\n \"type\": \"String\",\n \"metadata\": {\n \"displayName\": \"ALZ Monitoring disabled tag name\",\n \"description\": \"Tag name to disable monitoring. Set to true if monitoring should be disabled\"\n },\n \"defaultValue\": \"MonitorDisable\"\n },\n \"MonitorDisableTagValues\": {\n \"type\": \"Array\",\n \"metadata\": {\n \"displayName\": \"ALZ Monitoring disabled tag values(s)\",\n \"description\": \"Tag value(s) used to disable monitoring at the resource level. Set to true if monitoring should be disabled.\"\n },\n \"defaultValue\": [\n \"true\",\n \"Test\",\n \"Dev\",\n \"Sandbox\"\n ]\n }\n },\n \"policyRule\": {\n \"if\": {\n \"allOf\": [\n {\n \"field\": \"type\",\n \"equals\": \"Microsoft.HybridCompute/machines\"\n },\n {\n \"field\": \"[[concat('tags[', parameters('MonitorDisableTagName'), ']')]\",\n \"notIn\": \"[[parameters('MonitorDisableTagValues')]\"\n }\n ]\n },\n \"then\": {\n \"effect\": \"[[parameters('effect')]\",\n \"details\": {\n \"roleDefinitionIds\": [\n \"/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c\"\n ],\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\n \"existenceScope\": \"resourceGroup\",\n \"resourceGroupName\": \"[[parameters('alertResourceGroupName')]\",\n \"deploymentScope\": \"subscription\",\n \"existenceCondition\": {\n \"allOf\": [\n {\n \"field\": \"Microsoft.Insights/scheduledQueryRules/displayName\",\n \"equals\": \"[[concat(subscription().displayName, '-HybridVMDisconnectedAlert')]\"\n },\n {\n \"field\": \"Microsoft.Insights/scheduledQueryRules/scopes[*]\",\n \"equals\": \"[[subscription().id]\"\n },\n {\n \"field\": \"Microsoft.Insights/scheduledQueryRules/enabled\",\n \"equals\": \"[[parameters('enabled')]\"\n },\n {\n \"field\": \"Microsoft.Insights/scheduledQueryRules/evaluationFrequency\",\n \"equals\": \"[[parameters('evaluationFrequency')]\"\n },\n {\n \"field\": \"Microsoft.Insights/scheduledQueryRules/windowSize\",\n \"equals\": \"[[parameters('windowSize')]\"\n },\n {\n \"field\": \"Microsoft.Insights/scheduledQueryRules/severity\",\n \"equals\": \"[[parameters('severity')]\"\n },\n {\n \"field\": \"Microsoft.Insights/scheduledQueryRules/autoMitigate\",\n \"equals\": \"[[parameters('autoMitigate')]\"\n },\n {\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].operator\",\n \"equals\": \"[[parameters('operator')]\"\n },\n {\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].timeAggregation\",\n \"equals\": \"[[parameters('timeAggregation')]\"\n },\n {\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.numberOfEvaluationPeriods\",\n \"equals\": \"[[parameters('evaluationPeriods')]\"\n },\n {\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].failingPeriods.minFailingPeriodsToAlert\",\n \"equals\": \"[[parameters('failingPeriods')]\"\n },\n {\n \"field\": \"Microsoft.Insights/scheduledQueryRules/criteria.allOf[*].query\",\n \"equals\": \"[[format('let policyThresholdString = \\\"{2}\\\"; arg(\\\"\\\").resources | where type == \\\"microsoft.hybridcompute/machines\\\" | where parse_json(tostring(tags.{0})) !in~ (\\\"{1}\\\") | where tostring(properties.status) == \\\"Disconnected\\\" | extend appliedThresholdString = iif(tags contains \\\"_amba-Disconnected-threshold-override_\\\", tostring(tags.[\\\"_amba-Disconnected-threshold-override_\\\"]), policyThresholdString) | extend appliedThreshold = totimespan(appliedThresholdString) | extend lastContactedDate = todatetime(properties.lastStatusChange) | where lastContactedDate >= ago(appliedThreshold) | extend status = tostring(properties.status) | project id, Computer=name, status, lastContactedDate', parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), parameters('threshold'))]\"\n },\n {\n \"field\": \"identity.userAssignedIdentities\",\n \"containsKey\": \"[[parameters('UAMIResourceId')]\"\n }\n ]\n },\n \"deployment\": {\n \"location\": \"northeurope\",\n \"properties\": {\n \"mode\": \"incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"alertResourceGroupName\": {\n \"type\": \"string\"\n },\n \"alertResourceGroupTags\": {\n \"type\": \"object\"\n },\n \"alertResourceGroupLocation\": {\n \"type\": \"string\"\n },\n \"UAMIResourceId\": {\n \"type\": \"string\"\n },\n \"severity\": {\n \"type\": \"String\"\n },\n \"windowSize\": {\n \"type\": \"String\"\n },\n \"evaluationFrequency\": {\n \"type\": \"String\"\n },\n \"autoMitigate\": {\n \"type\": \"String\"\n },\n \"enabled\": {\n \"type\": \"String\"\n },\n \"threshold\": {\n \"type\": \"String\"\n },\n \"operator\": {\n \"type\": \"String\"\n },\n \"timeAggregation\": {\n \"type\": \"String\"\n },\n \"failingPeriods\": {\n \"type\": \"String\"\n },\n \"evaluationPeriods\": {\n \"type\": \"String\"\n },\n \"MonitorDisableTagName\": {\n \"type\": \"String\"\n },\n \"MonitorDisableTagValues\": {\n \"type\": \"Array\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Resources/resourceGroups\",\n \"apiVersion\": \"2021-04-01\",\n \"name\": \"[[parameters('alertResourceGroupName')]\",\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\n \"tags\": \"[[parameters('alertResourceGroupTags')]\"\n },\n {\n \"type\": \"Microsoft.Resources/deployments\",\n \"apiVersion\": \"2019-10-01\",\n \"name\": \"HybridVMDisconnectedAlert\",\n \"resourceGroup\": \"[[parameters('alertResourceGroupName')]\",\n \"dependsOn\": [\n \"[[concat('Microsoft.Resources/resourceGroups/', parameters('alertResourceGroupName'))]\"\n ],\n \"properties\": {\n \"mode\": \"Incremental\",\n \"template\": {\n \"$schema\": \"https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#\",\n \"contentVersion\": \"1.0.0.0\",\n \"parameters\": {\n \"enabled\": {\n \"type\": \"string\"\n },\n \"alertResourceGroupName\": {\n \"type\": \"string\"\n },\n \"alertResourceGroupLocation\": {\n \"type\": \"string\"\n },\n \"UAMIResourceId\": {\n \"type\": \"string\"\n }\n },\n \"variables\": {},\n \"resources\": [\n {\n \"type\": \"Microsoft.Insights/scheduledQueryRules\",\n \"apiVersion\": \"2022-08-01-preview\",\n \"name\": \"[[concat(subscription().displayName, '-HybridVMDisconnectedAlert')]\",\n \"location\": \"[[parameters('alertResourceGroupLocation')]\",\n \"identity\": {\n \"type\": \"UserAssigned\",\n \"userAssignedIdentities\": {\n \"[[parameters('UAMIResourceId')]\": {}\n }\n },\n \"tags\": {\n \"_deployed_by_amba\": true\n },\n \"properties\": {\n \"displayName\": \"[[concat(subscription().displayName, '-HybridVMDisconnectedAlert')]\",\n \"description\": \"Hybrid VM in disconnected state. Not being connected, prevents extensions to be correctly managed from the portal and Azure policies to be correctly applied. Ensure that both server the specific service (Azure Hybrid Instance Metadata Service on Windows or azcmagent on Linux) are running.