Provider produced inconsistent final plan in azurerm_monitor_diagnostic_setting

[srikanth-vattey]

Is there an existing issue for this?

• I have searched the existing issues

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.7.4

AzureRM Provider Version

3.94.0

Affected Resource(s)/Data Source(s)

azurerm_monitor_diagnostic_setting

Terraform Configuration Files

data "azurerm_monitor_diagnostic_categories" "monitor_diagnostic_categories" {
  resource_id = var.target_resource_id
}

locals {
  name = var.resource_prefix != null ? join("", [var.resource_prefix, "-log-analytics-diag"]) : "log-analytics-diag"
}

resource "azurerm_monitor_diagnostic_setting" "monitor_diagnostic_setting" {
  name                           = local.name
  target_resource_id             = var.target_resource_id
  log_analytics_workspace_id     = var.log_analytics_workspace_id
  log_analytics_destination_type = var.log_analytics_destination_type

  dynamic "enabled_log" {
    for_each = data.azurerm_monitor_diagnostic_categories.monitor_diagnostic_categories.log_category_types
    content {
      category = enabled_log.value
    }
  }

  dynamic "metric" {
    for_each = data.azurerm_monitor_diagnostic_categories.monitor_diagnostic_categories.metrics
    content {
      category = metric.value
      enabled  = true
    }
  }

}

Debug Output/Panic Output

2024-03-27T08:39:41.8655556Z Error: Provider produced inconsistent final plan
2024-03-27T08:39:41.8655924Z 
2024-03-27T08:39:41.8656348Z When expanding the plan for
2024-03-27T08:39:41.8657881Z module.function_app.module.function_app_plan_diagnostic_settings.azurerm_monitor_diagnostic_setting.monitor_diagnostic_setting
2024-03-27T08:39:41.8658591Z to include new values learned so far during apply, provider
2024-03-27T08:39:41.8659825Z "registry.terraform.io/hashicorp/azurerm" produced an invalid new value for
2024-03-27T08:39:41.8660511Z .enabled_log: planned set element
2024-03-27T08:39:41.8661217Z cty.ObjectVal(map[string]cty.Value{"category":cty.StringVal("FunctionAppLogs"),
2024-03-27T08:39:41.8662190Z "category_group":cty.StringVal(""),
2024-03-27T08:39:41.8662859Z "retention_policy":cty.ListVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"days":cty.NumberIntVal(0),
2024-03-27T08:39:41.8663458Z "enabled":cty.True})})}) does not correlate with any element in actual.
2024-03-27T08:39:41.8663671Z 
2024-03-27T08:39:41.8664052Z This is a bug in the provider, which should be reported in the provider's own
2024-03-27T08:39:41.8664298Z issue tracker.
2024-03-27T08:39:41.8664384Z 
2024-03-27T08:39:41.8664587Z Error: Provider produced inconsistent final plan
2024-03-27T08:39:41.8664693Z 
2024-03-27T08:39:41.8665039Z When expanding the plan for
2024-03-27T08:39:41.8665520Z module.function_app.module.function_app_plan_diagnostic_settings.azurerm_monitor_diagnostic_setting.monitor_diagnostic_setting
2024-03-27T08:39:41.8666460Z to include new values learned so far during apply, provider
2024-03-27T08:39:41.8666980Z "registry.terraform.io/hashicorp/azurerm" produced an invalid new value for
2024-03-27T08:39:41.8668231Z .enabled_log: block set length changed from 1 to 2.
2024-03-27T08:39:41.8668489Z 
2024-03-27T08:39:41.8669469Z This is a bug in the provider, which should be reported in the provider's own
2024-03-27T08:39:41.8669806Z issue tracker.
2024-03-27T08:39:41.9322745Z ##[error]Error: The process '/azp/agent/_work/_tool/terraform/1.5.4/x64/terraform' failed with exit code 1

Expected Behaviour

No response

Actual Behaviour

No response

Steps to Reproduce

1. terraform apply

Important Factoids

No response

References

No response

[ArtiomMatiom]

As a hot fix, managed to bypass the issue, by manually deleting the diagnostic settings, and re-appling the modules to re-create

[srikanth-vattey]

As a hot fix, managed to bypass the issue, by manually deleting the diagnostic settings, and re-appling the modules to re-create

We tried the same thing but the diagnostic settings are created and still the pipelines are failing on the apply stage with the same error mentioned

[teowa]

Hi @srikanth-vattey , thanks for submitting this! I tried to reproduce the issue with below config but seems I cannot.

provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "test" {
  name     = "test-func-app-diag"
  location = "west us"
}

resource "azurerm_storage_account" "test" {
  name                     = "fadstorageahsga"
  resource_group_name      = azurerm_resource_group.test.name
  location                 = azurerm_resource_group.test.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

resource "azurerm_app_service_plan" "test" {
  name                = "azure-functions-test-ahsga"
  location            = azurerm_resource_group.test.location
  resource_group_name = azurerm_resource_group.test.name

  sku {
    tier = "Standard"
    size = "S1"
  }
}

resource "azurerm_function_app" "test" {
  name                       = "fadahsga"
  location                   = azurerm_resource_group.test.location
  resource_group_name        = azurerm_resource_group.test.name
  app_service_plan_id        = azurerm_app_service_plan.test.id
  storage_account_name       = azurerm_storage_account.test.name
  storage_account_access_key = azurerm_storage_account.test.primary_access_key
}

resource "azurerm_log_analytics_workspace" "test" {
  name                = "fad-test-01"
  location            = azurerm_resource_group.test.location
  resource_group_name = azurerm_resource_group.test.name
  sku                 = "PerGB2018"
  retention_in_days   = 30
}

data "azurerm_monitor_diagnostic_categories" "monitor_diagnostic_categories" {
  resource_id = azurerm_function_app.test.id
}

resource "azurerm_monitor_diagnostic_setting" "monitor_diagnostic_setting" {
  name                       = "test-func-app-diag"
  target_resource_id         = azurerm_function_app.test.id
  log_analytics_workspace_id = azurerm_log_analytics_workspace.test.id

  dynamic "enabled_log" {
    for_each = data.azurerm_monitor_diagnostic_categories.monitor_diagnostic_categories.log_category_types
    content {
      category = enabled_log.value
    }
  }

  dynamic "metric" {
    for_each = data.azurerm_monitor_diagnostic_categories.monitor_diagnostic_categories.metrics
    content {
      category = metric.value
      enabled  = true
    }
  }

}

Could you please share a minial config which can reproduce this? Or is it possible to share related logs of the data.azurerm_monitor_diagnostic_categories.monitor_diagnostic_categories and azurerm_monitor_diagnostic_setting.monitor_diagnostic_categories in terraform debug log, the log looks like below (hide sensitive info):

