Unable to create NSG flow log

[jelicics]

What happened?

I have tried to create a network security group flow log for an existing Network Watcher.
The error I am getting is:

Diagnostics:
  azure-native:network:FlowLog (<log name>)
    error: Code="ParentResourceNotFound" Message="Can not perform requested operation on nested resource. Parent resource '<Network Watcher name not found.>"

I have tried getting the Network Watcher configuration (through the get/lookup function), both with native and classic Azure provider.
I have also tried importing said Network Watcher in the pulumi stack, with the same error.
All of the above was tried with a few newer versions of the network module.

The Network Watcher is present, accessible and able to be queried by the lookup function.
Trying the same with the az cli is successful.

Steps to reproduce

Network Watcher lookup

		netWatcher, err := network.LookupNetworkWatcher(ctx, &network.LookupNetworkWatcherArgs{
			NetworkWatcherName: "<Network Watcher name>",
			ResourceGroupName: "<Network Watcher resource group>",
		})
		if err != nil {
			return err
		}

Network Watcher import

		netWatcherimport, err := network.NewNetworkWatcher(ctx, "netwatcher", &network.NetworkWatcherArgs{
			Location:           pulumi.String("eastus2"),
			NetworkWatcherName: pulumi.String("<Network Watcher name>"),
			ResourceGroupName:  pulumi.String("<Network Watcher resource group>"),
		}, pulumi.Import(pulumi.ID("Network Watcher resource id")), pulumi.Protect(true))
		if err != nil {
			return err
		}

Flow log creation

		gatewayFlowlog, err := network.NewFlowLog(ctx, "gateway-log", &network.FlowLogArgs{
			Enabled: pulumi.Bool(true),
			FlowAnalyticsConfiguration: &network.TrafficAnalyticsPropertiesArgs{
				NetworkWatcherFlowAnalyticsConfiguration: &network.TrafficAnalyticsConfigurationPropertiesArgs{
					Enabled:                  pulumi.Bool(true),
					TrafficAnalyticsInterval: pulumi.Int(60),
					WorkspaceId:              presentWorkspace.CustomerId,
					WorkspaceRegion:     pulumi.String("eastus2"),
					WorkspaceResourceId: presentWorkspace.ID(),
				},
			},
			Location: pulumi.String("eastus2"),
                        // either through lookup or import
			NetworkWatcherName: netWatcher.Name,
			ResourceGroupName:  resourceGroup.Name,
			RetentionPolicy: &testera.RetentionPolicyParametersArgs{
				Days:    pulumi.Int(30),
				Enabled: pulumi.Bool(true),
			},
			StorageId: logStorage.ID(),
			TargetResourceId: nsgGateway.ID(),
			Format: &testera.FlowLogFormatParametersArgs{
				Type:    pulumi.String("JSON"),
				Version: pulumi.Int(1),
			},
		}, pulumi.DependsOn([]pulumi.Resource{netWatcherimport}))
		if err != nil {
			return err
		}

Expected Behavior

I expect to create a flow log based on the given network security group

Actual Behavior

The script stops witht he following error:

Diagnostics:
  azure-native:network:FlowLog (<log name>)
    error: Code="ParentResourceNotFound" Message="Can not perform requested operation on nested resource. Parent resource '<Network Watcher name not found.>"

[dixler]

Hi. Thanks for posting. I was googling the error message and it seems that the error message is coming from Azure.

I found the following stack overflow post with a similar error message, but on a different resource.
https://stackoverflow.com/questions/56671647/can-not-perform-requested-operation-on-nested-resource-parent-resource-io

I have very limited experience with azure, but my uneducated guess is that there may be another resource in the network.NewNetworkWatcher resource group that network.NewFlowLog is depending on being configured in its own resource group.

I'm going to transfer this issue to the pulumi-azure-native repository since this seems like an azure specific issue.

[danielrbradley]

A couple of questions to help me get a picture of what's happening...

1. Is this issue limited only to where you're using an imported or looked-up network watcher? Does it work correctly when creating the network watcher in the program?
2. From the error, is this the literal string being returned or have you redacted the parent resource name? Parent resource '<Network Watcher name not found.>"

[jelicics]

1. I have tried both with the imported and looked-up network watcher, with the same result.
   There can be only one network watcher in a given subscription. I tried to create one, just to see what would happen but this is
   the result (netty-watcher is the name of the network watcher I tried to create).

Diagnostics:
azure-native:network:NetworkWatcher (netty-watcher):
error: autorest/azure: Service returned an error. Status=400 Code="NetworkWatcherCountLimitReached" Message="Cannot create more than 1 network watchers for this subscription in this region." Details=[]

2. Literal string is being returned (the name of the network watcher), I just omitted it to make it more readable.
   This is the full error message (the name of the network watcher is automagically generated in Azure, "pulumi-gateway-log" is the name of the flow log).

Diagnostics:
azure-native:network:FlowLog (pulumi-gateway-log)
error: Code="ParentResourceNotFound" Message="Can not perform requested operation on nested resource. Parent resource 'NetworkWatcher_eastus2' not found."

[kAleksei]

I've got the same issue but with the service bus and topic. If the problem is the same, then the root case is that parent object resource group differs from child one.