hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Support for [log_analytics_workspace_id as target for azurerm_monitor_log_profile] #7008

Open lyndon678 opened 4 years ago

lyndon678 commented 4 years ago


Description

Exporting the activity log of Azure subscriptions for processing is imperative for governance and security. Unfortunately, azurerm_log_profile only supports two of the three common targets, Event Hub and Storage Account. Support for a Log Analytics Workspace would be highly appreciated.

New or Affected Resource(s)

Potential Terraform Configuration


resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "East US"
}

resource "azurerm_log_analytics_workspace" "example" {
  name                = "acctest-01"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  sku                 = "PerGB2018"
  retention_in_days   = 180
}

resource "azurerm_monitor_log_profile" "example" {
  name = "default"

  categories = [
    "Action",
    "Delete",
    "Write",
  ]

  locations = [
    "westus",
    "global",
  ]

  log_analytics_workspace_id = azurerm_log_analytics_workspace.example.workspace_id
}

References

magodo commented 4 years ago

Hi @lyndon678, thank you for submitting this issue :+1: As you know, azurerm_monitor_log_profile is a legacy method to manage the platform logs and metrics, in favor of diagnostic settings. There is the corresponding Terraform resource, azurerm_monitor_diagnostic_setting, which accepts log_analytics_workspace_id. If you for some reason are not able to migrate to using the diagnostic settings, then unfortunately the current API of monitor log profile doesn't support specifying the log analytics workspace id directly. However, as the document mentioned, we can create a data source (as stated in #4446) to support it.

kylelee24 commented 3 years ago

Since I didn't find this information easy to come by: I agree with @magodo that azurerm_monitor_diagnostic_setting is what should be used, as it accepts log_analytics_workspace_id. You can then pass in your current subscription ID as the target_resource_id. Here is an example of what worked for me.

# The subscription whose activity log should be exported.
data "azurerm_subscription" "current" {
}

# Diagnostic setting at subscription scope: this is what routes the
# activity log to the workspace. The workspace is expected to be declared
# elsewhere as azurerm_log_analytics_workspace.log-workspace; note that the
# full resource id (.id) is passed, not the workspace GUID (.workspace_id).
resource "azurerm_monitor_diagnostic_setting" "diag-activitylog" {
  name                       = "diag-activitylog"
  target_resource_id         = data.azurerm_subscription.current.id
  log_analytics_workspace_id = azurerm_log_analytics_workspace.log-workspace.id

  # One log block per activity log category to be forwarded.
  log {
    category = "Administrative"
    enabled  = true
  }

  log {
    category = "Security"
    enabled  = true
  }

  log {
    category = "ServiceHealth"
    enabled  = true
  }

  log {
    category = "Alert"
    enabled  = true
  }

  log {
    category = "Recommendation"
    enabled  = true
  }

  log {
    category = "Policy"
    enabled  = true
  }

  log {
    category = "Autoscale"
    enabled  = true
  }

  log {
    category = "ResourceHealth"
    enabled  = true
  }
}

One issue is that the data source on the log analytics workspace doesn't automatically connect. Seems like this will need to be done manually as per https://github.com/terraform-providers/terraform-provider-azurerm/issues/3182.
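The same subscription-scoped diagnostic setting, written as an added example that is not from this thread or from the provider's documentation, using the newer enabled_log block form of azurerm_monitor_diagnostic_setting (the log block with enabled = true shown above was deprecated in azurerm 3.x and removed in 4.x) and a dynamic block so the category list lives in one place. Resource names, the resource group and the retention value are assumptions.

```hcl
# Subscription whose activity log is exported (assumed: the current one).
data "azurerm_subscription" "current" {}

resource "azurerm_resource_group" "logs" {
  name     = "rg-activitylog" # assumed name
  location = "East US"
}

resource "azurerm_log_analytics_workspace" "activity" {
  name                = "law-activitylog" # assumed name
  location            = azurerm_resource_group.logs.location
  resource_group_name = azurerm_resource_group.logs.name
  sku                 = "PerGB2018"
  retention_in_days   = 180 # assumed; pick per your retention policy
}

locals {
  # All activity log categories; Administrative, Security and Policy are the
  # ones an audit or incident review most often needs.
  activity_log_categories = [
    "Administrative", "Security", "ServiceHealth", "Alert",
    "Recommendation", "Policy", "Autoscale", "ResourceHealth",
  ]
}

resource "azurerm_monitor_diagnostic_setting" "activitylog" {
  name               = "diag-activitylog"
  target_resource_id = data.azurerm_subscription.current.id

  # Full ARM resource id of the workspace (.id), not the GUID in
  # .workspace_id, which is what the issue's proposed config used.
  log_analytics_workspace_id = azurerm_log_analytics_workspace.activity.id

  # One enabled_log block per category, generated from the list above.
  dynamic "enabled_log" {
    for_each = toset(local.activity_log_categories)
    content {
      category = enabled_log.value
    }
  }
}
```

After apply, entries should appear in the workspace's AzureActivity table; if a category is missing, check the list in locals before suspecting the workspace link.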