Add EventGrid diagnostic settings (#4258)

* add eventgrid diagnostic settings * changelog * core version * add system topics * uncomment
microsoft · Jan 8, 2025 · 3704002 · 3704002
1 parent 97debdc
commit 3704002
Show file tree

Hide file tree

Showing 8 changed files with 74 additions and 21 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -32,6 +32,8 @@ ENHANCEMENTS:
 * Upgrade Python version from 3.8 to 3.12 ([#3949](https://github.com/microsoft/AzureTRE/issues/3949))Upgrade Python version from 3.8 to 3.12 (#3949)
 * Disable storage account key usage ([[#4227](https://github.com/microsoft/AzureTRE/issues/4227)])
 * Update Guacamole dependencies ([[#4232](https://github.com/microsoft/AzureTRE/issues/4232)])
+* Add option to force tunnel TRE's Firewall ([#4237](https://github.com/microsoft/AzureTRE/issues/4237))
+* Add EventGrid diagnostics to identify airlock issues ([#4258](https://github.com/microsoft/AzureTRE/issues/4258))
 
 BUG FIXES:
 * Update KeyVault references in API to use the version so Terraform cascades the update ([#4112](https://github.com/microsoft/AzureTRE/pull/4112))
@@ -49,7 +51,6 @@ BUG FIXES:
 * Fix VM actions where Workspace shared storage doesn't allow shared key access ([#4222](https://github.com/microsoft/AzureTRE/issues/4222))
 * Fix public exposure in Guacamole service ([[#4199](https://github.com/microsoft/AzureTRE/issues/4199)])
 * Fix Azure ML network tags to use name rather than ID ([[#4151](https://github.com/microsoft/AzureTRE/issues/4151)])
-* Add option to force tunnel TRE's Firewall ([#4237](https://github.com/microsoft/AzureTRE/issues/4237))
 
 COMPONENTS:
 

diff --git a/core/terraform/airlock/airlock_processor.tf b/core/terraform/airlock/airlock_processor.tf
@@ -1,11 +1,3 @@
-data "local_file" "airlock_processor_version" {
-  filename = "${path.root}/../../airlock_processor/_version.py"
-}
-
-locals {
-  version = replace(replace(replace(data.local_file.airlock_processor_version.content, "__version__ = \"", ""), "\"", ""), "\n", "")
-}
-
 resource "azurerm_service_plan" "airlock_plan" {
   name                = "plan-airlock-${var.tre_id}"
   resource_group_name = var.resource_group_name

diff --git a/core/terraform/airlock/data.tf b/core/terraform/airlock/data.tf
@@ -0,0 +1,21 @@
+data "local_file" "airlock_processor_version" {
+  filename = "${path.root}/../../airlock_processor/_version.py"
+}
+
+data "azurerm_private_dns_zone" "eventgrid" {
+  name                = module.terraform_azurerm_environment_configuration.private_links["privatelink.eventgrid.azure.net"]
+  resource_group_name = var.resource_group_name
+}
+
+data "azurerm_container_registry" "mgmt_acr" {
+  name                = var.mgmt_acr_name
+  resource_group_name = var.mgmt_resource_group_name
+}
+
+data "azurerm_monitor_diagnostic_categories" "eventgrid_custom_topics" {
+  resource_id = azurerm_eventgrid_topic.airlock_notification.id
+}
+
+data "azurerm_monitor_diagnostic_categories" "eventgrid_system_topics" {
+  resource_id = azurerm_eventgrid_system_topic.export_approved_blob_created.id
+}
diff --git a/core/terraform/airlock/eventgrid_topics.tf b/core/terraform/airlock/eventgrid_topics.tf
@@ -1,8 +1,3 @@
-data "azurerm_private_dns_zone" "eventgrid" {
-  name                = module.terraform_azurerm_environment_configuration.private_links["privatelink.eventgrid.azure.net"]
-  resource_group_name = var.resource_group_name
-}
-
 # Below we assign a SYSTEM-assigned identity for the topics. note that a user-assigned identity will not work.
 
