Log Analytics Workspace

Overview

Log Analytics Workspaces are the destination for platform logs and metrics emitted by other Azure resources via diagnostic settings. This module creates one or more workspaces and exposes them as outputs that other modules (notably monitor_diagnostic_setting) can reference by key.

The module supports both creating new workspaces and adopting workspaces that already exist outside Terraform through the existing = true pattern.

Module Structure

| Module | Azure Resource | Purpose |
| --- | --- | --- |
| log_analytics_workspace | azurerm_log_analytics_workspace | Workspace used as a diagnostic setting destination |

Usage

1. Create a Workspace

log_analytics_workspace = {
  shared = {
    resource_group    = "shared"
    sku               = "PerGB2018"
    retention_in_days = 30
  }
}

The workspace key (shared above) is what downstream modules use to reference the workspace — for example, workspace = "shared" in a diagnostic_setting block on a recovery vault.

2. Reference an Existing Workspace

If the workspace already exists (for example, created by a central platform team), set existing = true. The module will read it via a data source instead of creating it, and downstream references continue to work identically:

log_analytics_workspace = {
  shared = {
    name           = "prod-shared-eastus2-law"  # Required for existing — must match the deployed name
    resource_group = "shared"
    existing       = true
  }
}

Note: When existing = true, name and resource_group must resolve to the actual workspace. The other fields (sku, retention_in_days, etc.) are ignored because no resource is being created.

3. Tune Retention and Quota

log_analytics_workspace = {
  shared = {
    resource_group    = "shared"
    sku               = "PerGB2018"
    retention_in_days = 90      # Up to 730 for PerGB2018
    daily_quota_gb    = 5       # Cap ingestion to control cost; -1 = unlimited
  }
}

Variable Reference

log_analytics_workspace

| Field | Type | Description | Default |
| --- | --- | --- | --- |
| name | string | Override the resource name | Prefix + key + suffix |
| resource_group | string | Resource group key | Required |
| location | string | Override location | var.location |
| sku | string | Pricing tier (PerGB2018, Free, Standalone, CapacityReservation, etc.) | "PerGB2018" |
| retention_in_days | number | Data retention (30–730 for PerGB2018) | 30 |
| daily_quota_gb | number | Daily ingestion cap in GB; -1 disables the cap | -1 |
| internet_ingestion_enabled | bool | Allow ingestion over the public internet | true |
| internet_query_enabled | bool | Allow queries over the public internet | true |
| local_authentication_enabled | bool | Allow workspace key auth. Set false to require Entra ID auth only. | true |
| existing | bool | Adopt an existing workspace via data source instead of creating it | false |
| tags | map(string) | Resource tags (merged with default_tags) | {} |
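
The access fields above all default to true, so a workspace created with only the required fields accepts workspace key auth and public ingestion and query. As an added example (not part of the module's own documentation), this tfvars fragment puts the defaults beside a hardened variant. The keys shared_default and shared_hardened, the retention value and the tag are constructed for illustration, and the hardened entry assumes clients already have a private network path to the workspace.

```hcl
log_analytics_workspace = {
  # Baseline for comparison: only the required field is set, so the module
  # defaults apply (all three access toggles true, retention 30, no daily cap).
  shared_default = {
    resource_group = "shared"
  }

  # Hardened variant (constructed example).
  shared_hardened = {
    resource_group    = "shared"
    sku               = "PerGB2018"
    retention_in_days = 90 # constructed value; size it to your investigation window

    # Require Entra ID auth only. Workspace keys are shared secrets that are
    # not tied to an identity, so disabling them removes that credential type.
    local_authentication_enabled = false

    # Refuse ingestion and queries over the public internet.
    # Assumption: agents and analysts reach the workspace over a private path
    # (for example an Azure Monitor Private Link Scope) that is managed
    # outside this module.
    internet_ingestion_enabled = false
    internet_query_enabled     = false

    # Keep the cap disabled for a workspace that holds security logs: once a
    # daily cap is reached, ingestion stops for the rest of the day and the
    # events from that period are not collected.
    daily_quota_gb = -1

    tags = {
      purpose = "security-logging" # constructed tag
    }
  }
}
```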

Naming Convention

Resources follow the standard {prefix}{key}{suffix} pattern. Add entries to your name_prefixes and name_suffixes in tfvars:

name_prefixes = {
  log_analytics_workspace = "prod-"
}

name_suffixes = {
  log_analytics_workspace = "-eastus2-law"
}

With the shared key above, the workspace is named prod-shared-eastus2-law.

Consuming the Workspace

Other modules reference the workspace by its key (not its ID). For example, in a recovery vault diagnostic setting:

recovery_services_vault = {
  epic = {
    resource_group = "recoveryvault"
    diagnostic_settings = {
      law = {
        workspace = "shared"      # log_analytics_workspace key
        enabled_logs = {
          categories = ["CoreAzureBackup"]
        }
      }
    }
  }
}

See Backup and Monitor Diagnostic Setting for the full diagnostic settings flow.