Provision AppInsights in a workspace with AzAPI provider

CHANGELOG.md

@@ -41,9 +41,10 @@ ENHANCEMENTS:
 BUG FIXES:
 * Reauth CLI if TRE endpoint has changed [#3137](https://github.com/microsoft/AzureTRE/pull/3137)
 * Added Migration for Airlock requests that were created prior to version 0.5.0 ([#3152](https://github.com/microsoft/AzureTRE/pull/3152))
-* Temporarly use the remote bundle for `check-params` target [#3149](https://github.com/microsoft/AzureTRE/pull/3149)
+* Temporarily use the remote bundle for `check-params` target [#3149](https://github.com/microsoft/AzureTRE/pull/3149)
 * Workspace module dependency to resolve _AnotherOperationInProgress_ errors [#3194](https://github.com/microsoft/AzureTRE/pull/3194)
 * Skip Certs shared service E2E on Friday & Saturday due to LetsEncrypt limits [#3203](https://github.com/microsoft/AzureTRE/pull/3203)
+* Create Workspace AppInsights via AzAPI provider due to an issue with AzureRM [#3207](https://github.com/microsoft/AzureTRE/pull/3207)
 
 COMPONENTS:
 
@@ -116,8 +117,8 @@ COMPONENTS:
 ## 0.7.0 (November 17, 2022)
 
