Azure Monitor Aad Diagnostic Setting
This page shows how to configure an Azure Monitor Azure AD (Aad) Diagnostic Setting in Terraform and Azure Resource Manager, and what to check so that the configuration is secure.
azurerm_monitor_aad_diagnostic_setting (Terraform)
The Aad Diagnostic Setting in Monitor can be configured in Terraform with the resource name azurerm_monitor_aad_diagnostic_setting. The following sections describe two examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "azurerm_monitor_aad_diagnostic_setting" "rg-sentinel" {
  name                       = "setting1"
  log_analytics_workspace_id = azurerm_log_analytics_workspace.rg-sentinel.id
  log {
    category = "SignInLogs"
    enabled  = true
    # retention_policy is required by the provider schema; retention only applies to a storage account sink
    retention_policy {
      enabled = false
    }
  }
}
resource "azurerm_monitor_aad_diagnostic_setting" "example" {
  name                       = var.azmonitor_diag_setting_name
  storage_account_id         = azurerm_storage_account.example.id
  log_analytics_workspace_id = azurerm_log_analytics_workspace.example.id // Send diagnostic logs to the Log Analytics workspace as well
  log {
    category = "SignInLogs"
    enabled  = true
    retention_policy {
      enabled = true
      days    = 365 // applies to the copy written to the storage account
    }
  }
}
Parameters
The following arguments are supported:
name
- (Required) The name which should be used for this Monitor Azure Active Directory Diagnostic Setting. Changing this forces a new Monitor Azure Active Directory Diagnostic Setting to be created.
log
- (Required) One or more log blocks as defined below.
Note: At least one of the log blocks must have the enabled property set to true.
eventhub_authorization_rule_id
- (Optional) Specifies the ID of an Event Hub Namespace Authorization Rule used to send Diagnostics Data. Changing this forces a new resource to be created.
-> NOTE: This can be sourced from the azurerm_eventhub_namespace_authorization_rule resource and is different from an azurerm_eventhub_authorization_rule resource.
eventhub_name
- (Optional) Specifies the name of the Event Hub where Diagnostics Data should be sent. If not specified, the default Event Hub will be used. Changing this forces a new resource to be created.
log_analytics_workspace_id
- (Optional) Specifies the ID of a Log Analytics Workspace where Diagnostics Data should be sent.
storage_account_id
- (Optional) The ID of the Storage Account where logs should be sent. Changing this forces a new resource to be created.
-> NOTE: At least one of eventhub_authorization_rule_id, log_analytics_workspace_id and storage_account_id must be specified; more than one may be given, as in the second example above.
A log block supports the following:
category
- (Required) The log category for the Azure Active Directory Diagnostic. Possible values are AuditLogs, SignInLogs, ADFSSignInLogs, ManagedIdentitySignInLogs, NonInteractiveUserSignInLogs, ProvisioningLogs, RiskyUsers, ServicePrincipalSignInLogs and UserRiskEvents. Note that SignInLogs covers interactive user sign-ins only; sign-ins by service principals, managed identities and token refreshes are separate categories and are missed if only SignInLogs is enabled.
retention_policy
- (Required) A retention_policy block as defined below.
enabled
- (Optional) Is this Diagnostic Log enabled? Defaults to true.
A retention_policy block supports the following:
enabled
- (Optional) Is this Retention Policy enabled? Defaults to false.
days
- (Optional) The number of days for which this Retention Policy should apply. Defaults to 0, which means retain indefinitely.
-> NOTE: The retention policy only governs data written to the Storage Account sink. Data sent to a Log Analytics Workspace or an Event Hub is retained according to that destination's own settings.
In addition to the Arguments listed above - the following Attributes are exported:
id
- The ID of the Monitor Azure Active Directory Diagnostic Setting.
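As an added example (not code from either GitHub repository above), the following configuration enables every log category the provider accepts rather than only SignInLogs, and sends them to both a Log Analytics workspace and a storage account with one year of retention. It assumes an azurerm_log_analytics_workspace and an azurerm_storage_account, both labelled sec, already exist in the same configuration; those names are placeholders.

```hcl
# Added example, not from the page's source repositories.
# Assumes azurerm_log_analytics_workspace.sec and azurerm_storage_account.sec
# are defined elsewhere in this configuration (placeholder names).
locals {
  # Every Azure AD log category accepted by the provider. The GitHub examples
  # enable only SignInLogs, which misses directory changes (AuditLogs), workload
  # sign-ins (ServicePrincipalSignInLogs, ManagedIdentitySignInLogs), token
  # refreshes (NonInteractiveUserSignInLogs) and Identity Protection signals
  # (RiskyUsers, UserRiskEvents). Drop any category your tenant does not
  # produce, e.g. ADFSSignInLogs when no AD FS farm is connected.
  aad_log_categories = toset([
    "AuditLogs",
    "SignInLogs",
    "ADFSSignInLogs",
    "ManagedIdentitySignInLogs",
    "NonInteractiveUserSignInLogs",
    "ProvisioningLogs",
    "RiskyUsers",
    "ServicePrincipalSignInLogs",
    "UserRiskEvents",
  ])
}

resource "azurerm_monitor_aad_diagnostic_setting" "sec" {
  name = "aad-to-siem"

  # Workspace sink for detection queries; storage sink for long-term evidence.
  log_analytics_workspace_id = azurerm_log_analytics_workspace.sec.id
  storage_account_id         = azurerm_storage_account.sec.id

  # One log block per category, generated from the set above.
  dynamic "log" {
    for_each = local.aad_log_categories
    content {
      category = log.value
      enabled  = true

      # Retention applies only to the storage account copy; 365 days keeps a
      # year of raw sign-in evidence available for incident response.
      retention_policy {
        enabled = true
        days    = 365
      }
    }
  }
}
```

Because the underlying API does not accept service principal authentication, this resource has to be applied from a session authenticated with the Azure CLI, so keep it in a separate root module from configuration that your pipeline applies as a service principal.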
Explanation in Terraform Registry
Manages an Azure Active Directory Diagnostic Setting for Azure Monitor.
Authentication: the API behind this resource does not support service principal authentication, so the resource can only be applied using Azure CLI (user) authentication. Terraform runs that authenticate as a service principal, which is the usual setup for CI pipelines, will fail on this resource.
Tips: Best Practices for Other Azure Monitor Resources
In addition to azurerm_monitor_aad_diagnostic_setting, Azure Monitor has other resources that should be configured with security in mind. Below is an example of such a resource and its precaution.
azurerm_monitor_log_profile
Ensure activity log retention is enabled
Enable retention on the activity log profile so that the record of who changed what in the subscription is still available when an incident is investigated; without it, evidence older than the default window is gone before most investigations start.
Microsoft.Insights/diagnosticSettings (Azure Resource Manager)
The diagnosticSettings in Microsoft.Insights can be configured in Azure Resource Manager with the resource name Microsoft.Insights/diagnosticSettings. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
The source repositories repeat the same fragment several times. De-duplicated, it is the details block of a deployIfNotExists Azure Policy rule that creates a diagnostic setting named setByPolicy on each matching resource (one repository parameterizes the name as "[concat(parameters('prefix'), 'setByPolicy')]"):
"details": {
  "type": "Microsoft.Insights/diagnosticSettings",
  "name": "setByPolicy",
  "roleDefinitionIds": [
    "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
  ],
  "existenceCondition": {
    "allOf": [
      {
        "field": "Microsoft.Insights/diagnosticSettings/logs.enabled",
        "equals": "true"
      }
    ]
  },
  "deployment": {
    "properties": {
      "mode": "incremental",
      "template": {
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0"
      }
    }
  }
}
The rest of the deployment template (its metadata, parameters and resources) is cut off in the source. Two points to check before reusing this pattern: the role definition ID b24988ac-6180-42a0-ab88-20f7382dd24c is the built-in Contributor role, which grants the policy assignment's managed identity far more than it needs to write a diagnostic setting; and an existenceCondition that only tests logs.enabled is satisfied by any existing diagnostic setting with a single enabled log, so the policy will not remediate a setting that ships the wrong categories or sends them to the wrong workspace.
Frequently asked questions
What is Azure Monitor Aad Diagnostic Setting?
Azure Monitor Aad Diagnostic Setting is a resource for Monitor of Microsoft Azure. Its settings can be written in Terraform or Azure Resource Manager.
Where can I find the example code for the Azure Monitor Aad Diagnostic Setting?
For Terraform, the thiagofborn/az-sentinel-tf and imcuteani/az-kubernetes-architecture source code examples are useful. See the Terraform Example section for further details.
For Azure Resource Manager, the taldagan23/AzureMovingResource, AzureDeployment/azure-deploy and canada-ca-terraform-modules/terraform-azurerm-caf-diagnostic_policy_set source code examples are useful. See the Azure Resource Manager Example section for further details.