Azure · lonegunmanb · Sep 30, 2022 · Sep 27, 2022 · Sep 28, 2022 · Sep 28, 2022
diff --git a/README.md b/README.md
@@ -312,7 +312,7 @@ No modules.
 | <a name="input_log_analytics_workspace_sku"></a> [log\_analytics\_workspace\_sku](#input\_log\_analytics\_workspace\_sku)                                                     | The SKU (pricing level) of the Log Analytics workspace. For new subscriptions the SKU should be set to PerGB2018                                                                                                                                                                                                                 | `string`                                                                                                                                                                                                                   | `"PerGB2018"`               |    no    |
 | <a name="input_log_retention_in_days"></a> [log\_retention\_in\_days](#input\_log\_retention\_in\_days)                                                                       | The retention period for the logs in days                                                                                                                                                                                                                                                                                        | `number`                                                                                                                                                                                                                   | `30`                        |    no    |
 | <a name="input_maintenance_window"></a> [maintenance\_window](#input\_maintenance\_window)                                                                                    | (Optional) Maintenance configuration of the managed cluster.                                                                                                                                                                                                                                                                     | <pre>object({<br>    allowed = list(object({<br>      day   = string<br>      hours = set(number)<br>    })),<br>    not_allowed = list(object({<br>      end   = string<br>      start = string<br>    })),<br>  })</pre> | `null`                      |    no    |
-| <a name="input_microsoft_defender_enabled"></a> [microsoft\_defender\_enabled](#input\_microsoft\_defender\_enabled)                                                          | (Optional) Is Microsoft Defender on the cluster enabled?                                                                                                                                                                                                                                                                         | `bool`                                                                                                                                                                                                                     | `false`                     |    no    |
+| <a name="input_microsoft_defender_enabled"></a> [microsoft\_defender\_enabled](#input\_microsoft\_defender\_enabled)                                                          | (Optional) Is Microsoft Defender on the cluster enabled? Requires `var.log_analytics_workspace_enabled` to be `true` to set this variable to `true`.                                                                                                                                                                             | `bool`                                                                                                                                                                                                                     | `false`                     |    no    |
 | <a name="input_net_profile_dns_service_ip"></a> [net\_profile\_dns\_service\_ip](#input\_net\_profile\_dns\_service\_ip)                                                      | (Optional) IP address within the Kubernetes service address range that will be used by cluster service discovery (kube-dns). Changing this forces a new resource to be created.                                                                                                                                                  | `string`                                                                                                                                                                                                                   | `null`                      |    no    |
 | <a name="input_net_profile_docker_bridge_cidr"></a> [net\_profile\_docker\_bridge\_cidr](#input\_net\_profile\_docker\_bridge\_cidr)                                          | (Optional) IP address (in CIDR notation) used as the Docker bridge IP address on nodes. Changing this forces a new resource to be created.                                                                                                                                                                                       | `string`                                                                                                                                                                                                                   | `null`                      |    no    |
 | <a name="input_net_profile_outbound_type"></a> [net\_profile\_outbound\_type](#input\_net\_profile\_outbound\_type)                                                           | (Optional) The outbound (egress) routing method which should be used for this Kubernetes Cluster. Possible values are loadBalancer and userDefinedRouting. Defaults to loadBalancer.                                                                                                                                             | `string`                                                                                                                                                                                                                   | `"loadBalancer"`            |    no    |

diff --git a/main.tf b/main.tf
@@ -1,3 +1,27 @@
+locals {
+
+  # Abstract the decision whether to create an Analytics Workspace or not.
+  create_analytics_solution  = var.log_analytics_workspace_enabled && var.log_analytics_solution_id == null
+  create_analytics_workspace = var.log_analytics_workspace_enabled && var.log_analytics_workspace == null
+  # Abstract the decision whether to use an Analytics Workspace supplied via vars, provision one ourselves or leave it null.
+  # This guarantees that local.log_analytics_workspace will contain a valid `id` and `name` IFF log_analytics_workspace_enabled
+  # is set to `true`.
+  log_analytics_workspace = var.log_analytics_workspace_enabled ? (
+    # The Log Analytics Workspace should be enabled:
+    var.log_analytics_workspace == null ? {
+      # `log_analytics_workspace_enabled` is `true` but `log_analytics_workspace` was not supplied.
+      # Create an `azurerm_log_analytics_workspace` resource and use that.
+      id   = azurerm_log_analytics_workspace.main[0].id
+      name = azurerm_log_analytics_workspace.main[0].name
+      } : {
+      # `log_analytics_workspace` is supplied. Let's use that.
+      id   = var.log_analytics_workspace.id
+      name = var.log_analytics_workspace.name
+    }
+  ) : null # Finally, the Log Analytics Workspace should be disabled.
+
+}
+
 data "azurerm_resource_group" "main" {
   name = var.resource_group_name
 }
@@ -175,7 +199,7 @@ resource "azurerm_kubernetes_cluster" "main" {
     for_each = var.microsoft_defender_enabled ? ["microsoft_defender"] : []
 
