Support app service application logs blob storage #3520

Merged
merged 1 commit into from
Jun 26, 2019

Contributor

@hdpe hdpe commented May 24, 2019

I've just started having a look at #1082. I didn't want to get much further without seeking feedback because this is already raising several questions.

This PR just addresses writing app service application logs to blob storage.

Service SAS Tokens

It seems that the applicationLogs.azureBlobStorage.sasUrl Resource Manager property requires a Container Service SAS rather than an Account SAS, which is a shame because the latter could be provided by azurerm_storage_account_sas.

I couldn't find any documentation proving this was the case, but attempts to use an Account SAS return

Error Message: Missing mandatory parameters for valid Shared Access Signature

to the app service.

There is an outstanding issue to support this ("Feature Request: Add support for Azure Container SAS tokens"), which I haven't implemented. It's the user's responsibility to generate the Container Service SAS token. Is this approach acceptable for now?

DIAGNOSTICS* Application Setting Syncing

Updating the applicationLogs.azureBlobStorage Resource Manager properties also writes two new application settings DIAGNOSTICS_AZUREBLOBCONTAINERSASURL and DIAGNOSTICS_AZUREBLOBRETENTIONINDAYS. When the properties are changed the application settings are updated; when the application settings are changed the properties are updated. I therefore remove the application settings at read time: this prevents them from being maintained in the state and means they don't need to be maintained in a .tf configuration in both places. I think something similar is going on already in the azure_arm_function_app resource. Is this a good idea?

Defaults

There's some discussion on the original issue about what values to set when the logs blocks are removed. I haven't really addressed this. It seems that when the Azure SDK UpdateDiagnosticLogsConfig method is hit with empty values, the values in Resource Manager seem to return to their defaults, so it seems OK.

Putting it all together, the following seems to be working okay for our needs:

data "azurerm_storage_account" "main" {
  ...
}

resource "azurerm_storage_container" "main" {
  ...
}

data "external" "container_sas_token" {
  // Do NOT use "--https-only" or token will not work, leading to 403 responses to the app service...
  // I'm unsure why this is the case.
  program = [
    "sh",
    "-c",
    "az storage container generate-sas -n ${azurerm_storage_container.main.name} --permissions dlrw --account-name myaccount --start 2019-05-22 --expiry 2199-12-30 -otsv | xargs printf '{\"token\":\"%s\"}'"
  ]
}

resource "azurerm_app_service" "main" {
  ...
  
  logs {
    application_logs {
      azure_blob_storage {
        level = "Verbose"
        sas_url = "${data.azurerm_storage_account.main.primary_blob_endpoint}${azurerm_storage_container.main.name}?${data.external.container_sas_token.result.token}"
        retention_in_days = 7
      }
    }
  }
}

Thanks in advance for looking at this -- any feedback gratefully received!
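The Account SAS versus Container Service SAS distinction raised in the comment above is visible in the token's query string, so a `sas_url` can be checked before it is applied; the following Go sketch is an added example, not code from this PR or from the provider. It assumes the documented SAS parameters (`ss`/`srt` on an account SAS, `sr=c` on a container service SAS, `spr`, `se`); the sample URLs are constructed, and `CheckSAS` and `maxLife` are hypothetical names standing in for a local lifetime policy.

```go
package main

import (
	"fmt"
	"net/url"
	"time"
)

// Constructed sample URLs (not real tokens); account and container names are placeholders.
const (
	containerSAS = "https://myaccount.blob.core.windows.net/logs?sv=2018-03-28&sr=c&sp=rwdl&st=2019-05-22&se=2199-12-30&sig=CONSTRUCTED"
	accountSAS   = "https://myaccount.blob.core.windows.net/logs?sv=2018-03-28&ss=b&srt=co&sp=rwdl&se=2019-06-30T00:00:00Z&spr=https&sig=CONSTRUCTED"
)

// CheckSAS classifies a SAS URL by its query parameters and lists findings.
// maxLife is a hypothetical local policy limit, not an Azure requirement.
func CheckSAS(sasURL string, now time.Time, maxLife time.Duration) (string, []string) {
	u, err := url.Parse(sasURL)
	if err != nil {
		return "invalid", []string{"unparseable URL"}
	}
	q, kind, findings := u.Query(), "container-service", []string{}
	switch {
	case q.Get("ss") != "" || q.Get("srt") != "": // account SAS: ss/srt, no sr
		kind = "account"
		findings = append(findings, "account SAS, not a container service SAS")
	case q.Get("sr") != "c": // a service SAS carries sr; sr=c scopes it to a container
		kind = "other"
		findings = append(findings, fmt.Sprintf("sr=%q is not container scope", q.Get("sr")))
	}
	// Informational: the PR author reports that --https-only tokens failed for them.
	if q.Get("spr") != "https" {
		findings = append(findings, "spr is not https: token is also accepted over HTTP")
	}
	exp, ok := time.Time{}, false
	for _, layout := range []string{time.RFC3339, "2006-01-02T15:04Z", "2006-01-02"} {
		if t, err := time.Parse(layout, q.Get("se")); err == nil {
			exp, ok = t, true
			break
		}
	}
	switch {
	case !ok:
		findings = append(findings, "se (expiry) missing or unparseable")
	case exp.Before(now):
		findings = append(findings, "token already expired")
	case exp.After(now.Add(maxLife)):
		findings = append(findings, "expiry "+exp.Format("2006-01-02")+" exceeds policy lifetime")
	}
	return kind, findings
}
```

With a 90-day `maxLife`, the constructed container token reports the HTTP and 2199 expiry findings, and the constructed account token is rejected on type alone.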

Collaborator

@katbyte katbyte left a comment

Thanks for the PR @hdpe,

This LGTM 👍

@katbyte katbyte added this to the v1.31.0 milestone Jun 26, 2019
@katbyte katbyte merged commit fa99ccf into hashicorp:master Jun 26, 2019
katbyte added a commit that referenced this pull request Jun 26, 2019
ghost commented Jun 28, 2019

This has been released in version 1.31.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

provider "azurerm" {
    version = "~> 1.31.0"
}
# ... other configuration ...

ghost commented Jul 27, 2019

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!

@ghost ghost locked and limited conversation to collaborators Jul 27, 2019