Azure policy to deny adding a second diagnostic setting to any resource if the first diagnostic setting already exists


I tried the code below, but it doesn't seem to have any resource details and it doesn't work.

{
    "mode": "All",
    "policyRule": {
        "if": {
            "field": "type",
            "equals": "Microsoft.Insights/diagnosticSettings"
        },
        "then": {
            "effect": "deny"
        }
    },
    "parameters": {}
}
Jahnavi

Azure policy to deny adding a second diagnostic setting to any resource if the first diagnostic setting already exists:

The Azure policy is as follows: I found out how to avoid the addition of two or more diagnostic settings. If at least one diagnostic parameter is already enabled and set to "true," the policy allows it.

If a resource has several diagnostic settings with enabled set to "true," the policy forbids it.

{
  "mode": "All",
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Insights/diagnosticSettings"
        },
        {
          "count": {
            "field": "Microsoft.Insights/diagnosticSettings/logs[*]",
            "where": {
              "allOf": [
                {
                  "field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
                  "equals": "true"
                }
              ]
            }
          },
          "greater": 1
        }
      ]
    },
    "then": {
      "effect": "deny"
    }
  },
  "parameters": {}
}

Created successfully:


Azure Policy COUNT operator.
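An added example, not part of the question or the answer: a small Python evaluator that applies the answer's policyRule (allOf, count/where, greater) to constructed Microsoft.Insights/diagnosticSettings resources. It shows that the count walks the logs[*] array of the single diagnosticSettings resource under evaluation, so one setting with two enabled log categories is denied while two separate settings with one enabled category each both pass. The ALIASES table and the evaluate/effect_for functions are assumptions of this harness, not the Azure Policy engine.

```python
"""Constructed mini-evaluator for the posted policy rule (not Azure's engine)."""

# The answer's policyRule, embedded so the harness runs offline.
POLICY_RULE = {"if": {"allOf": [
    {"field": "type", "equals": "Microsoft.Insights/diagnosticSettings"},
    {"count": {"field": "Microsoft.Insights/diagnosticSettings/logs[*]",
               "where": {"allOf": [
                   {"field": "Microsoft.Insights/diagnosticSettings/logs[*].enabled",
                    "equals": "true"}]}},
     "greater": 1}]},
    "then": {"effect": "deny"}}

# Assumed alias -> JSON path mapping; only the aliases this policy references.
ALIASES = {
    "type": ["type"],
    "Microsoft.Insights/diagnosticSettings/logs[*]": ["properties", "logs"],
}

def resolve(resource, alias):
    """Walk one resource document along an alias path; missing keys give None."""
    node = resource
    for key in ALIASES.get(alias, [alias]):
        node = node.get(key) if isinstance(node, dict) else None
    return node

def evaluate(condition, resource, element=None):
    """True when the condition matches; supports allOf, equals, count/where/greater."""
    if "allOf" in condition:
        return all(evaluate(c, resource, element) for c in condition["allOf"])
    if "count" in condition:
        spec = condition["count"]
        members = resolve(resource, spec["field"]) or []   # array of this resource
        matched = [m for m in members if evaluate(spec["where"], resource, m)]
        return len(matched) > condition["greater"]
    field = condition["field"]
    # Inside a count/where, the [*].enabled alias refers to the current array element.
    if element is not None and field.endswith("[*].enabled"):
        value = element.get("enabled")
    else:
        value = resolve(resource, field)
    return str(value).lower() == str(condition["equals"]).lower()

def effect_for(resource):
    """Effect the rule would produce for a single resource request."""
    return "deny" if evaluate(POLICY_RULE["if"], resource) else "allow"

def sample_setting(name, categories):
    """Constructed diagnosticSettings resource: categories is [(category, enabled)]."""
    return {"type": "Microsoft.Insights/diagnosticSettings", "name": name,
            "properties": {"logs": [{"category": c, "enabled": e} for c, e in categories]}}
```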