     content {
-      log_analytics_workspace_id = coalesce(try(var.log_analytics_workspace.id, null), azurerm_log_analytics_workspace.main[0].id)
+      log_analytics_workspace_id = local.log_analytics_workspace.id
     }
   }
   network_profile {
@@ -191,7 +215,7 @@ resource "azurerm_kubernetes_cluster" "main" {
     for_each = var.log_analytics_workspace_enabled ? ["oms_agent"] : []
 
     content {
-      log_analytics_workspace_id = var.log_analytics_workspace == null ? azurerm_log_analytics_workspace.main[0].id : var.log_analytics_workspace.id
+      log_analytics_workspace_id = local.log_analytics_workspace.id
     }
   }
   dynamic "service_principal" {
@@ -213,11 +237,15 @@ resource "azurerm_kubernetes_cluster" "main" {
       condition     = (var.client_id != "" && var.client_secret != "") || (var.identity_type == "SystemAssigned") || (var.identity_ids == null ? false : length(var.identity_ids) > 0)
       error_message = "If use identity and `UserAssigned` or `SystemAssigned, UserAssigned` is set, an `identity_ids` must be set as well."
     }
+    precondition {
+      condition     = !(var.microsoft_defender_enabled && !var.log_analytics_workspace_enabled)
+      error_message = "Enabling Microsoft Defender requires that `log_analytics_workspace_enabled` be set to true."
+    }
   }
 }
 
 resource "azurerm_log_analytics_workspace" "main" {
-  count = var.log_analytics_workspace_enabled && var.log_analytics_workspace == null ? 1 : 0
+  count = local.create_analytics_workspace ? 1 : 0
 
   location            = coalesce(var.location, data.azurerm_resource_group.main.location)
   name                = var.cluster_log_analytics_workspace_name == null ? "${var.prefix}-workspace" : var.cluster_log_analytics_workspace_name
@@ -228,17 +256,17 @@ resource "azurerm_log_analytics_workspace" "main" {
 }
 
 resource "azurerm_log_analytics_solution" "main" {
-  count = var.log_analytics_workspace_enabled && var.log_analytics_solution_id == null ? 1 : 0
+  count = local.create_analytics_solution ? 1 : 0
 
   location              = coalesce(var.location, data.azurerm_resource_group.main.location)
   resource_group_name   = coalesce(var.log_analytics_workspace_resource_group_name, var.resource_group_name)
   solution_name         = "ContainerInsights"
-  workspace_name        = var.log_analytics_workspace != null ? var.log_analytics_workspace.name : azurerm_log_analytics_workspace.main[0].name
-  workspace_resource_id = var.log_analytics_workspace != null ? var.log_analytics_workspace.id : azurerm_log_analytics_workspace.main[0].id
+  workspace_name        = local.log_analytics_workspace.name
+  workspace_resource_id = local.log_analytics_workspace.id
   tags                  = var.tags
 
   plan {
     product   = "OMSGallery/ContainerInsights"
     publisher = "Microsoft"
   }
-}
+}
diff --git a/variables.tf b/variables.tf
@@ -288,7 +288,7 @@ variable "maintenance_window" {
 
 variable "microsoft_defender_enabled" {
   type        = bool
-  description = "(Optional) Is Microsoft Defender on the cluster enabled?"
+  description = "(Optional) Is Microsoft Defender on the cluster enabled? Requires `var.log_analytics_workspace_enabled` to be `true` to set this variable to `true`."
   default     = false
   nullable    = false
 }