pk/atst
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Configures KeyVault to log to a log analytics workspace

Browse Source
This commit is contained in:
Rob Gil 2020-01-27 12:44:28 -05:00
parent 3e4244fc6d
commit b61bb6a4c4
4 changed files with 32 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
terraform/modules/keyvault/main.tf
View File

@ -77,3 +77,25 @@ resource "azurerm_key_vault_access_policy" "keyvault_admin_policy" {
"update", "update",
] ]
} }
resource "azurerm_monitor_diagnostic_setting" "keyvault_diagnostic" {
name = "${var.name}-${var.environment}-keyvault-diag"
target_resource_id = azurerm_key_vault.keyvault.id
log_analytics_workspace_id = var.workspace_id
log {
category = "AuditEvent"
enabled = true
retention_policy {
enabled = true
}
}
metric {
category = "AllMetrics"
retention_policy {
enabled = true
}
}
}

6
terraform/modules/keyvault/variables.tf
View File

@ -49,3 +49,9 @@ variable "whitelist" {
description = "A map of whitelisted IPs and CIDR ranges. For single IPs, Azure expects just the IP, NOT a /32." description = "A map of whitelisted IPs and CIDR ranges. For single IPs, Azure expects just the IP, NOT a /32."
default = {} default = {}
} }
variable "workspace_id" {
description = "Log Analytics Workspace ID for sending logs generated by this resource"
type = string
}

1
terraform/providers/dev/keyvault.tf
View File

@ -10,5 +10,6 @@ module "keyvault" {
policy = "Deny" policy = "Deny"
subnet_ids = [module.vpc.subnets] subnet_ids = [module.vpc.subnets]
whitelist = var.admin_user_whitelist whitelist = var.admin_user_whitelist
workspace_id = module.logs.workspace_id
} }

1
terraform/providers/dev/secrets.tf
View File

@ -10,4 +10,5 @@ module "operator_keyvault" {
policy = "Deny" policy = "Deny"
subnet_ids = [module.vpc.subnets] subnet_ids = [module.vpc.subnets]
whitelist = var.admin_user_whitelist whitelist = var.admin_user_whitelist
workspace_id = module.logs.workspace_id
} }