 **BREAKING CHANGES & MIGRATIONS**:
-* The airlock request object has changed. Make sure you have ran the db migration step after deploying the new API image and UI (which runs automatically in `make all`/`make tre-deploy` but can be manually invoked with `make db-migrate`) so that existing requests in your DB are migrated to the new model.
-* Also the model for creating new airlock requests with the API has changed slightly; this is updated in the UI and CLI but if you have written custom tools ensure you are POSTing to `/requests` with the following model:
+* The airlock request object has changed. Make sure you have ran the DB migration step after deploying the new API image and UI (which runs automatically in `make all`/`make tre-deploy` but can be manually invoked with `make db-migrate`) so that existing requests in your DB are migrated to the new model.
+* Also the model for creating new airlock requests with the API has changed slightly; this is updated in the UI and CLI but if you have written custom tools ensure you POST to `/requests` with the following model:
 ```json
 {
     "type": "'import' or 'export'",
@@ -199,7 +200,7 @@ FEATURES:
 
 ENHANCEMENTS:
 * Add cran support to nexus, open port 80 for the workspace nsg and update the firewall config to allow let's encrypt CRLs ([#2694](https://github.com/microsoft/AzureTRE/pull/2694))
-* Upgrade Github Actions versions ([#2731](https://github.com/microsoft/AzureTRE/pull/2744))
+* Upgrade GitHub Actions versions ([#2731](https://github.com/microsoft/AzureTRE/pull/2744))
 * Install TRE CLI inside the devcontainer image (rather than via a post-create step) ([#2757](https://github.com/microsoft/AzureTRE/pull/2757))
 * Upgrade Terraform to 1.3.2 ([#2758](https://github.com/microsoft/AzureTRE/pull/2758))
 * `tre` CLI: added `raw` output option, improved `airlock-requests` handling, more consistent exit codes on error, added examples to CLI README.md
@@ -274,8 +275,8 @@ COMPONENTS:
 
 **BREAKING CHANGES & MIGRATIONS**:
 
-* Github Actions deployments use a single ACR instead of two. Github secrets might need updating, see PR for details. ([#2654](https://github.com/microsoft/AzureTRE/pull/2654))
-* Align Github Action secret names. Existing Github environments must be updated, see PR for details. ([#2655](https://github.com/microsoft/AzureTRE/pull/2655))
+* GitHub Actions deployments use a single ACR instead of two. GitHub secrets might need updating, see PR for details. ([#2654](https://github.com/microsoft/AzureTRE/pull/2654))
+* Align GitHub Action secret names. Existing GitHub environments must be updated, see PR for details. ([#2655](https://github.com/microsoft/AzureTRE/pull/2655))
 * Add workspace creator as an owner of the workspace enterprise application ([#2627](https://github.com/microsoft/AzureTRE/pull/2627)). **Migration** if the `AUTO_WORKSPACE_APP_REGISTRATION` is set, the `Directory.Read.All` MS Graph API permission permission needs granting to the Application Registration identified by `APPLICATION_ADMIN_CLIENT_ID`.
 * Add support for setting AppService plan SKU in GitHub Actions. Previous environment variable names of `API_APP_SERVICE_PLAN_SKU_SIZE` and `APP_SERVICE_PLAN_SKU` have been renamed to `CORE_APP_SERVICE_PLAN_SKU` and `WORKSPACE_APP_SERVICE_PLAN_SKU` ([#2684](https://github.com/microsoft/AzureTRE/pull/2684))
 * Reworked how status update messages are handled by the API, to enforce ordering and run the queue subscription in a dedicated thread. Since sessions are now enabled for the status update queue, a `tre-deploy` is required, which will re-create the queue. ([#2700](https://github.com/microsoft/AzureTRE/pull/2700))
@@ -317,7 +318,6 @@ COMPONENTS:
 | devops | 0.4.2 |
 | core | 0.4.36 |
 | porter-hello | 0.1.0 |
-| tre-workspace-base-sl-test | 0.3.19 |
 | tre-workspace-base | 0.4.0 |
 | tre-workspace-unrestricted | 0.2.0 |
 | tre-workspace-airlock-import-review | 0.4.0 |
@@ -410,7 +410,7 @@ COMPONENTS:
 
 FEATURES:
 
-* MySql workspace service ([#2476](https://github.com/microsoft/AzureTRE/pull/2476))
+* MySQL workspace service ([#2476](https://github.com/microsoft/AzureTRE/pull/2476))
 
 ENHANCEMENTS:
 

templates/workspaces/base/porter.yaml

@@ -1,7 +1,7 @@
 ---
 schemaVersion: 1.0.0
 name: tre-workspace-base
-version: 1.0.2
+version: 1.1.0
 description: "A base Azure TRE workspace"
 dockerfile: Dockerfile.tmpl
 registry: azuretre

templates/workspaces/base/terraform/azure-monitor/azure-monitor.tf

@@ -63,24 +63,53 @@ resource "azurerm_monitor_private_link_scoped_service" "ampls_log_anaytics" {
 
 # Application Insights
 
-resource "azurerm_application_insights" "workspace" {
-  name                                = "appi-${var.tre_id}-ws-${local.short_workspace_id}"
-  location                            = var.location
-  resource_group_name                 = var.resource_group_name
-  workspace_id                        = azurerm_log_analytics_workspace.workspace.id
-  application_type                    = "web"
-  internet_ingestion_enabled          = var.enable_local_debugging ? true : false
-  force_customer_storage_for_profiler = true
-  tags                                = var.tre_workspace_tags
-
-  lifecycle { ignore_changes = [tags] }
+# TODO: switch from the azapi implementation to azurerm when resolved https://github.com/microsoft/AzureTRE/issues/3200
+# resource "azurerm_application_insights" "workspace" {
+#   name                                = local.app_insights_name
+#   location                            = var.location
