...

The App Logs setup is neither simple nor rocket science, but it was chosen with a bit of scalability in mind. This is why logs get written to a Storage Account via a Diagnostic setting. Instead of putting the logs into the client's database, which would produce unnecessary load on the database, the debug logs of development applications (App Logs) are written to a Storage Account and read back from there to display them in the App Repository.

Learn more about some of the architectural components below in https://unique-ch.atlassian.net/wiki/spaces/

...

SD/pages/545292322/App+Logs#Architecture and how they are secured in https://unique-ch.atlassian.net/wiki/spaces/

...

SD/pages/545292322/App+Logs#Security.

Get started

Pre-requisites

...

Deploying Action

In the App Repository

Works ✅

Code Block
- uses: Unique-AG/sdk-deploy-action@v3 # >v3
  with:
    module: my_own_app
    environment: playground
    azure_storage_account_id: ${{ vars.AZURE_STORAGE_ACCOUNT_ID }}

Name: my-own-app

Azure Environment Name: playground

Does not work 🤯

Code Block
- uses: Unique-AG/sdk-deploy-action@v3 # >v3
  with:
    module: my_own_app
    environment: playground
    azure_storage_account_id: ${{ vars.AZURE_STORAGE_ACCOUNT_ID }}

Name: my-own-app

Azure Environment Name: proid

Does not work 🤯

Code Block
- uses: Unique-AG/sdk-deploy-action@v3 # >v3
  with:
    module: my_own_app
    environment: playground
    azure_storage_account_id: ${{ vars.AZURE_STORAGE_ACCOUNT_ID }}

Name: joke-teller-app

Azure Environment Name: playground

Does not work 🤯

Code Block
- uses: Unique-AG/sdk-deploy-action@v3 # >v3
  with:
    module: my_own_app
    environment: playground
    azure_storage_account_id: ${{ vars.AZURE_STORAGE_ACCOUNT_ID }}

Name: my-own-app

Azure Environment Name: playground

Forgetting to set the correct storage account (azure_storage_account_id).
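The four cases above boil down to three things that must line up before a deploy: the module against the app Name, the environment against the Azure Environment Name, and the storage account variable actually resolving to the expected account. As an added example that is not part of this page or of sdk-deploy-action, here is a pre-flight check in Python over constructed versions of those four cases; it assumes (not stated on the page) that hyphens and underscores in app names are interchangeable, and the account id is a constructed placeholder.

```python
import re


def _normalize(name: str) -> str:
    """Compare app names ignoring case and hyphen/underscore differences.

    Assumption (not stated on the page): 'my_own_app' and 'my-own-app'
    denote the same app, which is what the working example implies.
    """
    return re.sub(r"[-_]+", "-", name.strip().lower())


def preflight(step_with: dict, app_name: str, azure_env: str, expected_account: str) -> list:
    """Return a list of mismatch reasons; an empty list means the step may run."""
    problems = []
    module = step_with.get("module", "")
    if _normalize(module) != _normalize(app_name):
        problems.append(f"module {module!r} does not match app Name {app_name!r}")
    env = step_with.get("environment")
    if env != azure_env:
        problems.append(f"environment {env!r} does not match Azure Environment Name {azure_env!r}")
    account = step_with.get("azure_storage_account_id") or ""
    # An unresolved ${{ vars.* }} expression means the variable was never set.
    if not account or account.startswith("${{") or account != expected_account:
        problems.append("azure_storage_account_id is unset, unresolved or not the expected account")
    return problems


# Constructed sample cases mirroring the page (account id is a placeholder).
EXPECTED_ACCOUNT = "ACCOUNT-ID-PLACEHOLDER"
STEP = {"module": "my_own_app", "environment": "playground",
        "azure_storage_account_id": EXPECTED_ACCOUNT}
CASES = {
    "works": (STEP, "my-own-app", "playground", EXPECTED_ACCOUNT),
    "wrong environment": (STEP, "my-own-app", "proid", EXPECTED_ACCOUNT),
    "wrong app": (STEP, "joke-teller-app", "playground", EXPECTED_ACCOUNT),
    "account not set": ({**STEP, "azure_storage_account_id": "${{ vars.AZURE_STORAGE_ACCOUNT_ID }}"},
                        "my-own-app", "playground", EXPECTED_ACCOUNT),
}

if __name__ == "__main__":
    for label, args in CASES.items():
        print(f"{label}: {preflight(*args) or 'OK'}")
```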

Specs

The logs' clear use case is debugging, application insights and the secure development of apps. A developer can consult them in the rare event of discovering an edge case only in production or when triaging an issue not seen before.

Unique strongly discourages debugging in production (near live) and advocates for a proper SSDL (like its own Secure Software Development Lifecycle). These logs are not meant to be used for live debugging; apps are to be properly tested before being deployed to production environments.

Logs

Naturally, the maximum duration of logs you can browse is limited by the Retention. The UI currently shows only the last 48 hours (formerly 10 hours) of logs in separate entries. If the feature matures, further improvements could be made in this regard.

The logs are not live streams; in the worst case it can take some minutes (<10) for them to appear. Each hour a new file gets created by Azure Monitor, and Unique caches the last 10 hours (except the most recent one), refreshing the latter nine every hour. Unique does not offer real-time log streaming. Clients requiring faster scrape intervals than Azure Monitor's maximum 5 minute interval must self-host their apps.

The logs capture stdout (the console), which means they also show container or boot errors and the like.

...

Azure Monitor is the only allowed writer to the account, while the App Repository (via Workload Identity) is the sole reader (both via RBAC). No humans have access to the account, not even via PIM or privileged roles.

Secure Deployment

See Hosted SDK, only mentioned here for completeness.

Log scrubbing

The setup does not scrub or sanitize the logs. If developers log classified data, it will be present in the logs for the whole retention period. The Legal Amendment to the Co-Development Agreement holds more information about the logs, their use case (and non-use case) and how developers must interact with them.

...