From da0aa8f974742c146207e64db817bbb6e732dff2 Mon Sep 17 00:00:00 2001
From: Are Almaas
Date: Tue, 19 Nov 2024 14:29:09 +0100
Subject: [PATCH] feat(azure): create azure monitor workspace (#1485)

## Description
Adds an azure monitor workspace which will enable us to send metrics to Prometheus

## Related Issue(s)
- #1462

## Verification
- [ ] **Your** code builds clean without any errors or warnings
- [ ] Manual testing done (required)
- [ ] Relevant automated test added (if you find this hard, leave it and we'll help out)

## Documentation
- [ ] Documentation is updated (either in `docs`-directory, Altinnpedia or a separate linked PR in [altinn-studio-docs.](https://github.com/Altinn/altinn-studio-docs), if applicable)

## Summary by CodeRabbit
- **New Features**
  - Introduced a monitoring workspace module for enhanced resource monitoring capabilities.
  - Added a dedicated network security group and subnet for monitoring purposes.
- **Bug Fixes**
  - Improved network configuration without affecting existing setups for other components.
- **Documentation**
  - Updated output sections to include new identifiers for monitoring resources.

---------

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
---
 .azure/infrastructure/main.bicep | 12 ++++
 .azure/modules/monitor-workspace/main.bicep | 75 +++++++++++++++++++++
 .azure/modules/vnet/main.bicep | 54 +++++++++++++++
 3 files changed, 141 insertions(+)
 create mode 100644 .azure/modules/monitor-workspace/main.bicep

diff --git a/.azure/infrastructure/main.bicep b/.azure/infrastructure/main.bicep
index 6390fd78a..06d7b9230 100644
--- a/.azure/infrastructure/main.bicep
+++ b/.azure/infrastructure/main.bicep
@@ -125,6 +125,18 @@ module appInsights '../modules/applicationInsights/create.bicep' = {
   }
 }
 
+module monitorWorkspace '../modules/monitor-workspace/main.bicep' = {
+  scope: resourceGroup
+  name: 'monitorWorkspace'
+  params: {
+    namePrefix: namePrefix
+    location: location
+    subnetId: vnet.outputs.monitorSubnetId
+    vnetId: vnet.outputs.virtualNetworkId
+    tags: tags
+  }
+}
+
 module apimAvailabilityTest '../modules/applicationInsights/availabilityTest.bicep' = {
   scope: resourceGroup
   name: 'apimAvailabilityTest'
diff --git a/.azure/modules/monitor-workspace/main.bicep b/.azure/modules/monitor-workspace/main.bicep
new file mode 100644
index 000000000..b042a1f89
--- /dev/null
+++ b/.azure/modules/monitor-workspace/main.bicep
@@ -0,0 +1,75 @@
+@description('The prefix used for naming resources to ensure unique names')
+param namePrefix string
+
+@description('The location where the resources will be deployed')
+param location string
+
+@description('The ID of the subnet for the Private Link')
+param subnetId string
+
+@description('Tags to apply to resources')
+param tags object
+
+@description('The ID of the virtual network for the private DNS zone')
+param vnetId string
+
+resource monitorWorkspace 'Microsoft.Monitor/accounts@2023-04-03' = {
+  name: '${namePrefix}-monitor'
+  location: location
+  properties: {
+    publicNetworkAccess: 'Disabled'
+  }
+  tags: tags
+}
+
+// private endpoint name max characters is 80
+var monitorPrivateEndpointName = '${namePrefix}-monitor-pe'
+
+resource monitorPrivateEndpoint 'Microsoft.Network/privateEndpoints@2024-03-01' = {
+  name: monitorPrivateEndpointName
+  location: location
+  properties: {
+    privateLinkServiceConnections: [
+      {
+        name: monitorPrivateEndpointName
+        properties: {
+          privateLinkServiceId: monitorWorkspace.id
+          groupIds: [
+            'prometheusMetrics'
+          ]
+        }
+      }
+    ]
+    customNetworkInterfaceName: '${namePrefix}-monitor-pe-nic'
+    subnet: {
+      id: subnetId
+    }
+  }
+  tags: tags
+}
+
+module privateDnsZone '../privateDnsZone/main.bicep' = {
+  name: '${namePrefix}-monitor-pdz'
+  params: {
+    namePrefix: namePrefix
+    defaultDomain: 'privatelink.${location}.prometheus.monitor.azure.com'
+    vnetId: vnetId
+    tags: tags
+  }
+}
+
+module privateDnsZoneGroup '../privateDnsZoneGroup/main.bicep' = {
+  name: '${namePrefix}-monitor-privateDnsZoneGroup'
+  dependsOn: [
+    privateDnsZone
+  ]
+  params: {
+    name: 'default'
+    dnsZoneGroupName: 'privatelink-${location}-prometheus-monitor-azure-com'
+    dnsZoneId: privateDnsZone.outputs.id
+    privateEndpointName: monitorPrivateEndpoint.name
+  }
+}
+
+output monitorWorkspaceId string = monitorWorkspace.id
+output monitorWorkspaceName string = monitorWorkspace.name
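Review bot: With `publicNetworkAccess: 'Disabled'` on `monitorWorkspace`, the only private path this module creates is the private endpoint with group `prometheusMetrics`, which as far as I recall serves the workspace's query side; ingestion of Prometheus metrics — the stated goal of the PR — goes through a data collection endpoint that is not created here and would need its own private-link configuration, so this should be confirmed against a real scrape before relying on it. Until that is settled, a comment on the resource would prevent a wrong assumption, e.g. `// query traffic uses the private endpoint below; the ingestion path (data collection endpoint) is configured separately`. Separately, `location` is interpolated into both `defaultDomain` and `dnsZoneGroupName`, so the private DNS zone name is only correct when `location` is the region short name (e.g. `norwayeast`, not a display name) — the `@description` on `location` should say so. The `dependsOn: [ privateDnsZone ]` on `privateDnsZoneGroup` is redundant, since `dnsZoneId: privateDnsZone.outputs.id` already establishes that dependency.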
diff --git a/.azure/modules/vnet/main.bicep b/.azure/modules/vnet/main.bicep
index 2fdabf5df..a4e75fbed 100644
--- a/.azure/modules/vnet/main.bicep
+++ b/.azure/modules/vnet/main.bicep
@@ -263,6 +263,44 @@ resource serviceBusNSG 'Microsoft.Network/networkSecurityGroups@2024-03-01' = {
   tags: tags
 }
 
+resource monitorNSG 'Microsoft.Network/networkSecurityGroups@2024-03-01' = {
+  name: '${namePrefix}-monitor-nsg'
+  location: location
+  properties: {
+    securityRules: [
+      {
+        name: 'AllowAzureMonitorInbound'
+        type: 'Microsoft.Network/networkSecurityGroups/securityRules'
+        properties: {
+          protocol: 'Tcp'
+          sourcePortRange: '*'
+          destinationPortRanges: ['443']
+          sourceAddressPrefix: 'AzureMonitor'
+          destinationAddressPrefix: '*'
+          access: 'Allow'
+          priority: 120
+          direction: 'Inbound'
+        }
+      }
+      {
+        name: 'AllowAzureMonitorOutbound'
+        type: 'Microsoft.Network/networkSecurityGroups/securityRules'
+        properties: {
+          protocol: 'Tcp'
+          sourcePortRange: '*'
+          destinationPortRanges: ['443']
+          sourceAddressPrefix: '*'
+          destinationAddressPrefix: 'AzureMonitor'
+          access: 'Allow'
+          priority: 120
+          direction: 'Outbound'
+        }
+      }
+    ]
+  }
+  tags: tags
+}
+
 resource virtualNetwork 'Microsoft.Network/virtualNetworks@2024-03-01' = {
   name: '${namePrefix}-vnet'
   location: location
@@ -334,6 +372,17 @@ resource virtualNetwork 'Microsoft.Network/virtualNetworks@2024-03-01' = {
           }
         }
       }
+      {
+        name: 'monitorSubnet'
+        properties: {
+          addressPrefix: '10.0.6.0/24'
+          networkSecurityGroup: {
+            id: monitorNSG.id
+          }
+          privateEndpointNetworkPolicies: 'Disabled'
+          privateLinkServiceNetworkPolicies: 'Enabled'
+        }
+      }
     ]
   }
   tags: tags
@@ -362,3 +411,8 @@ output redisSubnetId string = resourceId(
   virtualNetwork.name,
   'redisSubnet'
 )
+output monitorSubnetId string = resourceId(
+  'Microsoft.Network/virtualNetworks/subnets',
+  virtualNetwork.name,
+  'monitorSubnet'
+)
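Review bot: The two `monitorNSG` rules are effectively not enforced for the subnet's intended occupant, because the `monitorSubnet` hunk below sets `privateEndpointNetworkPolicies: 'Disabled'`, which turns off NSG evaluation for private-endpoint traffic; the inbound rule from the `AzureMonitor` service tag to `*` on 443 also describes no flow a private endpoint would receive, so it only widens the allow-set on paper. If the NSG is meant to matter, set `privateEndpointNetworkPolicies: 'Enabled'` (or `'NetworkSecurityGroupEnabled'`) on the subnet and drop `AllowAzureMonitorInbound`; if it is attached only to match the other `*NSG` resources in this file, say so above the resource, e.g. `// Attached for consistency with the other subnets; enforcement depends on privateEndpointNetworkPolicies on monitorSubnet`. Both rules share `priority: 120`, which is valid because they differ in `direction`, but a one-line comment would save the next reader a check. Also confirm `10.0.6.0/24` does not overlap an existing subnet — the other subnet definitions lie outside this hunk.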