I haven’t work with the Terraform for a while and didn’t know about recent updates in Azure API released at the end of 2023. If you are like me, in short, this update allows you configure settings for Azure Storage sub-services separately. Private Endpoints, retention settings and diagnostic settings have to be configured separately from there.
Started looking for documentation.. No issues with private endpoints, decided to leave retention policies with default settings, but logs export is a must have feature for security and needs to be implemented. All the documentation and articles availavle were only explaining how to do a log export to a Storage Account, while I want to use Log Analytics Workspace for that. After some experiments the solution was found and I am sharing it with you.
This example is not ready as a copy/paste scenario for a whole Storage Account module with all the whistles. Nevertheless, it should be good enough to pick-up the idea and adapt it for your case. The snippet is for Blob Storage only as that one is used more often Feel free to taylor it if you need others storage types too. I used AzureRM provider version = 3.71.0 while it should work with higher versions.
terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "=3.71.0"
}
}
}
resource "azurerm_storage_account" "this" {
name = "storage_account_name"
resource_group_name = "resource_group_name"
location = "West Europe"
account_tier = "Standard"
account_replication_type = "LRS"
tags = {
environment = "test"
}
}
resource "azurerm_log_analytics_workspace" "this" {
name = "law_name"
location = "West Europe"
resource_group_name = "resource_group_name"
sku = "PerGB2018"
retention_in_days = 30
}
resource "azurerm_monitor_diagnostic_setting" "logs" {
name = "logs_export_to_law"
// The storage account_sub_resource
target_resource_id = "${azurerm_storage_account.this.id}/blobServices/default"
log_analytics_workspace_id = azurerm_log_analytics_workspace.this.id
log_analytics_destination_type = "Dedicated"
// This was just "log" before
enabled_log {
category_group = "allLogs" // there are categories and sub-categories now for you to define
// Enabled = true - deprecated
}
// Metric configuration aren't changed much
metric {
category = "Transaction"
enabled = true
}
}
This is how the result looks like.
Diagnostic settings enabled for Blob resourse type only.
Diagnostic settings show connection with Log Analytics Workspace.
What are the “Category groups” and “Categories” enabled for export and destination.
That works for me. Hope that would help you to configure logs export from Azure Storage Account to Azure Log Analytics Workspace with Terraform.