need to create 1 unique storage account per nsg per rg to store flow …

…logs
kentik · Nov 27, 2024 · 98be850 · 98be850
1 parent 7dafd2a
commit 98be850
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 8 deletions.
diff --git a/cloud_Azure/terraform/module/network_watcher.tf b/cloud_Azure/terraform/module/network_watcher.tf
@@ -55,7 +55,7 @@ locals {
 
 # Turns on flow logs for all network security groups in requested resource groups
 resource "azurerm_network_watcher_flow_log" "kentik_network_flow_log" {
-  for_each = { for i in local.flat_nsgs : i.key => i.value }
+  for_each = { for nsg in local.flat_nsgs : nsg.key => nsg.value }
 
   name                      = "${var.name}_flow_log_${each.value.name}"
   network_watcher_name      = data.azurerm_network_watcher.network_watcher.name

diff --git a/cloud_Azure/terraform/module/storage_account.tf b/cloud_Azure/terraform/module/storage_account.tf
@@ -7,14 +7,15 @@ locals {
   generated_storage_account_names = [for name in local._alphanum_lowercase_names : substr(name, 0, 24)]
 }
 
-# Creates one storage account per resource group to store flow logs
-# StorageAccounts are mapped 1:1 to resource_group_names and this fact is used to get storage account id for given resource group name
+# Creates one storage account per nsg per resource group to store flow logs
+# StorageAccounts are mapped 1:1+:1 to nsg(s) and resource_group_names
+# Note that only one flow log can be associated with a storage account per region
 resource "azurerm_storage_account" "logs_storage_account" {
-  for_each = { for s, rg in var.resource_group_names : rg => s }
+  for_each = { for nsg in local.flat_nsgs : nsg.key => nsg.value }
 
-  # use either custom name if one is provided, or generate one
-  name                     = length(var.storage_account_names) == length(var.resource_group_names) ? var.storage_account_names[each.value] : local.generated_storage_account_names[each.value]
-  resource_group_name      = each.key
+  # generate storage account per nsg per rg
+  name                     = local.generated_storage_account_names[each.value]
+  resource_group_name      = each.value.rg
   location                 = var.location
   account_tier             = "Standard"
   account_replication_type = "GRS"

diff --git a/cloud_Azure/terraform/module/variables.tf b/cloud_Azure/terraform/module/variables.tf
@@ -63,4 +63,4 @@ variable "flow_exporter_application_id" {
   type        = string
   default     = "a20ce222-63c0-46db-86d5-58551eeee89f"
   description = "Kentik NSG Flow Exporter application ID"
-}
+}