fix: DNS zone changes in hub

.azuredevops/pipelines/cd-infrastructure-dev-audit.yaml

@@ -14,7 +14,7 @@ resources:
     - repository: dtos-devops-templates
       type: github
       name: NHSDigital/dtos-devops-templates
-      ref: 57e204e15509e40243551dccfe077f3452a31369
+      ref: 50b7be9a048ad75097a409251687d9b527780079
       endpoint: NHSDigital
 
 variables:

.azuredevops/pipelines/cd-infrastructure-dev-core.yaml

@@ -14,7 +14,7 @@ resources:
     - repository: dtos-devops-templates
       type: github
       name: NHSDigital/dtos-devops-templates
-      ref: 57e204e15509e40243551dccfe077f3452a31369
+      ref: 50b7be9a048ad75097a409251687d9b527780079
       endpoint: NHSDigital
 
 variables:

.azuredevops/pipelines/cd-infrastructure-int-audit.yaml

@@ -14,7 +14,7 @@ resources:
     - repository: dtos-devops-templates
       type: github
       name: NHSDigital/dtos-devops-templates
-      ref: 57e204e15509e40243551dccfe077f3452a31369
+      ref: 50b7be9a048ad75097a409251687d9b527780079
       endpoint: NHSDigital
 
 variables:

.azuredevops/pipelines/cd-infrastructure-int-core.yaml

@@ -14,7 +14,7 @@ resources:
     - repository: dtos-devops-templates
       type: github
       name: NHSDigital/dtos-devops-templates
-      ref: 57e204e15509e40243551dccfe077f3452a31369
+      ref: 50b7be9a048ad75097a409251687d9b527780079
       endpoint: NHSDigital
 
 variables:

.azuredevops/pipelines/cd-infrastructure-nft-audit.yaml

@@ -14,7 +14,7 @@ resources:
     - repository: dtos-devops-templates
       type: github
       name: NHSDigital/dtos-devops-templates
-      ref: 57e204e15509e40243551dccfe077f3452a31369
+      ref: 50b7be9a048ad75097a409251687d9b527780079
       endpoint: NHSDigital
 
 variables:

.azuredevops/pipelines/cd-infrastructure-nft-core.yaml

@@ -14,7 +14,7 @@ resources:
     - repository: dtos-devops-templates
       type: github
       name: NHSDigital/dtos-devops-templates
-      ref: 57e204e15509e40243551dccfe077f3452a31369
+      ref: 50b7be9a048ad75097a409251687d9b527780079
       endpoint: NHSDigital
 
 variables:

infrastructure/tf-audit/diagnostic_settings.tf

@@ -0,0 +1,32 @@
+locals {
+  #APPSERVICEPLAN
+  monitor_diagnostic_setting_appserviceplan_metrics = ["AllMetrics"]
+
+  #FUNCTIONAPP
+  monitor_diagnostic_setting_function_app_enabled_logs = ["AppServiceAuthenticationLogs", "FunctionAppLogs"]
+  monitor_diagnostic_setting_function_app_metrics      = ["AllMetrics"]
+
+  # KEYVAULT
+  monitor_diagnostic_setting_keyvault_enabled_logs = ["AuditEvent", "AzurePolicyEvaluationDetails"]
+  monitor_diagnostic_setting_keyvault_metrics      = ["AllMetrics"]
+
+  # LOG ANALYTICS WORKSPACE
+  monitor_diagnostic_setting_log_analytics_workspace_enabled_logs = ["SummaryLogs", "Audit"]
+  monitor_diagnostic_setting_log_analytics_workspace_metrics      = ["AllMetrics"]
+
+  #SQL SERVER AND DATABASE
+  monitor_diagnostic_setting_database_enabled_logs   = ["SQLSecurityAuditEvents", "SQLInsights", "QueryStoreWaitStatistics", "Errors", "DatabaseWaitStatistics", "Timeouts"]
+  monitor_diagnostic_setting_database_metrics        = ["AllMetrics"]
+  monitor_diagnostic_setting_sql_server_enabled_logs = ["SQLSecurityAuditEvents"]
+  monitor_diagnostic_setting_sql_server_metrics      = ["AllMetrics"]
+
+  #STORAGE ACCOUNT
+  monitor_diagnostic_setting_storage_account_enabled_logs = ["StorageWrite", "StorageRead", "StorageDelete"]
+
+  #SUBNET
+  monitor_diagnostic_setting_network_security_group_enabled_logs = ["NetworkSecurityGroupEvent", "NetworkSecurityGroupRuleCounter"]
+
+  #VNET
+  monitor_diagnostic_setting_vnet_enabled_logs = ["VMProtectionAlerts"]
+  monitor_diagnostic_setting_vnet_metrics      = ["AllMetrics"]
+}

infrastructure/tf-audit/log_analytics_workspace.tf

@@ -9,6 +9,9 @@ module "log_analytics_workspace_audit" {
   law_sku        = var.law.law_sku
   retention_days = var.law.retention_days
 
