From b61bb6a4c46be3112d873646793b89be94508e9c Mon Sep 17 00:00:00 2001
From: Rob Gil
Date: Mon, 27 Jan 2020 12:44:28 -0500
Subject: [PATCH] Configures KeyVault to log to a log analytics workspace

---
 terraform/modules/keyvault/main.tf      | 24 +++++++++++++++++++++++-
 terraform/modules/keyvault/variables.tf |  8 +++++++-
 terraform/providers/dev/keyvault.tf     |  1 +
 terraform/providers/dev/secrets.tf      |  1 +
 4 files changed, 32 insertions(+), 2 deletions(-)

diff --git a/terraform/modules/keyvault/main.tf b/terraform/modules/keyvault/main.tf
index 1df84367..185c5b7d 100644
--- a/terraform/modules/keyvault/main.tf
+++ b/terraform/modules/keyvault/main.tf
@@ -76,4 +76,26 @@ resource "azurerm_key_vault_access_policy" "keyvault_admin_policy" {
     "backup",
     "update",
   ]
-}
\ No newline at end of file
+}
+
+resource "azurerm_monitor_diagnostic_setting" "keyvault_diagnostic" {
+  name = "${var.name}-${var.environment}-keyvault-diag"
+  target_resource_id = azurerm_key_vault.keyvault.id
+  log_analytics_workspace_id = var.workspace_id
+
+  log {
+    category = "AuditEvent"
+    enabled = true
+
+    retention_policy {
+      enabled = true
+    }
+  }
+  metric {
+    category = "AllMetrics"
+
+    retention_policy {
+      enabled = true
+    }
+  }
+}
diff --git a/terraform/modules/keyvault/variables.tf b/terraform/modules/keyvault/variables.tf
index 56e7cc13..ebaabf83 100644
--- a/terraform/modules/keyvault/variables.tf
+++ b/terraform/modules/keyvault/variables.tf
@@ -48,4 +48,10 @@ variable "whitelist" {
   type = map
   description = "A map of whitelisted IPs and CIDR ranges. For single IPs, Azure expects just the IP, NOT a /32."
   default = {}
-}
\ No newline at end of file
+}
+
+variable "workspace_id" {
+  description = "Log Analytics Workspace ID for sending logs generated by this resource"
+  type = string
+
+}
diff --git a/terraform/providers/dev/keyvault.tf b/terraform/providers/dev/keyvault.tf
index 4d35fa0f..fe749ba1 100644
--- a/terraform/providers/dev/keyvault.tf
+++ b/terraform/providers/dev/keyvault.tf
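Review bot: The two `retention_policy { enabled = true }` blocks in the new `azurerm_monitor_diagnostic_setting` have no effect for this destination: the azurerm provider honours retention_policy only when the diagnostic setting targets a storage account, and this resource sets only `log_analytics_workspace_id`. How long the AuditEvent stream is kept is therefore decided by the workspace's own retention setting, which lives outside this module and is not visible in the patch. Either drop the two blocks or keep them with a comment such as `# retention_policy is ignored for Log Analytics destinations; audit-log retention is set on the workspace`, so a reader does not assume this resource guarantees retention of access audit records. Enabling AuditEvent is the right category for Key Vault access auditing, and sending metrics alongside it is fine.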
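Review bot: The description of the new `workspace_id` variable should say which identifier is expected, because `azurerm_monitor_diagnostic_setting.log_analytics_workspace_id` takes the workspace's ARM resource ID (the `id` attribute of `azurerm_log_analytics_workspace`), while that resource also exposes a `workspace_id` GUID that is not accepted there; naming the variable `workspace_id` invites passing the wrong one. Suggest `description = "Resource ID of the Log Analytics workspace (its id attribute, not its workspace_id GUID) that receives this vault's audit logs and metrics"`. Leaving the variable without a default is a good choice, since it makes audit logging mandatory for every instance of the module. The blank line before the closing brace is a stray inconsistent with the other variable blocks in the file and can be removed.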
@@ -10,5 +10,6 @@ module "keyvault" {
   policy = "Deny"
   subnet_ids = [module.vpc.subnets]
   whitelist = var.admin_user_whitelist
+  workspace_id = module.logs.workspace_id
 }
diff --git a/terraform/providers/dev/secrets.tf b/terraform/providers/dev/secrets.tf
index 7a67205e..b7a97b0b 100644
--- a/terraform/providers/dev/secrets.tf
+++ b/terraform/providers/dev/secrets.tf
@@ -10,4 +10,5 @@ module "operator_keyvault" {
   policy = "Deny"
   subnet_ids = [module.vpc.subnets]
   whitelist = var.admin_user_whitelist
+  workspace_id = module.logs.workspace_id
 }
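Review bot: Routing the operator vault's audit stream to the same `module.logs.workspace_id` as the main vault means Key Vault AuditEvent records, which carry the requested object URI (i.e. secret and key names, not values) and the caller identity, become readable by anyone with read access on that shared workspace. Whether that workspace is also consumed by less-privileged readers cannot be seen from this hunk; confirm its RBAC is at least as tight as the operator vault's own access policy, or give the operator vault a dedicated workspace. If a shared workspace is the intended design, a one-line comment on this argument saying so, e.g. `# audit logs for the operator vault are readable by every reader of the shared logs workspace`, would make that decision explicit. The `module "operator_keyvault"` block begins before this hunk.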