2024-04-01T08:14:09.279Z [DEBUG] provider.terraform-provider-azurerm: AzureRM Response for https://management.azure.com/subscriptions/xxx/resourceGroups/test-func-app-diag/providers/Microsoft.Web/sites/fadahsga/providers/Microsoft.Insights/diagnosticSettingsCategories?api-version=2021-05-01-preview:
HTTP/2.0 200 OK
Content-Length: 1380
Cache-Control: no-cache
Content-Type: application/json; charset=utf-8
Date: Mon, 01 Apr 2024 08:14:07 GMT
Expires: -1
Pragma: no-cache
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Cache: CONFIG_NOCACHE
X-Content-Type-Options: nosniff
X-Ms-Correlation-Request-Id: e04594ff-bcc3-450d-18e6-02c33293155c
X-Ms-Ratelimit-Remaining-Subscription-Reads: 11997
X-Ms-Request-Id: 05f22139-25e4-43c5-99a5-a59bfa410dab
X-Ms-Routing-Request-Id: JAPANEAST:20240401T081408Z:c33de9fc-8f97-417e-82d2-45b68ad2cf41
X-Msedge-Ref: Ref A: 94A24285F28043FEAFDF243C0C288189 Ref B: TYO201100117037 Ref C: 2024-04-01T08:14:07Z

{"value":[{"id":"/subscriptions/xxx/resourcegroups/test-func-app-diag/providers/microsoft.web/sites/fadahsga/providers/microsoft.insights/diagnosticSettingsCategories/FunctionAppLogs","type":"microsoft.insights/diagnosticSettingsCategories","name":"FunctionAppLogs","location":null,"kind":null,"tags":null,"properties":{"displayName":"Function Application Logs","categoryType":"Logs","categoryGroups":["audit","allLogs"]},"identity":null},{"id":"/subscriptions/xxx/resourcegroups/test-func-app-diag/providers/microsoft.web/sites/fadahsga/providers/microsoft.insights/diagnosticSettingsCategories/AppServiceAuthenticationLogs","type":"microsoft.insights/diagnosticSettingsCategories","name":"AppServiceAuthenticationLogs","location":null,"kind":null,"tags":null,"properties":{"displayName":"App Service Authentication logs (preview)","categoryType":"Logs","categoryGroups":["audit","allLogs"]},"identity":null},{"id":"/subscriptions/xxx/resourcegroups/test-func-app-diag/providers/microsoft.web/sites/fadahsga/providers/microsoft.insights/diagnosticSettingsCategories/AllMetrics","type":"microsoft.insights/diagnosticSettingsCategories","name":"AllMetrics","location":null,"kind":null,"tags":null,"properties":{"displayName":"AllMetrics","categoryType":"Metrics"},"identity":null}]}: timestamp=2024-04-01T08:14:09.278Z


2024-04-01T08:14:09.279Z [DEBUG] provider.terraform-provider-azurerm: AzureRM Response for https://management.azure.com/subscriptions/xxx/resourceGroups/test-func-app-diag/providers/Microsoft.Web/sites/fadahsga/providers/Microsoft.Insights/diagnosticSettingsCategories?api-version=2021-05-01-preview:
HTTP/2.0 200 OK
Content-Length: 1380
Cache-Control: no-cache
Content-Type: application/json; charset=utf-8
Date: Mon, 01 Apr 2024 08:14:07 GMT
Expires: -1
Pragma: no-cache
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Cache: CONFIG_NOCACHE
X-Content-Type-Options: nosniff
X-Ms-Correlation-Request-Id: e04594ff-bcc3-450d-18e6-02c33293155c
X-Ms-Ratelimit-Remaining-Subscription-Reads: 11997
X-Ms-Request-Id: 05f22139-25e4-43c5-99a5-a59bfa410dab
X-Ms-Routing-Request-Id: JAPANEAST:20240401T081408Z:c33de9fc-8f97-417e-82d2-45b68ad2cf41
X-Msedge-Ref: Ref A: 94A24285F28043FEAFDF243C0C288189 Ref B: TYO201100117037 Ref C: 2024-04-01T08:14:07Z

{"value":[{"id":"/subscriptions/xxx/resourcegroups/test-func-app-diag/providers/microsoft.web/sites/fadahsga/providers/microsoft.insights/diagnosticSettingsCategories/FunctionAppLogs","type":"microsoft.insights/diagnosticSettingsCategories","name":"FunctionAppLogs","location":null,"kind":null,"tags":null,"properties":{"displayName":"Function Application Logs","categoryType":"Logs","categoryGroups":["audit","allLogs"]},"identity":null},{"id":"/subscriptions/xxx/resourcegroups/test-func-app-diag/providers/microsoft.web/sites/fadahsga/providers/microsoft.insights/diagnosticSettingsCategories/AppServiceAuthenticationLogs","type":"microsoft.insights/diagnosticSettingsCategories","name":"AppServiceAuthenticationLogs","location":null,"kind":null,"tags":null,"properties":{"displayName":"App Service Authentication logs (preview)","categoryType":"Logs","categoryGroups":["audit","allLogs"]},"identity":null},{"id":"/subscriptions/xxx/resourcegroups/test-func-app-diag/providers/microsoft.web/sites/fadahsga/providers/microsoft.insights/diagnosticSettingsCategories/AllMetrics","type":"microsoft.insights/diagnosticSettingsCategories","name":"AllMetrics","location":null,"kind":null,"tags":null,"properties":{"displayName":"AllMetrics","categoryType":"Metrics"},"identity":null}]}: timestamp=2024-04-01T08:14:09.278Z

[jarpoole]

@teowa I also tried to create a reproduction with new resources without much luck. I only seem to observe the problem on my existing resources...

I've attached some logs below to hopefully help figure out what is wrong...

