Dynamiclly setup diagnostic settings to support standard app-service SKU

CHANGELOG.md

@@ -19,7 +19,7 @@ BUG FIXES:
 
 * Azure monitor resourced provided by Terraform and don't allow ingestion over internet ([#2375](https://github.com/microsoft/AzureTRE/pull/2375)).
 * Enable route table on the Airlock Processor subnet ([#2414](https://github.com/microsoft/AzureTRE/pull/2414))
-
+* Support for _Standard_ app service plan SKUs ([#2415](https://github.com/microsoft/AzureTRE/pull/2415))
 
 ## 0.4.1 (August 03, 2022)
 

templates/core/terraform/api-webapp.tf

@@ -144,14 +144,13 @@ resource "azurerm_monitor_diagnostic_setting" "webapp_api" {
   log_analytics_workspace_id = module.azure_monitor.log_analytics_workspace_id
 
   dynamic "log" {
-    for_each = toset(["AppServiceHTTPLogs", "AppServiceConsoleLogs", "AppServiceAppLogs", "AppServiceFileAuditLogs",
-    "AppServiceAuditLogs", "AppServiceIPSecAuditLogs", "AppServicePlatformLogs", "AppServiceAntivirusScanAuditLogs"])
+    for_each = data.azurerm_monitor_diagnostic_categories.api.logs
     content {
       category = log.value
-      enabled  = true
+      enabled  = contains(local.api_diagnostic_categories_enabled, log.value) ? true : false
 
       retention_policy {
-        enabled = true
+        enabled = contains(local.api_diagnostic_categories_enabled, log.value) ? true : false
         days    = 365
       }
     }

templates/core/terraform/data.tf

@@ -0,0 +1,27 @@
+data "azurerm_subscription" "current" {}
+
+data "azurerm_client_config" "current" {}
+
+# Random unique id
+resource "random_string" "unique_id" {
+  length      = 4
+  min_numeric = 4
+}
+
+data "azurerm_container_registry" "mgmt_acr" {
+  name                = var.acr_name
+  resource_group_name = var.mgmt_resource_group_name
+}
+
+data "http" "myip" {
+  count = var.public_deployment_ip_address == "" ? 1 : 0
+  url   = "https://ipecho.net/plain"
+}
+
+data "azurerm_monitor_diagnostic_categories" "api" {
+  resource_id = azurerm_linux_web_app.api.id
+  depends_on = [
+    azurerm_linux_web_app.api,
+    azurerm_service_plan.core,
+  ]
+}

templates/core/terraform/locals.tf

@@ -1,30 +1,11 @@
-data "azurerm_subscription" "current" {}
-
-data "azurerm_client_config" "current" {}
-
-# Random unique id
-resource "random_string" "unique_id" {
-  length      = 4
-  min_numeric = 4
-}
-
-data "azurerm_container_registry" "mgmt_acr" {
-  name                = var.acr_name
-  resource_group_name = var.mgmt_resource_group_name
-}
-
-data "http" "myip" {
-  count = var.public_deployment_ip_address == "" ? 1 : 0
-  url   = "https://ipecho.net/plain"
-}
-
 locals {
   myip = var.public_deployment_ip_address != "" ? var.public_deployment_ip_address : chomp(data.http.myip[0].body)
-}
-
-locals {
   tre_core_tags = {
     tre_id              = var.tre_id
     tre_core_service_id = var.tre_id
   }
+  api_diagnostic_categories_enabled = [
+    "AppServiceHTTPLogs", "AppServiceConsoleLogs", "AppServiceAppLogs", "AppServiceFileAuditLogs",
+    "AppServiceAuditLogs", "AppServiceIPSecAuditLogs", "AppServicePlatformLogs", "AppServiceAntivirusScanAuditLogs"
+  ]
 }

templates/core/terraform/migrate.sh

@@ -71,4 +71,34 @@ if [ -n "${app_insights_via_arm}" ]; then
     terraform apply -input=false -auto-approve ${PLAN_FILE}"
 fi
 
