SumoLogic · himanshu219 · Apr 21, 2025 · Apr 21, 2025 · Apr 21, 2025
@@ -0,0 +1,66 @@
+name: "Azure TF template tests"
+on:
+  pull_request:
+    paths:
+      - 'azure-collection-terraform/**'
+
+jobs:
+
+  ValidateTF:
+    runs-on: ubuntu-latest
+    name: "Validatation (format & syntax)"
+    defaults:
+      run:
+        working-directory: ./azure-collection-terraform
+    steps:
+    - uses: actions/checkout@v4
+      name: Checkout source code
+
+    - uses: hashicorp/setup-terraform@v3
+      name: Setup Terraform
+      # The default configuration installs the latest version of Terraform CLI
+      # with:
+      #   terraform_version: "1.1.7"
+
+    - name: Terraform fmt
+      id: fmt
+      run: terraform fmt -check -recursive -diff
+      continue-on-error: true
+
+    - name: Terraform Init
+      id: init
+      run: terraform init
+
+    - name: Terraform Validate
+      id: validate
+      run: terraform validate
+
+  TFSecurityChecksUsingCheckov:
+    name: "Security Checks (checkov)"
+    runs-on: "ubuntu-latest"
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v3
+
+      - uses: bridgecrewio/checkov-action@master
+        with:
+          directory: 'azure-collection-terraform/'
+          quiet: true
+          framework: terraform
+          output_format: cli
+          output_bc_ids: false
+          download_external_modules: true
+          # skip_check:
+
+  TFSecurityChecksUsingTfsec:
+    name: "Security Checks (tfsec)"
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v3
+
+      - name: tfsec
+        uses: aquasecurity/tfsec-action@v1.0.0
+        with:
+          working_directory: 'azure-collection-terraform/'
@@ -0,0 +1,228 @@
+# multiple location
+# separate source module
+# multiple namespace
+# # Todo Create a policy
+
+# Create a Resource Group
+resource "azurerm_resource_group" "rg" {
+  name     = var.resource_group_name
+  location = var.location
+}
+
+# Create an Event Hub Namespace
+resource "azurerm_eventhub_namespace" "namespace" {
+  name                = var.eventhub_namespace_name
+  location            = azurerm_resource_group.rg.location
+  resource_group_name = azurerm_resource_group.rg.name
+  sku                 = "Standard"
+  capacity            = var.throughput_units
+
+  # Todo take tags from vars file and iterate over multiple tags
+  tags = {
+    version = local.solution_version
+  }
+}
+
+# Create an Event Hub
+resource "azurerm_eventhub" "eventhub" {
+  name                = var.eventhub_name
+  namespace_id        = azurerm_eventhub_namespace.namespace.id
+
+  # 1 partition = 1 MB/sec
+  partition_count     = 4
+  message_retention   = 7
+}
+
+# Create a Shared Access Policy with listen permissions
+resource "azurerm_eventhub_namespace_authorization_rule" "sumo_collection_policy" {
+  name                = var.policy_name
+  namespace_name      = azurerm_eventhub_namespace.namespace.name
+  resource_group_name = azurerm_resource_group.rg.name
+  listen              = true
+  send                = false
+  manage              = false
+}
+
+# Sumo Collection sources
+resource "sumologic_collector" "sumo_collector" {
+  # Todo collector name from the variable
+  # Todo add tenant subscription in collector to uniquely identify
+  name          =  "Azure Observability Collector"
+  description = "created via terraform"
+
+  # name        = local.collector_name
+  # description = var.sumologic_collector_details.description
+  # fields      = var.sumologic_collector_details.fields
+  # timezone    = "UTC"
+  fields  = {
+    tenant_name = "azure_account"
+  }
+}
+
+resource "sumologic_azure_event_hub_log_source" "sumo_azure_event_hub_log_source" {
+    # Todo separate
+    name          =  "Azure Logs Source"
+    description = "created via terraform uses ${var.eventhub_name}"
+    category      = "azure/eventhub/logs"
+    content_type  = "AzureEventHubLog"
+    collector_id  = "${sumologic_collector.sumo_collector.id}"
+    depends_on = [azurerm_eventhub.eventhub]
