`Microsoft.Insights/diagnosticSettings` being forced to recreate
Create a new Microsoft.Insights/diagnosticSettings with azapi_resource
```
  + resource "azapi_resource" "diag" {
      + body = jsonencode(
            {
              + properties = {
                  + logs = [
                      + {
                          + category = "Administrative"
                          + enabled = true
                        },
                      + {
                          + category = "Security"
                          + enabled = true
                        },
                      + {
                          + category = "ServiceHealth"
                          + enabled = true
                        },
                      + {
                          + category = "Alert"
                          + enabled = true
                        },
                      + {
                          + category = "Recommendation"
                          + enabled = true
                        },
                      + {
                          + category = "Policy"
                          + enabled = true
                        },
                      + {
                          + category = "Autoscale"
                          + enabled = true
                        },
                      + {
                          + category = "ResourceHealth"
                          + enabled = true
                        },
                    ]
                  + workspaceId = "/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.OperationalInsights/workspaces/logs"
                }
            }
        )
      + id = (known after apply)
      + ignore_casing = false
      + ignore_missing_property = true
      + name = "logs"
      + output = (known after apply)
      + parent_id = "/subscriptions/REDACTED"
      + removing_special_chars = false
      + schema_validation_enabled = true
      + type = "Microsoft.Insights/diagnosticSettings@2021-05-01-preview"
    }
```
apply is OK
```
module.xx.module.xx[0].azapi_resource.diag: Creating...
module.xx.module.xx[0].azapi_resource.diag: Creation complete after 3s [id=/subscriptions/REDACTED/providers/Microsoft.Insights/diagnosticSettings/logs]
```
then run apply or plan again
```
-/+ resource "azapi_resource" "diag" {
      ~ id = "/subscriptions/REDACTED/providers/Microsoft.Insights/diagnosticSettings/logs" -> (known after apply)
      - location = "global" -> null # forces replacement
        name = "logs"
      ~ output = jsonencode({}) -> (known after apply)
        # (7 unchanged attributes hidden)
    }
```
Setting location for Microsoft.Insights/diagnosticSettings leads to a schema validation error; the only workaround is to set

```
location = "global"
schema_validation_enabled = false
```
Versions
```
Terraform v1.8.3
on darwin_arm64
+ provider registry.terraform.io/azure/azapi v1.13.1
```
Resource doc: https://learn.microsoft.com/en-us/azure/templates/microsoft.insights/diagnosticsettings?pivots=deployment-language-terraform
Thanks for the issue @kaplik! I'm struggling to repro this, as I'm running into a 400 myself. I'm wondering if this is a service-side issue. @ms-henglu can you take a look at this issue?
```
│ Error: Failed to retrieve resource
│
│   with azapi_resource.diag,
│   on main.tf line 49, in resource "azapi_resource" "diag":
│   49: resource "azapi_resource" "diag" {
│
│ checking for presence of existing Resource: (ResourceId "/subscriptions/REDACTED/resourceGroups/playground-resources/providers/Microsoft.Insights/diagnosticSettings/logs" / Api Version "2021-05-01-preview"): GET https://management.azure.com/subscriptions/REDACTED/resourceGroups/playground-resources/providers/Microsoft.Insights/diagnosticSettings/logs
│ --------------------------------------------------------------------------------
│ RESPONSE 400: 400 Bad Request
│ ERROR CODE: ResourceTypeNotSupported
│ --------------------------------------------------------------------------------
│ {
│   "code": "ResourceTypeNotSupported",
│   "message": "The resource type '/' does not support diagnostic settings."
│ }
│ --------------------------------------------------------------------------------
│
```
@stemaMSFT sorry, I should have mentioned this in the issue description. Try to set the diag settings on the subscription level, like this:
```
resource "azapi_resource" "diag" {
  type      = "Microsoft.Insights/diagnosticSettings@2021-05-01-preview"
  name      = local.diag_name
  parent_id = var.subscription_resource_id
  # location = "global"
  # schema_validation_enabled = false
  body = jsonencode({
    properties = {
      workspaceId = ...
      logs = ....
    }
  })
}
```
I have tried to remove the definition from the code completely, apply it (which destroyed the resources), and then put it back into the code and apply, then apply again, which leads to a change in the region (I suppose that Azure internally keeps the resource as global and returns it from the API, but Terraform is sending null as location is undefined on the resource level in the code).
Makes sense. It looks like there's somewhere within the resource's API that is allowing you to create the resource without a specified location and sets it to global in the backend, then Terraform state sees the missing/lacking location. @ms-henglu if this is the case, do we have a way to better catch these sorts of gotchas and avoid re-apply errors? I'd imagine a similar mechanism might also need to be in place in the case of destroy/recreate.
@stemaMSFT based on the documentation - https://learn.microsoft.com/en-us/azure/templates/microsoft.insights/diagnosticsettings?pivots=deployment-language-bicep it looks like location is not required for these resources (which kinda makes sense as diagnostic settings is always a sub resource of another resource)...
Try this AZ CLI command; the API is really returning location: global even though location is not required as an input...
```
az resource show --ids /subscriptions/REDACTED/providers/microsoft.insights/diagnosticSettings/test --api-version 2021-05-01-preview
```

```
{
  "extendedLocation": null,
  "id": "subscriptions/REDACTED/providers/microsoft.insights/diagnosticSettings/test",
  "identity": null,
  "kind": null,
  "location": "global",
  "managedBy": null,
  "name": "test",
  "plan": null,
  "properties": {
    "logs": [
      {
        "category": "Administrative",
        "categoryGroup": null,
        "enabled": true
      },
      {
        "category": "Security",
        "categoryGroup": null,
        "enabled": false
      },
      {
        "category": "ServiceHealth",
        "categoryGroup": null,
        "enabled": false
      },
      {
        "category": "Alert",
        "categoryGroup": null,
        "enabled": false
      },
      {
        "category": "Recommendation",
        "categoryGroup": null,
        "enabled": false
      },
      {
        "category": "Policy",
        "categoryGroup": null,
        "enabled": false
      },
      {
        "category": "Autoscale",
        "categoryGroup": null,
        "enabled": false
      },
      {
        "category": "ResourceHealth",
        "categoryGroup": null,
        "enabled": false
      }
    ],
    "workspaceId": "/subscriptions/REDACTED/resourceGroups/REDACTED/providers/Microsoft.OperationalInsights/workspaces/test"
  },
  "sku": null,
  "tags": null,
  "type": "Microsoft.Insights/diagnosticSettings"
}
```
Hi @kaplik ,
Thank you for taking time to report this issue.
This seems to be a mismatch between the API and the swagger definition. I've opened this issue to track it: https://github.com/Azure/azure-rest-api-specs/issues/29198
As a workaround, please add `location = "global"` to the config and disable the schema validation.
Thanks @stemaMSFT for helping investigate it.
I'll close this issue in favor of https://github.com/Azure/terraform-provider-azapi/issues/655 which also includes other resource types that have the same issue.
Please subscribe to https://github.com/Azure/terraform-provider-azapi/issues/655 for any updates. Thanks.
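
A CI guard for the behaviour reported in this thread, added here as an example and not code from the issue or from the azapi provider: it reads the JSON form of a plan (`terraform show -json <planfile>`) and reports every `azapi_resource` diagnostic setting that the plan would delete, along with the attributes forcing the replacement. The sample plan is constructed to mirror the second plan above, and the function name `diag_deletions` is an assumption of this example.

```python
import json

# Constructed sample in the shape of `terraform show -json <planfile>`,
# mirroring the second plan in this issue; not captured from a real run.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {
        "address": "module.xx.module.xx[0].azapi_resource.diag",
        "type": "azapi_resource",
        "change": {
            "actions": ["delete", "create"],
            "before": {
                "type": "Microsoft.Insights/diagnosticSettings@2021-05-01-preview",
                "location": "global",
            },
            "replace_paths": [["location"]],
        },
    },
    {   # unrelated resource with nothing to do (type is illustrative)
        "address": "azapi_resource.other",
        "type": "azapi_resource",
        "change": {"actions": ["no-op"],
                   "before": {"type": "Microsoft.Example/things@2020-01-01"}},
    },
]})

DIAG_TYPE = "microsoft.insights/diagnosticsettings"

def diag_deletions(plan_json):
    """List (address, attributes forcing replacement) for every azapi
    diagnostic setting the plan would delete or delete-and-recreate."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc.get("change") or {}
        if rc.get("type") != "azapi_resource" or "delete" not in change.get("actions", []):
            continue
        # azapi stores the ARM type as "<type>@<api-version>"; compare the type only.
        before = change.get("before") or {}
        arm_type = str(before.get("type", "")).split("@")[0].lower()
        if arm_type != DIAG_TYPE:
            continue
        paths = change.get("replace_paths") or []
        forcing = sorted(".".join(str(step) for step in p) for p in paths)
        findings.append((rc["address"], forcing))
    return findings

if __name__ == "__main__":
    for address, forcing in diag_deletions(SAMPLE_PLAN):
        print(f"{address}: delete planned, forced by {forcing or 'n/a'}")
```

A non-empty result on a plan that should be a no-op is the signal to apply the workaround from this thread before the apply deletes and recreates the setting that sends these log categories to the workspace.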