+# support downgrading core app service plan
+core_plan=$(echo "${terraform_show_json}" \
+  | jq -r 'select(.values.root_module.resources != null) | .values.root_module.resources[] | select(.address=="azurerm_service_plan.core") | .values.id')
+api_diag=$(echo "${terraform_show_json}" \
+  | jq -r 'select(.values.root_module.resources != null) | .values.root_module.resources[] | select(.address=="azurerm_monitor_diagnostic_setting.webapp_api") | .values.id')
+if [ -n "${core_plan}" ] && [ -n "${api_diag}" ]; then
+  set +o errexit
+  terraform plan -target "azurerm_service_plan.core" -detailed-exitcode
+  plan_exit_code=$?
+  set -o errexit
+
+  if [ "${plan_exit_code}" == "2" ]; then
+    echo "Migrating ${api_diag}"
+    PLAN_FILE="tfplan$$"
+    TS=$(date +"%s")
+    LOG_FILE="${TS}-tre-core-migrate.log"
+
+    # This variables are loaded in for us
+    # shellcheck disable=SC2154
+    ../../../devops/scripts/terraform_wrapper.sh \
+      -g "${TF_VAR_mgmt_resource_group_name}" \
+      -s "${TF_VAR_mgmt_storage_account_name}" \
+      -n "${TF_VAR_terraform_state_container_name}" \
+      -k "${TRE_ID}" \
+      -l "${LOG_FILE}" \
+      -c "terraform plan -destroy -target azurerm_monitor_diagnostic_setting.webapp_api -out ${PLAN_FILE} && \
+      terraform apply -input=false -auto-approve ${PLAN_FILE}"
+  fi
+fi
+
 echo "Migration is done."

templates/core/version.txt

@@ -1 +1 @@
-__version__ = "0.4.10"
+__version__ = "0.4.11"

templates/workspace_services/guacamole/porter.yaml

@@ -1,6 +1,6 @@
 ---
 name: tre-service-guacamole
-version: 0.4.1
+version: 0.4.2
 description: "An Azure TRE service for Guacamole"
 registry: azuretre
 

templates/workspace_services/guacamole/template_schema.json

@@ -38,7 +38,8 @@
       "$id": "#/properties/is_exposed_externally",
       "type": "boolean",
       "title": "Expose externally",
-      "description": "Is the Guacamole service exposed outside of the vnet"
+      "description": "Is the Guacamole service exposed outside of the vnet",
+      "default": true
     }
   },
   "pipeline": {

templates/workspace_services/guacamole/terraform/data.tf

@@ -64,3 +64,10 @@ data "azurerm_application_insights" "ws" {
   name                = "appi-${var.tre_id}-ws-${local.short_workspace_id}"
   resource_group_name = data.azurerm_resource_group.ws.name
 }
+
+data "azurerm_monitor_diagnostic_categories" "guacamole" {
+  resource_id = azurerm_linux_web_app.guacamole.id
+  depends_on = [
+    azurerm_linux_web_app.guacamole,
+  ]
+}

templates/workspace_services/guacamole/terraform/locals.tf

@@ -17,4 +17,8 @@ locals {
     tre_workspace_id         = var.workspace_id
     tre_workspace_service_id = var.tre_resource_id
   }
+  guacamole_diagnostic_categories_enabled = [
+    "AppServiceHTTPLogs", "AppServiceConsoleLogs", "AppServiceAppLogs", "AppServiceFileAuditLogs",
+    "AppServiceAuditLogs", "AppServiceIPSecAuditLogs", "AppServicePlatformLogs", "AppServiceAntivirusScanAuditLogs"
+  ]
 }

templates/workspace_services/guacamole/terraform/web_app.tf

@@ -99,14 +99,13 @@ resource "azurerm_monitor_diagnostic_setting" "guacamole" {
   log_analytics_workspace_id = data.azurerm_log_analytics_workspace.tre.id
 
   dynamic "log" {
-    for_each = toset(["AppServiceHTTPLogs", "AppServiceConsoleLogs", "AppServiceAppLogs", "AppServiceFileAuditLogs",
-    "AppServiceAuditLogs", "AppServiceIPSecAuditLogs", "AppServicePlatformLogs", "AppServiceAntivirusScanAuditLogs"])
+    for_each = data.azurerm_monitor_diagnostic_categories.guacamole.logs
     content {
       category = log.value
-      enabled  = true
+      enabled  = contains(local.guacamole_diagnostic_categories_enabled, log.value) ? true : false
 
       retention_policy {
-        enabled = true
+        enabled = contains(local.guacamole_diagnostic_categories_enabled, log.value) ? true : false
         days    = 365
       }
     }

templates/workspaces/base/porter.yaml

@@ -1,6 +1,6 @@
 ---
 name: tre-workspace-base
-version: 0.3.21
+version: 0.3.22
 description: "A base Azure TRE workspace"
 dockerfile: Dockerfile.tmpl
 registry: azuretre

templates/workspaces/base/template_schema.json

@@ -52,7 +52,8 @@
       "type": "string",
       "enum": [
         "P1v3",
-        "P1v2"
+        "P1v2",
+        "S1"
       ],
       "default": "P1v3",
       "title": "App Service Plan SKU",