I would like to alter my ARM template so that the Key Vault's diagnostic settings use both a storage account and an OMS workspace.
At the moment I can get it working with just the storage account, but when I also provide an OMS workspace, the deployment fails with a very unhelpful error:
ERROR: At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-debug for usage details. {
"code": null,
"message": null
} Correlation ID: 26a5b601-ef98-415a-9963-e2b872f035b7
The deployment works fine if I remove the workspaceId value, and I have double-checked that I am passing a valid value for the workspace name - I have a blank OMS workspace set up. This is the template:
{
"$schema":"http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion":"1.0.0.0",
"parameters":{
"keyVaultName":{
"type":"string",
"minLength":1,
"metadata":{
"description":"Name of the Key Vault"
}
},
"accessPolicies":{
"type":"array",
"defaultValue":"{}",
"metadata":{
"description":"Access policies object"
}
},
"logsRetentionInDays":{
"type":"int",
"defaultValue":0,
"minValue":0,
"maxValue":365,
"metadata":{
"description":"Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely."
}
},
"enableVaultForDeployment":{
"type":"bool",
"defaultValue":false,
"allowedValues":[
true,
false
],
"metadata":{
"description":"Specifies if the vault is enabled for deployment by script or compute"
}
},
"enableVaultForTemplateDeployment":{
"type":"bool",
"defaultValue":false,
"allowedValues":[
true,
false
],
"metadata":{
"description":"Specifies if the vault is enabled for a template deployment"
}
},
"enableVaultForDiskEncryption":{
"type":"bool",
"defaultValue":false,
"allowedValues":[
true,
false
],
"metadata":{
"description":"Specifies if the azure platform has access to the vault for enabling disk encryption scenarios."
}
},
"vaultSku":{
"type":"string",
"defaultValue":"Premium",
"allowedValues":[
"Premium"
],
"metadata":{
"description":"Specifies the SKU for the vault"
}
},
"diagnosticStorageAccountPrefix":{
"type":"string",
"minLength":1,
"metadata":{
"description":"Prefix for the diagnostic storage account"
}
},
"omsWorkspaceName":{
"type":"string",
"minLength":1,
"metadata":{
"description":"Name of the OMS workspace used for diagnostic log integration."
}
}
},
"variables":{
"uniqueString":"[uniqueString(subscription().id, resourceGroup().id)]",
"diagnosticStorageAccountName":"[toLower(substring(replace(concat(parameters('diagnosticStorageAccountPrefix'), variables('uniqueString'), variables('uniqueString')), '-', ''), 0, 23) )]"
},
"resources":[
{
"type":"Microsoft.Storage/storageAccounts",
"name":"[variables('diagnosticStorageAccountName')]",
"apiVersion":"2016-12-01",
"location":"[resourceGroup().location]",
"sku":{
"name":"Standard_LRS"
},
"kind":"Storage",
"tags":{
"displayName":"Key Vault Diagnostic Storage Account')"
},
"properties": {
"encryption": {
"keySource":"Microsoft.Storage",
"services": {
"blob": {
"enabled":true
}
}
}
}
},
{
"type":"Microsoft.KeyVault/vaults",
"name":"[parameters('keyVaultName')]",
"apiVersion":"2016-10-01",
"location":"[resourceGroup().location]",
"tags":{
"displayName":"Key Vault"
},
"properties":{
"enabledForDeployment":"[parameters('enableVaultForDeployment')]",
"enabledForTemplateDeployment":"[parameters('enableVaultForTemplateDeployment')]",
"enabledForDiskEncryption":"[parameters('enableVaultForDiskEncryption')]",
"tenantId":"[subscription().tenantId]",
"accessPolicies":"[parameters('AccessPolicies')]",
"sku":{
"name":"[parameters('vaultSku')]",
"family":"A"
}
},
"resources":[
{
"type":"Microsoft.KeyVault/vaults/providers/diagnosticsettings",
"name":"[concat(parameters('keyVaultName'), '/Microsoft.Insights/service')]",
"apiVersion":"2016-09-01",
"location":"[resourceGroup().location]",
"dependsOn":[
"[concat('Microsoft.KeyVault/vaults/', parameters('keyVaultName'))]",
"[concat('Microsoft.Storage/storageAccounts/', variables('diagnosticStorageAccountName'))]"
],
"properties":{
"storageAccountId":"[resourceId('Microsoft.Storage/storageAccounts', variables('diagnosticStorageAccountName'))]",
"workspaceId":"[resourceId('Microsoft.OperationalInsights/workspaces', parameters('omsWorkspaceName'))]",
"logs":[
{
"category":"AuditEvent",
"enabled":true,
"retentionPolicy":{
"enabled":true,
"days":"[parameters('LogsRetentionInDays')]"
}
}
]
}
}
]
},
{
"type":"Microsoft.KeyVault/vaults/providers/locks",
"apiVersion":"2016-09-01",
"name":"[concat(parameters('keyVaultName'), '/Microsoft.Authorization/keyVaultDoNotDelete')]",
"dependsOn":[
"[concat('Microsoft.KeyVault/vaults/', parameters('keyVaultName'))]"
],
"comments":"Resource lock on key vault",
"properties":{
"level":"CannotDelete"
}
},
{
"type":"Microsoft.Storage/storageAccounts/providers/locks",
"apiVersion":"2016-09-01",
"name":"[concat(variables('diagnosticStorageAccountName'), '/Microsoft.Authorization/storageDoNotDelete')]",
"dependsOn":[
"[concat('Microsoft.Storage/storageAccounts/', variables('diagnosticStorageAccountName'))]"
],
"comments":"Resource lock on key vault diagnostic storage account",
"properties":{
"level":"CannotDelete"
}
}
],
"outputs":{
}
}