[#IOPID-1253] audit log container with custom policy (#812)

pagopa · Jan 5, 2024 · 09db33e · 09db33e
1 parent 26c8005
commit 09db33e
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 1 deletion.
diff --git a/src/domains/ioweb-common/03_storage.tf b/src/domains/ioweb-common/03_storage.tf
@@ -78,6 +78,13 @@ resource "azurerm_storage_container" "immutable_spid_logs" {
   container_access_type = "private"
 }
 
+resource "azurerm_storage_container" "immutable_audit_logs" {
+  depends_on            = [module.immutable_spid_logs_storage, azurerm_private_endpoint.immutable_spid_logs_storage_blob]
+  name                  = "auditlogs"
+  storage_account_name  = module.immutable_spid_logs_storage.name
+  container_access_type = "private"
+}
+
 
 # Policies
 resource "azurerm_storage_management_policy" "immutable_spid_logs_storage_management_policy" {
@@ -106,4 +113,33 @@ resource "azurerm_storage_management_policy" "immutable_spid_logs_storage_manage
       }
     }
   }
-}
+}
+
+## Policy ONLY for audit logs
+resource "azurerm_storage_management_policy" "immutable_audit_logs_storage_management_policy" {
+  depends_on = [module.immutable_spid_logs_storage, azurerm_storage_container.immutable_audit_logs]
+
+  storage_account_id = module.immutable_spid_logs_storage.id
+
+  rule {
+    name    = "deleteafter2yrsplus1week"
+    enabled = true
+    filters {
+      prefix_match = [
+        azurerm_storage_container.immutable_audit_logs.name,
+      ]
+      blob_types = ["blockBlob"]
+    }
+    actions {
+      base_blob {
+        delete_after_days_since_creation_greater_than = local.immutability_policy_days + 8
+      }
+      snapshot {
+        delete_after_days_since_creation_greater_than = local.immutability_policy_days + 8
+      }
+      version {
+        delete_after_days_since_creation = local.immutability_policy_days + 8
+      }
+    }
+  }
+}
diff --git a/src/domains/ioweb-common/README.md b/src/domains/ioweb-common/README.md
@@ -44,7 +44,9 @@
 | [azurerm_resource_group.fe_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
 | [azurerm_resource_group.sec_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
 | [azurerm_resource_group.storage_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
+| [azurerm_storage_container.immutable_audit_logs](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_container) | resource |
 | [azurerm_storage_container.immutable_spid_logs](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_container) | resource |
+| [azurerm_storage_management_policy.immutable_audit_logs_storage_management_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_management_policy) | resource |
 | [azurerm_storage_management_policy.immutable_spid_logs_storage_management_policy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_management_policy) | resource |
 | [tls_private_key.jwt](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource |
 | [azuread_group.adgroup_admin](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/group) | data source |