Module not compatible with Azure Landing Zones, as it expects certain resources from a different subscription

[mestredelpino]

Is there an existing issue for this?

• [X] I have searched the existing issues

Description

The Azure Landing Zones architecture expects a centralized deployment of Azure Log Analytics Workspace in the "management" subscription, while the rest of AKS resources should be on the "online" subscription. This AKS module does provide the possibility to use an existing LA workspace, but it expects it to be in the same subscription as all the other AKS resources.

The module should provide an input to properly import the LA workspace from a different subscription.

New or Affected Resource(s)/Data Source(s)

data.azurerm_log_analytics_workspace.main

Potential Terraform Configuration

provider "azurerm" {
  features {}
  alias = "management"
  subscription_id = var.subscription_id_management
}

variable "subscription_id_management" {
  type = string
  description = "The ID of the ALZ management subscription"
}

data "azurerm_log_analytics_workspace" "main" {
  provider = azurerm.management
  count = local.query_datasource_for_log_analytics_workspace_location ? 1 : 0

  name                = var.log_analytics_workspace.name
  resource_group_name = local.log_analytics_workspace.resource_group_name
}

References

https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/

[zioproto]

@mestredelpino there is a way to make this work without code changes. You have to set values to all fields of this variable log_analytics_workspace:

https://github.com/Azure/terraform-azurerm-aks/blob/decb533e2785f965673698b0ac9949faca963f68/variables.tf#L690-L699

It is important to set the location field.

Also var.log_analytics_workspace_enabled must be set to true.

https://github.com/Azure/terraform-azurerm-aks/blob/decb533e2785f965673698b0ac9949faca963f68/variables.tf#L725-L730

This way you can use a Log Analytics Workspace that is created in a different subscription.

The location in var.log_analytics_workspace is important because at: https://github.com/Azure/terraform-azurerm-aks/blob/decb533e2785f965673698b0ac9949faca963f68/locals.tf#L57

If the location is null then you will use the datasource that does not support referencing a resource in a different subscription: https://github.com/Azure/terraform-azurerm-aks/blob/decb533e2785f965673698b0ac9949faca963f68/log_analytics.tf#L52-L57

[zioproto]

@mestredelpino please confirm if your issue is solved. Thanks

[zioproto]

@mestredelpino friendly ping

[mestredelpino]

Hi @zioproto, I am currently getting this error

│ Error: creating Solution (Subscription: "" │ Resource Group Name: "es-mgmt" │ Solution Name: "ContainerInsights(es-la)"): performing CreateOrUpdate: unexpected status 404 (404 Not Found) with error: ResourceGroupNotFound: Resource group 'es-mgmt' could not be found. │ │ with module.aks.azurerm_log_analytics_solution.main[0], │ on .terraform/modules/aks/log_analytics.tf line 59, in resource "azurerm_log_analytics_solution" "main": │ 59: resource "azurerm_log_analytics_solution" "main" { │ │ creating Solution (Subscription: "" │ Resource Group Name: "es-mgmt" │ Solution Name: "ContainerInsights(es-la)"): performing CreateOrUpdate: unexpected status 404 (404 Not Found) with error: ResourceGroupNotFound: Resource group 'es-mgmt' could not be found.

This is how I configured the variables suggested:

log_analytics_workspace_enabled = true 
log_analytics_workspace = {
    location = "westeurope" 
    id = "/subscriptions/<MANAGEMENT_SUBSCRIPTION_ID>/resourceGroups/es-mgmt/providers/Microsoft.OperationalInsights/workspaces/es-la/" 
    name = "es-la" 
    resource_group_name = "es-mgmt" 
    }

[zioproto]

Cc: @ibersanoMS

@mestredelpino AVM is releasing an AKS resource module here: https://github.com/Azure/terraform-azurerm-avm-res-containerservice-managedcluster

It makes sense to assess first if the new module has the same issue.