Enable Azure Monitor Diagnostic Settings with Terraform
Most Azure resources support what is called an Azure Monitor Diagnostic setting. This diagnostic setting allows you to configure which logs or metrics you want to collect from a resource and where you want to send them. Your destination could be Azure Log Analytics, a storage account, an event hub or a 3rd party solution.
In this blog post, I am going to walk you through the process of enabling Azure Monitor diagnostic settings using Terraform.
What are Azure Monitor diagnostic settings?
Within nearly all Azure resources, you can configure a setting called Azure Diagnostics to allow you to collect and route logs and metrics from that resource to different destinations for monitoring and analysis. Each Azure resource has different diagnostic logs and metrics available to it.
You can route the logs and metrics to different destinations:
- Log Analytics for querying and alerting.
- Event Hub for streaming to external services.
- Storage Account for long-term retention.
- Partner solutions such as Splunk or Datadog.
How to configure Azure diagnostic settings using Terraform
To enable Azure Monitor diagnostic settings using Terraform, you must define the azurerm_monitor_diagnostic_setting resource. This resource allows you to configure logs and metrics for a given Azure resource and specify where to send them.
Before you start, ensure you have:
- A Log Analytics workspace, Event Hub, or Storage Account to send logs to.
Below is a snippet of Terraform configuration that enables diagnostic settings for an Azure Communication Services resource and sends its logs to a Log Analytics workspace:
# Deploy an Azure Communication Services resource
resource "azurerm_communication_service" "acs" {
  name                = "acsservice"
  resource_group_name = "rg-lpzt"
  data_location       = "UK"
}

# Fetch information about an existing Azure Log Analytics workspace
data "azurerm_log_analytics_workspace" "observability_log_analytics_workspace" {
  name                = "log analytics space name"
  resource_group_name = "rg where log analytics resides"
}

# Turn on logs being sent to a Log Analytics Workspace
resource "azurerm_monitor_diagnostic_setting" "acs-logs" {
  name                           = "acs-diagnostic-logs"
  target_resource_id             = azurerm_communication_service.acs.id
  log_analytics_workspace_id     = data.azurerm_log_analytics_workspace.observability_log_analytics_workspace.id
  log_analytics_destination_type = "Dedicated"

  enabled_log {
    category = "EmailSendMailOperational"
  }
  enabled_log {
    category = "Usage"
  }
  enabled_log {
    category = "EmailStatusUpdateOperational"
  }
  enabled_log {
    category = "EmailUserEngagementOperational"
  }

  metric {
    category = "AllMetrics"
  }
}
We first use the azurerm_communication_service resource to deploy our Azure Communication Services resource.
We then use a data source to fetch information about our existing Azure Log Analytics workspace.
Finally, we use the azurerm_monitor_diagnostic_setting resource to configure which logs we want to gather from the Azure Communication Services resource. In this instance, we will be using Azure Communication Services to send emails, so we enable the email-related log categories and send them to our Log Analytics workspace.
We’ve also set the Log Analytics destination type to Dedicated. This means the logs go to resource-specific tables instead of the legacy AzureDiagnostics table.
Best Practices for Azure Diagnostics Settings
- Enable diagnostics for all critical resources, especially security-related ones like Key Vault, Azure Firewall, and Virtual Machines. Logs help with incident response and compliance audits.
- Use Log Analytics for structured analysis: send logs to Azure Monitor Log Analytics so you can run queries, build dashboards, and set up alerts using Kusto Query Language (KQL).
- Avoid sending everything. Filter logs to only collect what’s necessary to reduce storage costs and noise. Prioritise security, performance, and availability-related logs.
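As an added example (not from the original post), here is the diagnostic setting from the walkthrough above rewritten so that Terraform first asks Azure which categories the target resource supports and then enables only an allow-listed subset, which is how you put the "avoid sending everything" advice into code. It assumes azurerm provider 3.x, Terraform 1.2 or later, and that the resource and workspace IDs are passed in as variables.

```hcl
# Added example (not from the original post): enable only an allow-listed subset of the
# log categories a resource really exposes. Assumes azurerm 3.x and Terraform >= 1.2.
variable "target_resource_id" {
  type = string # e.g. azurerm_communication_service.acs.id
}
variable "log_analytics_workspace_id" {
  type = string
}
# Categories worth collecting; anything else stays disabled to limit noise and cost.
variable "wanted_log_categories" {
  type    = set(string)
  default = ["EmailSendMailOperational", "EmailStatusUpdateOperational", "Usage"]
}
# Ask Azure which log and metric categories this resource actually supports.
data "azurerm_monitor_diagnostic_categories" "target" {
  resource_id = var.target_resource_id
}

locals {
  supported    = toset(data.azurerm_monitor_diagnostic_categories.target.log_category_types)
  enabled_logs = setintersection(local.supported, var.wanted_log_categories)
  # Wanted-but-unsupported names (typos, renamed categories) are surfaced below.
  unsupported  = setsubtract(var.wanted_log_categories, local.supported)
}

resource "azurerm_monitor_diagnostic_setting" "filtered" {
  name                           = "diag-filtered"
  target_resource_id             = var.target_resource_id
  log_analytics_workspace_id     = var.log_analytics_workspace_id
  log_analytics_destination_type = "Dedicated"
  # One enabled_log block per category that is both wanted and supported.
  dynamic "enabled_log" {
    for_each = local.enabled_logs
    content {
      category = enabled_log.value
    }
  }
  dynamic "metric" {
    for_each = toset(data.azurerm_monitor_diagnostic_categories.target.metrics)
    content {
      category = metric.value
    }
  }
  lifecycle {
    precondition {
      condition     = length(local.unsupported) == 0
      error_message = "Unsupported log categories: ${join(", ", sort(local.unsupported))}"
    }
  }
}
```

The precondition makes a misspelled or retired category fail at plan time instead of being silently dropped, so the log coverage you think you have is the coverage you actually have.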
Conclusion
We have explored how to enable Azure Monitor diagnostic settings using Terraform, allowing you to collect and route logs and metrics for better observability.
By leveraging the azurerm_monitor_diagnostic_setting resource, you can ensure that critical logs are sent to the appropriate destinations, such as Log Analytics, Event Hub, or Storage Accounts.
Remember to enable diagnostics for the correct resources, but avoid capturing all the logs to help optimise your monitoring while managing costs.