+  monitor_diagnostic_setting_log_analytics_workspace_enabled_logs = local.monitor_diagnostic_setting_log_analytics_workspace_enabled_logs
+  monitor_diagnostic_setting_log_analytics_workspace_metrics      = local.monitor_diagnostic_setting_log_analytics_workspace_metrics
+
   resource_group_name = azurerm_resource_group.audit[each.key].name
 
   tags = var.tags

infrastructure/tf-audit/networking.tf

@@ -1,3 +1,7 @@
+locals {
+  primary_region = [for k, v in var.regions : k if v.is_primary_region][0]
+}
+
 resource "azurerm_resource_group" "rg_vnet" {
   for_each = var.regions
 
@@ -22,6 +26,10 @@ module "vnet" {
   location            = each.key
   vnet_address_space  = each.value.address_space
 
+  log_analytics_workspace_id                   = module.log_analytics_workspace_audit[local.primary_region].id
+  monitor_diagnostic_setting_vnet_enabled_logs = local.monitor_diagnostic_setting_vnet_enabled_logs
+  monitor_diagnostic_setting_vnet_metrics      = local.monitor_diagnostic_setting_vnet_metrics
+
   dns_servers = [data.terraform_remote_state.hub.outputs.private_dns_resolver_inbound_ips[each.key].private_dns_resolver_ip]
 
   tags = var.tags
@@ -51,6 +59,9 @@ module "subnets" {
   service_delegation_name    = each.value.service_delegation_name != null ? each.value.service_delegation_name : ""
   service_delegation_actions = each.value.service_delegation_actions != null ? each.value.service_delegation_actions : []
 
+  log_analytics_workspace_id                                     = module.log_analytics_workspace_audit[local.primary_region].id
+  monitor_diagnostic_setting_network_security_group_enabled_logs = local.monitor_diagnostic_setting_network_security_group_enabled_logs
+
   tags = var.tags
 }
 

infrastructure/tf-audit/private_link_scopes.tf

@@ -39,11 +39,11 @@ module "private_link_scope" {
   # Private Endpoint Configuration if enabled
   private_endpoint_properties = var.features.private_endpoints_enabled ? {
     private_dns_zone_ids = [
-      data.terraform_remote_state.hub.outputs.private_dns_zone_app_insight[each.key].private_dns_zone.id,
-      data.terraform_remote_state.hub.outputs.private_dns_zone_azure_automation[each.key].private_dns_zone.id,
-      data.terraform_remote_state.hub.outputs.private_dns_zone_od_insights[each.key].private_dns_zone.id,
-      data.terraform_remote_state.hub.outputs.private_dns_zone_op_insights[each.key].private_dns_zone.id,
-      data.terraform_remote_state.hub.outputs.private_dns_zone_storage_blob[each.key].private_dns_zone.id
+      data.terraform_remote_state.hub.outputs.private_dns_zones["${each.key}-app_insights"].id,
+      data.terraform_remote_state.hub.outputs.private_dns_zones["${each.key}-automation"].id,
+      data.terraform_remote_state.hub.outputs.private_dns_zones["${each.key}-operations_data_store"].id,
+      data.terraform_remote_state.hub.outputs.private_dns_zones["${each.key}-operations_management_suite"].id,
+      data.terraform_remote_state.hub.outputs.private_dns_zones["${each.key}-storage_blob"].id
     ]
     private_endpoint_enabled             = var.features.private_endpoints_enabled
     private_endpoint_subnet_id           = module.subnets["${module.regions_config[each.key].names.subnet}-pep"].id

infrastructure/tf-core/app_service_plan.tf

@@ -24,6 +24,9 @@ module "app-service-plan" {
   resource_group_name = azurerm_resource_group.core[each.value.region_key].name
   location            = each.value.region_key
 
