Terraform - Azurerm - Subscription Activity Log / API Logging


Can anybody please help shine some light on how I can go about logging/storing API calls to Azure Subscriptions via Terraform?

I've found the "azurerm_monitor_diagnostic_setting", but this doesn't seem to cover Subscriptions. And I'm just banging my head against a wall here...

Ultimately I want to achieve some alerting on certain api calls (nsg deletes, edits & other 'important events') which I believe I can achieve with "azure_monitor_activity_log_alert" via an SA. But I'm just struggling to find how to get at these logs via Terraform in the first instance?

Any help would be much appreciated.

Thanks




But I'm just struggling to find how to get at these logs via Terraform in the first instance?

AFAIK, there is no supported terraform block to directly get these logs from a storage account.

As a workaround, you could access Activity log events using the following methods:

  1. Use the Get-AzLog cmdlet to retrieve the Activity Log from PowerShell. See Azure Monitor PowerShell samples.
  2. Use az monitor activity-log to retrieve the Activity Log from CLI. See Azure Monitor CLI samples.
  3. Use the Azure Monitor REST API to retrieve the Activity Log from a REST client

In this case, you can mix the CLI or PowerShell scripts into your Terraform code with the local-exec provisioner or remote-exec provisioner. This would make it possible to get the logs. For diagnostic logs stored in a storage account, you may need to get the blob content via Get-AzureStorageBlob.


I've been searching on this for a while now and I've found a solution or better yet explanation to this problem or confusion.

The portal is a bit unclear on this, but the activity log you see on your resources is actually the full activity log for your subscription, with filters (!!).

This means that when you open your Activity Log on the resource page in the portal it will show you all Activity for that resource, but that doesn't mean you can send an Activity Log of that resource alone to your Log Analytics Workspace, or wherever you want to send that data.

You can actually see this by creating an Activity Log Diagnostic Setting on your resource in the Azure Portal and then going to the subscription page, where you will find the same Diagnostic Setting on that level.

So instead of configuring a Diagnostic Setting that sends Activity Logs to a Log Analytics Workspace for each Resource in your Subscription, you should only configure one on the Subscription level, which will contain all Activity on all the underlying Resource Groups & Resources.

In Terraform this can look like this:

# Look up the current subscription and the existing Log Analytics workspace
# that the activity log should be forwarded to. The workspace name and
# resource group below are placeholders; replace them with your own.
data "azurerm_subscription" "current" {}

data "azurerm_log_analytics_workspace" "monitoring" {
  name                = "monitoring"
  resource_group_name = "rg-monitoring"
}

locals {
  # Activity log categories to forward; each gets the same retention policy.
  activity_log_categories = [
    "Security",
    "Administrative",
    "ServiceHealth",
    "Alert",
    "Recommendation",
    "Policy",
    "Autoscale",
    "ResourceHealth",
  ]
}

resource "azurerm_monitor_diagnostic_setting" "activity-logs" {
  name = "subscription-activitylogs"

  # Target the subscription itself, not an individual resource: this one
  # setting covers activity on every resource group and resource beneath it.
  target_resource_id             = data.azurerm_subscription.current.id
  log_analytics_workspace_id     = data.azurerm_log_analytics_workspace.monitoring.id
  log_analytics_destination_type = "Dedicated"

  # One enabled_log block per category, generated from the list above.
  dynamic "enabled_log" {
    for_each = toset(local.activity_log_categories)

    content {
      category = enabled_log.value

      retention_policy {
        enabled = true
        days    = 180
      }
    }
  }
}
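The alerting the question asks about, built on the subscription-scoped logging above, as an added example that is not part of either answer: one Activity Log alert per NSG operation (delete, rule write, rule delete), scoped to the whole subscription. The action group, resource group, alert names and e-mail address are assumptions.

```hcl
# Constructed example: alert on NSG deletions and NSG rule changes at
# subscription scope. Names, resource group and e-mail are placeholders.
data "azurerm_subscription" "current" {}

resource "azurerm_monitor_action_group" "security" {
  name                = "ag-security"   # assumed name
  resource_group_name = "rg-monitoring" # assumed resource group
  short_name          = "sec"

  email_receiver {
    name          = "secops"
    email_address = "secops@example.com" # placeholder address
  }
}

locals {
  # Operation names exactly as they appear in the Administrative activity log.
  nsg_operations = {
    "nsg-delete"      = "Microsoft.Network/networkSecurityGroups/delete"
    "nsg-rule-write"  = "Microsoft.Network/networkSecurityGroups/securityRules/write"
    "nsg-rule-delete" = "Microsoft.Network/networkSecurityGroups/securityRules/delete"
  }
}

resource "azurerm_monitor_activity_log_alert" "nsg" {
  for_each            = local.nsg_operations
  name                = "alert-${each.key}"
  resource_group_name = "rg-monitoring"
  location            = "global" # required from azurerm 4.x onwards
  description         = "Fires when ${each.value} succeeds anywhere in the subscription"

  # Subscription scope: covers every NSG, matching the subscription-level
  # diagnostic setting rather than a per-resource one.
  scopes = [data.azurerm_subscription.current.id]

  # A criteria block takes a single operation_name, hence one alert per operation.
  criteria {
    category       = "Administrative"
    operation_name = each.value
    status         = "Succeeded"
  }

  action {
    action_group_id = azurerm_monitor_action_group.security.id
  }
}
```

Activity Log alerts are evaluated against the subscription's activity log directly, so they fire even without a diagnostic setting; the diagnostic setting above is what retains the events in Log Analytics for later investigation.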