Logs

azurerm_linux_web_app.main: Refreshing state... [id=*******]
2024-04-01T08:21:43.251-0400 [WARN]  Provider "registry.terraform.io/hashicorp/azurerm" produced an invalid plan for azurerm_linux_web_app.main, but we are tolerating it because it is using the legacy plugin SDK.
    The following problems may be the cause of any confusing errors from downstream operations:
      - .enabled: planned value cty.True for a non-computed attribute
      - .virtual_network_subnet_id: planned value cty.StringVal("") for a non-computed attribute
      - .client_certificate_mode: planned value cty.StringVal("Required") for a non-computed attribute
      - .public_network_access_enabled: planned value cty.True for a non-computed attribute
      - .client_certificate_exclusion_paths: planned value cty.StringVal("") for a non-computed attribute
      - .client_certificate_enabled: planned value cty.False for a non-computed attribute
      - .https_only: planned value cty.False for a non-computed attribute
      - .client_affinity_enabled: planned value cty.False for a non-computed attribute
      - .site_config[0].app_command_line: planned value cty.StringVal("") for a non-computed attribute
      - .site_config[0].load_balancing_mode: planned value cty.StringVal("LeastRequests") for a non-computed attribute
      - .site_config[0].container_registry_use_managed_identity: planned value cty.False for a non-computed attribute
      - .site_config[0].api_management_api_id: planned value cty.StringVal("") for a non-computed attribute
      - .site_config[0].container_registry_managed_identity_client_id: planned value cty.StringVal("") for a non-computed attribute
      - .site_config[0].managed_pipeline_mode: planned value cty.StringVal("Integrated") for a non-computed attribute
      - .site_config[0].local_mysql_enabled: planned value cty.False for a non-computed attribute
      - .site_config[0].minimum_tls_version: planned value cty.StringVal("1.2") for a non-computed attribute
      - .site_config[0].auto_heal_enabled: planned value cty.False for a non-computed attribute
      - .site_config[0].ftps_state: planned value cty.StringVal("Disabled") for a non-computed attribute
      - .site_config[0].remote_debugging_enabled: planned value cty.False for a non-computed attribute
      - .site_config[0].scm_minimum_tls_version: planned value cty.StringVal("1.2") for a non-computed attribute
      - .site_config[0].vnet_route_all_enabled: planned value cty.False for a non-computed attribute
      - .site_config[0].http2_enabled: planned value cty.False for a non-computed attribute
      - .site_config[0].scm_use_main_ip_restriction: planned value cty.False for a non-computed attribute
      - .site_config[0].websockets_enabled: planned value cty.False for a non-computed attribute
      - .site_config[0].api_definition_url: planned value cty.StringVal("") for a non-computed attribute
      - .site_config[0].application_stack: block count in plan (1) disagrees with count in config (0)
      - .site_config[0].ip_restriction[0].priority: planned value cty.NumberIntVal(65000) for a non-computed attribute
      - .site_config[0].ip_restriction[0].service_tag: planned value cty.StringVal("") for a non-computed attribute
      - .site_config[0].ip_restriction[0].headers: planned value cty.ListValEmpty(cty.Object(map[string]cty.Type{"x_azure_fdid":cty.List(cty.String), "x_fd_health_probe":cty.List(cty.String), "x_forwarded_for":cty.List(cty.String), "x_forwarded_host":cty.List(cty.String)})) for a non-computed attribute
      - .site_config[0].ip_restriction[0].ip_address: planned value cty.StringVal("") for a non-computed attribute
      - .sticky_settings[0].connection_string_names: planned value cty.ListValEmpty(cty.String) for a non-computed attribute
      - .logs[0].detailed_error_messages: planned value cty.False for a non-computed attribute
      - .logs[0].failed_request_tracing: planned value cty.False for a non-computed attribute
2024-04-01T08:21:43.252-0400 [INFO]  ReferenceTransformer: reference not found: "var.resource_group_name"
2024-04-01T08:21:43.252-0400 [INFO]  ReferenceTransformer: reference not found: "local.app_name"
2024-04-01T08:21:43.252-0400 [INFO]  ReferenceTransformer: reference not found: "local.app_name"
2024-04-01T08:21:43.252-0400 [INFO]  ReferenceTransformer: reference not found: "local.app_name"
2024-04-01T08:21:43.252-0400 [INFO]  ReferenceTransformer: reference not found: "local.app_name"
2024-04-01T08:21:43.252-0400 [INFO]  ReferenceTransformer: reference not found: "var.resource_group_name"
2024-04-01T08:21:43.253-0400 [INFO]  ReferenceTransformer: reference not found: "local.app_name"
2024-04-01T08:21:43.253-0400 [INFO]  ReferenceTransformer: reference not found: "local.app_name"
2024-04-01T08:21:43.253-0400 [INFO]  ReferenceTransformer: reference not found: "var.resource_group_name"
2024-04-01T08:21:43.253-0400 [INFO]  ReferenceTransformer: reference not found: "var.log_analytics_workspace_id"
azurerm_monitor_diagnostic_setting.main: Refreshing state... [id=*************]
2024-04-01T08:21:43.431-0400 [WARN]  Provider "registry.terraform.io/hashicorp/azurerm" produced an invalid plan for azurerm_monitor_activity_log_alert.started, but we are tolerating it because it is using the legacy plugin SDK.
    The following problems may be the cause of any confusing errors from downstream operations:
      - .tags: planned value cty.MapValEmpty(cty.String) for a non-computed attribute
      - .enabled: planned value cty.True for a non-computed attribute
      - .criteria[0].levels: planned value cty.ListValEmpty(cty.String) for a non-computed attribute
      - .criteria[0].statuses: planned value cty.ListValEmpty(cty.String) for a non-computed attribute
      - .criteria[0].sub_status: planned value cty.StringVal("") for a non-computed attribute
      - .criteria[0].level: planned value cty.StringVal("") for a non-computed attribute
      - .criteria[0].resource_id: planned value cty.StringVal("") for a non-computed attribute
      - .criteria[0].recommendation_category: planned value cty.StringVal("") for a non-computed attribute
      - .criteria[0].resource_providers: planned value cty.ListValEmpty(cty.String) for a non-computed attribute
      - .criteria[0].resource_type: planned value cty.StringVal("") for a non-computed attribute
      - .criteria[0].caller: planned value cty.StringVal("") for a non-computed attribute
      - .criteria[0].recommendation_impact: planned value cty.StringVal("") for a non-computed attribute
      - .criteria[0].recommendation_type: planned value cty.StringVal("") for a non-computed attribute
      - .criteria[0].resource_group: planned value cty.StringVal("") for a non-computed attribute
      - .criteria[0].resource_groups: planned value cty.ListValEmpty(cty.String) for a non-computed attribute
      - .criteria[0].resource_ids: planned value cty.ListValEmpty(cty.String) for a non-computed attribute
      - .criteria[0].resource_provider: planned value cty.StringVal("") for a non-computed attribute
      - .criteria[0].resource_types: planned value cty.ListValEmpty(cty.String) for a non-computed attribute
      - .criteria[0].sub_statuses: planned value cty.ListValEmpty(cty.String) for a non-computed attribute
2024-04-01T08:21:43.436-0400 [WARN]  Provider "registry.terraform.io/hashicorp/azurerm" produced an invalid plan for azurerm_monitor_activity_log_alert.start-failed, but we are tolerating it because it is using the legacy plugin SDK.
    The following problems may be the cause of any confusing errors from downstream operations:
      - .tags: planned value cty.MapValEmpty(cty.String) for a non-computed attribute
      - .enabled: planned value cty.True for a non-computed attribute
      - .criteria[0].resource_id: planned value cty.StringVal("") for a non-computed attribute
      - .criteria[0].recommendation_category: planned value cty.StringVal("") for a non-computed attribute
      - .criteria[0].resource_providers: planned value cty.ListValEmpty(cty.String) for a non-computed attribute
      - .criteria[0].resource_type: planned value cty.StringVal("") for a non-computed attribute
      - .criteria[0].caller: planned value cty.StringVal("") for a non-computed attribute
      - .criteria[0].recommendation_impact: planned value cty.StringVal("") for a non-computed attribute
      - .criteria[0].recommendation_type: planned value cty.StringVal("") for a non-computed attribute
      - .criteria[0].resource_group: planned value cty.StringVal("") for a non-computed attribute
      - .criteria[0].resource_groups: planned value cty.ListValEmpty(cty.String) for a non-computed attribute
      - .criteria[0].resource_ids: planned value cty.ListValEmpty(cty.String) for a non-computed attribute
      - .criteria[0].resource_provider: planned value cty.StringVal("") for a non-computed attribute
      - .criteria[0].resource_types: planned value cty.ListValEmpty(cty.String) for a non-computed attribute
