
Support for VNet in azurerm_network_watcher_flow_log #25982

Closed

terrymandin opened this issue May 15, 2024 · 19 comments · Fixed by #26015

Comments

@terrymandin

terrymandin commented May 15, 2024

Description

I am creating a Terraform Azure Verified Module for Flow Logs. We have a requirement to create a flow log as part of the VNet creation. This is supported in the portal:

[portal screenshot]

but not in the provider. Please add this capability.

I believe that the network_security_group_id variable should be renamed to target_resource_id similar to azapi. I confirmed that setting this to a VNet also works. It doesn't have to be just an NSG.

New or Affected Resource(s)/Data Source(s)

azurerm_network_watcher_flow_log

Potential Terraform Configuration

```hcl
resource "azurerm_network_watcher_flow_log" "test" {
  network_watcher_name = azurerm_network_watcher.test.name
  resource_group_name  = azurerm_resource_group.example.name
  name                 = "example-log"

  target_resource_id        = azurerm_virtual_network.this.id
  storage_account_id        = azurerm_storage_account.test.id
  enabled                   = true

  retention_policy {
    enabled = true
    days    = 7
  }

  traffic_analytics {
    enabled               = true
    workspace_id          = azurerm_log_analytics_workspace.test.workspace_id
    workspace_region      = azurerm_log_analytics_workspace.test.location
    workspace_resource_id = azurerm_log_analytics_workspace.test.id
    interval_in_minutes   = 10
  }
}
```

References

No response


favoretti added a commit to favoretti/terraform-provider-azurerm that referenced this issue May 17, 2024
`network_security_group_id` is superseded by `target_resource_id`

Fixes hashicorp#25982
@michasacuer

@favoretti any updates?

@VillageIke

Any updates?

@ryanghavidel2024

I guess it's not doable in Terraform yet! target_resource_id or resource_id to specify the VNET are not simply working in azurerm_network_watcher_flow_log. We seem to have to use NSGs for now...

aristosvo pushed a commit to aristosvo/terraform-provider-azurerm that referenced this issue Aug 26, 2024
`network_security_group_id` is superseded by `target_resource_id`

Fixes hashicorp#25982
@MrImpossibru

@ryanghavidel2024 I just tried to set a VNet id to the "targetResourceId" field in their REST API endpoint to create flow logs and successfully created VNet Flow Logs. Since Azure Go SDK supports sending this field, it should work. API definition: https://learn.microsoft.com/en-us/rest/api/network-watcher/flow-logs/create-or-update?view=rest-network-watcher-2024-01-01

@kaplik

kaplik commented Sep 6, 2024

It also works with the azapi provider:

```hcl
resource "azapi_resource" "vnet_flow_logs" {
  type      = "Microsoft.Network/networkWatchers/flowLogs@2023-11-01"
  name      = "${azurerm_virtual_network.this.name}-logs"
  location  = data.azurerm_network_watcher.this.location
  parent_id = data.azurerm_network_watcher.this.id
  tags      = var.tags

  body = jsonencode({
    properties = {
      enabled = true
      flowAnalyticsConfiguration = {
        networkWatcherFlowAnalyticsConfiguration = {
          enabled = false
        }
      }
      format = {
        type    = "JSON"
        version = 2
      }
      retentionPolicy = {
        days    = 7
        enabled = true
      }
      storageId        = azurerm_storage_account.flow_logs.id
      targetResourceId = azurerm_virtual_network.this.id
    }
  })
}
```

@RyanGhavidel

@kaplik @MrImpossibru Super! Thanks so much.

@jhutchings

jhutchings commented Oct 23, 2024

Looks like NSG targeted flow logs have a deprecation announcement, luckily it's not till June 2025 (2027 for EOL) but it's now official that VNET Flow Logs will be the go forward:
https://learn.microsoft.com/en-us/azure/network-watcher/nsg-flow-logs-overview

@gguibert

gguibert commented Nov 5, 2024

Hi there,
Please update, this issue has been open since May... ???
Thanks @kaplik for the workaround ;)
But it's better to have this basic feature in the azurerm provider, especially since the announcement of the NSG flow logs deprecation.
Fortunately, yes, we have a little time @jhutchings, but it's going to happen very quickly.

@rapster83

Any updates regarding the timeline?

@keisari-ch

> Looks like NSG targeted flow logs have a deprecation announcement, luckily it's not till June 2025 (2027 for EOL) but it's now official that VNET Flow Logs will be the go forward: https://learn.microsoft.com/en-us/azure/network-watcher/nsg-flow-logs-overview

A bit off-topic, but this was about time. Having to create a NSG flow log to have traces from network activity on a subnet level is a weird approach.

favoretti added a commit to favoretti/terraform-provider-azurerm that referenced this issue Nov 14, 2024
`network_security_group_id` is superseded by `target_resource_id`

Fixes hashicorp#25982
@cmrvsix

cmrvsix commented Nov 15, 2024

are we sure this was resolved? I'm pointing to v4.10.0 and am still seeing that "network_security_group_id" is a required parameter, and "target_resource_id" is not recognized as a valid parameter.

@MarcosAlanoSecurrency

> are we sure this was resolved? I'm pointing to v4.10.0 and am still seeing that "network_security_group_id" is a required parameter, and "target_resource_id" is not recognized as a valid parameter.

They still need to release a newer version with this change.

@github-actions github-actions bot added this to the v4.11.0 milestone Nov 21, 2024
@kevinrosal

kevinrosal commented Dec 3, 2024

@stephybun

Was able to deploy using v4.12.0. However, it looks like it only allows a VNET as the target_resource_id. When setting the value to be a subnet, it's not working. Any chance we allow target_resource_id to allow subnets as well?

Error: parsing "/subscriptions/7187238787123/resourceGroups/test-rgp/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/subnet1": unexpected segment "subnets/subnet1" present at the end of the URI (input "/subscriptions/7187238787123/resourceGroups/test-rgp/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/subnet1")
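The error above is the provider rejecting a subnet ID because its ID parser only accepts a bare virtual network ID and treats the trailing `subnets/<name>` segments as garbage. The following Go program, added here as an illustration and not taken from the azurerm provider, shows how a target-ID check can be written that accepts each target kind the portal offers (NSG, VNet, subnet, NIC) while still rejecting unknown resource types and stray trailing segments with an error of the same shape. `ParseFlowLogTarget`, `TargetKind` and the constructed sample IDs (placeholder subscription) are assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// TargetKind classifies which kind of Azure resource a flow log points at.
type TargetKind string

const (
	KindNSG    TargetKind = "networkSecurityGroup"
	KindVNet   TargetKind = "virtualNetwork"
	KindSubnet TargetKind = "subnet"
	KindNIC    TargetKind = "networkInterface"
)

// ParseFlowLogTarget validates an Azure resource ID of the form
//   /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Network/<type>/<name>[/subnets/<name>]
// and reports which flow log target kind it denotes. Hypothetical helper
// written for this example; it is not the azurerm provider's own parser.
func ParseFlowLogTarget(id string) (TargetKind, error) {
	segs := strings.Split(strings.Trim(id, "/"), "/")
	if len(segs) < 8 ||
		!strings.EqualFold(segs[0], "subscriptions") ||
		!strings.EqualFold(segs[2], "resourceGroups") ||
		!strings.EqualFold(segs[4], "providers") ||
		!strings.EqualFold(segs[5], "Microsoft.Network") {
		return "", fmt.Errorf("parsing %q: not a Microsoft.Network resource ID", id)
	}
	for _, s := range segs {
		if s == "" {
			return "", fmt.Errorf("parsing %q: empty segment in resource ID", id)
		}
	}
	resourceType, rest := segs[6], segs[8:]
	switch strings.ToLower(resourceType) {
	case "networksecuritygroups":
		if len(rest) == 0 {
			return KindNSG, nil
		}
	case "networkinterfaces":
		if len(rest) == 0 {
			return KindNIC, nil
		}
	case "virtualnetworks":
		if len(rest) == 0 {
			return KindVNet, nil
		}
		// A subnet is a child of a virtual network: exactly two extra segments.
		if len(rest) == 2 && strings.EqualFold(rest[0], "subnets") {
			return KindSubnet, nil
		}
	default:
		return "", fmt.Errorf("parsing %q: resource type %q is not a supported flow log target", id, resourceType)
	}
	// Known resource type but with child segments we do not accept; this
	// mirrors the shape of the error quoted in the thread.
	return "", fmt.Errorf("parsing %q: unexpected segment %q present at the end of the URI", id, strings.Join(rest, "/"))
}

func main() {
	// Constructed sample IDs with a placeholder subscription id.
	const prefix = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test-rgp/providers/Microsoft.Network/"
	for _, id := range []string{
		prefix + "networkSecurityGroups/test-nsg",
		prefix + "virtualNetworks/test-vnet",
		prefix + "virtualNetworks/test-vnet/subnets/subnet1",
		prefix + "networkInterfaces/test-nic",
		prefix + "virtualNetworks/test-vnet/peerings/p1",
		prefix + "publicIPAddresses/test-pip",
	} {
		kind, err := ParseFlowLogTarget(id)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println("accepted:", kind, id)
	}
}
```

The point of keeping the check strict rather than simply passing any string through to the API is that a flow log attached to the wrong resource silently records nothing useful; failing at plan time with the offending segment named is the better outcome.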

@favoretti
Collaborator

@kevinrosal is that supported through portal? Apologies, I somehow didn't check API specs. I can add it as a followup PR.

@kevinrosal

@favoretti yes. from the portal possible options are VNET, Subnet, NIC


@favoretti
Collaborator

@kevinrosal mind opening a new issue for this? I'll work on adding it in the meantime.

@alexkunde

Please see #28175 for this

@favoretti
Collaborator

#28177
