Azure · lonegunmanb · Sep 30, 2022 · Sep 27, 2022 · Sep 28, 2022 · Sep 28, 2022
diff --git a/README.md b/README.md
@@ -311,7 +311,7 @@ No modules.
 | <a name="input_log_analytics_workspace_resource_group_name"></a> [log\_analytics\_workspace\_resource\_group\_name](#input\_log\_analytics\_workspace\_resource\_group\_name) | (Optional) Resource group name to create azurerm\_log\_analytics\_solution.                                                                                                                                                                                                                                                      | `string`                                                              | `null`                      |    no    |
 | <a name="input_log_analytics_workspace_sku"></a> [log\_analytics\_workspace\_sku](#input\_log\_analytics\_workspace\_sku)                                                     | The SKU (pricing level) of the Log Analytics workspace. For new subscriptions the SKU should be set to PerGB2018                                                                                                                                                                                                                 | `string`                                                              | `"PerGB2018"`               |    no    |
 | <a name="input_log_retention_in_days"></a> [log\_retention\_in\_days](#input\_log\_retention\_in\_days)                                                                       | The retention period for the logs in days                                                                                                                                                                                                                                                                                        | `number`                                                              | `30`                        |    no    |
-| <a name="input_microsoft_defender_enabled"></a> [microsoft\_defender\_enabled](#input\_microsoft\_defender\_enabled)                                                          | (Optional) Is Microsoft Defender on the cluster enabled?                                                                                                                                                                                                                                                                         | `bool`                                                                | `false`                     |    no    |
+| <a name="input_microsoft_defender_enabled"></a> [microsoft\_defender\_enabled](#input\_microsoft\_defender\_enabled)                                                          | (Optional) Is Microsoft Defender on the cluster enabled? Requires an Analytics Workspace (see: [`var.log_analytics_workspace_enabled`](#input_log_analytics_workspace_enabled))                                                                                                                                                  | `bool`                                                                | `false`                     |    no    |
 | <a name="input_net_profile_dns_service_ip"></a> [net\_profile\_dns\_service\_ip](#input\_net\_profile\_dns\_service\_ip)                                                      | (Optional) IP address within the Kubernetes service address range that will be used by cluster service discovery (kube-dns). Changing this forces a new resource to be created.                                                                                                                                                  | `string`                                                              | `null`                      |    no    |
 | <a name="input_net_profile_docker_bridge_cidr"></a> [net\_profile\_docker\_bridge\_cidr](#input\_net\_profile\_docker\_bridge\_cidr)                                          | (Optional) IP address (in CIDR notation) used as the Docker bridge IP address on nodes. Changing this forces a new resource to be created.                                                                                                                                                                                       | `string`                                                              | `null`                      |    no    |
 | <a name="input_net_profile_outbound_type"></a> [net\_profile\_outbound\_type](#input\_net\_profile\_outbound\_type)                                                           | (Optional) The outbound (egress) routing method which should be used for this Kubernetes Cluster. Possible values are loadBalancer and userDefinedRouting. Defaults to loadBalancer.                                                                                                                                             | `string`                                                              | `"loadBalancer"`            |    no    |

diff --git a/main.tf b/main.tf
@@ -1,3 +1,27 @@
+locals {
+
+  # Abstract the decision whether to create an Analytics Workspace or not.
+  create_analytics_workspace = var.log_analytics_workspace_enabled && var.log_analytics_workspace == null
+
+  # Abstract the decision whether to use an Analytics Workspace supplied via vars, provision one ourselves or leave it null.
+  # This guarantees that local.log_analytics_workspace will contain a valid `id` and `name` IFF log_analytics_workspace_enabled
+  # is set to `true`.
+  log_analytics_workspace = var.log_analytics_workspace_enabled ? (
+    # The Log Analytics Workspace should be enabled:
+    var.log_analytics_workspace == null ? {
+      # `log_analytics_workspace_enabled` is `true` but `log_analytics_workspace` was not supplied.
+      # Create an `azurerm_log_analytics_workspace` resource and use that.
+      id   = azurerm_log_analytics_workspace.main[0].id
+      name = azurerm_log_analytics_workspace.main[0].name
+      } : {
+      # `log_analytics_workspace` is supplied. Let's use that.
+      id   = var.log_analytics_workspace.id
+      name = var.log_analytics_workspace.name
+    }
+  ) : null # Finally, the Log Analytics Workspace should be disabled.
+
+} # /end locals clause
+
 data "azurerm_resource_group" "main" {
   name = var.resource_group_name
 }
@@ -150,10 +174,11 @@ resource "azurerm_kubernetes_cluster" "main" {
     }
   }
   dynamic "microsoft_defender" {
-    for_each = var.microsoft_defender_enabled ? ["microsoft_defender"] : []
+
+    for_each = (var.microsoft_defender_enabled && var.log_analytics_workspace_enabled) ? ["microsoft_defender"] : []
 
