Add diagnostic setting for NFSv3 containers

data_safe_haven/infrastructure/components/composite/nfsv3_blob_container.py

@@ -1,9 +1,10 @@
 from pulumi import ComponentResource, Input, ResourceOptions
-from pulumi_azure_native import storage
+from pulumi_azure_native import insights, storage
 
-from data_safe_haven.infrastructure.components.dynamic.blob_container_acl import (
+from data_safe_haven.infrastructure.components import (
     BlobContainerAcl,
     BlobContainerAclProps,
+    WrappedLogAnalyticsWorkspace,
 )
 
 
@@ -15,6 +16,7 @@ def __init__(
         acl_other: Input[str],
         apply_default_permissions: Input[bool],
         container_name: Input[str],
+        log_analytics_workspace: Input[WrappedLogAnalyticsWorkspace],
         resource_group_name: Input[str],
         storage_account: Input[storage.StorageAccount],
         subscription_name: Input[str],
@@ -24,6 +26,7 @@ def __init__(
         self.acl_other = acl_other
         self.apply_default_permissions = apply_default_permissions
         self.container_name = container_name
+        self.log_analytics_workspace = log_analytics_workspace
         self.resource_group_name = resource_group_name
         self.storage_account = storage_account
         self.subscription_name = subscription_name
@@ -52,6 +55,7 @@ def __init__(
                 ResourceOptions(parent=props.storage_account),
             ),
         )
+
         BlobContainerAcl(
             f"{storage_container._name}_acl",
             BlobContainerAclProps(
@@ -70,6 +74,42 @@ def __init__(
             ),
         )
 
+        insights.DiagnosticSetting(
+            f"{storage_container._name}_diagnostic_settings",
+            name="firewall_diagnostic_settings",
+            log_analytics_destination_type="Dedicated",
+            logs=[
+                {
+                    "category_group": "allLogs",
+                    "enabled": True,
+                    "retention_policy": {
+                        "days": 0,
+                        "enabled": False,
+                    },
+                },
+                {
+                    "category_group": "audit",
+                    "enabled": True,
+                    "retention_policy": {
+                        "days": 0,
+                        "enabled": False,
+                    },
+                },
+            ],
+            metrics=[
+                {
+                    "category": "Transaction",
+                    "enabled": True,
+                    "retention_policy": {
+                        "days": 0,
+                        "enabled": False,
+                    },
+                }
+            ],
+            resource_uri=storage_container.id,
+            workspace_id=props.log_analytics_workspace.id,
+        )
+
         self.name = storage_container.name
 
         self.register_outputs({})

data_safe_haven/infrastructure/programs/sre/data.py

@@ -33,6 +33,7 @@
     NFSV3BlobContainerProps,
     SSLCertificate,
     SSLCertificateProps,
+    WrappedLogAnalyticsWorkspace,
     WrappedNFSV3StorageAccount,
 )
 from data_safe_haven.types import AzureDnsZoneNames, AzureServiceTag
@@ -51,6 +52,7 @@ def __init__(
         dns_record: Input[network.RecordSet],
         dns_server_admin_password: Input[pulumi_random.RandomPassword],
         location: Input[str],
+        log_analytics_workspace: Input[WrappedLogAnalyticsWorkspace],
         resource_group: Input[resources.ResourceGroup],
         sre_fqdn: Input[str],
         storage_quota_gb_home: Input[int],
@@ -69,6 +71,7 @@ def __init__(
         self.dns_record = dns_record
         self.password_dns_server_admin = dns_server_admin_password
         self.location = location
+        self.log_analytics_workspace = log_analytics_workspace
         self.resource_group_id = Output.from_input(resource_group).apply(get_id_from_rg)
         self.resource_group_name = Output.from_input(resource_group).apply(
             get_name_from_rg
@@ -492,6 +495,7 @@ def __init__(
                 # 65533 ownership of the fileshare (preventing use inside the SRE)
                 apply_default_permissions=False,
                 container_name="egress",
+                log_analytics_workspace=props.log_analytics_workspace,
                 resource_group_name=props.resource_group_name,
                 storage_account=storage_account_data_private_sensitive,
                 subscription_name=props.subscription_name,
@@ -507,6 +511,7 @@ def __init__(
                 # files (eg. with Azure Storage Explorer)
                 apply_default_permissions=True,
                 container_name="ingress",
+                log_analytics_workspace=props.log_analytics_workspace,
                 resource_group_name=props.resource_group_name,
                 storage_account=storage_account_data_private_sensitive,
                 subscription_name=props.subscription_name,