Configures container registry to log to a log analytics workspace

terraform/modules/container_registry/main.tf

@@ -36,8 +36,32 @@ resource "azurerm_container_registry" "acr" {
     virtual_network = [
       for subnet in var.subnet_ids : {
         action    = "Allow"
-        subnet_id = subnet.value
+        subnet_id = subnet
       }
     ]
   }
-}
+}
+
+resource "azurerm_monitor_diagnostic_setting" "acr_diagnostic" {
+  name                       = "${var.name}-${var.environment}-acr-diag"
+  target_resource_id         = azurerm_container_registry.acr.id
+  log_analytics_workspace_id = var.workspace_id
+  log {
+    category = "ContainerRegistryRepositoryEvents"
+    retention_policy {
+      enabled = true
+    }
+  }
+  log {
+    category = "ContainerRegistryLoginEvents"
+    retention_policy {
+      enabled = true
+    }
+  }
+  metric {
+    category = "AllMetrics"
+    retention_policy {
+      enabled = true
+    }
+  }
+}

terraform/modules/container_registry/variables.tf

@@ -52,3 +52,8 @@ variable "whitelist" {
   description = "A map of whitelisted IPs and CIDR ranges. For single IPs, Azure expects just the IP, NOT a /32."
   default     = {}
 }
+
+variable "workspace_id" {
+  description = "The Log Analytics Workspace ID"
+  type        = string
+}

terraform/providers/dev/container_registry.tf

@@ -6,6 +6,7 @@ module "container_registry" {
   owner         = var.owner
   backup_region = var.backup_region
   policy        = "Deny"
-  subnet_ids    = []
+  subnet_ids    = [module.vpc.subnet_list["private"].id]
   whitelist     = var.admin_user_whitelist
+  workspace_id  = module.logs.workspace_id
 }