
feat(azure): create azure monitor workspace #1485

Merged
merged 5 commits into from
Nov 19, 2024

Conversation

arealmaas
Collaborator

@arealmaas arealmaas commented Nov 18, 2024

Description

Adds an Azure Monitor workspace, which will enable us to send metrics to Prometheus.

Related Issue(s)

Verification

  • Your code builds clean without any errors or warnings
  • Manual testing done (required)
  • Relevant automated test added (if you find this hard, leave it and we'll help out)

Documentation

  • Documentation is updated (either in docs-directory, Altinnpedia or a separate linked PR in altinn-studio-docs., if applicable)

Summary by CodeRabbit

  • New Features
    • Introduced a monitoring workspace module for enhanced resource monitoring capabilities.
    • Added a dedicated network security group and subnet for monitoring purposes.
  • Bug Fixes
    • Improved network configuration without affecting existing setups for other components.
  • Documentation
    • Updated output sections to include new identifiers for monitoring resources.

@arealmaas arealmaas requested review from a team as code owners November 18, 2024 15:40
Contributor

coderabbitai bot commented Nov 18, 2024

📝 Walkthrough

Walkthrough

This pull request introduces a new module for monitoring workspace resources in Azure using Bicep. It adds a monitorWorkspace module to the main Bicep file and defines a new Bicep file for deploying Azure Monitor resources, which includes parameters for customization and resources for the monitor workspace and its private endpoint. Additionally, it modifies the existing virtual network configuration to include a new subnet and network security group dedicated to monitoring.

Changes

File Path | Change Summary
.azure/infrastructure/main.bicep | Added module declaration for monitorWorkspace with parameters including namePrefix, location, subnetId, vnetId, and tags.
.azure/modules/monitor-workspace/main.bicep | Introduced parameters for namePrefix, location, subnetId, tags, and vnetId. Added resources for monitorWorkspace and monitorPrivateEndpoint, included modules for privateDnsZone and privateDnsZoneGroup, and defined outputs for monitorWorkspaceId and monitorWorkspaceName.
.azure/modules/vnet/main.bicep | Added a new network security group monitorNSG with inbound and outbound rules, created a new subnet monitorSubnet, and updated outputs to include monitorSubnetId.

Suggested reviewers

  • MagnusSandgren
  • oskogstad

Warning

Rate limit exceeded

@arealmaas has exceeded the limit for the number of commits or files that can be reviewed per hour. Please wait 13 minutes and 7 seconds before requesting another review.

📥 Commits

Reviewing files that changed from the base of the PR and between a67f747 and c6b4b50.


Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🧹 Outside diff range and nitpick comments (2)
.azure/infrastructure/main.bicep (1)

128-138: Consider documenting integration points and security configurations.

Since this monitor workspace is intended for Prometheus metrics:

  1. Integration Documentation:

    • Document how other services should be configured to send metrics
    • Include Prometheus endpoint information and scraping configuration
    • Consider adding these details to the repository's documentation
  2. Security Considerations:

    • Ensure the private endpoint is properly configured in the monitor-workspace module
    • Verify network security group rules allow necessary metric collection traffic
    • Consider documenting the network security requirements
  3. Monitoring Strategy:

    • Consider defining standard metric naming conventions
    • Plan for metric retention policies and scaling considerations
.azure/modules/vnet/main.bicep (1)

Line range hint 1-418: Consider implementing a comprehensive security review across all NSGs

I notice that all NSGs in this file have similarly permissive configurations with TODO comments about restricting ports. Consider:

  1. Implementing a security baseline for all NSGs
  2. Using service tags where applicable (e.g., 'AzureMonitor', 'AzureContainerApps')
  3. Documenting required ports and protocols for each service
  4. Setting up network watcher flow logs for monitoring

Would you like assistance in creating a security baseline template for all NSGs in this file?

🧰 Tools
🪛 checkov

[HIGH] 266-302: Ensure that RDP access is restricted from the internet

(CKV_AZURE_9)

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between bced96a and a67f747.

📒 Files selected for processing (3)
  • .azure/infrastructure/main.bicep (1 hunks)
  • .azure/modules/monitor-workspace/main.bicep (1 hunks)
  • .azure/modules/vnet/main.bicep (3 hunks)
🧰 Additional context used
🪛 checkov
.azure/modules/vnet/main.bicep

[HIGH] 266-302: Ensure that RDP access is restricted from the internet

(CKV_AZURE_9)

🔇 Additional comments (6)
.azure/infrastructure/main.bicep (1)

128-138: Verify network dependencies and consider adding module outputs.

The module integration looks good, but there are a few considerations:

  1. Ensure the referenced vnet.outputs.monitorSubnetId is properly defined in the vnet module.
  2. Consider exposing key outputs from the monitor workspace (e.g., workspace ID, ingestion endpoints) that might be needed by other resources or for documentation.

Let's verify the vnet module outputs:

✅ Verification successful

Network dependencies are properly configured

The verification confirms that:

  1. The vnet module correctly defines both required outputs:
    • monitorSubnetId is exposed through a dedicated output
    • virtualNetworkId is properly exposed
  2. The monitor subnet is properly configured with:
    • Dedicated address space: '10.0.6.0/24'
    • Associated monitor NSG
    • Required network policies for private endpoints

Additionally, the monitor-workspace module correctly utilizes these dependencies for setting up the private endpoint configuration.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Verify the vnet module outputs and monitor subnet configuration

# Check if the vnet module defines the required outputs
rg "outputs\.monitorSubnetId|outputs\.virtualNetworkId" "../modules/vnet/main.bicep"

# Look for monitor subnet and NSG configuration
rg "monitorSubnet|monitorNSG" "../modules/vnet/main.bicep"

Length of output: 277


Script:

#!/bin/bash
# Let's first find the correct path to the vnet module
fd "main.bicep" .azure/modules

# Then check the content of any vnet-related bicep files
fd "vnet.*\.bicep" .azure/modules --exec cat {}

Length of output: 514


Script:

#!/bin/bash
# Let's examine the content of the vnet module
cat .azure/modules/vnet/main.bicep

# Also check the monitor workspace module to understand the expected inputs
cat .azure/modules/monitor-workspace/main.bicep

Length of output: 13862

.azure/modules/vnet/main.bicep (2)

375-385: LGTM: Monitor subnet configuration is appropriate

The subnet configuration is correctly set up with:

  • Non-overlapping address space
  • Disabled private endpoint policies (required for private endpoints)
  • Enabled private link service policies

414-418: LGTM: Monitor subnet ID output follows established pattern

The output is correctly defined using the resourceId function and follows the same pattern as other subnet ID outputs in the file.

.azure/modules/monitor-workspace/main.bicep (3)

16-21: Confirm 'publicNetworkAccess' setting is appropriate

Setting publicNetworkAccess to 'Disabled' for monitorWorkspace enhances security by preventing public access. Ensure that this aligns with your accessibility requirements and that necessary private connectivity is established.


51-59: Validate the default domain for the private DNS zone

In the privateDnsZone module, the defaultDomain is constructed as 'privatelink.${location}.prometheus.monitor.azure.com'. Ensure that this domain is correct and matches the expected domain for the Azure Monitor Prometheus endpoint in the specified region.

Run the following script to verify the constructed domain:

#!/bin/bash
# Description: Verify that the constructed default domain is valid for the Azure Monitor Prometheus endpoint.
# The Bicep 'location' parameter is not visible to the shell, so pass the region as the first argument.
location="${1:?usage: $0 <azure-region>}"

# Output the constructed domain for manual verification.
echo "privatelink.${location}.prometheus.monitor.azure.com"

# Optional: Search for official documentation or existing configurations that match this domain pattern.

28-49: ⚠️ Potential issue

Verify 'groupIds' and private endpoint configuration

Ensure that 'prometheusMetrics' is the correct groupId for the private link service connection to monitorWorkspace. Incorrect groupIds may lead to connectivity issues.

Run the following script to confirm that 'prometheusMetrics' is a valid groupId:

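The checkov finding quoted in the review above (CKV_AZURE_9, RDP reachable from the internet) and the remark about permissive NSG rules with TODO comments are the kind of thing a small policy check can catch before a PR is opened. The following is an added example, written for this page and not code from the Altinn repository, from checkov or from CodeRabbit. It takes NSG rules in the same shape as the Bicep securityRules entries (name plus properties), flags inbound Allow rules whose source covers the whole internet and whose destination ports include TCP/3389, in the spirit of CKV_AZURE_9, and also flags any-protocol/any-port allows from the internet under a check id of my own, WIDE_OPEN. The sample rules are constructed: one permissive rule of the "restrict ports later" kind, and one tightened rule that only admits TCP/443 from the AzureMonitor service tag.

```python
from dataclasses import dataclass

# Source prefixes that mean "the whole internet" for an inbound rule.
INTERNET_SOURCES = {"*", "Internet", "0.0.0.0/0", "0.0.0.0", "any"}
RDP_PORT = 3389


@dataclass(frozen=True)
class Finding:
    rule: str
    check_id: str
    message: str


def port_range_covers(port_range, port):
    """True if an NSG port expression ('*', '443', '3000-4000') includes port."""
    if port_range == "*":
        return True
    if "-" in port_range:
        low, high = (int(p) for p in port_range.split("-", 1))
        return low <= port <= high
    return int(port_range) == port


def _dest_ports(props):
    ports = []
    if "destinationPortRange" in props:
        ports.append(str(props["destinationPortRange"]))
    ports.extend(str(p) for p in props.get("destinationPortRanges", []))
    return ports


def _sources(props):
    sources = []
    if "sourceAddressPrefix" in props:
        sources.append(props["sourceAddressPrefix"])
    sources.extend(props.get("sourceAddressPrefixes", []))
    return sources


def is_internet_exposed(props):
    """Inbound Allow rule whose source prefix covers the whole internet."""
    return (
        props.get("direction") == "Inbound"
        and props.get("access") == "Allow"
        and any(s in INTERNET_SOURCES for s in _sources(props))
    )


def check_nsg(rules):
    """Evaluate securityRules entries; return findings for internet-exposed rules."""
    findings = []
    for entry in rules:
        name, props = entry["name"], entry["properties"]
        if not is_internet_exposed(props):
            continue
        ports = _dest_ports(props)
        protocol = props.get("protocol", "*")
        # CKV_AZURE_9-style check: RDP port reachable over TCP (or any protocol) from the internet.
        if protocol in ("*", "Tcp") and any(port_range_covers(p, RDP_PORT) for p in ports):
            findings.append(Finding(name, "CKV_AZURE_9", "RDP (TCP/3389) reachable from the internet"))
        # WIDE_OPEN is a label of this example, not a checkov id.
        if protocol == "*" and "*" in ports:
            findings.append(Finding(name, "WIDE_OPEN", "all ports and protocols allowed from the internet"))
    return findings


# Constructed rules: one permissive "restrict ports later" style rule, and the
# tightened AzureMonitor rule (TCP/443 from the AzureMonitor service tag).
SAMPLE_RULES = [
    {"name": "AllowAnyInbound",
     "properties": {"protocol": "*", "sourcePortRange": "*", "destinationPortRange": "*",
                    "sourceAddressPrefix": "*", "destinationAddressPrefix": "*",
                    "access": "Allow", "priority": 100, "direction": "Inbound"}},
    {"name": "AllowAzureMonitorInbound",
     "properties": {"protocol": "Tcp", "sourcePortRange": "*", "destinationPortRange": "443",
                    "sourceAddressPrefix": "AzureMonitor", "destinationAddressPrefix": "*",
                    "access": "Allow", "priority": 120, "direction": "Inbound"}},
]

if __name__ == "__main__":
    for finding in check_nsg(SAMPLE_RULES):
        print(f"[{finding.check_id}] {finding.rule}: {finding.message}")
```

Run against the constructed rules, the permissive rule produces both findings and the AzureMonitor rule none; feeding the script the securityRules arrays of every NSG in the vnet module would give the per-NSG inventory the review asks for.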
arealmaas and others added 2 commits November 18, 2024 16:52
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
Contributor

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Outside diff range and nitpick comments (2)
.azure/modules/vnet/main.bicep (2)

266-302: Security configuration improvements for Monitor NSG

Good implementation of restricted NSG rules for Azure Monitor. The configuration follows security best practices by:

  • Limiting to TCP protocol and port 443
  • Restricting traffic to/from Azure Monitor service

Consider these additional improvements:

  1. Use different priorities for inbound and outbound rules to avoid potential conflicts
  2. Add explicit deny rules for other traffic types
 resource monitorNSG 'Microsoft.Network/networkSecurityGroups@2024-03-01' = {
   name: '${namePrefix}-monitor-nsg'
   location: location
   properties: {
     securityRules: [
       {
         name: 'AllowAzureMonitorInbound'
         // ... existing properties ...
         priority: 120
       }
       {
         name: 'AllowAzureMonitorOutbound'
         // ... existing properties ...
-        priority: 120
+        priority: 130
       }
+      {
+        name: 'DenyAllInbound'
+        type: 'Microsoft.Network/networkSecurityGroups/securityRules'
+        properties: {
+          protocol: '*'
+          sourcePortRange: '*'
+          destinationPortRange: '*'
+          sourceAddressPrefix: '*'
+          destinationAddressPrefix: '*'
+          access: 'Deny'
+          priority: 4096
+          direction: 'Inbound'
+        }
+      }
+      {
+        name: 'DenyAllOutbound'
+        type: 'Microsoft.Network/networkSecurityGroups/securityRules'
+        properties: {
+          protocol: '*'
+          sourcePortRange: '*'
+          destinationPortRange: '*'
+          sourceAddressPrefix: '*'
+          destinationAddressPrefix: '*'
+          access: 'Deny'
+          priority: 4096
+          direction: 'Outbound'
+        }
+      }
     ]
   }
 }
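Review bot: the added DenyAllOutbound rule at priority 4096 sits ahead of Azure's default AllowVnetOutBound (65000) and AllowInternetOutBound (65001) rules, so after this change the only traffic permitted to leave the subnet is the TCP/443 flow covered by AllowAzureMonitorOutbound; confirm that nothing else attached to this subnet needs outbound access (name resolution included) before adopting it. DenyAllInbound at 4096 duplicates the default DenyAllInBound rule at 65500 and is harmless but redundant. The two Deny rules sharing priority 4096 is valid, since Azure scopes priorities per direction, which also means the `priority: 120` to `priority: 130` change on the outbound rule is a readability choice rather than a conflict fix.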

Line range hint 1-418: Consider comprehensive NSG security review

While the monitor NSG follows security best practices, other NSGs in the file have TODO comments about port restrictions and use overly permissive rules. Consider:

  1. Applying similar security restrictions to other NSGs
  2. Creating a tracking issue for comprehensive NSG security review
  3. Documenting NSG security requirements

Would you like me to:

  1. Generate secured configurations for other NSGs?
  2. Create a GitHub issue to track the comprehensive NSG security review?
📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL

📥 Commits

Reviewing files that changed from the base of the PR and between a67f747 and c6b4b50.

📒 Files selected for processing (1)
  • .azure/modules/vnet/main.bicep (3 hunks)
🔇 Additional comments (2)
.azure/modules/vnet/main.bicep (2)

414-418: LGTM: Monitor subnet output follows existing patterns

The output declaration is consistent with other subnet ID outputs in the file.


375-385: LGTM: Monitor subnet configuration follows best practices

The subnet configuration is well-structured with:

  • Appropriate CIDR block allocation (10.0.6.0/24)
  • Correct private endpoint and service policies
  • Proper NSG association

Verify address space availability:

✅ Verification successful

Monitor subnet configuration is correctly allocated within the VNet address space

The monitor subnet configuration (10.0.6.0/24) is properly allocated within the VNet's address space (10.0.0.0/16) and doesn't conflict with other subnet allocations:

  • default: 10.0.0.0/24
  • postgresql: 10.0.1.0/24
  • containerAppEnv: 10.0.2.0/23
  • serviceBus: 10.0.4.0/24
  • redis: 10.0.5.0/24
  • monitor: 10.0.6.0/24
🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for potential address space conflicts
# Look for other address space allocations in the codebase
rg "addressPrefix.*10\.0\.[0-9]+\.0/[0-9]+" -A 1

Length of output: 50


Script:

#!/bin/bash
# Let's try a broader search for address prefixes in bicep files
fd -e bicep -x cat {} | grep -A 1 "addressPrefix.*10\."

Length of output: 59


Script:

#!/bin/bash
# Let's look at the entire vnet module to understand the address space allocation
cat .azure/modules/vnet/main.bicep

Length of output: 11865
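Two points in the review above lend themselves to a check that can run in CI rather than by reading the module: the per-direction priority remark on the monitor NSG rules, and the address-space verification that lists the six subnet allocations inside 10.0.0.0/16. The block below is an added example written for this page; it is not code from the Altinn repository or from CodeRabbit. The VNet range and subnet CIDRs are the values quoted in the review; the NSG rules are constructed and carry only the fields the check needs. It confirms every subnet lies inside the VNet and no two overlap, reports the next free /24 for whoever adds the next subnet, and detects priority collisions only within one direction, because Azure evaluates inbound and outbound rules separately.

```python
import ipaddress
from collections import Counter

# VNet range and subnet allocations as quoted in the review above.
VNET_SPACE = "10.0.0.0/16"
SUBNETS = {
    "default": "10.0.0.0/24",
    "postgresql": "10.0.1.0/24",
    "containerAppEnv": "10.0.2.0/23",
    "serviceBus": "10.0.4.0/24",
    "redis": "10.0.5.0/24",
    "monitor": "10.0.6.0/24",
}

# Constructed NSG rules in the shape of the Bicep securityRules entries:
# the two monitor rules share priority 120 in opposite directions.
SAMPLE_RULES = [
    {"name": "AllowAzureMonitorInbound",
     "properties": {"direction": "Inbound", "priority": 120, "access": "Allow"}},
    {"name": "AllowAzureMonitorOutbound",
     "properties": {"direction": "Outbound", "priority": 120, "access": "Allow"}},
]


def validate_subnets(vnet_space, subnets):
    """Return problems: subnets that fall outside the VNet or overlap each other."""
    vnet = ipaddress.ip_network(vnet_space)
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}
    problems = []
    for name, net in nets.items():
        if not net.subnet_of(vnet):
            problems.append(f"{name} {net} is outside {vnet}")
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    return problems


def next_free_block(vnet_space, subnets, prefixlen=24):
    """First /prefixlen block in the VNet that no existing subnet touches, or None."""
    vnet = ipaddress.ip_network(vnet_space)
    used = [ipaddress.ip_network(c) for c in subnets.values()]
    for candidate in vnet.subnets(new_prefix=prefixlen):
        if not any(candidate.overlaps(u) for u in used):
            return str(candidate)
    return None


def duplicate_priorities(rules):
    """Azure evaluates inbound and outbound rules separately, so a priority
    only collides when it repeats within one direction."""
    seen = Counter((r["properties"]["direction"], r["properties"]["priority"]) for r in rules)
    return sorted(key for key, count in seen.items() if count > 1)


if __name__ == "__main__":
    print(validate_subnets(VNET_SPACE, SUBNETS) or "subnet plan is consistent")
    print("next free /24:", next_free_block(VNET_SPACE, SUBNETS))
    print("priority collisions:", duplicate_priorities(SAMPLE_RULES))
```

With the allocations from the review the plan validates cleanly, the /23 for containerAppEnv is correctly treated as covering both 10.0.2.0 and 10.0.3.0, and the next free /24 is 10.0.7.0/24; the shared priority 120 is not reported because the rules point in different directions.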

@arealmaas arealmaas merged commit da0aa8f into main Nov 19, 2024
19 checks passed
@arealmaas arealmaas deleted the feat/azure-create-azure-monitor branch November 19, 2024 13:29
arealmaas pushed a commit that referenced this pull request Nov 19, 2024
🤖 I have created a release *beep* *boop*
---


## [1.36.0](v1.35.0...v1.36.0) (2024-11-19)

### Features

* **azure:** create azure monitor workspace ([#1485](#1485)) ([da0aa8f](da0aa8f))

### Bug Fixes

* **app:** Error details missing when user type is unknown ([#1493](#1493)) ([9fbd2cf](9fbd2cf))
* **azure:** enable public access for azure monitor ([#1496](#1496)) ([b0d5794](b0d5794))
* **azure:** ensure monitor workspace is reachable ([#1494](#1494)) ([dc7fc1f](dc7fc1f))
* **webapi:** Require base service provider scope on search endpoint ([#1476](#1476)) ([8c41f3d](8c41f3d))

---
This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).
arealmaas added a commit that referenced this pull request Nov 21, 2024
<!--- Provide a general summary of your changes in the Title above -->

## Description

<!--- Describe your changes in detail -->

Related to #1485

## Related Issue(s)

- #1463

## Verification

- [ ] **Your** code builds clean without any errors or warnings
- [ ] Manual testing done (required)
- [ ] Relevant automated test added (if you find this hard, leave it and we'll help out)

## Documentation

- [ ] Documentation is updated (either in `docs`-directory, Altinnpedia or a separate linked PR in [altinn-studio-docs.](https://github.com/Altinn/altinn-studio-docs), if applicable)


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

## Release Notes

- **New Features**
  - Introduced a new module for managing container app identities.
  - Enhanced monitoring configurations with new parameters for Application Insights and metrics ingestion.
  - Added functionality for assigning Monitoring Metrics Publisher roles to specified identities.
  - Introduced new resources for data collection endpoints and rules for improved monitoring capabilities.

- **Improvements**
  - Updated existing modules to support new identity and monitoring features, enhancing overall deployment capabilities.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->