      - .criteria[0].sub_statuses: planned value cty.ListValEmpty(cty.String) for a non-computed attribute
      - .criteria[0].levels: planned value cty.ListValEmpty(cty.String) for a non-computed attribute
      - .criteria[0].statuses: planned value cty.ListValEmpty(cty.String) for a non-computed attribute
      - .criteria[0].sub_status: planned value cty.StringVal("") for a non-computed attribute
      - .criteria[0].level: planned value cty.StringVal("") for a non-computed attribute
2024-04-01T08:21:43.498-0400 [WARN]  Provider "registry.terraform.io/hashicorp/azurerm" produced an invalid plan for azurerm_monitor_activity_log_alert.stopped, but we are tolerating it because it is using the legacy plugin SDK.
    The following problems may be the cause of any confusing errors from downstream operations:
      - .tags: planned value cty.MapValEmpty(cty.String) for a non-computed attribute
      - .enabled: planned value cty.True for a non-computed attribute
      - .criteria[0].resource_groups: planned value cty.ListValEmpty(cty.String) for a non-computed attribute
      - .criteria[0].resource_ids: planned value cty.ListValEmpty(cty.String) for a non-computed attribute
      - .criteria[0].resource_provider: planned value cty.StringVal("") for a non-computed attribute
      - .criteria[0].resource_types: planned value cty.ListValEmpty(cty.String) for a non-computed attribute
      - .criteria[0].recommendation_impact: planned value cty.StringVal("") for a non-computed attribute
      - .criteria[0].recommendation_type: planned value cty.StringVal("") for a non-computed attribute
      - .criteria[0].resource_group: planned value cty.StringVal("") for a non-computed attribute
      - .criteria[0].sub_statuses: planned value cty.ListValEmpty(cty.String) for a non-computed attribute
      - .criteria[0].sub_status: planned value cty.StringVal("") for a non-computed attribute
      - .criteria[0].level: planned value cty.StringVal("") for a non-computed attribute
      - .criteria[0].levels: planned value cty.ListValEmpty(cty.String) for a non-computed attribute
      - .criteria[0].statuses: planned value cty.ListValEmpty(cty.String) for a non-computed attribute
      - .criteria[0].recommendation_category: planned value cty.StringVal("") for a non-computed attribute
      - .criteria[0].resource_id: planned value cty.StringVal("") for a non-computed attribute
      - .criteria[0].caller: planned value cty.StringVal("") for a non-computed attribute
      - .criteria[0].resource_providers: planned value cty.ListValEmpty(cty.String) for a non-computed attribute
      - .criteria[0].resource_type: planned value cty.StringVal("") for a non-computed attribute
2024-04-01T08:21:43.592-0400 [WARN]  Provider "registry.terraform.io/hashicorp/azurerm" produced an unexpected new value for azurerm_monitor_diagnostic_setting.main during refresh.
      - .enabled_log: planned set element cty.ObjectVal(map[string]cty.Value{"category":cty.StringVal("AppServiceAntivirusScanAuditLogs"), "category_group":cty.StringVal(""), "retention_policy":cty.ListValEmpty(cty.Object(map[string]cty.Type{"days":cty.Number, "enabled":cty.Bool}))}) does not correlate with any element in actual
      - .enabled_log: planned set element cty.ObjectVal(map[string]cty.Value{"category":cty.StringVal("AppServiceAppLogs"), "category_group":cty.StringVal(""), "retention_policy":cty.ListValEmpty(cty.Object(map[string]cty.Type{"days":cty.Number, "enabled":cty.Bool}))}) does not correlate with any element in actual
      - .enabled_log: planned set element cty.ObjectVal(map[string]cty.Value{"category":cty.StringVal("AppServiceAuditLogs"), "category_group":cty.StringVal(""), "retention_policy":cty.ListValEmpty(cty.Object(map[string]cty.Type{"days":cty.Number, "enabled":cty.Bool}))}) does not correlate with any element in actual
      - .enabled_log: planned set element cty.ObjectVal(map[string]cty.Value{"category":cty.StringVal("AppServiceAuthenticationLogs"), "category_group":cty.StringVal(""), "retention_policy":cty.ListValEmpty(cty.Object(map[string]cty.Type{"days":cty.Number, "enabled":cty.Bool}))}) does not correlate with any element in actual
      - .enabled_log: planned set element cty.ObjectVal(map[string]cty.Value{"category":cty.StringVal("AppServiceConsoleLogs"), "category_group":cty.StringVal(""), "retention_policy":cty.ListValEmpty(cty.Object(map[string]cty.Type{"days":cty.Number, "enabled":cty.Bool}))}) does not correlate with any element in actual
      - .enabled_log: planned set element cty.ObjectVal(map[string]cty.Value{"category":cty.StringVal("AppServiceFileAuditLogs"), "category_group":cty.StringVal(""), "retention_policy":cty.ListValEmpty(cty.Object(map[string]cty.Type{"days":cty.Number, "enabled":cty.Bool}))}) does not correlate with any element in actual
      - .enabled_log: planned set element cty.ObjectVal(map[string]cty.Value{"category":cty.StringVal("AppServiceHTTPLogs"), "category_group":cty.StringVal(""), "retention_policy":cty.ListValEmpty(cty.Object(map[string]cty.Type{"days":cty.Number, "enabled":cty.Bool}))}) does not correlate with any element in actual
      - .enabled_log: planned set element cty.ObjectVal(map[string]cty.Value{"category":cty.StringVal("AppServiceIPSecAuditLogs"), "category_group":cty.StringVal(""), "retention_policy":cty.ListValEmpty(cty.Object(map[string]cty.Type{"days":cty.Number, "enabled":cty.Bool}))}) does not correlate with any element in actual
      - .enabled_log: planned set element cty.ObjectVal(map[string]cty.Value{"category":cty.StringVal("AppServicePlatformLogs"), "category_group":cty.StringVal(""), "retention_policy":cty.ListValEmpty(cty.Object(map[string]cty.Type{"days":cty.Number, "enabled":cty.Bool}))}) does not correlate with any element in actual
      - .metric: planned set element cty.ObjectVal(map[string]cty.Value{"category":cty.StringVal("AllMetrics"), "enabled":cty.True, "retention_policy":cty.ListValEmpty(cty.Object(map[string]cty.Type{"days":cty.Number, "enabled":cty.Bool}))}) does not correlate with any element in actual
2024-04-01T08:21:43.599-0400 [WARN]  Provider "registry.terraform.io/hashicorp/azurerm" produced an invalid plan for azurerm_monitor_diagnostic_setting.main, but we are tolerating it because it is using the legacy plugin SDK.
    The following problems may be the cause of any confusing errors from downstream operations:
      - .eventhub_name: planned value cty.StringVal("") for a non-computed attribute
      - .eventhub_authorization_rule_id: planned value cty.StringVal("") for a non-computed attribute
      - .enabled_log: planned value cty.SetVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"category":cty.StringVal("AppServiceAntivirusScanAuditLogs"), "category_group":cty.StringVal(""), "retention_policy":cty.ListVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"days":cty.NumberIntVal(0), "enabled":cty.False})})}), cty.ObjectVal(map[string]cty.Value{"category":cty.StringVal("AppServiceAppLogs"), "category_group":cty.StringVal(""), "retention_policy":cty.ListVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"days":cty.NumberIntVal(0), "enabled":cty.False})})}), cty.ObjectVal(map[string]cty.Value{"category":cty.StringVal("AppServiceAuditLogs"), "category_group":cty.StringVal(""), "retention_policy":cty.ListVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"days":cty.NumberIntVal(0), "enabled":cty.False})})}), cty.ObjectVal(map[string]cty.Value{"category":cty.StringVal("AppServiceAuthenticationLogs"), "category_group":cty.StringVal(""), "retention_policy":cty.ListVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"days":cty.NumberIntVal(0), "enabled":cty.False})})}), cty.ObjectVal(map[string]cty.Value{"category":cty.StringVal("AppServiceConsoleLogs"), "category_group":cty.StringVal(""), "retention_policy":cty.ListVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"days":cty.NumberIntVal(0), "enabled":cty.False})})}), cty.ObjectVal(map[string]cty.Value{"category":cty.StringVal("AppServiceFileAuditLogs"), "category_group":cty.StringVal(""), "retention_policy":cty.ListVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"days":cty.NumberIntVal(0), "enabled":cty.False})})}), cty.ObjectVal(map[string]cty.Value{"category":cty.StringVal("AppServiceHTTPLogs"), "category_group":cty.StringVal(""), "retention_policy":cty.ListVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"days":cty.NumberIntVal(0), "enabled":cty.False})})}), cty.ObjectVal(map[string]cty.Value{"category":cty.StringVal("AppServiceIPSecAuditLogs"), "category_group":cty.StringVal(""), "retention_policy":cty.ListVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"days":cty.NumberIntVal(0), "enabled":cty.False})})}), cty.ObjectVal(map[string]cty.Value{"category":cty.StringVal("AppServicePlatformLogs"), "category_group":cty.StringVal(""), "retention_policy":cty.ListVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"days":cty.NumberIntVal(0), "enabled":cty.False})})})}) for unknown dynamic block