+  log_analytics_workspace_id                        = data.terraform_remote_state.audit.outputs.log_analytics_workspace_id[local.primary_region]
+  monitor_diagnostic_setting_appserviceplan_metrics = local.monitor_diagnostic_setting_appserviceplan_metrics
+
   os_type  = var.app_service_plan.os_type
   sku_name = var.app_service_plan.sku_name
 

infrastructure/tf-core/data.tf

@@ -91,3 +91,7 @@ data "azurerm_key_vault_key" "private_key" {
   name         = "PRIVATE-KEY"
   key_vault_id = module.key_vault[each.key].key_vault_id
 }
+
+data "azuread_group" "commgt_devs" {
+  display_name = "DToS-commgt-DevTesters-dev"
+}

infrastructure/tf-core/diagnostic_settings.tf

@@ -0,0 +1,32 @@
+locals {
+  #APPSERVICEPLAN
+  monitor_diagnostic_setting_appserviceplan_metrics = ["AllMetrics"]
+
+  #FUNCTIONAPP
+  monitor_diagnostic_setting_function_app_enabled_logs = ["AppServiceAuthenticationLogs", "FunctionAppLogs"]
+  monitor_diagnostic_setting_function_app_metrics      = ["AllMetrics"]
+
+  # KEYVAULT
+  monitor_diagnostic_setting_keyvault_enabled_logs = ["AuditEvent", "AzurePolicyEvaluationDetails"]
+  monitor_diagnostic_setting_keyvault_metrics      = ["AllMetrics"]
+
+  # LOG ANALYTICS WORKSPACE
+  monitor_diagnostic_setting_log_analytics_workspace_enabled_logs = ["SummaryLogs", "Audit"]
+  monitor_diagnostic_setting_log_analytics_workspace_metrics      = ["AllMetrics"]
+
+  #SQL SERVER AND DATABASE
+  monitor_diagnostic_setting_database_enabled_logs   = ["SQLSecurityAuditEvents", "SQLInsights", "QueryStoreWaitStatistics", "Errors", "DatabaseWaitStatistics", "Timeouts"]
+  monitor_diagnostic_setting_database_metrics        = ["AllMetrics"]
+  monitor_diagnostic_setting_sql_server_enabled_logs = ["SQLSecurityAuditEvents"]
+  monitor_diagnostic_setting_sql_server_metrics      = ["AllMetrics"]
+
+  #STORAGE ACCOUNT
+  monitor_diagnostic_setting_storage_account_enabled_logs = ["StorageWrite", "StorageRead", "StorageDelete"]
+
+  #SUBNET
+  monitor_diagnostic_setting_network_security_group_enabled_logs = ["NetworkSecurityGroupEvent", "NetworkSecurityGroupRuleCounter"]
+
+  #VNET
+  monitor_diagnostic_setting_vnet_enabled_logs = ["VMProtectionAlerts"]
+  monitor_diagnostic_setting_vnet_metrics      = ["AllMetrics"]
+}

infrastructure/tf-core/function_app.tf

@@ -9,7 +9,9 @@ module "functionapp" {
 
   app_settings = each.value.app_settings
 
-  log_analytics_workspace_id = data.terraform_remote_state.audit.outputs.log_analytics_workspace_id[local.primary_region]
+  log_analytics_workspace_id                           = data.terraform_remote_state.audit.outputs.log_analytics_workspace_id[local.primary_region]
+  monitor_diagnostic_setting_function_app_enabled_logs = local.monitor_diagnostic_setting_function_app_enabled_logs
+  monitor_diagnostic_setting_function_app_metrics      = local.monitor_diagnostic_setting_function_app_metrics
 
   public_network_access_enabled = var.features.public_network_access_enabled
   vnet_integration_subnet_id    = module.subnets["${module.regions_config[each.value.region].names.subnet}-apps"].id
@@ -44,7 +46,7 @@ module "functionapp" {
 
   # Private Endpoint Configuration if enabled
   private_endpoint_properties = var.features.private_endpoints_enabled ? {
-    private_dns_zone_ids                 = [data.terraform_remote_state.hub.outputs.private_dns_zone_app_services[each.value.region].private_dns_zone.id]
+    private_dns_zone_ids                 = [data.terraform_remote_state.hub.outputs.private_dns_zones["${each.value.region}-app_services"].id]
     private_endpoint_enabled             = var.features.private_endpoints_enabled
     private_endpoint_subnet_id           = module.subnets["${module.regions_config[each.value.region].names.subnet}-pep"].id
     private_endpoint_resource_group_name = azurerm_resource_group.rg_private_endpoints[each.value.region].name
@@ -110,6 +112,7 @@ locals {
             } : {}
           )
 
+          # These RBAC assignments are for the Function Apps only
           rbac_role_assignments = flatten([
 
