Azure / terraform-azurerm-caf-enterprise-scale

Azure landing zones Terraform module
https://aka.ms/alz/tf
MIT License

Provide full support for Azure Monitor Private Link Scopes #852

Open WibblyDibbler opened 11 months ago

WibblyDibbler commented 11 months ago


Description

Is your feature request related to a problem?

There does not appear to be full support for using the ALZ module with Azure Monitor Private Link Scopes (AMPLS).

As per https://learn.microsoft.com/en-us/azure/azure-monitor/logs/private-link-security, AMPLS is a major component in reducing the risk of data exfiltration. As per https://learn.microsoft.com/en-us/azure/azure-monitor/logs/private-link-design, AMPLS requires associated Log Analytics workspaces to use customer-managed storage accounts for custom log ingestion. Those storage accounts must be accessible via private links, which require virtual network connectivity.

The ALZ module documentation is lacking relative to the deployment of azurerm_log_analytics_linked_storage_account, azurerm_monitor_private_link_scope, and azurerm_monitor_private_link_scoped_service for the Log Analytics workspace(s) deployed by the Management Resources. Specifically consider the example at https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-using-multiple-module-declarations-with-remote-state#coremaintf. Being a networking concern, it seems like the aforementioned AMPLS resources should reside alongside the Connectivity configuration, not Management. Assuming that is proper, that would imply that the Connectivity configuration would need to take a dependency on the remote configuration of the Management Resources. Some clarification here would be appreciated, as incorrectly adding dependencies could cause problems with future module expansion.

More importantly, the Management Resources do not currently expose any means of configuring the following components of the Log Analytics workspace(s):

  1. azurerm_log_analytics_workspace.cmk_for_query_forced
  2. azurerm_log_analytics_workspace.internet_ingestion_enabled
  3. azurerm_log_analytics_workspace.internet_query_enabled

Describe the solution you'd like

There is high value in documenting a recommended approach for deploying AMPLS with this module, especially when using separate configuration for Identity/Core, Management, and Connectivity.

The Management configuration should support the above azurerm_log_analytics_workspace attributes in a first-class way.

The only way to alter that configuration today requires the use of the advanced settings, which as per https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/wiki/%5BExamples%5D-Deploy-Management-Resources-With-Custom-Settings is undocumented, experimental, and seemingly full of risk.
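As an added example (not from the issue author and not code from the ALZ module), the azurerm resources the request names, written as plain Terraform with the workspace locked to private-link access; the resource group, hub-side subnet, Azure Monitor private DNS zones and customer-managed storage account are assumed inputs, and the Management and Connectivity halves are combined in one file for brevity.

```hcl
# Assumed inputs (not from the issue): resource group, hub-side subnet, Azure Monitor private DNS zones, CMK storage account.
variable "resource_group_name" { type = string }
variable "location" { type = string }
variable "private_endpoint_subnet_id" { type = string }
variable "monitor_private_dns_zone_ids" { type = list(string) }
variable "custom_logs_storage_account_id" { type = string }

# Management configuration: workspace reachable only through AMPLS.
resource "azurerm_log_analytics_workspace" "law" {
  name                       = "law-management"
  location                   = var.location
  resource_group_name        = var.resource_group_name
  internet_ingestion_enabled = false # ingestion only via private link
  internet_query_enabled     = false # queries only via private link
  cmk_for_query_forced       = true  # saved queries on customer-managed storage
}
# Customer-managed storage for custom log ingestion (required with AMPLS).
resource "azurerm_log_analytics_linked_storage_account" "custom_logs" {
  data_source_type      = "CustomLogs"
  resource_group_name   = var.resource_group_name
  workspace_resource_id = azurerm_log_analytics_workspace.law.id
  storage_account_ids   = [var.custom_logs_storage_account_id]
}
# Connectivity configuration: scope, workspace association, private endpoint.
resource "azurerm_monitor_private_link_scope" "ampls" {
  name                = "ampls-platform"
  resource_group_name = var.resource_group_name
}
resource "azurerm_monitor_private_link_scoped_service" "law" {
  name                = "ampls-law-management"
  resource_group_name = var.resource_group_name
  scope_name          = azurerm_monitor_private_link_scope.ampls.name
  linked_resource_id  = azurerm_log_analytics_workspace.law.id
}
resource "azurerm_private_endpoint" "ampls" {
  name                = "pe-ampls-platform"
  location            = var.location
  resource_group_name = var.resource_group_name
  subnet_id           = var.private_endpoint_subnet_id
  private_service_connection {
    name                           = "ampls-platform"
    private_connection_resource_id = azurerm_monitor_private_link_scope.ampls.id
    is_manual_connection           = false
    subresource_names              = ["azuremonitor"]
  }
  private_dns_zone_group {
    name                 = "azure-monitor"
    private_dns_zone_ids = var.monitor_private_dns_zone_ids
  }
}
```

When the two halves live in separate state files, the Connectivity side needs the workspace id from the Management remote state, which is the dependency direction the issue asks to have clarified.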

jaredfholgate commented 11 months ago

@luke-taylor Is this supported by the alz-management module?

luke-taylor commented 11 months ago

The alz-management module does expose the configurations specified above, but doesn't include explicit support for Azure Monitor Private Link Scopes as such.

matt-FFFFFF commented 11 months ago

Feature request logged: https://github.com/Azure/terraform-azurerm-alz-management/issues/40

WibblyDibbler commented 11 months ago

@jaredfholgate This feature request likely was too hastily crafted - thinking that the documentation and configuration concerns were related enough for a single issue. Upon further consideration, the documentation part of the request is more generic. Instead of focusing on AMPLS, the underlying documentation concern is properly maintaining custom Terraform configuration related to these overall platform needs. In a simple deployment of the module using a single configuration set for Management, Connectivity, and Core/Identity, it is reasonable to add extra/custom configuration to the same set. When deploying in the context of separate roles for each sub-module and using remote state, adding custom configuration can start adding interdependencies beyond what has been documented.

A simple approach would place the custom Management configuration alongside the ALZ module configuration - same for Connectivity and Core/Identity. This was the assumed structure when the feature request was placed.

Shared State

However, it appears that creating the dependencies in such a fashion could cause problems if/when the ALZ module changes its own dependency hierarchy. It seems that it would be safer for module consumers to separate custom configuration for each concern from the corresponding module configuration.

Separate State

WibblyDibbler commented 11 months ago

@matt-FFFFFF In an effort towards a working example of AMPLS, the relevant resources were divided between Management and Connectivity. The approach may have been short-sighted; any feedback is appreciated. Beyond the below lists, various role definitions and assignments were created for supporting the separate service principals that apply the Terraform. Although implemented as part of a hub and spoke topology, the private endpoints were deployed into a separate network to mimic the vWAN hub extension pattern, given the inclusion of some custom VPN solutions and their associated routing needs.

Management

Connectivity

matt-FFFFFF commented 11 months ago

Thanks @WibblyDibbler

We are considering how this configuration should be declared and what if any changes to this module are required.