diff --git a/terraform/modules/bucket/main.tf b/terraform/modules/bucket/main.tf index e2f91f58..eeab6490 100644 --- a/terraform/modules/bucket/main.tf +++ b/terraform/modules/bucket/main.tf @@ -30,3 +30,11 @@ resource "azurerm_storage_container" "bucket" { storage_account_name = azurerm_storage_account.bucket.name container_access_type = var.container_access_type } + +# Added until requisite TF bugs are fixed. Typically this would be configured in the +# storage_account resource +resource "null_resource" "retention" { + provisioner "local-exec" { + command = "az storage logging update --account-name ${azurerm_storage_account.bucket.name} --log rwd --services bqt --retention 90" + } +} \ No newline at end of file diff --git a/terraform/modules/cdn/main.tf b/terraform/modules/cdn/main.tf index 5debd443..d6be6a94 100644 --- a/terraform/modules/cdn/main.tf +++ b/terraform/modules/cdn/main.tf @@ -29,3 +29,15 @@ resource "azurerm_cdn_endpoint" "cdn" { host_name = var.origin_host_name } } + +resource "azurerm_monitor_diagnostic_setting" "acr_diagnostic" { + name = "${var.name}-${var.environment}-acr-diag" + target_resource_id = azurerm_cdn_endpoint.cdn.id + log_analytics_workspace_id = var.workspace_id + log { + category = "CoreAnalytics" + retention_policy { + enabled = true + } + } +} diff --git a/terraform/modules/cdn/variables.tf b/terraform/modules/cdn/variables.tf index 3abe4851..ae26c2d2 100644 --- a/terraform/modules/cdn/variables.tf +++ b/terraform/modules/cdn/variables.tf @@ -29,3 +29,7 @@ variable "origin_host_name" { description = "Subdomain to use for the origin in requests to the CDN" } +variable "workspace_id" { + description = "Log Analytics Workspace ID for sending logs generated by this resource" + type = string +} \ No newline at end of file diff --git a/terraform/modules/container_registry/main.tf b/terraform/modules/container_registry/main.tf index 30b2b1cc..48b9789d 100644 --- a/terraform/modules/container_registry/main.tf 
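Review bot: The `null_resource.retention` local-exec has no `triggers`, so the `az storage logging update` call runs once when the resource is first created and is never re-applied if the storage account is recreated or its logging is switched off out of band, leaving a silent gap in the blob/queue/table access log. Adding `triggers = { account = azurerm_storage_account.bucket.name }` at least re-runs it when the account changes, and it is worth noting that `terraform destroy` will not revert the setting either. The command also relies on whoever runs Terraform being logged into `az` with rights on that account, a different identity from the one the azurerm provider uses; stating that in the existing comment would save the next operator a confusing failure.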
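Review bot: The diagnostic setting added to the CDN module is labelled `acr_diagnostic` with a `-acr-diag` resource name, which looks copied from the container registry module and will mislead anyone searching state or the portal by name; rename it to `resource "azurerm_monitor_diagnostic_setting" "cdn_diagnostic"` with `name = "${var.name}-${var.environment}-cdn-diag"`. The `retention_policy` block carries no `days`, so it does not pin how long `CoreAnalytics` is kept; with only a Log Analytics destination the workspace's own retention governs.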
+++ b/terraform/modules/container_registry/main.tf @@ -36,8 +36,32 @@ resource "azurerm_container_registry" "acr" { virtual_network = [ for subnet in var.subnet_ids : { action = "Allow" - subnet_id = subnet.value + subnet_id = subnet } ] } -} \ No newline at end of file +} + +resource "azurerm_monitor_diagnostic_setting" "acr_diagnostic" { + name = "${var.name}-${var.environment}-acr-diag" + target_resource_id = azurerm_container_registry.acr.id + log_analytics_workspace_id = var.workspace_id + log { + category = "ContainerRegistryRepositoryEvents" + retention_policy { + enabled = true + } + } + log { + category = "ContainerRegistryLoginEvents" + retention_policy { + enabled = true + } + } + metric { + category = "AllMetrics" + retention_policy { + enabled = true + } + } +} diff --git a/terraform/modules/container_registry/variables.tf b/terraform/modules/container_registry/variables.tf index 48fbb64a..aa0ff23a 100644 --- a/terraform/modules/container_registry/variables.tf +++ b/terraform/modules/container_registry/variables.tf @@ -52,3 +52,8 @@ variable "whitelist" { description = "A map of whitelisted IPs and CIDR ranges. For single IPs, Azure expects just the IP, NOT a /32." default = {} } + +variable "workspace_id" { + description = "The Log Analytics Workspace ID" + type = string +} \ No newline at end of file diff --git a/terraform/modules/k8s/main.tf b/terraform/modules/k8s/main.tf index 060d50b8..8ecbb4cd 100644 --- a/terraform/modules/k8s/main.tf +++ b/terraform/modules/k8s/main.tf 
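Review bot: Changing `subnet.value` to `subnet` in the `virtual_network` list means `var.subnet_ids` is now expected to be a plain list of subnet ID strings; unless the variable already declares `type = list(string)` (its declaration is not in this diff), a caller still passing the old object shape only fails at plan time with an unhelpful message, so pin the type in `variables.tf`. A one-line comment on the diagnostic setting, such as `# Repository and login events are the ACR audit trail; metrics cover throughput only`, would make clear that both `log` blocks are deliberate and not just whatever the portal listed.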
@@ -39,3 +39,45 @@ resource "azurerm_kubernetes_cluster" "k8s" { owner = var.owner } } + +resource "azurerm_monitor_diagnostic_setting" "k8s_diagnostic-1" { + name = "${var.name}-${var.environment}-k8s-diag" + target_resource_id = azurerm_kubernetes_cluster.k8s.id + log_analytics_workspace_id = var.workspace_id + log { + category = "kube-apiserver" + retention_policy { + enabled = true + } + } + log { + category = "kube-controller-manager" + retention_policy { + enabled = true + } + } + log { + category = "kube-scheduler" + retention_policy { + enabled = true + } + } + log { + category = "kube-audit" + retention_policy { + enabled = true + } + } + log { + category = "cluster-autoscaler" + retention_policy { + enabled = true + } + } + metric { + category = "AllMetrics" + retention_policy { + enabled = true + } + } +} diff --git a/terraform/modules/k8s/variables.tf b/terraform/modules/k8s/variables.tf index e8ca5a27..79bac3de 100644 --- a/terraform/modules/k8s/variables.tf +++ b/terraform/modules/k8s/variables.tf @@ -62,3 +62,8 @@ variable "client_secret" { type = string description = "The client secret for the Service Principal associated with the AKS cluster." } + +variable "workspace_id" { + description = "Log Analytics workspace for this resource to log to" + type = string +} \ No newline at end of file diff --git a/terraform/modules/keyvault/main.tf b/terraform/modules/keyvault/main.tf index 1df84367..185c5b7d 100644 --- a/terraform/modules/keyvault/main.tf +++ b/terraform/modules/keyvault/main.tf 
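Review bot: The resource label `k8s_diagnostic-1` mixes a hyphen and a numeric suffix, unlike `acr_diagnostic`, `keyvault_diagnostic` and `postgresql_diagnostic` elsewhere in this change; rename it to `k8s_diagnostic` before anything references it. `kube-audit` is the category that records API-server requests and who made them, and it is also the highest-volume one, so a comment saying it is intentionally enabled and that retention is set on the workspace rather than here would stop a later cost cleanup from quietly dropping the audit trail. If the cluster uses AAD integration there may also be a `guard` category for those authentications; verify whether it applies to this cluster.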
@@ -76,4 +76,26 @@ resource "azurerm_key_vault_access_policy" "keyvault_admin_policy" { "backup", "update", ] -} \ No newline at end of file +} + +resource "azurerm_monitor_diagnostic_setting" "keyvault_diagnostic" { + name = "${var.name}-${var.environment}-keyvault-diag" + target_resource_id = azurerm_key_vault.keyvault.id + log_analytics_workspace_id = var.workspace_id + + log { + category = "AuditEvent" + enabled = true + + retention_policy { + enabled = true + } + } + metric { + category = "AllMetrics" + + retention_policy { + enabled = true + } + } +} diff --git a/terraform/modules/keyvault/variables.tf b/terraform/modules/keyvault/variables.tf index 56e7cc13..ebaabf83 100644 --- a/terraform/modules/keyvault/variables.tf +++ b/terraform/modules/keyvault/variables.tf @@ -48,4 +48,10 @@ variable "whitelist" { type = map description = "A map of whitelisted IPs and CIDR ranges. For single IPs, Azure expects just the IP, NOT a /32." default = {} -} \ No newline at end of file +} + +variable "workspace_id" { + description = "Log Analytics Workspace ID for sending logs generated by this resource" + type = string + +} diff --git a/terraform/modules/log_analytics/main.tf b/terraform/modules/log_analytics/main.tf new file mode 100644 index 00000000..9bd8a353 --- /dev/null +++ b/terraform/modules/log_analytics/main.tf @@ -0,0 +1,15 @@ +resource "azurerm_resource_group" "log_workspace" { + name = "${var.name}-${var.environment}-log-workspace" + location = var.region +} + +resource "azurerm_log_analytics_workspace" "log_workspace" { + name = "${var.name}-${var.environment}-log-workspace" + location = azurerm_resource_group.log_workspace.location + resource_group_name = azurerm_resource_group.log_workspace.name + sku = "Premium" + tags = { + environment = var.environment + owner = var.owner + } +} diff --git a/terraform/modules/log_analytics/outputs.tf b/terraform/modules/log_analytics/outputs.tf new file mode 100644 index 00000000..da9abb5b --- /dev/null 
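Review bot: The `retention_policy { enabled = true }` blocks on `keyvault_diagnostic` carry no `days`, and with only `log_analytics_workspace_id` set (no `storage_account_id`) the retention policy does not apply to the workspace sink, so this resource does not actually control how long `AuditEvent` records are kept. Retention is governed by the workspace's `retention_in_days`; either set that where the workspace is defined or add a comment here such as `# retention_policy only applies to storage-account sinks; LA retention is set on the workspace`. The enclosing `azurerm_key_vault_access_policy` block shown at the top of the hunk starts outside it.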
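Review bot: `azurerm_log_analytics_workspace.log_workspace` sets no `retention_in_days`, so every audit stream this change wires in (Key Vault `AuditEvent`, `kube-audit`, ACR login events, PostgreSQL logs) is kept only for the provider/service default rather than a deliberately chosen period; set it explicitly, e.g. `retention_in_days = 90` to match the 90 days used for storage logging in the bucket module, and document why. `sku = "Premium"` is one of the older pricing tiers and, depending on the subscription, may be rejected on creation or billed unexpectedly; confirm it is intended over `PerGB2018`.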
+++ b/terraform/modules/log_analytics/outputs.tf @@ -0,0 +1,3 @@ +output "workspace_id" { + value = azurerm_log_analytics_workspace.log_workspace.id +} diff --git a/terraform/modules/log_analytics/variables.tf b/terraform/modules/log_analytics/variables.tf new file mode 100644 index 00000000..4721a46a --- /dev/null +++ b/terraform/modules/log_analytics/variables.tf @@ -0,0 +1,19 @@ +variable "region" { + type = string + description = "Region this module and resources will be created in" +} + +variable "name" { + type = string + description = "Unique name for the services in this module" +} + +variable "environment" { + type = string + description = "Environment these resources reside (prod, dev, staging, etc)" +} + +variable "owner" { + type = string + description = "Owner of the environment and resources created in this module" +} diff --git a/terraform/modules/postgres/main.tf b/terraform/modules/postgres/main.tf index 29b6cc53..7b659d4e 100644 --- a/terraform/modules/postgres/main.tf +++ b/terraform/modules/postgres/main.tf @@ -35,3 +35,33 @@ resource "azurerm_postgresql_virtual_network_rule" "sql" { subnet_id = var.subnet_id ignore_missing_vnet_service_endpoint = true } + +resource "azurerm_postgresql_database" "db" { + name = "${var.name}-${var.environment}-atat" + resource_group_name = azurerm_resource_group.sql.name + server_name = azurerm_postgresql_server.sql.name + charset = "UTF8" + collation = "en-US" +} + +resource "azurerm_monitor_diagnostic_setting" "postgresql_diagnostic" { + name = "${var.name}-${var.environment}-postgresql-diag" + target_resource_id = azurerm_postgresql_server.sql.id + log_analytics_workspace_id = var.workspace_id + + log { + category = "PostgreSQLLogs" + enabled = true + + retention_policy { + enabled = true + } + } + metric { + category = "AllMetrics" + + retention_policy { + enabled = true + } + } +} diff --git a/terraform/modules/postgres/variables.tf b/terraform/modules/postgres/variables.tf index f3366cdb..ea4a2dea 100644 
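Review bot: Forwarding `PostgreSQLLogs` only captures what the server is configured to emit; unless `log_connections` and `log_disconnections` (and ideally `connection_throttling`) are set via `azurerm_postgresql_configuration` elsewhere, failed logins and session activity will not reach the workspace, so `postgresql_diagnostic` provides less of an audit trail than it appears to. Either add those configuration resources next to it or add a comment naming the server parameters this stream depends on. Also confirm that `collation = "en-US"` is accepted by Azure Database for PostgreSQL for this server version; it may require the fuller locale form.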
--- a/terraform/modules/postgres/variables.tf +++ b/terraform/modules/postgres/variables.tf @@ -93,3 +93,8 @@ variable "ssl_enforcement" { description = "Enforce SSL (Enabled/Disable)" default = "Enabled" } + +variable "workspace_id" { + description = "Log Analytics workspace for this resource to log to" + type = string +} diff --git a/terraform/modules/redis/main.tf b/terraform/modules/redis/main.tf index b12bf92d..3e7f33eb 100644 --- a/terraform/modules/redis/main.tf +++ b/terraform/modules/redis/main.tf @@ -23,3 +23,16 @@ resource "azurerm_redis_cache" "redis" { owner = var.owner } } + +resource "azurerm_monitor_diagnostic_setting" "redis_diagnostic" { + name = "${var.name}-${var.environment}-redis-diag" + target_resource_id = azurerm_redis_cache.redis.id + log_analytics_workspace_id = var.workspace_id + metric { + category = "AllMetrics" + + retention_policy { + enabled = true + } + } +} diff --git a/terraform/modules/redis/variables.tf b/terraform/modules/redis/variables.tf index 06ddd36d..bb99ebd0 100644 --- a/terraform/modules/redis/variables.tf +++ b/terraform/modules/redis/variables.tf @@ -58,3 +58,8 @@ variable "subnet_id" { type = string description = "Subnet ID that the service_endpoint should reside" } + +variable "workspace_id" { + description = "Log Analytics workspace for this resource to log to" + type = string +} \ No newline at end of file diff --git a/terraform/modules/vpc/main.tf b/terraform/modules/vpc/main.tf index d0ea9a2a..65fadc61 100644 --- a/terraform/modules/vpc/main.tf +++ b/terraform/modules/vpc/main.tf 
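Review bot: `redis_diagnostic` forwards `AllMetrics` only, with no `log` blocks, so unlike the other modules in this change it contributes no connection or access records to the workspace. If that is because the service exposes no log categories for this SKU, say so with a comment such as `# Azure Cache for Redis exposes no log categories here: metrics only, no access audit trail` so nobody later reads it as an oversight.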
@@ -72,45 +72,3 @@ resource "azurerm_route" "route" { address_prefix = "0.0.0.0/0" next_hop_type = each.value } - -# Required for the gateway -resource "azurerm_subnet" "gateway" { - name = "GatewaySubnet" - resource_group_name = azurerm_resource_group.vpc.name - virtual_network_name = azurerm_virtual_network.vpc.name - address_prefix = var.gateway_subnet -} - - -resource "azurerm_public_ip" "vpn_ip" { - name = "${var.name}-${var.environment}-vpn-ip" - location = azurerm_resource_group.vpc.location - resource_group_name = azurerm_resource_group.vpc.name - - allocation_method = "Dynamic" -} - -resource "azurerm_virtual_network_gateway" "vnet_gateway" { - name = "${var.name}-${var.environment}-gateway" - location = azurerm_resource_group.vpc.location - resource_group_name = azurerm_resource_group.vpc.name - - type = "Vpn" - vpn_type = "RouteBased" - - active_active = false - enable_bgp = false - sku = "Standard" - - ip_configuration { - name = "vnetGatewayConfig" - public_ip_address_id = azurerm_public_ip.vpn_ip.id - private_ip_address_allocation = "Dynamic" - subnet_id = azurerm_subnet.gateway.id - } - - vpn_client_configuration { - address_space = var.vpn_client_cidr - vpn_client_protocols = ["OpenVPN"] - } -} \ No newline at end of file diff --git a/terraform/modules/vpc/variables.tf b/terraform/modules/vpc/variables.tf index aae7ef45..1c72cca7 100644 --- a/terraform/modules/vpc/variables.tf +++ b/terraform/modules/vpc/variables.tf @@ -34,7 +34,6 @@ variable "networks" { variable "dns_servers" { description = "DNS Server IPs for internal and public DNS lookups (must be on a defined subnet)" type = list - } variable "route_tables" { 
@@ -42,19 +41,8 @@ variable "route_tables" { description = "A map with the route tables to create" } -variable "gateway_subnet" { - type = string - description = "The Subnet CIDR that we'll use for the virtual_network_gateway 'GatewaySubnet'" -} - variable "service_endpoints" { type = map description = "A map of the service endpoints and its mapping to subnets" } - -variable "vpn_client_cidr" { - type = list - description = "The CIDR range used for clients on the VPN" - default = ["172.16.0.0/16"] -} diff --git a/terraform/providers/dev/cdn.tf b/terraform/providers/dev/cdn.tf index 02c17e3d..aa7c5f9a 100644 --- a/terraform/providers/dev/cdn.tf +++ b/terraform/providers/dev/cdn.tf @@ -5,4 +5,5 @@ module "cdn" { environment = var.environment name = var.name region = var.region + workspace_id = module.logs.workspace_id } diff --git a/terraform/providers/dev/container_registry.tf b/terraform/providers/dev/container_registry.tf index 805ef3e8..a6b76654 100644 --- a/terraform/providers/dev/container_registry.tf +++ b/terraform/providers/dev/container_registry.tf @@ -6,6 +6,7 @@ module "container_registry" { owner = var.owner backup_region = var.backup_region policy = "Deny" - subnet_ids = [] + subnet_ids = [module.vpc.subnet_list["private"].id] whitelist = var.admin_user_whitelist + workspace_id = module.logs.workspace_id } diff --git a/terraform/providers/dev/k8s.tf b/terraform/providers/dev/k8s.tf index 7d415c9c..fe3dac18 100644 --- a/terraform/providers/dev/k8s.tf +++ b/terraform/providers/dev/k8s.tf @@ -22,6 +22,7 @@ module "k8s" { min_count = 3 client_id = data.azurerm_key_vault_secret.k8s_client_id.value client_secret = data.azurerm_key_vault_secret.k8s_client_secret.value + workspace_id = module.logs.workspace_id } #module "main_lb" { diff --git a/terraform/providers/dev/keyvault.tf b/terraform/providers/dev/keyvault.tf index 4d35fa0f..fe749ba1 100644 --- a/terraform/providers/dev/keyvault.tf +++ b/terraform/providers/dev/keyvault.tf 
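Review bot: `subnet_ids` now allows only the `private` subnet, while the same change adds an `apps` subnet in `variables.tf` that carries the `Microsoft.ContainerRegistry` service endpoint; with `policy = "Deny"`, anything pulling images from `apps` will be refused unless it is also listed here. If workloads are meant to run in `apps`, add `module.vpc.subnet_list["apps"].id` to the list; otherwise drop the unused endpoint so the intended network boundary is explicit.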
@@ -10,5 +10,6 @@ module "keyvault" { policy = "Deny" subnet_ids = [module.vpc.subnets] whitelist = var.admin_user_whitelist + workspace_id = module.logs.workspace_id } diff --git a/terraform/providers/dev/logs.tf b/terraform/providers/dev/logs.tf new file mode 100644 index 00000000..eec9df78 --- /dev/null +++ b/terraform/providers/dev/logs.tf @@ -0,0 +1,8 @@ +module "logs" { + source = "../../modules/log_analytics" + owner = var.owner + environment = var.environment + region = var.region + name = var.name +} + diff --git a/terraform/providers/dev/postgres.tf b/terraform/providers/dev/postgres.tf index 53031f85..c2120012 100644 --- a/terraform/providers/dev/postgres.tf +++ b/terraform/providers/dev/postgres.tf @@ -14,7 +14,8 @@ module "sql" { owner = var.owner environment = var.environment region = var.region - subnet_id = module.vpc.subnets # FIXME - Should be a map of subnets and specify private + subnet_id = module.vpc.subnet_list["private"].id administrator_login = data.azurerm_key_vault_secret.postgres_username.value administrator_login_password = data.azurerm_key_vault_secret.postgres_password.value + workspace_id = module.logs.workspace_id } diff --git a/terraform/providers/dev/redis.tf b/terraform/providers/dev/redis.tf index 8c89dc92..a9d0fa89 100644 --- a/terraform/providers/dev/redis.tf +++ b/terraform/providers/dev/redis.tf @@ -1,10 +1,11 @@ module "redis" { - source = "../../modules/redis" - owner = var.owner - environment = var.environment - region = var.region - name = var.name - subnet_id = module.vpc.subnet_list["redis"].id - sku_name = "Premium" - family = "P" + source = "../../modules/redis" + owner = var.owner + environment = var.environment + region = var.region + name = var.name + subnet_id = module.vpc.subnet_list["redis"].id + sku_name = "Premium" + family = "P" + workspace_id = module.logs.workspace_id } diff --git a/terraform/providers/dev/secrets.tf b/terraform/providers/dev/secrets.tf index 7a67205e..b7a97b0b 100644 
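Review bot: `subnet_ids = [module.vpc.subnets]` is left untouched while the postgres and container registry wiring in this same change moved to `module.vpc.subnet_list["private"].id`; unless `module.vpc.subnets` resolves to a single subnet ID, this either passes a nested collection to the network ACL or opens the vault to more subnets than intended. Align it with `subnet_ids = [module.vpc.subnet_list["private"].id]`, which matches the `# k8s, postgres, keyvault` note on the `private` network.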
--- a/terraform/providers/dev/secrets.tf +++ b/terraform/providers/dev/secrets.tf @@ -10,4 +10,5 @@ module "operator_keyvault" { policy = "Deny" subnet_ids = [module.vpc.subnets] whitelist = var.admin_user_whitelist + workspace_id = module.logs.workspace_id } diff --git a/terraform/providers/dev/variables.tf b/terraform/providers/dev/variables.tf index b13c0d57..1a19fc77 100644 --- a/terraform/providers/dev/variables.tf +++ b/terraform/providers/dev/variables.tf @@ -34,6 +34,7 @@ variable "networks" { public = "10.1.1.0/24,public" # LBs private = "10.1.2.0/24,private" # k8s, postgres, keyvault redis = "10.1.3.0/24,private" # Redis + apps = "10.1.4.0/24,private" # Redis } } @@ -43,23 +44,18 @@ variable "service_endpoints" { public = "Microsoft.ContainerRegistry" # Not necessary but added to avoid infinite state loop private = "Microsoft.Storage,Microsoft.KeyVault,Microsoft.ContainerRegistry,Microsoft.Sql" redis = "Microsoft.Storage,Microsoft.Sql" # FIXME: There is no Microsoft.Redis + apps = "Microsoft.Storage,Microsoft.KeyVault,Microsoft.ContainerRegistry,Microsoft.Sql" } } -variable "gateway_subnet" { - type = string - default = "10.1.20.0/24" -} - - variable "route_tables" { description = "Route tables and their default routes" type = map default = { public = "Internet" - private = "Internet" + private = "Internet" # TODO: Switch to FW redis = "VnetLocal" - #private = "VnetLocal" + apps = "Internet" # TODO: Switch to FW } } diff --git a/terraform/providers/dev/vpc.tf b/terraform/providers/dev/vpc.tf index 8d43a82f..c33e281c 100644 --- a/terraform/providers/dev/vpc.tf +++ b/terraform/providers/dev/vpc.tf @@ -4,12 +4,9 @@ module "vpc" { region = var.region virtual_network = var.virtual_network networks = var.networks - gateway_subnet = var.gateway_subnet route_tables = var.route_tables owner = var.owner name = var.name dns_servers = var.dns_servers service_endpoints = var.service_endpoints - vpn_client_cidr = var.vpn_client_cidr } -
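Review bot: The operator key vault keeps `subnet_ids = [module.vpc.subnets]` as well, and the question matters more here since this vault presumably holds the credentials the k8s and postgres modules read via data sources; confirm what `module.vpc.subnets` evaluates to and, if it is the full subnet set, restrict it to `subnet_ids = [module.vpc.subnet_list["private"].id]` with a comment saying which subnets legitimately need to reach it.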
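Review bot: The new `apps = "10.1.4.0/24,private" # Redis` entry carries a comment copied from the `redis` line; these trailing comments are the only place documenting which tier lives on each subnet, so it should read something like `# application workloads`. If `apps` is meant to host the AKS node pool or pods, say which, because the ACR and Key Vault network rules in this change key off the subnet name.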
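Review bot: Both `private` and the new `apps` subnets default-route to `Internet` with only a `# TODO: Switch to FW` comment, so the subnets holding the k8s nodes, Postgres and Key Vault have unfiltered egress until the firewall lands, and the removal of the VPN gateway elsewhere in this change makes the absence of any egress control more notable. If nothing on `apps` needs outbound Internet yet, `VnetLocal` (as `redis` uses) is the safer interim default; otherwise reference the tracking issue in the TODO so the gap is not forgotten.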