🧠 Azure Diagnostic Setting for Azure Key Vault is not enabled - prod.logic.yaml🟢

Contextual name: 🧠 prod.logic.yaml🟢
ID: /ce/ca/azure/monitor/diagnostic-setting-for-azure-key-vault/prod.logic.yaml
Tags:
- 🟢 Logic test success
- 🟢 Logic with extracts
- 🟢 Logic with test data

Uses

📗 Azure Key Vault
🔌 Azure Diagnostic Setting - object.extracts.yaml
🧪 test-data.json

Test Results 🟢

Generated at: 2026-05-02T12:04:56.813057554Z Open

Result	Id	Condition Index	Condition Text	Runtime Error
🟢	kv-001	✔️ `199`	✔️ `CA10__resource__r.CA10__Azure_Diagnostic_Settings__r.has(COMPLIANT)`	✔️ `null`
🟢	kv-002	✔️ `199`	✔️ `CA10__resource__r.CA10__Azure_Diagnostic_Settings__r.has(COMPLIANT)`	✔️ `null`
🟢	kv-003	✔️ `200`	✔️ `otherwise`	✔️ `null`
🟢	kv-004	✔️ `200`	✔️ `otherwise`	✔️ `null`
🟢	kv-005	✔️ `200`	✔️ `otherwise`	✔️ `null`

Generation Bundle

	File	MD5
Open	`/ce/ca/azure/monitor/diagnostic-setting-for-azure-key-vault/policy.yaml`	`F90784BBD162DCC62707A3B189BCDA08`
Open	`/ce/ca/azure/monitor/diagnostic-setting-for-azure-key-vault/prod.logic.yaml`	`DF71D3FBCEC2DF921ACA5A17E1C999E3`
Open	`/ce/ca/azure/monitor/diagnostic-setting-for-azure-key-vault/test-data.json`	`EDA4B9EF8E3FBE2E393CE4EFA232D776`
Open	`/types/CA10__CaAzureDiagnosticSetting__c/object.extracts.yaml`	`4AADFEBE59E43127A2529B2F0DB31297`

Available Commands

repo-manager policies generate FULL /ce/ca/azure/monitor/diagnostic-setting-for-azure-key-vault/prod.logic.yaml
repo-manager policies generate DEBUG /ce/ca/azure/monitor/diagnostic-setting-for-azure-key-vault/prod.logic.yaml
repo-manager policies generate CAPTURE_TEST_DATA /ce/ca/azure/monitor/diagnostic-setting-for-azure-key-vault/prod.logic.yaml
repo-manager policies generate TESTS /ce/ca/azure/monitor/diagnostic-setting-for-azure-key-vault/prod.logic.yaml
# Execute tests
repo-manager policies test /ce/ca/azure/monitor/diagnostic-setting-for-azure-key-vault/prod.logic.yaml

Content

Open File

---
inputType: "CA10__CaAzureKeyVault__c"
testData:
  - file: "test-data.json"
conditions:
  - status: "COMPLIANT"
    currentStateMessage: "Key Vault diagnostic logging is enabled and sent to a destination."
    check:
      RELATED_LIST_HAS:
        status: "COMPLIANT"
        relationshipName: "CA10__resource__r.CA10__Azure_Diagnostic_Settings__r"
otherwise:
  status: "INCOMPLIANT"
  currentStateMessage: "Key Vault diagnostic logging is not enabled and sent to a destination."
  remediationMessage: "Enable Key Vault diagnostic logging and configure a log destination."
relatedLists:
  - relationshipName: "CA10__resource__r.CA10__Azure_Diagnostic_Settings__r"
    importExtracts:
      - file: "/types/CA10__CaAzureDiagnosticSetting__c/object.extracts.yaml"
    conditions:
      - status: "INCOMPLIANT"
        currentStateMessage: "Key Vault diagnostic logging is not enabled for the required log categories."
        remediationMessage: "Enable the audit and allLogs category groups, or the legacy AuditEvent category."
        check:
          NOT:
            arg:
              OR:
                args:
                  - JSON_QUERY_BOOLEAN:
                      arg:
                        EXTRACT: "caJsonFrom__logsJson__c"
                      expression: "contains([? category == `AuditEvent`].enabled, `true`)"
                      undeterminedIf:
                        evaluationError: "The JSON query has failed."
                        resultTypeMismatch: "The JSON query did not return boolean type."
                  - AND:
                      args:
                        - JSON_QUERY_BOOLEAN:
                            arg:
                              EXTRACT: "caJsonFrom__logsJson__c"
                            expression: "contains([? categoryGroup == `audit`].enabled, `true`)"
                            undeterminedIf:
                              evaluationError: "The JSON query has failed."
                              resultTypeMismatch: "The JSON query did not return boolean type."
                        - JSON_QUERY_BOOLEAN:
                            arg:
                              EXTRACT: "caJsonFrom__logsJson__c"
                            expression: "contains([? categoryGroup == `allLogs`].enabled, `true`)"
                            undeterminedIf:
                              evaluationError: "The JSON query has failed."
                              resultTypeMismatch: "The JSON query did not return boolean type."
      - status: "INCOMPLIANT"
        currentStateMessage: "Key Vault diagnostic logging does not have a log destination."
        remediationMessage: "Configure a Log Analytics workspace, storage account, or event hub destination."
        check:
          AND:
            args:
              - IS_EMPTY:
                  arg:
                    EXTRACT: "CA10__workspaceId__c"
              - IS_EMPTY:
                  arg:
                    EXTRACT: "CA10__storageAccountId__c"
              - IS_EMPTY:
                  arg:
                    EXTRACT: "CA10__eventHubAuthorizationRuleId__c"
    otherwise:
      status: "COMPLIANT"
      currentStateMessage: "This Key Vault diagnostic setting enables the required logs and has a configured destination."

Uses​

Test Results 🟢​

Generation Bundle​

Available Commands​

Content​

Uses

Test Results 🟢

Generation Bundle

Available Commands

Content