Home > database >  Azure Terraform Build Generic Components using Infrastructure as Code
Azure Terraform Build Generic Components using Infrastructure as Code

Time:02-23

I am new to Terraform and Azure. I am trying to build a Resource Group / Resources using Terraform. Below is the design for the same.

enter image description here

I have written Terraform code to build Log Analytics workspace and Automation account. Now below are my questions :

  1. Cost Mgmt / Azure Monitor / Network Watcher / Defender for Cloud ? Can I build all these using Terraform code in this resource group or they need to manually built from Azure portal. When we create any resource on the left hand side options like Cost estimator / management are already available. Does that mean they can be easily selected from there on usage and no need to build from Terraform code ?
  2. How does we apply Role Entitlement / Policy Assignment from Terraform code ?

Here is my code what I have written to build Automation account / Log Analytics

terraform {

  required_version = ">=0.12"
  
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
      version = "~>2.0"
    }
  }
}

provider "azurerm" {
  features {}
}

  resource "azurerm_resource_group" "management" {
 
  # Mandatory resource attributes
  name     = "k8s-log-analytics-test"
  location = "eastus"
  
}

resource "random_id" "workspace" {
  keepers = {
    # Generate a new id each time we switch to a new resource group
    group_name = azurerm_resource_group.management.name
  }

  byte_length = 8
}

resource "azurerm_log_analytics_workspace" "management" {
  

  # Mandatory resource attributes
  name                = "k8s-workspace-${random_id.workspace.hex}"
  location            = azurerm_resource_group.management.location
  resource_group_name = azurerm_resource_group.management.name

  # Optional resource attributes 
  retention_in_days          = 30
  sku                        = "PerGB2018"


}

resource "azurerm_log_analytics_solution" "management" {

  # Mandatory resource attributes
  solution_name         = "mgmyloganalytsolution"
  location              = azurerm_resource_group.management.location
  resource_group_name   = azurerm_resource_group.management.name
  workspace_resource_id = azurerm_log_analytics_workspace.management.id
  workspace_name        = azurerm_log_analytics_workspace.management.name
  plan {
    publisher = "Microsoft"
    product   = "OMSGallery/ContainerInsights"
  }


}

resource "azurerm_automation_account" "management" {
  
  # Mandatory resource attributes
  name                = "mgmtautomationaccount"
  location            = azurerm_resource_group.management.location
  resource_group_name = azurerm_resource_group.management.name 
  sku_name = "Basic"
 

}

resource "azurerm_log_analytics_linked_service" "management" {

  # Mandatory resource attributes
  resource_group_name = azurerm_resource_group.management.name
  workspace_id        = azurerm_log_analytics_workspace.management.id
  read_access_id  = azurerm_automation_account.management.id
 

}
 

CodePudding user response:

Cost Mgmt / Azure Monitor / Network Watcher / Defender for Cloud ? Can I build all these using Terraform code in this resource group or they need to manually built from Azure portal. When we create any resource on the left hand side options like Cost estimator / management are already available. Does that mean they can be easily selected from there on usage and no need to build from Terraform code ?

Yes , you can create Network Watcher , Azure Monitor resources & Cost Management using terraform resource blocks as azurerm_network_watcher , azurerm_network_watcher_flow_log ,azurerm_monitor_metric_alert ... , azurerm_resource_group_cost_management_export, azurerm_consumption_budget_resource_group etc. Defender for Cloud can't be built from terraform . Yes you are correct , cost management ,monitoring etc are also available on portal but there is a need for its resources to be created like budget alert etc. for simplification it has been added as a blade in portal.


How does we apply Role Entitlement / Policy Assignment from Terraform code ?

You can use azurerm_role_assignment to assign built-in roles and use azurerm_role_definition to create a custom role and then assign it . For Policy assignment you can use this azurerm_resource_policy_assignment and remediate using azurerm_policy_insights_remediation.


For all the azure resource block you can refer the Official Registry Documentation of Terraform AzureRM Provider & Terraform AzureAD Provider.

  • Related