Container insights not working when using existing Log Analytics Workspace #607

Open
1 task done
dboden-nitro opened this issue Nov 16, 2024 · 5 comments
Labels
bug Something isn't working waiting-response

Comments

@dboden-nitro

Is there an existing issue for this?

  • I have searched the existing issues

Greenfield/Brownfield provisioning

greenfield

Terraform Version

1.9.8

Module Version

9.2.0

AzureRM Provider Version

3.117.0

Affected Resource(s)/Data Source(s)

N/A

Terraform Configuration Files

module "aks" {
  source  = "Azure/aks/azurerm"
  version = "9.2.0"
...
  log_analytics_workspace = {
    id   = "/subscriptions/../../providers/Microsoft.OperationalInsights/workspaces/<workspacename>"
    name = "<workspacename>"
  }
  msi_auth_for_monitoring_enabled = true
}

tfvars variables values

N/A

Debug Output/Panic Output

N/A

Expected Behaviour

Container insight logs are available in the existing log analytics workspace provided as an input variable.
I believe this is due to a missing data collection rule.

Actual Behaviour

No logs are available in the existing log analytics workspace.

The following warning is shown when looking at the monitor settings:
You do not have access to the associated data collection rule to view the log analytics workspace name or the data collection rule has been deleted.

Steps to Reproduce

No response

Important Factoids

No response

References

No response

@zioproto
Collaborator

Please could you clarify if the log_analytics_workspace.id is pointing to a workspace in the same subscription?

Related issue: #588

@dboden-nitro
Author

@zioproto I confirm that log_analytics_workspace.id is pointing to a workspace in the same subscription.

@zioproto
Collaborator

You are right, the diagnostic settings are not created in this module. There is no azurerm_monitor_diagnostic_setting resource.

I think the expectation was that if you bring your own Log Analytics Workspace you also provide the necessary azurerm_monitor_diagnostic_setting.

You can add a resource like this:

resource "azurerm_monitor_diagnostic_setting" "aks" {
  name                           = "my-diagnostic-setting-name"
  target_resource_id             = module.aks.aks_id
  log_analytics_destination_type = "Dedicated"

  # This is "/subscriptions/../../providers/Microsoft.OperationalInsights/workspaces/<workspacename>"
  log_analytics_workspace_id = azurerm_log_analytics_workspace.this.id

  # Kubernetes API Server
  enabled_log {
    category = "kube-apiserver"
  }
  # Kubernetes Audit
  enabled_log {
    category = "kube-audit"
  }
  # Kubernetes Audit Admin Logs
  enabled_log {
    category = "kube-audit-admin"
  }
  # Kubernetes Controller Manager
  enabled_log {
    category = "kube-controller-manager"
  }
  # Kubernetes Scheduler
  enabled_log {
    category = "kube-scheduler"
  }
  # Kubernetes Cluster Autoscaler
  enabled_log {
    category = "cluster-autoscaler"
  }
  # Kubernetes Cloud Controller Manager
  enabled_log {
    category = "cloud-controller-manager"
  }
  # guard
  enabled_log {
    category = "guard"
  }
  # csi-azuredisk-controller
  enabled_log {
    category = "csi-azuredisk-controller"
  }
  # csi-azurefile-controller
  enabled_log {
    category = "csi-azurefile-controller"
  }
  # csi-snapshot-controller
  enabled_log {
    category = "csi-snapshot-controller"
  }
  metric {
    category = "AllMetrics"
  }
}

Please let me know if this fixes the problem.

@oscarwest

container insights != diagnostic settings

@zioproto
Collaborator

@oscarwest thanks for the clarification.

I understand now this Terraform module is missing the Data Collection Rules.

Microsoft Documentation has a specific page on how to enable Containers Insights with Terraform.

What happened is that I missed this when I did the review of #446 from @admincasper.

@admincasper are you creating the resource azurerm_monitor_data_collection_rule outside of the module?

PR #446 only implemented the block:

  oms_agent {
    log_analytics_workspace_id      = var.workspace_resource_id
    msi_auth_for_monitoring_enabled = true
  }

We missed the implementation of the azurerm_monitor_data_collection_rule and azurerm_monitor_data_collection_rule_association resources.

The product team published a reference implementation here:
https://github.com/microsoft/Docker-Provider/tree/ci_prod/scripts/onboarding/aks/onboarding-msi-terraform
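
Added example, not part of the thread and not the module's or the product team's code: a sketch of the two resources the last comment names, declared outside the module so Container Insights data reaches an existing workspace when `msi_auth_for_monitoring_enabled = true`. It assumes the workspace is addressable as `azurerm_log_analytics_workspace.this` (the reference used in the diagnostic-setting comment) and that the module exposes `aks_id`; the rule name, destination name and collection settings are constructed values.

```hcl
# Data collection rule: routes the Container Insights stream to the
# existing workspace. Created in the workspace's region and resource group
# (assumption: the workspace is available as azurerm_log_analytics_workspace.this).
resource "azurerm_monitor_data_collection_rule" "container_insights" {
  name                = "example-container-insights-dcr" # constructed name
  resource_group_name = azurerm_log_analytics_workspace.this.resource_group_name
  location            = azurerm_log_analytics_workspace.this.location
  description         = "DCR for Azure Monitor Container Insights"

  destinations {
    log_analytics {
      workspace_resource_id = azurerm_log_analytics_workspace.this.id
      name                  = "ciworkspace" # constructed; must match data_flow below
    }
  }

  data_flow {
    streams      = ["Microsoft-ContainerInsights-Group-Default"]
    destinations = ["ciworkspace"]
  }

  data_sources {
    extension {
      name           = "ContainerInsightsExtension"
      extension_name = "ContainerInsights"
      streams        = ["Microsoft-ContainerInsights-Group-Default"]
      # Constructed collection settings; adjust interval and namespace
      # filtering to the cluster's logging requirements.
      extension_json = jsonencode({
        dataCollectionSettings = {
          interval               = "1m"
          namespaceFilteringMode = "Off"
          enableContainerLogV2   = true
        }
      })
    }
  }
}

# Association: binds the rule to the cluster created by the module.
# Without it the monitoring agent has no rule to read, so nothing is
# collected into the workspace.
resource "azurerm_monitor_data_collection_rule_association" "container_insights" {
  name                    = "ContainerInsightsExtension"
  target_resource_id      = module.aks.aks_id
  data_collection_rule_id = azurerm_monitor_data_collection_rule.container_insights.id
  description             = "Association of the Container Insights DCR with the AKS cluster"
}
```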
