Merge pull request #10 from clouddrove/identos-154-n

Featured diagnostic settings for the resource
clouddrove · Mar 13, 2023 · 3e76c79 · 3e76c79
2 parents 7ecbd5d + 9d6f98c
commit 3e76c79
Show file tree

Hide file tree

Showing 4 changed files with 170 additions and 10 deletions.
diff --git a/_example/default_storage/example.tf b/_example/default_storage/example.tf
@@ -8,11 +8,26 @@ module "resource_group" {
   source = "clouddrove/resource-group/azure"
 
   label_order = ["name", "environment", ]
-  name        = "appeee"
+  name        = "appe"
   environment = "test"
   location    = "North Europe"
 }
 
+module "log-analytics" {
+  source                           = "clouddrove/log-analytics/azure"
+  version                          = "1.0.0"
+  name                             = "app"
+  environment                      = "test"
+  label_order                      = ["name", "environment"]
+  create_log_analytics_workspace   = true
+  log_analytics_workspace_sku      = "PerGB2018"
+  daily_quota_gb                   = "-1"
+  internet_ingestion_enabled       = true
+  internet_query_enabled           = true
+  resource_group_name              = module.resource_group.resource_group_name
+  log_analytics_workspace_location = module.resource_group.resource_group_location
+}
+
 
 ##    Storage Account
 module "storage" {
@@ -39,7 +54,7 @@ module "storage" {
 
 
   ##   Storage Account Threat Protection
-  enable_advanced_threat_protection = true
+  enable_advanced_threat_protection = false
 
   ##   Storage Container
   containers_list = [
@@ -66,10 +81,19 @@ module "storage" {
       snapshot_delete_after_days = 30
     }
   ]
-  
+
   #enable private endpoint
   # enabled_private_endpoint = true
   # subnet_id = ""
   # virtual_network_id = ""
-
+
+  enable_diagnostic          = true
+  log_analytics_workspace_id = module.log-analytics.workspace_id
+  metrics                    = ["Transaction", "Capacity"]
+  metrics_enabled            = [true, true]
+
+  datastorages = ["blob", "queue", "table", "file"]
+  logs         = ["StorageWrite", "StorageRead", "StorageDelete"]
+  logs_enabled = [true, true]
+
 }
diff --git a/_example/storage_with_cmk/example.tf b/_example/storage_with_cmk/example.tf
@@ -128,4 +128,13 @@ module "storage" {
   #  enabled_private_endpoint = true
   #  subnet_id = ""
   #  virtual_network_id = ""
+
+  enable_diagnostic          = true
+  log_analytics_workspace_id = module.log-analytics.workspace_id
+  metrics                    = ["Transaction", "Capacity"]
+  metrics_enabled            = [true, false]
+
+  datastorages = ["blob", "queue", "table", "file"]
+  logs         = ["StorageWrite", "StorageRead", "StorageDelete"]
+  logs_enabled = [true, true]
 }
diff --git a/main.tf b/main.tf
@@ -233,21 +233,21 @@ resource "azurerm_private_endpoint" "pep" {
 }
 
 locals {
-  resource_group_name = var.resource_group_name
-  location            = var.location
-  valid_rg_name = var.existing_private_dns_zone == null ? local.resource_group_name : var.existing_private_dns_zone_resource_group_name
+  resource_group_name   = var.resource_group_name
+  location              = var.location
+  valid_rg_name         = var.existing_private_dns_zone == null ? local.resource_group_name : var.existing_private_dns_zone_resource_group_name
   private_dns_zone_name = var.existing_private_dns_zone == null ? join("", azurerm_private_dns_zone.dnszone.*.name) : var.existing_private_dns_zone
 }
 
 data "azurerm_private_endpoint_connection" "private-ip-0" {
-  count               = var.enabled && var.enable_private_endpoint  && var.cmk_encryption_enabled ? 1 : 0
+  count               = var.enabled && var.enable_private_endpoint && var.cmk_encryption_enabled ? 1 : 0
   name                = join("", azurerm_private_endpoint.pep.*.name)
   resource_group_name = local.resource_group_name
   depends_on          = [azurerm_storage_account.storage]
 }
 
 data "azurerm_private_endpoint_connection" "private-ip-1" {
-  count               = var.enabled && var.enable_private_endpoint  && var.default_enabled ? 1 : 0
+  count               = var.enabled && var.enable_private_endpoint && var.default_enabled ? 1 : 0
   name                = join("", azurerm_private_endpoint.pep.*.name)
   resource_group_name = local.resource_group_name
   depends_on          = [azurerm_storage_account.default_storage]
@@ -280,7 +280,7 @@ resource "azurerm_private_dns_zone_virtual_network_link" "addon_vent_link" {
 