\",\n \"severity\": \"[[parameters('severity')]\",\n \"enabled\": \"[[parameters('enabled')]\",\n \"scopes\": [\n \"[[subscription().Id]\"\n ],\n \"targetResourceTypes\": [\n \"Microsoft.HybridCompute/machines\"\n ],\n \"evaluationFrequency\": \"[[parameters('evaluationFrequency')]\",\n \"windowSize\": \"[[parameters('windowSize')]\",\n \"criteria\": {\n \"allOf\": [\n {\n \"query\": \"[[format('let policyThresholdString = \\\"{2}\\\"; arg(\\\"\\\").resources | where type == \\\"microsoft.hybridcompute/machines\\\" | where parse_json(tostring(tags.{0})) !in~ (\\\"{1}\\\") | where tostring(properties.status) == \\\"Disconnected\\\" | extend lastContactedDate = todatetime(properties.lastStatusChange) | where lastContactedDate <= ago(totimespan(policyThresholdString)) | extend status = tostring(properties.status) | project id, Computer=name, status, lastContactedDate', parameters('MonitorDisableTagName'), join(parameters('MonitorDisableTagValues'), '\\\",\\\"'), parameters('threshold'))]\",\n \"resourceIdColumn\": \"id\",\n \"threshold\": 0,\n \"operator\": \"[[parameters('operator')]\",\n \"timeAggregation\": \"[[parameters('timeAggregation')]\",\n \"dimensions\": [\n {\n \"name\": \"Computer\",\n \"operator\": \"Include\",\n \"values\": [\n \"*\"\n ]\n }\n ],\n \"failingPeriods\": {\n \"numberOfEvaluationPeriods\": \"[[parameters('evaluationPeriods')]\",\n \"minFailingPeriodsToAlert\": \"[[parameters('failingPeriods')]\"\n }\n }\n ]\n },\n \"autoMitigate\": \"[[parameters('autoMitigate')]\",\n \"parameters\": {\n \"alertResourceGroupName\": {\n \"value\": \"[[parameters('alertResourceGroupName')]\"\n },\n \"alertResourceGroupLocation\": {\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\n },\n \"UAMIResourceId\": {\n \"value\": \"[[parameters('UAMIResourceId')]\"\n },\n \"severity\": {\n \"value\": \"[[parameters('severity')]\"\n },\n \"windowSize\": {\n \"value\": \"[[parameters('windowSize')]\"\n },\n \"evaluationFrequency\": {\n \"value\": \"[[parameters('evaluationFrequency')]\"\n },\n \"autoMitigate\": {\n \"value\": \"[[parameters('autoMitigate')]\"\n },\n \"enabled\": {\n \"value\": \"[[parameters('enabled')]\"\n },\n \"threshold\": {\n \"value\": \"[[parameters('threshold')]\"\n },\n \"failingPeriods\": {\n \"value\": \"[[parameters('failingPeriods')]\"\n },\n \"evaluationPeriods\": {\n \"value\": \"[[parameters('evaluationPeriods')]\"\n },\n \"MonitorDisableTagName\": {\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\n },\n \"MonitorDisableTagValues\": {\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\n }\n }\n }\n }\n ]\n },\n \"parameters\": {\n \"enabled\": {\n \"value\": \"[[parameters('enabled')]\"\n },\n \"alertResourceGroupName\": {\n \"value\": \"[[parameters('alertResourceGroupName')]\"\n },\n \"alertResourceGroupLocation\": {\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\n },\n \"UAMIResourceId\": {\n \"value\": \"[[parameters('UAMIResourceId')]\"\n }\n }\n }\n }\n ]\n },\n \"parameters\": {\n \"alertResourceGroupName\": {\n \"value\": \"[[parameters('alertResourceGroupName')]\"\n },\n \"alertResourceGroupTags\": {\n \"value\": \"[[parameters('alertResourceGroupTags')]\"\n },\n \"alertResourceGroupLocation\": {\n \"value\": \"[[parameters('alertResourceGroupLocation')]\"\n },\n \"UAMIResourceId\": {\n \"value\": \"[[parameters('UAMIResourceId')]\"\n },\n \"severity\": {\n \"value\": \"[[parameters('severity')]\"\n },\n \"windowSize\": {\n \"value\": \"[[parameters('windowSize')]\"\n },\n \"evaluationFrequency\": {\n \"value\": \"[[parameters('evaluationFrequency')]\"\n },\n \"autoMitigate\": {\n \"value\": \"[[parameters('autoMitigate')]\"\n },\n \"enabled\": {\n \"value\": \"[[parameters('enabled')]\"\n },\n \"threshold\": {\n \"value\": \"[[parameters('threshold')]\"\n },\n \"operator\": {\n \"value\": \"[[parameters('operator')]\"\n },\n \"timeAggregation\": {\n \"value\": \"[[parameters('timeAggregation')]\"\n },\n \"failingPeriods\": {\n \"value\": \"[[parameters('failingPeriods')]\"\n },\n \"evaluationPeriods\": {\n \"value\": \"[[parameters('evaluationPeriods')]\"\n },\n \"MonitorDisableTagName\": {\n \"value\": \"[[parameters('MonitorDisableTagName')]\"\n },\n \"MonitorDisableTagValues\": {\n \"value\": \"[[parameters('MonitorDisableTagValues')]\"\n }\n }\n }\n }\n }\n }\n }\n }\n}\n", "$fxv#12": { "type": "Microsoft.Authorization/policySetDefinitions", "apiVersion": "2021-06-01", diff --git a/patterns/alz/scripts/Remove-AMBADeployments.ps1 b/patterns/alz/scripts/Remove-AMBADeployments.ps1 index 1767c1a9a..5818f2015 100644 --- a/patterns/alz/scripts/Remove-AMBADeployments.ps1 +++ b/patterns/alz/scripts/Remove-AMBADeployments.ps1 @@ -1,4 +1,25 @@ -<# +# Copyright (c) Microsoft Corporation. +# Licensed under the MIT License. + +# Permission is hereby granted, free of charge, to any person obtaining a copy +# of this software and associated documentation files (the "Software"), to deal +# in the Software without restriction, including without limitation the rights +# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +# copies of the Software, and to permit persons to whom the Software is +# furnished to do so, subject to the following conditions: + +# The above copyright notice and this permission notice shall be included in all +# copies or substantial portions of the Software. + +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +# SOFTWARE. + +<# .SYNOPSIS This script cleans up the deployment entries at the management group hierarchy level performed by the AMBA-ALZ automation. @@ -12,16 +33,17 @@ https://github.com/Azure/azure-monitor-baseline-alerts .EXAMPLE - ./Remove-AMBADeployments.ps1 -pseudoManagementGroup Contoso -ReportOnly - # generate a list of the deployments which would be deleted by this script + ./Remove-AMBADeployments.ps1 -pseudoRootManagementGroup Contoso -WhatIf + # show output of what would happen if deletes executed. .EXAMPLE - ./Remove-AMBADeployments.ps1 -pseudoManagementGroup Contoso -WhatIf - # show output of what would happen if deletes executed + ./Remove-AMBADeployments.ps1 -pseudoRootManagementGroup Contoso + # execute the script and will ask for confirmation before taking the configured action. .EXAMPLE - ./Remove-AMBADeployments.ps1 -pseudoManagementGroup Contoso -Force - # delete all deployments entries for deployments performed by the AMBA-ALZ IaC without prompting for confirmation + ./Remove-AMBADeployments.ps1 -pseudoRootManagementGroup Contoso -Confirm:$false + # execute the script without asking for confirmation before taking the configured action. + #> [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')] @@ -29,20 +51,11 @@ param( # the pseudo managemnt group to start from [Parameter(Mandatory = $True, ValueFromPipeline = $false)] - [string]$pseudoRootManagementGroup, - # output a list of the resources to be deleted - [Parameter(Mandatory = $False, - ValueFromPipeline = $false)] - [switch]$reportOnly, - # if not specified, delete will prompt for confirmation - [Parameter(Mandatory = $False, - ValueFromPipeline = $false)] - [switch]$force + [string]$pseudoRootManagementGroup ) Function