
Module not compatible with Azure Landing Zones, as it expects certain resources from a different subscription #588

Open
mestredelpino opened this issue Sep 9, 2024 · 5 comments

Comments

@mestredelpino

Is there an existing issue for this?

  • I have searched the existing issues

Description

The Azure Landing Zones architecture expects a centralized deployment of Azure Log Analytics Workspace in the "management" subscription, while the rest of AKS resources should be on the "online" subscription. This AKS module does provide the possibility to use an existing LA workspace, but it expects it to be in the same subscription as all the other AKS resources.

The module should provide an input to properly import the LA workspace from a different subscription.

New or Affected Resource(s)/Data Source(s)

data.azurerm_log_analytics_workspace.main

Potential Terraform Configuration

# Provider alias pointing at the ALZ management subscription,
# where the centralized Log Analytics workspace lives.
provider "azurerm" {
  features {}
  alias           = "management"
  subscription_id = var.subscription_id_management
}

variable "subscription_id_management" {
  type        = string
  description = "The ID of the ALZ management subscription"
}

# Look the existing workspace up through the management provider
# instead of the module's default (online-subscription) provider.
data "azurerm_log_analytics_workspace" "main" {
  provider = azurerm.management
  count    = local.query_datasource_for_log_analytics_workspace_location ? 1 : 0

  name                = var.log_analytics_workspace.name
  resource_group_name = local.log_analytics_workspace.resource_group_name
}

References

https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/

@zioproto
Collaborator

@mestredelpino there is a way to make this work without code changes. You have to set values for all fields of the variable log_analytics_workspace:

variable "log_analytics_workspace" {
  type = object({
    id                  = string
    name                = string
    location            = optional(string)
    resource_group_name = optional(string)
  })
  default     = null
  description = "(Optional) Existing azurerm_log_analytics_workspace to attach azurerm_log_analytics_solution. Providing the config disables creation of azurerm_log_analytics_workspace."
}

It is important to set the location field.

Also var.log_analytics_workspace_enabled must be set to true.

variable "log_analytics_workspace_enabled" {
  type        = bool
  default     = true
  description = "Enable the integration of azurerm_log_analytics_workspace and azurerm_log_analytics_solution: https://docs.microsoft.com/en-us/azure/azure-monitor/containers/container-insights-onboard"
  nullable    = false
}

This way you can use a Log Analytics Workspace that is created in a different subscription.

The location in var.log_analytics_workspace is important because at:

query_datasource_for_log_analytics_workspace_location = var.log_analytics_workspace_enabled && (var.log_analytics_workspace != null ? var.log_analytics_workspace.location == null : false)

If the location is null then you will use the datasource that does not support referencing a resource in a different subscription:

data "azurerm_log_analytics_workspace" "main" {
  count               = local.query_datasource_for_log_analytics_workspace_location ? 1 : 0
  name                = var.log_analytics_workspace.name
  resource_group_name = local.log_analytics_workspace.resource_group_name
}
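The root-module wiring for the workaround described above, as an added example that is not code from the module or from anyone in this thread. It looks the workspace up in the ALZ management subscription with an aliased provider, validates that the resolved ID really belongs to that subscription, and passes all four fields of log_analytics_workspace (including location) so the module's own data source is never evaluated. The module source "Azure/aks/azurerm" and the inputs resource_group_name and prefix are assumptions about the module this issue is filed against; the variable names ending in _online and _management and the law_* variables are chosen here.

```hcl
# Added example: root module for the cross-subscription workaround.
# Assumptions (not shown on the page): module source "Azure/aks/azurerm",
# module inputs resource_group_name and prefix, and all variable names below.

terraform {
  required_version = ">= 1.5" # check blocks need 1.5+
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
    }
  }
}

# Default provider: the ALZ "online" subscription where AKS is deployed.
# The module uses this one for everything it creates.
provider "azurerm" {
  features {}
  subscription_id = var.subscription_id_online
}

# Aliased provider: the ALZ "management" subscription that owns the workspace.
provider "azurerm" {
  alias           = "management"
  features {}
  subscription_id = var.subscription_id_management
}

variable "subscription_id_online" {
  type        = string
  description = "ALZ online subscription (AKS resources)"
}

variable "subscription_id_management" {
  type        = string
  description = "ALZ management subscription (Log Analytics workspace)"
}

variable "resource_group_name_online" {
  type        = string
  description = "Resource group for AKS in the online subscription (assumed module input)"
}

variable "law_name" {
  type        = string
  description = "Name of the existing Log Analytics workspace"
}

variable "law_resource_group_name" {
  type        = string
  description = "Resource group of the workspace in the management subscription"
}

# Resolve the workspace in the management subscription. Doing the lookup here,
# under the aliased provider, is what the module's internal data source cannot do.
data "azurerm_log_analytics_workspace" "management" {
  provider            = azurerm.management
  name                = var.law_name
  resource_group_name = var.law_resource_group_name
}

# Guard: fail at plan time if the resolved workspace is not in the management
# subscription (wrong alias or subscription ID wired up). Resource IDs are
# compared case-insensitively because Azure does not guarantee casing.
check "law_in_management_subscription" {
  assert {
    condition = startswith(
      lower(data.azurerm_log_analytics_workspace.management.id),
      lower("/subscriptions/${var.subscription_id_management}/"),
    )
    error_message = "Workspace ${var.law_name} does not live in the management subscription."
  }
}

module "aks" {
  source = "Azure/aks/azurerm" # assumption: the module this issue concerns

  resource_group_name = var.resource_group_name_online # assumed module input
  prefix              = "aks"                          # assumed module input

  log_analytics_workspace_enabled = true
  log_analytics_workspace = {
    # All four fields set from the data source. A non-null location makes
    # local.query_datasource_for_log_analytics_workspace_location false, so
    # the module's data.azurerm_log_analytics_workspace.main gets count = 0.
    id                  = data.azurerm_log_analytics_workspace.management.id
    name                = data.azurerm_log_analytics_workspace.management.name
    location            = data.azurerm_log_analytics_workspace.management.location
    resource_group_name = data.azurerm_log_analytics_workspace.management.resource_group_name
  }
}
```

Taking id, name, location and resource_group_name from the data source rather than typing them by hand avoids a malformed or mistyped resource ID reaching the module. Note what this does not change: module "aks" receives no providers map, so any resource the module itself creates still uses the default (online) provider; the 404 posted later in this thread shows exactly that for azurerm_log_analytics_solution, which is attempted in the online subscription with the management resource group name.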

@zioproto
Collaborator

zioproto commented Oct 3, 2024

@mestredelpino please confirm if your issue is solved. Thanks

@zioproto
Collaborator

zioproto commented Nov 4, 2024

@mestredelpino friendly ping

@mestredelpino
Author

mestredelpino commented Nov 14, 2024

Hi @zioproto, I am currently getting this error

│ Error: creating Solution (Subscription: "<ONLINE_SUBSCRIPTION_ID>"
│ Resource Group Name: "es-mgmt"
│ Solution Name: "ContainerInsights(es-la)"): performing CreateOrUpdate: unexpected status 404 (404 Not Found) with error: ResourceGroupNotFound: Resource group 'es-mgmt' could not be found.

│ with module.aks.azurerm_log_analytics_solution.main[0],
│ on .terraform/modules/aks/log_analytics.tf line 59, in resource "azurerm_log_analytics_solution" "main":
│ 59: resource "azurerm_log_analytics_solution" "main" {

│ creating Solution (Subscription: "<ONLINE_SUBSCRIPTION_ID>"
│ Resource Group Name: "es-mgmt"
│ Solution Name: "ContainerInsights(es-la)"): performing CreateOrUpdate: unexpected status 404 (404 Not Found) with error: ResourceGroupNotFound: Resource group 'es-mgmt' could not be found.

This is how I configured the variables suggested:

log_analytics_workspace_enabled = true
log_analytics_workspace = {
  location            = "westeurope"
  id                  = "/subscriptions/<MANAGEMENT_SUBSCRIPTION_ID>/resourceGroups/es-mgmt/providers/Microsoft.OperationalInsights/workspaces/es-la/"
  name                = "es-la"
  resource_group_name = "es-mgmt"
}

@zioproto
Collaborator

Cc: @ibersanoMS

@mestredelpino AVM is releasing an AKS resource module here: https://github.com/Azure/terraform-azurerm-avm-res-containerservice-managedcluster

It makes sense to assess first if the new module has the same issue.
