Longw/multi tenant templates with Terraform (#1505)

* add Bicep tempalte for multitenancy

Author: wanlonghenry

scripts/onboarding/aks/multi-tenancy-terraform/README.md

@@ -0,0 +1,99 @@
+# Multi-tenancy AKS Monitoring Configuration
+
+This Terraform configuration enables multi-tenancy monitoring for an existing AKS cluster by creating and configuring:
+- Data Collection Endpoint
+- Data Collection Rule
+- Data Collection Rule Association
+
+## Prerequisites
+
+1. An existing AKS cluster
+2. Azure Log Analytics workspace
+3. [Terraform](https://www.terraform.io/downloads.html) installed (version >= 1.0.0)
+4. Azure CLI installed and logged in
+
+## Usage
+
+1. Clone this repository and navigate to this directory:
+   ```bash
+   cd scripts/onboarding/aks/multi-tenancy-terraform
+   ```
+
+2. Create a `terraform.tfvars` file with your configuration values:
+   ```hcl
+   aksResourceId         = "/subscriptions/<SubscriptionId>/resourcegroups/<ResourceGroup>/providers/Microsoft.ContainerService/managedClusters/<ClusterName>"
+   aksResourceLocation   = "<aksClusterLocation>"
+   workspaceResourceId   = "/subscriptions/<SubscriptionId>/resourceGroups/<ResourceGroup>/providers/Microsoft.OperationalInsights/workspaces/<WorkspaceName>"
+   workspaceRegion       = "<workspaceRegion>"
+   k8sNamespaces        = ["namespace1", "namespace2"]
+   resourceTagValues     = {
+     "environment" = "production"
+     "owner"       = "team-name"
+   }
+   transformKql         = "" # Optional: Add your KQL transformation query
+   ```
+
+3. Initialize Terraform:
+   ```bash
+   terraform init
+   ```
+
+4. Review the planned changes:
+   ```bash
+   terraform plan
+   ```
+
+5. Apply the configuration:
+   ```bash
+   terraform apply
+   ```
+
+## Important Notes
+
+1. This configuration only manages the monitoring components for an existing AKS cluster. It does not create or modify the AKS cluster itself.
+
+2. The following resources will be created:
+   - Data Collection Endpoint for ingestion
+   - Data Collection Rule for multi-tenancy logging
+   - Data Collection Rule Association linking the DCR to your AKS cluster
+
+3. Terraform state will only track the monitoring components, not the existing AKS cluster.
+
+## Variables
+
+| Variable | Description | Required |
+|----------|-------------|----------|
+| aksResourceId | Full resource ID of the existing AKS cluster | Yes |
+| aksResourceLocation | Location of the AKS resource (e.g., "eastus") | Yes |
+| workspaceResourceId | Full resource ID of the Log Analytics workspace | Yes |
+| workspaceRegion | Region of the Log Analytics workspace | Yes |
+| k8sNamespaces | Array of Kubernetes namespaces to monitor | Yes |
+| resourceTagValues | Map of tags to apply to created resources | No |
+| transformKql | KQL transformation query for log ingestion | No |
+
+## Example terraform.tfvars
+
+```hcl
+aksResourceId = "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/my-rg/providers/Microsoft.ContainerService/managedClusters/my-aks"
+aksResourceLocation = "eastus"
+workspaceResourceId = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-rg/providers/Microsoft.OperationalInsights/workspaces/my-workspace"
+workspaceRegion = "eastus"
+k8sNamespaces = [
+  "default",
+  "kube-system"
+]
+resourceTagValues = {
+  "environment" = "production"
+  "managed-by" = "terraform"
+}
+transformKql = ""
+```
+
+## Cleanup
+
+To remove the monitoring configuration:
+```bash
+terraform destroy
+```
+
+This will remove all monitoring components but will not affect the AKS cluster itself.

