tomweston/audit-log-exporter

Pulumi Audit Logs Exporter to Azure Blob

This project provisions all Azure resources and deploys an Azure Functions app that exports Pulumi Cloud audit logs to Azure Blob Storage on a daily schedule.

What This Stack Creates

  • Resource Group, Storage Account and private Blob containers:
    • audit-logs<stack> (JSON logs + checkpoint state/checkpoint.json)
    • audit-logs-archive (CSV exports)
    • audit-logs-errors (error details)
  • User‑Assigned Managed Identity with Blob Data Contributor
  • Consumption plan and Function App (Linux, Node 20)
  • Application Insights
  • A Pulumi Service‑generated access token for the function (PULUMI_ACCESS_TOKEN)

Prerequisites

  • Azure subscription
  • Node.js LTS
  • Pulumi CLI and account
  • Azure credentials available for Pulumi providers

Usage

  1. Configure the stack:

       pulumi config set audit-log-exporter:subscriptionId <your-azure-subscription-id>
       pulumi config set audit-log-exporter:pulumiOrg <your-pulumi-org>
       # Optional: increase page cap for large catch-up
       pulumi config set audit-log-exporter:maxPages 1000

  2. Deploy:

       npm install
       pulumi up --yes

Project Layout

.
├── Pulumi.yaml
├── Pulumi.<stack>.yaml          # Stack config (subscriptionId, pulumiOrg, maxPages)
├── index.ts                     # Pulumi program (infra + deployment)
├── function-app/
│   ├── auditLogProcessor/
│   │   ├── function.json        # schedule (daily) + scriptFile
│   │   └── index.js             # logic w/ checkpointing & pagination
│   ├── host.json
│   └── package.json
└── tsconfig.json

Configuration

Stack keys of interest (set with pulumi config set <key> <value>):

  • audit-log-exporter:subscriptionId (required): Azure subscription UUID.
  • audit-log-exporter:pulumiOrg (required): Pulumi organization name used for API queries.
  • audit-log-exporter:maxPages (optional, default 100): Pagination safety cap per run.
  • audit-log-exporter:blobPrefix (optional, default empty): Path prefix for emitted blobs (e.g., Pulumi-audit-logs).
  • audit-log-exporter:exportJson (optional, default true): Emit JSON export.
  • audit-log-exporter:exportCsv (optional, default true): Emit CSV export.
  • audit-log-exporter:exportCef (optional, default false): Emit CEF export.
  • audit-log-exporter:immutableRetentionDays (optional): When set, enables immutable storage with versioning on containers with the given retention period.

Function Behavior

  • Runs daily at 01:45 UTC
  • Fetches audit logs in pages (default ~101 events/page)
  • Avoids exporting duplicates by tracking progress in a blob checkpoint (state/checkpoint.json)
  • If it reaches maxPages, saves a continuation token and resumes next run
  • Writes JSON/CSV/CEF blobs under (<prefix>/)year=YYYY/month=MM/day=DD/audit-logs-<ts>.<ext>
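
The checkpoint and page-cap behavior above, sketched as an added example (not the repository's index.js). The fetchPage and writeBlob callbacks, the checkpoint shape, the oldest-first page order and the <ts> format are assumptions made for illustration.

```javascript
// Added illustration, not the repository's index.js. fetchPage and writeBlob are
// hypothetical stand-ins for the Pulumi Cloud API call and the Blob upload.

// Blob name in the README's layout; the <ts> format used here is an assumption.
function blobPath(prefix, date, ext) {
  const pad = (n) => String(n).padStart(2, "0");
  const dir = `year=${date.getUTCFullYear()}/month=${pad(date.getUTCMonth() + 1)}/day=${pad(date.getUTCDate())}`;
  const ts = date.toISOString().replace(/[:.]/g, "-");
  return `${prefix ? prefix + "/" : ""}${dir}/audit-logs-${ts}.${ext}`;
}

// Constructed in-memory source: oldest-first pages, token = offset of the next page.
function makeSource(all, size) {
  return async (token) => {
    const start = token ?? 0;
    const next = start + size;
    return { events: all.slice(start, next), continuationToken: next < all.length ? next : null };
  };
}

// One scheduled run. checkpoint = { lastTimestamp, continuationToken } (assumed shape
// for state/checkpoint.json). Resolves to the checkpoint to persist; if writeBlob
// rejects, this rejects too and the caller keeps the previous checkpoint.
async function runExport({ fetchPage, writeBlob, checkpoint, maxPages, prefix, now }) {
  let token = checkpoint.continuationToken;
  let newest = checkpoint.lastTimestamp;
  const fresh = [];
  for (let page = 0; page < maxPages; page++) {
    const { events, continuationToken } = await fetchPage(token);
    for (const e of events) {
      if (e.timestamp <= checkpoint.lastTimestamp) continue; // exported by an earlier run
      fresh.push(e);
      if (e.timestamp > newest) newest = e.timestamp;
    }
    token = continuationToken;
    if (token === null) break; // source exhausted before reaching the cap
  }
  if (fresh.length > 0) await writeBlob(blobPath(prefix, now, "json"), JSON.stringify(fresh));
  return { lastTimestamp: newest, continuationToken: token };
}
```

Because the sketch filters on timestamp alone, two events sharing a timestamp across a run boundary would be treated as one; an exporter used as an evidence source should deduplicate on a unique event identifier where the API provides one.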

Outputs

  • functionAppUrl
  • storageAccountName
  • Container names
  • App Insights details
