fix: DNS zone changes in hub

Author: patrickmoore-nc

.azuredevops/pipelines/cd-infrastructure-dev-audit.yaml

@@ -14,7 +14,7 @@ resources:
     - repository: dtos-devops-templates
       type: github
       name: NHSDigital/dtos-devops-templates
-      ref: 57e204e15509e40243551dccfe077f3452a31369
+      ref: 50b7be9a048ad75097a409251687d9b527780079
       endpoint: NHSDigital
 
 variables:

.azuredevops/pipelines/cd-infrastructure-dev-core.yaml

@@ -14,7 +14,7 @@ resources:
     - repository: dtos-devops-templates
       type: github
       name: NHSDigital/dtos-devops-templates
-      ref: 57e204e15509e40243551dccfe077f3452a31369
+      ref: 50b7be9a048ad75097a409251687d9b527780079
       endpoint: NHSDigital
 
 variables:

.azuredevops/pipelines/cd-infrastructure-int-audit.yaml

@@ -14,7 +14,7 @@ resources:
     - repository: dtos-devops-templates
       type: github
       name: NHSDigital/dtos-devops-templates
-      ref: 57e204e15509e40243551dccfe077f3452a31369
+      ref: 50b7be9a048ad75097a409251687d9b527780079
       endpoint: NHSDigital
 
 variables:

.azuredevops/pipelines/cd-infrastructure-int-core.yaml

@@ -14,7 +14,7 @@ resources:
     - repository: dtos-devops-templates
       type: github
       name: NHSDigital/dtos-devops-templates
-      ref: 57e204e15509e40243551dccfe077f3452a31369
+      ref: 50b7be9a048ad75097a409251687d9b527780079
       endpoint: NHSDigital
 
 variables:

.azuredevops/pipelines/cd-infrastructure-nft-audit.yaml

@@ -14,7 +14,7 @@ resources:
     - repository: dtos-devops-templates
       type: github
       name: NHSDigital/dtos-devops-templates
-      ref: 57e204e15509e40243551dccfe077f3452a31369
+      ref: 50b7be9a048ad75097a409251687d9b527780079
       endpoint: NHSDigital
 
 variables:

.azuredevops/pipelines/cd-infrastructure-nft-core.yaml

@@ -14,7 +14,7 @@ resources:
     - repository: dtos-devops-templates
       type: github
       name: NHSDigital/dtos-devops-templates
-      ref: 57e204e15509e40243551dccfe077f3452a31369
+      ref: 50b7be9a048ad75097a409251687d9b527780079
       endpoint: NHSDigital
 
 variables:

infrastructure/tf-audit/diagnostic_settings.tf

@@ -0,0 +1,32 @@
+locals {
+  #APPSERVICEPLAN
+  monitor_diagnostic_setting_appserviceplan_metrics = ["AllMetrics"]
+
+  #FUNCTIONAPP
+  monitor_diagnostic_setting_function_app_enabled_logs = ["AppServiceAuthenticationLogs", "FunctionAppLogs"]
+  monitor_diagnostic_setting_function_app_metrics      = ["AllMetrics"]
+
+  # KEYVAULT
+  monitor_diagnostic_setting_keyvault_enabled_logs = ["AuditEvent", "AzurePolicyEvaluationDetails"]
+  monitor_diagnostic_setting_keyvault_metrics      = ["AllMetrics"]
+
+  # LOG ANALYTICS WORKSPACE
+  monitor_diagnostic_setting_log_analytics_workspace_enabled_logs = ["SummaryLogs", "Audit"]
+  monitor_diagnostic_setting_log_analytics_workspace_metrics      = ["AllMetrics"]
+
+  #SQL SERVER AND DATABASE
+  monitor_diagnostic_setting_database_enabled_logs   = ["SQLSecurityAuditEvents", "SQLInsights", "QueryStoreWaitStatistics", "Errors", "DatabaseWaitStatistics", "Timeouts"]
+  monitor_diagnostic_setting_database_metrics        = ["AllMetrics"]
+  monitor_diagnostic_setting_sql_server_enabled_logs = ["SQLSecurityAuditEvents"]
+  monitor_diagnostic_setting_sql_server_metrics      = ["AllMetrics"]
+
+  #STORAGE ACCOUNT
+  monitor_diagnostic_setting_storage_account_enabled_logs = ["StorageWrite", "StorageRead", "StorageDelete"]
+
+  #SUBNET
+  monitor_diagnostic_setting_network_security_group_enabled_logs = ["NetworkSecurityGroupEvent", "NetworkSecurityGroupRuleCounter"]
+
+  #VNET
+  monitor_diagnostic_setting_vnet_enabled_logs = ["VMProtectionAlerts"]
+  monitor_diagnostic_setting_vnet_metrics      = ["AllMetrics"]
+}