scripts/onboarding/aks/multi-tenancy-terraform/main.tf

@@ -0,0 +1,76 @@
+# Data source for existing AKS cluster
+data "azurerm_kubernetes_cluster" "existing" {
+  name                = local.cluster_name
+  resource_group_name = local.resource_group_name
+}
+
+locals {
+  cluster_id_parts     = split("/", var.aksResourceId)
+  cluster_name         = local.cluster_id_parts[8]
+  resource_group_name  = local.cluster_id_parts[4]
+  subscription_id      = local.cluster_id_parts[2]
+  workspace_name       = split("/", var.workspaceResourceId)[8]
+  workspace_location   = replace(var.workspaceRegion, " ", "")
+  cluster_location     = replace(var.aksResourceLocation, " ", "")
+  
+  dce_name_full       = "MSCI-multi-tenancy-${local.workspace_location}-${sha1(var.workspaceResourceId)}"
+  dce_name            = length(local.dce_name_full) > 43 ? substr(local.dce_name_full, 0, 43) : local.dce_name_full
+  ingestion_dce_name  = endswith(local.dce_name, "-") ? substr(local.dce_name, 0, length(local.dce_name) - 1) : local.dce_name
+  
+  dcr_name_full       = "MSCI-multi-tenancy-${local.workspace_location}-${sha1(var.workspaceResourceId)}"
+  dcr_name            = length(local.dcr_name_full) > 64 ? substr(local.dcr_name_full, 0, 64) : local.dcr_name_full
+}
+
+# Data Collection Endpoint for ingestion
+resource "azurerm_monitor_data_collection_endpoint" "ingestion_dce" {
+  name                = local.ingestion_dce_name
+  resource_group_name = local.resource_group_name
+  location            = var.workspaceRegion
+  kind               = "Linux"
+  tags               = var.resourceTagValues
+}
+
+# Data Collection Rule
+resource "azurerm_monitor_data_collection_rule" "dcr" {
+  name                        = local.dcr_name
+  resource_group_name        = local.resource_group_name
+  location                   = var.workspaceRegion
+  tags                      = var.resourceTagValues
+  kind                      = "Linux"
+  
+  destinations {
+    log_analytics {
+      workspace_resource_id = var.workspaceResourceId
+      name                 = "ciworkspace"
+    }
+  }
+
+  data_flow {
+    streams      = ["Microsoft-ContainerLogV2-HighScale"]
+    destinations = ["ciworkspace"]
+    transform_kql = var.transformKql != "" ? var.transformKql : null
+  }
+
+  data_sources {
+    extension {
+      name            = "ContainerLogV2Extension"
+      extension_name  = "ContainerLogV2Extension"
+      streams         = ["Microsoft-ContainerLogV2-HighScale"]
+      extension_json  = jsonencode({
+        "dataCollectionSettings": {
+          "namespaces": var.k8sNamespaces
+        }
+      })
+    }
+  }
+
+  data_collection_endpoint_id = azurerm_monitor_data_collection_endpoint.ingestion_dce.id
+}
+
+# Data Collection Rule Association
+resource "azurerm_monitor_data_collection_rule_association" "dcra" {
+  name                    = "ContainerLogV2Extension-${sha1(var.workspaceResourceId)}"
+  target_resource_id      = var.aksResourceId
+  data_collection_rule_id = azurerm_monitor_data_collection_rule.dcr.id
+  description            = "Association of Logs Multi-tenancy collection rule. Deleting this association will break the Multi-tenancy logs data collection for this AKS Cluster."
+}

scripts/onboarding/aks/multi-tenancy-terraform/providers.tf

@@ -0,0 +1,13 @@
+terraform {
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = "~> 3.47"
+    }
+  }
+  required_version = ">= 1.0.0"
+}
+
+provider "azurerm" {
+  features {}
+}

scripts/onboarding/aks/multi-tenancy-terraform/terraform.tfvars

@@ -0,0 +1,16 @@
+aksResourceId = "/subscriptions/<SubscriptionId>/resourcegroups/<ResourceGroup>/providers/Microsoft.ContainerService/managedClusters/<ResourceName>"
+aksResourceLocation = "<aksClusterLocation>"
+workspaceResourceId = "/subscriptions/<SubscriptionId>/resourceGroups/<ResourceGroup>/providers/Microsoft.OperationalInsights/workspaces/<workspaceName>"
+workspaceRegion = "<workspaceRegion>"
+k8sNamespaces = [
+  "<namespace1>",
+  "<namespace2>",
+  "<namespaceN>"
+]
+resourceTagValues = {
+  "<existingOrnew-tag-name1>": "<existingOrnew-tag-value1>",
+  "<existingOrnew-tag-name2>": "<existingOrnew-tag-value2>",
+  "<existingOrnew-tag-nameN>": "<existingOrnew-tag-valueN>"
+}
+transformKql = "<KQL filter for ingestion transformation>"
+

scripts/onboarding/aks/multi-tenancy-terraform/variables.tf

@@ -0,0 +1,36 @@
+variable "aksResourceId" {
+  type        = string
+  description = "AKS Cluster Resource ID"
+}
+
+variable "aksResourceLocation" {
+  type        = string
+  description = "Location of the AKS Resource"
+}
+
+variable "workspaceRegion" {
+  type        = string
+  description = "Workspace Region for data collection rule"
+}
+
+variable "workspaceResourceId" {
+  type        = string
+  description = "Full Resource ID of the log analytics workspace that will be used for data destination"
+}
+
+variable "resourceTagValues" {
+  type        = map(string)
+  description = "Existing or new tags to use on AKS, ContainerInsights and DataCollectionRule Resources"
+  default     = {}
+}
+
+variable "k8sNamespaces" {
+  type        = list(string)
+  description = "An array of Kubernetes namespaces for Multi-tenancy logs filtering"
+}
+
+variable "transformKql" {
+  type        = string
+  description = "KQL filter for ingestion transformation"
+  default     = ""
+}