Iterate-ManagementGroups($mg) { - - $script:managementGroups += $mg.Name + $script:managementGroups += $mg.Name if ($mg.Children) { foreach ($child in $mg.Children) { if ($child.Type -eq 'Microsoft.Management/managementGroups') { @@ -68,11 +81,10 @@ ForEach ($mg in $allMgs) { Iterate-ManagementGroups $mg } -Write-Host "Found '$($managementGroups.Count)' management groups to query for AMBA-ALZ deployments." - +Write-Host "Found '$($managementGroups.Count)' management group(s) (including the parent one) which are part of the '$pseudoRootManagementGroup' management group hierarchy, to be queried for AMBA-ALZ deployments." If ($managementGroups.count -eq 0) { - Write-Error "The command 'Get-AzManagementGroups' returned '0' groups. This script needs to run with Owner permissions on the Azure Landing Zones intermediate root management group to effectively clean up Policies and all related resources." + Write-Error "The command 'Get-AzManagementGroups' returned '0' groups. This script needs to run with Owner permissions on the Azure Landing Zones intermediate root management group to effectively query all the AMBA-ALZ deployment records." } # get AMBA-ALZ deployments to delete @@ -82,33 +94,17 @@ ForEach ($mg in $managementGroups) { $allDeployments += $deployments } -Write-Host "Found '$($allDeployments.Count)' deployments for AMBA-ALZ pattern with name starting with 'amba-'." - -If (!$reportOnly.IsPresent) { +Write-Host "- Found '$($allDeployments.Count)' deployments for AMBA-ALZ pattern with name starting with 'amba-' performed on the '$pseudoRootManagementGroup' Management Group hierarchy." - Write-Warning "This script will delete the AMBA-ALZ deployments discovered above." +If ($allDeployments.Count -gt 0) { + If ($PSCmdlet.ShouldProcess($pseudoRootManagementGroup, "Delete AMBA-ALZ deployments performed on the '$pseudoRootManagementGroup' Management Group hierarchy ..." )) { + # overriding confirmation behavior using local copy of $ConfirmPreference + $ConfirmPreference = 'None' - If (!$force.IsPresent) { - While ($prompt -notmatch '[yYnN]') { - $prompt = Read-Host -Prompt 'Would you like to proceed with the deletion? (y/n)' - } - If ($prompt -match '[yY]') { - $force = $true - } - Else { - Write-Host "Exiting script..." - return - } + # delete AMBA-ALZ deployments + Write-Host "-- Deleting AMBA-ALZ deployments performed on the '$pseudoRootManagementGroup' Management Group hierarchy ..." + $allDeployments | ForEach-Object -Parallel { Remove-AzManagementGroupDeployment -InputObject $_ } -throttlelimit 100 } - - # delete alert processing rules - Write-Host "Deleting AMBA-ALZ deployments..." - $allDeployments | ForEach-Object -Parallel { Remove-AzManagementGroupDeployment -InputObject $_ } -throttlelimit 100 - - Write-Host "AMBA-ALZ deployments cleanup complete." } -Else { - $resourceToBeDeleted = $allDeployments.Name - return $resourceToBeDeleted -} +Write-Host "=== Script execution completed. ===" diff --git a/patterns/alz/scripts/Remove-AMBANotificationAssets.ps1 b/patterns/alz/scripts/Remove-AMBANotificationAssets.ps1 index f63a007a4..1e7dbd647 100644 --- a/patterns/alz/scripts/Remove-AMBANotificationAssets.ps1 +++ b/patterns/alz/scripts/Remove-AMBANotificationAssets.ps1 @@ -1,3 +1,14 @@ +# The above copyright notice and this permission notice shall be included in all +# copies or substantial portions of the Software. + +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +# SOFTWARE. + <# .SYNOPSIS This script cleans up the alert processing rules and action groups deployed by the ALZ-Monitor versions up to 2024-03-01 and not used anymore if customers @@ -14,36 +25,31 @@ resources after this script executes. This script leverages the Azure Resource Graph to find object to delete. Note that the Resource Graph lags behind ARM by a couple minutes. + .LINK https://github.com/Azure/azure-monitor-baseline-alerts .EXAMPLE - ./Remove-AMBANotificationAssets.ps1 -pseudoManagementGroup Contoso -ReportOnly - # generate a list of the resource IDs which would be deleted by this script + ./Remove-AMBANotificationAssets.ps1 -pseudoRootManagementGroup Contoso -WhatIf + # show output of what would happen if deletes executed. .EXAMPLE - ./Remove-AMBANotificationAssets.ps1 -pseudoManagementGroup Contoso -WhatIf - # show output of what would happen if deletes executed + ./Remove-AMBANotificationAssets.ps1 -pseudoRootManagementGroup Contoso + # execute the script and will ask for confirmation before taking the configured action. .EXAMPLE - ./Remove-AMBANotificationAssets.ps1 -pseudoManagementGroup Contoso -Force - # delete all resources deployed by the ALZ-Monitor IaC without prompting for confirmation + ./Remove-AMBANotificationAssets.ps1 -pseudoRootManagementGroup Contoso -Confirm:$false + # execute the script without asking for confirmation before taking the configured action. + #> [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')] + param( # the pseudo managemnt group to start from [Parameter(Mandatory=$True, - ValueFromPipeline=$false)] - [string]$pseudoRootManagementGroup, - # output a list of the resources to be deleted - [Parameter(Mandatory=$False, - ValueFromPipeline=$false)] - [switch]$reportOnly, - # if not specified, delete will prompt for confirmation - [Parameter(Mandatory=$False, - ValueFromPipeline=$false)] - [switch]$force + ValueFromPipeline=$false)] + [string]$pseudoRootManagementGroup ) Function Search-AzGraphRecursive { @@ -94,15 +100,14 @@ Function Search-AzGraphRecursive { } Function Iterate-ManagementGroups($mg) { - - $script:managementGroups += $mg.Name - if ($mg.Children) { - foreach ($child in $mg.Children) { - if ($child.Type -eq 'Microsoft.Management/managementGroups') { - Iterate-ManagementGroups $child - } - } - } + $script:managementGroups += $mg.Name + if ($mg.Children) { + foreach ($child in $mg.Children) { + if ($child.Type -eq 'Microsoft.Management/managementGroups') { + Iterate-ManagementGroups $child + } + } + } } $ErrorActionPreference = 'Stop' @@ -121,52 +126,38 @@ foreach ($mg in $allMgs) { Iterate-ManagementGroups $mg } -Write-Host "Found '$($managementGroups.Count)' management groups to query for ALZ-Monitor resources." +Write-Host "Found '$($managementGroups.Count)' management groups(s) (including the parent one) which are part of the '$pseudoRootManagementGroup' management group hierarchy, to be queried for action groups and alert processing rules deployed by AMBA-ALZ." If ($managementGroups.count -eq 0) { - Write-Error "The command 'Get-AzManagementGroups' returned '0' groups. This script needs to run with Owner permissions on the Azure Landing Zones intermediate root management group to effectively clean up Policies and all related resources." + Write-Error "The command 'Get-AzManagementGroups' returned '0' groups. This script needs to run with Owner permissions on the Azure Landing Zones intermediate root management group to effectively remove action groups and alert processing rules deployed