Module not compatible with Azure Landing Zones, as it expects certain resources from a different subscription

[mestredelpino]

Is there an existing issue for this?

• I have searched the existing issues

Description

The Azure Landing Zones architecture expects a centralized deployment of Azure Log Analytics Workspace in the "management" subscription, while the rest of AKS resources should be on the "online" subscription. This AKS module does provide the possibility to use an existing LA workspace, but it expects it to be in the same subscription as all the other AKS resources.

The module should provide an input to properly import the LA workspace from a different subscription.

New or Affected Resource(s)/Data Source(s)

data.azurerm_log_analytics_workspace.main

Potential Terraform Configuration

provider "azurerm" {
  features {}
  alias = "management"
  subscription_id = var.subscription_id_management
}


variable "subscription_id_management" {
  type = string
  description = "The ID of the ALZ management subscription"
}

data "azurerm_log_analytics_workspace" "main" {
  provider = azurerm.management
  count = local.query_datasource_for_log_analytics_workspace_location ? 1 : 0

  name                = var.log_analytics_workspace.name
  resource_group_name = local.log_analytics_workspace.resource_group_name
}

References

https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/landing-zone/

[zioproto]

@mestredelpino there is a way to make this work without code changes. You have to set values to all fields of this variable log_analytics_workspace:

terraform-azurerm-aks/variables.tf

Lines 690 to 699 in decb533

	variable "log_analytics_workspace" {
	type = object({
	id = string
	name = string
	location = optional(string)
	resource_group_name = optional(string)
	})
	default = null
	description = "(Optional) Existing azurerm_log_analytics_workspace to attach azurerm_log_analytics_solution. Providing the config disables creation of azurerm_log_analytics_workspace."
	}

It is important to set the location field.

Also var.log_analytics_workspace_enabled must be set to true.

terraform-azurerm-aks/variables.tf

Lines 725 to 730 in decb533

	variable "log_analytics_workspace_enabled" {
	type = bool
	default = true
	description = "Enable the integration of azurerm_log_analytics_workspace and azurerm_log_analytics_solution: https://docs.microsoft.com/en-us/azure/azure-monitor/containers/container-insights-onboard"
	nullable = false
	}

This way you can use a Log Analytics Workspace that is created in a different subscription.

The location in var.log_analytics_workspace is important because at:

terraform-azurerm-aks/locals.tf

Line 57 in decb533

query_datasource_for_log_analytics_workspace_location = var.log_analytics_workspace_enabled && (var.log_analytics_workspace != null ? var.log_analytics_workspace.location == null : false)

If the location is null then you will use the datasource that does not support referencing a resource in a different subscription:

terraform-azurerm-aks/log_analytics.tf

Lines 52 to 57 in decb533

	data "azurerm_log_analytics_workspace" "main" {
	count = local.query_datasource_for_log_analytics_workspace_location ? 1 : 0
	name = var.log_analytics_workspace.name
	resource_group_name = local.log_analytics_workspace.resource_group_name
	}

[zioproto]

@mestredelpino please confirm if your issue is solved. Thanks

[zioproto]

@mestredelpino friendly ping

[mestredelpino]

Hi @zioproto, I am currently getting this error

│ Error: creating Solution (Subscription: "<ONLINE_SUBSCRIPTION_ID>"
│ Resource Group Name: "es-mgmt"
│ Solution Name: "ContainerInsights(es-la)"): performing CreateOrUpdate: unexpected status 404 (404 Not Found) with error: ResourceGroupNotFound: Resource group 'es-mgmt' could not be found.
│
│ with module.aks.azurerm_log_analytics_solution.main[0],
│ on .terraform/modules/aks/log_analytics.tf line 59, in resource "azurerm_log_analytics_solution" "main":
│ 59: resource "azurerm_log_analytics_solution" "main" {
│
│ creating Solution (Subscription: "<ONLINE_SUBSCRIPTION_ID>"
│ Resource Group Name: "es-mgmt"
│ Solution Name: "ContainerInsights(es-la)"): performing CreateOrUpdate: unexpected status 404 (404 Not Found) with error: ResourceGroupNotFound: Resource group 'es-mgmt' could not be found.

This is how I configured the variables suggested:

log_analytics_workspace_enabled = true 
log_analytics_workspace = {
    location = "westeurope" 
    id = "/subscriptions/<MANAGEMENT_SUBSCRIPTION_ID>/resourceGroups/es-mgmt/providers/Microsoft.OperationalInsights/workspaces/es-la/" 
    name = "es-la" 
    resource_group_name = "es-mgmt" 
    }

[zioproto]

Cc: @ibersanoMS

@mestredelpino AVM is releasing an AKS resource module here: https://github.com/Azure/terraform-azurerm-avm-res-containerservice-managedcluster

It makes sense to assess first if the new module has the same issue.