diagnostic setting: metrics and logs to LogAnalytics

README.md

@@ -31,6 +31,7 @@ No modules.
 | [azurerm_cognitive_account.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cognitive_account) | resource |
 | [azurerm_cognitive_deployment.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/cognitive_deployment) | resource |
 | [azurerm_monitor_diagnostic_setting.setting](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_diagnostic_setting) | resource |
+| [azurerm_monitor_diagnostic_setting.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_diagnostic_setting) | resource |
 | [azurerm_private_dns_zone.dns_zone](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_zone) | resource |
 | [azurerm_private_dns_zone_virtual_network_link.dns_zone_link](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_dns_zone_virtual_network_link) | resource |
 | [azurerm_private_endpoint.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/private_endpoint) | resource |
@@ -59,6 +60,8 @@ No modules.
 | <a name="input_identity"></a> [identity](#input\_identity) | type = object({<br>  type         = (Required) The type of the Identity. Possible values are `SystemAssigned`, `UserAssigned`, `SystemAssigned, UserAssigned`.<br>  identity\_ids = (Optional) Specifies a list of User Assigned Managed Identity IDs to be assigned to this OpenAI Account.<br>}) | <pre>object({<br>    type         = string<br>    identity_ids = optional(list(string))<br>  })</pre> | `null` | no |
 | <a name="input_local_auth_enabled"></a> [local\_auth\_enabled](#input\_local\_auth\_enabled) | Whether local authentication methods is enabled for the Cognitive Account. Defaults to `true`. | `bool` | `true` | no |
 | <a name="input_location"></a> [location](#input\_location) | Azure OpenAI deployment region. Set this variable to `null` would use resource group's location. | `string` | n/a | yes |
+| <a name="input_log_analytics_workspace"></a> [log\_analytics\_workspace](#input\_log\_analytics\_workspace) | (Optional) Existing azurerm\_log\_analytics\_workspace. | <pre>object({<br>    id                  = string<br>    name                = optional(string)<br>    location            = optional(string)<br>    resource_group_name = optional(string)<br>  })</pre> | `null` | no |
+| <a name="input_log_analytics_workspace_enabled"></a> [log\_analytics\_workspace\_enabled](#input\_log\_analytics\_workspace\_enabled) | Enable the integration of azurerm\_log\_analytics\_workspace | `bool` | `false` | no |
 | <a name="input_network_acls"></a> [network\_acls](#input\_network\_acls) | type = set(object({<br>  default\_action = (Required) The Default Action to use when no rules match from ip\_rules / virtual\_network\_rules. Possible values are `Allow` and `Deny`.<br>  ip\_rules                    = (Optional) One or more IP Addresses, or CIDR Blocks which should be able to access the Cognitive Account.<br>  virtual\_network\_rules = optional(set(object({<br>    subnet\_id                            = (Required) The ID of a Subnet which should be able to access the OpenAI Account.<br>    ignore\_missing\_vnet\_service\_endpoint = (Optional) Whether ignore missing vnet service endpoint or not. Default to `false`.<br>  })))<br>})) | <pre>set(object({<br>    default_action = string<br>    ip_rules       = optional(set(string))<br>    virtual_network_rules = optional(set(object({<br>      subnet_id                            = string<br>      ignore_missing_vnet_service_endpoint = optional(bool, false)<br>    })))<br>  }))</pre> | `null` | no |
 | <a name="input_outbound_network_access_restricted"></a> [outbound\_network\_access\_restricted](#input\_outbound\_network\_access\_restricted) | Whether outbound network access is restricted for the Cognitive Account. Defaults to `false`. | `bool` | `false` | no |
 | <a name="input_pe_subresource"></a> [pe\_subresource](#input\_pe\_subresource) | A list of subresource names which the Private Endpoint is able to connect to. `subresource_names` corresponds to `group_id`. Possible values are detailed in the product [documentation](https://docs.microsoft.com/azure/private-link/private-endpoint-overview#private-link-resource) in the `Subresources` column. Changing this forces a new resource to be created. | `list(string)` | <pre>[<br>  "account"<br>]</pre> | no |

main.tf

@@ -90,3 +90,23 @@ resource "azurerm_cognitive_deployment" "this" {
     capacity = try(each.value.capacity, 1)
   }
 }
+
+resource "azurerm_monitor_diagnostic_setting" "this" {
+  count                      = var.log_analytics_workspace_enabled ? 1 : 0
+  name                       = local.account_name
+  target_resource_id         = azurerm_cognitive_account.this.id
+  log_analytics_workspace_id = var.log_analytics_workspace.id
+
+  enabled_log {
+    category_group = "AllLogs"
+  }
+
+  enabled_log {
+    category_group =  "Audit"
+  }
+
+  metric {
+    enabled  = true
+    category = "AllMetrics"
+  }
+}

variables.tf

@@ -169,6 +169,24 @@ variable "local_auth_enabled" {
   description = "Whether local authentication methods is enabled for the Cognitive Account. Defaults to `true`."
 }
 
+variable "log_analytics_workspace" {
+  type = object({
+    id                  = string
+    name                = optional(string)
+    location            = optional(string)
+    resource_group_name = optional(string)
+  })
+  default     = null
+  description = "(Optional) Existing azurerm_log_analytics_workspace."
+}
+
+variable "log_analytics_workspace_enabled" {
+  type        = bool
+  default     = false
+  description = "Enable the integration of azurerm_log_analytics_workspace"
+  nullable    = false
+}
+
 variable "network_acls" {
   type = set(object({
     default_action = string