
How to ensure the diagnostic settings for storage accounts Azure policy is permanently enforced?


In the course of an observability initiative I want to ensure all Azure Storage accounts always log into one specific Analytics Workspace.

I have tried to achieve this with assigning an Azure Policy ("Configure diagnostic settings for storage accounts to Log Analytics workspace") and creating a remediation task. This led to consistent "diagnostic settings" over the entire subscription and all storage accounts logging into the same workspace as desired.

I have used Terraform for assigning the policy and creating the remediation task. This is all similar to the solution described here: Enable diagnostic settings for Storage account using Azure Policy Definition

Unfortunately, manual changes to the diagnostic settings after the initial creation are neither prevented nor remediated, although they are detected and raised as issues in the "compliance" tab.

How can I ensure the "Configure diagnostic settings for storage accounts to Log Analytics workspace" policy is permanently enforced?


Solution

  • I tried the same in my environment but it seems complicated or not possible. AFAIK, and also as mentioned in this GitHub issue, it is not possible to remediate the existing resources automatically. For diagnostic settings, as it has the deployIfNotExists effect, only the new resources get automatically remediated and existing resources have to be remediated manually or by PowerShell or CLI script.

    So to automate the remediation, you can run scheduled scripts using task schedulers or cron jobs, or use Azure Automation scheduled tasks.
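As an added example (not code from the question or the answer), this is what the scheduled remediation the answer suggests could look like as an Azure Automation PowerShell runbook using Az.PolicyInsights: it re-evaluates compliance so manually edited diagnostic settings are picked up again, then creates a fresh remediation for the assignment. The subscription ID and policy assignment ID are placeholders, and the runbook is assumed to run under a managed identity that is allowed to create remediations and perform the deployIfNotExists deployment.

```powershell
# Runbook: re-run remediation for the storage-account diagnostic settings policy.
# Schedule it in Azure Automation (for example hourly) so drift is undone automatically.
param(
    # Placeholders: replace with your own subscription and the assignment's resource ID
    # (e.g. from: Get-AzPolicyAssignment -Scope "/subscriptions/<id>").
    [string]$SubscriptionId     = "<your-subscription-id>",
    [string]$PolicyAssignmentId = "/subscriptions/<your-subscription-id>/providers/Microsoft.Authorization/policyAssignments/<assignment-name>"
)

# Authenticate as the Automation account's managed identity; no stored credentials.
Connect-AzAccount -Identity | Out-Null
Set-AzContext -SubscriptionId $SubscriptionId | Out-Null

$scope = "/subscriptions/$SubscriptionId"
$remediationName = "storage-diag-" + (Get-Date -Format "yyyyMMdd-HHmm")

# ReEvaluateCompliance forces a new compliance scan before remediating, so a
# diagnostic setting that was changed by hand after the last scan is included.
# (ExistingNonCompliant would only act on what the last scan already flagged.)
$remediation = Start-AzPolicyRemediation `
    -Name $remediationName `
    -Scope $scope `
    -PolicyAssignmentId $PolicyAssignmentId `
    -ResourceDiscoveryMode ReEvaluateCompliance

# Poll until the remediation leaves its in-progress states, then report the outcome
# so the job output shows whether any deployIfNotExists deployments failed.
do {
    Start-Sleep -Seconds 60
    $remediation = Get-AzPolicyRemediation -Name $remediationName -Scope $scope
} while ($remediation.ProvisioningState -in @("Accepted", "Evaluating", "Running"))

$summary = $remediation.DeploymentSummary
Write-Output "Remediation '$remediationName' finished with state: $($remediation.ProvisioningState)"
Write-Output "Deployments: $($summary.SuccessfulDeployments) succeeded, $($summary.FailedDeployments) failed, $($summary.TotalDeployments) total"

if ($remediation.ProvisioningState -ne "Succeeded" -or $summary.FailedDeployments -gt 0) {
    # Non-zero exit marks the Automation job as failed so it shows up in job alerts.
    throw "Remediation did not fully succeed; inspect the remediation deployments in the portal."
}
```

The re-evaluation step can take a while on a large subscription, so keep the schedule interval longer than a typical run.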