+#   resource_group_name                 = var.resource_group_name
+#   workspace_id                        = azurerm_log_analytics_workspace.workspace.id
+#   application_type                    = "web"
+#   internet_ingestion_enabled          = var.enable_local_debugging ? true : false
+#   force_customer_storage_for_profiler = true
+#   tags                                = var.tre_workspace_tags
+
+#   lifecycle { ignore_changes = [tags] }
+# }
+
+resource "azapi_resource" "appinsights" {
+  type      = "Microsoft.Insights/components@2020-02-02"
+  name      = local.app_insights_name
+  parent_id = var.resource_group_id
+  location  = var.location
+  tags      = var.tre_workspace_tags
+
+  body = jsonencode({
+    kind = "web"
+    properties = {
+      Application_Type                = "web"
+      Flow_Type                       = "Bluefield"
+      Request_Source                  = "rest"
+      IngestionMode                   = "LogAnalytics"
+      WorkspaceResourceId             = azurerm_log_analytics_workspace.workspace.id
+      ForceCustomerStorageForProfiler = true
+      publicNetworkAccessForIngestion = var.enable_local_debugging ? "Enabled" : "Disabled"
+    }
+  })
+
+  response_export_values = [
+    "id",
+    "properties.ConnectionString",
+  ]
 }
 
 resource "azurerm_monitor_private_link_scoped_service" "ampls_app_insights" {
   name                = "ampls-app-insights-service"
   resource_group_name = var.resource_group_name
   scope_name          = azurerm_monitor_private_link_scope.workspace.name
-  linked_resource_id  = azurerm_application_insights.workspace.id
+
+  # linked_resource_id  = azurerm_application_insights.workspace.id
+  linked_resource_id = jsondecode(azapi_resource.appinsights.output).id
 }
 
 resource "azurerm_private_endpoint" "azure_monitor_private_endpoint" {
@@ -119,10 +148,16 @@ resource "azurerm_private_endpoint" "azure_monitor_private_endpoint" {
 # We don't really need this, but if not present the RG will not be empty and won't be destroyed
 # TODO: remove when this is resolved: https://github.com/hashicorp/terraform-provider-azurerm/issues/18026
 resource "azurerm_monitor_action_group" "failure_anomalies" {
-  name                = "${azurerm_application_insights.workspace.name}-failure-anomalies-action-group"
+  name                = "${local.app_insights_name}-failure-anomalies-action-group"
   resource_group_name = var.resource_group_name
   short_name          = "Failures"
   tags                = var.tre_workspace_tags
+  depends_on = [
+    # azurerm_application_insights.workspace
+    azapi_resource.appinsights
+  ]
+
+  lifecycle { ignore_changes = [tags] }
 }
 
 # We don't really need this, but if not present the RG will not be empty and won't be destroyed
@@ -131,12 +166,17 @@ resource "azurerm_monitor_smart_detector_alert_rule" "failure_anomalies" {
   name                = "Failure Anomalies - ${local.app_insights_name}"
   resource_group_name = var.resource_group_name
   severity            = "Sev3"
-  scope_resource_ids  = [azurerm_application_insights.workspace.id]
-  frequency           = "PT1M"
-  detector_type       = "FailureAnomaliesDetector"
-  tags                = var.tre_workspace_tags
+  scope_resource_ids = [
+    # azurerm_application_insights.workspace.id
+    jsondecode(azapi_resource.appinsights.output).id
+  ]
+  frequency     = "PT1M"
+  detector_type = "FailureAnomaliesDetector"
+  tags          = var.tre_workspace_tags
 
   action_group {
     ids = [azurerm_monitor_action_group.failure_anomalies.id]
   }
+
+  lifecycle { ignore_changes = [tags] }
 }

templates/workspaces/base/terraform/azure-monitor/outputs.tf

@@ -1,5 +1,7 @@
 output "app_insights_connection_string" {
-  value = azurerm_application_insights.workspace.connection_string
+  # value = azurerm_application_insights.workspace.connection_string
+  value     = jsondecode(azapi_resource.appinsights.output).properties.ConnectionString
+  sensitive = true
 }
 
 output "log_analytics_workspace_id" {

templates/workspaces/base/terraform/azure-monitor/providers.tf

@@ -5,5 +5,10 @@ terraform {
       source  = "hashicorp/azurerm"
       version = ">= 3.8.0"
     }
+
+    azapi = {
+      source  = "Azure/azapi"
+      version = ">= 1.3.0"
+    }
   }
 }

templates/workspaces/base/terraform/azure-monitor/variables.tf

@@ -1,6 +1,7 @@
 variable "tre_id" {}
 variable "location" {}
 variable "resource_group_name" {}
+variable "resource_group_id" {}
 variable "tre_workspace_tags" {}
 variable "workspace_subnet_id" {}
 variable "azure_monitor_dns_zone_id" {}

templates/workspaces/base/terraform/providers.tf

@@ -12,6 +12,10 @@ terraform {
       source  = "hashicorp/null"
       version = "=3.2.1"
     }
+    azapi = {
+      source  = "Azure/azapi"
+      version = "=1.3.0"
+    }
   }
 
   backend "azurerm" {}
@@ -39,3 +43,6 @@ provider "azuread" {
   client_secret = var.auth_client_secret
   tenant_id     = var.auth_tenant_id
 }
+
+provider "azapi" {
+}

templates/workspaces/base/terraform/workspace.tf

@@ -69,6 +69,7 @@ module "azure_monitor" {
   tre_id                                   = var.tre_id
   location                                 = var.location
   resource_group_name                      = azurerm_resource_group.ws.name
+  resource_group_id                        = azurerm_resource_group.ws.id
   tre_resource_id                          = var.tre_resource_id
   tre_workspace_tags                       = local.tre_workspace_tags
   workspace_subnet_id                      = module.network.services_subnet_id