azurerm_monitor_aad_diagnostic_setting missing support for NetworkAccessTrafficLogs log category

[slynickel]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

latest

$ terraform -v
Terraform v1.1.5
+ provider registry.terraform.io/hashicorp/azurerm v2.96.0

Affected Resource(s)

• azurerm_monitor_aad_diagnostic_setting

Terraform Configuration Files

resource "azurerm_monitor_aad_diagnostic_setting" "aad_diagnostic_setting" {
  name = "aad-diagnostic-setting"
  storage_account_id = "/subscriptions/<redacted>/resourceGroups/<redacted>/providers/Microsoft.Storage/storageAccounts/<redacted>"

  log {
    category = "SignInLogs"
    enabled  = true
    retention_policy {}
  }
  log {
    category = "AuditLogs"
    enabled  = true
    retention_policy {}
  }
  log {
    category = "NonInteractiveUserSignInLogs"
    enabled  = true
    retention_policy {}
  }
  log {
    category = "ServicePrincipalSignInLogs"
    enabled  = true
    retention_policy {}
  }
  log {
    category = "ManagedIdentitySignInLogs"                                                                                                                                                                                                                                                                                                                                   enabled  = true
    retention_policy {}
  }
  log {
    category = "ProvisioningLogs"
    enabled  = true
    retention_policy {}
  }
  log {
    category = "ADFSSignInLogs"
    enabled  = true
    retention_policy {}
  }
  log {
    category = "RiskyUsers"
    enabled  = true
    retention_policy {}
  }
  log {
    category = "UserRiskEvents"
    enabled  = true
    retention_policy {}
  }
  # You can't put the following block, otherwise the error below happens
  log {
    category = "NetworkAccessTrafficLogs"
    enabled = false
    retention_policy {}
  }
}

Debug Output

N/A not useful

Panic Output

N/A not useful

Expected Behaviour

Deploy should happen without error.

Actual Behaviour

If you put the last block I specified the following occurs.

Error: expected log.3.category to be one of [AuditLogs SignInLogs ADFSSignInLogs ManagedIdentitySignInLogs NonInteractiveUserSignInLogs ProvisioningLogs ServicePrincipalSignInLogs RiskyUsers UserRiskEvents], got NetworkAccessTrafficLogs

If you instead leave that last block out you get a forever re-applying loop that looks like this.

        log {                                                                                                                                                                                                                                                                                                                                                                        category = "ManagedIdentitySignInLogs"
            enabled  = true

            retention_policy {
                days    = 0
                enabled = false
            }
        }
      - log {
          - category = "NetworkAccessTrafficLogs" -> null
          - enabled  = false -> null

          - retention_policy {
              - days    = 0 -> null
              - enabled = false -> null
            }
        }
        log {
            category = "NonInteractiveUserSignInLogs"
            enabled  = true

            retention_policy {
                days    = 0
                enabled = false                                                                                                                                                                                                                                                                                                                                                      
     }
        }
        log {
            category = "ProvisioningLogs"
            enabled  = true

            retention_policy {
                days    = 0
                enabled = false
            }
        }

Steps to Reproduce

1. terraform apply

Important Factoids

N/A

References

• https://github.com/MicrosoftDocs/azure-docs/issues/87926
  • This particular diagnostic setting is not documented publically or in preview anywhere I could find. I wrote up a different issue with Microsoft docs to document this.

Suggested Fix

Add the category item NetworkAccessTrafficLogs to https://github.com/hashicorp/terraform-provider-azurerm/blob/main/internal/services/monitor/monitor_aad_diagnostic_setting_resource.go#L104

I doesn't look like this will require a dependency update. One question I don't know the answer to is if this particular category item is universal across all Azure Active Directory Tenants at this point.

[slynickel]

MSFT is changing this a lot right now. There are another two that were added between when I posted this and today. Same sort of issue of repeated changes needed being generated.

The additional categories are ServicePrincipalRiskEvents and RiskyServicePrincipals.

[github-actions]

This functionality has been released in v3.4.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.