I need to enable diagnostics on all storage accounts. V2 logs to be kept for 7 days for blob, file, queue and tables. I cannot find any examples of this here, or on git or stackoverflow. I noticed some users are using azurecli for this, so I wonder if it's supported with terraform providers. Anyway here is what I have, but terraform plan is indicating that it's not expecting the logging block: "Blocks of type 'logging' are not expected here…
Here is what I have been playing with.
```hcl
# Test storage account with logging
resource "azurerm_storage_account" "satestwithlogging" {
  name                     = "salogtest"
  resource_group_name      = azurerm_resource_group.prodrgroup.name
  location                 = var.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
  account_kind             = "StorageV2"

  network_rules {
    default_action = "Deny"
    bypass         = ["logging"]
  }

  tags = {
    Environment = "Infrastructure"
    Application = "Infrastructurelogs"
    Owner       = "Networkadmin"
    Function    = "Testonly"
  }

  # This is the block that terraform plan rejects: azurerm_storage_account has no
  # top-level "logging" block. The booleans below were written as a bare
  # identifier (enabled), which is not valid HCL either; true/false is required.
  logging {
    delete                = true
    read                  = true
    retention_policy_days = 7
    version               = "2"
    write                 = true
  }
}
```
Just some updates from researching this.
1. It appears Terraform can only set logging for `queue_properties`, not for blob, file and table (ref GitHub azurerm issue 4401).
2. I tried using AZ CLI storage logging in Terraform, but there I get an XML syntax bug. Also it cannot set logging for File.
3. I guess the only way around this is to use Terraform to create the storage account, then hash out the resource from the TF files. Go to the portal and set logging manually. If you don't hash out the TF side, it will override the Azure portal config during the next terraform apply.
Any help on this please?
Logging is a compulsory security requirement.
Did you ever get this done in Terraform? Although the syntax allows me to set `enabled_log` for the file share resource and the plan is generated, as per the portal it isn't actually in the resource, so it fails on apply.
```hcl
resource "azurerm_monitor_diagnostic_setting" "sa_fslogix_fileshare" {
  provider = azurerm.management

  name = "fslogix-fileshare-${var.env}-mgmt-diag"
  # Targeting the share itself is what Azure rejects on apply (error below).
  target_resource_id         = azurerm_storage_share.fslogix.id
  log_analytics_workspace_id = azurerm_log_analytics_workspace.management.id

  # One enabled_log block per access-log category
  dynamic "enabled_log" {
    for_each = [
      { category = "StorageDelete" },
      { category = "StorageWrite" },
      { category = "StorageRead" },
    ]
    content {
      category = enabled_log.value.category
    }
  }
}
```
```
{"code":"ResourceTypeNotSupported","message":"The resource type 'microsoft.storage/storageaccounts/fileservices/shares' does not support diagnostic settings.
```
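An added example, not code from either poster, that covers the original ask (read/write/delete access logs for blob, file, queue and table) with the same `azurerm_monitor_diagnostic_setting` resource as the reply above, but aimed at the per-service `/blobServices/default`, `/fileServices/default`, `/queueServices/default` and `/tableServices/default` sub-resources, which are the targets Azure accepts for storage diagnostic settings (a share or the account itself is not). The storage account name `salogtest` and workspace `azurerm_log_analytics_workspace.management` are assumed from the thread.

```hcl
# Added example (not from the original posts). Assumes
# azurerm_storage_account.satestwithlogging and
# azurerm_log_analytics_workspace.management exist in the same configuration.

locals {
  # Diagnostic settings attach to each data-plane service of the account,
  # not to the account resource and not to an individual share/container.
  storage_services = toset([
    "blobServices",
    "fileServices",
    "queueServices",
    "tableServices",
  ])
}

resource "azurerm_monitor_diagnostic_setting" "storage_access_logs" {
  for_each = local.storage_services

  name                       = "${azurerm_storage_account.satestwithlogging.name}-${each.key}-diag"
  target_resource_id         = "${azurerm_storage_account.satestwithlogging.id}/${each.key}/default"
  log_analytics_workspace_id = azurerm_log_analytics_workspace.management.id

  # Same three access-log categories the reply above used; these are the
  # categories the four storage services expose for audit purposes.
  dynamic "enabled_log" {
    for_each = ["StorageRead", "StorageWrite", "StorageDelete"]
    content {
      category = enabled_log.value
    }
  }
}
```

Retention is not part of this resource in current provider versions; it is governed by the destination, so the 7-day figure from the original question maps to the workspace's own `retention_in_days` (or a lifecycle rule if you archive to a storage account instead).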