Revert "Support & enable audit logging for Key Vault and AKS for dev …

…& cspr e…" This reverts commit f62915b.
Azure · Feb 27, 2025 · e5a8d3d · e5a8d3d
1 parent 7cf92f7
commit e5a8d3d
Show file tree

Hide file tree

Showing 27 changed files with 1 addition and 252 deletions.
diff --git a/config/config.msft.yaml b/config/config.msft.yaml
@@ -203,7 +203,6 @@ defaults:
 
   # Logs
   logs:
-    enableLogAnalytics: false
     namespace: logs
     msiName: logs-mdsd
     serviceAccountName: genevabit-aggregator

diff --git a/config/config.schema.json b/config/config.schema.json
@@ -820,9 +820,6 @@
     "logs": {
       "type": "object",
       "properties": {
-        "enableLogAnalytics": {
-          "type": "boolean"
-        },
         "namespace": {
           "type": "string"
         },
@@ -835,7 +832,6 @@
       },
       "additionalProperties": false,
       "required": [
-        "enableLogAnalytics",
         "namespace",
         "msiName",
         "serviceAccountName"
@@ -999,4 +995,4 @@
     "svcAcrName",
     "svcAcrZoneRedundantMode"
   ]
-}
+}
diff --git a/config/config.yaml b/config/config.yaml
@@ -22,9 +22,6 @@ defaults:
     namespace: hypershift
     additionalInstallArg: '--tech-preview-no-upgrade'
 
-  logs:
-    enableLogAnalytics: false
-
   # SVC cluster specifics
   svc:
     subscription: ARO Hosted Control Planes (EA Subscription 1)
@@ -327,8 +324,6 @@ clouds:
       dev:
         # this is the integrated DEV environment
         defaults:
-          logs:
-            enableLogAnalytics: true
           mgmt:
             aks:
               systemAgentPool:
@@ -358,8 +353,6 @@ clouds:
       cs-pr:
         # this is the cluster service PR check and full cycle test environment
         defaults:
-          logs:
-            enableLogAnalytics: true
           svc:
             aks:
               # MC AKS nodepools

diff --git a/config/public-cloud-cs-pr.json b/config/public-cloud-cs-pr.json
@@ -142,7 +142,6 @@
   },
   "kvCertOfficerPrincipalId": "c9b1819d-bb29-4ac2-9abe-39e4fe9b59eb",
   "logs": {
-    "enableLogAnalytics": true,
     "msiName": "logs-mdsd",
     "namespace": "logs",
     "serviceAccountName": "genevabit-aggregator"

diff --git a/config/public-cloud-dev.json b/config/public-cloud-dev.json
@@ -142,7 +142,6 @@
   },
   "kvCertOfficerPrincipalId": "c9b1819d-bb29-4ac2-9abe-39e4fe9b59eb",
   "logs": {
-    "enableLogAnalytics": true,
     "msiName": "logs-mdsd",
     "namespace": "logs",
     "serviceAccountName": "genevabit-aggregator"

diff --git a/config/public-cloud-msft-int.json b/config/public-cloud-msft-int.json
@@ -142,7 +142,6 @@
   },
   "kvCertOfficerPrincipalId": "32af88de-a61c-4f71-b709-50538598c4f2",
   "logs": {
-    "enableLogAnalytics": false,
     "msiName": "logs-mdsd",
     "namespace": "logs",
     "serviceAccountName": "genevabit-aggregator"

diff --git a/config/public-cloud-personal-dev.json b/config/public-cloud-personal-dev.json
@@ -142,7 +142,6 @@
   },
   "kvCertOfficerPrincipalId": "c9b1819d-bb29-4ac2-9abe-39e4fe9b59eb",
   "logs": {
-    "enableLogAnalytics": false,
     "msiName": "logs-mdsd",
     "namespace": "logs",
     "serviceAccountName": "genevabit-aggregator"