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place
 <= read (data resources)

Terraform will perform the following actions:

  # data.azurerm_monitor_diagnostic_categories.main will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "azurerm_monitor_diagnostic_categories" "main" {
      + id                  = (known after apply)
      + log_category_groups = (known after apply)
      + log_category_types  = (known after apply)
      + logs                = (known after apply)
      + metrics             = (known after apply)
      + resource_id         = "*********************"
    }

  # azurerm_linux_web_app.main will be updated in-place
  ~ resource "azurerm_linux_web_app" "main" {
        id                                = "**********************"
        name                              = "***********************"
        tags                              = ***************
        # (19 unchanged attributes hidden)

      ~ sticky_settings {
          ~ app_setting_names       = ***********
            # (1 unchanged attribute hidden)
        }

        # (2 unchanged blocks hidden)
    }

  # azurerm_monitor_diagnostic_setting.main will be updated in-place
  ~ resource "azurerm_monitor_diagnostic_setting" "main" {
        id                         = "*********************"
        name                       = "*********************"
        # (2 unchanged attributes hidden)

      - metric {
          - category = "AllMetrics" -> null
          - enabled  = true -> null

          - retention_policy {
              - days    = 0 -> null
              - enabled = false -> null
            }
        }

        # (18 unchanged blocks hidden)
    }

Plan: 0 to add, 2 to change, 0 to destroy.

[jarpoole]

@teowa I experimented a little bit more and I think I got the relevant logs:

  dynamic "metric" {
    for_each = toset(data.azurerm_monitor_diagnostic_categories.main.metrics)
    content {
      category = metric.value
      enabled  = true
    }
  }

Note that I've also tried to add a retention_policy block with no luck.

2024-04-01T09:59:44.549-0400 [DEBUG] provider.terraform-provider-azurerm_v3.73.0_x5: AzureRM Response for https://management.azure.com/subscriptions/***/resourceGroups/***/providers/Microsoft.Web/sites/***/providers/Microsoft.Insights/diagnosticSettings/***?api-version=2021-05-01-preview: 
HTTP/2.0 200 OK
Content-Length: 1833
Cache-Control: no-cache
Content-Type: application/json; charset=utf-8
Date: Mon, 01 Apr 2024 13:59:43 GMT
Expires: -1
Pragma: no-cache
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Cache: CONFIG_NOCACHE
X-Content-Type-Options: nosniff
X-Ms-Correlation-Request-Id: ***
X-Ms-Ratelimit-Remaining-Subscription-Reads: 11999
X-Ms-Request-Id: ***
X-Ms-Routing-Request-Id: ***
X-Msedge-Ref: Ref A: ***