infrastructure/tf-audit/log_analytics_workspace.tf

@@ -6,8 +6,11 @@ module "log_analytics_workspace_audit" {
   name     = module.regions_config[each.key].names.log-analytics-workspace
   location = each.key
 
-  law_sku        = var.law.law_sku
-  retention_days = var.law.retention_days
+  law_sku                                                         = var.law.law_sku
+  retention_days                                                  = var.law.retention_days
+
+  monitor_diagnostic_setting_log_analytics_workspace_enabled_logs = local.monitor_diagnostic_setting_log_analytics_workspace_enabled_logs
+  monitor_diagnostic_setting_log_analytics_workspace_metrics      = local.monitor_diagnostic_setting_log_analytics_workspace_metrics
 
   resource_group_name = azurerm_resource_group.audit[each.key].name
 

infrastructure/tf-audit/networking.tf

@@ -1,3 +1,7 @@
+locals {
+  primary_region = [for k, v in var.regions : k if v.is_primary_region][0]
+}
+
 resource "azurerm_resource_group" "rg_vnet" {
   for_each = var.regions
 
@@ -22,6 +26,10 @@ module "vnet" {
   location            = each.key
   vnet_address_space  = each.value.address_space
 
+  log_analytics_workspace_id                   = module.log_analytics_workspace_audit[local.primary_region].id
+  monitor_diagnostic_setting_vnet_enabled_logs = local.monitor_diagnostic_setting_vnet_enabled_logs
+  monitor_diagnostic_setting_vnet_metrics      = local.monitor_diagnostic_setting_vnet_metrics
+
   dns_servers = [data.terraform_remote_state.hub.outputs.private_dns_resolver_inbound_ips[each.key].private_dns_resolver_ip]
 
   tags = var.tags
@@ -51,6 +59,9 @@ module "subnets" {
   service_delegation_name    = each.value.service_delegation_name != null ? each.value.service_delegation_name : ""
   service_delegation_actions = each.value.service_delegation_actions != null ? each.value.service_delegation_actions : []
 
+  log_analytics_workspace_id                                     = module.log_analytics_workspace_audit[local.primary_region].id
+  monitor_diagnostic_setting_network_security_group_enabled_logs = local.monitor_diagnostic_setting_network_security_group_enabled_logs
+
   tags = var.tags
 }
 

infrastructure/tf-audit/private_link_scopes.tf

@@ -39,11 +39,11 @@ module "private_link_scope" {
   # Private Endpoint Configuration if enabled
   private_endpoint_properties = var.features.private_endpoints_enabled ? {
     private_dns_zone_ids = [
-      data.terraform_remote_state.hub.outputs.private_dns_zone_app_insight[each.key].private_dns_zone.id,
-      data.terraform_remote_state.hub.outputs.private_dns_zone_azure_automation[each.key].private_dns_zone.id,
-      data.terraform_remote_state.hub.outputs.private_dns_zone_od_insights[each.key].private_dns_zone.id,
-      data.terraform_remote_state.hub.outputs.private_dns_zone_op_insights[each.key].private_dns_zone.id,
-      data.terraform_remote_state.hub.outputs.private_dns_zone_storage_blob[each.key].private_dns_zone.id
+      data.terraform_remote_state.hub.outputs.private_dns_zones["${each.key}-app_insights"].id,
+      data.terraform_remote_state.hub.outputs.private_dns_zones["${each.key}-automation"].id,
+      data.terraform_remote_state.hub.outputs.private_dns_zones["${each.key}-operations_data_store"].id,
+      data.terraform_remote_state.hub.outputs.private_dns_zones["${each.key}-operations_management_suite"].id,
+      data.terraform_remote_state.hub.outputs.private_dns_zones["${each.key}-storage_blob"].id
     ]
     private_endpoint_enabled             = var.features.private_endpoints_enabled
     private_endpoint_subnet_id           = module.subnets["${module.regions_config[each.key].names.subnet}-pep"].id