+    authentication {
+      type = "AzureEventHubAuthentication"
+      shared_access_policy_name = var.policy_name
+      shared_access_policy_key = azurerm_eventhub_namespace_authorization_rule.sumo_collection_policy.primary_key
+    }
+    path {
+      type = "AzureEventHubPath"
+      namespace     = azurerm_eventhub_namespace.namespace.name
+      event_hub_name = var.eventhub_name
+      consumer_group = "$Default"
+      # Todo test for US Gov, take it as separate variable
+      region = "Commercial"
+    }
+}
+
+data "azurerm_client_config" "current" {}
+
+resource "sumologic_azure_metrics_source" "sumo_azure_event_hub_metrics_source" {
+    # one source for all regions
+    # Todo take region as input
+    # Todo take namespaces as input
+    name          =  "Azure Metrics Source"
+    description = "created via terraform uses Azure Monitor API"
+    category      = "azure/eventhub/metrics"
+    content_type  = "AzureMetrics"
+    collector_id  = "${sumologic_collector.sumo_collector.id}"
+    authentication {
+      type = "AzureClientSecretAuthentication"
+      tenant_id = data.azurerm_client_config.current.tenant_id
+      # Todo create client id and client secret with contributors role and use service using script and use the same in providers and below
+      # https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/service_principal_client_secret
+      client_id = var.azure_client_id
+      client_secret = var.azure_client_secret
+    }
+    path {
+      type = "AzureMetricsPath"
+      limit_to_namespaces = ["Microsoft.Web/sites"]
+    }
+    lifecycle {
+      ignore_changes = [authentication.0.client_secret]
+    }
+}
+
+
+data "azurerm_eventhub_namespace_authorization_rule" "default_rule" {
+ name                = "RootManageSharedAccessKey"
+ namespace_name      = var.eventhub_namespace_name
+ resource_group_name = azurerm_resource_group.rg.name
+ depends_on = [azurerm_eventhub_namespace.namespace]
+}
+
+# Todo for each for each target resource
+data "azurerm_monitor_diagnostic_categories" "function_app_category" {
+  # Todo take in variable
+  resource_id = var.target_resource_ids[0]
+}
+
+# Todo Create a autosubscribe function to create diagnostic settings
+# Create a Diagnostic Setting for Function App logs
+resource "azurerm_monitor_diagnostic_setting" "diagnostic_setting_logs" {
+  name               = "sumo_export_logs"
+  eventhub_name = var.eventhub_name
+  target_resource_id = var.target_resource_ids[0]
+  eventhub_authorization_rule_id  = data.azurerm_eventhub_namespace_authorization_rule.default_rule.id
+
+  # Select the resource from the list https://learn.microsoft.com/en-gb/azure/azure-monitor/platform/resource-logs-schema#service-specific-schemas
+  # Select the category from the link opened from above link for example for function app it opens this link - https://learn.microsoft.com/en-us/azure/azure-functions/monitor-functions-reference?tabs=consumption-plan#resource-logs
+
+
+  dynamic "enabled_log" {
+    for_each = data.azurerm_monitor_diagnostic_categories.function_app_category.log_category_types
+
+    content {
+      category = enabled_log.value
+    }
+  }
+
+
+  metric {
+    category = "AllMetrics"
+    enabled  = false
+
+    retention_policy {
+      days    = 0
+      enabled = false
+    }
+  }
+
+  # dynamic log {
+  #   for_each = sort(data.azurerm_monitor_diagnostic_categories.default.logs)
+  #   content {
+  #     category = log.value
+  #     enabled  = true
+
+  #     retention_policy {
+  #       enabled = true
+  #       days    = 30
+  #     }
+  #   }
+  # }
+
+  # # this needs to be here with enabled = false to prevent TF from showing changes happening with each plan/apply
+  # dynamic metric {
+  #   for_each = sort(data.azurerm_monitor_diagnostic_categories.default.metrics)
+  #   content {
+  #     category = metric.value
+  #     enabled  = false
+
+  #     retention_policy {
+  #       enabled = false
+  #       days    = 0
+  #     }
+  #   }
+  # }
+
+  # metric {