diff --git a/dev-infrastructure/configurations/global-infra.tmpl.bicepparam b/dev-infrastructure/configurations/global-infra.tmpl.bicepparam
@@ -9,5 +9,3 @@ param safeDnsIntAppObjectId = '{{ .global.safeDnsIntAppObjectId }}'
 param grafanaName = '{{ .monitoring.grafanaName }}'
 param grafanaAdminGroupPrincipalId = '{{ .monitoring.grafanaAdminGroupPrincipalId }}'
 param grafanaZoneRedundantMode = '{{ .monitoring.grafanaZoneRedundantMode }}'
-
-param enableLogAnalytics = {{ .logs.enableLogAnalytics }}
diff --git a/dev-infrastructure/configurations/mgmt-cluster.tmpl.bicepparam b/dev-infrastructure/configurations/mgmt-cluster.tmpl.bicepparam
@@ -51,6 +51,3 @@ param azureMonitoringWorkspaceId = '__azureMonitoringWorkspaceId__'
 param logsNamespace = '{{ .logs.namespace }}'
 param logsMSI = '{{ .logs.msiName }}'
 param logsServiceAccount = '{{ .logs.serviceAccountName }}'
-
-// Log Analytics Workspace ID will be passed from global pipeline if enabled in config
-param logAnalyticsWorkspaceId = '__logAnalyticsWorkspaceId__'
diff --git a/dev-infrastructure/configurations/mgmt-infra.tmpl.bicepparam b/dev-infrastructure/configurations/mgmt-infra.tmpl.bicepparam
@@ -24,6 +24,3 @@ param aroDevopsMsiId = '{{ .aroDevopsMsiId }}'
 // Cluster Service identity
 // used for Key Vault access
 param clusterServiceMIResourceId = '__clusterServiceMIResourceId__'
-
-// Log Analytics Workspace ID will be passed from global pipeline if enabled in config
-param logAnalyticsWorkspaceId = '__logAnalyticsWorkspaceId__'
diff --git a/dev-infrastructure/configurations/output-global.tmpl.bicepparam b/dev-infrastructure/configurations/output-global.tmpl.bicepparam
@@ -5,4 +5,3 @@ param ocpAcrName = '{{ .ocpAcrName }}'
 param cxParentZoneName = '{{ .dns.cxParentZoneName }}'
 param svcParentZoneName = '{{ .dns.svcParentZoneName }}'
 param grafanaName = '{{ .monitoring.grafanaName }}'
-param enableLogAnalytics = {{ .logs.enableLogAnalytics }}
diff --git a/dev-infrastructure/configurations/region.tmpl.bicepparam b/dev-infrastructure/configurations/region.tmpl.bicepparam
@@ -21,6 +21,3 @@ param maestroCertificateIssuer = '{{ .maestro.certIssuer }}'
 
 // MI for resource access during pipeline runs
 param aroDevopsMsiId = '{{ .aroDevopsMsiId }}'
-
-// Log Analytics Workspace ID will be passed from region pipeline if enabled in config
-param logAnalyticsWorkspaceId = '__logAnalyticsWorkspaceId__'
diff --git a/dev-infrastructure/configurations/svc-cluster.tmpl.bicepparam b/dev-infrastructure/configurations/svc-cluster.tmpl.bicepparam
@@ -81,6 +81,3 @@ param azureMonitoringWorkspaceId = '__azureMonitoringWorkspaceId__'
 param logsNamespace = '{{ .logs.namespace }}'
 param logsMSI = '{{ .logs.msiName }}'
 param logsServiceAccount = '{{ .logs.serviceAccountName }}'
-
-// Log Analytics Workspace ID will be passed from global pipeline if enabled in config
-param logAnalyticsWorkspaceId = '__logAnalyticsWorkspaceId__'
diff --git a/dev-infrastructure/configurations/svc-infra.tmpl.bicepparam b/dev-infrastructure/configurations/svc-infra.tmpl.bicepparam
@@ -11,6 +11,3 @@ param aroDevopsMsiId = '{{ .aroDevopsMsiId }}'
 
