Fully hardened/observable Linux VM example

Does anyone know if there exists any kind of fully worked example of a secure, fully monitored Linux VM?

I’m still trying to wrap my head around Azure Security Center/Azure Defender/Log Analytics Workspaces and the different agents. I may have completely misunderstood something, but what I think I’m looking for right now is something that includes:

  • Create Log Analytics Workspace to my preferred naming convention
  • Enable Azure Defender for Servers with Auto Provisioning of Log Analytics agent to above Workspace
  • Collect logs from journald/syslog
  • Enable vulnerability assessment (Qualys)
  • Unattended updates
  • Minimal NSG to allow the above to function
  • Azure Firewall (optional-ish, very expensive for a small example)
  • Anything else important I forgot…

When writing this out, I start to wonder if I should perhaps disable the auto provisioning of the log agent and manage the extension manually. What are other people doing to create secure and monitored VMs with Terraform?
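As an added example (not from the original post or from any Azure sample), the following Terraform wires up the first two bullets and shows both agent strategies the post weighs against each other: Defender auto provisioning versus a manually managed OmsAgentForLinux extension. It assumes azurerm 3.x, an existing resource group and Linux VM passed in as variables, and a made-up naming prefix.

```hcl
provider "azurerm" { features {} }
data "azurerm_subscription" "current" {}

variable "prefix" { default = "sec-example" }   # naming prefix (assumption)
variable "resource_group_name" {}               # existing resource group (assumption)
variable "location" { default = "westeurope" }
variable "vm_id" {}                             # existing Linux VM to monitor (assumption)
variable "auto_provision" { default = true }    # true: let Defender install the agent

# Workspace named to the convention; 90 days keeps enough history for investigations
resource "azurerm_log_analytics_workspace" "law" {
  name                = "log-${var.prefix}"
  location            = var.location
  resource_group_name = var.resource_group_name
  sku                 = "PerGB2018"
  retention_in_days   = 90
}

# Defender for Servers (the paid tier) for every VM in the subscription
resource "azurerm_security_center_subscription_pricing" "servers" {
  tier          = "Standard"
  resource_type = "VirtualMachines"
}

# Send Defender's data to this workspace instead of the default one it would create
resource "azurerm_security_center_workspace" "link" {
  scope        = data.azurerm_subscription.current.id
  workspace_id = azurerm_log_analytics_workspace.law.id
}

# Option A: Defender auto-provisions the Log Analytics agent on every VM
resource "azurerm_security_center_auto_provisioning" "agent" {
  auto_provision = var.auto_provision ? "On" : "Off"
}

# Option B: manage the agent extension yourself, pinned to this VM and workspace
resource "azurerm_virtual_machine_extension" "oms" {
  count                      = var.auto_provision ? 0 : 1
  name                       = "OmsAgentForLinux"
  virtual_machine_id         = var.vm_id
  publisher                  = "Microsoft.EnterpriseCloud.Monitoring"
  type                       = "OmsAgentForLinux"
  type_handler_version       = "1.13"
  auto_upgrade_minor_version = true
  settings                   = jsonencode({ workspaceId = azurerm_log_analytics_workspace.law.workspace_id })
  # the workspace key is a secret: protected_settings is encrypted by Azure and never shown in the portal
  protected_settings         = jsonencode({ workspaceKey = azurerm_log_analytics_workspace.law.primary_shared_key })
}
```

Whichever option is chosen, the VM still needs outbound HTTPS to the Log Analytics endpoints (the AzureMonitor service tag) for either agent to report, so a "minimal" NSG cannot block all outbound traffic; syslog collection, the Qualys assessment and unattended upgrades are not covered here.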