+  #   category = "AllMetrics"
+  # }
+
+  # logs {
+  #   category = "Function Application Logs"
+  #   enabled  = true
+  #   retention_policy {
+  #     enabled = false
+  #   }
+  # }
+
+  # metrics {
+  #   category = "AllMetrics"
+  #   enabled  = true
+  #   retention_policy {
+  #     enabled = false
+  #   }
+  # }
+}
+
+# data "azurerm_storage_account" "main" {
+#   name                = "allbloblogseastus"
+#   resource_group_name = azurerm_resource_group.rg.name
+# }
+
+# resource "azurerm_monitor_diagnostic_setting" "main" {
+#    name               = "sumo_export_logs"
+#   eventhub_name = var.eventhub_name
+#    target_resource_id = "${data.azurerm_storage_account.main.id}/blobServices/default"
+#    eventhub_authorization_rule_id  = data.azurerm_eventhub_namespace_authorization_rule.default_rule.id
+#    enabled_log {
+#     category = "StorageRead"
+#    }
+
+#    enabled_log {
+#     category = "StorageWrite"
+#    }
+
+#    enabled_log {
+#     category = "StorageDelete"
+#    }
+#  }
+
@@ -0,0 +1,11 @@
+locals {
+  sumologic_service_endpoint = var.sumologic_environment == "us1" ? "https://service.sumologic.com" : (contains(["stag", "long"], var.sumologic_environment) ? "https://${var.sumologic_environment}.sumologic.net" : "https://service.${var.sumologic_environment}.sumologic.com")
+  sumologic_api_endpoint     = var.sumologic_environment == "us1" ? "https://api.sumologic.com/api" : (contains(["stag", "long"], var.sumologic_environment) ? "https://${var.sumologic_environment}-api.sumologic.net/api" : "https://api.${var.sumologic_environment}.sumologic.com/api")
+
+  # is_adminMode = var.apps_folder_installation_location == "Admin Recommended Folder" ? true : false
+
+  apps_to_install = compact([for s in split(",", var.apps_names_to_install) : trimspace(s)])
+
+  solution_version = "v1.0.0"
+
+}
@@ -0,0 +1,3 @@
+output "resource_group_name" {
+    value = azurerm_resource_group.rg.name
+}
@@ -0,0 +1,35 @@
+# provider "sumologic" {
+#   environment = var.sumologic_environment
+#   access_id   = var.sumologic_access_id
+#   access_key  = var.sumologic_access_key
+#   admin_mode  = true
+#   alias       = "admin"
+# }
+
+provider "sumologic" {
+  environment = var.sumologic_environment
+  access_id   = var.sumologic_access_id
+  access_key  = var.sumologic_access_key
+  # base_url   = local.sumologic_service_endpoint
+}
+
+provider "azurerm" {
+  # The AzureRM Provider supports authenticating using via the Azure CLI, a Managed Identity
+  # and a Service Principal. More information on the authentication methods supported by
+  # the AzureRM Provider can be found here:
+  # https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs#authenticating-to-azure
+  # recommended authenticating using the Azure CLI when running Terraform locally.
+
+  # The features block allows changing the behaviour of the Azure Provider, more
+  # information can be found here:
+  # https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/features-block
+  subscription_id = var.azure_subscription_id
+  features {
+
+    resource_group {
+      prevent_deletion_if_contains_resources = true
+    }
+
+
+  }
+}
@@ -0,0 +1,19 @@
+# have to use version as hardcoded because during apply command latest always tries to update app resource and fails if the app with latest version is already installed
+resource "sumologic_app" "azure_function_app" {
+    uuid = "a0fb1bf0-2ab4-4f69-bf7e-5d97a176c7ea"
+    version = "1.0.3"
+    # Todo namespace to app mapping
+    # separate app module
+    count = contains(local.apps_to_install, "Azure Functions") ? 1 : 0
+}
+
+resource "sumologic_app" "azure_web_app" {
+    uuid = "a4741497-31c6-4fb2-a236-0223e98b59e8"
+    version = "1.0.1"
+    count = contains(local.apps_to_install, "Azure Web Apps") ? 1 : 0
+}
+resource "sumologic_app" "azure_cosmos_db_app" {
+    uuid = "d9ac4e28-13d6-4e69-8dcc-63fd6cb3bc80"
+    version = "1.0.1"
+    count = contains(local.apps_to_install, "Azure CosmosDB") ? 1 : 0
+}