From 7bd911a6f5954676367afdac4c84fc6859849d49 Mon Sep 17 00:00:00 2001
From: Kyle Meelker
Date: Wed, 18 Mar 2020 12:00:32 -0400
Subject: [PATCH 1/8] added log level env variable to app service
---
 cppd_medical_report/app-service-docker.tf | 1 +
 1 file changed, 1 insertion(+)
diff --git a/cppd_medical_report/app-service-docker.tf b/cppd_medical_report/app-service-docker.tf
index c7f68b3..7ef2fab 100644
--- a/cppd_medical_report/app-service-docker.tf
+++ b/cppd_medical_report/app-service-docker.tf
@@ -39,6 +39,7 @@ resource "azurerm_app_service" "app_service" {
 "DOCKER_REGISTRY_SERVER_PASSWORD" = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault.key_vault.vault_uri}secrets/${azurerm_key_vault_secret.docker_password.name}/${azurerm_key_vault_secret.docker_password.version})"
 "SESSION_ADAPTER" = "@sailshq/connect-redis"
 "AUTO_MIGRATE_MODE" = "alter"
+ "LOG_LEVEL" = "verbose"
 ## Look up from secret
 "DATABASE_URL" = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault.key_vault.vault_uri}secrets/${azurerm_key_vault_secret.pg_connection_string.name}/${azurerm_key_vault_secret.pg_connection_string.version})"
 "SESSION_ADAPTER_URL" = "@Microsoft.KeyVault(SecretUri=${azurerm_key_vault.key_vault.vault_uri}secrets/${azurerm_key_vault_secret.redis_connection_string.name}/${azurerm_key_vault_secret.redis_connection_string.version})"
From c632476414cd5f19024e04fb97925852f89e4989 Mon Sep 17 00:00:00 2001
From: Kyle Meelker
Date: Thu, 19 Mar 2020 13:55:25 -0400
Subject: [PATCH 2/8] adding diagnostic settings for cache and database
---
 cppd_medical_report/azure_cache_for_redis.tf | 15 +++++++
 .../azure_database_for_postgresql.tf | 42 +++++++++++++++++++
 cppd_medical_report/azure_log_analytics.tf | 8 ++++
 3 files changed, 65 insertions(+)
 create mode 100644 cppd_medical_report/azure_log_analytics.tf
diff --git a/cppd_medical_report/azure_cache_for_redis.tf b/cppd_medical_report/azure_cache_for_redis.tf
index dab37f1..7b25681 100644
--- a/cppd_medical_report/azure_cache_for_redis.tf
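Review bot: `"LOG_LEVEL" = "verbose"` is hard-coded into the App Service settings of a module whose name suggests it serves medical reports, so every environment built from it runs the application at its chattiest level; with a Sails application (the `@sailshq/connect-redis` adapter is visible two lines up) `verbose` typically includes request and session detail that should not reach a log store. Make it an input with a conservative default, `"LOG_LEVEL" = var.log_level` backed by `variable "log_level" { default = "info" }`, and override it only for non-production workspaces. Whether the application redacts sensitive fields at that level is not visible here; if it does not, that output is exactly what the App Service log retention added later in this series will keep. The enclosing `azurerm_app_service` resource starts outside the hunk.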
+++ b/cppd_medical_report/azure_cache_for_redis.tf
@@ -13,4 +13,19 @@ resource "azurerm_redis_cache" "session_store" {
 redis_configuration {}
 
 tags = merge(local.common_tags)
+}
+
+resource "azurerm_monitor_diagnostic_setting" "cache_diagnostic_settings" {
+ name = "${local.nameprefix}cachediagnostics"
+ target_resource_id = azurerm_redis_cache.session_store.id
+ log_analytics_workspace_id = azurerm_log_analytics_workspace.log_analytics.id
+ log_analytics_destination_type = "Dedicated"
+
+ metric {
+ category = "AllMetrics"
+ retention_policy {
+ enabled = true
+ days = 7
+ }
+ }
 }
\ No newline at end of file
diff --git a/cppd_medical_report/azure_database_for_postgresql.tf b/cppd_medical_report/azure_database_for_postgresql.tf
index 2ee81ff..5c42652 100644
--- a/cppd_medical_report/azure_database_for_postgresql.tf
+++ b/cppd_medical_report/azure_database_for_postgresql.tf
@@ -28,3 +28,45 @@ resource "azurerm_postgresql_database" "postgres" {
 charset = "UTF8"
 collation = "English_United States.1252"
 }
+
+resource "azurerm_monitor_diagnostic_setting" "cache_diagnostic_settings" {
+ name = "${local.nameprefix}postgresdiagnostics"
+ target_resource_id = azurerm_postgresql_database.postgres.id
+ log_analytics_workspace_id = azurerm_log_analytics_workspace.log_analytics.id
+ log_analytics_destination_type = "Dedicated"
+
+ metric {
+ category = "AllMetrics"
+ retention_policy {
+ enabled = true
+ days = 7
+ }
+ }
+
+ log {
+ category = "PostgreSQLLogs"
+ enabled = true
+ retention_policy {
+ enabled = true
+ days = 7
+ }
+ }
+
+ log {
+ category = "QueryStoreRuntimeStatistics"
+ enabled = true
+ retention_policy {
+ enabled = true
+ days = 7
+ }
+ }
+
+ log {
+ category = "QueryStoreWaitStatistics"
+ enabled = true
+ retention_policy {
+ enabled = true
+ days = 7
+ }
+ }
+}
\ No newline at end of file
diff --git a/cppd_medical_report/azure_log_analytics.tf b/cppd_medical_report/azure_log_analytics.tf
new file mode 100644
index 0000000..1cff4ab
--- /dev/null
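Review bot: The `retention_policy { enabled = true days = 7 }` block in `cache_diagnostic_settings` has no effect on a Log Analytics destination — Azure honours that policy only when a diagnostic setting writes to a storage account — so as written it reads as a seven-day retention guarantee that nothing enforces; the effective retention is `retention_in_days` on the `azurerm_log_analytics_workspace`, which this series never sets. Either drop the block so the code does not make a false promise, or add a `storage_account_id` destination if a separate archive with its own retention is actually wanted. `log_analytics_destination_type = "Dedicated"` requests resource-specific tables; confirm the cache resource supports that mode, otherwise the records land in `AzureDiagnostics` regardless of this attribute.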
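Review bot: `PostgreSQLLogs` is the server log — where authentication failures, connection errors and statement errors are written — and for a database holding medical reports that is the record an incident responder needs, yet its effective retention here is whatever the workspace keeps, not the `days = 7` in the `retention_policy` blocks (those apply only to a storage-account destination). Set the retention deliberately on the workspace with `retention_in_days` and, if a short window is intentional for cost reasons, say so in a comment above the first `log` block; for an audit trail 90 days is the usual floor. The four identical retention stanzas would also stay in step more easily as a single local referenced from each block.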
+++ b/cppd_medical_report/azure_log_analytics.tf
@@ -0,0 +1,8 @@
+resource "azurerm_log_analytics_workspace" "log_analytics" {
+ name = "${local.nameprefix}loganalytics"
+ location = azurerm_resource_group.resource_group.location
+ resource_group_name = azurerm_resource_group.resource_group.name
+ sku = "PerGB2018"
+
+ tags = merge(local.common_tags)
+}
\ No newline at end of file
From 55e3a2590a7bd50fd44f233656395825d043fca7 Mon Sep 17 00:00:00 2001
From: Kyle Meelker
Date: Thu, 19 Mar 2020 13:58:19 -0400
Subject: [PATCH 3/8] fixing a duplicate name
---
 cppd_medical_report/azure_database_for_postgresql.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cppd_medical_report/azure_database_for_postgresql.tf b/cppd_medical_report/azure_database_for_postgresql.tf
index 5c42652..6e77049 100644
--- a/cppd_medical_report/azure_database_for_postgresql.tf
+++ b/cppd_medical_report/azure_database_for_postgresql.tf
@@ -29,7 +29,7 @@ resource "azurerm_postgresql_database" "postgres" {
 collation = "English_United States.1252"
 }
 
-resource "azurerm_monitor_diagnostic_setting" "cache_diagnostic_settings" {
+resource "azurerm_monitor_diagnostic_setting" "database_diagnostic_settings" {
 name = "${local.nameprefix}postgresdiagnostics"
 target_resource_id = azurerm_postgresql_database.postgres.id
 log_analytics_workspace_id = azurerm_log_analytics_workspace.log_analytics.id
From 3cc8413f73684c7ec9f6ab841ca663b4762f8c07 Mon Sep 17 00:00:00 2001
From: Kyle Meelker
Date: Thu, 19 Mar 2020 14:16:47 -0400
Subject: [PATCH 4/8] added some database log configurations
---
 .../azure_database_for_postgresql.tf | 21 +++++++++++++++++++
 1 file changed, 21 insertions(+)
diff --git a/cppd_medical_report/azure_database_for_postgresql.tf b/cppd_medical_report/azure_database_for_postgresql.tf
index 6e77049..38dfcdb 100644
--- a/cppd_medical_report/azure_database_for_postgresql.tf
+++ b/cppd_medical_report/azure_database_for_postgresql.tf
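Review bot: `azurerm_log_analytics_workspace.log_analytics` sets no `retention_in_days`, so the workspace falls back to the platform default (30 days at the time of this provider), and because every diagnostic setting in this series routes to this workspace — where their own `retention_policy` blocks are ignored — this one missing attribute is what actually decides how long the PostgreSQL and cache records survive. Add `retention_in_days = 90` (or whatever your incident-response and regulatory requirements specify) next to `sku`, with a comment stating that this value is the effective retention for every diagnostic setting pointed at the workspace.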
@@ -69,4 +69,25 @@ resource "azurerm_monitor_diagnostic_setting" "database_diagnostic_settings" {
 days = 7
 }
 }
+}
+
+resource "azurerm_postgresql_configuration" "db_congif_log_level" {
+ name = "client_min_messages"
+ resource_group_name = azurerm_resource_group.resource_group.name
+ server_name = azurerm_postgresql_server.postgres.name
+ value = "LOG"
+}
+
+resource "azurerm_postgresql_configuration" "db_congif_retention" {
+ name = "log_retention_days"
+ resource_group_name = azurerm_resource_group.resource_group.name
+ server_name = azurerm_postgresql_server.postgres.name
+ value = "7"
+}
+
+resource "azurerm_postgresql_configuration" "db_congif_log_statement" {
+ name = "log_statement"
+ resource_group_name = azurerm_resource_group.resource_group.name
+ server_name = azurerm_postgresql_server.postgres.name
+ value = "ALL"
 }
\ No newline at end of file
From 4721bed49ceb2fedcb5395d939803801490d8565 Mon Sep 17 00:00:00 2001
From: Kyle Meelker
Date: Thu, 19 Mar 2020 14:25:51 -0400
Subject: [PATCH 5/8] exempting azure postgres config resource from compliance check
---
 policy/resource_types.rego | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/policy/resource_types.rego b/policy/resource_types.rego
index 4c1d9a9..7b854db 100644
--- a/policy/resource_types.rego
+++ b/policy/resource_types.rego
@@ -5,7 +5,8 @@ import data.terraform_helper as dth
 name_policy_exempt_types = {
 "azurerm_postgresql_database",
 "azurerm_storage_container",
- "azurerm_key_vault_secret"
+ "azurerm_key_vault_secret",
+ "azurerm_postgres_configuration"
 }
 
 
From 9c74872909f0c94ce703c8814bb3faa8d433e436 Mon Sep 17 00:00:00 2001
From: Kyle Meelker
Date: Thu, 19 Mar 2020 14:29:12 -0400
Subject: [PATCH 6/8] fixing a typo
---
 policy/resource_types.rego | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/resource_types.rego b/policy/resource_types.rego
index 7b854db..47318f8 100644
--- a/policy/resource_types.rego
+++ b/policy/resource_types.rego
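Review bot: `db_congif_log_level` sets `client_min_messages`, which controls the minimum severity of messages sent back to the connected client, not what is written to the server log, so it does not change what reaches `PostgreSQLLogs`; the server-side threshold is `log_min_messages`, and if you rename the parameter do not keep `"LOG"` as its value — in the server-log ordering `LOG` ranks above `ERROR`, so it would drop `WARNING` and `ERROR` messages that the default `WARNING` already captures. Separately, `log_statement = "ALL"` records the full text of every statement, including literal values in `INSERT`/`UPDATE`, and in a medical-report database that streams sensitive data into the workspace and to everyone holding reader rights on it; `"ddl"` gives schema-change auditing without payloads, and `"mod"` is the value to choose only if you knowingly accept write statements with their values. The labels also carry a typo (`db_congif_`); correcting it now is free, later it forces a destroy/recreate of each parameter.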
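Review bot: `name_policy_exempt_types` gains a fourth entry with no record of why any of these types is exempt from the naming policy, which makes the list easy to grow without scrutiny. The reason here is structural — `azurerm_postgresql_configuration.name` must equal the PostgreSQL parameter name, so the convention cannot apply — and is worth stating inline, e.g. `# azurerm_postgresql_configuration: name is the server parameter name, not ours to choose`. A one-line comment per entry would let a reader distinguish structural exemptions like this one from convenience ones.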
@@ -6,7 +6,7 @@ name_policy_exempt_types = {
 "azurerm_postgresql_database",
 "azurerm_storage_container",
 "azurerm_key_vault_secret",
- "azurerm_postgres_configuration"
+ "azurerm_postgresql_configuration"
 }
 
 
From 0c9cceb3e1096ebac4c4c379d7741e8accd5b9e4 Mon Sep 17 00:00:00 2001
From: Kyle Meelker
Date: Fri, 20 Mar 2020 12:48:12 -0400
Subject: [PATCH 7/8] added app service logging. updated postgresql password and connection string
---
 cppd_medical_report/app-service-docker.tf | 9 +++++++++
 cppd_medical_report/azure_database_for_postgresql.tf | 9 ++++++++-
 cppd_medical_report/azure_key_vault_secrets.tf | 3 +--
 cppd_medical_report/azure_log_analytics.tf | 2 +-
 4 files changed, 19 insertions(+), 4 deletions(-)
diff --git a/cppd_medical_report/app-service-docker.tf b/cppd_medical_report/app-service-docker.tf
index 7ef2fab..8583a8a 100644
--- a/cppd_medical_report/app-service-docker.tf
+++ b/cppd_medical_report/app-service-docker.tf
@@ -31,6 +31,15 @@ resource "azurerm_app_service" "app_service" {
 identity {
 type = "SystemAssigned"
 }
+
+ logs {
+ http_logs {
+ file_system {
+ retention_in_days = 7
+ retention_in_mb = 100
+ }
+ }
+ }
 
 app_settings = {
 "DOCKER_ENABLE_CI" = "true"
diff --git a/cppd_medical_report/azure_database_for_postgresql.tf b/cppd_medical_report/azure_database_for_postgresql.tf
index 38dfcdb..a2dc092 100644
--- a/cppd_medical_report/azure_database_for_postgresql.tf
+++ b/cppd_medical_report/azure_database_for_postgresql.tf
@@ -31,7 +31,7 @@ resource "azurerm_postgresql_database" "postgres" {
 
 resource "azurerm_monitor_diagnostic_setting" "database_diagnostic_settings" {
 name = "${local.nameprefix}postgresdiagnostics"
- target_resource_id = azurerm_postgresql_database.postgres.id
+ target_resource_id = azurerm_postgresql_server.postgres.id
 log_analytics_workspace_id = azurerm_log_analytics_workspace.log_analytics.id
 log_analytics_destination_type = "Dedicated"
 
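Review bot: The new `logs` block enables only `http_logs`, i.e. the web server access log; the application output whose level this module sets through `LOG_LEVEL` is not retained by it, and `file_system` keeps what it does capture on the instance's local disk rather than in the Log Analytics workspace the database and cache in this series report to. Add `application_logs { file_system_level = "Information" }` beside `http_logs` (if your provider version exposes it) so container stdout/stderr is kept as well, and consider an `azurerm_monitor_diagnostic_setting` on the App Service targeting the same workspace where that integration is available, so access and application logs can be searched alongside the database records. The `azurerm_app_service` resource starts outside the hunk.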
@@ -90,4 +90,11 @@ resource "azurerm_postgresql_configuration" "db_congif_log_statement" {
 resource_group_name = azurerm_resource_group.resource_group.name
 server_name = azurerm_postgresql_server.postgres.name
 value = "ALL"
+}
+
+resource "azurerm_postgresql_configuration" "db_congif_log_duration" {
+ name = "log_duration"
+ resource_group_name = azurerm_resource_group.resource_group.name
+ server_name = azurerm_postgresql_server.postgres.name
+ value = "ON"
 }
\ No newline at end of file
diff --git a/cppd_medical_report/azure_key_vault_secrets.tf b/cppd_medical_report/azure_key_vault_secrets.tf
index 8a0ee64..147cd1a 100644
--- a/cppd_medical_report/azure_key_vault_secrets.tf
+++ b/cppd_medical_report/azure_key_vault_secrets.tf
@@ -42,7 +42,6 @@ resource "azurerm_key_vault_access_policy" "ap_identity" {
 resource "random_password" "postgres_admin" {
 length = 16
 special = true
- override_special = "_%@"
 }
 
 resource "azurerm_key_vault_secret" "pg_admin_pass" {
@@ -53,7 +52,7 @@ resource "azurerm_key_vault_secret" "pg_admin_pass" {
 }
 resource "azurerm_key_vault_secret" "pg_connection_string" {
 name = "postgresconnection"
- value = "postgres://${local.pgadmin_account}@${azurerm_postgresql_database.postgres.name}:${random_password.postgres_admin.result}@${azurerm_postgresql_server.postgres.fqdn}:5432/${azurerm_postgresql_database.postgres.name}"
+ value = "postgres://${local.pgadmin_account}@${azurerm_postgresql_database.postgres.name}:${urlencode(random_password.postgres_admin.result)}@${azurerm_postgresql_server.postgres.fqdn}:5432/${azurerm_postgresql_database.postgres.name}"
 key_vault_id = azurerm_key_vault.key_vault.id
 tags = merge(local.common_tags)
 }
diff --git a/cppd_medical_report/azure_log_analytics.tf b/cppd_medical_report/azure_log_analytics.tf
index 1cff4ab..4d247c0 100644
--- a/cppd_medical_report/azure_log_analytics.tf
+++ b/cppd_medical_report/azure_log_analytics.tf
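Review bot: Removing `override_special` widens the special-character set, but nothing in `random_password.postgres_admin` guarantees the mix Azure Database for PostgreSQL enforces (characters from three of the four classes — upper, lower, digit, special); with `length = 16` and only `special = true` a draw without digits or upper-case letters is possible and surfaces as an apply-time failure on the server resource. Pin the classes with `min_upper = 1`, `min_lower = 1`, `min_numeric = 1`, `min_special = 1`, and lengthen the password — 32 costs nothing and stays well within Azure's limit. Keep in mind the generated value is also held in plaintext in Terraform state alongside the Key Vault copy, so the state backend needs the same access control as the vault.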
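Review bot: The connection string now URL-encodes the password but still carries no `sslmode`, so whether the application negotiates TLS to the database is left to the driver's default; append `?sslmode=require` to the value so the requirement is stated client-side regardless of the server's `ssl_enforcement` setting, which is outside this diff. The string also logs the application in as `local.pgadmin_account`, the server administrator, and the `DATABASE_URL` setting earlier in this series hands exactly this secret to the App Service; a dedicated application role with rights only on the one database would keep a compromised web tier from owning the server, which can be provisioned with the `postgresql` provider or a one-off bootstrap if the team does not manage roles in Terraform.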
@@ -1,5 +1,5 @@
 resource "azurerm_log_analytics_workspace" "log_analytics" {
- name = "${local.nameprefix}loganalytics"
+ name = "${lower(local.nameprefix)}loganalytics"
 location = azurerm_resource_group.resource_group.location
 resource_group_name = azurerm_resource_group.resource_group.name
 sku = "PerGB2018"
From 7dc658aefd6eda44f82e077ac8fdaf4a6e984102 Mon Sep 17 00:00:00 2001
From: Kyle Meelker
Date: Fri, 20 Mar 2020 13:56:16 -0400
Subject: [PATCH 8/8] changed hostname in postgres connection string
---
 cppd_medical_report/azure_key_vault_secrets.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cppd_medical_report/azure_key_vault_secrets.tf b/cppd_medical_report/azure_key_vault_secrets.tf
index 147cd1a..0d0f19f 100644
--- a/cppd_medical_report/azure_key_vault_secrets.tf
+++ b/cppd_medical_report/azure_key_vault_secrets.tf
@@ -52,7 +52,7 @@ resource "azurerm_key_vault_secret" "pg_admin_pass" {
 }
 resource "azurerm_key_vault_secret" "pg_connection_string" {
 name = "postgresconnection"
- value = "postgres://${local.pgadmin_account}@${azurerm_postgresql_database.postgres.name}:${urlencode(random_password.postgres_admin.result)}@${azurerm_postgresql_server.postgres.fqdn}:5432/${azurerm_postgresql_database.postgres.name}"
+ value = "postgres://${local.pgadmin_account}@${azurerm_postgresql_server.postgres.fqdn}:${urlencode(random_password.postgres_admin.result)}@${azurerm_postgresql_server.postgres.fqdn}:5432/${azurerm_postgresql_database.postgres.name}"
 key_vault_id = azurerm_key_vault.key_vault.id
 tags = merge(local.common_tags)
 }
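Review bot: Azure's documented login for single-server PostgreSQL is `<admin>@<server name>` using the short server name, which in this module is `azurerm_postgresql_server.postgres.name`; the new value inserts the FQDN instead, so unless you have confirmed the gateway accepts `user@host.postgres.database.azure.com`, switch that first interpolation to `.name`. In either form the userinfo contains a raw `@` while only the password is encoded, and a URL parser that splits userinfo at the first `@` will then read the server name as the host and the real host as part of the password; encode the username as a unit, `${urlencode("${local.pgadmin_account}@${azurerm_postgresql_server.postgres.name}")}`, and confirm the driver decodes `%40` in userinfo, which the usual Node connection-string parsers do.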