From 37040028726e999e19a2d80645981dbdfd99aad2 Mon Sep 17 00:00:00 2001
From: Tamir Kamara <26870601+tamirkamara@users.noreply.github.com>
Date: Wed, 8 Jan 2025 11:19:51 +0200
Subject: [PATCH] Add EventGrid diagnostic settings (#4258)
* add eventgrid diagnostic settings
* changelog
* core version
* add system topics
* uncomment
---
 CHANGELOG.md | 3 +-
 core/terraform/airlock/airlock_processor.tf | 8 ----
 core/terraform/airlock/data.tf | 21 +++++++++
 core/terraform/airlock/eventgrid_topics.tf | 52 +++++++++++++++++++--
 core/terraform/airlock/identity.tf | 5 --
 core/terraform/airlock/locals.tf | 2 +
 core/terraform/deploy.sh | 2 +-
 core/version.txt | 2 +-
 8 files changed, 74 insertions(+), 21 deletions(-)
 create mode 100644 core/terraform/airlock/data.tf
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6d19e990a0..fcc8d8b3f6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -32,6 +32,8 @@ ENHANCEMENTS:
 * Upgrade Python version from 3.8 to 3.12 ([#3949](https://github.com/microsoft/AzureTRE/issues/3949))Upgrade Python version from 3.8 to 3.12 (#3949)
 * Disable storage account key usage ([[#4227](https://github.com/microsoft/AzureTRE/issues/4227)])
 * Update Guacamole dependencies ([[#4232](https://github.com/microsoft/AzureTRE/issues/4232)])
+* Add option to force tunnel TRE's Firewall ([#4237](https://github.com/microsoft/AzureTRE/issues/4237))
+* Add EventGrid diagnostics to identify airlock issues ([#4258](https://github.com/microsoft/AzureTRE/issues/4258))
 BUG FIXES:
 * Update KeyVault references in API to use the version so Terraform cascades the update ([#4112](https://github.com/microsoft/AzureTRE/pull/4112))
@@ -49,7 +51,6 @@ BUG FIXES:
 * Fix VM actions where Workspace shared storage doesn't allow shared key access ([#4222](https://github.com/microsoft/AzureTRE/issues/4222))
 * Fix public exposure in Guacamole service ([[#4199](https://github.com/microsoft/AzureTRE/issues/4199)])
 * Fix Azure ML network tags to use name rather than ID ([[#4151](https://github.com/microsoft/AzureTRE/issues/4151)])
-* Add option to force tunnel TRE's Firewall ([#4237](https://github.com/microsoft/AzureTRE/issues/4237))
 COMPONENTS:
diff --git a/core/terraform/airlock/airlock_processor.tf b/core/terraform/airlock/airlock_processor.tf
index be784443ef..80a6968e97 100644
--- a/core/terraform/airlock/airlock_processor.tf
+++ b/core/terraform/airlock/airlock_processor.tf
@@ -1,11 +1,3 @@
-data "local_file" "airlock_processor_version" {
- filename = "${path.root}/../../airlock_processor/_version.py"
-}
-
-locals {
- version = replace(replace(replace(data.local_file.airlock_processor_version.content, "__version__ = \"", ""), "\"", ""), "\n", "")
-}
-
 resource "azurerm_service_plan" "airlock_plan" {
 name = "plan-airlock-${var.tre_id}"
 resource_group_name = var.resource_group_name
diff --git a/core/terraform/airlock/data.tf b/core/terraform/airlock/data.tf
new file mode 100644
index 0000000000..73915e6b6a
--- /dev/null
+++ b/core/terraform/airlock/data.tf
@@ -0,0 +1,21 @@
+data "local_file" "airlock_processor_version" {
+ filename = "${path.root}/../../airlock_processor/_version.py"
+}
+
+data "azurerm_private_dns_zone" "eventgrid" {
+ name = module.terraform_azurerm_environment_configuration.private_links["privatelink.eventgrid.azure.net"]
+ resource_group_name = var.resource_group_name
+}
+
+data "azurerm_container_registry" "mgmt_acr" {
+ name = var.mgmt_acr_name
+ resource_group_name = var.mgmt_resource_group_name
+}
+
+data "azurerm_monitor_diagnostic_categories" "eventgrid_custom_topics" {
+ resource_id = azurerm_eventgrid_topic.airlock_notification.id
+}
+
+data "azurerm_monitor_diagnostic_categories" "eventgrid_system_topics" {
+ resource_id = azurerm_eventgrid_system_topic.export_approved_blob_created.id
+}
diff --git a/core/terraform/airlock/eventgrid_topics.tf b/core/terraform/airlock/eventgrid_topics.tf
index 991325d2e1..2b967a6b79 100644
--- a/core/terraform/airlock/eventgrid_topics.tf
+++ b/core/terraform/airlock/eventgrid_topics.tf
@@ -1,8 +1,3 @@
-data "azurerm_private_dns_zone" "eventgrid" {
- name = module.terraform_azurerm_environment_configuration.private_links["privatelink.eventgrid.azure.net"]
- resource_group_name = var.resource_group_name
-}
-
 # Below we assign a SYSTEM-assigned identity for the topics. note that a user-assigned identity will not work.
 # Event grid topics
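Review bot: The two `azurerm_monitor_diagnostic_categories` data sources at the end of data.tf read the available categories from a single topic each (`airlock_notification` for custom topics, `export_approved_blob_created` for system topics) and nothing says that the result is then applied to every topic of that kind in eventgrid_topics.tf, including `scan_result` when malware scanning is enabled. That is sound while all topics share a resource type, but a maintainer adding a topic with a different shape would not know the assumption exists. Add a short comment above each, e.g. `# Category list for all EventGrid custom topics; read from one representative topic and applied to each of them in eventgrid_topics.tf.` and the equivalent wording for the system-topic source. The same remark applies to the two `azurerm_monitor_diagnostic_setting` resources in the eventgrid_topics.tf hunk that consume these data sources.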
@@ -511,3 +506,50 @@ resource "azurerm_eventgrid_event_subscription" "export_approved_blob_created" {
 ]
 }
+resource "azurerm_monitor_diagnostic_setting" "eventgrid_custom_topics" {
+ for_each = merge({
+ (azurerm_eventgrid_topic.airlock_notification.name) = azurerm_eventgrid_topic.airlock_notification.id,
+ (azurerm_eventgrid_topic.step_result.name) = azurerm_eventgrid_topic.step_result.id,
+ (azurerm_eventgrid_topic.status_changed.name) = azurerm_eventgrid_topic.status_changed.id,
+ (azurerm_eventgrid_topic.data_deletion.name) = azurerm_eventgrid_topic.data_deletion.id,
+ },
+ var.enable_malware_scanning ? { (azurerm_eventgrid_topic.scan_result[0].name) = azurerm_eventgrid_topic.scan_result[0].id } : null
+ )
+
+ name = "${each.key}-diagnostics"
+ target_resource_id = each.value
+ log_analytics_workspace_id = var.log_analytics_workspace_id
+ dynamic "enabled_log" {
+ for_each = data.azurerm_monitor_diagnostic_categories.eventgrid_custom_topics.log_category_types
+ content {
+ category = enabled_log.value
+ }
+ }
+
+ metric {
+ category = "AllMetrics"
+ }
+}
+
+resource "azurerm_monitor_diagnostic_setting" "eventgrid_system_topics" {
+ for_each = {
+ (azurerm_eventgrid_system_topic.import_inprogress_blob_created.name) = azurerm_eventgrid_system_topic.import_inprogress_blob_created.id,
+ (azurerm_eventgrid_system_topic.import_rejected_blob_created.name) = azurerm_eventgrid_system_topic.import_rejected_blob_created.id,
+ (azurerm_eventgrid_system_topic.import_blocked_blob_created.name) = azurerm_eventgrid_system_topic.import_blocked_blob_created.id,
+ (azurerm_eventgrid_system_topic.export_approved_blob_created.name) = azurerm_eventgrid_system_topic.export_approved_blob_created.id,
+ }
+
+ name = "${each.key}-diagnostics"
+ target_resource_id = each.value
+ log_analytics_workspace_id = var.log_analytics_workspace_id
+ dynamic "enabled_log" {
+ for_each = data.azurerm_monitor_diagnostic_categories.eventgrid_system_topics.log_category_types
+ content {
+ category = enabled_log.value
+ }
+ }
+
+ metric {
+ category = "AllMetrics"
+ }
+}
diff --git a/core/terraform/airlock/identity.tf b/core/terraform/airlock/identity.tf
index abca21c60d..9711f19ab6 100644
--- a/core/terraform/airlock/identity.tf
+++ b/core/terraform/airlock/identity.tf
@@ -1,8 +1,3 @@
-data "azurerm_container_registry" "mgmt_acr" {
- name = var.mgmt_acr_name
- resource_group_name = var.mgmt_resource_group_name
-}
-
 resource "azurerm_user_assigned_identity" "airlock_id" {
 resource_group_name = var.resource_group_name
 location = var.location
diff --git a/core/terraform/airlock/locals.tf b/core/terraform/airlock/locals.tf
index 37f7fdead0..3bc09392b6 100644
--- a/core/terraform/airlock/locals.tf
+++ b/core/terraform/airlock/locals.tf
@@ -1,4 +1,6 @@
 locals {
+ version = replace(replace(replace(data.local_file.airlock_processor_version.content, "__version__ = \"", ""), "\"", ""), "\n", "")
+
 # STorage AirLock EXternal
 import_external_storage_name = lower(replace("stalimex${var.tre_id}", "-", ""))
 # STorage AirLock IMport InProgress
diff --git a/core/terraform/deploy.sh b/core/terraform/deploy.sh
index e71fb14ae1..148cf1aca4 100755
--- a/core/terraform/deploy.sh
+++ b/core/terraform/deploy.sh
@@ -10,8 +10,8 @@ set -o nounset
 # shellcheck disable=SC1091
 source ./migrate.sh
-PLAN_FILE="tfplan$$"
 TS=$(date +"%s")
+PLAN_FILE="${TS}-tre-core.tfplan"
 LOG_FILE="${TS}-tre-core.log"
 # This variables are loaded in for us
diff --git a/core/version.txt b/core/version.txt
index 1e6e806534..d0f18418d1 100644
--- a/core/version.txt
+++ b/core/version.txt
@@ -1 +1 @@
-__version__ = "0.11.16"
+__version__ = "0.11.17"
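Review bot: The `for_each` of `azurerm_monitor_diagnostic_setting.eventgrid_custom_topics` builds its map with `merge({...}, var.enable_malware_scanning ? {...} : null)`, and the `null` arm together with the `scan_result[0]` index leaves a reader to work out that the optional topic is dropped, not that an empty list is being indexed, when scanning is off. Using an empty map in the false arm states the intent without relying on how `merge()` treats a null argument: `var.enable_malware_scanning ? { (azurerm_eventgrid_topic.scan_result[0].name) = azurerm_eventgrid_topic.scan_result[0].id } : {}`, with a comment such as `# scan_result only exists when malware scanning is enabled; contribute it to the map conditionally.` Neither new resource has a header comment; one line each, e.g. `# Forward EventGrid topic logs and metrics to Log Analytics so airlock delivery problems are visible (#4258).`, would tie them to the purpose the CHANGELOG gives. The two leading context lines close `azurerm_eventgrid_event_subscription.export_approved_blob_created`, whose body starts outside the hunk.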
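Review bot: `PLAN_FILE="${TS}-tre-core.tfplan"` drops the `$$` that made the old `tfplan$$` unique per process, and `TS=$(date +"%s")` has one-second resolution, so two deploys started from the same directory within a second would share a plan file; keeping the PID, e.g. `PLAN_FILE="${TS}-$$-tre-core.tfplan"`, preserves the previous uniqueness alongside the readable name. A saved Terraform plan also carries the planned resource and variable values, which may include sensitive ones, so it should be handled like state: confirm that the file is removed after apply and is excluded from version control, neither of which is visible in this hunk.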