I have a fairly vanilla docker image that is deployed to Azure via Azure container instance. It is set up with terraform and all of that seems to work as expected. However, I would like to get the container logs (i.e. stdout from the app) to appear in a log analytics workspace (also set up via terraform). I expected just adding the diagnostics section as I have done below would be enough, but I can't find anything in the log analytics workspace even after waiting a while (to make sure that the logs have time to be ingested into log analytics). Is there some step I am missing?
One snag I did hit upon was that if I set the log_type to ContainerInstanceLogs the deployment would fail (complaining that it didn't support metadata even though I didn't provide any). However, omitting that optional attribute in the log_analytics section everything deploys fine. Still it would be nice to actually get the logs into the workspace so they are more easily searchable!
```hcl
resource "azurerm_container_group" "webapp" {
  count               = length(local.names)
  name                = local.names[count.index]
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  depends_on = [
    azurerm_container_group.init,
    azurerm_key_vault_access_policy.app_cg,
    azurerm_role_assignment.servicebus_owner,
  ]
  ip_address_type = "Private"
  os_type         = "Linux"

  diagnostics {
    log_analytics {
      workspace_id  = var.log_analytics_workspace_id
      workspace_key = var.log_analytics_workspace_key
    }
  }

  container {
    name   = "webapp"
    image  = "${var.registry_server}/app:${var.app_tag}"
    cpu    = "0.25"
    memory = "0.5"

    ports {
      port     = 8080
      protocol = "TCP"
    }

    environment_variables = {
      "ASPNETCORE_ENVIRONMENT"         = "Production"
      "AZURE_KEY_VAULT_URL"            = var.keyvault_uri
      "AZURE_STORAGE_ACCOUNT_ENDPOINT" = var.storage_account_endpoint
      "ASPNETCORE_URLS"                = "http://+:8080"
      "AZURE_CLIENT_ID"                = azurerm_user_assigned_identity.container_group_identity.client_id
    }
  }

  image_registry_credential {
    server                    = var.registry_server
    user_assigned_identity_id = var.registry_identity_id
  }

  subnet_ids = [var.public_subnet_id]

  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.container_group_identity.id, var.registry_identity_id]
  }

  tags = {
    "environment" = var.environment
  }
}
```
Azure container instance to log to analytics workspace with terraform
Hello Emil L, it seems like you already found a solution to your problem.
The input you mentioned is on point, as the missing private link is preventing the Azure Container Instance (ACI) from sending logs to the Log Analytics workspace. When deploying ACI, especially when your workspace is configured not to ingest data over the public internet, it is always better to maintain the connection between the container and the workspace.
I tried a demo configuration which helps in achieving this requirement, for community members who might come across similar cases. Please feel free to add any points / your inputs to this if required.
Configuration:
```hcl
resource "azurerm_monitor_private_link_scope" "monitor_pls" {
  name                = "vksb-monitor-private-link-scope"
  resource_group_name = azurerm_resource_group.rg.name
}

resource "azurerm_private_endpoint" "monitor_pe" {
  name                = "monitor-private-endpoint"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  subnet_id           = azurerm_subnet.monitor_subnet.id

  private_service_connection {
    name                           = "monitor-connection"
    private_connection_resource_id = azurerm_monitor_private_link_scope.monitor_pls.id
    is_manual_connection           = false
    subresource_names              = ["azuremonitor"]
  }
}

resource "azurerm_user_assigned_identity" "container_group_identity" {
  name                = "vksb-container-group-identity"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
}

resource "azurerm_container_group" "webapp" {
  count               = length(local.container_group_names)
  name                = local.container_group_names[count.index]
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  ip_address_type     = "Private"
  os_type             = "Linux"

  diagnostics {
    log_analytics {
      workspace_id  = azurerm_log_analytics_workspace.log_analytics.workspace_id
      workspace_key = azurerm_log_analytics_workspace.log_analytics.primary_shared_key
    }
  }

  container {
    name   = local.container_group_names[count.index]
    image  = "${var.registry_server}/app:${var.app_tag}"
    cpu    = "0.25"
    memory = "0.5"

    ports {
      port     = 8080
      protocol = "TCP"
    }

    environment_variables = {
      "ASPNETCORE_ENVIRONMENT" = "Production"
    }
  }

  identity {
    type = "UserAssigned"
    identity_ids = [
      azurerm_user_assigned_identity.container_group_identity.id
    ]
  }

  subnet_ids = [azurerm_subnet.aci_subnet.id]

  depends_on = [
    azurerm_log_analytics_workspace.log_analytics,
    azurerm_monitor_private_link_scope.monitor_pls,
    azurerm_private_endpoint.monitor_pe,
    azurerm_user_assigned_identity.container_group_identity
  ]
}
```
Refer:
azurerm_container_group | Resources | hashicorp/azurerm | Terraform | Terraform Registry
https://learn.microsoft.com/en-us/azure/azure-monitor/logs/private-link-security
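The answer's configuration creates the private link scope and its endpoint, but the workspace still has to be added to that scope and the private DNS zones have to exist for the ACI subnet to resolve the endpoint. The following is an added example, not code from the answer or the question; it assumes `azurerm_resource_group.rg`, `azurerm_virtual_network.vnet` and `azurerm_monitor_private_link_scope.monitor_pls` exist as declared above, and `example-law` is a placeholder workspace name.

```hcl
# Added example, not part of the answer: assumes azurerm_resource_group.rg,
# azurerm_virtual_network.vnet and azurerm_monitor_private_link_scope.monitor_pls
# exist as declared above; "example-law" is a placeholder name.

resource "azurerm_log_analytics_workspace" "log_analytics" {
  name                = "example-law"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  sku                 = "PerGB2018"
  retention_in_days   = 30
  # Accept ingestion and queries only through the private link.
  internet_ingestion_enabled = false
  internet_query_enabled     = false
}

# Attaches the workspace to the scope; an AMPLS with no scoped services routes
# nothing, and the container's log traffic never reaches a private-only workspace.
resource "azurerm_monitor_private_link_scoped_service" "law" {
  name                = "law-scoped-service"
  resource_group_name = azurerm_resource_group.rg.name
  scope_name          = azurerm_monitor_private_link_scope.monitor_pls.name
  linked_resource_id  = azurerm_log_analytics_workspace.log_analytics.id
}

# Private DNS zones for Azure Monitor; without them the container resolves
# the public ingestion hostnames, which a private-only workspace rejects.
resource "azurerm_private_dns_zone" "monitor" {
  for_each = toset([
    "privatelink.monitor.azure.com",
    "privatelink.oms.opinsights.azure.com",
    "privatelink.ods.opinsights.azure.com",
    "privatelink.agentsvc.azure-automation.net",
    "privatelink.blob.core.windows.net",
  ])
  name                = each.value
  resource_group_name = azurerm_resource_group.rg.name
}

# Link each zone to the VNet that holds the ACI subnet so names resolve there.
resource "azurerm_private_dns_zone_virtual_network_link" "monitor" {
  for_each              = azurerm_private_dns_zone.monitor
  name                  = "${replace(each.key, ".", "-")}-link"
  resource_group_name   = azurerm_resource_group.rg.name
  private_dns_zone_name = each.value.name
  virtual_network_id    = azurerm_virtual_network.vnet.id
}
```

The answer's `azurerm_private_endpoint` then needs a `private_dns_zone_group` block listing these zones' ids so the endpoint registers its A records in them; after that, container stdout should appear in the workspace's `ContainerInstanceLog_CL` table.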