 // SP for KV certificate issuer registration
 param kvCertOfficerPrincipalId = '{{ .kvCertOfficerPrincipalId }}'
-
-// Log Analytics Workspace ID will be passed from global pipeline if enabled in config
-param logAnalyticsWorkspaceId = '__logAnalyticsWorkspaceId__'
diff --git a/dev-infrastructure/mgmt-pipeline.yaml b/dev-infrastructure/mgmt-pipeline.yaml
@@ -42,12 +42,7 @@ resourceGroups:
       input:
         step: svc-output
         name: cs
-    - name: logAnalyticsWorkspaceId
-      input:
-        step: global-output
-        name: logAnalyticsWorkspaceId
     dependsOn:
-    - global-output
     - svc-output
   # Configure certificate issuers for the MC KVs
   - name: cx-oncert-public-kv-issuer
@@ -103,10 +98,6 @@ resourceGroups:
       input:
         step: region-output
         name: maestroEventGridNamespaceId
-    - name: logAnalyticsWorkspaceId
-      input:
-        step: global-output
-        name: logAnalyticsWorkspaceId
     dependsOn:
     - cx-oncert-public-kv-issuer
     - mgmt-oncert-private-kv-issuer

diff --git a/dev-infrastructure/modules/aks-cluster-base.bicep b/dev-infrastructure/modules/aks-cluster-base.bicep
@@ -62,8 +62,6 @@ var istioIngressGatewayIPAddressIPTagsArray = [
 @maxLength(24)
 param aksKeyVaultName string
 
-param logAnalyticsWorkspaceId string = ''
-
 // Local Params
 @description('Optional DNS prefix to use with hosted Kubernetes API server FQDN.')
 param dnsPrefix string = aksClusterName
@@ -462,82 +460,6 @@ resource aksCluster 'Microsoft.ContainerService/managedClusters@2024-04-02-previ
   ]
 }
 
-resource aksDiagnosticSettings 'Microsoft.Insights/diagnosticSettings@2017-05-01-preview' = if (logAnalyticsWorkspaceId != '') {
-  scope: aksCluster
-  name: aksClusterName
-  properties: {
-    logs: [
-      {
-        category: 'kube-audit'
-        enabled: true
-      }
-      {
-        category: 'kube-audit-admin'
-        enabled: true
-      }
-    ]
-    workspaceId: logAnalyticsWorkspaceId
-  }
-}
-
-resource aksClusterDcr 'Microsoft.Insights/dataCollectionRules@2023-03-11' = if (logAnalyticsWorkspaceId != '') {
-  name: '${aksClusterName}-dcr'
-  location: location
-  kind: 'Linux'
-  properties: {
-    dataSources: {
-      extensions: [
-        {
-          name: 'ContainerInsightsExtension'
-          streams: [
-            'Microsoft-ContainerLog'
-            'Microsoft-ContainerLogV2'
-            'Microsoft-KubeEvents'
-            'Microsoft-KubePodInventory'
-          ]
-          extensionSettings: {
-            dataCollectionSettings: {
-              interval: '1m'
-              namespaceFilteringMode: 'Off'
-              enableContainerLogV2: true
-            }
-          }
-          extensionName: 'ContainerInsights'
-        }
-      ]
-    }
-    destinations: {
-      logAnalytics: [
-        {
-          name: 'ContainerInsightsWorkspace'
-          workspaceResourceId: logAnalyticsWorkspaceId
-        }
-      ]
-    }
-    dataFlows: [
-      {
-        destinations: [
-          'ContainerInsightsWorkspace'
-        ]
-        streams: [
-          'Microsoft-ContainerLog'
-          'Microsoft-ContainerLogV2'
-          'Microsoft-KubeEvents'
-        ]
-      }
-    ]
-  }
-}
-
-resource aksClusterDcra 'Microsoft.Insights/dataCollectionRuleAssociations@2023-03-11' = if (logAnalyticsWorkspaceId != '') {
-  name: '${aksClusterName}-dcra'
-  scope: aksCluster
-  properties: {
-    description: 'Association of data collection rule. Deleting this association will break the data collection for this AKS Cluster.'
-    dataCollectionRuleId: aksClusterDcr.id
-  }
-}
-
 resource userAgentPools 'Microsoft.ContainerService/managedClusters/agentPools@2024-04-02-preview' = [
   for i in range(0, userAgentPoolAZCount): {
     parent: aksCluster

diff --git a/dev-infrastructure/modules/keyvault/keyvault.bicep b/dev-infrastructure/modules/keyvault/keyvault.bicep
@@ -13,9 +13,6 @@ param private bool
 @description('Purpose of the keyvault.')
 param purpose string
 