 # Event grid topics
@@ -511,3 +506,50 @@ resource "azurerm_eventgrid_event_subscription" "export_approved_blob_created" {
   ]
 }
 
+resource "azurerm_monitor_diagnostic_setting" "eventgrid_custom_topics" {
+  for_each = merge({
+    (azurerm_eventgrid_topic.airlock_notification.name) = azurerm_eventgrid_topic.airlock_notification.id,
+    (azurerm_eventgrid_topic.step_result.name)          = azurerm_eventgrid_topic.step_result.id,
+    (azurerm_eventgrid_topic.status_changed.name)       = azurerm_eventgrid_topic.status_changed.id,
+    (azurerm_eventgrid_topic.data_deletion.name)        = azurerm_eventgrid_topic.data_deletion.id,
+    },
+    var.enable_malware_scanning ? { (azurerm_eventgrid_topic.scan_result[0].name) = azurerm_eventgrid_topic.scan_result[0].id } : null
+  )
+
+  name                       = "${each.key}-diagnostics"
+  target_resource_id         = each.value
+  log_analytics_workspace_id = var.log_analytics_workspace_id
+  dynamic "enabled_log" {
+    for_each = data.azurerm_monitor_diagnostic_categories.eventgrid_custom_topics.log_category_types
+    content {
+      category = enabled_log.value
+    }
+  }
+
+  metric {
+    category = "AllMetrics"
+  }
+}
+
+resource "azurerm_monitor_diagnostic_setting" "eventgrid_system_topics" {
+  for_each = {
+    (azurerm_eventgrid_system_topic.import_inprogress_blob_created.name) = azurerm_eventgrid_system_topic.import_inprogress_blob_created.id,
+    (azurerm_eventgrid_system_topic.import_rejected_blob_created.name)   = azurerm_eventgrid_system_topic.import_rejected_blob_created.id,
+    (azurerm_eventgrid_system_topic.import_blocked_blob_created.name)    = azurerm_eventgrid_system_topic.import_blocked_blob_created.id,
+    (azurerm_eventgrid_system_topic.export_approved_blob_created.name)   = azurerm_eventgrid_system_topic.export_approved_blob_created.id,
+  }
+
+  name                       = "${each.key}-diagnostics"
+  target_resource_id         = each.value
+  log_analytics_workspace_id = var.log_analytics_workspace_id
+  dynamic "enabled_log" {
+    for_each = data.azurerm_monitor_diagnostic_categories.eventgrid_system_topics.log_category_types
+    content {
+      category = enabled_log.value
+    }
+  }
+
+  metric {
+    category = "AllMetrics"
+  }
+}
diff --git a/core/terraform/airlock/identity.tf b/core/terraform/airlock/identity.tf
@@ -1,8 +1,3 @@
-data "azurerm_container_registry" "mgmt_acr" {
-  name                = var.mgmt_acr_name
-  resource_group_name = var.mgmt_resource_group_name
-}
-
 resource "azurerm_user_assigned_identity" "airlock_id" {
   resource_group_name = var.resource_group_name
   location            = var.location

diff --git a/core/terraform/airlock/locals.tf b/core/terraform/airlock/locals.tf
@@ -1,4 +1,6 @@
 locals {
+  version = replace(replace(replace(data.local_file.airlock_processor_version.content, "__version__ = \"", ""), "\"", ""), "\n", "")
+
   # STorage AirLock EXternal
   import_external_storage_name = lower(replace("stalimex${var.tre_id}", "-", ""))
   # STorage AirLock IMport InProgress

diff --git a/core/terraform/deploy.sh b/core/terraform/deploy.sh
@@ -10,8 +10,8 @@ set -o nounset
 # shellcheck disable=SC1091
 source ./migrate.sh
 
-PLAN_FILE="tfplan$$"
 TS=$(date +"%s")
+PLAN_FILE="${TS}-tre-core.tfplan"
 LOG_FILE="${TS}-tre-core.log"
 
 # This variables are loaded in for us

diff --git a/core/version.txt b/core/version.txt
@@ -1 +1 @@
-__version__ = "0.11.16"
+__version__ = "0.11.17"