log_analytics_destination_type = "AzureDiagnostics" being removed is showing up in each plan when using eventhub destintation

[RawPatty]

Is there an existing issue for this?

• I have searched the existing issues

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

1.2.6

AzureRM Provider Version

3.15

Affected Resource(s)/Data Source(s)

azurerm_monitor_diagnostic_setting

Terraform Configuration Files

resource "azurerm_monitor_diagnostic_setting" "gateway_logs_to_Eventhub" {
  target_resource_id = azurerm_api_management.this.id
  name          = "toEventHub"
  eventhub_name = lookup(var.apim_configuration, "logging_eventhub_name", null)

  eventhub_authorization_rule_id = data.azurerm_eventhub_namespace_authorization_rule.eventhub_rule.id
  log {
    category = "GatewayLogs"
    enabled  = true
    retention_policy {
      days =  0
      enabled= false
    }
  }
  log {
    category = "WebSocketConnectionLogs"
    enabled  = false
    retention_policy {
      days =  0
      enabled= false
    }
  }
}

Debug Output/Panic Output

-

Expected Behaviour

After applying the change, next run should show no changes required

Actual Behaviour

Terraform plan tries to remove log_analytics_destination_type = "AzureDiagnostics" setting

Steps to Reproduce

I am configuring diagnostic settings for my API Management Azure resource to send diagnostic logs to Eventhub.

Configure azurerm_monitor_diagnostic_setting to send to eventhub destination, run terraform plan again after applying the initial plan to see one change is required - log_analytics_destination_type = "AzureDiagnostics" will be removed.
After applying a change to remove log_analytics_destination_type = "AzureDiagnostics" run the plan again and observe the setting is pending again

Important Factoids

log_analytics_destination_type is an optional variable that should only be set when specifying a log analytics workspace, I'm not sure why it's being implicitly set

References

No response

[AlexPykavy]

Hello @RawPatty,

I've encountered the same issue but in other circumstances. After some analysis, I found why it happens and asked a question on the Slack - https://terraform-azure.slack.com/archives/CB9RVKPDL/p1663449825271299.

[dvasdekis]

Although this is a real bug, and also happens when log_analytics_destination_type = "Dedicated", you can avoid it with the below block:

  # Inside whatever resource, where you specify your destination type:
  log_analytics_destination_type = "Dedicated"  # Or "AzureDiagnostics"
  # Add the below lifecycle block to make Terraform ignore changes on plan or apply:
  lifecycle {
    ignore_changes = [log_analytics_destination_type]
  }

Side note, you probably want "Dedicated" as it breaks the logs into multiple tables instead of one huge table inside LogAnalytics.

[sterol]

I have encountered the same issue on one Azure account. Surprisingly the update is not triggered on similar other landscapes. The default is set implicitly on Azure side but the Terraform configuration does not contain the parameter in the corresponding resource, only on the affected account we get an update action (-> null). All other accounts do not detect any update, tfstate obviously does not conflict with terraform configuration. If we would add the default now to the Terraform configuration I fear that I get an update on all other Azure accounts except the one, where it is already present in tfstate. Is there no possible explanation as to why this happens and only on one account.

[theadzik]

It also happens if you specify log_analytics_destination_type

resource "azurerm_monitor_diagnostic_setting" "config_keyvault" {
  name               = "keyvault_logging"
  target_resource_id = var.kv_id

  log_analytics_workspace_id     = azurerm_log_analytics_workspace.ai_workspace.id
  log_analytics_destination_type = "Dedicated"

  enabled_log {
    category_group = "allLogs"

    retention_policy {
      enabled = true
      days    = 30
    }
  }

  enabled_log {
    category_group = "audit"

    retention_policy {
      enabled = true
      days    = 30
    }
  }

  metric {
    category = "AllMetrics"

    retention_policy {
      enabled = true
      days    = 30
    }
  }
}

Output after each apply:

 ~ resource "azurerm_monitor_diagnostic_setting" "config_keyvault" {
        id                             = "xxxxxxxxx"
      + log_analytics_destination_type = "Dedicated"
        name                           = "keyvault_logging"
        # (2 unchanged attributes hidden)

        # (5 unchanged blocks hidden)
    }

[stevehipwell]

We're seeing the same as @theadzik, could this be fixed as I'd rather not ignore changes on it.

[WouterVan]

Seems like this issue has been fixed as a Bug Fix in the latest Azurerm version 3.45.0, this update fixed my issue after running one apply.
https://github.com/hashicorp/terraform-provider-azurerm/blob/main/CHANGELOG.md

[jirka-tribi]

Tested with terraform binary ver 1.3.9 and azure provider ver 3.45.0 and

log_analytics_destination_type = "Dedicated"

want to be created over and over

[Zurina]

Tested with tf binary 1.3.9 and azure provider 3.46.0, and I also see

log_analytics_destination_type = "Dedicated"

being recreated over and over again.

[oWretch]

Instead of using ignore_changes, you are better off removing the log_analytics_destination_type from the resource. The provider documentation specifically calls out that:

For some target resource type (e.g., Key Vault), this field is unconfigurable. Please see resource types for services that use each method.

Having said that, the provider should either throw an error if this is not supported rather than constantly providing a change…

[sboulema]

Tested with tf binary 1.4.2 and azure provider 3.49.0, and I also see

log_analytics_destination_type = "Dedicated"

being recreated over and over again.

[DrizzlyOwl]

Tested with tf binary 1.4.5 and azure provider 3.61.0, and I also see

+log_analytics_destination_type = "Dedicated"

being recreated over and over again.

[dkarlovi]

Stop commenting +1 on GH issues please, use reactions for that.