mgmt-infra: enable audit logging for cx, msi and mgmt key vaults

dev-infrastructure/configurations/mgmt-infra.tmpl.bicepparam

@@ -24,3 +24,6 @@ param aroDevopsMsiId = '{{ .aroDevopsMsiId }}'
 // Cluster Service identity
 // used for Key Vault access
 param clusterServiceMIResourceId = '__clusterServiceMIResourceId__'
+
+// Log Analytics Workspace ID will be passed from global pipeline if enabled in config
+param logAnalyticsWorkspaceId = '__logAnalyticsWorkspaceId__'

dev-infrastructure/mgmt-pipeline.yaml

@@ -42,7 +42,12 @@ resourceGroups:
       input:
         step: svc-output
         name: cs
+    - name: logAnalyticsWorkspaceId
+      input:
+        step: global-output
+        name: logAnalyticsWorkspaceId 
     dependsOn:
+    - global-output
     - svc-output
   # Configure certificate issuers for the MC KVs
   - name: cx-oncert-public-kv-issuer

dev-infrastructure/templates/mgmt-infra.bicep

@@ -40,6 +40,9 @@ param kvCertOfficerPrincipalId string
 @description('MSI that will be used during pipeline runs')
 param aroDevopsMsiId string
 
+// Log Analytics Workspace ID will be passed from global pipeline if enabled in config
+param logAnalyticsWorkspaceId string = ''
+
 resource resourcegroupTags 'Microsoft.Resources/tags@2024-03-01' = {
   name: 'default'
   scope: resourceGroup()
@@ -80,6 +83,7 @@ module cxKeyVault '../modules/keyvault/keyvault.bicep' = {
     private: cxKeyVaultPrivate
     enableSoftDelete: cxKeyVaultSoftDelete
     purpose: 'cx'
+    logAnalyticsWorkspaceId: logAnalyticsWorkspaceId
   }
 }
 
@@ -110,6 +114,7 @@ module msiKeyVault '../modules/keyvault/keyvault.bicep' = {
     private: msiKeyVaultPrivate
     enableSoftDelete: msiKeyVaultSoftDelete
     purpose: 'msi'
+    logAnalyticsWorkspaceId: logAnalyticsWorkspaceId
   }
 }
 
@@ -123,6 +128,8 @@ module mgmtKeyVault '../modules/keyvault/keyvault.bicep' = {
     private: mgmtKeyVaultPrivate
     enableSoftDelete: mgmtKeyVaultSoftDelete
     purpose: 'mgmt'
+    logAnalyticsWorkspaceId: logAnalyticsWorkspaceId
+
   }
 }