             # Key Vault

infrastructure/tf-core/key_vault.tf

@@ -15,9 +15,13 @@ module "key_vault" {
   enable_rbac_authorization = true
   rbac_roles                = local.rbac_roles_key_vault
 
+  log_analytics_workspace_id                       = data.terraform_remote_state.audit.outputs.log_analytics_workspace_id[local.primary_region]
+  monitor_diagnostic_setting_keyvault_enabled_logs = local.monitor_diagnostic_setting_keyvault_enabled_logs
+  monitor_diagnostic_setting_keyvault_metrics      = local.monitor_diagnostic_setting_keyvault_metrics
+
   # Private Endpoint Configuration if enabled
   private_endpoint_properties = var.features.private_endpoints_enabled ? {
-    private_dns_zone_ids_keyvault        = [data.terraform_remote_state.hub.outputs.private_dns_zone_key_vault[each.key].private_dns_zone.id]
+    private_dns_zone_ids_keyvault        = [data.terraform_remote_state.hub.outputs.private_dns_zones["${each.key}-key_vault"].id]
     private_endpoint_enabled             = var.features.private_endpoints_enabled
     private_endpoint_subnet_id           = module.subnets["${module.regions_config[each.key].names.subnet}-pep"].id
     private_endpoint_resource_group_name = azurerm_resource_group.rg_private_endpoints[each.key].name

infrastructure/tf-core/networking.tf

@@ -24,6 +24,10 @@ module "vnet" {
 
   dns_servers = [data.terraform_remote_state.hub.outputs.private_dns_resolver_inbound_ips[each.key].private_dns_resolver_ip]
 
+  log_analytics_workspace_id                   = data.terraform_remote_state.audit.outputs.log_analytics_workspace_id[local.primary_region]
+  monitor_diagnostic_setting_vnet_enabled_logs = local.monitor_diagnostic_setting_vnet_enabled_logs
+  monitor_diagnostic_setting_vnet_metrics      = local.monitor_diagnostic_setting_vnet_metrics
+
   tags = var.tags
 }
 
@@ -65,6 +69,9 @@ module "subnets" {
   default_outbound_access_enabled   = true
   private_endpoint_network_policies = "Disabled" # Default as per compliance requirements
 
+  log_analytics_workspace_id                                     = data.terraform_remote_state.audit.outputs.log_analytics_workspace_id[local.primary_region]
+  monitor_diagnostic_setting_network_security_group_enabled_logs = local.monitor_diagnostic_setting_network_security_group_enabled_logs
+
   delegation_name            = each.value.delegation_name != null ? each.value.delegation_name : ""
   service_delegation_name    = each.value.service_delegation_name != null ? each.value.service_delegation_name : ""
   service_delegation_actions = each.value.service_delegation_actions != null ? each.value.service_delegation_actions : []

infrastructure/tf-core/rbac.tf

@@ -10,4 +10,5 @@ locals {
     "Storage Blob Data Owner",
     "Storage Queue Data Contributor"
   ]
+
 }

infrastructure/tf-core/storage.tf

@@ -15,10 +15,14 @@ module "storage" {
 
   rbac_roles = local.rbac_roles_storage
 
+  log_analytics_workspace_id                              = data.terraform_remote_state.audit.outputs.log_analytics_workspace_id[local.primary_region]
+  monitor_diagnostic_setting_storage_account_enabled_logs = local.monitor_diagnostic_setting_storage_account_enabled_logs
+
+
   # Private Endpoint Configuration if enabled
   private_endpoint_properties = var.features.private_endpoints_enabled ? {
-    private_dns_zone_ids_blob            = [data.terraform_remote_state.hub.outputs.private_dns_zone_storage_blob[each.value.region].private_dns_zone.id]
-    private_dns_zone_ids_queue           = [data.terraform_remote_state.hub.outputs.private_dns_zone_storage_queue[each.value.region].private_dns_zone.id]
+    private_dns_zone_ids_blob            = [data.terraform_remote_state.hub.outputs.private_dns_zones["${each.value.region}-storage_blob"].id]
+    private_dns_zone_ids_queue           = [data.terraform_remote_state.hub.outputs.private_dns_zones["${each.value.region}-storage_queue"].id]
     private_endpoint_enabled             = var.features.private_endpoints_enabled
     private_endpoint_subnet_id           = module.subnets["${module.regions_config[each.value.region].names.subnet}-pep"].id
     private_endpoint_resource_group_name = azurerm_resource_group.rg_private_endpoints[each.value.region].name