by AMBA-ALZ." } # get alert processing rules to delete $query = "resources | where type =~ 'Microsoft.AlertsManagement/actionRules' | where name startswith 'apr-AMBA-' and name endswith '-001' and properties.description == 'AMBA Notification Assets - Alert Processing Rule for Subscription' and tags['_deployed_by_amba'] =~ 'True'| project id" $alertProcessingRuleIds = Search-AzGraphRecursive -Query $query -ManagementGroupNames $managementGroups | Select-Object -ExpandProperty Id | Sort-Object | Get-Unique -Write-Host "Found '$($alertProcessingRuleIds.Count)' alert processing rule(s) with description 'AMBA Notification Assets - Alert Processing Rule for Subscription' and tag '_deployed_by_amba=True' to be deleted." +Write-Host "- Found '$($alertProcessingRuleIds.Count)' alert processing rule(s) with description 'AMBA Notification Assets - Alert Processing Rule for Subscription' and tag '_deployed_by_amba=True' on the '$pseudoRootManagementGroup' Management Group hierarchy to be deleted." # get action groups to delete $query = "resources | where type =~ 'Microsoft.Insights/actionGroups' | where name startswith 'ag-AMBA-' and name endswith '-001' and properties.groupShortName endswith 'ActGrp'and tags['_deployed_by_amba'] =~ 'True' | project id" $actionGroupIds = Search-AzGraphRecursive -Query $query -ManagementGroupNames $managementGroups | Select-Object -ExpandProperty Id | Sort-Object | Get-Unique -Write-Host "Found '$($actionGroupIds.Count)' action group(s) with name starting with 'ag-AMBA-', short name ending with 'ActGrp' and tag '_deployed_by_amba=True' to be deleted." +Write-Host "- Found '$($actionGroupIds.Count)' action group(s) with name starting with 'ag-AMBA-', short name ending with 'ActGrp' and tag '_deployed_by_amba=True' on the '$pseudoRootManagementGroup' Management Group hierarchy to be deleted." -If (!$reportOnly.IsPresent) { +If (($alertProcessingRuleIds.count -gt 0) -or ($actionGroupIds.count -gt 0)) { + If ($PSCmdlet.ShouldProcess($pseudoRootManagementGroup, "Delete AMBA-ALZ alert processing rules and action groups on the '$pseudoRootManagementGroup' Management Group hierarchy ..." )) { - Write-Warning "This script will delete the resources discovered above." + # delete alert processing rules + If ($alertProcessingRuleIds.count -gt 0) { + Write-Host "-- Deleting alert processing rules ..." + $alertProcessingRuleIds | Foreach-Object { Remove-AzResource -ResourceId $_ -Force } + } - If (!$force.IsPresent) { - While ($prompt -notmatch '[yYnN]') { - $prompt = Read-Host -Prompt 'Would you like to proceed with the deletion? (y/n)' - } - If ($prompt -match '[yY]') { - $force = $true - } - Else { - Write-Host "Exiting script..." - return - } + # delete action groups + If ($actionGroupIds.count -gt 0) { + Write-Host "-- Deleting action groups ..." + $actionGroupIds | Foreach-Object { Remove-AzResource -ResourceId $_ -Force } + } } - - # delete alert processing rules - Write-Host "Deleting alert processing rule(s)..." - $alertProcessingRuleIds | Foreach-Object { Remove-AzResource -ResourceId $_ -Force:$force -Confirm:(!$force) } - - # delete action groups - Write-Host "Deleting action group(s)..." - $actionGroupIds | Foreach-Object { Remove-AzResource -ResourceId $_ -Force:$force -Confirm:(!$force) } - - Write-Host "Cleanup complete." } -Else { - $resourceToBeDeleted = $alertProcessingRuleIds+$actionGroupIds - return $resourceToBeDeleted -} +Write-Host "=== Script execution completed. ===" diff --git a/patterns/alz/scripts/Start-AMBACleanup.ps1 b/patterns/alz/scripts/Start-AMBACleanup.ps1 index 42d674801..9a99a6a54 100644 --- a/patterns/alz/scripts/Start-AMBACleanup.ps1 +++ b/patterns/alz/scripts/Start-AMBACleanup.ps1 @@ -1,6 +1,18 @@ +# The above copyright notice and this permission notice shall be included in all +# copies or substantial portions of the Software. + +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +# SOFTWARE. + <# .SYNOPSIS This script cleans up the resources deployed by the ALZ-Monitor automation, including alerts, policy assignments, policy initiatives, policy definitions, and policy assignment role assignments. + .DESCRIPTION .NOTES @@ -11,20 +23,21 @@ The Role Assignments associated with Policy assignment identities and including _deployed_by_amba in the description field will also be deleted. This script leverages the Azure Resource Graph to find object to delete. Note that the Resource Graph lags behind ARM by a couple minutes. + .LINK https://github.com/Azure/azure-monitor-baseline-alerts .EXAMPLE - ./Start-AMBACleanup.ps1 -pseudoManagementGroup Contoso -ReportOnly - # generate a list of the resource IDs which would be deleted by this script + ./Start-AMBACleanup.ps1 -pseudoRootManagementGroup Contoso -WhatIf + # show output of what would happen if deletes executed. .EXAMPLE - ./Start-AMBACleanup.ps1 -pseudoManagementGroup Contoso -WhatIf - # show output of what would happen if deletes executed + ./Start-AMBACleanup.ps1 -pseudoRootManagementGroup Contoso + # execute the script and will ask for confirmation before taking the configured action. .EXAMPLE - ./Start-AMBACleanup.ps1 -pseudoManagementGroup Contoso -Force - # delete all resources deployed by the ALZ-Monitor IaC without prompting for confirmation + ./Start-AMBACleanup.ps1 -pseudoRootManagementGroup Contoso -Confirm:$false + # execute the script without asking for confirmation before taking the configured action. #> [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')] @@ -32,15 +45,7 @@ param( # the pseudo managemnt group to start from [Parameter(Mandatory = $True, ValueFromPipeline = $false)] - [string]$pseudoRootManagementGroup, - # output a list of the resources to be deleted - [Parameter(Mandatory = $False, - ValueFromPipeline = $false)] - [switch]$reportOnly, - # if not specified, delete will prompt for confirmation - [Parameter(Mandatory = $False, - ValueFromPipeline = $false)] - [switch]$force + [string]$pseudoRootManagementGroup ) Function Search-AzGraphRecursive { @@ -132,114 +137,116 @@ foreach ($mg in $allMgs) { Iterate-ManagementGroups $mg } -Write-Host "Found '$($managementGroups.Count)' management groups to query for ALZ-Monitor resources." +Write-Host "Found '$($managementGroups.Count)' management group(s) (including the parent one) which are part of the '$pseudoRootManagementGroup' management group hierarchy, to be queried for AMBA-ALZ resources." If ($managementGroups.count -eq 0) { - Write-Error "The command 'Get-AzManagementGroups' returned '0' groups. This script needs to run with Owner permissions on the Azure Landing Zones intermediate root management group to effectively clean up Policies and all related resources." + Write-Error "The command 'Get-AzManagementGroups' returned '0' groups. This script needs to run with Owner permissions on the Azure Landing Zones intermediate root management group to effectively clean up Policies and all related resources deployed by