Azure RUN Common feature
A Terraform modules composition (feature) which includes services needed for Claranet RUN/MSP.
It includes:
- Log Management with following resources
- Log Analytics Workspace
- Storage Account with SAS Token to upload logs to
- Key Vault
- FAME monitoring function for additional metrics. Built-in metrics sent:
fame.azure.application_gateway.instances: number of Application Gateway instancesfame.azure.backup.file_share: number of successful file share backupsfame.azure.backup.vm: number of successful virtual machines backupsfame.azure.virtual_network_gateway.ike_event_success: number of successful ike events for a VPN Gateway
Requirements
- PowerShell with Az module >= 3.6 is mandatory and is used to configure IIS logs collect in Azure Monitor
Using sub-modules
The integrated services can be used separately with the same inputs and outputs when it's a sub module.
Log management
See logs sub-module README.
Monitoring function
See monitoring_function README
Key Vault
See Key Vault module: terraform-azurerm-keyvault.
Global versioning rule for Claranet Azure modules
| Module version | Terraform version | AzureRM version |
|---|---|---|
| >= 7.x.x | 1.3.x | >= 3.0 |
| >= 6.x.x | 1.x | >= 3.0 |
| >= 5.x.x | 0.15.x | >= 2.0 |
| >= 4.x.x | 0.13.x / 0.14.x | >= 2.0 |
| >= 3.x.x | 0.12.x | >= 2.0 |
| >= 2.x.x | 0.12.x | < 2.0 |
| < 2.x.x | 0.11.x | < 2.0 |
Usage
This module is optimized to work with the Claranet terraform-wrapper tool
which set some terraform variables in the environment needed by this module.
More details about variables set by the terraform-wrapper available in the documentation.
module "azure_region" {
source = "claranet/regions/azurerm"
version = "x.x.x"
azure_region = var.azure_region
}
module "rg" {
source = "claranet/rg/azurerm"
version = "x.x.x"
location = module.azure_region.location
client_name = var.client_name
environment = var.environment
stack = var.stack
}
data "http" "myip" {
url = "http://ip4.clara.net/?raw"
}
module "global_run" {
source = "claranet/run-common/azurerm"
version = "x.x.x"
client_name = var.client_name
location = module.azure_region.location
location_short = module.azure_region.location_short
environment = var.environment
stack = var.stack
resource_group_name = module.rg.resource_group_name
monitoring_function_storage_account_authorized_ips = ["${data.http.myip.body}/32"]
monitoring_function_splunk_token = "xxxxxx"
monitoring_function_metrics_extra_dimensions = {
env = var.environment
sfx_monitored = "true"
}
extra_tags = {
foo = "bar"
}
}Providers
| Name | Version |
|---|---|
| azurerm | ~> 3.22 |
Modules
| Name | Source | Version |
|---|---|---|
| keyvault | claranet/keyvault/azurerm | 6.0.0 |
| logs | ./modules/logs | n/a |
| monitoring_function | ./modules/monitoring_function | n/a |
Resources
| Name | Type |
|---|---|
| azurerm_role_assignment.function_workspace | resource |
Inputs
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| client_name | Client name | string |
n/a | yes |
| default_tags_enabled | Option to enable or disable default tags | bool |
true |
no |
| environment | Environment name | string |
n/a | yes |
| extra_tags | Extra tags to add | map(string) |
{} |
no |
| keyvault_admin_objects_ids | Ids of the objects that can do all operations on all keys, secrets and certificates | list(string) |
[] |
no |
| keyvault_custom_name | Name of the Key Vault, generated if not set. | string |
"" |
no |
| keyvault_enabled_for_deployment | Boolean flag to specify whether Azure Virtual Machines are permitted to retrieve certificates stored as secrets from the key vault. | bool |
false |
no |
| keyvault_enabled_for_disk_encryption | Boolean flag to specify whether Azure Disk Encryption is permitted to retrieve secrets from the vault and unwrap keys. | bool |
false |
no |
| keyvault_enabled_for_template_deployment | Boolean flag to specify whether Azure Resource Manager is permitted to retrieve secrets from the key vault. | bool |
false |
no |
| keyvault_extra_tags | Extra tags to add to the Key Vault | map(string) |
{} |
no |
| keyvault_logs_categories | Log categories to send to destinations. All by default. | list(string) |
null |
no |
| keyvault_logs_metrics_categories | Metrics categories to send to destinations. All by default. | list(string) |
null |
no |
| keyvault_network_acls | Object with attributes: bypass, default_action, ip_rules, virtual_network_subnet_ids. See https://www.terraform.io/docs/providers/azurerm/r/key_vault.html#bypass for more informations. |
object({ |
null |
no |
| keyvault_reader_objects_ids | Ids of the objects that can read all keys, secrets and certificates | list(string) |
[] |
no |
| keyvault_resource_group_name | Resource Group the Key Vault will belong to. Will use resource_group_name if not set. |
string |
"" |
no |
| keyvault_sku | The Name of the SKU used for this Key Vault. Possible values are "standard" and "premium". | string |
"standard" |
no |
| location | Azure location. | string |
n/a | yes |
| location_short | Short string for Azure location. | string |
n/a | yes |
| log_analytics_workspace_custom_name | Azure Log Analytics Workspace custom name. Empty by default, using naming convention. | string |
"" |
no |
