First commit

canada-ca-terraform-modules · Feb 5, 2025 · 8a570b4 · 8a570b4
commit 8a570b4
Show file tree

Hide file tree

Showing 8 changed files with 226 additions and 0 deletions.
diff --git a/.github/workflows/documentation.yaml b/.github/workflows/documentation.yaml
@@ -0,0 +1,27 @@
+name: Generate terraform docs
+on:
+  workflow_dispatch:
+  pull_request:
+    branches:
+      - main
+      - master
+  push:
+    branches:
+      - main
+      - master
+
+jobs:
+  docs:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/[email protected]
+        with:
+          ref: ${{ github.event.pull_request.head.ref }}
+
+      - name: Render terraform docs inside the README.md and push changes back to PR branch
+        uses: terraform-docs/[email protected]
+        with:
+          working-dir: .
+          output-file: README.md
+          output-method: inject
+          git-push: "true"
diff --git a/ESLZ/logs_analytics_workspace.tf b/ESLZ/logs_analytics_workspace.tf
@@ -0,0 +1,18 @@
+variable "log_analytics_workspace" {
+  description = "Configuration for all log analytics workspace for the project"
+  type = any
+  default = {}
+}
+
+module "law" {
+  source = "github.com/canada-ca-terraform-modules/terraform-azurerm-caf-logs-analytics-workspaceV2.git?ref=v1.0.0"
+  for_each = var.log_analytics_workspace
+
+  userDefinedString = each.key
+  group = var.group
+  project = var.project
+  env = var.env
+  resource_groups = local.resource_groups_all
+  logs_analytics_workspace = each.value
+  tags = var.tags
+}
diff --git a/ESLZ/logs_analytics_workspace.tfvars b/ESLZ/logs_analytics_workspace.tfvars
@@ -0,0 +1,40 @@
+log_analytics_workspace = {
+  "name" = {
+    resource_group = "Project"
+
+    # All commented out values below are shown with their default value in the module. To change these values, uncomment then modify values
+    # allow_resource_only_permissions         = true              Optional: Possible value: true/false    
+    # local_authentication_disabled           = false             Optional: Possible value: true/false 
+    # sku                                     = "PerGB2018"       Optional: Check Terraform docs for SKUs
+    # retention_in_days                       = 30                Optional: Between 30 and 730
+    # daily_quota_gb                          = -1                Optional: Integer value/ -1 for disabled
+    # cmk_for_query_forced                    = false             Optional: Possible value: true/false 
+    # internet_ingestion_enabled              = true              Optional: Possible value: true/false 
+    # internet_query_enabled                  = true              Optional: Possible value: true/false 
+    # reservation_capacity_in_gb_per_day      = null              Optional: Integer value / Only relevant when SKU is CapacityReservation
+    # data_collection_rule_id                 = null              Optional: Azure ID
+    # immediate_data_purge_on_30_days_enabled = false             Optional: Possible value: true/false 
+    # customer_managed_key_enabled = false                        Optional: Possible value: true/false
+
+    # identity = {
+    #   type = "SystemAssigned"
+    #   identity_ids = null
+    # }
+
+    # Optional: Set Solutions for the workspace. Example for SecurityInsights below
+    # solutions = {
+    #   "SecurityInsights" = {
+    #     publisher = "Microsoft"
+    #     product = "OMSGallery/SecurityInsights"
+    #   }
+    # }
+
+    # Optinal: Set data source for Windows event logs. Example below
+    # datasource_windows_event = {
+    #   "windows_event" = {
+    #     event_types = ["Information", "Error", "Warning"]   # Required: Any combination of these 3 values is accepted
+    #   }
+    # }
+
+  }
+}
diff --git a/locals.tf b/locals.tf
@@ -0,0 +1,4 @@
+locals {
+  resource_group_id = strcontains(var.logs_analytics_workspace.resource_group, "/resourceGroups/") ? var.logs_analytics_workspace.resource_group : var.resource_groups[var.logs_analytics_workspace.resource_group].id
+  resource_group_name = strcontains(var.logs_analytics_workspace.resource_group, "/resourceGroups/") ? regex("[^\\/]+$", var.logs_analytics_workspace.resource_group) :  var.resource_groups[var.logs_analytics_workspace.resource_group].name
+}
diff --git a/module.tf b/module.tf
@@ -0,0 +1,61 @@
+resource "azurerm_log_analytics_workspace" "workspace" {
+  name = local.log_analytics_workspace-name
+  resource_group_name = local.resource_group_name
+  location = var.location
+
+  allow_resource_only_permissions = try(var.logs_analytics_workspace.allow_resource_only_permissions, true)
+  local_authentication_disabled = try(var.logs_analytics_workspace.local_authentication_disabled, false)
+  sku = try(var.logs_analytics_workspace.sku, "PerGB2018")
+  retention_in_days = try(var.logs_analytics_workspace.retention_in_days, 30)
+  daily_quota_gb = try(var.logs_analytics_workspace.daily_quota_gb, -1)
+  cmk_for_query_forced = try(var.logs_analytics_workspace.cmk_for_query_forced, false)