 resource "azurerm_private_dns_a_record" "arecord" {
   count               = var.enabled && var.enable_private_endpoint ? 1 : 0
-  name                = var.cmk_encryption_enabled ? join("", azurerm_storage_account.storage.*.name) : join("", azurerm_storage_account.default_storage.*.name) 
+  name                = var.cmk_encryption_enabled ? join("", azurerm_storage_account.storage.*.name) : join("", azurerm_storage_account.default_storage.*.name)
   zone_name           = local.private_dns_zone_name
   resource_group_name = local.valid_rg_name
   ttl                 = 3600
@@ -291,4 +291,62 @@ resource "azurerm_private_dns_a_record" "arecord" {
       tags,
     ]
   }
+}
+
+resource "azurerm_monitor_diagnostic_setting" "storage" {
+  count                          = var.enable_diagnostic ? 1 : 0
+  name                           = format("storage-diagnostic-log")
+  target_resource_id             = var.default_enabled ? azurerm_storage_account.default_storage[0].id : azurerm_storage_account.storage[0].id # "${azurerm_storage_account.default_storage[0].id}/blobServices/default/" : "${azurerm_storage_account.storage[0].id}/blobServices/default/" # "${azurerm_storage_account.core.id}/blobServices/default/"
+  storage_account_id             = var.storage_account_id
+  eventhub_name                  = var.eventhub_name
+  eventhub_authorization_rule_id = var.eventhub_authorization_rule_id
+  log_analytics_workspace_id     = var.log_analytics_workspace_id
+
+  dynamic "metric" {
+    for_each = var.metrics
+    content {
+      category = metric.value
+      enabled  = var.metrics_enabled[count.index]
+      retention_policy {
+        days    = var.days
+        enabled = var.retention_policy_enabled
+      }
+    }
+  }
+
+}
+
+resource "azurerm_monitor_diagnostic_setting" "datastorage" {
+  count                          = length(var.datastorages)
+  name                           = format("%s-diagnostic-log", var.datastorages[count.index])
+  target_resource_id             = var.default_enabled ? "${azurerm_storage_account.default_storage[0].id}/${var.datastorages[count.index]}Services/default" : "${azurerm_storage_account.storage[0].id}/${var.datastorages[count.index]}Services/default" #  "${azurerm_storage_account.core.id}/blobServices/default/"
+  storage_account_id             = var.storage_account_id
+  eventhub_name                  = var.eventhub_name
+  eventhub_authorization_rule_id = var.eventhub_authorization_rule_id
+  log_analytics_workspace_id     = var.log_analytics_workspace_id
+
+  dynamic "log" {
+    for_each = var.logs
+    content {
+      category = log.value
+      enabled  = true
+      retention_policy {
+        days    = var.days
+        enabled = var.retention_policy_enabled
+      }
+    }
+  }
+
+  dynamic "metric" {
+    for_each = var.metrics
+    content {
+      category = metric.value
+      enabled  = true
+      retention_policy {
+        days    = var.days
+        enabled = var.retention_policy_enabled
+      }
+    }
+  }
+
 }
diff --git a/variables.tf b/variables.tf
@@ -281,4 +281,73 @@ variable "addon_virtual_network_id" {
   type        = string
   default     = ""
   description = "The name of the addon vnet link vnet id"
+}
+
+# Diagnosis Settings Enable
+
+variable "enable_diagnostic" {
+  type        = bool
+  default     = false
+  description = "Set to false to prevent the module from creating the diagnosys setting for the NSG Resource.."
+}
+
+variable "storage_account_id" {
+  type        = string
+  default     = null
+  description = "Storage account id to pass it to destination details of diagnosys setting of NSG."
+}
+
+variable "eventhub_name" {
+  type        = string
+  default     = null
+  description = "Eventhub Name to pass it to destination details of diagnosys setting of NSG."
+}
+
+variable "eventhub_authorization_rule_id" {
+  type        = string
+  default     = null
+  description = "Eventhub authorization rule id to pass it to destination details of diagnosys setting of NSG."
+}
+
+variable "log_analytics_workspace_id" {
+  type        = string
+  default     = null
+  description = "log analytics workspace id to pass it to destination details of diagnosys setting of NSG."
+}
+
+variable "retention_policy_enabled" {
+  type        = bool
+  default     = false
+  description = "Set to false to prevent the module from creating retension policy for the diagnosys setting."
+}
+
+variable "days" {
+  type        = number
+  default     = 365
+  description = "Number of days to create retension policies for te diagnosys setting."
+}
+
+variable "metrics" {
+  type    = list(string)
+  default = null
+}
+
+variable "metrics_enabled" {
+  type    = list(bool)
+  default = null
+}
+
+variable "logs" {
+  type    = list(string)
+  default = null
+}
+
+variable "logs_enabled" {
+  type    = list(bool)
+  default = null
+}
+
+variable "datastorages" {
+  type    = list(string)
+  default = null
 }