This feature is EXPERIMENTAL
. Learn what this means…
When this feature matures, its documentation will move into Products.
admin.app-repository.*
role to see the standard out logs of an app which was deployed via the Hosted SDK option.Apps that are self-hosted or not deployed via Unique will not show any logs at this time.
The App Logs setup is neither simple nor rocket science but was chosen with a bit of scalability in mind. This is why logs get written to a Storage Account via a Diagnostic setting. Instead of putting the logs into the clients database, producing unnecessary load to the database, the development debug logs (App Logs) are put into a Storage Account and get read back from there to display them in the App Repository.
Learn more about some of the architectural components below in https://unique-ch.atlassian.net/wiki/spaces/PUB/pages/545292322/App+Logs#Architecture and how they are secured in https://unique-ch.atlassian.net/wiki/spaces/PUB/pages/545292322/App+Logs#Security .
Get started
Pre-requisites
In order to leverage the logs, these bullets have to be fulfilled:
Valid contract holder of Hosted SDK
Acknowledged https://unique-ch.atlassian.net/wiki/x/moB5I
Push permissions on a Unique owned/controlled and deployed GitHub Repository
admin.app-repository.*
on the Unique instances where the logs should be seenNoted down environment names (provided inside the GitHub Repository) and the module names
The Unique instance (Single Tenant) must have been enabled for logs (its
apps
deployments)PaaS is enabled by default
Deploying a module with the logs enabled
In order to activate the logging to the Monitor/Storage Account, deployments with GitHub Actions have to be either created or modified.
sdk-deploy-template/readme#upgrading instructs developers on how the actions have to be modified.
Enabling the logs
The App Repository will not show logs directly. You must edit your app and pass in the azureEnvironmentName
which is the same name as your GitHub environment
you are deploying from.
You will not see any logs if you did not deploy with the logs enabled, see above!
Or add it from beginning if the app is new | then Save | 🕐 Wait some minutes so something actually gets written and propagated |
The apps Name
and Azure Environment Name
must match exactly the values of the deployed app. If they do not match, no logs will be shown!
Note that the _ in the example changes with -.
In case you made a mistake, you can simply rename your app in the UI itself via Edit
button.
Deploying Action | In the App Repository | |
---|---|---|
Works | uses: Unique-AG/sdk-deploy-action@v3 # >v3 with: module: my_own_app environment: playground | Name: Azure Environment Name: |
Does not work 🤯 | uses: Unique-AG/sdk-deploy-action@v3 # >v3 with: module: my_own_app environment: playground | Name: Azure Environment Name: |
Does not work 🤯 | uses: Unique-AG/sdk-deploy-action@v3 # >v3 with: module: my_own_app environment: playground | Name: Azure Environment Name: |
Specs
The logs clear use case is debugging and secure development of apps.
Logs
Naturally, the maximum duration of logs you can browse are limited by the Retention. The UI currently shows only the last 10 hours of logs in separate entries. If the feature matures, further improvements could be done on this behalf.
The logs are not live streams, it can take some worst case some minutes for them to appear (<10).
Each hour a new file gets created by the Azure Monitor and Unique caches the last 10 hours (except the last one) refreshing them every hour (the latter nine).
The logs capture stdout
(the console), means they also show container or boot errors etc.
The logs contain two timestamps:
More ideas
Let Unique know via a known-to-you channel what can be improved or added to the App Logs. Be aware that since this is EXPERIMENTAL
Unique does not commit to implement the feedback directly or ever but will for sure take it up valuably.
Limitations
The App Logs (including their endpoints) must never be used to store any form of data, implement automations or triaging issues with clients data held within Unique. Unique reserves the right to disable and remove logs that violate Legal Amendment to the Co-Development Agreement or put its clients at risk.
Architecture
Security
Storage Account
The storage account is Customer Managed Key encrypted while Unique holds the key in an Azure Key Vault. The key size is 2048, type RSA and HSM backed. Its minimum TLS version is 1.2.
Retention
The retention is defaulted to 7 days. Clients can request changes to this period between 1 and 31 days. As these are logs for developers only, longer or no retention periods are not supported. Clients with different logging requirements must self-host apps.
Permissions
Azure Monitor is the only allowed writer to the account while the App Repository (via Workload Identity) is the sole reader (both via RBAC). No humans have access to the account, also not via PIM or privileged roles.
Secure Deployment
See Hosted SDK, only mentioned here for completeness.
Log scrubbing
The setup does not scrub the logs or sanitize them. If developers log classified data, it will be present in the logs within the retention period. The Legal Amendment to the Co-Development Agreement holds more information about the logs and their use case (or not-use-case) and how developers must interact with them.
Unique can emergency delete the logs on a clients request at an hourly rate, see the amendment for that as well. In that case, all logs of the period for the affected app/module will be deleted (not selectively).
Author |
---|