CKV2_AZURE_21 doesn't actually add StorageBlobLogs to the Log Analytics workspace #6844

Open
jarmbruster74 opened this issue Nov 15, 2024 · 0 comments
Labels
checks Check additions or changes

Describe the issue
CKV2_AZURE_21 - Azure storage account logging setting for blobs is disabled
Azure storage account logging is not configured using Storage Insights, but should use Diagnostic Settings. Details are spelled out in this previous comment - #5407 (comment)

Examples
This code passes the check, but doesn't actually create StorageBlobLogs in the Log Analytics Workspace or send any events to it if it already exists.

```hcl
resource "azurerm_resource_group" "resource_group_ok" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_log_analytics_workspace" "analytics_workspace_ok" {
  name                = "exampleworkspace"
  location            = azurerm_resource_group.resource_group_ok.location
  resource_group_name = azurerm_resource_group.resource_group_ok.name
  sku                 = "PerGB2018"
  retention_in_days   = 30
}

resource "azurerm_storage_account" "storage_account_ok" {
  name                     = "examplestoracc"
  resource_group_name      = azurerm_resource_group.resource_group_ok.name
  location                 = azurerm_resource_group.resource_group_ok.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

# Passes CKV2_AZURE_21 today, but Storage Insights does not produce
# StorageBlobLogs; it only attaches the account (via its key) to the workspace.
resource "azurerm_log_analytics_storage_insights" "analytics_storage_insights_ok" {
  name                = "example-storageinsightconfig"
  resource_group_name = azurerm_resource_group.resource_group_ok.name
  workspace_id        = azurerm_log_analytics_workspace.analytics_workspace_ok.id

  storage_account_id   = azurerm_storage_account.storage_account_ok.id
  storage_account_key  = azurerm_storage_account.storage_account_ok.primary_access_key
  blob_container_names = ["blobExample_ok"]
}

resource "azurerm_storage_container" "storage_container_ok" {
  # container names allow only lowercase letters, digits and hyphens
  name                 = "my-awesome-content"
  storage_account_name = azurerm_storage_account.storage_account_ok.name
  # "blob" grants anonymous read access to blobs; unrelated to the logging check
  container_access_type = "blob"
}
```

Instead, the code that would produce StorageBlobLogs would look like:

```hcl
resource "azurerm_resource_group" "resource_group_ok" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_log_analytics_workspace" "analytics_workspace_ok" {
  name                = "exampleworkspace"
  location            = azurerm_resource_group.resource_group_ok.location
  resource_group_name = azurerm_resource_group.resource_group_ok.name
  sku                 = "PerGB2018"
  retention_in_days   = 30
}

resource "azurerm_storage_account" "storage_account_ok" {
  name                     = "examplestoracc"
  resource_group_name      = azurerm_resource_group.resource_group_ok.name
  location                 = azurerm_resource_group.resource_group_ok.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

# A diagnostic setting on the blob service (not on the storage account root,
# which only carries metrics) is what sends StorageBlobLogs to the workspace.
resource "azurerm_monitor_diagnostic_setting" "diagnostic_setting_ok" {
  name                       = "examplediagsetting"
  target_resource_id         = "${azurerm_storage_account.storage_account_ok.id}/blobServices/default"
  log_analytics_workspace_id = azurerm_log_analytics_workspace.analytics_workspace_ok.id

  enabled_log {
    category_group = "allLogs"
  }

  # metrics are not needed for blob request logging; leave them off
  metric {
    category = "Capacity"
    enabled  = false
  }

  metric {
    category = "Transaction"
    enabled  = false
  }
}

resource "azurerm_storage_container" "storage_container_ok" {
  # container names allow only lowercase letters, digits and hyphens
  name                 = "my-awesome-content"
  storage_account_name = azurerm_storage_account.storage_account_ok.name
  # "blob" grants anonymous read access to blobs; unrelated to the logging check
  container_access_type = "blob"
}
```

Version (please complete the following information):

  • Checkov Version 3.2.296
@jarmbruster74 jarmbruster74 added the checks Check additions or changes label Nov 15, 2024
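As an added example (not part of the issue and not Checkov's own code), the logic below captures the property the issue says CKV2_AZURE_21 should verify: a storage account passes only when an `azurerm_monitor_diagnostic_setting` targets its blob service (`<account>.id` + `/blobServices/default`), points at a Log Analytics workspace, and exports at least one log category. A Storage Insights resource does not satisfy it. The config shape is an assumption (a plain dict of resource type, then resource name, then attributes, with references kept as the `${...}` strings Terraform uses); the sample configs are constructed to mirror the two snippets above, plus two near-misses the check should also catch.

```python
"""Added example (not Checkov's code): the property CKV2_AZURE_21 needs to
verify.  StorageBlobLogs only appears in a Log Analytics workspace when an
azurerm_monitor_diagnostic_setting targets the storage account's blob service
and exports at least one log category; a Storage Insights resource does not.

Config shape is an assumption: resource_type -> resource_name -> attributes,
with references kept as the "${...}" strings Terraform uses."""

BLOB_SERVICE_SUFFIX = "/blobServices/default"


def _exports_a_log(setting: dict) -> bool:
    """True if the diagnostic setting sends at least one log category."""
    if setting.get("enabled_log"):  # current azurerm syntax
        return True
    # legacy `log { category = ...; enabled = ... }` blocks
    return any(blk.get("enabled", True) for blk in setting.get("log", []))


def _targets_blob_service(setting: dict, account_addr: str) -> bool:
    """True only for <account>.id + /blobServices/default.  A setting on the
    account root carries metrics only and never yields StorageBlobLogs."""
    expected = "${" + account_addr + ".id}" + BLOB_SERVICE_SUFFIX
    return str(setting.get("target_resource_id", "")) == expected


def blob_logging_enabled(config: dict, account_name: str) -> bool:
    """The per-account verdict a corrected check would return."""
    account_addr = f"azurerm_storage_account.{account_name}"
    settings = config.get("azurerm_monitor_diagnostic_setting", {})
    return any(
        _targets_blob_service(s, account_addr)
        and bool(s.get("log_analytics_workspace_id"))
        and _exports_a_log(s)
        for s in settings.values()
    )


def check_all_accounts(config: dict) -> dict:
    """Map every storage account address to PASS (True) / FAIL (False)."""
    return {
        f"azurerm_storage_account.{name}": blob_logging_enabled(config, name)
        for name in config.get("azurerm_storage_account", {})
    }


# Constructed sample configs mirroring the two snippets in the issue,
# plus two near-misses a check should also catch.
_WS = "${azurerm_log_analytics_workspace.analytics_workspace_ok.id}"
_SA = "${azurerm_storage_account.storage_account_ok.id}"
_COMMON = {
    "azurerm_log_analytics_workspace": {"analytics_workspace_ok": {"sku": "PerGB2018"}},
    "azurerm_storage_account": {"storage_account_ok": {"account_tier": "Standard"}},
}
# first snippet: Storage Insights only -> must FAIL
INSIGHTS_ONLY = {**_COMMON, "azurerm_log_analytics_storage_insights": {
    "analytics_storage_insights_ok": {
        "workspace_id": _WS, "storage_account_id": _SA,
        "blob_container_names": ["blobExample_ok"]}}}
# second snippet: diagnostic setting on the blob service -> PASS
BLOB_DIAG = {**_COMMON, "azurerm_monitor_diagnostic_setting": {"diagnostic_setting_ok": {
    "log_analytics_workspace_id": _WS,
    "target_resource_id": _SA + BLOB_SERVICE_SUFFIX,
    "enabled_log": [{"category_group": "allLogs"}],
    "metric": [{"category": "Capacity", "enabled": False},
               {"category": "Transaction", "enabled": False}]}}}
# near-miss: setting attached to the account root (metrics only) -> FAIL
ROOT_DIAG = {**_COMMON, "azurerm_monitor_diagnostic_setting": {"diagnostic_setting_root": {
    "log_analytics_workspace_id": _WS,
    "target_resource_id": _SA,
    "enabled_log": [{"category_group": "allLogs"}]}}}
# near-miss: blob service targeted but every log category switched off -> FAIL
LOGS_OFF = {**_COMMON, "azurerm_monitor_diagnostic_setting": {"diagnostic_setting_off": {
    "log_analytics_workspace_id": _WS,
    "target_resource_id": _SA + BLOB_SERVICE_SUFFIX,
    "log": [{"category": "StorageRead", "enabled": False}]}}}

if __name__ == "__main__":
    for label, cfg in [("insights_only", INSIGHTS_ONLY), ("blob_diag", BLOB_DIAG),
                       ("root_diag", ROOT_DIAG), ("logs_off", LOGS_OFF)]:
        print(f"{label:14s} {check_all_accounts(cfg)}")
```

The account-root case is the one worth keeping in mind when writing the real check: a diagnostic setting on the storage account itself looks right at a glance but only carries metrics, so matching on the `/blobServices/default` target is what distinguishes a setting that actually produces StorageBlobLogs.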