     content {
-      log_analytics_workspace_id = coalesce(try(var.log_analytics_workspace.id, null), azurerm_log_analytics_workspace.main[0].id)
+      log_analytics_workspace_id = local.log_analytics_workspace.id
     }
   }
   network_profile {
@@ -169,7 +194,7 @@ resource "azurerm_kubernetes_cluster" "main" {
     for_each = var.log_analytics_workspace_enabled ? ["oms_agent"] : []
 
     content {
-      log_analytics_workspace_id = var.log_analytics_workspace == null ? azurerm_log_analytics_workspace.main[0].id : var.log_analytics_workspace.id
+      log_analytics_workspace_id = local.log_analytics_workspace.id
     }
   }
   dynamic "service_principal" {
@@ -191,11 +216,15 @@ resource "azurerm_kubernetes_cluster" "main" {
       condition     = (var.client_id != "" && var.client_secret != "") || (var.identity_type == "SystemAssigned") || (var.identity_ids == null ? false : length(var.identity_ids) > 0)
       error_message = "If use identity and `UserAssigned` or `SystemAssigned, UserAssigned` is set, an `identity_ids` must be set as well."
     }
+    precondition {
+      condition     = (var.microsoft_defender_enabled == true && var.log_analytics_workspace_enabled == true) || var.microsoft_defender_enabled == false
+      error_message = "Enabling Microsoft Defender requires that `log_analytics_workspace_enabled` be set to true."
+    }
   }
 }
 
 resource "azurerm_log_analytics_workspace" "main" {
-  count = var.log_analytics_workspace_enabled && var.log_analytics_workspace == null ? 1 : 0
+  count = local.create_analytics_workspace ? 1 : 0
 
   location            = coalesce(var.location, data.azurerm_resource_group.main.location)
   name                = var.cluster_log_analytics_workspace_name == null ? "${var.prefix}-workspace" : var.cluster_log_analytics_workspace_name
@@ -206,13 +235,13 @@ resource "azurerm_log_analytics_workspace" "main" {
 }
 
 resource "azurerm_log_analytics_solution" "main" {
-  count = var.log_analytics_workspace_enabled && var.log_analytics_solution_id == null ? 1 : 0
+  count = local.create_analytics_workspace ? 1 : 0
 
   location              = coalesce(var.location, data.azurerm_resource_group.main.location)
   resource_group_name   = coalesce(var.log_analytics_workspace_resource_group_name, var.resource_group_name)
   solution_name         = "ContainerInsights"
-  workspace_name        = var.log_analytics_workspace != null ? var.log_analytics_workspace.name : azurerm_log_analytics_workspace.main[0].name
-  workspace_resource_id = var.log_analytics_workspace != null ? var.log_analytics_workspace.id : azurerm_log_analytics_workspace.main[0].id
+  workspace_name        = local.log_analytics_workspace.name
+  workspace_resource_id = local.log_analytics_workspace.id
   tags                  = var.tags
 
   plan {

diff --git a/variables.tf b/variables.tf
@@ -273,7 +273,7 @@ variable "log_retention_in_days" {
 
 variable "microsoft_defender_enabled" {
   type        = bool
-  description = "(Optional) Is Microsoft Defender on the cluster enabled?"
+  description = "(Optional) Is Microsoft Defender on the cluster enabled? Requires a Log Analytics Workspace."
   default     = false
   nullable    = false
 }