Merge pull request #1362 from robgil-dds/170322629-azure-logging
Azure Logging
This commit is contained in:
commit
b444378b0f
@ -30,3 +30,11 @@ resource "azurerm_storage_container" "bucket" {
|
||||
storage_account_name = azurerm_storage_account.bucket.name
|
||||
container_access_type = var.container_access_type
|
||||
}
|
||||
|
||||
# Added until requisite TF bugs are fixed. Typically this would be configured in the
|
||||
# storage_account resource
|
||||
resource "null_resource" "retention" {
|
||||
provisioner "local-exec" {
|
||||
command = "az storage logging update --account-name ${azurerm_storage_account.bucket.name} --log rwd --services bqt --retention 90"
|
||||
}
|
||||
}
|
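Review bot: `null_resource.retention` declares no `triggers`, so the `local-exec` runs once at creation and is never re-applied when `azurerm_storage_account.bucket` is replaced or the command text changes; add `triggers = { account = azurerm_storage_account.bucket.name }` (and a hash of the command if edits should re-run it). Because the logging setting lives outside Terraform state, someone switching classic logging off in the portal will not show up in `plan`, so the comment should name the provider issue being worked around so the workaround can be retired once it is fixed. The command also needs an `az` session with rights on that account wherever `apply` runs; the interpolated account name is provider-validated (lowercase alphanumerics), so it is not a shell-injection concern.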
@ -29,3 +29,15 @@ resource "azurerm_cdn_endpoint" "cdn" {
|
||||
host_name = var.origin_host_name
|
||||
}
|
||||
}
|
||||
|
||||
resource "azurerm_monitor_diagnostic_setting" "acr_diagnostic" {
|
||||
name = "${var.name}-${var.environment}-acr-diag"
|
||||
target_resource_id = azurerm_cdn_endpoint.cdn.id
|
||||
log_analytics_workspace_id = var.workspace_id
|
||||
log {
|
||||
category = "CoreAnalytics"
|
||||
retention_policy {
|
||||
enabled = true
|
||||
}
|
||||
}
|
||||
}
|
||||
|
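Review bot: The diagnostic setting for the CDN endpoint is labelled `acr_diagnostic` and named `${var.name}-${var.environment}-acr-diag`, evidently copied from the container-registry module; rename it to `cdn_diagnostic` / `-cdn-diag` now, before the label is in state and a rename forces a replace. `retention_policy { enabled = true }` has no effect here: per the azurerm docs the retention block is honoured only for a storage-account destination, so how long this stream is kept is decided by the workspace's `retention_in_days`, which is not set anywhere in this PR.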
@ -29,3 +29,7 @@ variable "origin_host_name" {
|
||||
description = "Subdomain to use for the origin in requests to the CDN"
|
||||
}
|
||||
|
||||
variable "workspace_id" {
|
||||
description = "Log Analytics Workspace ID for sending logs generated by this resource"
|
||||
type = string
|
||||
}
|
@ -36,8 +36,32 @@ resource "azurerm_container_registry" "acr" {
|
||||
virtual_network = [
|
||||
for subnet in var.subnet_ids : {
|
||||
action = "Allow"
|
||||
subnet_id = subnet.value
|
||||
subnet_id = subnet
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
resource "azurerm_monitor_diagnostic_setting" "acr_diagnostic" {
|
||||
name = "${var.name}-${var.environment}-acr-diag"
|
||||
target_resource_id = azurerm_container_registry.acr.id
|
||||
log_analytics_workspace_id = var.workspace_id
|
||||
log {
|
||||
category = "ContainerRegistryRepositoryEvents"
|
||||
retention_policy {
|
||||
enabled = true
|
||||
}
|
||||
}
|
||||
log {
|
||||
category = "ContainerRegistryLoginEvents"
|
||||
retention_policy {
|
||||
enabled = true
|
||||
}
|
||||
}
|
||||
metric {
|
||||
category = "AllMetrics"
|
||||
retention_policy {
|
||||
enabled = true
|
||||
}
|
||||
}
|
||||
}
|
||||
|
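Review bot: Style: these `log` blocks rely on the provider default of `enabled = true` while the keyvault and postgresql settings in the same PR set it explicitly; either works, but pick one convention across the modules. A practical check after apply: if `terraform plan` keeps showing a diff on this resource, it is usually a category or metric the registry supports that is not declared here — declare it with `enabled = false` rather than living with the diff. The `subnet_id = subnet` fix in the `for` expression looks right now that `var.subnet_ids` is a plain list of IDs in dev/container_registry.tf.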
@ -52,3 +52,8 @@ variable "whitelist" {
|
||||
description = "A map of whitelisted IPs and CIDR ranges. For single IPs, Azure expects just the IP, NOT a /32."
|
||||
default = {}
|
||||
}
|
||||
|
||||
variable "workspace_id" {
|
||||
description = "The Log Analytics Workspace ID"
|
||||
type = string
|
||||
}
|
@ -39,3 +39,45 @@ resource "azurerm_kubernetes_cluster" "k8s" {
|
||||
owner = var.owner
|
||||
}
|
||||
}
|
||||
|
||||
resource "azurerm_monitor_diagnostic_setting" "k8s_diagnostic-1" {
|
||||
name = "${var.name}-${var.environment}-k8s-diag"
|
||||
target_resource_id = azurerm_kubernetes_cluster.k8s.id
|
||||
log_analytics_workspace_id = var.workspace_id
|
||||
log {
|
||||
category = "kube-apiserver"
|
||||
retention_policy {
|
||||
enabled = true
|
||||
}
|
||||
}
|
||||
log {
|
||||
category = "kube-controller-manager"
|
||||
retention_policy {
|
||||
enabled = true
|
||||
}
|
||||
}
|
||||
log {
|
||||
category = "kube-scheduler"
|
||||
retention_policy {
|
||||
enabled = true
|
||||
}
|
||||
}
|
||||
log {
|
||||
category = "kube-audit"
|
||||
retention_policy {
|
||||
enabled = true
|
||||
}
|
||||
}
|
||||
log {
|
||||
category = "cluster-autoscaler"
|
||||
retention_policy {
|
||||
enabled = true
|
||||
}
|
||||
}
|
||||
metric {
|
||||
category = "AllMetrics"
|
||||
retention_policy {
|
||||
enabled = true
|
||||
}
|
||||
}
|
||||
}
|
||||
|
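Review bot: The resource label `k8s_diagnostic-1` breaks the `<service>_diagnostic` naming used by every other module in this PR and the `-1` suffix reads like a leftover; rename it to `k8s_diagnostic` before it lands in state. The category list covers the core control plane plus `kube-audit`, which is the right starting point; if the cluster is AAD-integrated the `guard` category (authentication/authorization audit) is probably also wanted — confirm what this cluster exposes with `az monitor diagnostic-settings categories list --resource <cluster id>` rather than hand-maintaining the list. `kube-audit` is high volume, so size the workspace retention and any daily cap with it in mind.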
@ -62,3 +62,8 @@ variable "client_secret" {
|
||||
type = string
|
||||
description = "The client secret for the Service Principal associated with the AKS cluster."
|
||||
}
|
||||
|
||||
variable "workspace_id" {
|
||||
description = "Log Analytics workspace for this resource to log to"
|
||||
type = string
|
||||
}
|
@ -76,4 +76,26 @@ resource "azurerm_key_vault_access_policy" "keyvault_admin_policy" {
|
||||
"backup",
|
||||
"update",
|
||||
]
|
||||
}
|
||||
}
|
||||
|
||||
resource "azurerm_monitor_diagnostic_setting" "keyvault_diagnostic" {
|
||||
name = "${var.name}-${var.environment}-keyvault-diag"
|
||||
target_resource_id = azurerm_key_vault.keyvault.id
|
||||
log_analytics_workspace_id = var.workspace_id
|
||||
|
||||
log {
|
||||
category = "AuditEvent"
|
||||
enabled = true
|
||||
|
||||
retention_policy {
|
||||
enabled = true
|
||||
}
|
||||
}
|
||||
metric {
|
||||
category = "AllMetrics"
|
||||
|
||||
retention_policy {
|
||||
enabled = true
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -48,4 +48,10 @@ variable "whitelist" {
|
||||
type = map
|
||||
description = "A map of whitelisted IPs and CIDR ranges. For single IPs, Azure expects just the IP, NOT a /32."
|
||||
default = {}
|
||||
}
|
||||
}
|
||||
|
||||
variable "workspace_id" {
|
||||
description = "Log Analytics Workspace ID for sending logs generated by this resource"
|
||||
type = string
|
||||
|
||||
}
|
||||
|
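--- a/terraform/modules/log_analytics/main.tf
+++ b/terraform/modules/log_analytics/main.tf
@@ -0,0 +1,15 @@
+resource "azurerm_resource_group" "log_workspace" {
+name = "${var.name}-${var.environment}-log-workspace"
+location = var.region
+}
+
+resource "azurerm_log_analytics_workspace" "log_workspace" {
+name = "${var.name}-${var.environment}-log-workspace"
+location = azurerm_resource_group.log_workspace.location
+resource_group_name = azurerm_resource_group.log_workspace.name
+sku = "Premium"
+tags = {
+environment = var.environment
+owner = var.owner
+}
+}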
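Review bot: The workspace sets no `retention_in_days`, so it keeps data for the provider default (30 days, if I recall the azurerm docs correctly), while the storage-logging command elsewhere in this PR pins 90 days; every audit stream in the environment (kube-audit, Key Vault AuditEvent, ACR login events) now lands here, so set `retention_in_days` explicitly to whatever the retention requirement actually is. `sku = "Premium"` is one of the pre-2018 SKUs; new workspaces generally use `PerGB2018`, so confirm the subscription still accepts Premium before relying on it. Since this is now the single audit trail, consider an `azurerm_management_lock` with `lock_level = "CanNotDelete"` on the workspace so a stray `destroy` cannot erase it.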
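--- a/terraform/modules/log_analytics/outputs.tf
+++ b/terraform/modules/log_analytics/outputs.tf
@@ -0,0 +1,3 @@
+output "workspace_id" {
+value = azurerm_log_analytics_workspace.log_workspace.id
+}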
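--- a/terraform/modules/log_analytics/variables.tf
+++ b/terraform/modules/log_analytics/variables.tf
@@ -0,0 +1,19 @@
+variable "region" {
+type = string
+description = "Region this module and resources will be created in"
+}
+
+variable "name" {
+type = string
+description = "Unique name for the services in this module"
+}
+
+variable "environment" {
+type = string
+description = "Environment these resources reside (prod, dev, staging, etc)"
+}
+
+variable "owner" {
+type = string
+description = "Owner of the environment and resources created in this module"
+}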
@ -35,3 +35,33 @@ resource "azurerm_postgresql_virtual_network_rule" "sql" {
|
||||
subnet_id = var.subnet_id
|
||||
ignore_missing_vnet_service_endpoint = true
|
||||
}
|
||||
|
||||
resource "azurerm_postgresql_database" "db" {
|
||||
name = "${var.name}-${var.environment}-atat"
|
||||
resource_group_name = azurerm_resource_group.sql.name
|
||||
server_name = azurerm_postgresql_server.sql.name
|
||||
charset = "UTF8"
|
||||
collation = "en-US"
|
||||
}
|
||||
|
||||
resource "azurerm_monitor_diagnostic_setting" "postgresql_diagnostic" {
|
||||
name = "${var.name}-${var.environment}-postgresql-diag"
|
||||
target_resource_id = azurerm_postgresql_server.sql.id
|
||||
log_analytics_workspace_id = var.workspace_id
|
||||
|
||||
log {
|
||||
category = "PostgreSQLLogs"
|
||||
enabled = true
|
||||
|
||||
retention_policy {
|
||||
enabled = true
|
||||
}
|
||||
}
|
||||
metric {
|
||||
category = "AllMetrics"
|
||||
|
||||
retention_policy {
|
||||
enabled = true
|
||||
}
|
||||
}
|
||||
}
|
||||
|
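Review bot: The `PostgreSQLLogs` stream only carries what the engine is configured to emit, and nothing in this PR sets server parameters; for connection and authentication events to reach the workspace, confirm `log_connections` and `log_disconnections` are `ON` via `azurerm_postgresql_configuration` resources, since the Azure defaults are not visible here. As with the other settings in this PR, `retention_policy { enabled = true }` is not applied to a Log Analytics destination, so the workspace retention governs. The `azurerm_postgresql_database` resource above it is also new in this hunk, and `collation = "en-US"` is not the form the azurerm examples use (`English_United States.1252`) — worth a quick apply to check it is accepted.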
@ -93,3 +93,8 @@ variable "ssl_enforcement" {
|
||||
description = "Enforce SSL (Enabled/Disable)"
|
||||
default = "Enabled"
|
||||
}
|
||||
|
||||
variable "workspace_id" {
|
||||
description = "Log Analytics workspace for this resource to log to"
|
||||
type = string
|
||||
}
|
||||
|
@ -23,3 +23,16 @@ resource "azurerm_redis_cache" "redis" {
|
||||
owner = var.owner
|
||||
}
|
||||
}
|
||||
|
||||
resource "azurerm_monitor_diagnostic_setting" "redis_diagnostic" {
|
||||
name = "${var.name}-${var.environment}-redis-diag"
|
||||
target_resource_id = azurerm_redis_cache.redis.id
|
||||
log_analytics_workspace_id = var.workspace_id
|
||||
metric {
|
||||
category = "AllMetrics"
|
||||
|
||||
retention_policy {
|
||||
enabled = true
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -58,3 +58,8 @@ variable "subnet_id" {
|
||||
type = string
|
||||
description = "Subnet ID that the service_endpoint should reside"
|
||||
}
|
||||
|
||||
variable "workspace_id" {
|
||||
description = "Log Analytics workspace for this resource to log to"
|
||||
type = string
|
||||
}
|
@ -72,45 +72,3 @@ resource "azurerm_route" "route" {
|
||||
address_prefix = "0.0.0.0/0"
|
||||
next_hop_type = each.value
|
||||
}
|
||||
|
||||
# Required for the gateway
|
||||
resource "azurerm_subnet" "gateway" {
|
||||
name = "GatewaySubnet"
|
||||
resource_group_name = azurerm_resource_group.vpc.name
|
||||
virtual_network_name = azurerm_virtual_network.vpc.name
|
||||
address_prefix = var.gateway_subnet
|
||||
}
|
||||
|
||||
|
||||
resource "azurerm_public_ip" "vpn_ip" {
|
||||
name = "${var.name}-${var.environment}-vpn-ip"
|
||||
location = azurerm_resource_group.vpc.location
|
||||
resource_group_name = azurerm_resource_group.vpc.name
|
||||
|
||||
allocation_method = "Dynamic"
|
||||
}
|
||||
|
||||
resource "azurerm_virtual_network_gateway" "vnet_gateway" {
|
||||
name = "${var.name}-${var.environment}-gateway"
|
||||
location = azurerm_resource_group.vpc.location
|
||||
resource_group_name = azurerm_resource_group.vpc.name
|
||||
|
||||
type = "Vpn"
|
||||
vpn_type = "RouteBased"
|
||||
|
||||
active_active = false
|
||||
enable_bgp = false
|
||||
sku = "Standard"
|
||||
|
||||
ip_configuration {
|
||||
name = "vnetGatewayConfig"
|
||||
public_ip_address_id = azurerm_public_ip.vpn_ip.id
|
||||
private_ip_address_allocation = "Dynamic"
|
||||
subnet_id = azurerm_subnet.gateway.id
|
||||
}
|
||||
|
||||
vpn_client_configuration {
|
||||
address_space = var.vpn_client_cidr
|
||||
vpn_client_protocols = ["OpenVPN"]
|
||||
}
|
||||
}
|
@ -34,7 +34,6 @@ variable "networks" {
|
||||
variable "dns_servers" {
|
||||
description = "DNS Server IPs for internal and public DNS lookups (must be on a defined subnet)"
|
||||
type = list
|
||||
|
||||
}
|
||||
|
||||
variable "route_tables" {
|
||||
@ -42,19 +41,8 @@ variable "route_tables" {
|
||||
description = "A map with the route tables to create"
|
||||
}
|
||||
|
||||
variable "gateway_subnet" {
|
||||
type = string
|
||||
description = "The Subnet CIDR that we'll use for the virtual_network_gateway 'GatewaySubnet'"
|
||||
}
|
||||
|
||||
variable "service_endpoints" {
|
||||
type = map
|
||||
description = "A map of the service endpoints and its mapping to subnets"
|
||||
|
||||
}
|
||||
|
||||
variable "vpn_client_cidr" {
|
||||
type = list
|
||||
description = "The CIDR range used for clients on the VPN"
|
||||
default = ["172.16.0.0/16"]
|
||||
}
|
||||
|
@ -5,4 +5,5 @@ module "cdn" {
|
||||
environment = var.environment
|
||||
name = var.name
|
||||
region = var.region
|
||||
workspace_id = module.logs.workspace_id
|
||||
}
|
||||
|
@ -6,6 +6,7 @@ module "container_registry" {
|
||||
owner = var.owner
|
||||
backup_region = var.backup_region
|
||||
policy = "Deny"
|
||||
subnet_ids = []
|
||||
subnet_ids = [module.vpc.subnet_list["private"].id]
|
||||
whitelist = var.admin_user_whitelist
|
||||
workspace_id = module.logs.workspace_id
|
||||
}
|
||||
|
@ -22,6 +22,7 @@ module "k8s" {
|
||||
min_count = 3
|
||||
client_id = data.azurerm_key_vault_secret.k8s_client_id.value
|
||||
client_secret = data.azurerm_key_vault_secret.k8s_client_secret.value
|
||||
workspace_id = module.logs.workspace_id
|
||||
}
|
||||
|
||||
#module "main_lb" {
|
||||
|
@ -10,5 +10,6 @@ module "keyvault" {
|
||||
policy = "Deny"
|
||||
subnet_ids = [module.vpc.subnets]
|
||||
whitelist = var.admin_user_whitelist
|
||||
workspace_id = module.logs.workspace_id
|
||||
}
|
||||
|
||||
|
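--- a/terraform/providers/dev/logs.tf
+++ b/terraform/providers/dev/logs.tf
@@ -0,0 +1,8 @@
+module "logs" {
+source = "../../modules/log_analytics"
+owner = var.owner
+environment = var.environment
+region = var.region
+name = var.name
+}
+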
@ -14,7 +14,8 @@ module "sql" {
|
||||
owner = var.owner
|
||||
environment = var.environment
|
||||
region = var.region
|
||||
subnet_id = module.vpc.subnets # FIXME - Should be a map of subnets and specify private
|
||||
subnet_id = module.vpc.subnet_list["private"].id
|
||||
administrator_login = data.azurerm_key_vault_secret.postgres_username.value
|
||||
administrator_login_password = data.azurerm_key_vault_secret.postgres_password.value
|
||||
workspace_id = module.logs.workspace_id
|
||||
}
|
||||
|
@ -1,10 +1,11 @@
|
||||
module "redis" {
|
||||
source = "../../modules/redis"
|
||||
owner = var.owner
|
||||
environment = var.environment
|
||||
region = var.region
|
||||
name = var.name
|
||||
subnet_id = module.vpc.subnet_list["redis"].id
|
||||
sku_name = "Premium"
|
||||
family = "P"
|
||||
source = "../../modules/redis"
|
||||
owner = var.owner
|
||||
environment = var.environment
|
||||
region = var.region
|
||||
name = var.name
|
||||
subnet_id = module.vpc.subnet_list["redis"].id
|
||||
sku_name = "Premium"
|
||||
family = "P"
|
||||
workspace_id = module.logs.workspace_id
|
||||
}
|
||||
|
@ -10,4 +10,5 @@ module "operator_keyvault" {
|
||||
policy = "Deny"
|
||||
subnet_ids = [module.vpc.subnets]
|
||||
whitelist = var.admin_user_whitelist
|
||||
workspace_id = module.logs.workspace_id
|
||||
}
|
||||
|
@ -34,6 +34,7 @@ variable "networks" {
|
||||
public = "10.1.1.0/24,public" # LBs
|
||||
private = "10.1.2.0/24,private" # k8s, postgres, keyvault
|
||||
redis = "10.1.3.0/24,private" # Redis
|
||||
apps = "10.1.4.0/24,private" # Redis
|
||||
}
|
||||
}
|
||||
|
||||
@ -43,23 +44,18 @@ variable "service_endpoints" {
|
||||
public = "Microsoft.ContainerRegistry" # Not necessary but added to avoid infinite state loop
|
||||
private = "Microsoft.Storage,Microsoft.KeyVault,Microsoft.ContainerRegistry,Microsoft.Sql"
|
||||
redis = "Microsoft.Storage,Microsoft.Sql" # FIXME: There is no Microsoft.Redis
|
||||
apps = "Microsoft.Storage,Microsoft.KeyVault,Microsoft.ContainerRegistry,Microsoft.Sql"
|
||||
}
|
||||
}
|
||||
|
||||
variable "gateway_subnet" {
|
||||
type = string
|
||||
default = "10.1.20.0/24"
|
||||
}
|
||||
|
||||
|
||||
variable "route_tables" {
|
||||
description = "Route tables and their default routes"
|
||||
type = map
|
||||
default = {
|
||||
public = "Internet"
|
||||
private = "Internet"
|
||||
private = "Internet" # TODO: Switch to FW
|
||||
redis = "VnetLocal"
|
||||
#private = "VnetLocal"
|
||||
apps = "Internet" # TODO: Switch to FW
|
||||
}
|
||||
}
|
||||
|
||||
|
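Review bot: The new `apps` subnet line carries the comment `# Redis`, copied from the line above; change it to what the subnet is for, e.g. `apps = "10.1.4.0/24,private" # application workloads`. The new `apps` route table defaults to `Internet` with the same `TODO: Switch to FW` as `private`, so two subnets tagged private have unfiltered egress — the path exfiltration from a compromised pod would take; if the firewall is not part of this PR, track the TODO in an issue so it does not silently persist. The `redis` service-endpoint entry still carries `FIXME: There is no Microsoft.Redis`, which is accurate as far as I know — Redis has no VNet service endpoint, so that subnet's isolation rests on the `VnetLocal` route and NSGs.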
@ -4,12 +4,9 @@ module "vpc" {
|
||||
region = var.region
|
||||
virtual_network = var.virtual_network
|
||||
networks = var.networks
|
||||
gateway_subnet = var.gateway_subnet
|
||||
route_tables = var.route_tables
|
||||
owner = var.owner
|
||||
name = var.name
|
||||
dns_servers = var.dns_servers
|
||||
service_endpoints = var.service_endpoints
|
||||
vpn_client_cidr = var.vpn_client_cidr
|
||||
}
|
||||
|
||||
|