Azure Monitor Aad Diagnostic Setting

azurerm_monitor_aad_diagnostic_setting (Terraform)

The Aad Diagnostic Setting in Monitor can be configured in Terraform with the resource name azurerm_monitor_aad_diagnostic_setting. The following sections describe 2 examples of how to use the resource and its parameters.

Example Usage from GitHub

thiagofborn/az-sentinel-tf

resource "azurerm_monitor_aad_diagnostic_setting" "rg-sentinel" {
  name               = "setting1"
  log_analytics_workspace_id = azurerm_log_analytics_workspace.rg-sentinel.id
  log {
    category = "SignInLogs"
    enabled  = true

imcuteani/az-kubernetes-architecture

resource "azurerm_monitor_aad_diagnostic_setting" "example" {
  name                       = var.azmonitor_diag_setting_name
  storage_account_id         = azurerm_storage_account.example.id
  log_analytics_workspace_id = azurerm_log_analytics_workspace.example.id // Sent monitor diag logs to Azure Log Analytics workspace
  log {
    category = "SignInLogs"

Parameters

The following arguments are supported:

• name - (Required) The name which should be used for this Monitor Azure Active Directory Diagnostic Setting. Changing this forces a new Monitor Azure Active Directory Diagnostic Setting to be created.
• log - (Required) One or more log blocks as defined below.

Note: At least one of the log blocks must have the enabled property set to true.

• eventhub_authorization_rule_id - (Optional) Specifies the ID of an Event Hub Namespace Authorization Rule used to send Diagnostics Data. Changing this forces a new resource to be created.

-> NOTE: This can be sourced from the azurerm_eventhub_namespace_authorization_rule resource and is different from a azurerm_eventhub_authorization_rule resource.

• eventhub_name - (Optional) Specifies the name of the Event Hub where Diagnostics Data should be sent. If not specified, the default Event Hub will be used. Changing this forces a new resource to be created.

• log_analytics_workspace_id - (Optional) Specifies the ID of a Log Analytics Workspace where Diagnostics Data should be sent.

• storage_account_id - (Optional) The ID of the Storage Account where logs should be sent. Changing this forces a new resource to be created.

-> NOTE: One of eventhub_authorization_rule_id, log_analytics_workspace_id and storage_account_id must be specified.

A log block supports the following:

• category - (Required) The log category for the Azure Active Directory Diagnostic. Possible values are AuditLogs, SignInLogs, ADFSSignInLogs, ManagedIdentitySignInLogs, NonInteractiveUserSignInLogs, ProvisioningLogs, RiskyUsers, ServicePrincipalSignInLogs, UserRiskEvents.

• retention_policy - (Required) A retention_policy block as defined below.

• enabled - (Optional) Is this Diagnostic Log enabled? Defaults to true.

A retention_policy block supports the following:

• enabled - (Optional) Is this Retention Policy enabled? Defaults to false.

• days - (Optional) The number of days for which this Retention Policy should apply. Defaults to 0.

In addition to the Arguments listed above - the following Attributes are exported:

• id - The ID of the Monitor Azure Active Directory Diagnostic Setting.

Explanation in Terraform Registry

Manages an Azure Active Directory Diagnostic Setting for Azure Monitor. !> Authentication The API for this resource does not support service principal authentication. This resource can only be used with Azure CLI authentication.

Tips: Best Practices for The Other Azure Monitor Resources

In addition to the azurerm_monitor_log_profile, Azure Monitor has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.

azurerm_monitor_log_profile

Ensure to enable the activity retention log

It is better to enable the activity retention log to ensure that all the information required for an effective investigation is still available.