AMBA-ALZ." } # get alert resources to delete $query = "Resources | where type in~ ('Microsoft.Insights/metricAlerts','Microsoft.Insights/activityLogAlerts', 'Microsoft.Insights/scheduledQueryRules') and tags['_deployed_by_amba'] =~ 'True' | project id" $alertResourceIds = Search-AzGraphRecursive -Query $query -ManagementGroupNames $managementGroups | Select-Object -ExpandProperty Id | Sort-Object | Get-Unique -Write-Host "Found '$($alertResourceIds.Count)' metric, activity log and log alerts with tag '_deployed_by_amba=True' to be deleted." +Write-Host "- Found '$($alertResourceIds.Count)' metric, activity log and log alerts with tag '_deployed_by_amba=True' to be deleted." # get resource group to delete $query = "ResourceContainers | where type =~ 'microsoft.resources/subscriptions/resourcegroups' and tags['_deployed_by_amba'] =~ 'True' | project id" $resourceGroupIds = Search-AzGraphRecursive -Query $query -ManagementGroupNames $managementGroups | Select-Object -ExpandProperty Id | Sort-Object | Get-Unique -Write-Host "Found '$($resourceGroupIds.Count)' resource groups with tag '_deployed_by_amba=True' to be deleted." +Write-Host "- Found '$($resourceGroupIds.Count)' resource groups with tag '_deployed_by_amba=True' to be deleted." # get policy assignments to delete $query = "policyresources | where type =~ 'microsoft.authorization/policyAssignments' | project name,metadata=parse_json(properties.metadata),type,identity,id | where metadata._deployed_by_amba =~ 'true'" $policyAssignmentIds = Search-AzGraphRecursive -Query $query -ManagementGroupNames $managementGroups | Select-Object -ExpandProperty Id | Sort-Object | Get-Unique -Write-Host "Found '$($policyAssignmentIds.Count)' policy assignments with metadata '_deployed_by_amba=True' to be deleted." +Write-Host "- Found '$($policyAssignmentIds.Count)' policy assignments with metadata '_deployed_by_amba=True' to be deleted." # get policy set definitions to delete $query = "policyresources | where type =~ 'microsoft.authorization/policysetdefinitions' | project name,metadata=parse_json(properties.metadata),type,id | where metadata._deployed_by_amba =~ 'true' | project id" $policySetDefinitionIds = Search-AzGraphRecursive -Query $query -ManagementGroupNames $managementGroups | Select-Object -ExpandProperty Id | Sort-Object | Get-Unique -Write-Host "Found '$($policySetDefinitionIds.Count)' policy set definitions with metadata '_deployed_by_amba=True' to be deleted." +Write-Host "- Found '$($policySetDefinitionIds.Count)' policy set definitions with metadata '_deployed_by_amba=True' to be deleted." # get policy definitions to delete $query = "policyresources | where type =~ 'microsoft.authorization/policyDefinitions' | project name,metadata=parse_json(properties.metadata),type,id | where metadata._deployed_by_amba =~ 'true' | project id" $policyDefinitionIds = Search-AzGraphRecursive -Query $query -ManagementGroupNames $managementGroups | Select-Object -ExpandProperty Id | Sort-Object | Get-Unique -Write-Host "Found '$($policyDefinitionIds.Count)' policy definitions with metadata '_deployed_by_amba=True' to be deleted." +Write-Host "- Found '$($policyDefinitionIds.Count)' policy definitions with metadata '_deployed_by_amba=True' to be deleted." # get user assigned managed identities to delete $query = "Resources | where type =~ 'Microsoft.ManagedIdentity/userAssignedIdentities' and tags['_deployed_by_amba'] =~ 'True' | project id, name, principalId = properties.principalId, tenantId, subscriptionId, resourceGroup" $UamiIds = Search-AzGraphRecursive -Query $query -ManagementGroupNames $managementGroups | Sort-Object -Property id | Get-Unique -AsString -Write-Host "Found '$($UamiIds.Count)' user assigned managed identities with tag '_deployed_by_amba=True' to be deleted." +Write-Host "- Found '$($UamiIds.Count)' user assigned managed identities with tag '_deployed_by_amba=True' to be deleted." # get role assignments to delete $query = "authorizationresources | where type =~ 'microsoft.authorization/roleassignments' and properties.description == '_deployed_by_amba' | project roleDefinitionId = properties.roleDefinitionId, objectId = properties.principalId, scope = properties.scope, id" $roleAssignments = Search-AzGraphRecursive -Query $query -ManagementGroupNames $managementGroups | Sort-Object -Property id | Get-Unique -AsString -Write-Host "Found '$($roleAssignments.Count)' role assignments with description '_deployed_by_amba' to be deleted." +Write-Host "- Found '$($roleAssignments.Count)' role assignments with description '_deployed_by_amba' to be deleted." # get alert processing rules to delete -$query = "resources | where type =~ 'Microsoft.AlertsManagement/actionRules' | where tags['_deployed_by_amba'] =~ 'True'| project id" +#$query = "resources | where type =~ 'Microsoft.AlertsManagement/actionRules' | where tags['_deployed_by_amba'] =~ 'True'| project id" +$query = "resources | where type =~ 'Microsoft.AlertsManagement/actionRules' | where name startswith 'apr-AMBA-' and properties.description startswith 'AMBA Notification Assets - ' and tags['_deployed_by_amba'] =~ 'True'| project id" $alertProcessingRuleIds = Search-AzGraphRecursive -Query $query -ManagementGroupNames $managementGroups | Select-Object -ExpandProperty Id | Sort-Object | Get-Unique -Write-Host "Found '$($alertProcessingRuleIds.Count)' alert processing rule(s) with tag '_deployed_by_amba=True' to be deleted." +Write-Host "- Found '$($alertProcessingRuleIds.Count)' alert processing rule(s) with tag '_deployed_by_amba=True' to be deleted." # get action groups to delete $query = "resources | where type =~ 'Microsoft.Insights/actionGroups' | where tags['_deployed_by_amba'] =~ 'True' | project id" $actionGroupIds = Search-AzGraphRecursive -Query $query -ManagementGroupNames $managementGroups | Select-Object -ExpandProperty Id | Sort-Object | Get-Unique -Write-Host "Found '$($actionGroupIds.Count)' action group(s) with tag '_deployed_by_amba=True' to be deleted." - -If (!$reportOnly.IsPresent) { - - Write-Warning "This script will delete the resources discovered above." - - If (!$force.IsPresent) { - While ($prompt -notmatch '[yYnN]') { - $prompt = Read-Host -Prompt 'Would you like to proceed with the deletion? (y/n)' +Write-Host "- Found '$($actionGroupIds.Count)' action group(s) with tag '_deployed_by_amba=True' to be deleted." + +If (($alertResourceIds.count -gt 0) -or ($policyAssignmentIds.count -gt 0) -or ($policySetDefinitionIds.count -gt 0) -or ($policyDefinitionIds.count -gt 0) -or ($roleAssignments.count -gt 0) -or ($UamiIds.count -gt 0) -or ($alertProcessingRuleIds.count -gt 0) -or ($actionGroupIds.count -gt 0)) { + If ($PSCmdlet.ShouldProcess($pseudoRootManagementGroup, "Delete alerts, policy assignments, policy initiatives, policy definitions, policy role assignments, user assigned managed identities, alert processing rules and action groups deployed by AMBA-ALZ on the '$pseudoRootManagementGroup' Management Group hierarchy ..." )) { + # delete alert resources + If ($alertResourceIds.count -gt 0) { + Write-Host "-- Deleting alerts ..." + $alertResourceIds | Foreach-Object { Remove-AzResource -ResourceId $_ -Force } } - If ($prompt -match '[yY]') { - $force = $true + <# + ### Leave this in place incase we decide to remove the rg later on + # delete resource groups + If ($resourceGroupIds.count -gt 0) { + Write-Host "-- Deleting resource groups ..." + $resourceGroupIds | ForEach-Object { Remove-AzResourceGroup -ResourceGroupId $_ -Confirm:$false | Out-Null } } - Else { - Write-Host "Exiting script..." - return - } - } - - # delete alert resources - Write-Host "Deleting alert resources..." - $alertResourceIds | Foreach-Object { Remove-AzResource -ResourceId $_ -Force:$force -Confirm:(!