terraform stuff

Author: mrlockstar

infrastructure/environments/nonlive-hub/variables.tfvars

@@ -34,6 +34,12 @@ avd_source_image_from_gallery = {
   gallery_rg_name = "rg-hub-dev-uks-hub-virtual-desktop"
 }
 
+law = {
+  export_enabled = false
+  law_sku        = "PerGB2018"
+  retention_days = 30
+}
+
 regions = {
   uksouth = {
     address_space     = "10.65.0.0/16"

infrastructure/terraform/hub/log_analytics_workspace.tf

@@ -0,0 +1,52 @@
+module "log_analytics_workspace_hub" {
+  for_each = var.regions
+
+  source = "../../../../dtos-devops-templates/infrastructure/modules/log-analytics-workspace"
+
+  name                = module.config[each.key].names.log-analytics-workspace
+  resource_group_name = azurerm_resource_group.rg_base[each.key].name
+  location            = each.key
+
+  law_sku        = var.law.law_sku
+  retention_days = var.law.retention_days
+
+  monitor_diagnostic_setting_log_analytics_workspace_enabled_logs = local.monitor_diagnostic_setting_log_analytics_workspace_enabled_logs
+  monitor_diagnostic_setting_log_analytics_workspace_metrics      = local.monitor_diagnostic_setting_log_analytics_workspace_metrics
+
+  tags = var.tags
+}
+
+# Add a data export rule to forward logs to the Event Hub in the Hub subscription
+module "log_analytics_data_export_rule" {
+  for_each = var.features.log_analytics_data_export_rule_enabled ? var.regions : {}
+
+  source = "../../../../dtos-devops-templates/infrastructure/modules/log-analytics-data-export-rule"
+
+  name                    = "${module.config[each.key].names.log-analytics-workspace}-export-rule"
+  resource_group_name     = azurerm_resource_group.rg_base[each.key].name
+  workspace_resource_id   = module.log_analytics_workspace_hub[each.key].id
+  destination_resource_id = module.eventhub_law_export["dtos-hub-${each.key}"].event_hubs["dtos-hub"].id
+  table_names             = var.law.export_table_names
+  enabled                 = var.law.export_enabled
+}
+
+/*--------------------------------------------------------------------------------------------------
+  RBAC Assignments
+--------------------------------------------------------------------------------------------------*/
+/*
+For sending events to the Event Hub:
+* Azure Event Hubs Data Sender: Grants permissions to send events to the Event Hub.
+* For receiving events from the Event Hub:
+
+For receiving events from the Event Hub (i.e. remote resource):
+* Azure Event Hubs Data Receiver: Grants permissions to receive events from the Event Hub.
+*/
+# module "rbac_assignments" {
+#   for_each = var.regions
+
+#   source = "../../../dtos-devops-templates/infrastructure/modules/rbac-assignment"
+
+#   principal_id         = module.log_analytics_workspace_audit[each.key].0.principal_id
+#   role_definition_name = "Azure Event Hubs Data Sender"
+#   scope                = data.terraform_remote_state.hub.outputs.eventhub_law_export_id["dtos-hub-${each.key}"]
+# }

infrastructure/terraform/hub/networking_hub.tf

@@ -38,7 +38,7 @@ module "subnets_hub" {
 
   source = "../../../../dtos-devops-templates/infrastructure/modules/subnet"
 
-  # log_analytics_workspace_id                                     = module.log_analytics_workspace_hub[local.primary_region].id
+  log_analytics_workspace_id                                     = module.log_analytics_workspace_hub[local.primary_region].id
   monitor_diagnostic_setting_network_security_group_enabled_logs = local.monitor_diagnostic_setting_network_security_group_enabled_logs
 
   name                              = each.value.subnet_name

infrastructure/terraform/hub/variables.tf

@@ -256,6 +256,17 @@ variable "tags" {
   default     = {}
 }
 
+variable "law" {
+  description = "Configuration of the Log Analytics Workspace"
+  type = object({
+    name               = optional(string, "hub")
+    export_enabled     = optional(bool, false)
+    law_sku            = optional(string, "PerGB2018")
+    retention_days     = optional(number, 30)
+    export_table_names = optional(list(string))
+  })
+}
+
 variable "virtual_desktop_group_active" {
   description = <<-EOT
     This can either be 'blue', 'green', 'both-with-blue-primary',  'both-with-green-primary', 'both-with-blue-primary-but-equal-vms' or 'both-with-green-primary-but-equal-vms'.