{"id":"/subscriptions/***/resourcegroups/***/providers/microsoft.web/sites/***/providers/microsoft.insights/diagnosticSettings/***","type":"Microsoft.Insights/diagnosticSettings","name":"***","location":null,"kind":null,"tags":null,"properties":{"storageAccountId":null,"serviceBusRuleId":null,"workspaceId":"/subscriptions/***/resourceGroups/***/providers/Microsoft.OperationalInsights/workspaces/***","eventHubAuthorizationRuleId":null,"eventHubName":null,"metrics":[{"category":"AllMetrics","enabled":true,"retentionPolicy":{"enabled":false,"days":0}}],"logs":[{"category":"AppServiceAppLogs","categoryGroup":null,"enabled":true,"retentionPolicy":{"enabled":false,"days":0}},{"category":"AppServiceHTTPLogs","categoryGroup":null,"enabled":true,"retentionPolicy":{"enabled":false,"days":0}},{"category":"AppServiceAuthenticationLogs","categoryGroup":null,"enabled":true,"retentionPolicy":{"enabled":false,"days":0}},{"category":"AppServicePlatformLogs","categoryGroup":null,"enabled":true,"retentionPolicy":{"enabled":false,"days":0}},{"category":"AppServiceFileAuditLogs","categoryGroup":null,"enabled":true,"retentionPolicy":{"enabled":false,"days":0}},{"category":"AppServiceAntivirusScanAuditLogs","categoryGroup":null,"enabled":true,"retentionPolicy":{"enabled":false,"days":0}},{"category":"AppServiceConsoleLogs","categoryGroup":null,"enabled":true,"retentionPolicy":{"enabled":false,"days":0}},{"category":"AppServiceIPSecAuditLogs","categoryGroup":null,"enabled":true,"retentionPolicy":{"enabled":false,"days":0}},{"category":"AppServiceAuditLogs","categoryGroup":null,"enabled":true,"retentionPolicy":{"enabled":false,"days":0}}],"logAnalyticsDestinationType":null},"identity":null}: timestamp=2024-04-01T09:59:44.549-0400
2024-04-01T09:59:44.554-0400 [WARN]  Provider "registry.terraform.io/hashicorp/azurerm" produced an unexpected new value for azurerm_monitor_diagnostic_setting.main during refresh.
      - .enabled_log: planned set element cty.ObjectVal(map[string]cty.Value{"category":cty.StringVal("AppServiceAntivirusScanAuditLogs"), "category_group":cty.StringVal(""), "retention_policy":cty.ListValEmpty(cty.Object(map[string]cty.Type{"days":cty.Number, "enabled":cty.Bool}))}) does not correlate with any element in actual
      - .enabled_log: planned set element cty.ObjectVal(map[string]cty.Value{"category":cty.StringVal("AppServiceAppLogs"), "category_group":cty.StringVal(""), "retention_policy":cty.ListValEmpty(cty.Object(map[string]cty.Type{"days":cty.Number, "enabled":cty.Bool}))}) does not correlate with any element in actual
      - .enabled_log: planned set element cty.ObjectVal(map[string]cty.Value{"category":cty.StringVal("AppServiceAuditLogs"), "category_group":cty.StringVal(""), "retention_policy":cty.ListValEmpty(cty.Object(map[string]cty.Type{"days":cty.Number, "enabled":cty.Bool}))}) does not correlate with any element in actual
      - .enabled_log: planned set element cty.ObjectVal(map[string]cty.Value{"category":cty.StringVal("AppServiceAuthenticationLogs"), "category_group":cty.StringVal(""), "retention_policy":cty.ListValEmpty(cty.Object(map[string]cty.Type{"days":cty.Number, "enabled":cty.Bool}))}) does not correlate with any element in actual
      - .enabled_log: planned set element cty.ObjectVal(map[string]cty.Value{"category":cty.StringVal("AppServiceConsoleLogs"), "category_group":cty.StringVal(""), "retention_policy":cty.ListValEmpty(cty.Object(map[string]cty.Type{"days":cty.Number, "enabled":cty.Bool}))}) does not correlate with any element in actual
      - .enabled_log: planned set element cty.ObjectVal(map[string]cty.Value{"category":cty.StringVal("AppServiceFileAuditLogs"), "category_group":cty.StringVal(""), "retention_policy":cty.ListValEmpty(cty.Object(map[string]cty.Type{"days":cty.Number, "enabled":cty.Bool}))}) does not correlate with any element in actual
      - .enabled_log: planned set element cty.ObjectVal(map[string]cty.Value{"category":cty.StringVal("AppServiceHTTPLogs"), "category_group":cty.StringVal(""), "retention_policy":cty.ListValEmpty(cty.Object(map[string]cty.Type{"days":cty.Number, "enabled":cty.Bool}))}) does not correlate with any element in actual
      - .enabled_log: planned set element cty.ObjectVal(map[string]cty.Value{"category":cty.StringVal("AppServiceIPSecAuditLogs"), "category_group":cty.StringVal(""), "retention_policy":cty.ListValEmpty(cty.Object(map[string]cty.Type{"days":cty.Number, "enabled":cty.Bool}))}) does not correlate with any element in actual
      - .enabled_log: planned set element cty.ObjectVal(map[string]cty.Value{"category":cty.StringVal("AppServicePlatformLogs"), "category_group":cty.StringVal(""), "retention_policy":cty.ListValEmpty(cty.Object(map[string]cty.Type{"days":cty.Number, "enabled":cty.Bool}))}) does not correlate with any element in actual
      - .metric: actual set element cty.ObjectVal(map[string]cty.Value{"category":cty.StringVal("AllMetrics"), "enabled":cty.True, "retention_policy":cty.ListVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"days":cty.NumberIntVal(0), "enabled":cty.False})})}) does not correlate with any element in plan
      - .metric: block set length changed from 0 to 1
2024-04-01T09:59:44.559-0400 [DEBUG] provider.terraform-provider-azurerm_v3.73.0_x5: setting computed for "metric" from ComputedKeys: timestamp=2024-04-01T09:59:44.559-0400
2024-04-01T09:59:44.559-0400 [DEBUG] provider.terraform-provider-azurerm_v3.73.0_x5: setting computed for "enabled_log" from ComputedKeys: timestamp=2024-04-01T09:59:44.559-0400
2024-04-01T09:59:44.559-0400 [DEBUG] provider.terraform-provider-azurerm_v3.73.0_x5: A computed value with the empty string as the new value and a non-empty old value was found. Interpreting the empty string as "unset" to align with legacy behavior.: timestamp=2024-04-01T09:59:44.559-0400
2024-04-01T09:59:44.562-0400 [WARN]  Provider "registry.terraform.io/hashicorp/azurerm" produced an invalid plan for azurerm_monitor_diagnostic_setting.main, but we are tolerating it because it is using the legacy plugin SDK.
    The following problems may be the cause of any confusing errors from downstream operations:
      - .eventhub_name: planned value cty.StringVal("") for a non-computed attribute
      - .eventhub_authorization_rule_id: planned value cty.StringVal("") for a non-computed attribute
      - .enabled_log: planned value cty.SetVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"category":cty.StringVal("AppServiceAntivirusScanAuditLogs"), "category_group":cty.StringVal(""), "retention_policy":cty.ListVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"days":cty.NumberIntVal(0), "enabled":cty.False})})}), cty.ObjectVal(map[string]cty.Value{"category":cty.StringVal("AppServiceAppLogs"), "category_group":cty.StringVal(""), "retention_policy":cty.ListVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"days":cty.NumberIntVal(0), "enabled":cty.False})})}), cty.ObjectVal(map[string]cty.Value{"category":cty.StringVal("AppServiceAuditLogs"), "category_group":cty.StringVal(""), "retention_policy":cty.ListVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"days":cty.NumberIntVal(0), "enabled":cty.False})})}), cty.ObjectVal(map[string]cty.Value{"category":cty.StringVal("AppServiceAuthenticationLogs"), "category_group":cty.StringVal(""), "retention_policy":cty.ListVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"days":cty.NumberIntVal(0), "enabled":cty.False})})}), cty.ObjectVal(map[string]cty.Value{"category":cty.StringVal("AppServiceConsoleLogs"), "category_group":cty.StringVal(""), "retention_policy":cty.ListVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"days":cty.NumberIntVal(0), "enabled":cty.False})})}), cty.ObjectVal(map[string]cty.Value{"category":cty.StringVal("AppServiceFileAuditLogs"), "category_group":cty.StringVal(""), "retention_policy":cty.ListVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"days":cty.NumberIntVal(0), "enabled":cty.False})})}), cty.ObjectVal(map[string]cty.Value{"category":cty.StringVal("AppServiceHTTPLogs"), "category_group":cty.StringVal(""), "retention_policy":cty.ListVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"days":cty.NumberIntVal(0), "enabled":cty.False})})}), cty.ObjectVal(map[string]cty.Value{"category":cty.StringVal("AppServiceIPSecAuditLogs"), "category_group":cty.StringVal(""), "retention_policy":cty.ListVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"days":cty.NumberIntVal(0), "enabled":cty.False})})}), cty.ObjectVal(map[string]cty.Value{"category":cty.StringVal("AppServicePlatformLogs"), "category_group":cty.StringVal(""), "retention_policy":cty.ListVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"days":cty.NumberIntVal(0), "enabled":cty.False})})})}) for unknown dynamic block
2024-04-01T09:59:44.567-0400 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = error reading from server: EOF"
2024-04-01T09:59:44.569-0400 [DEBUG] provider: plugin process exited: path=.terraform/providers/registry.terraform.io/hashicorp/azurerm/3.73.0/linux_amd64/terraform-provider-azurerm_v3.73.0_x5 pid=29692
2024-04-01T09:59:44.569-0400 [DEBUG] provider: plugin exited
2024-04-01T09:59:44.574-0400 [DEBUG] building apply graph to check for errors
2024-04-01T09:59:44.575-0400 [DEBUG] Resource state not found for node "data.azurerm_monitor_diagnostic_categories.main", instance data.azurerm_monitor_diagnostic_categories.main

[fardarter]

Issue updating an app service:

