Configures KeyVault to log to a log analytics workspace

terraform/modules/keyvault/main.tf

@@ -76,4 +76,26 @@ resource "azurerm_key_vault_access_policy" "keyvault_admin_policy" {
     "backup",
     "update",
   ]
-}
+}
+
+resource "azurerm_monitor_diagnostic_setting" "keyvault_diagnostic" {
+  name                       = "${var.name}-${var.environment}-keyvault-diag"
+  target_resource_id         = azurerm_key_vault.keyvault.id
+  log_analytics_workspace_id = var.workspace_id
+
+  log {
+    category = "AuditEvent"
+    enabled  = true
+
+    retention_policy {
+      enabled = true
+    }
+  }
+  metric {
+    category = "AllMetrics"
+
+    retention_policy {
+      enabled = true
+    }
+  }
+}

terraform/modules/keyvault/variables.tf

@@ -48,4 +48,10 @@ variable "whitelist" {
   type        = map
   description = "A map of whitelisted IPs and CIDR ranges. For single IPs, Azure expects just the IP, NOT a /32."
   default     = {}
-}
+}
+
+variable "workspace_id" {
+  description = "Log Analytics Workspace ID for sending logs generated by this resource"
+  type        = string
+
+}

terraform/providers/dev/keyvault.tf

@@ -10,5 +10,6 @@ module "keyvault" {
   policy           = "Deny"
   subnet_ids       = [module.vpc.subnets]
   whitelist        = var.admin_user_whitelist
+  workspace_id     = module.logs.workspace_id
 }
 

terraform/providers/dev/secrets.tf

@@ -10,4 +10,5 @@ module "operator_keyvault" {
   policy           = "Deny"
   subnet_ids       = [module.vpc.subnets]
   whitelist        = var.admin_user_whitelist
+  workspace_id     = module.logs.workspace_id
 }