Logging, diagnostics, and observability gap detection

Domain: monitoring

---

Check	Description
ANTI-MON-001	Log retention set to 0 days — set retention_in_days to at least 30 for POC.
ANTI-MON-002	Logging or metrics disabled in diagnostic settings — enable both for observability.
ANTI-MON-003	InstrumentationKey detected — use ConnectionString (APPLICATIONINSIGHTS_CONNECTION_STRING) instead.

---

Log retention set to 0 days — set retention_in_days to at least 30 for POC.

Rationale: Zero retention means logs are immediately discarded, making incident investigation impossible.
Agents: terraform-agent, bicep-agent

Services	Triggers On	Correct Patterns
Microsoft.Insights/diagnosticSettings Microsoft.OperationalInsights/workspaces	'retention_in_days = 0' 'retention_days = 0'	'retention_in_days = 30' 'retentionInDays = 30'

---

Logging or metrics disabled in diagnostic settings — enable both for observability.

Rationale: Disabled log or metric collection creates blind spots where failures and security events go undetected.
Agents: terraform-agent, bicep-agent

Services	Triggers On	Correct Patterns
Microsoft.Insights/diagnosticSettings	'enabled_log_category = []' 'logs_enabled = false' 'metrics_enabled = false'	'logs_enabled = true' 'metrics_enabled = true' '# Enable diagnostic settings for all PaaS resources'

---

InstrumentationKey detected — use ConnectionString (APPLICATIONINSIGHTS_CONNECTION_STRING) instead.

Rationale: InstrumentationKey is deprecated by Microsoft. ConnectionString is the supported integration point and includes region routing.
Agents: terraform-agent, bicep-agent, app-developer, csharp-developer, python-developer

Services	Triggers On	Correct Patterns
Microsoft.Insights/components Microsoft.App/containerApps Microsoft.Web/sites	'instrumentation_key' 'instrumentationkey'	'connection_string' 'APPLICATIONINSIGHTS_CONNECTION_STRING' '# Use connection_string instead of InstrumentationKey'

---