$force) } + #> - # delete resource groups - Write-Host "Deleting resource groups..." - $resourceGroupIds | ForEach-Object { Remove-AzResourceGroup -ResourceGroupId $_ -Force:$force -Confirm:(!$force) | Out-Null } - - # delete policy assignments - Write-Host "Deleting policy assignments..." - $policyAssignmentIds | ForEach-Object { Remove-AzPolicyAssignment -Id $_ -Confirm:(!$force) -ErrorAction Stop } - - # delete policy set definitions - Write-Host "Deleting policy set definitions..." - $policySetDefinitionIds | ForEach-Object { Remove-AzPolicySetDefinition -Id $_ -Force:$force -Confirm:(!$force) } + # delete policy assignments + If ($policyAssignmentIds.count -gt 0) { + Write-Host "-- Deleting policy assignments ..." + $policyAssignmentIds | ForEach-Object { Remove-AzPolicyAssignment -Id $_ -Confirm:$false -ErrorAction Stop } + } - # delete policy definitions - Write-Host "Deleting policy definitions..." - $policyDefinitionIds | ForEach-Object { Remove-AzPolicyDefinition -Id $_ -Force:$force -Confirm:(!$force) } + # delete policy set definitions + If ($policySetDefinitionIds.count -gt 0) { + Write-Host "-- Deleting policy set definitions ..." + $policySetDefinitionIds | ForEach-Object { Remove-AzPolicySetDefinition -Id $_ -Force } + } - # delete role assignments - Write-Host "Deleting role assignments..." - $roleAssignments | Select-Object -Property objectId, roleDefinitionId, scope | ForEach-Object { Remove-AzRoleAssignment @psItem -Confirm:(!$force) | Out-Null } + # delete policy definitions + If ($policyDefinitionIds.count -gt 0) { + Write-Host "-- Deleting policy definitions ..." + $policyDefinitionIds | ForEach-Object { Remove-AzPolicyDefinition -Id $_ -Force } + } - # delete user assigned managed identities - Write-Host "Deleting user assigned managed identities..." - $UamiIds | Select-Object -Property resourceGroup, name | ForEach-Object { Remove-AzUserAssignedIdentity -ResourceGroupName $_.resourceGroup -Name $_.name -Confirm:(!$force) | Out-Null } + # delete role assignments + If ($roleAssignments.count -gt 0) { + Write-Host "-- Deleting role assignments ..." + $roleAssignments | Select-Object -Property objectId, roleDefinitionId, scope | ForEach-Object { Remove-AzRoleAssignment @psItem -Confirm:$false | Out-Null } + } - # delete alert processing rules - Write-Host "Deleting alert processing rule(s)..." - $alertProcessingRuleIds | Foreach-Object { Remove-AzResource -ResourceId $_ -Force:$force -Confirm:(!$force) } + # delete user assigned managed identities + If ($UamiIds.count -gt 0) { + Write-Host "-- Deleting user assigned managed identities ..." + $UamiIds | ForEach-Object { Remove-AzUserAssignedIdentity -ResourceGroupName $_.resourceGroup -Name $_.name -SubscriptionId $_.subscriptionId -Confirm:$false } + } - # delete action groups - Write-Host "Deleting action group(s)..." - $actionGroupIds | Foreach-Object { Remove-AzResource -ResourceId $_ -Force:$force -Confirm:(!$force) } + # delete alert processing rules + If ($alertProcessingRuleIds.count -gt 0) { + Write-Host "-- Deleting alert processing rules ..." + $alertProcessingRuleIds | Foreach-Object { Remove-AzResource -ResourceId $_ -Force } + } - Write-Host "Cleanup complete." + # delete action groups + If ($actionGroupIds.count -gt 0) { + Write-Host "-- Deleting action groups ..." + $actionGroupIds | Foreach-Object { Remove-AzResource -ResourceId $_ -Force } + } + } } -Else { - $resourceToBeDeleted = $alertResourceIds + $resourceGroupIds + $policyAssignmentIds + $policySetDefinitionIds + $policyDefinitionIds + $roleAssignments.Id + $UamiIds + $alertProcessingRuleIds + $alertProcessingRuleIds - return $resourceToBeDeleted -} +Write-Host "=== Script execution completed. ===" diff --git a/patterns/alz/scripts/Start-AMBAOldArpCleanup.ps1 b/patterns/alz/scripts/Start-AMBAOldArpCleanup.ps1 index adb473c48..28da2355d 100644 --- a/patterns/alz/scripts/Start-AMBAOldArpCleanup.ps1 +++ b/patterns/alz/scripts/Start-AMBAOldArpCleanup.ps1 @@ -1,6 +1,18 @@ +# The above copyright notice and this permission notice shall be included in all +# copies or substantial portions of the Software. + +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +# SOFTWARE. + <# .SYNOPSIS This script cleans up the alert processing rule and action group created deployed by the ALZ-Monitor automation versions up to 2023-11-14 and not in use anymore. + .DESCRIPTION This script cleans up the alert processing rule and action group created deployed by the ALZ-Monitor automation versions up to 2023-11-14 and not in use anymore. Newer versions will deploy 1 action group per subscription specific to Service Health alerts and 1 action group, which is member of 1 alert processing rule, per @@ -12,36 +24,29 @@ resources after this script executes. This script leverages the Azure Resource Graph to find object to delete. Note that the Resource Graph lags behind ARM by a couple minutes. + .LINK https://github.com/Azure/azure-monitor-baseline-alerts .EXAMPLE - ./Start-AMBAOldArpCleanup.ps1 -pseudoManagementGroup Contoso -ReportOnly - # generate a list of the resource IDs which would be deleted by this script + ./Start-AMBAOldArpCleanup.ps1 -pseudoRootManagementGroup Contoso -WhatIf + # show output of what would happen if deletes executed. .EXAMPLE - ./Start-AMBAOldArpCleanup.ps1 -pseudoManagementGroup Contoso -WhatIf - # show output of what would happen if deletes executed + ./Start-AMBAOldArpCleanup.ps1 -pseudoRootManagementGroup Contoso + # execute the script and will ask for confirmation before taking the configured action. .EXAMPLE - ./Start-AMBAOldArpCleanup.ps1 -pseudoManagementGroup Contoso -Force - # delete all resources deployed by the ALZ-Monitor IaC without prompting for confirmation + ./Start-AMBAOldArpCleanup.ps1 -pseudoRootManagementGroup Contoso -Confirm:$false + # execute the script without asking for confirmation before taking the configured action. #> [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')] param( # the pseudo managemnt group to start from [Parameter(Mandatory=$True, - ValueFromPipeline=$false)] - [string]$pseudoRootManagementGroup, - # output