
refactor

tags/0.1.0
ravi 6 months ago
parent
commit
2b26635aa1
9 changed files with 307 additions and 203 deletions
1. .pre-commit-config.yaml (+3 -2)
2. Jenkinsfile (+0 -17)
3. README.md (+41 -23)
4. data.tf (+13 -0)
5. examples/default/README.md (+28 -14)
6. main.tf (+79 -112)
7. outputs.tf (+23 -12)
8. variables.tf (+119 -22)
9. versions.tf (+1 -1)

.pre-commit-config.yaml (+3 -2)

@@ -1,11 +1,12 @@
repos:
- repo: git://github.com/antonbabenko/pre-commit-terraform
rev: v1.17.0
rev: v1.30.0
hooks:
- id: terraform_fmt
- id: terraform_docs
- id: terraform_tflint
- repo: git://github.com/pre-commit/pre-commit-hooks
rev: v2.1.0
rev: v2.5.0
hooks:
- id: check-merge-conflict
- id: trailing-whitespace
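Review bot: both `repo:` entries still fetch over `git://`, which is unauthenticated and unencrypted, so the version bumps in this hunk (v1.17.0 to v1.30.0 and v2.1.0 to v2.5.0) are pulled with no transport integrity; switch both URLs to `https://github.com/...`. The `rev:` values are also movable tags rather than commit SHAs, so the pin does not guarantee that the hook code reviewed today is what runs tomorrow.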


Jenkinsfile (+0 -17)

@@ -1,17 +0,0 @@
fxTerraformWithUsernamePassword(
testEnvironmentCredentialId: 'fxprometheus-service-principal',
providerUsernameVariableName: 'client_id',
providerPasswordVariableName: 'client_secret',
initSSHCredentialId: 'gitea-fx_administrator-key',
testPlanVars: [
'subscription_id=9ea1187f-441c-43f4-af71-8f54123f2ed1',
'tenant_id=c8be77fb-3cf8-4d5a-b446-a3c65e7ae3db'
],
publishPlanVars: [
'subscription_id=9ea1187f-441c-43f4-af71-8f54123f2ed1',
'tenant_id=c8be77fb-3cf8-4d5a-b446-a3c65e7ae3db'
],
inspecTarget: 'azure',
inspecSubscriptionId: '9ea1187f-441c-43f4-af71-8f54123f2ed1',
inspecTenantId: 'c8be77fb-3cf8-4d5a-b446-a3c65e7ae3db'
)
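Review bot: deleting the Jenkinsfile removes the only plan/test pipeline for the module and nothing in this commit replaces it (the README in this same commit still says no Inspec tests exist), so the refactor lands without any automated validate or plan having run against it; either keep a pipeline or state in the commit message why CI is dropped. The removed file also hardcoded the subscription and tenant ids three times over; if a pipeline is reintroduced, inject those from credentials instead of the repository.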

README.md (+41 -23)

@@ -5,36 +5,54 @@
This module is used to deploy multiple resources (storage account, event hub and log analytics workspace) that will be used for the gathering of diagnostic informations and logging.

<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Requirements

| Name | Version |
|------|---------|
| terraform | >= 0.12 |
| azurerm | >= 2.0.0 |

## Providers

| Name | Version |
|------|---------|
| azurerm | >= 2.0.0 |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|:----:|:-----:|:-----:|
| enabled | Enable or disable module. | bool | `"true"` | no |
| event\_hub\_namespace\_name | Name of the event hub namespace to be used as a target for the logs. | string | n/a | yes |
| location | Location where the resources will be deployed. | string | `""` | no |
| log\_analytics\_workspace\_name | Name of the workspace to deploy to be used for logging. | string | n/a | yes |
| log\_analytics\_workspace\_retention\_in\_days | Number of days the workspace to deploy will retain logs. | number | `"7"` | no |
| log\_analytics\_workspace\_sku | SKU of the workspace to deploy to be used for logging. | string | `"free"` | no |
| resource\_group\_name | Name of the resource group where the resource will be deployed. | string | n/a | yes |
| storage\_account\_name | Name of the storage account to be used to host the logs. | string | n/a | yes |
| subscription\_logs\_retention | Number of days to retain activity logs in the storage account. | number | `"0"` | no |
| tags | Tags to add to the resources. | map | `{}` | no |
|------|-------------|------|---------|:--------:|
| account\_replication\_type | The type of replication to use for this storage account. Valid options are 'LRS','GRS','RAGRS' and 'ZRS'. | `string` | `"LRS"` | no |
| account\_tier | Type of the tier to use for the storage account.Changing this force a new resource to be created. | `string` | `"Standard"` | no |
| diagnostics\_count | How many diagnostics settings to create. | `number` | `1` | no |
| enable\_https\_tarffic\_only | Boolean flag which forces HTTPS if enabled. | `bool` | `true` | no |
| enabled | Enable or disable module. | `bool` | `true` | no |
| log\_analytics\_detination\_type | when set to `Dedicated logs sent to a log analytics workspace will go into resource specific tables, instead of the legacy Azurediagnostics table. Note: This setting will only have an effect if a `log\_analytics\_workspace\_id` is provided, and the resource is avaliable for resource-specific logs.` | `list(string)` | <pre>[<br> ""<br>]</pre> | no |
| log\_analytics\_tags | Tags which will be associated to the log analytics workspace. | `map` | `{}` | no |
| log\_analytics\_workspace\_name | Name of the workspace to deploy to be used for logging.Changing this forces a new resource to be created. | `string` | `""` | no |
| logs | A list of list of map of options to apply. Map must support the following structure:<br> * category(required, string): The name of a diagnostic log category for the resource. Note: The log categories available vary depending on the resource begin used. You may wish to use `azurerm_monitor_diagnostc_catehories` data source to identify which categories are available for a given resource.<br> * enabled(Optional, boolean): Is this Diagnostic metric enabled?<br> * retention\_policy(Optional, list of map): A list of map of retention policies to apply<br> * enabled(required, boolean): Is this retention policy enabled?<br> * days(Optional, number): The number of days for which this retention policy should be applied. Note: Setting this to 0 will retain the events indefinetly.<br>For example, see folder example/default folder. | `list` | `[]` | no |
| metric | A list of list of map of options to apply. Map must support the following structure:<br> * category(required, string): The name of a diagnostic log category for the resource. Note: The metric categories available vary depending on the resource begin used. You may wish to use `azurerm_monitor_diagnostc_catehories` data source to identify which categories are available for a given resource.<br> * enabled(Optional, boolean): Is this Diagnostic metric enabled?<br> * retention\_policy(Optional, list of map): A list of map of retention policies to apply<br> * enabled(required, boolean): Is this retention policy enabled?<br> * days(Optional, number): The number of days for which this retention policy should be applied. Note: Setting this to 0 will retain the events indefinetly.<br>For example, see folder example/default folder. | `list` | `[]` | no |
| names | List which specifies the names of the diagnostics settings. Changing this forces a new resource to be created. | `list(string)` | <pre>[<br> ""<br>]</pre> | no |
| resource\_group\_location | Location where the resources will be deployed.Changing this forces a new resource to be created. | `string` | `"canadacentral"` | no |
| resource\_group\_name | Name of the resource group where the resource will be deployed.Changing this forces a new resource to be created. | `string` | `""` | no |
| retention\_in\_days | Number of days that logs will be retained in the workspace. | `number` | `7` | no |
| storage\_account\_exist | Boolean flag which describes whhether the storage account is already existing or not. | `bool` | `false` | no |
| storage\_account\_name | Name of the storage account to be used to host the logs. Changing forces a new resource to be created. | `string` | `""` | no |
| storage\_account\_tags | Tags which will specifically assigned to the storage account. | `map` | `{}` | no |
| storage\_containers | List of containers to create and their access levels. | `list(object({ name = string, access_type = string }))` | `[]` | no |
| tags | Tags shared by all resource of tis module. Will be merged with any other specific tags by resource. | `map` | `{}` | no |
| target\_resource\_ids | The list of IDs of an existing resource on which to configure diagnostic settings. Changing this forces a new resource to be created. | `list(string)` | <pre>[<br> ""<br>]</pre> | no |
| workspace\_exist | Boolean flag which describes whhether the log analytics workspace is already existing or not. | `bool` | `false` | no |
| workspace\_sku | SKU of the workspace to deploy to be used for logging.Changing this forces a new resource to be created. | `string` | `"free"` | no |

## Outputs

| Name | Description |
|------|-------------|
| diagnostics\_map | |
| log\_analytics\_primary\_shared\_key | |
| log\_analytics\_secondary\_shared\_key | |
| log\_analytics\_workspace\_id | |
| id | ID of the diagnostics setting. |
| log\_analytics\_primary\_shared\_key | n/a |
| log\_analytics\_secondary\_shared\_key | n/a |
| log\_analytics\_workspace\_id | n/a |
| storage\_account\_id | The ID of the storage account. |

<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

## Examples

Usage example is found in the `./examples/default/` folder.

## Inspec

No Inspec tests are done for this module.
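Review bot: this table is terraform-docs output, so its defects have to be fixed in variables.tf rather than here: the `log_analytics_detination_type` row has an unbalanced backtick in its description, which swallows the rest of the cell, and the variable names `enable_https_tarffic_only` and `log_analytics_detination_type` as well as the words `whhether`, `tis`, `begin used`, `indefinetly` and `azurerm_monitor_diagnostc_catehories` are misspelled. The Outputs table lists `log_analytics_primary_shared_key`, `log_analytics_secondary_shared_key` and `log_analytics_workspace_id` with `n/a` descriptions; give those outputs a `description`. The `logs` and `metric` rows are copy-pasted from each other (both ask "Is this Diagnostic metric enabled?"), and `metric` is singular while `logs` is plural.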

data.tf (+13 -0)

@@ -0,0 +1,13 @@
data "azurerm_storage_account" "this" {
count = var.enabled && var.storage_account_exist != false ? 1 : 0

name = var.storage_account_name
resource_group_name = var.resource_group_name
}

data "azurerm_log_analytics_workspace" "this" {
count = var.enabled && var.workspace_exist != false ? 1 : 0

name = var.log_analytics_workspace_name
resource_group_name = var.resource_group_name
}
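Review bot: `var.storage_account_exist != false` and `var.workspace_exist != false` are just `var.storage_account_exist` and `var.workspace_exist` once those variables are declared with `type = bool` (they currently carry no type in variables.tf), so simplify both `count` expressions. Both data sources also take `resource_group_name = var.resource_group_name`, whose default is now `""`, so pointing at an existing account or workspace without setting the resource group fails only at plan time with an Azure API error; making the variable required again would surface that at validate time.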

examples/default/README.md (+28 -14)

@@ -1,22 +1,36 @@
# terraform-example

<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
## Requirements

| Name | Version |
|------|---------|
| azurerm | >= 1.36.0 |

## Providers

No provider.

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|:----:|:-----:|:-----:|
| client\_id | Azure service principal application Id. | string | n/a | yes |
| client\_secret | Azure service principal application Secret. | string | n/a | yes |
| event\_hub\_namespace\_name | Name of the event hub namespace to be used as a target for the logs. | string | `"fxcozca1dgeneh005"` | no |
| location | Location of the resources. | string | `"canadacentral"` | no |
| log\_analytics\_workspace\_name | Name of the workspace to deploy to be used for logging. | string | `"fxcozca1dgenla005"` | no |
| log\_analytics\_workspace\_retention\_in\_days | Number of days the workspace to deploy will retain logs. | number | `"7"` | no |
| log\_analytics\_workspace\_sku | SKU of the workspace to deploy to be used for logging. | string | `"free"` | no |
| resource\_group\_name | Resource group where the vnet resides. | string | `"fxcozca1dgenrg005"` | no |
| storage\_account\_name | Name of the storage account to be used to host the logs. | string | `"fxcozca1dgensa006"` | no |
| subscription\_id | Azure subscription Id. | string | n/a | yes |
| subscription\_logs\_retention | Number of days to retain activity logs in the storage account. | number | `"0"` | no |
| tags | Tags to add to the virtual network. | map | `{ "FXDepartment": "Cloud", "FXOwner": "Test user", "FXProjet": "FXCO" }` | no |
| tenant\_id | Azure tenant Id. | string | n/a | yes |
|------|-------------|------|---------|:--------:|
| client\_id | Azure service principal application Id. | `any` | n/a | yes |
| client\_secret | Azure service principal application Secret. | `any` | n/a | yes |
| event\_hub\_namespace\_name | Name of the event hub namespace to be used as a target for the logs. | `string` | `"fxcozca1dgeneh005"` | no |
| location | Location of the resources. | `string` | `"canadacentral"` | no |
| log\_analytics\_workspace\_name | Name of the workspace to deploy to be used for logging. | `string` | `"fxcozca1dgenla005"` | no |
| log\_analytics\_workspace\_retention\_in\_days | Number of days the workspace to deploy will retain logs. | `number` | `7` | no |
| log\_analytics\_workspace\_sku | SKU of the workspace to deploy to be used for logging. | `string` | `"free"` | no |
| resource\_group\_name | Resource group where the vnet resides. | `string` | `"fxcozca1dgenrg005"` | no |
| storage\_account\_name | Name of the storage account to be used to host the logs. | `string` | `"fxcozca1dgensa006"` | no |
| subscription\_id | Azure subscription Id. | `any` | n/a | yes |
| subscription\_logs\_retention | Number of days to retain activity logs in the storage account. | `number` | `0` | no |
| tags | Tags to add to the virtual network. | `map` | <pre>{<br> "FXDepartment": "Cloud",<br> "FXOwner": "Test user",<br> "FXProjet": "FXCO"<br>}</pre> | no |
| tenant\_id | Azure tenant Id. | `any` | n/a | yes |

## Outputs

No output.

<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
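Review bot: the example has not been updated for the refactored module interface: its Inputs table still lists `event_hub_namespace_name`, `log_analytics_workspace_sku`, `log_analytics_workspace_retention_in_days` and `subscription_logs_retention`, which this commit removes from variables.tf, and its Requirements table pins `azurerm >= 1.36.0` while versions.tf now requires `>= 2.0.0`. `client_id` and `client_secret` are typed `any`; declare them `string`, and `client_secret` must never be given a default. The descriptions "Tags to add to the virtual network" and "Resource group where the vnet resides" are copy-paste leftovers from another module.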

main.tf (+79 -112)

@@ -1,127 +1,94 @@
data "azurerm_resource_group" "rg" {
name = var.resource_group_name
}
###
# Storage account
###

locals {
location = var.location == "" ? data.azurerm_resource_group.rg.location : var.location
}
module "storage_account" {
source = "git::https://scm.dazzlingwrench.fxinnovation.com/fxinnovation-public/terraform-module-azurerm-storage-account.git?ref=1.0.0"

enabled = var.enabled && var.storage_account_exist == false
storage_account_name = var.storage_account_name
resource_group_name = var.resource_group_name
location = var.location
account_tier = var.account_tier
account_replication_type = var.account_replication_type
enable_https_traffic_only = var.enable_https_traffic_only

storage_containers = var.storage_containers
storage_shares = []

#Defines the subscription-wide logging and eventing settings
#Creating the containers on Storage Account and Event Hub (optional)

resource "azurerm_storage_account" "this" {
count = var.enabled ? 1 : 0
location = local.location
resource_group_name = data.azurerm_resource_group.rg.name
name = var.storage_account_name
account_kind = "StorageV2"
account_tier = "Standard"
account_replication_type = "GRS"
access_tier = "Hot"
enable_https_traffic_only = true
tags = merge(
{
"Terraform" = "true"
},
var.tags,
var.storage_account_tags
)
}

resource "azurerm_eventhub_namespace" "this" {
count = var.enabled ? 1 : 0
location = local.location
resource_group_name = data.azurerm_resource_group.rg.name
name = var.event_hub_namespace_name
sku = "Standard"
capacity = 2
auto_inflate_enabled = false
###
# Log analytics workspace
###

module "log_analytics_workspace" {
source = "git::https://scm.dazzlingwrench.fxinnovation.com/fxinnovation-public/terraform-module-azurerm-log-analytics-workspace.git?ref=1.0.0"

enabled = var.enabled && var.workspace_exist == false
name = var.log_analytics_workspace_name
location = var.resource_group_location
resource_group_name = var.resource_group_name
sku = var.workspace_sku
retention_in_days = var.retention_in_days
tags = merge(
{
"Terraform" = "true"
},
var.tags,
var.log_analytics_workspace_tags
)
}

resource "azurerm_monitor_log_profile" "subscription" {
count = var.enabled ? 1 : 0
name = "default"

categories = [
"Action",
"Delete",
"Write"
]

# Add all regions - > put in variable
# az account list-locations --query '[].name'
# updated Nov 08 2019
locations = [
"global",
"eastasia",
"southeastasia",
"centralus",
"eastus",
"eastus2",
"westus",
"northcentralus",
"southcentralus",
"northeurope",
"westeurope",
"japanwest",
"japaneast",
"brazilsouth",
"australiaeast",
"australiasoutheast",
"southindia",
"centralindia",
"westindia",
"canadacentral",
"canadaeast",
"uksouth",
"ukwest",
"westcentralus",
"westus2",
"koreacentral",
"koreasouth",
"francecentral",
"francesouth",
"australiacentral",
"australiacentral2",
"uaecentral",
"uaenorth",
"southafricanorth",
"southafricawest",
"switzerlandnorth",
"switzerlandwest",
"germanynorth",
"germanywestcentral",
"norwaywest",
"norwayeast"
]

# RootManageSharedAccessKey is created by default with listen, send, manage permissions
servicebus_rule_id = "${azurerm_eventhub_namespace.this[0].id}/authorizationrules/RootManageSharedAccessKey"
storage_account_id = azurerm_storage_account.this[0].id

retention_policy {
enabled = true
days = var.subscription_logs_retention


###
# Diagnostics settings
###

resource "azurerm_monitor_diagnostic_setting" "this" {
count = var.enabled ? var.diagnostics_count : 0

name = element(var.names, count.index)
target_resource_id = element(var.target_resource_ids, count.index)
log_analytics_workspace_id = var.workspace_exist != false ? data.azurerm_log_analytics_workspace.this[0].id : module.log_analytics_workspace.id
log_analytics_destination_type = var.log_analytics_destination_type
storage_account_id = var.storage_account_exist != false ? data.azurerm_storage_account.this[0].id : module.storage_account.id

dynamic "log" {
for_each = var.logs

content {
category = lookup(log.value, "category", null)
enabled = lookup(log.value, "enabled", true)

dynamic "retention_policy" {
for_each = log.value.retention_policy

content {
enabled = retention_policy.value.enabled
days = retention_policy.value.days
}
}
}
}
}

module "log-analytics-workspace" {
source = "git::ssh://git@scm.dazzlingwrench.fxinnovation.com:2222/fxinnovation-public/terraform-module-azurerm-log-analytics-workspace.git?ref=0.2.0"
enabled = var.enabled ? true : false
location = local.location
resource_group_name = data.azurerm_resource_group.rg.name
name = var.log_analytics_workspace_name
sku = var.log_analytics_workspace_sku
retention_in_days = var.log_analytics_workspace_retention_in_days
tags = merge(
{
"Terraform" = "true"
},
var.tags,
)
dynamic "metric" {
for_each = var.metrics

content {
category = lookup(metric.value, "category", null)
enabled = lookup(metric.value, "enabled", true)

dynamic "retention_policy" {
for_each = metric.value.retention_policy

content {
enabled = retention_policy.value.enabled
days = retention_policy.value.days
}
}
}
}
}
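Review bot: five variables referenced in this hunk are not declared in variables.tf, so `terraform validate` fails: `var.location` (removed, replaced by `resource_group_location`), `var.enable_https_traffic_only` (declared as `enable_https_tarffic_only`), `var.log_analytics_workspace_tags` (declared as `log_analytics_tags`), `var.log_analytics_destination_type` (declared as `log_analytics_detination_type`) and `var.metrics` (declared as `metric`). `log_analytics_destination_type` on the diagnostic setting is a single string, but the variable feeding it is `list(string)` with default `[""]`. `for_each = log.value.retention_policy` (and its `metric` twin) errors when the key is absent although the docs call `retention_policy` optional; use `lookup(log.value, "retention_policy", [])`. `element(var.names, count.index)` wraps around, so a `names` list shorter than `diagnostics_count` silently produces duplicate setting names; index with `var.names[count.index]` so the mismatch is an error. This hunk also drops the subscription-level `azurerm_monitor_log_profile` and the event hub namespace, which means activity-log export to storage and event hub stops; that is a functional change, not a refactor, and belongs in the commit message.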

outputs.tf (+23 -12)

@@ -1,24 +1,35 @@
output "diagnostics_map" {
value = map(
"diags_sa", azurerm_storage_account.this[0].id,
"eh_name", azurerm_eventhub_namespace.this[0].name,
"eh_id", azurerm_eventhub_namespace.this[0].id,
"la_name", var.log_analytics_workspace_name,
"la_id", module.log-analytics-workspace.id,
"la_work_id", module.log-analytics-workspace.workspace_id
)
###
# Diagnostic setting
###

output "id" {
description = "ID of the diagnostics setting."
value = element(concat(azurerm_monitor_diagnostic_setting.this.*.id, list("")), 0)
}

###
# Storage account
###

output "storage_account_id" {
description = "The ID of the storage account."
value = module.storage_account.id
}

###
# Log analytics workspace
###

output "log_analytics_primary_shared_key" {
sensitive = true
value = module.log-analytics-workspace.primary_shared_key
value = module.log_analytics_workspace.primary_shared_key
}

output "log_analytics_secondary_shared_key" {
sensitive = true
value = module.log-analytics-workspace.secondary_shared_key
value = module.log_analytics_workspace.secondary_shared_key
}

output "log_analytics_workspace_id" {
value = module.log-analytics-workspace.workspace_id
value = module.log_analytics_workspace.workspace_id
}
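Review bot: `storage_account_id` returns `module.storage_account.id` unconditionally, but main.tf uses `data.azurerm_storage_account.this[0].id` when `storage_account_exist` is true, so in that mode the output does not point at the account actually wired into the diagnostic settings; mirror the same conditional here, and likewise for the three `log_analytics_*` outputs when `workspace_exist` is true. `list("")` in the `id` output is the legacy 0.11 function; write `[""]`. `log_analytics_primary_shared_key`, `log_analytics_secondary_shared_key` and `log_analytics_workspace_id` have no `description`, which is why the README shows `n/a`. Keeping `sensitive = true` on the two shared-key outputs is correct and should stay.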

variables.tf (+119 -22)

@@ -1,55 +1,152 @@
###
# General
###
variable "enabled" {
description = "Enable or disable module."
type = bool
default = true
}

variable "location" {
description = "Location where the resources will be deployed."
type = string
default = ""
variable "resource_group_location" {
description = "Location where the resources will be deployed.Changing this forces a new resource to be created."
default = "canadacentral"
}

variable "resource_group_name" {
description = "Name of the resource group where the resource will be deployed."
type = string
description = "Name of the resource group where the resource will be deployed.Changing this forces a new resource to be created."
default = ""
}

variable "tags" {
description = "Tags shared by all resource of tis module. Will be merged with any other specific tags by resource."
default = {}
}

###
# Storage account
###

variable "storage_account_exist" {
description = "Boolean flag which describes whhether the storage account is already existing or not."
default = false
}

variable "storage_account_name" {
description = "Name of the storage account to be used to host the logs."
description = "Name of the storage account to be used to host the logs. Changing forces a new resource to be created."
type = string
default = ""
}

variable "event_hub_namespace_name" {
description = "Name of the event hub namespace to be used as a target for the logs."
variable "account_tier" {
description = "Type of the tier to use for the storage account.Changing this force a new resource to be created."
type = string
default = "Standard"
}

variable "subscription_logs_retention" {
description = "Number of days to retain activity logs in the storage account."
type = number
default = 0 # 0 = no rotation
variable "account_replication_type" {
description = "The type of replication to use for this storage account. Valid options are 'LRS','GRS','RAGRS' and 'ZRS'."
type = string
default = "LRS"
}

variable "enable_https_tarffic_only" {
description = "Boolean flag which forces HTTPS if enabled."
default = true
}

variable "storage_containers" {
description = "List of containers to create and their access levels."
default = []
type = list(object({ name = string, access_type = string }))
}

variable "storage_account_tags" {
description = "Tags which will specifically assigned to the storage account."
default = {}
}

###
# Log analytics workspace
###

variable "workspace_exist" {
description = "Boolean flag which describes whhether the log analytics workspace is already existing or not."
default = false
}

variable "log_analytics_workspace_name" {
description = "Name of the workspace to deploy to be used for logging."
description = "Name of the workspace to deploy to be used for logging.Changing this forces a new resource to be created."
type = string
default = ""
}

variable "log_analytics_workspace_sku" {
description = "SKU of the workspace to deploy to be used for logging."
variable "workspace_sku" {
description = "SKU of the workspace to deploy to be used for logging.Changing this forces a new resource to be created."
type = string
default = "free"
}

variable "log_analytics_workspace_retention_in_days" {
description = "Number of days the workspace to deploy will retain logs."
variable "retention_in_days" {
description = "Number of days that logs will be retained in the workspace."
type = number
default = 7
}

variable "tags" {
description = "Tags to add to the resources."
type = map
variable "log_analytics_tags" {
description = "Tags which will be associated to the log analytics workspace."
default = {}
}

###
# Diagnostics settings
###

variable "diagnostics_count" {
description = "How many diagnostics settings to create."
default = 1
}

variable "names" {
description = "List which specifies the names of the diagnostics settings. Changing this forces a new resource to be created."
type = list(string)
default = [""]
}

variable "target_resource_ids" {
description = "The list of IDs of an existing resource on which to configure diagnostic settings. Changing this forces a new resource to be created."
type = list(string)
default = [""]
}

variable "log_analytics_detination_type" {
description = "when set to `Dedicated logs sent to a log analytics workspace will go into resource specific tables, instead of the legacy Azurediagnostics table. Note: This setting will only have an effect if a `log_analytics_workspace_id` is provided, and the resource is avaliable for resource-specific logs."
type = list(string)
default = [""]
}

variable "logs" {
description = <<-DOCUMENTATION
A list of list of map of options to apply. Map must support the following structure:
* category(required, string): The name of a diagnostic log category for the resource. Note: The log categories available vary depending on the resource begin used. You may wish to use `azurerm_monitor_diagnostc_catehories` data source to identify which categories are available for a given resource.
* enabled(Optional, boolean): Is this Diagnostic metric enabled?
* retention_policy(Optional, list of map): A list of map of retention policies to apply
* enabled(required, boolean): Is this retention policy enabled?
* days(Optional, number): The number of days for which this retention policy should be applied. Note: Setting this to 0 will retain the events indefinetly.
For example, see folder example/default folder.
DOCUMENTATION
type = list
default = []
}

variable "metric" {
description = <<-DOCUMENTATION
A list of list of map of options to apply. Map must support the following structure:
* category(required, string): The name of a diagnostic log category for the resource. Note: The metric categories available vary depending on the resource begin used. You may wish to use `azurerm_monitor_diagnostc_catehories` data source to identify which categories are available for a given resource.
* enabled(Optional, boolean): Is this Diagnostic metric enabled?
* retention_policy(Optional, list of map): A list of map of retention policies to apply
* enabled(required, boolean): Is this retention policy enabled?
* days(Optional, number): The number of days for which this retention policy should be applied. Note: Setting this to 0 will retain the events indefinetly.
For example, see folder example/default folder.
DOCUMENTATION
type = list
default = []
}
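Review bot: `enable_https_tarffic_only` and `log_analytics_detination_type` are misspelled variable names that become the module's public interface at tag 0.1.0, and main.tf already references the correctly spelled `var.enable_https_traffic_only` and `var.log_analytics_destination_type`; rename them here, and likewise `metric` to `metrics` and `log_analytics_tags` to `log_analytics_workspace_tags` to match main.tf. `log_analytics_detination_type` should be `type = string`, not `list(string)`. `resource_group_location`, `tags`, `storage_account_exist`, `enable_https_tarffic_only`, `storage_account_tags`, `workspace_exist`, `log_analytics_tags` and `diagnostics_count` have no `type`; add `string`, `bool`, `number` or `map(string)` so malformed input fails at validate rather than apply. `logs` and `metric` are `type = list` with no element type; `list(any)` at minimum. `resource_group_name` goes from required to `default = ""`, which turns a missing value into a late API error. In the descriptions: `whhether`, `tis`, `begin used`, `indefinetly`, `azurerm_monitor_diagnostc_catehories`, `force` should read `forces`, and the `log_analytics_detination_type` description has an unbalanced backtick that breaks the generated README table.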

versions.tf (+1 -1)

@@ -1,6 +1,6 @@
terraform {
required_version = ">= 0.12"
required_providers {
azurerm = ">= 1.36.0"
azurerm = ">= 2.0.0"
}
}
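Review bot: `azurerm = ">= 2.0.0"` has no upper bound, so a future major release of the provider is picked up silently and can break the module; `~> 2.0` keeps it on the 2.x line. The examples/default README in this commit still declares `azurerm >= 1.36.0` and needs regenerating against this constraint.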
