1. Integrating Activity Log Alerts with Azure Functions for custom processing

    To integrate Azure Activity Log Alerts with Azure Functions for custom processing, you need to set up two primary components:

    1. Azure Function App: This will host the actual Azure Function that you'll write to process the incoming events. You can write functions in various languages, but we'll use TypeScript for this example.

    2. Azure Monitor Activity Log Alert: The alert configuration in Azure Monitor, which will monitor for specific events in your activity logs. When an event matching your criteria occurs, Azure Monitor will automatically trigger the associated Azure Function for processing.

    Here are the high-level steps that we'll follow in the Pulumi TypeScript program:

    • Create an Azure Function App, where the function code will reside.
    • Define the application settings and configuration required by the Function App.
    • Create an Azure Monitor Activity Log Alert with a condition to monitor specific events in your activity logs.
    • Set up an Action Group that will trigger the Azure Function when an alert is fired.

    Below is a Pulumi program written in TypeScript that sets up these components. Please ensure you've installed the necessary Pulumi packages for Azure and have configured your Pulumi CLI with the appropriate Azure credentials.

    ```typescript
    import * as pulumi from "@pulumi/pulumi";
    import * as azure from "@pulumi/azure";
    import * as azure_native from "@pulumi/azure-native";

    // Create an Azure Resource Group
    const resourceGroup = new azure.core.ResourceGroup("my-resource-group");

    // Create the Azure Function App
    const storageAccount = new azure.storage.Account("mystorageaccount", {
        resourceGroupName: resourceGroup.name,
        accountTier: "Standard",
        accountReplicationType: "LRS",
    });

    const appServicePlan = new azure.appservice.Plan("my-app-service-plan", {
        resourceGroupName: resourceGroup.name,
        kind: "FunctionApp",
        sku: {
            tier: "Dynamic",
            size: "Y1",
        },
    });

    const functionApp = new azure.appservice.FunctionApp("my-function-app", {
        resourceGroupName: resourceGroup.name,
        appServicePlanId: appServicePlan.id,
        // Storage credentials used by the Functions runtime
        // (these replace the deprecated storageConnectionString argument)
        storageAccountName: storageAccount.name,
        storageAccountAccessKey: storageAccount.primaryAccessKey,
        version: "~3", // Runtime version (e.g., ~3 denotes version 3.x)
        appSettings: {
            // Add any additional settings your function might need here
        },
    });

    // Define Activity Log Alert criteria
    const activityLogAlert = new azure_native.insights.ActivityLogAlert("myActivityLogAlert", {
        resourceGroupName: resourceGroup.name,
        location: "Global", // Activity Log Alerts are a global resource
        scopes: [resourceGroup.id],
        condition: {
            allOf: [
                {
                    field: "category",
                    equals: "Administrative", // You can filter for other categories as needed
                },
                {
                    field: "operationName",
                    equals: "Microsoft.Resources/deployments/write", // An example operation
                },
            ],
        },
        actions: {
            actionGroups: [
                {
                    // Set appropriate values for the actionGroupId
                    actionGroupId: "/subscriptions/{subscriptionId}/resourceGroups/{rg}/providers/microsoft.insights/actionGroups/{actionGroupName}",
                },
            ],
        },
        enabled: true,
    });

    // Output the Function App name and its default hostname
    export const functionName = functionApp.name;
    export const functionDefaultHostname = functionApp.defaultHostname;
    ```

    This program sets up the required infrastructure for responding to Activity Log Alerts with Azure Functions:

    • The azure.core.ResourceGroup creates a new Azure Resource Group for organizing resources.
    • The azure.storage.Account creates a storage account needed by the Function App to maintain state.
    • The azure.appservice.Plan creates a consumption plan for our Azure Functions, which is a cost-effective way to run functions without provisioning Virtual Machines.
    • The azure.appservice.FunctionApp defines the Azure Function App itself.
    • The azure_native.insights.ActivityLogAlert resource creates an Activity Log Alert with a condition to filter for specific events in the activity log. When the condition is met, the alert is fired.
    • We've used placeholders for the actionGroupId, which should be replaced with the actual resource ID of your Azure Action Group configured to trigger the Azure Function.
    • Finally, we export the function name and its default hostname, which can be used to call the function once it’s deployed.

    Remember to replace placeholders and set the appSettings to your function's requirements. Also, configure your Azure Action Group correctly to point to the Function App for trigger actions.

    The Azure Function code that processes Activity Log events needs to be developed and deployed separately. This Pulumi program focuses on setting up the necessary infrastructure to support that function.
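
The function itself is outside the scope of the program above, but because an Action Group reaches it over an HTTP trigger, it should validate each request body before acting on it. The following is an added example, not part of the original program: it assumes the Action Group's Azure Function receiver has the common alert schema enabled, and `SCOPE`, `SAMPLE`, and the helper names are constructed for illustration.

```typescript
// Added example, not part of the original program. Field names follow the Azure
// Monitor common alert schema; SCOPE and SAMPLE below are constructed placeholders.
interface ActivityLogEvent {
  alertRule: string; operationName: string; caller: string; status: string; targets: string[];
}

function rec(v: unknown): Record<string, unknown> {
  return typeof v === "object" && v !== null && !Array.isArray(v) ? (v as Record<string, unknown>) : {};
}

function str(v: unknown, name: string): string {
  if (typeof v !== "string" || v.length === 0) throw new Error(`bad field: ${name}`);
  return v;
}

// Throws on anything unexpected so the HTTP handler can answer 400 and take no action.
function parseActivityLogAlert(body: unknown, expectedScope: string): ActivityLogEvent {
  const root = rec(body);
  if (root["schemaId"] !== "azureMonitorCommonAlertSchema") throw new Error("not a common alert schema payload");
  const data = rec(root["data"]);
  const ess = rec(data["essentials"]);
  const ctx = rec(data["alertContext"]);
  if (ess["signalType"] !== "Activity Log") throw new Error("unexpected signal type");
  const raw = ess["alertTargetIDs"];
  const ids: unknown[] = Array.isArray(raw) ? raw : [];
  const targets = ids.map((t, i) => str(t, `alertTargetIDs[${i}]`));
  // ARM resource IDs are case-insensitive; every target must sit inside the watched scope.
  const scope = expectedScope.toLowerCase() + "/";
  if (targets.length === 0 || !targets.every((t) => (t.toLowerCase() + "/").startsWith(scope))) {
    throw new Error("alert target outside expected scope");
  }
  return {
    alertRule: str(ess["alertRule"], "alertRule"), operationName: str(ctx["operationName"], "operationName"),
    caller: str(ctx["caller"], "caller"), status: str(ctx["status"], "status"), targets,
  };
}

const SCOPE = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-resource-group";
const SAMPLE = {
  schemaId: "azureMonitorCommonAlertSchema",
  data: {
    essentials: { alertRule: "myActivityLogAlert", signalType: "Activity Log",
      alertTargetIDs: [SCOPE.toLowerCase() + "/providers/microsoft.resources/deployments/demo"] },
    alertContext: { operationName: "Microsoft.Resources/deployments/write",
      caller: "user@example.com", status: "Succeeded" },
  },
};
console.log(parseActivityLogAlert(SAMPLE, SCOPE));
```

In a deployed function, `expectedScope` would be the resource ID passed to the alert's `scopes`, supplied through `appSettings` rather than hard-coded.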