| log_analytics_workspace_enable_iis_logs | Specifies if IIS logs should be collected for linked Virtual Machines | bool |
false |
no |
| log_analytics_workspace_extra_tags | Extra tags to add to the Log Analytics Workspace | map(string) |
{} |
no |
| log_analytics_workspace_name_prefix | Log Analytics name prefix | string |
"" |
no |
| log_analytics_workspace_retention_in_days | The workspace data retention in days. Possible values range between 30 and 730. | number |
30 |
no |
| log_analytics_workspace_sku | Specifies the SKU of the Log Analytics Workspace. Possible values are Free, PerNode, Premium, Standard, Standalone, Unlimited, and PerGB2018 (new Sku as of 2018-04-03). | string |
"PerGB2018" |
no |
| logs_delete_after_days_since_modification_greater_than | Delete blob after x days without modification | number |
365 |
no |
| logs_resource_group_name | Resource Group the resources for log management will belong to. Will use resource_group_name if not set. |
string |
"" |
no |
| logs_storage_account_appservices_container_name | Name of the container in which App Services logs are stored | string |
"app-services" |
no |
| logs_storage_account_archived_logs_fileshare_name | Name of the file share in which externalized logs are stored | string |
"archived-logs" |
no |
| logs_storage_account_archived_logs_fileshare_quota | The maximum size in GB of the archived-logs file share, default is 5120 | number |
null |
no |
| logs_storage_account_custom_name | Storage Account for logs custom name. Empty by default, using naming convention. | string |
"" |
no |
| logs_storage_account_enable_advanced_threat_protection | Enable/disable Advanced Threat Protection, see here for more information. | bool |
false |
no |
| logs_storage_account_enable_appservices_container | Boolean flag which controls if App Services logs container should be created. | bool |
false |
no |
| logs_storage_account_enable_archived_logs_fileshare | Enable/disable archived-logs file share creation | bool |
false |
no |
| logs_storage_account_enable_archiving | Enable/disable blob archiving lifecycle | bool |
true |
no |
| logs_storage_account_enable_https_traffic_only | Enable/disable HTTPS traffic only | bool |
true |
no |
| logs_storage_account_extra_tags | Extra tags to add to the Storage Account | map(string) |
{} |
no |
| logs_storage_account_kind | Storage Account Kind | string |
"StorageV2" |
no |
| logs_storage_account_name_prefix | Storage Account name prefix | string |
"" |
no |
| logs_storage_account_replication_type | Storage Account Replication type | string |
"LRS" |
no |
| logs_storage_account_sas_expiry | Storage Account SAS Token end date (expiry). Specifies the UTC datetime (Y-m-d'T'H:M'Z') at which the SAS becomes invalid. | string |
"2042-01-01T00:00:00Z" |
no |
| logs_storage_account_tier | Storage Account tier | string |
"Standard" |
no |
| logs_storage_min_tls_version | Storage Account minimal TLS version | string |
"TLS1_2" |
no |
| logs_tier_to_archive_after_days_since_modification_greater_than | Change blob tier to Archive after x days without modification | number |
90 |
no |
| logs_tier_to_cool_after_days_since_modification_greater_than | Change blob tier to cool after x days without modification | number |
30 |
no |
| monitoring_function_advanced_threat_protection_enabled | FAME function app's storage account: Enable Advanced Threat Protection | bool |
false |
no |
| monitoring_function_app_service_plan_name | FAME App Service Plan custom name. Empty by default, using naming convention. | string |
null |
no |
| monitoring_function_application_insights_custom_name | FAME Application Insights custom name. Empty by default, using naming convention | string |
null |
no |
| monitoring_function_assign_role_on_workspace | True to assign role for the monitoring Function on the Log Analytics Workspace | bool |
true |
no |
| monitoring_function_enabled | Enable/disable monitoring function | bool |
true |
no |
| monitoring_function_extra_application_settings | Extra application settings to set on monitoring Function | map(string) |
{} |
no |
| monitoring_function_extra_tags | Monitoring function extra tags to add | map(string) |
{} |
no |
| monitoring_function_function_app_custom_name | FAME Function App custom name. Empty by default, using naming convention. | string |
null |
no |
| monitoring_function_logs_categories | Monitoring function log categories to send to destinations. All by default. | list(string) |
null |
no |
| monitoring_function_logs_metrics_categories | Monitoring function metrics categories to send to destinations. All by default. | list(string) |
null |
no |
| monitoring_function_metrics_extra_dimensions | Extra dimensions sent with metrics | map(string) |
{} |
no |
| monitoring_function_splunk_token | Access Token to send metrics to Splunk Observability | string |
n/a | yes |
| monitoring_function_storage_account_authorized_ips | FAME function app's storage account: IPs restriction for Function storage account in CIDR format | list(string) |
[] |
no |
| monitoring_function_storage_account_custom_name | FAME Storage Account custom name. Empty by default, using naming convention. | string |
null |
no |
| monitoring_function_storage_account_network_bypass | FAME function app's storage account: Specifies whether traffic is bypassed for Logging/Metrics/AzureServices. Valid options are any combination of Logging, Metrics, AzureServices, or None. |
