This module deploys logging resources (Log Analytics Workspace, Log Solutions and AMPLS) to an operations or security spoke network described in the Microsoft recommended Hub-Spoke network topology.
This module can be made SCCA compliant and used in an SCCA-compliant network: enable private endpoints and the SCCA-compliant network rules to achieve that.
For more information, please read the SCCA documentation.
```hcl
# Copyright (c) Microsoft Corporation.
# Licensed under the MIT License.
module "mod_operational_logging" {
  # Registry module sources take the form NAMESPACE/NAME/PROVIDER.
  source  = "azurenoops/overlays-management-logging/azurerm"
  version = ">= 1.0.0"

  #####################################
  ## Global Settings Configuration ###
  #####################################
  create_resource_group = true
  location              = var.location
  deploy_environment    = var.deploy_environment
  org_name              = var.org_name
  environment           = var.environment
  workload_name         = var.workload_name

  ########################################
  ## Automation Account Configuration ###
  ########################################
  # Enable Automation Account Linking to Log Analytics Workspace
  enable_linked_automation_account_creation       = true
  automation_account_sku_name                     = "Basic"
  # Argument names follow the Inputs table below.
  enable_automation_account_local_authentication  = true
  enable_automation_account_public_network_access = true

  #############################
  ## Logging Configuration ###
  #############################
  # Log Analytics Workspace Configuration
  log_analytics_workspace_allow_resource_only_permissions    = true
  log_analytics_workspace_cmk_for_query_forced               = true
  log_analytics_workspace_daily_quota_gb                     = 1
  log_analytics_workspace_internet_ingestion_enabled         = true
  log_analytics_workspace_internet_query_enabled             = true
  log_analytics_workspace_reservation_capacity_in_gb_per_day = 0 # CapacityReservation is not supported in this configuration
  log_analytics_logs_retention_in_days                       = 50
  log_analytics_workspace_sku                                = "PerGB2018"

  # (Optional) Logging Solutions
  # All solutions are disabled (false) by default
  enable_sentinel           = true
  enable_azure_activity_log = true
  enable_vm_insights        = true

  #############################
  ## Misc Configuration ###
  #############################
  # By default, this will apply resource locks to all resources created by this module.
  # To disable resource locks, set the argument to `enable_resource_locks = false`.
  enable_resource_locks = false

  # Tags
  add_tags = {} # Tags to be applied to all resources
}
```
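The usage example above leaves ingestion, querying and Automation Account access open to the public internet and keeps key-based local authentication on. The following is an added example (not the module's own code) showing the same module call with the SCCA-oriented settings the intro refers to, using only arguments from the Inputs table below; `var.aa_key_vault_url` and `var.aa_key_vault_key_id` are assumed caller-side variables.

```hcl
module "mod_operational_logging" {
  source  = "azurenoops/overlays-management-logging/azurerm"
  version = ">= 1.0.0"

  create_resource_group = true
  location              = var.location
  deploy_environment    = var.deploy_environment
  org_name              = var.org_name
  environment           = var.environment
  workload_name         = var.workload_name

  # Keep monitoring traffic on the private network: AMPLS private endpoints on,
  # no ingestion or query of the workspace over the public internet.
  enable_monitoring_private_endpoints                = true
  log_analytics_workspace_internet_ingestion_enabled = false
  log_analytics_workspace_internet_query_enabled     = false

  # Automation Account: no public endpoint, no local (key-based) authentication,
  # a managed identity for RBAC, and encryption with a key from an existing Key Vault.
  enable_linked_automation_account_creation        = true
  automation_account_sku_name                      = "Basic"
  enable_automation_account_public_network_access  = false
  enable_automation_account_local_authentication   = false
  enable_automation_account_user_assigned_identity = true
  enable_automation_account_encryption             = true
  automation_account_key_vault_url                 = var.aa_key_vault_url    # assumed caller variable
  automation_account_key_vault_key_id              = var.aa_key_vault_key_id # assumed caller variable

  # Resource-specific tables and a retention window long enough for investigations.
  log_analytics_destination_type       = "Dedicated"
  log_analytics_logs_retention_in_days = 365
  log_analytics_workspace_sku          = "PerGB2018"

  # Security-relevant solutions the module can enable.
  enable_sentinel              = true
  enable_azure_activity_log    = true
  enable_azure_security_center = true

  # Locks protect the workspace and its storage account from accidental deletion.
  enable_resource_locks = true
  lock_level            = "CanNotDelete"

  add_tags = { data_classification = "operational-logs" } # constructed sample tag
}
```

Private endpoints still need a subnet to land in, so pair this with the network inputs (for example `ampls_subnet_custom_name`) that match your spoke.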
Name | Version |
---|---|
terraform | >= 1.3 |
azurenoopsutils | ~> 1.0.4 |
azurerm | ~> 3.22 |

Name | Version |
---|---|
azurenoopsutils | ~> 1.0.4 |
azurerm | ~> 3.22 |
random | n/a |

Name | Source | Version |
---|---|---|
lz_management_resources | Azure/alz-management/azurerm | ~> 0.1 |
mod_aa_diagnostic_settings | azurenoops/overlays-diagnostic-settings/azurerm | ~> 1.0 |
mod_azure_region_lookup | azurenoops/overlays-azregions-lookup/azurerm | >= 1.0.0 |
mod_log_diagnostic_settings | azurenoops/overlays-diagnostic-settings/azurerm | ~> 1.0 |
mod_loganalytics_sa | azurenoops/overlays-storage-account/azurerm | >= 0.1.0 |
mod_scaffold_rg | azurenoops/overlays-resource-group/azurerm | >= 1.0.1 |

Name | Type |
---|---|
azurerm_role_assignment.law_contributor | resource |
azurerm_user_assigned_identity.management | resource |
random_id.uniqueString | resource |
azurenoopsutils_resource_name.ampls_snet | data source |
azurenoopsutils_resource_name.automation_account | data source |
azurenoopsutils_resource_name.laws | data source |
azurenoopsutils_resource_name.logging_st | data source |
azurenoopsutils_resource_name.user_assigned_identity | data source |
azurerm_client_config.current | data source |
azurerm_resource_group.rgrp | data source |

Name | Description | Type | Default | Required |
---|---|---|---|---|
Metric_enable | Is this Diagnostic Metric enabled? Defaults to true. | bool | true | no |
add_tags | Map of custom tags. | map(string) | {} | no |
ampls_subnet_custom_name | The name of the custom subnet to create for Azure Monitor Private Link Scope. If not set, the name will be generated using the 'name_prefix' and 'name_suffix' variables. If set, the 'name_prefix' and 'name_suffix' variables will be ignored. | string | null | no |
automation_account_custom_name | The name of the custom automation account to create. If not set, the name will be generated using the 'name_prefix' and 'name_suffix' variables. If set, the 'name_prefix' and 'name_suffix' variables will be ignored. | string | null | no |
automation_account_key_vault_key_id | The ID of the Key Vault Key to use for Automation Account encryption. | string | null | no |
automation_account_key_vault_url | The URL of the Key Vault to use for Automation Account encryption. | string | null | no |
automation_account_sku_name | The SKU of the Automation Account. Possible values are Basic, Free, and Standard. Default is Basic. | string | "Basic" | no |
create_logging_resource_group | Controls if the logging resource group should be created. If set to false, the resource group name must be provided. Default is true. | bool | true | no |
create_resource_group | Controls if the resource group should be created. If set to false, the resource group name must be provided. Default is false. | bool | false | no |
custom_resource_group_name | The name of the custom resource group to create. If not set, the name will be generated using the org_name, workload_name, deploy_environment and environment variables. | string | null | no |
days | The number of days for which this Retention Policy should apply. | number | "90" | no |
default_tags_enabled | Option to enable or disable default tags. | bool | true | no |
deploy_environment | Name of the workload's environment | string | n/a | yes |
diagnostic_setting_enabled_aa_log_categories | A list of log categories to be enabled for this diagnostic setting. | list(string) | [ | no |
diagnostic_setting_enabled_log_categories | A list of log categories to be enabled for this diagnostic setting. | list(string) | [ | no |
diagnostic_setting_enabled_metric_categories | A list of metric categories to be enabled for this diagnostic setting. | list(string) | [] | no |
enable_automation_account_encryption | Controls if encryption should be enabled for the Automation Account. Default is false. | bool | false | no |
enable_automation_account_local_authentication | Controls if local authentication should be enabled for the Automation Account. Default is true. | bool | true | no |
enable_automation_account_public_network_access | Controls if public network access should be enabled for the Automation Account. Default is true. | bool | true | no |
enable_automation_account_user_assigned_identity | Controls if a Managed Identity should be created for the Automation Account. Default is false. | bool | false | no |
enable_azure_activity_log | Controls if Azure Activity Log should be enabled. Default is true. | bool | false | no |
enable_azure_security_center | Controls if Azure Security Center should be enabled. Default is true. | bool | false | no |
enable_container_insights | Controls if Container Insights should be enabled. Default is true. | bool | false | no |
enable_diagnostic_setting | Is this Diagnostic Setting enabled? Defaults to true. | bool | true | no |
enable_key_vault_analytics | Controls if Key Vault Analytics should be enabled. Default is true. | bool | false | no |
enable_linked_automation_account | Controls if a linked Automation Account should be created. Default is true. | bool | true | no |
enable_linked_automation_account_creation | Controls if a linked Automation Account should be created. Default is true. | bool | true | no |
enable_monitoring_private_endpoints | Enables private endpoints for monitoring resources. Default is true. | bool | true | no |
enable_resource_locks | (Optional) Enable resource locks, default is false. If true, resource locks will be created for the resource group and the storage account. | bool | false | no |
enable_sentinel | Controls if Sentinel should be enabled. Default is true. | bool | false | no |
enable_service_map | Controls if Service Map should be enabled. Default is true. | bool | false | no |
enable_vm_insights | Controls if VM Insights should be enabled. Default is true. | bool | false | no |
environment | The Terraform backend environment, e.g. public or usgovernment | string | n/a | yes |
eventhub_authorization_rule_id | Specifies the ID of an Event Hub Namespace Authorization Rule used to send Diagnostics Data. | string | null | no |
eventhub_name | Specifies the name of the Event Hub where Diagnostics Data should be sent. | string | null | no |
existing_resource_group_name | The name of the existing resource group to use. If not set, the name will be generated using the org_name, workload_name, deploy_environment and environment variables. | string | null | no |
linked_log_analytic_workspace_ids | The IDs of the Log Analytics Workspaces to link to the Private Link Scope. | list(string) | [] | no |
location | Azure region in which the instance will be hosted | string | n/a | yes |
lock_level | (Optional) If locks are enabled, specifies the level to be used for this lock. | string | "CanNotDelete" | no |
log_analytics_destination_type | Possible values are AzureDiagnostics and Dedicated; defaults to AzureDiagnostics. When set to Dedicated, logs sent to a Log Analytics workspace will go into resource-specific tables instead of the legacy AzureDiagnostics table. | string | "AzureDiagnostics" | no |
log_analytics_logs_retention_in_days | The number of days to retain logs for. Possible values are between 30 and 730. Default is 30. | number | 30 | no |
log_analytics_workspace_allow_resource_only_permissions | Specifies whether the Log Analytics Workspace should only allow access to resources within the same subscription. Defaults to true. | bool | true | no |
log_analytics_workspace_cmk_for_query_forced | Specifies whether the Log Analytics Workspace should force the use of Customer Managed Keys for query. Defaults to true. | bool | true | no |
log_analytics_workspace_daily_quota_gb | The daily ingestion quota in GB for the Log Analytics Workspace. Default is 1. | number | 1 | no |
log_analytics_workspace_id | The ID of the Log Analytics Workspace where logs should be sent. | string | null | no |
log_analytics_workspace_internet_ingestion_enabled | Should the Log Analytics Workspace support ingestion over the Public Internet? Defaults to true. | bool | false | no |
log_analytics_workspace_internet_query_enabled | Should the Log Analytics Workspace support querying over the Public Internet? Defaults to true. | bool | true | no |
log_analytics_workspace_reservation_capacity_in_gb_per_day | The daily ingestion quota in GB for the Log Analytics Workspace. Default is 200. | number | 200 | no |
log_analytics_workspace_sku | The SKU of the Log Analytics Workspace. Possible values are PerGB2018 and Free. Default is PerGB2018. | string | "PerGB2018" | no |
log_enabled | Is this Diagnostic Log enabled? Defaults to true. | string | true | no |
loganalytics_storage_account_kind | The Kind of log analytics storage account to create. Valid options are Storage, StorageV2, BlobStorage, FileStorage, BlockBlobStorage. | string | "StorageV2" | no |
loganalytics_storage_account_replication_type | The Replication Type of log analytics storage account to create. Valid options are LRS, GRS, RAGRS, ZRS, GZRS, RAGZRS. | string | "GRS" | no |
loganalytics_storage_account_tier | The Tier of log analytics storage account to create. Valid options are Standard and Premium. | string | "Standard" | no |
name_prefix | Optional prefix for the generated name | string | "" | no |
name_suffix | Optional suffix for the generated name | string | "" | no |
ops_logging_law_custom_name | The name of the custom operational logging LAWS workspace to create. If not set, the name will be generated using the 'name_prefix' and 'name_suffix' variables. If set, the 'name_prefix' and 'name_suffix' variables will be ignored. | string | null | no |
ops_logging_law_sa_custom_name | The name of the custom operational logging LAWS storage account to create. If not set, the name will be generated using the 'name_prefix' and 'name_suffix' variables. If set, the 'name_prefix' and 'name_suffix' variables will be ignored. | string | null | no |
org_name | Name of the organization | string | n/a | yes |
retention_policy_enabled | Is this Retention Policy enabled? | bool | false | no |
storage_account_id | The ID of the Storage Account where logs should be sent. | string | null | no |
use_location_short_name | Use the short location name for resource naming (i.e. eastus -> eus). Default is true. If set to false, the full CLI location name will be used. If custom naming is set, this variable will be ignored. | bool | true | no |
use_naming | Use the Azure NoOps naming provider to generate the default resource name. storage_account_custom_name overrides this if set. The legacy default name is used if this is set to false. | bool | true | no |
user_assigned_identity_custom_name | The name of the custom user assigned identity to create. If not set, the name will be generated using the 'name_prefix' and 'name_suffix' variables. If set, the 'name_prefix' and 'name_suffix' variables will be ignored. | string | null | no |
workload_name | Name of the workload | string | n/a | yes |

Name | Description |
---|---|
automation_account_dsc_server_endpoint | Automation Account DSC Server Endpoint |
automation_account_id | Automation Account ID |
automation_account_identity | Automation Account Identity |
automation_account_name | Automation Account Name |
laws_name | LAWS Name |
laws_primary_shared_key | LAWS Primary Shared Key |
laws_resource_id | LAWS Resource ID |
laws_rgname | LAWS Resource Group Name |
laws_secondary_shared_key | LAWS Secondary Shared Key |
laws_storage_account_id | LAWS Storage Account ID |
laws_storage_account_location | LAWS Storage Account Location |
laws_storage_account_name | LAWS Storage Account Name |
laws_storage_account_rgname | LAWS Storage Account Resource Group Name |
laws_workspace_id | LAWS Workspace ID |