Adding Module code for Azure Diagnostic Settings

.github/workflows/checkov.yml

@@ -0,0 +1,25 @@
+
+name: Static security analysis for Terraform
+
+permissions: read-all
+
+on:
+  push:
+    branches:
+    - main
+  pull_request:
+    branches:
+    - main
+jobs:
+  checkov-job:
+    runs-on: ubuntu-latest
+    name: checkov-action
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v2
+
+      - name: Run Checkov action
+        id: checkov
+        uses: bridgecrewio/checkov-action@master
+        with:
+          directory: ./

.gitignore

@@ -0,0 +1,34 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+.terraform.*
+# Crash log files
+crash.log
+
+# Exclude all .tfvars files, which are likely to contain sentitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+#
+*.tfvars
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+#
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc

.pre-commit-config.yaml

@@ -0,0 +1,11 @@
+repos:
+- repo: https://github.com/antonbabenko/pre-commit-terraform
+  rev: v1.77.1
+  hooks:
+    - id: terraform_fmt
+    - id: terraform_validate
+    - id: terraform_checkov
+    - id: terraform_docs
+      args:
+          - '--args=--lockfile=false'
+

README.md

@@ -0,0 +1,54 @@
+# Terraform module for Azure Diagnostic Settings
+
+## How to use it as a module
+
+```hcl
+
+```
+
+<!-- BEGINNING OF PRE-COMMIT-TERRAFORM DOCS HOOK -->
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.13.1 |
+| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | >= 3.0.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_azurerm"></a> [azurerm](#provider\_azurerm) | >= 3.0.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [azurerm_monitor_diagnostic_setting.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_diagnostic_setting) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_create_diagnostic_setting"></a> [create\_diagnostic\_setting](#input\_create\_diagnostic\_setting) | (Optional) Do you want to create the resource | `bool` | `true` | no |
+| <a name="input_enabled_log"></a> [enabled\_log](#input\_enabled\_log) | (Optional) One or more enabled\_log blocks, At least one enabled\_log or metric block must be specified. | `any` | `[]` | no |
+| <a name="input_eventhub_authorization_rule_id"></a> [eventhub\_authorization\_rule\_id](#input\_eventhub\_authorization\_rule\_id) | (Optional) Specifies the ID of an Event Hub Namespace Authorization Rule used to send Diagnostics Data. | `string` | `null` | no |
+| <a name="input_eventhub_name"></a> [eventhub\_name](#input\_eventhub\_name) | (Optional) Specifies the name of the Event Hub where Diagnostics Data should be sent. | `string` | `null` | no |
+| <a name="input_log_analytics_destination_type"></a> [log\_analytics\_destination\_type](#input\_log\_analytics\_destination\_type) | (Optional) Possible values are AzureDiagnostics and Dedicated. When set to Dedicated, logs sent to a Log Analytics workspace will go into resource specific tables, instead of the legacy AzureDiagnostics table. | `string` | `"AzureDiagnostics"` | no |
+| <a name="input_log_analytics_workspace_id"></a> [log\_analytics\_workspace\_id](#input\_log\_analytics\_workspace\_id) | (Optional) Specifies the ID of a Log Analytics Workspace where Diagnostics Data should be sent. | `string` | `null` | no |
+| <a name="input_metric"></a> [metric](#input\_metric) | (Optional) One or more metric blocks, At least one enabled\_log or metric block must be specified. | `any` | `[]` | no |
+| <a name="input_name"></a> [name](#input\_name) | (Required) Specifies the name of the Diagnostic Setting. Changing this forces a new resource to be created. | `string` | n/a | yes |
+| <a name="input_partner_solution_id"></a> [partner\_solution\_id](#input\_partner\_solution\_id) | (Optional) The ID of the market partner solution where Diagnostics Data should be sent. For potential partner integrations | `string` | `null` | no |
+| <a name="input_storage_account_id"></a> [storage\_account\_id](#input\_storage\_account\_id) | (Optional) The ID of the Storage Account where logs should be sent. | `string` | `null` | no |
+| <a name="input_target_resource_id"></a> [target\_resource\_id](#input\_target\_resource\_id) | (Required) The ID of an existing Resource on which to configure Diagnostic Settings. Changing this forces a new resource to be created. | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_id"></a> [id](#output\_id) | The ID of the Diagnostic Setting. |
+<!-- END OF PRE-COMMIT-TERRAFORM DOCS HOOK -->

