chore: added additional group for security admins

kit/azure/logging/README.md

@@ -54,11 +54,13 @@ AzureActivity
 
 | Name | Type |
 |------|------|
+| [azuread_group.security_admins](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/group) | resource |
 | [azuread_group.security_auditors](https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/group) | resource |
 | [azurerm_log_analytics_workspace.law](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/log_analytics_workspace) | resource |
 | [azurerm_resource_group.law_rg](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/resource_group) | resource |
 | [azurerm_role_assignment.cloudfoundation_tfdeploy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [azurerm_role_assignment.logging](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
+| [azurerm_role_assignment.security_admins](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [azurerm_role_assignment.security_auditors](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_assignment) | resource |
 | [azurerm_role_definition.cloudfoundation_tfdeploy](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/role_definition) | resource |
 | [azurerm_subscription.current](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/subscription) | data source |
@@ -78,6 +80,8 @@ AzureActivity
 | Name | Description |
 |------|-------------|
 | <a name="output_documentation_md"></a> [documentation\_md](#output\_documentation\_md) | n/a |
+| <a name="output_security_admins_azuread_group_displayname"></a> [security\_admins\_azuread\_group\_displayname](#output\_security\_admins\_azuread\_group\_displayname) | n/a |
+| <a name="output_security_admins_azuread_group_id"></a> [security\_admins\_azuread\_group\_id](#output\_security\_admins\_azuread\_group\_id) | n/a |
 | <a name="output_security_auditors_azuread_group_displayname"></a> [security\_auditors\_azuread\_group\_displayname](#output\_security\_auditors\_azuread\_group\_displayname) | n/a |
 | <a name="output_security_auditors_azuread_group_id"></a> [security\_auditors\_azuread\_group\_id](#output\_security\_auditors\_azuread\_group\_id) | n/a |
 <!-- END_TF_DOCS -->

kit/azure/logging/main.tf

@@ -72,15 +72,26 @@ resource "azurerm_role_assignment" "logging" {
   scope                = var.scope
 }
 
+# creates group and permissions for security admins
+resource "azuread_group" "security_admins" {
+  display_name     = "cloudfoundation-security-admins"
+  security_enabled = true
+}
+
+resource "azurerm_role_assignment" "security_admins" {
+  role_definition_name = "Log Analytics Contributor"
+  principal_id         = azuread_group.security_admins.object_id
+  scope                = var.scope
+}
+
+# creates group and permissions for security auditors
 resource "azuread_group" "security_auditors" {
-  display_name = "cloudfoundation-security-auditors"
-  #owners           = [data.azuread_client_config.current.object_id]
+  display_name     = "cloudfoundation-security-auditors"
   security_enabled = true
 }
 
-# Set permissions for security auditors
 resource "azurerm_role_assignment" "security_auditors" {
-  role_definition_name = "Log Analytics Contributor"
+  role_definition_name = "Log Analytics Reader"
   principal_id         = azuread_group.security_auditors.object_id
   scope                = var.scope
 }

kit/azure/logging/outputs.tf

@@ -1,3 +1,11 @@
+output "security_admins_azuread_group_id" {
+  value = azuread_group.security_admins.id
+}
+
+output "security_admins_azuread_group_displayname" {
+  value = azuread_group.security_admins.display_name
+}
+
 output "security_auditors_azuread_group_id" {
   value = azuread_group.security_auditors.id
 }