Create Auxiliary Table equivalents to ASIM and Common Log Sentinel Tables

asimAuxiliaryTables.bicep

param workspaceName string
param logRetentionDays int = 90
param tableNames array = [
  'ASimNetworkSessionLogs'
  'ASimAuthenticationEventLogs'
  'ASimWebSessionLogs'
  'ASimAuditEventLogs'
  'ASimDhcpEventLogs'
  'ASimDnsActivityLogs'
  'ASimFileEventLogs'
  'Syslog'
  'CommonSecurityLog'
]
@allowed(['Basic', 'Auxiliary'])
param plan string = 'Auxiliary'

param reservedColumnNames array = [
  '_ResourceId'
  'id'
  '_ResourceId'
  '_SubscriptionId'
  'TenantId'
  'Type'
  'UniqueId'
  'Title'
  'MG'
]

resource workspace 'Microsoft.OperationalInsights/workspaces@2023-09-01' existing = {
  name: workspaceName
}
resource tables 'Microsoft.OperationalInsights/workspaces/tables@2022-10-01' existing = [for tableName in tableNames: {
  parent: workspace
  name: tableName
}]

resource auxTables 'Microsoft.OperationalInsights/workspaces/tables@2023-01-01-preview' = [for (tableName, i) in tableNames: {
  parent: workspace
  name: '${tables[i].name}_Aux_CL'

  properties: {
    schema: union(
      tables[i].properties.schema,
      {
        name: '${tables[i].properties.schema.name}_Aux_CL'
        displayName: null
      }
    )
    plan: plan
    totalRetentionInDays: logRetentionDays
  }
}]

// Has to be done as a separate module because we want to toObject a for loop
module dcr 'asimDCR.bicep' = {
  name: '${deployment().name}-dcr'
  params: {
    dcrName: '${deployment().name}-dcr'
    location: workspace.location
    workspaceName: workspaceName
    tableInfo: [for (table, i) in tableNames: { //Ideally would be a var but can't because of dependent reference
      name: auxTables[i].name
      columns: string(
        filter(
          filter(
            map(
              union(auxTables[i].properties.schema.columns, tables[i].properties.schema.standardColumns),
              c => {
                name: c.name
                type: c.type
              }
            ),
            c => !contains(reservedColumnNames, c.name)
          ),
        c => c.type != 'Guid')
      )
    }]
  }
}

output dcrRuleId string = dcr.outputs.dcrRuleId
output dcrLogIngestionEndpoint string = dcr.outputs.dcrLogIngestionEndpoint
output streamNames array = dcr.outputs.streamNames

asimDCR.bicep

param dcrName string
param location string = resourceGroup().location
param workspaceName string
param tableInfo array

var workspaceReference = 'workspace'

resource workspace 'Microsoft.OperationalInsights/workspaces@2023-09-01' existing = {
  name: workspaceName
}

resource dcr 'Microsoft.Insights/dataCollectionRules@2023-03-11' = {
  name: dcrName
  location: location
  kind: 'Direct'
  properties: {
    description: 'Log Analytics Ingestion Point for Auxiliary Tables'
    destinations: {
      logAnalytics: [
        {
          name: workspaceReference
          workspaceResourceId: workspace.id
        }
      ]
    }
    streamDeclarations: toObject(
      tableInfo,
      k=>'Custom-${k.name}',
      v=>{columns: map(
        json(v.columns),
        c => {
          name: c.name
          // Guid is not a valid stream type even though it's a valid table type
          type: replace(c.type, 'guid', 'string')
        }
      )}
    )
    dataFlows: [for table in tableInfo: {
      streams: ['Custom-${table.name}']
      destinations: [workspaceReference]
      outputStream: 'Custom-${table.name}'
    }]
  }
}

output dcrRuleId string = dcr.properties.immutableId
output dcrLogIngestionEndpoint string = dcr.properties.endpoints.logsIngestion
output streamNames array = objectKeys(dcr.properties.streamDeclarations)