Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 6 Next »

This feature is EXPERIMENTAL. Learn what this means…

When this feature matures, its documentation will move into Products.

App Logs allow users with the admin.app-repository.* role to see the standard out logs of an app which was deployed via the Hosted SDK option.

Apps that are self-hosted or not deployed via Unique will not show any logs at this time.

image-20240515-120418.png

The App Logs setup is neither simple nor rocket science but was chosen with a bit of scalability in mind. This is why logs get written to a Storage Account via a Diagnostic setting. Instead of putting the logs into the clients database, producing unnecessary load to the database, the development debug logs (App Logs) are put into a Storage Account and get read back from there to display them in the App Repository.

Learn more about some of the architectural components below in https://unique-ch.atlassian.net/wiki/spaces/PUB/pages/545292322/App+Logs#Architecture and how they are secured in https://unique-ch.atlassian.net/wiki/spaces/PUB/pages/545292322/App+Logs#Security .

Get started

Pre-requisites

In order to leverage the logs, these bullets have to be fulfilled:

  • Valid contract holder of Hosted SDK

  • Acknowledged https://unique-ch.atlassian.net/wiki/x/moB5I

  • Push permissions on a Unique owned/controlled and deployed GitHub Repository

  • admin.app-repository.* on the Unique instances where the logs should be seen

  • Noted down environment names (provided inside the GitHub Repository) and the module names

  • The Unique instance (Single Tenant) must have been enabled for logs (its apps deployments)

    • PaaS is enabled by default

Deploying a module with the logs enabled

In order to activate the logging to the Monitor/Storage Account, deployments with GitHub Actions have to be either created or modified.

sdk-deploy-template/readme#upgrading instructs developers on how the actions have to be modified.

Enabling the logs

The App Repository will not show logs directly. You must edit your app and pass in the azureEnvironmentName which is the same name as your GitHub environment you are deploying from.

You will not see any logs if you did not deploy with the logs enabled, see above!

image-20240515-115842.png

Or add it from beginning if the app is new

image-20240515-115820.png

then Save

🕐 Wait some minutes so something actually gets written and propagated

image-20240515-120008.png

The apps Name and Azure Environment Name must match exactly the values of the deployed app. If they do not match, no logs will be shown!

Note that the _ in the example changes with -.

In case you made a mistake, you can simply rename your app in the UI itself via Edit button.

Deploying Action

In the App Repository

Works (tick)

uses: Unique-AG/sdk-deploy-action@v3 # >v3
  with:
    module: my_own_app
    environment: playground

Name: my-own-app

Azure Environment Name: playground

Does not work 🤯

uses: Unique-AG/sdk-deploy-action@v3 # >v3
  with:
    module: my_own_app
    environment: playground

Name: my-own-app

Azure Environment Name: proid

Does not work 🤯

uses: Unique-AG/sdk-deploy-action@v3 # >v3
  with:
    module: my_own_app
    environment: playground

Name: joke-teller-app

Azure Environment Name: playground

Specs

The logs clear use case is application insights and secure development of apps. A developer can consult them in the rare event of discovering an edge case only in production or when triaging an unseen issue.

Unique strongly discourages debugging in production (near live) and advocates for a proper SSDL (like its own Secure Software Development Lifecycle). These logs are not meant to be used for live-debugging, apps are to be properly tested before being deployed to production environments.

Logs

Naturally, the maximum duration of logs you can browse are limited by the Retention. The UI currently shows only the last 10 hours of logs in separate entries. If the feature matures, further improvements could be done on this behalf.

The logs are not live streams, it can take some worst case some minutes for them to appear. Unique does not offer real time log streaming. Clients requiring faster scrape intervals than Azure Monitors maximum 5 minute interval must self host apps.

Each hour a new file gets created by the Azure Monitor and Unique caches the last 10 hours (except the last one) refreshing them every hour (the latter nine).

The logs capture stdout (the console), means they also show container or boot errors etc.

The logs contain two timestamps:

image-20240515-120135.png

More ideas

Let Unique know via a known-to-you channel what can be improved or added to the App Logs. Be aware that since this is EXPERIMENTAL Unique does not commit to implement the feedback directly or ever but will for sure take it up valuably.

Limitations

The App Logs (including their endpoints) must never be used to store any form of data, implement automations or triaging issues with clients data held within Unique. Unique reserves the right to disable and remove logs that violate Legal Amendment to the Co-Development Agreement or put its clients at risk.

Architecture

Security

Storage Account

The storage account is Customer Managed Key encrypted while Unique holds the key in an Azure Key Vault. The key size is 2048, type RSA and HSM backed. Its minimum TLS version is 1.2.

Retention

The retention is defaulted to 7 days. Clients can request changes to this period between 1 and 31 days. As these are logs for developers only, longer or no retention periods are not supported. Clients with different logging requirements must self-host apps.

Permissions

Azure Monitor is the only allowed writer to the account while the App Repository (via Workload Identity) is the sole reader (both via RBAC). No humans have access to the account, also not via PIM or privileged roles.

Secure Deployment

See Hosted SDK, only mentioned here for completeness.

Log scrubbing

The setup does not scrub the logs or sanitize them. If developers log classified data, it will be present in the logs within the retention period. The Legal Amendment to the Co-Development Agreement holds more information about the logs and their use case (or not-use-case) and how developers must interact with them.

Unique can emergency delete the logs on a clients request at an hourly rate, see the amendment for that as well. In that case, all logs of the period for the affected app/module will be deleted (not selectively).


  • No labels