microsoft / azure-redcap-paas

Automated deployment of REDCap with Azure Blob storage as the storage back-end
MIT License

Support enabling audit logs on MySQL Flexible Server #51

Open epopisces opened 12 months ago

epopisces commented 12 months ago

To enable audit logs to a LAW in Azure, the following MySQL configuration entries are needed: "audit_log_enabled" = "ON", "audit_log_events" = "ADMIN,CONNECTION,DCL,DDL"

The latter may vary depending on what logging is desired from the server.

Via Terraform these could be implemented via a pair of azurerm_mysql_flexible_server_configuration resources:

# Turns the MySQL audit log on for the flexible server
resource "azurerm_mysql_flexible_server_configuration" "audit_log_enabled" {
  resource_group_name = azurerm_resource_group.redcap.name
  server_name         = azurerm_mysql_flexible_server.redcap.name
  name                = "audit_log_enabled"
  value               = "ON"
}

# Selects which event classes the audit log records
resource "azurerm_mysql_flexible_server_configuration" "audit_log_events" {
  resource_group_name = azurerm_resource_group.redcap.name
  server_name         = azurerm_mysql_flexible_server.redcap.name
  name                = "audit_log_events"
  value               = "ADMIN,CONNECTION,DCL,DDL"
}

These could either be enabled via an option variable in the variables.tf file (e.g. enable_audit_log), or, even better, such a variable could add the above, defined in locals, as an argument to a merge() function such as suggested in #50 (preferred).

This will also require a diagnostic setting resource and a LAW to house logs. In Terraform:

# Diagnostic setting that forwards the server's audit log category to the LAW.
# count expects a number, so a boolean enable_audit_log variable is converted here.
resource "azurerm_monitor_diagnostic_setting" "logging" {
  count                      = var.enable_audit_log ? 1 : 0
  name                       = "mds-mysql-redcap"
  target_resource_id         = azurerm_mysql_flexible_server.redcap.id
  log_analytics_workspace_id = var.log_analytics_workspace_id

  # https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/resource-logs-categories#microsoftdbformysqlflexibleservers
  enabled_log {
    category = "MySQLAuditLogs"
  }

  metric {
    category = "AllMetrics"
  }
}
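As an added example (not code from the issue author or from the azure-redcap-paas project), the following puts the pieces of the post together in the variable-plus-merge() shape it prefers: one `enable_audit_log` switch, a locals map that is merged into a baseline set of server parameters, a single `for_each` configuration resource, and a diagnostic setting that only exists when auditing is on. The resource names `azurerm_resource_group.redcap` and `azurerm_mysql_flexible_server.redcap` are taken from the post; the baseline `require_secure_transport` entry is an assumed placeholder for whatever parameters the module already sets, and the contents of #50 are not on this page, so the merge() layout is this example's own.

```hcl
variable "enable_audit_log" {
  description = "Enable MySQL audit logging and forward it to Log Analytics."
  type        = bool
  default     = false
}

variable "log_analytics_workspace_id" {
  description = "Resource ID of the Log Analytics workspace that receives the audit logs. Required when enable_audit_log is true."
  type        = string
  default     = null
}

locals {
  # Assumed baseline parameters the module sets regardless of auditing (placeholder).
  base_mysql_configuration = {
    require_secure_transport = "ON"
  }

  # Audit parameters from the issue. Event classes can be trimmed or extended as needed.
  audit_mysql_configuration = {
    audit_log_enabled = "ON"
    audit_log_events  = "ADMIN,CONNECTION,DCL,DDL"
  }

  # The for-expression filter keeps both merge() arguments the same map(string) type,
  # so the audit entries simply disappear when the switch is off.
  mysql_configuration = merge(
    local.base_mysql_configuration,
    { for k, v in local.audit_mysql_configuration : k => v if var.enable_audit_log }
  )
}

# One resource per server parameter; keys become the parameter names.
resource "azurerm_mysql_flexible_server_configuration" "this" {
  for_each = local.mysql_configuration

  resource_group_name = azurerm_resource_group.redcap.name
  server_name         = azurerm_mysql_flexible_server.redcap.name
  name                = each.key
  value               = each.value
}

# Diagnostic setting that ships the audit log category to the workspace.
resource "azurerm_monitor_diagnostic_setting" "mysql_audit" {
  count = var.enable_audit_log ? 1 : 0

  name                       = "mds-mysql-redcap"
  target_resource_id         = azurerm_mysql_flexible_server.redcap.id
  log_analytics_workspace_id = var.log_analytics_workspace_id

  # https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/resource-logs-categories#microsoftdbformysqlflexibleservers
  enabled_log {
    category = "MySQLAuditLogs"
  }

  metric {
    category = "AllMetrics"
  }

  # Nothing is emitted until the server parameters are applied, so order the two.
  depends_on = [azurerm_mysql_flexible_server_configuration.this]
}
```

After `terraform apply`, the effective value can be confirmed from the server side with `az mysql flexible-server parameter show --resource-group <rg> --server-name <server> --name audit_log_enabled`; if the diagnostic setting exists but `audit_log_enabled` is still OFF, the MySQLAuditLogs table in the workspace will stay empty, which is the failure mode worth a check in a pipeline.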
SvenAelterman commented 11 months ago

From a governance perspective, I prefer that auditing is enabled via Azure Policy. I am not sure if MySQL database auditing can be enabled via Policy, in which case we'll consider that for implementation in Bicep.