Configures KeyVault to log to a log analytics workspace
This commit is contained in:
parent
3e4244fc6d
commit
b61bb6a4c4
@ -76,4 +76,26 @@ resource "azurerm_key_vault_access_policy" "keyvault_admin_policy" {
|
||||
"backup",
|
||||
"update",
|
||||
]
|
||||
}
|
||||
}
|
||||
|
||||
resource "azurerm_monitor_diagnostic_setting" "keyvault_diagnostic" {
|
||||
name = "${var.name}-${var.environment}-keyvault-diag"
|
||||
target_resource_id = azurerm_key_vault.keyvault.id
|
||||
log_analytics_workspace_id = var.workspace_id
|
||||
|
||||
log {
|
||||
category = "AuditEvent"
|
||||
enabled = true
|
||||
|
||||
retention_policy {
|
||||
enabled = true
|
||||
}
|
||||
}
|
||||
metric {
|
||||
category = "AllMetrics"
|
||||
|
||||
retention_policy {
|
||||
enabled = true
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -48,4 +48,10 @@ variable "whitelist" {
|
||||
type = map
|
||||
description = "A map of whitelisted IPs and CIDR ranges. For single IPs, Azure expects just the IP, NOT a /32."
|
||||
default = {}
|
||||
}
|
||||
}
|
||||
|
||||
variable "workspace_id" {
|
||||
description = "Log Analytics Workspace ID for sending logs generated by this resource"
|
||||
type = string
|
||||
|
||||
}
|
||||
|
@ -10,5 +10,6 @@ module "keyvault" {
|
||||
policy = "Deny"
|
||||
subnet_ids = [module.vpc.subnets]
|
||||
whitelist = var.admin_user_whitelist
|
||||
workspace_id = module.logs.workspace_id
|
||||
}
|
||||
|
||||
|
@ -10,4 +10,5 @@ module "operator_keyvault" {
|
||||
policy = "Deny"
|
||||
subnet_ids = [module.vpc.subnets]
|
||||
whitelist = var.admin_user_whitelist
|
||||
workspace_id = module.logs.workspace_id
|
||||
}
|
||||
|
Loading…
x
Reference in New Issue
Block a user