a list of the resources to be deleted - [Parameter(Mandatory=$False, - ValueFromPipeline=$false)] - [switch]$reportOnly, - # if not specified, delete will prompt for confirmation - [Parameter(Mandatory=$False, - ValueFromPipeline=$false)] - [switch]$force + ValueFromPipeline=$false)] + [string]$pseudoRootManagementGroup ) Function Search-AzGraphRecursive { @@ -119,11 +124,12 @@ foreach ($mg in $allMgs) { Iterate-ManagementGroups $mg } -Write-Host "Found '$($managementGroups.Count)' management groups to query for ALZ-Monitor resources." +Write-Host "Found '$($managementGroups.Count)' management groups(s) (including the parent one) which are part of the '$pseudoRootManagementGroup' management group hierarchy, to be queried for action groups and alert processing rules deployed by ALZ-Monitor." If ($managementGroups.count -eq 0) { - Write-Error "The command 'Get-AzManagementGroups' returned '0' groups. This script needs to run with Owner permissions on the Azure Landing Zones intermediate root management group to effectively clean up Policies and all related resources." + Write-Error "The command 'Get-AzManagementGroups' returned '0' groups. This script needs to run with Owner permissions on the Azure Landing Zones intermediate root management group to effectively remove action groups and alert processing rules deployed by AMBA-ALZ." + return } # get alert processing rules to delete @@ -136,35 +142,20 @@ $query = "resources | where type =~ 'Microsoft.Insights/actionGroups' | where na $actionGroupIds = Search-AzGraphRecursive -Query $query -ManagementGroupNames $managementGroups | Select-Object -ExpandProperty Id | Sort-Object | Get-Unique Write-Host "Found '$($actionGroupIds.Count)' action group(s) with name 'AmbaActionGr', short name 'AmbaActionGr' and tag '_deployed_by_amba=True' to be deleted." -If (!$reportOnly.IsPresent) { - - Write-Warning "This script will delete the resources discovered above." - - If (!$force.IsPresent) { - While ($prompt -notmatch '[yYnN]') { - $prompt = Read-Host -Prompt 'Would you like to proceed with the deletion? (y/n)' +If (($alertProcessingRuleIds.count -gt 0) -or ($actionGroupIds.count -gt 0)) { + If ($PSCmdlet.ShouldProcess($pseudoRootManagementGroup, "Delete ALZ-Monitor alert processing rules and action groups on the '$pseudoRootManagementGroup' Management Group hierarchy ..." )) { + # delete alert processing rules + If ($alertProcessingRuleIds.count -gt 0) { + Write-Host "-- Deleting alert processing rules ..." + $alertProcessingRuleIds | Foreach-Object { Remove-AzResource -ResourceId $_ -Force } } - If ($prompt -match '[yY]') { - $force = $true - } - Else { - Write-Host "Exiting script..." - return + + # delete action groups + If ($actionGroupIds.count -gt 0) { + Write-Host "-- Deleting action groups ..." + $actionGroupIds | Foreach-Object { Remove-AzResource -ResourceId $_ -Force } } } - - # delete alert processing rules - Write-Host "Deleting alert processing rule(s)..." - $alertProcessingRuleIds | Foreach-Object { Remove-AzResource -ResourceId $_ -Force:$force -Confirm:(!$force) } - - # delete action groups - Write-Host "Deleting action group(s)..." - $actionGroupIds | Foreach-Object { Remove-AzResource -ResourceId $_ -Force:$force -Confirm:(!$force) } - - Write-Host "Cleanup complete." } -Else { - $resourceToBeDeleted = $alertProcessingRuleIds+$actionGroupIds - return $resourceToBeDeleted -} +Write-Host "=== Script execution completed. ===" diff --git a/patterns/alz/scripts/Start-AMBAPolicyInitiativesAndAssignmentsCleanup.ps1 b/patterns/alz/scripts/Start-AMBAPolicyInitiativesAndAssignmentsCleanup.ps1 index 1920e748e..6e6b1f9ab 100644 --- a/patterns/alz/scripts/Start-AMBAPolicyInitiativesAndAssignmentsCleanup.ps1 +++ b/patterns/alz/scripts/Start-AMBAPolicyInitiativesAndAssignmentsCleanup.ps1 @@ -1,6 +1,17 @@ +# The above copyright notice and this permission notice shall be included in all +# copies or substantial portions of the Software. + +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +# SOFTWARE. + <# .SYNOPSIS - This script cleans up the policy assignments, policy initiatives, policy definitions and policy assignment role assignments previously deployed. + This script cleans up the policy assignments, policy initiatives, policy definitions and policy role assignments previously deployed. .DESCRIPTION .NOTES @@ -11,20 +22,21 @@ The Role Assignments associated with Policy assignment identities and including _deployed_by_amba in the description field will also be deleted. This script leverages the Azure Resource Graph to find object to delete. Note that the Resource Graph lags behind ARM by a couple minutes. + .LINK https://github.com/Azure/azure-monitor-baseline-alerts .EXAMPLE - ./Start-AMBAPolicyInitiativesAndAssignmentsCleanup.ps1 -pseudoManagementGroup Contoso -ReportOnly - # generate a list of the resource IDs which would be deleted by this script + ./Start-AMBAPolicyInitiativesAndAssignmentsCleanup.ps1 -pseudoRootManagementGroup Contoso -WhatIf + # show output of what would happen if deletes executed. .EXAMPLE - ./Start-AMBAPolicyInitiativesAndAssignmentsCleanup.ps1 -pseudoManagementGroup Contoso -WhatIf - # show output of what would happen if deletes executed + ./Start-AMBAPolicyInitiativesAndAssignmentsCleanup.ps1 -pseudoRootManagementGroup Contoso + # execute the script and will ask for confirmation before taking the configured action. .EXAMPLE - ./Start-AMBAPolicyInitiativesAndAssignmentsCleanup.ps1 -pseudoManagementGroup Contoso -Force - # delete all resources deployed by the ALZ-Monitor IaC without prompting for confirmation + ./Start-AMBAPolicyInitiativesAndAssignmentsCleanup.ps1 -pseudoRootManagementGroup Contoso -Confirm:$false + # execute the script without asking for confirmation before taking the configured action. #> [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')] @@ -32,15 +44,7 @@ param( # the pseudo managemnt group to start from [Parameter(Mandatory = $True, ValueFromPipeline = $false)] - [string]$pseudoRootManagementGroup, - # output a list of the resources to be deleted - [Parameter(Mandatory = $False, - ValueFromPipeline = $false)] - [switch]$reportOnly, - # if not specified, delete will prompt for confirmation - [Parameter(Mandatory = $False, - ValueFromPipeline = $false)] - [switch]$force + [string]$pseudoRootManagementGroup ) Function Search-AzGraphRecursive { @@ -132,69 +136,59 @@ foreach ($mg in $allMgs) { Iterate-ManagementGroups $mg } -Write-Host "Found '$($managementGroups.Count)' management groups to query for ALZ-Monitor resources." +Write-Host "Found '$($managementGroups.Count)' management groups(s) (including the parent one) which are part of the '$pseudoRootManagementGroup' management group hierarchy, to be queried for policy assignments, policy initiatives, policy definitions and policy role assignments deployed by AMBA-ALZ." If ($managementGroups.count -eq 0) { - Write-Error "The command 