From 64adbce0e1f74b1248469eb134fefdb36cee531e Mon Sep 17 00:00:00 2001 From: Arnaud Lheureux Date: Thu, 7 May 2020 01:32:03 +0000 Subject: [PATCH] Update for #8 including data structure variable and example --- README.md | 4 +- examples/activity_logs/activity_logs.tf | 40 +++++----- examples/activity_logs/locals.tf | 14 ++++ examples/activity_logs/main.tf | 2 +- main.tf | 5 ++ module.tf | 101 +++++------------------- variables.tf | 3 + 7 files changed, 68 insertions(+), 101 deletions(-) diff --git a/README.md b/README.md index ac2c217..c3ac26a 100644 --- a/README.md +++ b/README.md @@ -5,6 +5,7 @@ Configures the Azure Activity Logs rention for a subscription into: 1. Event Hub for short term and fast access (optional). 2. Storage account for long term retention. + 3. Log Analytics Reference the module to a specific version (recommended): ```hcl @@ -12,7 +13,7 @@ module "activity_logs" { source = "aztfmod/caf-activity-logs/azurerm" version = "0.x.y" - resource_group_name = var.rg + resource_group_name = var.rg log_analytics_workspace_id = var.workspace_id diagnostic_name = var.diagnostic_name name = var.eventhub_name @@ -26,6 +27,7 @@ module "activity_logs" { | Name | Type | Default | Description | | -- | -- | -- | -- | +| audit_settings_object | string | None | (Required) Contains the settings for Azure Audit activity log retention | | resource_group_name | string | None | (Required) Name of the resource group where to create the resource. Changing this forces a new resource to be created. | | diagnostic_name | string | None | (Required) Name of the diagnostic activity log | | log_analytics_workspace_id | string | None | (Required) The resource ID of the target log analytics worksoace | diff --git a/examples/activity_logs/activity_logs.tf b/examples/activity_logs/activity_logs.tf index 6e2effb..2bee2d5 100644 --- a/examples/activity_logs/activity_logs.tf +++ b/examples/activity_logs/activity_logs.tf 
@@ -6,29 +6,31 @@ resource "azurerm_resource_group" "rg_test" { module "la_test" { source = "aztfmod/caf-log-analytics/azurerm" - version = "0.1.0" + version = "2.0.1" - location = local.location - name = local.laname - solution_plan_map = {} - prefix = "log" - resource_group_name = azurerm_resource_group.rg_test.name - tags = local.tags + location = local.location + name = local.laname + solution_plan_map = {} + prefix = "log" + resource_group_name = azurerm_resource_group.rg_test.name + tags = local.tags + convention = local.convention } module "al_test" { source = "../../" - convention = local.convention - location = local.location - name = local.name - diagnostic_name = local.diagnostic_name - log_analytics_workspace_id = module.la_test.id - prefix = local.prefix - tags = local.tags - - resource_group_name = azurerm_resource_group.rg_test.name - - logs_rentention = local.azure_activity_logs_retention - enable_event_hub = local.azure_activity_logs_event_hub + convention = local.convention + location = local.location + name = local.name + diagnostic_name = local.diagnostic_name + log_analytics_workspace_id = module.la_test.id + prefix = local.prefix + tags = local.tags + audit_settings_object = local.audit + + resource_group_name = azurerm_resource_group.rg_test.name + + logs_rentention = local.azure_activity_logs_retention + enable_event_hub = local.azure_activity_logs_event_hub } diff --git a/examples/activity_logs/locals.tf b/examples/activity_logs/locals.tf index 9a2ffa4..9a75557 100644 --- a/examples/activity_logs/locals.tf +++ b/examples/activity_logs/locals.tf 
@@ -15,6 +15,20 @@ locals { environment = "DEV" owner = "CAF" } + audit = { + log = [ + # ["Audit category name", "Audit enabled)"] + ["Administrative", true], + ["Security", true], + ["ServiceHealth", true], + ["Alert", true], + ["Recommendation", true], + ["Policy", true], + ["Autoscale", true], + ["ResourceHealth", true], + + ] + } azure_activity_logs_event_hub = true azure_activity_logs_retention = 180 diff --git a/examples/activity_logs/main.tf b/examples/activity_logs/main.tf index 23db8f2..c684465 100644 --- a/examples/activity_logs/main.tf +++ b/examples/activity_logs/main.tf @@ -1,5 +1,5 @@ provider "azurerm" { - version = "~>2.2.0" + version = ">=2.8.0" features {} } diff --git a/main.tf b/main.tf index 2db4c0e..52d0fcf 100644 --- a/main.tf +++ b/main.tf @@ -7,3 +7,8 @@ locals { data "azurerm_subscription" "current" { } + +provider "azurerm" { + version = "~>2.8.0" + features {} +} diff --git a/module.tf b/module.tf index 6f87389..a6b5220 100644 --- a/module.tf +++ b/module.tf 
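Review bot: The header comment on the new `audit.log` list in `examples/activity_logs/locals.tf` has mismatched quoting, `# ["Audit category name", "Audit enabled)"]`, and should read `# ["Audit category name", "Audit enabled"]`; the stray blank line before the closing `]` can go as well. Since the module consumes each entry positionally (`log.value[0]` for the category, `log.value[1]` for the enabled flag), the comment is the only place a reader learns the field order, so it should say explicitly that the first element is the Activity Log category name and the second whether that category is exported. The example enables every category, which is the right default for an audit trail; it is worth adding that setting `Security` or `Administrative` to `false` stops those events from being forwarded to the workspace, storage account and Event Hub.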
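Review bot: The new `provider "azurerm"` block in the module's own `main.tf` places a provider configuration inside a reusable child module rather than in the calling configuration: Terraform treats provider blocks in child modules as legacy, a module that contains one cannot be instantiated with `count`/`for_each`, and callers lose the ability to pass in their own azurerm configuration, which also overlaps with the provider the example already declares in `examples/activity_logs/main.tf`. The version pin should be expressed as a requirement instead, `terraform { required_providers { azurerm = "~> 2.8.0" } }`, and the `features {}` block left to the root configuration. If the intent was only to require a provider new enough for the arguments used in `module.tf`, the `required_providers` form achieves that without these side effects.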
@@ -1,21 +1,21 @@ # Defines the subscription-wide logging and eventing settings # Creating the containers on Storage Account and Event Hub (optional) resource "azurecaf_naming_convention" "caf_name_st" { - name = var.name - prefix = var.prefix != "" ? var.prefix : null - postfix = var.postfix != "" ? var.postfix : null - max_length = var.max_length != "" ? var.max_length : null - resource_type = "azurerm_storage_account" - convention = var.convention + name = var.name + prefix = var.prefix != "" ? var.prefix : null + postfix = var.postfix != "" ? var.postfix : null + max_length = var.max_length != "" ? var.max_length : null + resource_type = "azurerm_storage_account" + convention = var.convention } resource "azurecaf_naming_convention" "caf_name_evh" { - name = var.name - prefix = var.prefix != "" ? var.prefix : null - postfix = var.postfix != "" ? var.postfix : null - max_length = var.max_length != "" ? var.max_length : null - resource_type = "evh" - convention = var.convention + name = var.name + prefix = var.prefix != "" ? var.prefix : null + postfix = var.postfix != "" ? var.postfix : null + max_length = var.max_length != "" ? var.max_length : null + resource_type = "azurerm_eventhub_namespace" + convention = var.convention } resource "azurerm_storage_account" "log" { 
@@ -40,81 +40,22 @@ resource "azurerm_eventhub_namespace" "log" { capacity = 2 tags = local.tags auto_inflate_enabled = false - # kafka_enabled = true } resource "azurerm_monitor_diagnostic_setting" "audit" { - name = var.name target_resource_id = data.azurerm_subscription.current.id log_analytics_workspace_id = var.log_analytics_workspace_id - eventhub_authorization_rule_id = var.enable_event_hub == true ? "${azurerm_eventhub_namespace.log[0].id}/authorizationrules/RootManageSharedAccessKey" : null - eventhub_name = azurerm_eventhub_namespace.log[0].name + eventhub_authorization_rule_id = var.enable_event_hub ? "${azurerm_eventhub_namespace.log[0].id}/authorizationrules/RootManageSharedAccessKey" : null + eventhub_name = var.enable_event_hub ? azurerm_eventhub_namespace.log[0].name : null storage_account_id = azurerm_storage_account.log.id - log { - category = "Administrative" - enabled = true - retention_policy { - days = 0 - enabled = false - } - } - log { - category = "Security" - enabled = true - retention_policy { - days = 0 - enabled = false - } - } - log { - category = "ServiceHealth" - enabled = true - retention_policy { - days = 0 - enabled = false - } - } - log { - category = "Alert" - enabled = true - retention_policy { - days = 0 - enabled = false - } - } - log { - category = "Recommendation" - enabled = true - retention_policy { - days = 0 - enabled = false - } - } - log { - category = "Policy" - enabled = true - retention_policy { - days = 0 - enabled = false - } - } - log { - category = "Autoscale" - enabled = true - retention_policy { - days = 0 - enabled = false - } - } - log { - category = "ResourceHealth" - enabled = true - retention_policy { - days = 0 - enabled = false - } - } + dynamic "log" { + for_each = var.audit_settings_object.log + content { + category = log.value[0] + enabled = log.value[1] + } + } } \ No newline at end of file diff --git a/variables.tf b/variables.tf index 192b696..40a57a3 100644 --- a/variables.tf +++ b/variables.tf 
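Review bot: The hunk removes `name = var.name` from `azurerm_monitor_diagnostic_setting.audit` without a replacement; `name` is a required argument of that resource in the azurerm provider, so the plan should fail unless the provider version in use has made it optional, and the line should be restored as `name = var.name` (or `name = var.diagnostic_name`, which the README and the example still pass in). The new `dynamic "log"` block also drops the `retention_policy` sub-block that each removed category carried, even though `audit_settings_object` is described as holding retention settings; either re-add the explicit `retention_policy { days = 0 enabled = false }` inside `content` so behaviour is unchanged, or source it from the variable and document that. Separately, the export path is still bound to `RootManageSharedAccessKey`, which carries Manage rights on the namespace; a dedicated authorization rule with only `send` permission is sufficient for diagnostic export and keeps the setting at least privilege. The enclosing `azurerm_eventhub_namespace.log` block starts outside the hunk.
```hcl
resource "azurerm_monitor_diagnostic_setting" "audit" {
  name                       = var.name
  # … unchanged: target_resource_id, log_analytics_workspace_id, event hub and storage_account_id arguments …

  dynamic "log" {
    for_each = var.audit_settings_object.log
    content {
      category = log.value[0]
      enabled  = log.value[1]
      # Restores the retention behaviour the replaced per-category blocks had.
      retention_policy {
        days    = 0
        enabled = false
      }
    }
  }
}
```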
@@ -53,3 +53,6 @@ variable "max_length" { default = "" } +variable "audit_settings_object" { + description = "(Required) Contains the settings for Azure Audit activity log retention" +}
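Review bot: `variable "audit_settings_object"` is declared without a `type`, so a malformed value is only detected when `module.tf` indexes `log.value[0]`/`log.value[1]` inside the `dynamic "log"` block; declaring the expected shape, `type = object({ log = list(tuple([string, bool])) })`, makes the module reject bad input at plan time with a message that names the variable. The description says the object contains retention settings, but the only fields the module consumes are the Activity Log category name and its enabled flag, so it should describe those (and the categories the example enables) rather than retention, so callers do not assume retention is configured through it. The same wording is used in the README table row added by this commit and should be corrected alongside.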