
App Logs allow users with the admin.app-repository.* role to see the standard output (stdout) logs of an app that was deployed via the Hosted SDK option.

Apps that are self-hosted or not deployed via Unique will not show any logs at this time.

[Image: image-20240515-120418.png]

The App Logs setup is neither simple nor rocket science, but it was chosen with a bit of scalability in mind. This is why logs are written to a Storage Account via a Diagnostic setting. Instead of putting the logs into the client's database and producing unnecessary load on it, the development debug application logs (App Logs) are written to a Storage Account and read back from there to be displayed in the App Repository.


Learn more about some of the architectural components below in https://unique-ch.atlassian.net/wiki/spaces/SD/pages/545292322/App+Logs#Architecture and how they are secured in https://unique-ch.atlassian.net/wiki/spaces/SD/pages/545292322/App+Logs#Security .

Get started

Pre-requisites

...

  • Valid contract holder of Hosted SDK

  • Acknowledged https://unique-ch.atlassian.net/wiki/x/moB5I

  • Push permissions on a Unique owned/controlled and deployed GitHub Repository

  • admin.app-repository.* on the Unique instances where the logs should be seen

  • Noted down environment names (provided inside the GitHub Repository) and the module names


  • The Unique instance (Single Tenant) must have been enabled for logs (its app deployments)

    • PaaS is enabled by default

Deploying a module with the logs enabled

In order to activate the logging to the Monitor/Storage Account, deployments with GitHub Actions have to be either created or modified.

sdk-deploy-template/readme#upgrading instructs developers on how the actions have to be modified.

Enabling the logs

The App Repository will not show logs directly. You must edit your app and pass in the azureEnvironmentName, which is the same name as the GitHub environment you are deploying from.

Note

You will not see any logs if you did not deploy with the logs enabled, see above!

[Image: image-20240515-115842.png]

Or add it from the beginning if the app is new

[Image: image-20240515-115820.png]

Then Save

🕐 Wait some minutes so that something actually gets written and propagated

[Image: image-20240515-120008.png]


The app's Name and Azure Environment Name must exactly match the values of the deployed app. If they do not match, no logs will be shown!

Note that in the example the _ of the module name becomes - in the app's Name.

In case you made a mistake, you can simply rename your app in the UI itself via the Edit button.

Works ✅

Deploying Action:

    uses: Unique-AG/sdk-deploy-action@v3 # >v3
    with:
      module: my_own_app
      environment: playground
      azure_storage_account_id: ${{ vars.AZURE_STORAGE_ACCOUNT_ID }}

In the App Repository:

Name: my-own-app

Azure Environment Name: playground

Does not work 🤯

Deploying Action:

    uses: Unique-AG/sdk-deploy-action@v3 # >v3
    with:
      module: my_own_app
      environment: playground
      azure_storage_account_id: ${{ vars.AZURE_STORAGE_ACCOUNT_ID }}

In the App Repository:

Name: my-own-app

Azure Environment Name: proid

Does not work 🤯

Deploying Action:

    uses: Unique-AG/sdk-deploy-action@v3 # >v3
    with:
      module: my_own_app
      environment: playground
      azure_storage_account_id: ${{ vars.AZURE_STORAGE_ACCOUNT_ID }}

In the App Repository:

Name: joke-teller-app

Azure Environment Name: playground

Does not work 🤯

Deploying Action:

    uses: Unique-AG/sdk-deploy-action@v3 # >v3
    with:
      module: my_own_app
      environment: playground
      azure_storage_account_id: ${{ vars.AZURE_STORAGE_ACCOUNT_ID }}

In the App Repository:

Name: my-own-app

Azure Environment Name: playground

Forgetting to set the correct account.
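A pre-deployment check for the matching rule above, as an added example (not Unique's code): it reads the inputs of the deploy step and compares them with the values entered in the App Repository. The function names are hypothetical, treating `_` to `-` as the only transformation is an assumption taken from the example on this page, and the check can only detect a missing `azure_storage_account_id`, not a wrong one.

```python
# Added example: names below are hypothetical, not part of Unique's tooling.
WITH_KEYS = ("module", "environment", "azure_storage_account_id")

# Constructed sample: the deploy step shown on this page.
STEP = """\
uses: Unique-AG/sdk-deploy-action@v3 # >v3
with:
  module: my_own_app
  environment: playground
  azure_storage_account_id: ${{ vars.AZURE_STORAGE_ACCOUNT_ID }}
"""

def parse_deploy_step(step_text):
    """Collect the deploy inputs from workflow text without a YAML library."""
    inputs = {}
    for raw in step_text.splitlines():
        line = raw.split(" #", 1)[0]  # drop trailing comments
        key, sep, value = line.partition(":")
        if sep and key.strip() in WITH_KEYS:
            inputs[key.strip()] = value.strip().strip("'\"")
    return inputs

def check_app_settings(step_text, app_name, azure_environment_name):
    """Return the reasons the App Repository would show no logs ([] = settings match)."""
    inputs = parse_deploy_step(step_text)
    problems = []
    if not inputs.get("azure_storage_account_id"):
        problems.append("azure_storage_account_id is not set in the deploy step")
    # Assumption from the page's example: `_` in the module becomes `-` in the app Name.
    expected_name = inputs.get("module", "").replace("_", "-")
    if app_name != expected_name:  # exact match, no trimming or case folding
        problems.append(f"Name {app_name!r} must be {expected_name!r}")
    expected_env = inputs.get("environment", "")
    if azure_environment_name != expected_env:
        problems.append(
            f"Azure Environment Name {azure_environment_name!r} must be {expected_env!r}")
    return problems

if __name__ == "__main__":
    for name, env in [("my-own-app", "playground"), ("my-own-app", "proid"),
                      ("joke-teller-app", "playground")]:
        print(name, env, check_app_settings(STEP, name, env) or "OK")
```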

Specs

The logs' clear use case is application insights and secure development of apps. A developer can consult them in the rare event of discovering an edge case only in production or when triaging an unseen issue.

Unique strongly discourages debugging in production (near live) and advocates for a proper SSDL (like its own Secure Software Development Lifecycle). These logs are not meant to be used for live-debugging; apps are to be properly tested before being deployed to production environments.

Logs

Naturally, the maximum duration of logs you can browse is limited by the Retention. The UI currently shows only the last 48 hours of logs in separate entries. If the feature matures, further improvements could be made in this regard.

The logs are not live streams; in the worst case it can take some minutes for them to appear. Unique does not offer real-time log streaming. Clients requiring faster scrape intervals than Azure Monitor's maximum 5 minute interval must self-host apps.

The logs capture stdout (the console), which means they also show container or boot errors, etc.

The logs contain two timestamps:

[Image: image-20240515-120135.png]

More ideas

Let Unique know via a known-to-you channel what can be improved or added to the App Logs. Be aware that, since this is EXPERIMENTAL, Unique does not commit to implementing the feedback directly or ever, but will certainly value it.

Limitations

The App Logs (including their endpoints) must never be used to store any form of data, implement automations or triage issues with clients' data held within Unique. Unique reserves the right to disable and remove logs that violate the Legal Amendment to the Co-Development Agreement or put its clients at risk.

Architecture

[Diagram: hosted-sdk-logs.drawio]

Security

Storage Account

The storage account is encrypted with a Customer Managed Key, which Unique holds in an Azure Key Vault. The key is of type RSA, has a size of 2048 and is HSM backed. The storage account's minimum TLS version is 1.2.

Retention

The retention defaults to 7 days. Clients can request changes to this period between 1 and 31 days. As these are logs for developers only, longer or no retention periods are not supported. Clients with different logging requirements must self-host apps.

Permissions

Azure Monitor is the only allowed writer to the account, while the App Repository (via Workload Identity) is the sole reader (both via RBAC). No humans have access to the account, not even via PIM or privileged roles.

Secure Deployment


See Hosted SDK, only mentioned here for completeness.

Log scrubbing

The setup does not scrub the logs or sanitize them. If developers log classified data, it will be present in the logs within the retention period. The Legal Amendment to the Co-Development Agreement holds more information about the logs and their use case (or not-use-case) and how developers must interact with them.

Unique can emergency delete the logs on a client's request at an hourly rate; see the amendment for that as well. In that case, all logs of the period for the affected app/module will be deleted (not selectively).
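Because the setup does not scrub logs, redaction has to happen inside the app before a line reaches stdout. The following is an added example (not Unique's code or part of the Hosted SDK) of a Python logging formatter that redacts the final formatted line, including %-style arguments and exception text. The patterns and names are assumptions constructed for illustration and need to be extended to whatever your app classifies as sensitive.

```python
import logging
import re
import sys

# Assumed patterns, constructed for this example.
REDACTIONS = [
    (re.compile(r"(?i)\b(bearer)\s+[A-Za-z0-9._~+/=-]+"), r"\1 [REDACTED]"),
    (re.compile(r"(?i)\b(api[_-]?key|password|secret|token)(\s*[=:]\s*)\S+"),
     r"\1\2[REDACTED]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), "[EMAIL]"),
]

def scrub(text):
    """Apply every redaction pattern to one piece of log text."""
    for pattern, replacement in REDACTIONS:
        text = pattern.sub(replacement, text)
    return text

class ScrubbingFormatter(logging.Formatter):
    """Scrub after formatting, so message args and tracebacks are covered too."""
    def format(self, record):
        return scrub(super().format(record))

def build_logger(name="hosted-app", stream=None):
    """Return a logger whose only handler writes scrubbed lines to stdout."""
    handler = logging.StreamHandler(stream if stream is not None else sys.stdout)
    handler.setFormatter(
        ScrubbingFormatter("%(asctime)s %(levelname)s %(message)s"))
    logger = logging.getLogger(name)
    logger.handlers = [handler]
    logger.setLevel(logging.INFO)
    logger.propagate = False  # keep unscrubbed copies away from root handlers
    return logger

if __name__ == "__main__":
    log = build_logger()
    # Constructed sample values, not real credentials.
    log.info("login ok for %s with password=%s", "alice@example.com", "hunter2")
    try:
        raise ValueError("upstream rejected token=abc123")
    except ValueError:
        log.exception("call failed")
```

Output written with print() or by code that does not go through this logger is not covered.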

...