Add diagnostic setting for user data shares

data_safe_haven/infrastructure/programs/declarative_sre.py

@@ -211,6 +211,7 @@ def __call__(self) -> None:
                 dns_record=networking.shm_ns_record,
                 dns_server_admin_password=dns.password_admin,
                 location=self.config.azure.location,
+                log_analytics_workspace=monitoring.log_analytics,
                 resource_group=resource_group,
                 sre_fqdn=networking.sre_fqdn,
                 storage_quota_gb_home=self.config.sre.storage_quota_gb.home,

data_safe_haven/infrastructure/programs/sre/data.py

@@ -7,6 +7,7 @@
 from pulumi import ComponentResource, Input, Output, ResourceOptions
 from pulumi_azure_native import (
     authorization,
+    insights,
     keyvault,
     managedidentity,
     network,
@@ -33,6 +34,7 @@
     NFSV3BlobContainerProps,
     SSLCertificate,
     SSLCertificateProps,
+    WrappedLogAnalyticsWorkspace,
     WrappedNFSV3StorageAccount,
 )
 from data_safe_haven.types import AzureDnsZoneNames, AzureServiceTag
@@ -51,6 +53,7 @@ def __init__(
         dns_record: Input[network.RecordSet],
         dns_server_admin_password: Input[pulumi_random.RandomPassword],
         location: Input[str],
+        log_analytics_workspace: Input[WrappedLogAnalyticsWorkspace],
         resource_group: Input[resources.ResourceGroup],
         sre_fqdn: Input[str],
         storage_quota_gb_home: Input[int],
@@ -69,6 +72,7 @@ def __init__(
         self.dns_record = dns_record
         self.password_dns_server_admin = dns_server_admin_password
         self.location = location
+        self.log_analytics_workspace = log_analytics_workspace
         self.resource_group_id = Output.from_input(resource_group).apply(get_id_from_rg)
         self.resource_group_name = Output.from_input(resource_group).apply(
             get_name_from_rg
@@ -615,6 +619,47 @@ def __init__(
             opts=child_opts,
             tags=child_tags,
         )
+        # Add diagnostic setting for files
+        insights.DiagnosticSetting(
+            f"{storage_account_data_private_user._name}_diagnostic_setting",
+            name=f"{storage_account_data_private_user._name}_diagnostic_setting",
+            log_analytics_destination_type="Dedicated",
+            logs=[
+                {
+                    "category_group": "allLogs",
+                    "enabled": True,
+                    "retention_policy": {
+                        "days": 0,
+                        "enabled": False,
+                    },
+                },
+                {
+                    "category_group": "audit",
+                    "enabled": True,
+                    "retention_policy": {
+                        "days": 0,
+                        "enabled": False,
+                    },
+                },
+            ],
+            metrics=[
+                {
+                    "category": "Transaction",
+                    "enabled": True,
+                    "retention_policy": {
+                        "days": 0,
+                        "enabled": False,
+                    },
+                }
+            ],
+            resource_uri=storage_account_data_private_user.id.apply(
+                # This is the URI of the fileServices resource which is automatically
+                # created.
+                lambda resource_id: resource_id
+                + "/fileServices/default"
+            ),
+            workspace_id=props.log_analytics_workspace.id,
+        )
         storage.FileShare(
             f"{storage_account_data_private_user._name}_files_home",
             access_tier=storage.ShareAccessTier.PREMIUM,