
Global diagnostics settings #1762

Open
gevraud opened this issue Aug 18, 2023 · 1 comment
gevraud commented Aug 18, 2023

Hello @LaurentLesle,

Related to this issue #1570, I was wondering how to set global diagnostics settings / definitions.

My tfvars files are like this:

➜  caf git:(master) ✗ ll configuration/stainfra/level0/launchpad
total 104K
-rw-r--r-- 1 vscode docker 1.9K Jun 23 19:19 azuread_api_permissions.tfvars
-rw-r--r-- 1 vscode docker  575 May 24 14:14 azuread_applications.tfvars
-rw-r--r-- 1 vscode vscode  360 Jun 23 19:18 azuread_group_members.tfvars
-rw-r--r-- 1 vscode docker 3.9K May 24 14:14 azuread_groups.tfvars
-rw-r--r-- 1 vscode vscode 1.2K May 26 12:32 azuread_roles.tfvars
-rw-r--r-- 1 vscode docker  659 May 24 14:14 azuread_service_principals.tfvars
-rw-r--r-- 1 vscode docker 9.5K Aug 17 14:27 diagnostic_definitions.tfvars
-rw-r--r-- 1 vscode docker 1.4K May 24 14:14 diagnostic_logs_analystics.tfvars
-rw-r--r-- 1 vscode docker  818 May 24 14:14 diagnostics_destinations.tfvars
-rw-r--r-- 1 vscode docker  438 May 24 14:14 diagnostics_event_hubs.tfvars
-rw-r--r-- 1 vscode docker 2.3K May 24 14:14 diagnostic_storage_accounts.tfvars
-rw-r--r-- 1 vscode vscode 2.9K May 26 12:32 dynamic_keyvault_secrets.tfvars
-rw-r--r-- 1 vscode docker 1.4K May 24 14:14 global_settings.tfvars
-rw-r--r-- 1 vscode docker 2.1K May 24 14:14 keyvault_access_policies.tfvars
-rw-r--r-- 1 vscode vscode 5.3K Jun 23 19:19 keyvaults.tfvars
-rw-r--r-- 1 vscode docker  100 May 24 14:14 landingzone.tfvars
-rw-r--r-- 1 vscode vscode  484 May 26 12:32 managed_identities.tfvars
-rw-r--r-- 1 vscode docker 3.1K May 24 14:14 readme.md
-rw-r--r-- 1 vscode docker  531 May 24 14:14 resource_groups.tfvars
-rw-r--r-- 1 vscode vscode 4.7K Jun 23 19:19 role_mapping.tfvars
-rw-r--r-- 1 vscode docker 2.8K May 24 14:14 storage_accounts.tfvars
-rw-r--r-- 1 vscode docker  439 May 24 14:14 subscriptions.tfvars

And my global_settings.tfvars is like this:

passthrough = true
inherit_tags = true
default_region = "region1"
regions = {
  region1 = "westeurope"
  region2 = "northeurope"
}

launchpad_key_names = {
  keyvault = "level0"
  tfstates = [
    "level0",
    "level1",
    "level2",
    "level3",
    "level4"
  ]
}

tags = {
  deployment_type   = "Terraform"
  deployment_module = "CAF"
}

Should I move the content of all diagnostics_xxx.tfvars into global_settings.tfvars?
Could you provide an example of how to set it globally?

Regards


gevraud commented Aug 21, 2023

Hello,

I tried this code.

diagnostics deployed in level0 launchpad:

diagnostics_destinations = {
  # Storage keys must reference the azure region name
  # For storage, reference "all_regions" and we will send the logs to the storage account
  # in the region of the deployment
  storage = {
    all_regions = {
      westeurope = {
        storage_account_key = "diagsiem_region1"
      }
      northeurope = {
        storage_account_key = "diagsiem_region2"
      }
    }
  }

  log_analytics = {
    central_logs = {
      log_analytics_key              = "central_logs_region1"
      log_analytics_destination_type = "Dedicated"
    }
  }

  event_hub_namespaces = {
    central_logs = {
      event_hub_namespace_key = "central_logs_region1"
    }
  }
}
diagnostic_event_hub_namespaces = {
  central_logs_region1 = {
    name               = "evlogs"
    resource_group_key = "monitoring"
    sku                = "Standard"
    region             = "region1"
  }
}

firewall.tfvars in level2:

azurerm_firewalls = {
  myfw = {
    ...
    ...
    diagnostic_profiles = {
      central_logs_region1 = {
        name             = "operational_firewall_logs"
        definition_key   = "azurerm_firewall"
        destination_type = "event_hub"
        destination_key  = "central_logs"
      }
    }
  }
}

diag definition in level2 (same LZ as the FW):

diagnostics_definition = {
  azurerm_firewall = {
    name = "operational_logs_and_metrics"
    categories = {
      log = [
        # ["Category name",  "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
        ["AzureFirewallApplicationRule", true, false, 7],
        ["AzureFirewallNetworkRule", true, false, 7],
        ["AzureFirewallDnsProxy", true, false, 7],
        ["AZFWApplicationRule", true, false, 7],
        ["AZFWApplicationRuleAggregation", true, false, 7],
        ["AZFWDnsQuery", true, false, 7],
        ["AZFWFatFlow", true, true, 7],
        ["AZFWFlowTrace", true, true, 7],
        ["AZFWFqdnResolveFailure", true, false, 7],
        ["AZFWIdpsSignature", true, false, 7],
        ["AZFWNatRule", true, false, 7],
        ["AZFWNatRuleAggregation", true, false, 7],
        ["AZFWNetworkRule", true, false, 7],
        ["AZFWNetworkRuleAggregation", true, false, 7],
        ["AZFWThreatIntel", true, false, 7],
      ]
      metric = [
        #["Category name",  "Diagnostics Enabled(true/false)", "Retention Enabled(true/false)", Retention_period]
        ["AllMetrics", true, false, 7],
      ]
    }
  }
}

The plan gave me this error:

│ Error: Error in function call
│
│   on /home/vscode/.terraform.cache/stainfra/modules/solution/modules/diagnostics/module.tf line 18, in resource "azurerm_monitor_diagnostic_setting" "diagnostics":
│   18:   eventhub_authorization_rule_id = contains(try([tostring(each.value.destination_type)], tolist(each.value.destination_type)), "event_hub") ? coalesce(
│   19:     try(each.value.eventhub_authorization_rule_id, null),
│   20:     try(format("%s/authorizationRules/RootManageSharedAccessKey", var.diagnostics.event_hub_namespaces[var.diagnostics.diagnostics_destinations.event_hub_namespaces[each.value.destination_key].event_hub_namespace_key].id), null)
│   21:   ) : null
│     ├────────────────
│     │ while calling coalesce(vals...)
│     │ each.value is object with 4 attributes
│     │ each.value.destination_key is "central_logs"
│     │ var.diagnostics.diagnostics_destinations.event_hub_namespaces is object with no attributes
│     │ var.diagnostics.event_hub_namespaces is object with no attributes
│
│ Call to function "coalesce" failed: no non-null, non-empty-string arguments.

I can see that the outputs of level0 contain diagnostics_destinations.

Did I miss something?
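A small consistency check for the three blocks quoted above, added here as an example and not part of the issue or of the CAF module: it models the lookups the quoted error trace shows module.tf performing (destination_key into diagnostics_destinations.event_hub_namespaces, then event_hub_namespace_key into event_hub_namespaces) and reports which reference is dangling. The log_analytics row of the mapping and its attribute names are assumptions by analogy; the sample data is constructed from the tfvars in the comment.

```python
"""Cross-reference check for CAF-style diagnostic_profiles (added example)."""

# Per destination_type: the diagnostics_destinations block consulted, the attribute
# naming the target, and the top-level diagnostics object that must hold the target.
# The event_hub row is read off the error trace in the issue (module.tf line 20);
# the log_analytics row is an assumption. Storage is region-nested and not modelled.
DESTINATION_MAP = {
    "event_hub": ("event_hub_namespaces", "event_hub_namespace_key", "event_hub_namespaces"),
    "log_analytics": ("log_analytics", "log_analytics_key", "log_analytics"),
}


def check_profiles(resource, profiles, diagnostics, definitions):
    """Return the dangling references found in the profiles; [] means all resolve."""
    problems = []
    destinations = diagnostics.get("diagnostics_destinations", {})
    for pkey, prof in profiles.items():
        where = f"{resource}.diagnostic_profiles.{pkey}"
        if prof.get("definition_key") not in definitions:
            problems.append(f"{where}: definition_key {prof.get('definition_key')!r} "
                            "missing from diagnostics_definition")
        dtype = prof.get("destination_type")
        if dtype not in DESTINATION_MAP:
            problems.append(f"{where}: unsupported destination_type {dtype!r}")
            continue
        block, attr, target_obj = DESTINATION_MAP[dtype]
        dest = destinations.get(block, {}).get(prof.get("destination_key"))
        if dest is None:
            # This is the lookup that leaves coalesce() with only nulls in the issue.
            problems.append(f"{where}: destination_key {prof.get('destination_key')!r} "
                            f"not in diagnostics_destinations.{block}")
            continue
        if dest.get(attr) not in diagnostics.get(target_obj, {}):
            problems.append(f"{where}: {attr} {dest.get(attr)!r} not in diagnostics.{target_obj}")
    return problems


# Constructed from the issue: the level2 firewall profile and the definition it names.
FIREWALL_PROFILES = {"central_logs_region1": {
    "name": "operational_firewall_logs", "definition_key": "azurerm_firewall",
    "destination_type": "event_hub", "destination_key": "central_logs"}}
DEFINITIONS = {"azurerm_firewall": {"name": "operational_logs_and_metrics"}}
# The diagnostics object exactly as the error trace reports it: both lookups empty.
DIAG_AS_IN_ERROR = {"diagnostics_destinations": {"event_hub_namespaces": {}}, "event_hub_namespaces": {}}
# The same object populated with what level0's tfvars declare.
DIAG_FROM_LEVEL0 = {
    "diagnostics_destinations": {"event_hub_namespaces": {
        "central_logs": {"event_hub_namespace_key": "central_logs_region1"}}},
    "event_hub_namespaces": {"central_logs_region1": {"name": "evlogs", "region": "region1"}},
}

if __name__ == "__main__":
    for label, diag in (("as seen by the module", DIAG_AS_IN_ERROR), ("with level0 data", DIAG_FROM_LEVEL0)):
        print(label, "->", check_profiles("myfw", FIREWALL_PROFILES, diag, DEFINITIONS) or "all references resolve")
```

Run it against the merged diagnostics object a level actually receives (for example by dumping the remote-state output to JSON first) to see which of the two lookups is empty before terraform plan reaches coalesce().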
