Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
Please do not leave comments along the lines of "+1", "me too" or "any updates", they generate extra noise for issue followers and do not help prioritize the request
If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.
Description
Azure supports scoping of VNET flow logs onto a subnet. This is not yet possible via Terraform.
Fun fact: Importing a subnet resource actually works, but the ID validation will still fail.
New or Affected Resource(s)/Data Source(s)
azurerm_network_watcher_flow_log
Potential Terraform Configuration
```hcl
## Expectation
resource "azurerm_network_watcher_flow_log" "vnet_flow_log_test" {
  # name and rg are the same for nonprod and prod
  # because it's created automatically by Azure when Subscription is created
  name                 = "${azurerm_subnet.test_sn.name}-vnet-flow-log"
  enabled              = true
  version              = 2
  network_watcher_name = "NetworkWatcher_germanywestcentral"
  resource_group_name  = "NetworkWatcherRG"
  target_resource_id   = azurerm_subnet.test_sn.id
  storage_account_id   = var.vnet_flow_logs_storage_account.id

  retention_policy {
    enabled = true
    days    = 30
  }

  traffic_analytics {
    enabled               = true
    workspace_id          = var.log_analytics_workspace.workspace_id
    workspace_region      = var.log_analytics_workspace.location
    workspace_resource_id = var.log_analytics_workspace.id
    interval_in_minutes   = 10
  }
}
```
Terraform plan (fails)
```
│ Error: parsing "/subscriptions/xxx/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/test_sn": parsing segment "staticNetworkSecurityGroups": parsing the NetworkSecurityGroup ID: the segment at position 6 didn't match
│
│ Expected a NetworkSecurityGroup ID that matched:
│
│ > /subscriptions/12345678-1234-9876-4563-123456789012/resourceGroups/example-resource-group/providers/Microsoft.Network/networkSecurityGroups/networkSecurityGroupName
│
│ However this value was provided:
│
│ > /subscriptions/xxx/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/test_sn
│
│ The parsed Resource ID was missing a value for the segment at position 6
│ (which should be the literal value "networkSecurityGroups").
│
│
│
│   with module.xxx.azurerm_network_watcher_flow_log.vnet_flow_log_test,
│   on ../../modules/xxx/test.tf line 67, in resource "azurerm_network_watcher_flow_log" "vnet_flow_log_test":
│   67:   target_resource_id   = azurerm_subnet.test_sn.id
```
Terraform import (works)
```
terraform import module.xxx.azurerm_network_watcher_flow_log.vnet_flow_log_test /subscriptions/xxx/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_germanywestcentral/flowLogs/test-flowlog
[...]
module.xxx.azurerm_network_watcher_flow_log.vnet_flow_log_test: Import prepared!
  Prepared azurerm_network_watcher_flow_log for import
[...]
Import successful!

The resources that were imported are shown above. These resources are now in
your Terraform state and will henceforth be managed by Terraform.
```
Afterwards, Terraform plan will fail once again with the validation.
I tried switching the resource to a `network_security_group_id`, just to get the plan working. The changes proposed are as follows. Old is the imported resource, new is my nsg_id.
You can see that the `target_resource_id` the import uses is actually what we would expect; it seems only the validation is actually broken right now and does not support subnet scoping.
PS: The documentation is also out of date and still showing `network_security_group_id` instead of `target_resource_id`.
### References
_No response_
…get_resource_id` (#28177)
* `azurerm_network_watcher_flow_log`: Add 2 more resource types to `target_resource_id`
Added NIC and subnet as accepted value types for `target_resource_id`.
Fixes #28175
* fmt
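To make concrete both the validation failure the issue reports (a subnet ID rejected because position 6 is not `networkSecurityGroups`) and the widening the fix commit describes (NIC and subnet added as accepted `target_resource_id` types), here is an added Go example. It is not the provider's own code: the `splitID` parser, the `TargetKind` names and the two `Validate*` functions are my own construction, and the sample IDs are either quoted from the issue or constructed to match their shape.

```go
package main

import (
	"fmt"
	"strings"
)

// TargetKind is the kind of Azure resource a flow log can be scoped to.
// The names are my own; they are not provider identifiers.
type TargetKind string

const (
	TargetUnknown TargetKind = ""
	TargetNSG     TargetKind = "networkSecurityGroups" // the only kind the old validation accepted
	TargetVNet    TargetKind = "virtualNetworks"
	TargetSubnet  TargetKind = "subnets"
	TargetNIC     TargetKind = "networkInterfaces"
)

// splitID breaks an ARM resource ID into its path segments, rejecting
// empty segments and IDs that do not pair every key with a value.
func splitID(id string) ([]string, error) {
	trimmed := strings.Trim(id, "/")
	if trimmed == "" {
		return nil, fmt.Errorf("empty resource id")
	}
	segs := strings.Split(trimmed, "/")
	if len(segs)%2 != 0 {
		return nil, fmt.Errorf("resource id %q has an unpaired segment", id)
	}
	for _, s := range segs {
		if s == "" {
			return nil, fmt.Errorf("resource id %q contains an empty segment", id)
		}
	}
	return segs, nil
}

// ClassifyFlowLogTarget identifies which Microsoft.Network resource an ID points at.
// The leading segments of every ARM ID are fixed:
//   0 subscriptions / 1 <sub> / 2 resourceGroups / 3 <rg> / 4 providers / 5 Microsoft.Network
// so the resource type key sits at position 6, the position named in the
// provider's error message quoted in the issue.
func ClassifyFlowLogTarget(id string) (TargetKind, error) {
	segs, err := splitID(id)
	if err != nil {
		return TargetUnknown, err
	}
	if len(segs) < 8 ||
		!strings.EqualFold(segs[0], "subscriptions") ||
		!strings.EqualFold(segs[2], "resourceGroups") ||
		!strings.EqualFold(segs[4], "providers") ||
		!strings.EqualFold(segs[5], "Microsoft.Network") {
		return TargetUnknown, fmt.Errorf("%q is not a Microsoft.Network resource id", id)
	}
	typeKey := segs[6]
	rest := segs[8:] // child segments after the top-level resource name, if any
	switch {
	case len(rest) == 0 && strings.EqualFold(typeKey, "networkSecurityGroups"):
		return TargetNSG, nil
	case len(rest) == 0 && strings.EqualFold(typeKey, "networkInterfaces"):
		return TargetNIC, nil
	case len(rest) == 0 && strings.EqualFold(typeKey, "virtualNetworks"):
		return TargetVNet, nil
	case len(rest) == 2 && strings.EqualFold(typeKey, "virtualNetworks") &&
		strings.EqualFold(rest[0], "subnets"):
		return TargetSubnet, nil
	}
	return TargetUnknown, fmt.Errorf("segment at position 6 is %q, which is not a supported flow log target", typeKey)
}

// ValidateNSGOnly mirrors the old behaviour: anything but an NSG ID is rejected.
func ValidateNSGOnly(id string) error {
	kind, err := ClassifyFlowLogTarget(id)
	if err != nil {
		return err
	}
	if kind != TargetNSG {
		return fmt.Errorf("expected a NetworkSecurityGroup ID, got a %s ID", kind)
	}
	return nil
}

// ValidateFlowLogTarget is the widened check: NSG, VNet, subnet and NIC all pass.
func ValidateFlowLogTarget(id string) error {
	_, err := ClassifyFlowLogTarget(id)
	return err
}

func main() {
	// The subnet ID quoted in the issue's plan error.
	subnetID := "/subscriptions/xxx/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/test_sn"
	fmt.Println("old validation:", ValidateNSGOnly(subnetID))
	fmt.Println("new validation:", ValidateFlowLogTarget(subnetID))
}
```

Running `main` prints the NSG-only error for the subnet ID first and `<nil>` second, which is the before/after behaviour the commit message describes. The segment positions are checked case-insensitively because ARM accepts either casing for the key segments; the provider's own error text in the issue reports position 6 in the same zero-based numbering used here.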
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.