+  internet_ingestion_enabled = try(var.logs_analytics_workspace.internet_ingestion_enabled, true)
+  internet_query_enabled = try(var.logs_analytics_workspace.internet_query_enabled, true)
+  reservation_capacity_in_gb_per_day = try(var.logs_analytics_workspace.reservation_capacity_in_gb_per_day, null)
+  data_collection_rule_id = try(var.logs_analytics_workspace.data_collection_rule_id, null)
+  immediate_data_purge_on_30_days_enabled = try(var.logs_analytics_workspace.immediate_data_purge_on_30_days_enabled, false)
+  tags = merge(var.tags, try(var.logs_analytics_workspace.tags, {}))
+
+  dynamic "identity" {
+    for_each = try(var.logs_analytics_workspace.identity, null) != null ? [1] : []
+    content {
+      type         = try(var.logs_analytics_workspace.identity.type, "SystemAssigned")
+      identity_ids = try(var.logs_analytics_workspace.identity.identity_ids, [])
+    }
+  }
+}
+
+resource "azurerm_log_analytics_solution" "solutions" {
+  for_each = try(var.logs_analytics_workspace.solutions, {})
+
+  solution_name = each.key
+  resource_group_name = azurerm_log_analytics_workspace.workspace.resource_group_name
+  location = azurerm_log_analytics_workspace.workspace.location
+  workspace_resource_id = azurerm_log_analytics_workspace.workspace.id
+  workspace_name = azurerm_log_analytics_workspace.workspace.name
+
+  tags = merge(var.tags, try(var.logs_analytics_workspace.tags, {}))
+
+  plan {
+    publisher = each.value.publisher
+    product = each.value.product
+    promotion_code = try(each.value.promotion_code, null)
+  }
+}
+
+resource "azurerm_log_analytics_datasource_windows_event" "windows_event" {
+  for_each = try(var.logs_analytics_workspace.datasource_windows_event, {})
+
+  name = each.key
+  resource_group_name = azurerm_log_analytics_workspace.workspace.resource_group_name
+  workspace_name = azurerm_log_analytics_workspace.workspace.name
+  event_log_name = each.key
+  event_types = each.value.event_types
+}
+
+resource "azurerm_sentinel_log_analytics_workspace_onboarding" "sentinel_onboarding" {
+  count = try(var.logs_analytics_workspace.sentinel_onboarding, false) ? 1 : 0
+
+  workspace_id = azurerm_log_analytics_workspace.workspace.id
+  customer_managed_key_enabled = try(var.logs_analytics_workspace.customer_managed_key_enabled, false)
+}
diff --git a/name.tf b/name.tf
@@ -0,0 +1,10 @@
+locals {
+  unique                                  = substr(sha1(local.resource_group_id), 0, 8)
+  env_4                                   = substr(var.env, 0, 4)
+  log_analytics_workspace-no_underscore   = replace("${local.env_4}CLD-${var.userDefinedString}", "_", "-")
+  log_analytics_workspace-regex           = "/[^0-9A-Za-z-]/" # Anti-pattern to match all characters not in: 0-9 a-z A-Z -
+  log_analytics_workspace-regex_compliant = replace(local.log_analytics_workspace-no_underscore, local.log_analytics_workspace-regex, "")
+  log_analytics_workspace-54              = substr(local.log_analytics_workspace-regex_compliant, 0, 54)
+  log_analytics_workspace-59              = substr("${local.log_analytics_workspace-54}-${local.unique}", 0, 59)
+  log_analytics_workspace-name          = "${local.log_analytics_workspace-59}-law"
+}
diff --git a/outputs.tf b/outputs.tf
@@ -0,0 +1,24 @@
+output "log_analytics_workspace_object" {
+  description = "Outputs the entire LAW"
+  value = azurerm_log_analytics_workspace.workspace
+}
+
+output "log_analytics_workspace_name" {
+  description = "Outputs the name of the LAW"
+  value = azurerm_log_analytics_workspace.workspace.name
+}
+
+output "log_analytics_workspace_id" {
+  description = "Outputs the ID of the LAW"
+  value = azurerm_log_analytics_workspace.workspace.id
+}
+
+output "log_analytics_workspace_solutions" {
+  description = "Outputs the solutions for the LAW"
+  value = azurerm_log_analytics_solution.solutions
+}
+
+output "log_analytics_workspace_datasource_windows_event" {
+  description = "Outputs the data source windows event for the LAW"
+  value = azurerm_log_analytics_datasource_windows_event.windows_event
+}
diff --git a/variables.tf b/variables.tf
@@ -0,0 +1,42 @@
+variable "tags" {
+  description = "Tags to be applied to the LAW"
+  type        = map(string)
+  default     = {}
+}
+
+variable "userDefinedString" {
+  description = "(Required) UserDefinedString portion of the name of the LAW"
+  type = string
+}
+
+variable "group" {
+  description = "(Required) Group portion of the name of the LAW"
+  type = string
+}
+
+variable "project" {
+  description = "(Required) Project portion of the name of the LAW"
+  type = string
+}
+
+variable "env" {
+  description = "(Required) Env value"
+  type = string
+}
+
+variable "resource_groups" {
+  description = "(Required) Resource group object containing all the resource group for the target project"
+  type = any
+}
+
+variable "location" {
+  description = "Azure location for the LAW"
+  type = string
+  default = "canadacentral"
+}
+
+variable "logs_analytics_workspace" {
+  description = "Object containing all configuration for the LAW and associated resources"
+  type = any
+  default = {}
+}