Setup:

resource "azurerm_linux_web_app" "app" {
  name                                           = local.app_name 
  resource_group_name                            = var.resource_groups.target.name
  location                                       = var.resource_groups.target.location
  service_plan_id                                = data.azurerm_service_plan.service_plan.id
  key_vault_reference_identity_id                = var.app_service.key_vault_reference_identity_id
  webdeploy_publish_basic_authentication_enabled = true
  tags                                           = var.tags
  ftp_publish_basic_authentication_enabled       = false
  https_only                                     = true
  logs {
    failed_request_tracing  = true
    detailed_error_messages = true
    http_logs {
      file_system {
        retention_in_days = 2
        retention_in_mb   = 50
      }
    }
  }
  site_config {
    app_command_line                  = var.app_service.site_config.app_command_line
    http2_enabled                     = true
    ftps_state                        = "Disabled"
    always_on                         = var.app_service.site_config.always_on
    health_check_path                 = var.app_service.site_config.health_check_path
    health_check_eviction_time_in_min = 10
    application_stack {
      node_version   = var.app_service.site_config.application_stack.node_version
      dotnet_version = var.app_service.site_config.application_stack.dotnet_version
    }
    cors {
      allowed_origins     = ["https://${local.app_name}.azurewebsites.net"]
      support_credentials = true
    }
  }

  identity {
    type         = var.app_service.identity.type
    identity_ids = var.app_service.identity.identity_ids
  }
}

data "azurerm_monitor_diagnostic_categories" "diagnostic_categories" {
  resource_id = azurerm_linux_web_app.app.id
}

resource "azurerm_monitor_diagnostic_setting" "diagnostic_setting" {
  name                       = "log-analytics"
  target_resource_id         = azurerm_linux_web_app.app.id
  log_analytics_workspace_id = var.log_analytics_workspace.id

  dynamic "enabled_log" {
    for_each = data.azurerm_monitor_diagnostic_categories.diagnostic_categories.log_category_types
    content {
      category = enabled_log.value
    }
  }

  dynamic "metric" {
    for_each = data.azurerm_monitor_diagnostic_categories.diagnostic_categories.metrics
    content {
      category = metric.value
      enabled  = true
    }
  }
}

Error:

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place
 <= read (data resources)

Terraform will perform the following actions:

  # module.app_service.data.azurerm_monitor_diagnostic_categories.diagnostic_categories will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "azurerm_monitor_diagnostic_categories" "diagnostic_categories" {
      + id                  = (known after apply)
      + log_category_groups = (known after apply)
      + log_category_types  = (known after apply)
      + logs                = (known after apply)
      + metrics             = (known after apply)
      + resource_id         = "/subscriptions/<subscription>/resourceGroups/<rg_name>/providers/Microsoft.Web/sites/<sitename>"
    }

  # module.app_service.azurerm_linux_web_app.app will be updated in-place
  ~ resource "azurerm_linux_web_app" "app" {
      ~ app_settings                                   = {
          ~ "APPLICATIONINSIGHTS_CONNECTION_STRING" = (sensitive value)
            # (7 unchanged elements hidden)
        }
        id                                             = "/subscriptions/<subscription>/resourceGroups/<rg_name>/providers/Microsoft.Web/sites/<sitename>"
        name                                           = "<sitename>"
        tags                                           = {
            "Department"            = "DOH"
            "git_branch_name"       = "main"
            "git_remote_origin_url" = "[https://HealthDevOps@dev.azure.com/HealthDevOps/Patient-Facing-Interface/_git/Patient-Facing-Interface"](https://HealthDevOps@dev.azure.com/HealthDevOps/Patient-Facing-Interface/_git/Patient-Facing-Interface%22)
            "managed_by_iac"        = "terraform"
            "managed_by_sp"         = "b2b4e62c-0615-4855-92ec-92457d381c8d"
            "security_environment"  = "nonprod"
        }
        # (24 unchanged attributes hidden)

        # (3 unchanged blocks hidden)
    }

  # module.app_service.azurerm_monitor_diagnostic_setting.diagnostic_setting will be updated in-place
  ~ resource "azurerm_monitor_diagnostic_setting" "diagnostic_setting" {
        id                             = "/subscriptions/<subscription>/resourceGroups/<rg_name>/providers/Microsoft.Web/sites/<sitename>|log-analytics"
        name                           = "log-analytics"
        # (5 unchanged attributes hidden)

      - metric {
          - category = "AllMetrics" -> null
          - enabled  = true -> null

          - retention_policy {
              - days    = 0 -> null
              - enabled = false -> null
            }
        }

        # (13 unchanged blocks hidden)
    }

...

╷
│ Error: Provider produced inconsistent final plan
│ 
│ When expanding the plan for
│ module.app_service.azurerm_monitor_diagnostic_setting.diagnostic_setting
│ to include new values learned so far during apply, provider
│ "registry.terraform.io/hashicorp/azurerm" produced an invalid new value for
│ .enabled_log: planned set element
│ cty.ObjectVal(map[string]cty.Value{"category":cty.StringVal("AppServiceAppLogs"),
│ "category_group":cty.StringVal(""),
│ "retention_policy":cty.ListVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"days":cty.NumberIntVal(0),
│ "enabled":cty.False})})}) does not correlate with any element in actual.
│ 
│ This is a bug in the provider, which should be reported in the provider's
│ own issue tracker.
╵
╷
│ Error: Provider produced inconsistent final plan
│ 
│ When expanding the plan for
│ module.app_service.azurerm_monitor_diagnostic_setting.diagnostic_setting
│ to include new values learned so far during apply, provider
│ "registry.terraform.io/hashicorp/azurerm" produced an invalid new value for
│ .enabled_log: planned set element
│ cty.ObjectVal(map[string]cty.Value{"category":cty.StringVal("AppServiceAuditLogs"),
│ "category_group":cty.StringVal(""),
│ "retention_policy":cty.ListVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"days":cty.NumberIntVal(0),
│ "enabled":cty.False})})}) does not correlate with any element in actual.
│ 
│ This is a bug in the provider, which should be reported in the provider's
│ own issue tracker.
╵
╷
│ Error: Provider produced inconsistent final plan
│ 
│ When expanding the plan for
│ module.app_service.azurerm_monitor_diagnostic_setting.diagnostic_setting
│ to include new values learned so far during apply, provider
│ "registry.terraform.io/hashicorp/azurerm" produced an invalid new value for
│ .enabled_log: planned set element
│ cty.ObjectVal(map[string]cty.Value{"category":cty.StringVal("AppServiceConsoleLogs"),
│ "category_group":cty.StringVal(""),
│ "retention_policy":cty.ListVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"days":cty.NumberIntVal(0),
│ "enabled":cty.False})})}) does not correlate with any element in actual.
│ 
│ This is a bug in the provider, which should be reported in the provider's
│ own issue tracker.
╵
╷
│ Error: Provider produced inconsistent final plan
│ 
│ When expanding the plan for
│ module.app_service.azurerm_monitor_diagnostic_setting.diagnostic_setting
│ to include new values learned so far during apply, provider
│ "registry.terraform.io/hashicorp/azurerm" produced an invalid new value for
│ .enabled_log: planned set element
│ cty.ObjectVal(map[string]cty.Value{"category":cty.StringVal("AppServiceHTTPLogs"),
│ "category_group":cty.StringVal(""),
│ "retention_policy":cty.ListVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"days":cty.NumberIntVal(0),
│ "enabled":cty.False})})}) does not correlate with any element in actual.
│ 
│ This is a bug in the provider, which should be reported in the provider's
│ own issue tracker.
╵
╷
│ Error: Provider produced inconsistent final plan
│ 
│ When expanding the plan for
│ module.app_service.azurerm_monitor_diagnostic_setting.diagnostic_setting
│ to include new values learned so far during apply, provider
│ "registry.terraform.io/hashicorp/azurerm" produced an invalid new value for
│ .enabled_log: planned set element
│ cty.ObjectVal(map[string]cty.Value{"category":cty.StringVal("AppServiceIPSecAuditLogs"),
│ "category_group":cty.StringVal(""),
│ "retention_policy":cty.ListVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"days":cty.NumberIntVal(0),
│ "enabled":cty.False})})}) does not correlate with any element in actual.
│ 
│ This is a bug in the provider, which should be reported in the provider's
│ own issue tracker.
╵
╷
│ Error: Provider produced inconsistent final plan
│ 
│ When expanding the plan for
│ module.app_service.azurerm_monitor_diagnostic_setting.diagnostic_setting
│ to include new values learned so far during apply, provider
│ "registry.terraform.io/hashicorp/azurerm" produced an invalid new value for
│ .enabled_log: planned set element
│ cty.ObjectVal(map[string]cty.Value{"category":cty.StringVal("AppServicePlatformLogs"),
│ "category_group":cty.StringVal(""),
│ "retention_policy":cty.ListVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"days":cty.NumberIntVal(0),
│ "enabled":cty.False})})}) does not correlate with any element in actual.
│ 
│ This is a bug in the provider, which should be reported in the provider's
│ own issue tracker.
╵
╷
│ Error: Provider produced inconsistent final plan
│ 
│ When expanding the plan for
│ module.app_service.azurerm_monitor_diagnostic_setting.diagnostic_setting
│ to include new values learned so far during apply, provider
│ "registry.terraform.io/hashicorp/azurerm" produced an invalid new value for
│ .enabled_log: block set length changed from 6 to 7.
│ 
│ This is a bug in the provider, which should be reported in the provider's
│ own issue tracker.
╵
Releasing state lock. This may take a few moments...
##[error]Terraform command 'apply' failed with exit code '1'.
##[error]╷
│ Error: Provider produced inconsistent final plan
│ 
│ When expanding the plan for
│ module.app_service.azurerm_monitor_diagnostic_setting.diagnostic_setting
│ to include new values learned so far during apply, provider
│ "registry.terraform.io/hashicorp/azurerm" produced an invalid new value for
│ .enabled_log: planned set element
│ cty.ObjectVal(map[string]cty.Value{"category":cty.StringVal("AppServiceAppLogs"),
│ "category_group":cty.StringVal(""),
│ "retention_policy":cty.ListVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"days":cty.NumberIntVal(0),
│ "enabled":cty.False})})}) does not correlate with any element in actual.
│ 
│ This is a bug in the provider, which should be reported in the provider's
│ own issue tracker.
╵
╷
│ Error: Provider produced inconsistent final plan
│ 
│ When expanding the plan for
│ module.app_service.azurerm_monitor_diagnostic_setting.diagnostic_setting
│ to include new values learned so far during apply, provider
│ "registry.terraform.io/hashicorp/azurerm" produced an invalid new value for
│ .enabled_log: planned set element
│ cty.ObjectVal(map[string]cty.Value{"category":cty.StringVal("AppServiceAuditLogs"),
│ "category_group":cty.StringVal(""),
│ "retention_policy":cty.ListVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"days":cty.NumberIntVal(0),
│ "enabled":cty.False})})}) does not correlate with any element in actual.
│ 
│ This is a bug in the provider, which should be reported in the provider's
│ own issue tracker.
╵