'Get-AzManagementGroups' returned '0' groups. This script needs to run with Owner permissions on the Azure Landing Zones intermediate root management group to effectively clean up Policies and all related resources." + Write-Error "The command 'Get-AzManagementGroups' returned '0' groups. This script needs to run with Owner permissions on the Azure Landing Zones intermediate root management group to effectively query policy assignments, policy initiatives, policy definitions and policy role assignments deployed by AMBA-ALZ." } # get policy assignments to delete $query = "policyresources | where type =~ 'microsoft.authorization/policyAssignments' | project name,metadata=parse_json(properties.metadata),type,identity,id | where metadata._deployed_by_amba =~ 'true'" $policyAssignmentIds = Search-AzGraphRecursive -Query $query -ManagementGroupNames $managementGroups | Select-Object -ExpandProperty Id | Sort-Object | Get-Unique -Write-Host "Found '$($policyAssignmentIds.Count)' policy assignments with metadata '_deployed_by_amba=True' to be deleted." +Write-Host "- Found '$($policyAssignmentIds.Count)' policy assignments with metadata '_deployed_by_amba=True' to be deleted." # get policy set definitions to delete $query = "policyresources | where type =~ 'microsoft.authorization/policysetdefinitions' | project name,metadata=parse_json(properties.metadata),type,id | where metadata._deployed_by_amba =~ 'true' | project id" $policySetDefinitionIds = Search-AzGraphRecursive -Query $query -ManagementGroupNames $managementGroups | Select-Object -ExpandProperty Id | Sort-Object | Get-Unique -Write-Host "Found '$($policySetDefinitionIds.Count)' policy set definitions with metadata '_deployed_by_amba=True' to be deleted." +Write-Host "- Found '$($policySetDefinitionIds.Count)' policy set definitions with metadata '_deployed_by_amba=True' to be deleted." # get policy definitions to delete $query = "policyresources | where type =~ 'microsoft.authorization/policyDefinitions' | project name,metadata=parse_json(properties.metadata),type,id | where metadata._deployed_by_amba =~ 'true' | project id" $policyDefinitionIds = Search-AzGraphRecursive -Query $query -ManagementGroupNames $managementGroups | Select-Object -ExpandProperty Id | Sort-Object | Get-Unique -Write-Host "Found '$($policyDefinitionIds.Count)' policy definitions with metadata '_deployed_by_amba=True' to be deleted." +Write-Host "- Found '$($policyDefinitionIds.Count)' policy definitions with metadata '_deployed_by_amba=True' to be deleted." # get role assignments to delete $query = "authorizationresources | where type =~ 'microsoft.authorization/roleassignments' and properties.description == '_deployed_by_amba' | project roleDefinitionId = properties.roleDefinitionId, objectId = properties.principalId, scope = properties.scope, id" $roleAssignments = Search-AzGraphRecursive -Query $query -ManagementGroupNames $managementGroups | Sort-Object -Property id | Get-Unique -AsString -Write-Host "Found '$($roleAssignments.Count)' role assignments with description '_deployed_by_amba' to be deleted." +Write-Host "- Found '$($roleAssignments.Count)' role assignments with description '_deployed_by_amba' to be deleted." -If (!$reportOnly.IsPresent) { +If (($policyAssignmentIds.count -gt 0) -or ($policySetDefinitionIds.count -gt 0) -or ($policyDefinitionIds.count -gt 0) -or ($roleAssignments.count -gt 0)) { + If ($PSCmdlet.ShouldProcess($pseudoRootManagementGroup, "Delete policy assignments, policy initiatives, policy definitions and policy role assignments deployed by AMBA-ALZ on the '$pseudoRootManagementGroup' Management Group hierarchy ..." )) { - Write-Warning "This script will delete the resources discovered above." + # delete policy assignments + If ($policyAssignmentIds.count -gt 0) { + Write-Host "-- Deleting AMBA-ALZ policy assignments ..." + $policyAssignmentIds | ForEach-Object { Remove-AzPolicyAssignment -Id $_ -Confirm:$false } + } - If (!$force.IsPresent) { - While ($prompt -notmatch '[yYnN]') { - $prompt = Read-Host -Prompt 'Would you like to proceed with the deletion? (y/n)' + # delete policy set definitions + If ($policySetDefinitionIds.count -gt 0) { + Write-Host "-- Deleting AMBA-ALZ policy set definitions ..." + $policySetDefinitionIds | ForEach-Object { Remove-AzPolicySetDefinition -Id $_ -Force } } - If ($prompt -match '[yY]') { - $force = $true + + # delete policy definitions + If ($policyDefinitionIds.count -gt 0) { + Write-Host "-- Deleting AMBA-ALZ policy definitions ..." + $policyDefinitionIds | ForEach-Object { Remove-AzPolicyDefinition -Id $_ -Force} } - Else { - Write-Host "Exiting script..." - return + + # delete role assignments + If ($roleAssignments.count -gt 0) { + Write-Host "-- Deleting AMBA-ALZ role assignments performed on the '$pseudoRootManagementGroup' Management Group hierarchy ..." + $roleAssignments | Select-Object -Property objectId, roleDefinitionId, scope | ForEach-Object { Remove-AzRoleAssignment @psItem -Confirm:$false | Out-Null } } } - - # delete policy assignments - Write-Host "Deleting policy assignments..." - $policyAssignmentIds | ForEach-Object { Remove-AzPolicyAssignment -Id $_ -Confirm:(!$force) -ErrorAction Stop } - - # delete policy set definitions - Write-Host "Deleting policy set definitions..." - $policySetDefinitionIds | ForEach-Object { Remove-AzPolicySetDefinition -Id $_ -Force:$force -Confirm:(!$force) } - - # delete policy definitions - Write-Host "Deleting policy definitions..." - $policyDefinitionIds | ForEach-Object { Remove-AzPolicyDefinition -Id $_ -Force:$force -Confirm:(!$force) } - - # delete role assignments - Write-Host "Deleting role assignments..." - $roleAssignments | Select-Object -Property objectId, roleDefinitionId, scope | ForEach-Object { Remove-AzRoleAssignment @psItem -Confirm:(!$force) | Out-Null } - - Write-Host "Cleanup complete." } -Else { - $resourceToBeDeleted = $policyAssignmentIds + $policySetDefinitionIds + $policyDefinitionIds + $roleAssignments.Id - return $resourceToBeDeleted -} +Write-Host "=== Script execution completed. ===" diff --git a/services/HybridCompute/machines/Deploy-Hybrid-VM-Disconnected-Alert.json b/services/HybridCompute/machines/Deploy-Hybrid-VM-Disconnected-Alert.json index 2ddfed84e..0541884de 100644 --- a/services/HybridCompute/machines/Deploy-Hybrid-VM-Disconnected-Alert.json +++ b/services/HybridCompute/machines/Deploy-Hybrid-VM-Disconnected-Alert.json @@ -8,7 +8,7 @@ "displayName": "Deploy Hybrid VM Disconnected Alert", "description": "Policy to Deploy Hybrid VM Disconnected Alert", "metadata": { - "version": "1.2.0", + "version": "1.3.0", "category": "Hybrid Compute", "source": "https://github.com/Azure/azure-monitor-baseline-alerts/", "alzCloudEnvironments": [ @@ -439,7 +439,7 @@ } ] }, - "autoMitigate": "false", + "autoMitigate": "[[parameters('autoMitigate')]", "parameters": { "alertResourceGroupName": { "value": "[[parameters('alertResourceGroupName')]"