# Version pins for this configuration. azurerm is held to the 3.95.x patch
# line, so newer 3.x/4.x argument changes (e.g. around trust_policy) do not
# reach this module without an explicit bump.
terraform {
  required_version = ">= 0.13"
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.95.0"
    }
    # Not referenced anywhere in this file; presumably used by another file
    # in the module — confirm before dropping the pin.
    null = {
      source  = "hashicorp/null"
      version = "~> 3.2.2"
    }
  }
}
# NOTE(review): an empty-features provider block configured here. If this file
# is consumed as a child module, Terraform's guidance is for the root module to
# configure providers and pass them in; removing this block would change how
# callers have to set up the module, so it is left as-is.
provider "azurerm" {
  features {}
}
locals {
  # One role assignment per (principal, role) pair. The key is derived from
  # the stable object_id rather than a list index, so adding or removing an
  # entry does not re-create the other assignments.
  roles_map = { for role in var.roles : "${role.object_id}.${role.role}" => role }

  # Log/metric categories substituted when the caller asks for "all".
  diag_contreg_logs = [
    "ContainerRegistryRepositoryEvents",
    "ContainerRegistryLoginEvents",
  ]
  diag_contreg_metrics = [
    "AllMetrics",
  ]

  # The diagnostics destination is a single ARM resource ID; its provider
  # namespace segment decides which sink it is (workspace, storage account or
  # Event Hub authorization rule). Only one of the three IDs below is non-null
  # for a given destination.
  diag_resource_list = var.diagnostics != null ? split("/", var.diagnostics.destination) : []
  # The outer null check is load-bearing: var.diagnostics.destination must not
  # be evaluated when var.diagnostics is null.
  parsed_diag = var.diagnostics != null ? {
    log_analytics_id   = contains(local.diag_resource_list, "Microsoft.OperationalInsights") ? var.diagnostics.destination : null
    storage_account_id = contains(local.diag_resource_list, "Microsoft.Storage") ? var.diagnostics.destination : null
    event_hub_auth_id  = contains(local.diag_resource_list, "Microsoft.EventHub") ? var.diagnostics.destination : null
    # "all" is expanded here, so downstream lists never contain the literal "all".
    metric = contains(var.diagnostics.metrics, "all") ? local.diag_contreg_metrics : var.diagnostics.metrics
    log    = contains(var.diagnostics.logs, "all") ? local.diag_contreg_logs : var.diagnostics.logs
    } : {
    log_analytics_id   = null
    storage_account_id = null
    event_hub_auth_id  = null
    metric             = []
    log                = []
  }
}
# Identity of the principal running Terraform. Not referenced in this file;
# presumably consumed by outputs or another file in the module — verify.
data "azurerm_client_config" "current" {}
# Resource group that owns the registry; name, location and tags come
# straight from the caller.
resource "azurerm_resource_group" "acr" {
  tags     = var.tags
  location = var.location
  name     = var.resource_group_name
}
# The container registry itself.
#
# Security posture as written:
#   - admin_enabled is pinned to false, so the shared admin username/password
#     is never issued; access goes through the Entra ID role assignments in
#     azurerm_role_assignment.roles instead.
#   - Content trust (image signing) is only supported on the Premium SKU, so
#     the policy is switched on only when both the flag and the SKU agree.
#   - Network exposure is not configured in this block; the registry keeps the
#     provider defaults (public_network_access_enabled / network_rule_set are
#     not set here), so a caller wanting a private registry must handle that
#     outside this file.
#   - The name is derived by stripping non-alphanumerics and lowercasing, but
#     ACR's 5–50 character limit is not enforced here; an over-long var.name
#     fails at plan/apply time rather than at validation.
resource "azurerm_container_registry" "acr" {
  tags                = var.tags
  admin_enabled       = false
  sku                 = var.sku
  location            = azurerm_resource_group.acr.location
  resource_group_name = azurerm_resource_group.acr.name
  name                = format("%sregistry", lower(replace(var.name, "/[[:^alnum:]]/", "")))

  trust_policy {
    enabled = var.sku == "Premium" && var.content_trust
  }

  # Zero georeplication blocks when the caller passes null or an empty list.
  dynamic "georeplications" {
    for_each = var.georeplications == null ? [] : var.georeplications
    content {
      tags                      = georeplications.value.tags
      regional_endpoint_enabled = georeplications.value.regional_endpoint_enabled
      zone_redundancy_enabled   = georeplications.value.zone_redundancy_enabled
      location                  = georeplications.value.location
    }
  }
}
# Data-plane access to the registry: one RBAC assignment per entry in
# var.roles, scoped to the registry resource only (not the resource group or
# subscription). The role name is whatever the caller supplies, so least
# privilege (e.g. a pull-only role for consumers) is the caller's choice.
resource "azurerm_role_assignment" "roles" {
  for_each = local.roles_map

  principal_id         = each.value.object_id
  role_definition_name = each.value.role
  scope                = azurerm_container_registry.acr.id
}
# Categories the platform actually offers for this registry; read
# unconditionally (even when var.diagnostics is null) since it only depends on
# the registry ID.
data "azurerm_monitor_diagnostic_categories" "default" {
  resource_id = azurerm_container_registry.acr.id
}
# Ships registry audit logs (repository and login events) and metrics to the
# single destination parsed in local.parsed_diag. Created only when the
# caller supplies var.diagnostics.
#
# NOTE(review): the resource label "namespace" looks inherited from another
# module; renaming it would move the resource in state, so it is kept.
resource "azurerm_monitor_diagnostic_setting" "namespace" {
  count = var.diagnostics == null ? 0 : 1

  storage_account_id             = local.parsed_diag.storage_account_id
  log_analytics_workspace_id     = local.parsed_diag.log_analytics_id
  eventhub_authorization_rule_id = local.parsed_diag.event_hub_auth_id
  # The hub name is only meaningful when the destination is an Event Hub rule.
  eventhub_name      = local.parsed_diag.event_hub_auth_id == null ? null : var.diagnostics.eventhub_name
  target_resource_id = azurerm_container_registry.acr.id
  name               = "${var.name}-registry-diag"

  # Intersect the platform's category list with what the caller selected.
  # local.parsed_diag.log never holds the literal "all" (the locals expand
  # it), so the second test is a no-op kept for parity with the original.
  dynamic "enabled_log" {
    for_each = {
      for category_key, category in data.azurerm_monitor_diagnostic_categories.default.log_category_types :
      category_key => category
      if contains(local.parsed_diag.log, category) || contains(local.parsed_diag.log, "all")
    }
    content {
      category = enabled_log.value
    }
  }

  # Every platform metric category is declared; only the selected ones are
  # enabled.
  dynamic "metric" {
    for_each = data.azurerm_monitor_diagnostic_categories.default.metrics
    content {
      enabled  = contains(local.parsed_diag.metric, metric.value)
      category = metric.value
    }
  }
}