Create diagnostic settings module and incorporate into all modules #465

Closed
shawngib opened this issue Oct 18, 2021 · 2 comments · Fixed by #473
Labels: bicep (Related to Bicep code)

Comments

@shawngib (Member) wrote:

Is your feature request related to a problem? Please describe.
Parity between TF and Bicep deployment results, as well as the central logging requirement for compliance.

Describe the solution you'd like
Currently the Bicep deployment only sets diagnostic settings for virtual network metrics, activity logs and the central Log Analytics workspace itself. Terraform sets them for the firewall, public IP, vnet and NSG. Terraform also sends to both the LA workspace and storage accounts.

Describe alternatives you've considered
This can be done by creating policies that enable diagnostic settings and then forcing remediation against each, and it can be done out of band. As policy via remediation, it will incur latency in deployment as remediation applies changes, but it will also benefit by applying to any future resource deployments. Doing it out of band risks being immediately out of compliance with a basic requirement.

Additional context
Diagnostic settings need to be complete, either on or off, and shouldn't leave uncertain results.

shawngib added the needs triage and bicep (Related to Bicep code) labels on Oct 18, 2021

@glennmusa (Contributor) commented Oct 18, 2021:

For example, here's how the diagnostic settings for the Firewall and Firewall PIP are configured in the Terraform implementation:

```hcl
# Firewall diagnostics: three log categories plus all metrics, forwarded to
# both the storage account (30-day retention) and the Log Analytics workspace.
resource "azurerm_monitor_diagnostic_setting" "firewall-diagnostics" {
  name                       = "${azurerm_firewall.firewall.name}-fw-diagnostics"
  target_resource_id         = "/subscriptions/${var.sub_id}/resourceGroups/${var.resource_group_name}/providers/Microsoft.Network/azureFirewalls/${var.firewall_name}"
  storage_account_id         = azurerm_storage_account.loganalytics.id
  log_analytics_workspace_id = var.log_analytics_workspace_resource_id

  log {
    category = "AzureFirewallApplicationRule"
    enabled  = true

    retention_policy {
      days    = 30
      enabled = true
    }
  }

  log {
    category = "AzureFirewallNetworkRule"
    enabled  = true

    retention_policy {
      days    = 30
      enabled = true
    }
  }

  log {
    category = "AzureFirewallDnsProxy"
    enabled  = true

    retention_policy {
      days    = 30
      enabled = true
    }
  }

  # The retention policy only governs the storage account copy; metrics are
  # forwarded to both sinks but kept in storage without a retention window.
  metric {
    category = "AllMetrics"

    retention_policy {
      enabled = false
    }
  }
}

# Public IP diagnostics for the firewall's client PIP: the three DDoS log
# categories plus all metrics, sent to the same two destinations.
resource "azurerm_monitor_diagnostic_setting" "publicip-diagnostics" {
  name                       = "${azurerm_public_ip.fw_client_pip.name}-pip-diagnostics"
  target_resource_id         = azurerm_public_ip.fw_client_pip.id
  storage_account_id         = azurerm_storage_account.loganalytics.id
  log_analytics_workspace_id = var.log_analytics_workspace_resource_id

  log {
    category = "DDoSProtectionNotifications"
    enabled  = true

    retention_policy {
      days    = 30
      enabled = true
    }
  }

  log {
    category = "DDoSMitigationFlowLogs"
    enabled  = true

    retention_policy {
      days    = 30
      enabled = true
    }
  }

  log {
    category = "DDoSMitigationReports"
    enabled  = true

    retention_policy {
      days    = 30
      enabled = true
    }
  }

  metric {
    category = "AllMetrics"

    retention_policy {
      enabled = false
    }
  }
}
```

@glennmusa (Contributor) commented:

Today's Terraform implementation configures these log categories and the AllMetrics metric for these resources:

Azure Firewall

  • AzureFirewallApplicationRule
  • AzureFirewallNetworkRule
  • AzureFirewallDnsProxy
  • AllMetrics

Public IP Address

  • DDoSProtectionNotifications
  • DDoSMitigationFlowLogs
  • DDoSMitigationReports
  • AllMetrics

Network Security Group

  • NetworkSecurityGroupEvent
  • NetworkSecurityGroupRuleCounter

Virtual Network

  • AllMetrics
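A Bicep counterpart to the Terraform settings quoted above, written in the shape the issue asks for. This is an added example, not code from the Mission Landing Zone repository or from either commenter: a module scoped to a resource group that looks up the existing firewall and its public IP and attaches a diagnostic setting to each. The parameter names, the default category lists (copied from the Terraform comment) and the API versions are assumptions. Every category in a list is enabled, so a deployment either turns the whole set on or creates no setting at all, which is the all-or-nothing behaviour the issue wants.

```bicep
// Added example (not repository code): diagnosticSettings.bicep
// Assumed parameter names; category defaults mirror the Terraform implementation.
targetScope = 'resourceGroup'

@description('Name of the existing Azure Firewall in this resource group')
param firewallName string

@description('Name of the existing public IP attached to the firewall')
param firewallPublicIpName string

@description('Resource ID of the central Log Analytics workspace')
param logAnalyticsWorkspaceResourceId string

@description('Resource ID of the storage account used as the second log sink')
param logStorageAccountResourceId string

@description('Firewall log categories; defaults match the Terraform implementation')
param firewallLogCategories array = [
  'AzureFirewallApplicationRule'
  'AzureFirewallNetworkRule'
  'AzureFirewallDnsProxy'
]

@description('Public IP log categories; defaults match the Terraform implementation')
param publicIpLogCategories array = [
  'DDoSProtectionNotifications'
  'DDoSMitigationFlowLogs'
  'DDoSMitigationReports'
]

@minValue(0)
@description('Days to keep logs in the storage account sink (0 = keep forever)')
param storageRetentionDays int = 30

// Extension resources need a resource symbol as scope, so the targets are
// resolved as existing resources rather than passed in as raw resource IDs.
resource firewall 'Microsoft.Network/azureFirewalls@2021-02-01' existing = {
  name: firewallName
}

resource firewallPublicIp 'Microsoft.Network/publicIPAddresses@2021-02-01' existing = {
  name: firewallPublicIpName
}

// Retention applies only to the storage account copy; workspace retention is
// configured on the Log Analytics workspace itself.
var storageRetention = {
  days: storageRetentionDays
  enabled: true
}

// Each listed category is enabled unconditionally: no per-category toggle,
// so the setting is never left in a partially configured state.
resource firewallDiagnostics 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: '${firewall.name}-fw-diagnostics'
  scope: firewall
  properties: {
    workspaceId: logAnalyticsWorkspaceResourceId
    storageAccountId: logStorageAccountResourceId
    logs: [for category in firewallLogCategories: {
      category: category
      enabled: true
      retentionPolicy: storageRetention
    }]
    metrics: [
      {
        category: 'AllMetrics'
        enabled: true
      }
    ]
  }
}

resource publicIpDiagnostics 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: '${firewallPublicIp.name}-pip-diagnostics'
  scope: firewallPublicIp
  properties: {
    workspaceId: logAnalyticsWorkspaceResourceId
    storageAccountId: logStorageAccountResourceId
    logs: [for category in publicIpLogCategories: {
      category: category
      enabled: true
      retentionPolicy: storageRetention
    }]
    metrics: [
      {
        category: 'AllMetrics'
        enabled: true
      }
    ]
  }
}
```

Because the resource type of an `existing` lookup must be a literal, the same pattern is repeated once per resource type (NSG, virtual network) rather than made fully generic; a caller invokes it with `module fwDiag 'diagnosticSettings.bicep' = { ... }` from the hub deployment and passes the workspace and storage account IDs it already has. Category names must be valid for the target resource type or the deployment fails, which is the desired behaviour here: a typo surfaces at deploy time instead of as a silently missing log stream. After deployment, `az monitor diagnostic-settings list --resource <resource-id>` confirms both sinks and every category are present.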
