App Logs

This feature is EXPERIMENTAL. Learn what this means…

When this feature matures, its documentation will move into https://unique-ch.atlassian.net/wiki/pages/createpage.action?spaceKey=PUB&title=Products&linkCreation=true&fromPageId=545128582.

 

Figure: Overview of the logs in an example

The App Logs setup is neither simple nor rocket science, but it was chosen with a bit of scalability in mind. This is why logs get written to a Storage Account via a Diagnostic setting. Instead of putting the logs into the client's database, which would produce unnecessary load on it, the application logs (App Logs) are written to a Storage Account and read back from there to display them in the App Repository.

Get started

Pre-requisites

To use the logs, the following prerequisites must be met:

  • Valid contract holder of Hosted SDK

  • Acknowledged https://unique-ch.atlassian.net/wiki/x/moB5I

  • Push permissions on a Unique owned/controlled and deployed GitHub Repository

  • admin.app-repository.* on the Unique instances where the logs should be seen

  • Noted down environment names (provided inside the GitHub Repository) and the module names

  • The Unique instance (Single Tenant) must have logs enabled for its app deployments

    • PaaS is enabled by default

Deploying a module with the logs enabled

In order to activate the logging to the Monitor/Storage Account, deployments with GitHub Actions have to be either created or modified.

sdk-deploy-template/readme#upgrading instructs developers on how the actions have to be modified.

Enabling the logs

The App Repository will not show logs on its own. You must edit your app and pass in the azureEnvironmentName, which must be the same name as the GitHub environment you are deploying from.

You will not see any logs if you did not deploy with the logs enabled, see above!

 

Edit the app (or add the value from the beginning if the app is new), then Save.

Wait a few minutes so that something actually gets written and propagated.

 

 

 

Works

  Deploying Action:

    uses: Unique-AG/sdk-deploy-action@v3 # >v3
    with:
      module: my_own_app
      environment: playground
      azure_storage_account_id: ${{ vars.AZURE_STORAGE_ACCOUNT_ID }}

  In the App Repository:

    Name: my-own-app
    Azure Environment Name: playground

Does not work

  Deploying Action:

    uses: Unique-AG/sdk-deploy-action@v3 # >v3
    with:
      module: my_own_app
      environment: playground
      azure_storage_account_id: ${{ vars.AZURE_STORAGE_ACCOUNT_ID }}

  In the App Repository:

    Name: my-own-app
    Azure Environment Name: proid

Does not work

  Deploying Action:

    uses: Unique-AG/sdk-deploy-action@v3 # >v3
    with:
      module: my_own_app
      environment: playground
      azure_storage_account_id: ${{ vars.AZURE_STORAGE_ACCOUNT_ID }}

  In the App Repository:

    Name: joke-teller-app
    Azure Environment Name: playground

Does not work

  In the App Repository:

    Name: my-own-app
    Azure Environment Name: playground

  Forgetting to set the correct account.

Specs

The logs' clear use case is application insights and secure development of apps. A developer can consult them in the rare event of discovering an edge case only in production or when triaging an unseen issue.

Unique strongly discourages debugging in production (near live) and advocates for a proper SSDL (like its own Secure Software Development Lifecycle). These logs are not meant to be used for live debugging; apps are to be properly tested before being deployed to production environments.

Logs

Naturally, the maximum duration of logs you can browse is limited by the Retention. The UI currently shows only the last 48 hours of logs in separate entries. If the feature matures, further improvements could be made in this regard.

The logs are not live streams; in the worst case it can take some minutes for them to appear. Unique does not offer real-time log streaming. Clients requiring faster scrape intervals than Azure Monitor's maximum 5 minute interval must self-host apps.

The logs capture stdout (the console), which means they also show container or boot errors etc.

The logs contain two timestamps:

 

 

More ideas

Let Unique know via a channel known to you what can be improved or added to the App Logs. Be aware that since this is EXPERIMENTAL, Unique does not commit to implementing the feedback directly or ever, but will certainly value it.

Limitations

The App Logs (including their endpoints) must never be used to store any form of data, implement automations or triage issues with clients' data held within Unique. Unique reserves the right to disable and remove logs that violate the Legal Amendment to the Co-Development Agreement or put its clients at risk.

Architecture

Security

Storage Account

The Storage Account is encrypted with a Customer Managed Key, and Unique holds the key in an Azure Key Vault. The key size is 2048, type RSA and HSM backed. The Storage Account's minimum TLS version is 1.2.

Retention

The retention defaults to 7 days. Clients can request changes to this period between 1 and 31 days. As these are logs for developers only, longer or no retention periods are not supported. Clients with different logging requirements must self-host apps.

Permissions

Azure Monitor is the only allowed writer to the account, while the App Repository (via Workload Identity) is the sole reader (both via RBAC). No humans have access to the account, not even via PIM or privileged roles.

Secure Deployment

Log scrubbing

The setup does not scrub the logs or sanitize them. If developers log classified data, it will be present in the logs within the retention period. The Legal Amendment to the Co-Development Agreement holds more information about the logs and their use case (or not-use-case) and how developers must interact with them.

Unique can emergency delete the logs on a client's request at an hourly rate; see the amendment for that as well. In that case, all logs of the period for the affected app/module will be deleted (not selectively).
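Because nothing between stdout and the Storage Account removes sensitive values, redaction has to happen inside the app before a line is written. The following is an added example, not code from this page or from Unique's SDK; it assumes a Python app that logs through the standard logging module, and the patterns, the logger name and the sample values are constructed for illustration.

```python
import io
import logging
import re
import sys

# Constructed patterns; extend them to whatever counts as classified in your app.
PATTERNS = [
    (re.compile(r"(?i)\b(bearer)\s+[A-Za-z0-9._~+/=-]{8,}"), r"\1 [REDACTED]"),
    (re.compile(r"(?i)\b(api[_-]?key|token|secret|password)(\s*[=:]\s*)"
                r"(\"[^\"]*\"|'[^']*'|[^\s,;&]+)"), r"\1\2[REDACTED]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), "[REDACTED_EMAIL]"),
]

def scrub(text: str) -> str:
    """Apply every redaction pattern to one log line (or traceback)."""
    for pattern, replacement in PATTERNS:
        text = pattern.sub(replacement, text)
    return text

class ScrubbingFormatter(logging.Formatter):
    """Redacts the fully formatted output, so %-args and tracebacks are covered."""
    def format(self, record: logging.LogRecord) -> str:
        return scrub(super().format(record))

def build_logger(name: str = "my_own_app", stream=None) -> logging.Logger:
    # stdout is what ends up in the App Logs, so the scrubbing sits on that handler.
    handler = logging.StreamHandler(stream or sys.stdout)
    handler.setFormatter(ScrubbingFormatter("%(asctime)s %(levelname)s %(name)s %(message)s"))
    logger = logging.getLogger(name)
    logger.handlers[:] = [handler]
    logger.setLevel(logging.INFO)
    logger.propagate = False  # avoid an unscrubbed duplicate via the root logger
    return logger

def demo() -> str:
    # Constructed log calls; output is captured in memory instead of stdout.
    buf = io.StringIO()
    log = build_logger(stream=buf)
    log.info("login user=%s password=%s", "jane.doe@example.com", "hunter2")
    log.info("calling API with Authorization: Bearer %s", "abcDEF123456.xyz")
    try:
        raise ValueError("bad api_key=sk-constructed-0001")
    except ValueError:
        log.exception("request failed")
    return buf.getvalue()

if __name__ == "__main__":
    sys.stdout.write(demo())
```

Output written with print() bypasses the formatter and reaches the captured stdout unscrubbed, so route app output through the logger.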

 


Author

@Dominik Meyer

© 2024 Unique AG. All rights reserved.