"Enable allLogs category group resource logging for supported resources to Log Analytics" creates duplicate logs for Application Insights already using a Log Analytics Workspace #1026

Open
djbark opened this issue Jul 10, 2024 · 6 comments

djbark commented Jul 10, 2024

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Versions

module: 6.0.0

Description

Describe the bug

I already have an Application Insights resource which is using a Log Analytics workspace configured via the WORKSPACE config option (actually configured via azurerm_application_insights/workspace_id). This sends all logs to the Log Analytics workspace. I believe this configuration cannot be removed.

If I remediate the policy "Enable allLogs category group resource logging for supported resources to Log Analytics" it creates a Diagnostic Setting "setByPolicy-LogAnalytics" for the Application Insights resource which also sends all logs to the Log Analytics workspace. Hence duplicate logs are stored in the Log Analytics workspace.

@diegosrp

Hi djbark, I looked at the documentation for the azurerm_application_insights resource and the workspace_id is optional (I didn't do any testing, but I believe you can comment on this parameter and see how the plan behaves).

Or if you want to control it through the resource, I believe another option is to add an exemption to this policy/resource and remove the setbypolicy so that it will not create it again.

djbark commented Jul 17, 2024

@diegosrp It is optional, but once added it cannot be removed (at least not without deleting and re-creating the resource). Furthermore my understanding is that the recommendation is to migrate to workspace-based Application Insights resources so would seem a backwards step.

I would rather not do exemptions to individual policies that are part of an initiative provided as part of the CAF, but maybe that is the only option.

@diegosrp

I understood.

In my view, I see CAF as the best practices/recommendations, however it is not suitable for all businesses, sometimes we have a compliance requirement or something that will not meet our needs and we need to adjust.

Regarding exemption, you can put it in the specific resource_id, meaning it will not only apply to the specific resource.

@diegosrp

Screenshot 2024-07-18 at 11 36 29

eehret commented Sep 17, 2024

Hi all,

In case this option hasn't been considered yet: it looks like it's possible to exclude App Insights from this policy by removing it from the 'resourceTypeList' parameter, where it is included in the default value.

That's what we will be doing for now, using the archetype_config_overrides feature of CAF Terraform module.

eehret commented Sep 17, 2024

Also, Microsoft seems to have updated their documentation recently. The blurb in the red caution shown above seems to have been made less prominent, no longer in red and no longer a caution. The information presented is similar though: https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/diagnostic-settings#diagnostic-logs-for-application-insights
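
An added example, not part of the thread or of the module's code: a Python audit that flags the duplicate route described in this issue, a workspace-based Application Insights resource that also has a diagnostic setting sending logs to the workspace it is based on. The inventory is constructed sample data whose shape (`WorkspaceResourceId` on the component, `workspaceId` and `logs` on the diagnostic setting) is assumed to follow the ARM JSON; all resource ids and the `setting`/`find_duplicate_routes` helpers are hypothetical.

```python
# Added example: constructed inventory, all resource ids are made up.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers"
WS_A = SUB + "/Microsoft.OperationalInsights/workspaces/law-a"
WS_B = SUB + "/Microsoft.OperationalInsights/workspaces/law-b"
APPI = SUB + "/Microsoft.Insights/components/"

def setting(name, workspace_id, enabled=True):
    """Build a diagnostic setting shaped like the ARM JSON (assumed shape)."""
    logs = [{"categoryGroup": "allLogs", "enabled": enabled}]
    return {"name": name, "properties": {"workspaceId": workspace_id, "logs": logs}}

COMPONENTS = [
    {"id": APPI + "appi-web", "properties": {"WorkspaceResourceId": WS_A}},
    {"id": APPI + "appi-api", "properties": {"WorkspaceResourceId": WS_A}},
    {"id": APPI + "appi-classic", "properties": {}},  # not workspace-based
]
SETTINGS = {
    # Same workspace, different casing: ARM ids compare case-insensitively.
    APPI + "appi-web": [setting("setByPolicy-LogAnalytics", WS_A.upper())],
    APPI + "appi-api": [setting("to-other-workspace", WS_B),
                        setting("disabled-copy", WS_A, enabled=False)],
    APPI + "appi-classic": [setting("setByPolicy-LogAnalytics", WS_A)],
}

def _norm(resource_id):
    """Normalise a resource id for comparison (case and trailing slash)."""
    return (resource_id or "").rstrip("/").lower()

def _sends_logs(diag):
    """True if at least one log category or category group is enabled."""
    return any(l.get("enabled") for l in diag.get("properties", {}).get("logs", []))

def find_duplicate_routes(components, settings_by_resource):
    """Return (component id, setting name) pairs where logs reach the
    component's own backing workspace a second time via a diagnostic setting."""
    findings = []
    for comp in components:
        backing = _norm(comp.get("properties", {}).get("WorkspaceResourceId"))
        if not backing:
            continue  # classic resource: the setting is the only route
        for diag in settings_by_resource.get(comp["id"], []):
            target = _norm(diag.get("properties", {}).get("workspaceId"))
            if target == backing and _sends_logs(diag):
                findings.append((comp["id"], diag["name"]))
    return findings

if __name__ == "__main__":
    for comp_id, name in find_duplicate_routes(COMPONENTS, SETTINGS):
        print(f"duplicate log route: {comp_id} via {name}")
```

Resources it reports are the candidates for the exemption or `resourceTypeList` change discussed in the comments above.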
