Azure Monitor & Log Analytics Baseline

azure-monitor-baseline

Status: static-validated, live-test pending. Ships under live-test quarantine — the live apply→verify→destroy gate runs once an Azure cloud sandbox is available. Statically validated (fmt, validate, tflint).

A central Log Analytics workspace plus the supporting monitoring scaffold: optional workspace-based Application Insights, action groups, a diagnostic-settings-everywhere pattern (ship logs + metrics from any resource into the workspace), and a starter alert pack — static metric alerts and scheduled KQL query alerts wired to your action groups.

Secure defaults & design

• Entra-only workspace auth (local_authentication_enabled = false).
• Bounded retention (90 days) and an optional daily ingestion cap (daily_quota_gb) so a runaway log source can't blow up the bill.
• Diagnostic settings default to the allLogs category group + AllMetrics. Per-resource-type diagnostic categories differ across Azure; using the provider-discovered category group sidesteps the discovery problem and keeps coverage from silently drifting as resource types add categories. You can still pin explicit log_categories per setting.
• Application Insights is workspace-based (the only non-deprecated model) with local auth disabled by default.
• Alerts reference action groups by their map key, and a precondition fails the plan if an alert points at an action group you didn't define — no silent no-op alerts.

Works with Terraform and OpenTofu (>= 1.6), azurerm provider >= 4.0, < 5.0.

Requirements

Requirement	Version
Terraform / OpenTofu	>= 1.6
hashicorp/azurerm	>= 4.0, < 5.0

License

Commercial — LicenseRef-IaCBazaar-Commercial. © IaC Bazaar. Original work (not derived from a third-party module).