main.tf

@@ -0,0 +1,53 @@
+resource "azurerm_monitor_diagnostic_setting" "this" {
+  count = var.create_diagnostic_setting ? 1 : 0
+
+  name                           = var.name
+  target_resource_id             = var.target_resource_id
+  eventhub_name                  = var.eventhub_name
+  eventhub_authorization_rule_id = var.eventhub_authorization_rule_id
+  log_analytics_workspace_id     = var.log_analytics_workspace_id
+  log_analytics_destination_type = var.log_analytics_destination_type
+  partner_solution_id            = var.partner_solution_id
+
+  storage_account_id = var.storage_account_id
+
+
+  dynamic "enabled_log" {
+    for_each = var.enabled_log
+    content {
+      category       = try(enabled_log.value.category, null)
+      category_group = try(enabled_log.value.category_group, null)
+
+      dynamic "retention_policy" {
+        for_each = try(enabled_log.value.retention_policy, [])
+
+        content {
+          enabled = try(retention_policy.value.enabled, true)
+          days    = try(retention_policy.value.days, 0)
+        }
+
+      }
+    }
+  }
+
+  dynamic "metric" {
+    for_each = var.metric
+
+    content {
+      category = try(metric.value.category)
+      enabled  = try(metric.value.enabled, true)
+      dynamic "retention_policy" {
+        for_each = try(metric.value.retention_policy, [])
+
+        content {
+          enabled = try(retention_policy.value.enabled, true)
+          days    = try(retention_policy.value.days, 0)
+        }
+
+      }
+
+    }
+
+  }
+
+}

outputs.tf

@@ -0,0 +1,4 @@
+output "id" {
+  description = "The ID of the Diagnostic Setting."
+  value       = try(azurerm_monitor_diagnostic_setting.this[0].id, "")
+}

variables.tf

@@ -0,0 +1,64 @@
+variable "create_diagnostic_setting" {
+  type        = bool
+  description = "(Optional) Do you want to create the resource"
+  default     = true
+}
+
+variable "name" {
+  type        = string
+  description = "(Required) Specifies the name of the Diagnostic Setting. Changing this forces a new resource to be created."
+}
+
+variable "target_resource_id" {
+  type        = string
+  description = "(Required) The ID of an existing Resource on which to configure Diagnostic Settings. Changing this forces a new resource to be created."
+}
+
+variable "eventhub_name" {
+  type        = string
+  description = "(Optional) Specifies the name of the Event Hub where Diagnostics Data should be sent."
+  default     = null
+}
+
+variable "eventhub_authorization_rule_id" {
+  type        = string
+  description = "(Optional) Specifies the ID of an Event Hub Namespace Authorization Rule used to send Diagnostics Data."
+  default     = null
+}
+
+variable "log_analytics_workspace_id" {
+  type        = string
+  description = "(Optional) Specifies the ID of a Log Analytics Workspace where Diagnostics Data should be sent."
+  default     = null
+}
+
+variable "log_analytics_destination_type" {
+  type        = string
+  description = "(Optional) Possible values are AzureDiagnostics and Dedicated. When set to Dedicated, logs sent to a Log Analytics workspace will go into resource specific tables, instead of the legacy AzureDiagnostics table."
+  default     = "AzureDiagnostics"
+}
+
+variable "partner_solution_id" {
+  type        = string
+  description = "(Optional) The ID of the market partner solution where Diagnostics Data should be sent. For potential partner integrations"
+  default     = null
+}
+
+variable "storage_account_id" {
+  type        = string
+  description = "(Optional) The ID of the Storage Account where logs should be sent."
+  default     = null
+}
+
+variable "enabled_log" {
+  type        = any
+  description = "(Optional) One or more enabled_log blocks, At least one enabled_log or metric block must be specified."
+  default     = []
+}
+
+variable "metric" {
+  type        = any
+  description = "(Optional) One or more metric blocks, At least one enabled_log or metric block must be specified."
+  default     = []
+}
+

versions.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 0.13.1"
+
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = ">= 3.0.0"
+    }
+  }
+}