╷
│ Error: Provider produced inconsistent final plan
│ 
│ When expanding the plan for
│ module.app_service.azurerm_monitor_diagnostic_setting.diagnostic_setting
│ to include new values learned so far during apply, provider
│ "registry.terraform.io/hashicorp/azurerm" produced an invalid new value for
│ .enabled_log: planned set element
│ cty.ObjectVal(map[string]cty.Value{"category":cty.StringVal("AppServiceConsoleLogs"),
│ "category_group":cty.StringVal(""),
│ "retention_policy":cty.ListVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"days":cty.NumberIntVal(0),
│ "enabled":cty.False})})}) does not correlate with any element in actual.
│ 
│ This is a bug in the provider, which should be reported in the provider's
│ own issue tracker.
╵
╷
│ Error: Provider produced inconsistent final plan
│ 
│ When expanding the plan for
│ module.app_service.azurerm_monitor_diagnostic_setting.diagnostic_setting
│ to include new values learned so far during apply, provider
│ "registry.terraform.io/hashicorp/azurerm" produced an invalid new value for
│ .enabled_log: planned set element
│ cty.ObjectVal(map[string]cty.Value{"category":cty.StringVal("AppServiceHTTPLogs"),
│ "category_group":cty.StringVal(""),
│ "retention_policy":cty.ListVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"days":cty.NumberIntVal(0),
│ "enabled":cty.False})})}) does not correlate with any element in actual.
│ 
│ This is a bug in the provider, which should be reported in the provider's
│ own issue tracker.
╵
╷
│ Error: Provider produced inconsistent final plan
│ 
│ When expanding the plan for
│ module.app_service.azurerm_monitor_diagnostic_setting.diagnostic_setting
│ to include new values learned so far during apply, provider
│ "registry.terraform.io/hashicorp/azurerm" produced an invalid new value for
│ .enabled_log: planned set element
│ cty.ObjectVal(map[string]cty.Value{"category":cty.StringVal("AppServiceIPSecAuditLogs"),
│ "category_group":cty.StringVal(""),
│ "retention_policy":cty.ListVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"days":cty.NumberIntVal(0),
│ "enabled":cty.False})})}) does not correlate with any element in actual.
│ 
│ This is a bug in the provider, which should be reported in the provider's
│ own issue tracker.
╵
╷
│ Error: Provider produced inconsistent final plan
│ 
│ When expanding the plan for
│ module.app_service.azurerm_monitor_diagnostic_setting.diagnostic_setting
│ to include new values learned so far during apply, provider
│ "registry.terraform.io/hashicorp/azurerm" produced an invalid new value for
│ .enabled_log: planned set element
│ cty.ObjectVal(map[string]cty.Value{"category":cty.StringVal("AppServicePlatformLogs"),
│ "category_group":cty.StringVal(""),
│ "retention_policy":cty.ListVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"days":cty.NumberIntVal(0),
│ "enabled":cty.False})})}) does not correlate with any element in actual.
│ 
│ This is a bug in the provider, which should be reported in the provider's
│ own issue tracker.
╵
╷
│ Error: Provider produced inconsistent final plan
│ 
│ When expanding the plan for
│ module.app_service.azurerm_monitor_diagnostic_setting.diagnostic_setting
│ to include new values learned so far during apply, provider
│ "registry.terraform.io/hashicorp/azurerm" produced an invalid new value for
│ .enabled_log: block set length changed from 6 to 7.
│ 
│ This is a bug in the provider, which should be reported in the provider's
│ own issue tracker.

[jr8279]

I've found that the issue stems from a new Log Category that Azure pushed out which is in Preview. Checking the box for this new log fixes the errors and allows Terraform to complete.

[jarpoole]

@teowa could you take another look? Really feels like azurerm_monitor_diagnostic_setting would benefit from an enabled_metrics option as suggested in #10388

[jr8279]

We've been seeing this error in several different resources including Function App, App Service, and Event Hub. One thing I recently noticed on the Event Hub logs is that after all of the logs are manually enabled, the order of the categories changes. I believe the error is because the list is changing and Terraform doesn't know how to handle it.