list(string) |
[ |
no |
| monitoring_function_storage_account_network_rules_enabled | FAME function app's storage account: Enable Storage account network default rules for functions | bool |
true |
no |
| monitoring_function_zip_package_path | Zip package path for monitoring function | string |
"https://github.com/claranet/fame/releases/download/v1.1.0/fame.zip" |
no |
| name_prefix | Optional prefix for the generated name | string |
"" |
no |
| name_suffix | Optional suffix for the generated name | string |
"" |
no |
| resource_group_name | Resource Group the resources will belong to | string |
n/a | yes |
| stack | Stack name | string |
n/a | yes |
| tenant_id | Tenant ID | string |
null |
no |
| use_caf_naming | Use the Azure CAF naming provider to generate default resource name. *custom_name override this if set. Legacy default name is used if this is set to false. |
bool |
true |
no |
Outputs
| Name | Description |
|---|---|
| keyvault_id | Id of the Key Vault |
| keyvault_name | Name of the Key Vault |
| keyvault_resource_group_name | Resource Group the Key Vault belongs to |
| keyvault_uri | URI of the Key Vault |
| log_analytics_workspace_guid | The Log Analytics Workspace GUID. |
| log_analytics_workspace_id | The Log Analytics Workspace ID. |
| log_analytics_workspace_name | The Log Analytics Workspace name. |
| log_analytics_workspace_primary_key | The Primary shared key for the Log Analytics Workspace. |
| log_analytics_workspace_secondary_key | The Secondary shared key for the Log Analytics Workspace. |
| logs_resource_group_name | Resource Group the logs resources belongs to |
| logs_storage_account_appservices_container_name | Name of the container in which App Services logs are stored |
| logs_storage_account_archived_logs_fileshare_name | Name of the file share in which externalized logs are stored |
| logs_storage_account_id | Id of the dedicated Storage Account |
| logs_storage_account_name | Name of the logs Storage Account |
| logs_storage_account_primary_access_key | Primary connection string of the logs Storage Account, empty if connection string provided |
| logs_storage_account_primary_connection_string | Primary connection string of the logs Storage Account, empty if connection string provided |
| logs_storage_account_sas_token | SAS Token generated for logs access on Storage Account with full permissions on containers and objects for blob and table services. |
| logs_storage_account_secondary_access_key | Secondary connection string of the logs Storage Account, empty if connection string provided |
| logs_storage_account_secondary_connection_string | Secondary connection string of the logs Storage Account, empty if connection string provided |
| monitoring_function_app_service_plan_id | Id of the created App Service Plan |
| monitoring_function_app_service_plan_name | Name of the created App Service Plan |
| monitoring_function_application_insights_app_id | App id of the associated Application Insights |
| monitoring_function_application_insights_application_type | Application Type of the associated Application Insights |
| monitoring_function_application_insights_id | Id of the associated Application Insights |
| monitoring_function_application_insights_instrumentation_key | Instrumentation key of the associated Application Insights |
| monitoring_function_application_insights_name | Name of the associated Application Insights |
| monitoring_function_function_app_connection_string | Connection string of the created Function App |
| monitoring_function_function_app_id | Id of the created Function App |
| monitoring_function_function_app_identity | Identity block output of the Function App |
| monitoring_function_function_app_name | Name of the created Function App |
| monitoring_function_function_app_outbound_ip_addresses | Outbound IP adresses of the created Function App |
| monitoring_function_storage_account_id | Id of the associated Storage Account, empty if connection string provided |
| monitoring_function_storage_account_name | Name of the associated Storage Account, empty if connection string provided |
| monitoring_function_storage_account_primary_access_key | Primary connection string of the associated Storage Account, empty if connection string provided |
| monitoring_function_storage_account_primary_connection_string | Primary connection string of the associated Storage Account, empty if connection string provided |
| monitoring_function_storage_account_secondary_access_key | Secondary connection string of the associated Storage Account, empty if connection string provided |
| monitoring_function_storage_account_secondary_connection_string | Secondary connection string of the associated Storage Account, empty if connection string provided |
| monitoring_function_storage_queries_table_name | Name of the table in the Storage Account, empty if connection string provided |
| terraform_module | Information about this Terraform module |
Related documentation
Microsoft Azure Monitor logs documentation: docs.microsoft.com/en-us/azure/azure-monitor/log-query/log-query-overview
Microsoft Azure Key Vault documentation: docs.microsoft.com/en-us/azure/key-vault/