monitor_diagnostic_setting_resource crashes with Error: ID was missing the authorizationRules element

[andrey-dubnik]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

azurerm 2.42.0
terraform 0.12.30

Affected Resource(s)

• monitor_diagnostic_setting_resource

Issue Description

Over the last few days we start having issues with the infrastructure builds and modifications while using the diagnostics resource.

The cause seem to be the diagnostic receives AuthorizationRules where Azure SDK change now requires authorizationRules.

Following is the current state representation

{
      "module": "module.bastionhost.module.bastion_diagnostics",
      "mode": "managed",
      "type": "azurerm_monitor_diagnostic_setting",
      "name": "logs",
      "each": "list",
      "provider": "provider.azurerm",
      "instances": [
        {
          "index_key": 0,
          "schema_version": 0,
          "attributes": {
            "eventhub_authorization_rule_id": "/subscriptions/****/resourceGroups/rgpazewp-udm-cms/providers/Microsoft.EventHub/namespaces/udmcmsuf-prod-ehnm/AuthorizationRules/DataWriter",

Accordingly to the code event rule gets parsed when received from the diagnostics resource

https://github.com/terraform-providers/terraform-provider-azurerm/blob/31341dda6bf1c8771b2f57e54522961872dfcddd/azurerm/internal/services/monitor/monitor_diagnostic_setting_resource.go#L321

Result of the parse ends up being "Error: ID was missing the authorizationRules element" cause Parse logic expects authorizationRules in the path...

The obvious fix would be to alter the retrieved ID and replace AuthorizationRules with authorizationRules but I suspect there may be a better option?

[andrey-dubnik]

P.S. the issue here is not the state but the actual ID resource returns - e.g. AuthorizationRules VS authorizationRules hence the parse fails. This also only affect existing resources which originally were configured with AuthorizationRules , new builds work just fine as they only accept and return authorizationRules.

[ecarlson94]

This is a breaking change between 2.41 and 2.42 that has cause my company a massive headache.

[andrey-dubnik]

@tombuildsstuff @katbyte is this possible to cut a release with a fix as the impact of this issue is indeed widespread?

[tombuildsstuff]

Fixed via #10104

@andrey-dubnik the next release will go out Thursday - since there's several other instances of this to fix in the interim unfortunately

[ghost]

This has been released in version 2.43.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

provider "azurerm" {
    version = "~> 2.43.0"
}
# ... other configuration ...

[travis-crowder-kr]

TF Version: 0.13.5
AzureRM Provider: 2.43.0

State content:

      "module": "module.XXX.module.diag_monitor",
      "mode": "managed",
      "type": "azurerm_monitor_diagnostic_setting",
      "name": "kv_keyvault",
      "provider": "provider[\"registry.terraform.io/hashicorp/azurerm\"]",
      "instances": [
        {
          "schema_version": 0,
          "attributes": {
            "eventhub_authorization_rule_id": "/subscriptions/XXXXa3d7-XXXX-XXXX-XXXX-670d4c28XXXX/resourceGroups/cloud-monitoring/providers/Microsoft.EventHub/namespaces/XXXXX-eventhub-namespace/AuthorizationRules/RootManageSharedAccessKey",
            "eventhub_name": "insights-operational-logs",
            "id": "/subscriptions/XXXXa3d7-XXXX-XXXX-XXXX-670d4c28XXXX/resourceGroups/XXXXX/providers/Microsoft.KeyVault/vaults/kv-XXXX|keyvault_to_XXX",
            ....

Created with 2.41.0:

resource "azurerm_monitor_diagnostic_setting" "test" {
  name                           = var.name
  target_resource_id             = var.target-id
  eventhub_name                  = var.eventhub-name
  eventhub_authorization_rule_id = var.eventhub-auth-rule-id
}

Output:
Error: ID was missing the authorizationRules element

Expected:
Case insensitive parser to work

Is 2.43.0 supposed to fix the breaking changes or are users expected to recreate rules?

[andrey-dubnik]

@CrowderKroger 2.43 fixed the issue for my teams. Fix only target the retrofit scenario where resources were created with the AuthorizationRules. I suggest validating that you are passing correct syntax (/authorizationRules/) via the var.eventhub-auth-rule-id as it may be the input still have AuthorizationRules. This will trigger the issue as Input validation was not intentionally changed to the case insensitive in order to make sure the input value is correctly formed in line with the SDK specifications.

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!