Extend azure monitor container insights with container network logs

README.md

@@ -380,6 +380,7 @@ No modules.
 | <a name="input_monitor_data_collection_rule_extensions_streams"></a> [monitor\_data\_collection\_rule\_extensions\_streams](#input\_monitor\_data\_collection\_rule\_extensions\_streams) | An array of container insights table streams. See documentation in DCR for a list of the valid streams and their corresponding table: https://learn.microsoft.com/en-us/azure/azure-monitor/containers/container-insights-data-collection-configure?tabs=portal#stream-values-in-dcr | `list(any)` | <pre>[<br/>  "Microsoft-ContainerLog",<br/>  "Microsoft-ContainerLogV2",<br/>  "Microsoft-KubeEvents",<br/>  "Microsoft-KubePodInventory",<br/>  "Microsoft-KubeNodeInventory",<br/>  "Microsoft-KubePVInventory",<br/>  "Microsoft-KubeServices",<br/>  "Microsoft-KubeMonAgentEvents",<br/>  "Microsoft-InsightsMetrics",<br/>  "Microsoft-ContainerInventory",<br/>  "Microsoft-ContainerNodeInventory",<br/>  "Microsoft-Perf"<br/>]</pre> | no |
 | <a name="input_monitor_metrics"></a> [monitor\_metrics](#input\_monitor\_metrics) | (Optional) Specifies a Prometheus add-on profile for the Kubernetes Cluster<br/>object({<br/>  annotations\_allowed = "(Optional) Specifies a comma-separated list of Kubernetes annotation keys that will be used in the resource's labels metric."<br/>  labels\_allowed      = "(Optional) Specifies a Comma-separated list of additional Kubernetes label keys that will be used in the resource's labels metric."<br/>}) | <pre>object({<br/>    annotations_allowed = optional(string)<br/>    labels_allowed      = optional(string)<br/>  })</pre> | `null` | no |
 | <a name="input_msi_auth_for_monitoring_enabled"></a> [msi\_auth\_for\_monitoring\_enabled](#input\_msi\_auth\_for\_monitoring\_enabled) | (Optional) Is managed identity authentication for monitoring enabled? | `bool` | `null` | no |
+| <a name="input_retina_flow_logs_enabled"></a> [retina\_flow\_logs\_enabled](#input\_retina\_flow\_logs\_enabled) | Enable container network observability logs for OMS agent. This applies to Linux nodes in the cluster. | `bool` | `false` | no |
 | <a name="input_nat_gateway_profile"></a> [nat\_gateway\_profile](#input\_nat\_gateway\_profile) | `nat_gateway_profile` block supports the following:<br/>- `idle_timeout_in_minutes` - (Optional) Desired outbound flow idle timeout in minutes for the managed nat gateway. Must be between `4` and `120` inclusive. Defaults to `4`.<br/>- `managed_outbound_ip_count` - (Optional) Count of desired managed outbound IPs for the managed nat gateway. Must be between `1` and `100` inclusive. | <pre>object({<br/>    idle_timeout_in_minutes   = optional(number)<br/>    managed_outbound_ip_count = optional(number)<br/>  })</pre> | `null` | no |
 | <a name="input_net_profile_dns_service_ip"></a> [net\_profile\_dns\_service\_ip](#input\_net\_profile\_dns\_service\_ip) | (Optional) IP address within the Kubernetes service address range that will be used by cluster service discovery (kube-dns). Changing this forces a new resource to be created. | `string` | `null` | no |
 | <a name="input_net_profile_outbound_type"></a> [net\_profile\_outbound\_type](#input\_net\_profile\_outbound\_type) | (Optional) The outbound (egress) routing method which should be used for this Kubernetes Cluster. Possible values are loadBalancer and userDefinedRouting. Defaults to loadBalancer. | `string` | `"loadBalancer"` | no |

main.tf

@@ -505,6 +505,7 @@ resource "azurerm_kubernetes_cluster" "main" {
     content {
       log_analytics_workspace_id      = local.log_analytics_workspace.id
       msi_auth_for_monitoring_enabled = var.msi_auth_for_monitoring_enabled
+      retina_flow_logs_enabled        = var.retina_flow_logs_enabled
     }
   }
   dynamic "service_mesh_profile" {

variables.tf

@@ -958,6 +958,12 @@ variable "msi_auth_for_monitoring_enabled" {
   description = "(Optional) Is managed identity authentication for monitoring enabled?"
 }
 
+variable "retina_flow_logs_enabled" {
+  type        = bool
+  default     = false
+  description = "(Optional) Enable container network observability logs for OMS agent."
+}
+
 variable "nat_gateway_profile" {
   type = object({
     idle_timeout_in_minutes   = optional(number)