-@description('Log Analytics Workspace ID if logging to Log Analytics')
-param logAnalyticsWorkspaceId string = ''
-
 resource keyVault 'Microsoft.KeyVault/vaults@2024-04-01-preview' = {
   location: location
   name: keyVaultName
@@ -38,24 +35,6 @@ resource keyVault 'Microsoft.KeyVault/vaults@2024-04-01-preview' = {
   }
 }
 
-resource keyVaultDiagnosticSettings 'Microsoft.Insights/diagnosticSettings@2017-05-01-preview' = if (logAnalyticsWorkspaceId != '') {
-  scope: keyVault
-  name: keyVaultName
-  properties: {
-    logs: [
-      {
-        category: 'AuditEvent'
-        enabled: true
-      }
-      {
-        category: 'AzurePolicyEvaluationDetails'
-        enabled: true
-      }
-    ]
-    workspaceId: logAnalyticsWorkspaceId
-  }
-}
-
 output kvId string = keyVault.id
 
 output kvName string = keyVault.name

diff --git a/dev-infrastructure/modules/maestro/maestro-infra.bicep b/dev-infrastructure/modules/maestro/maestro-infra.bicep
@@ -24,9 +24,6 @@ param maxClientSessionsPerAuthName int
 ])
 param publicNetworkAccess string
 
-@description('Log Analytics Workspace ID if logging to Log Analytics')
-param logAnalyticsWorkspaceId string = ''
-
 param certificateIssuer string
 
 //
@@ -56,44 +53,6 @@ resource eventGridNamespace 'Microsoft.EventGrid/namespaces@2024-12-15-preview'
   }
 }
 
-resource eventGridNamespaceDiagnostics 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (logAnalyticsWorkspaceId != '') {
-  scope: eventGridNamespace
-  name: eventGridNamespaceName
-  properties: {
-    logs: [
-      {
-        category: 'SuccessfulMqttConnections'
-        enabled: true
-      }
-      {
-        category: 'FailedMqttConnections'
-        enabled: true
-      }
-      {
-        category: 'MqttDisconnections'
-        enabled: true
-      }
-      {
-        category: 'FailedMqttPublishedMessages'
-        enabled: true
-      }
-      {
-        category: 'FailedMqttSubscriptionOperations'
-        enabled: true
-      }
-      {
-        category: 'SuccessfulHttpDataPlaneOperations'
-        enabled: true
-      }
-      {
-        category: 'FailedHttpDataPlaneOperations'
-        enabled: true
-      }
-    ]
-    workspaceId: logAnalyticsWorkspaceId
-  }
-}
-
 // find a better way to register the OneCert
 resource certificateSignerCA 'Microsoft.EventGrid/namespaces/caCertificates@2024-12-15-preview' = if (startsWith(
   certificateIssuer,

diff --git a/dev-infrastructure/region-pipeline.yaml b/dev-infrastructure/region-pipeline.yaml
@@ -45,10 +45,6 @@ resourceGroups:
         input:
           step: global-output
           name: svcParentZoneResourceId
-      - name: logAnalyticsWorkspaceId
-        input:
-          step: global-output
-          name: logAnalyticsWorkspaceId
     dependsOn:
     - global-output
   - name: metrics-infra

diff --git a/dev-infrastructure/svc-pipeline.yaml b/dev-infrastructure/svc-pipeline.yaml
@@ -41,13 +41,6 @@ resourceGroups:
     template: templates/svc-infra.bicep
     parameters: configurations/svc-infra.tmpl.bicepparam
     deploymentLevel: ResourceGroup
-    variables:
-    - name: logAnalyticsWorkspaceId
-      input:
-        step: global-output
-        name: logAnalyticsWorkspaceId
-    dependsOn:
-    - global-output
   # Configure certificate issuers for the SVC KV
   - name: svc-oncert-private-kv-issuer
     action: SetCertificateIssuer
@@ -88,10 +81,6 @@ resourceGroups:
       input:
         step: region-output
         name: azureMonitoringWorkspaceId
-    - name: logAnalyticsWorkspaceId
-      input:
-        step: global-output
-        name: logAnalyticsWorkspaceId
     dependsOn:
     - svc-oncert-private-kv-issuer
     - svc-oncert-public-kv-issuer