Support for Subnet scoped VNET flow logs #28175

Closed
alexkunde opened this issue Dec 4, 2024 · 0 comments · Fixed by #28177
Comments

alexkunde commented Dec 4, 2024

Description

Azure supports scoping of VNET flow logs onto a subnet. This is not yet possible via Terraform.
Fun fact: Importing a subnet resource actually works, but the ID validation will still fail.

New or Affected Resource(s)/Data Source(s)

azurerm_network_watcher_flow_log

Potential Terraform Configuration

## Expectation


resource "azurerm_network_watcher_flow_log" "vnet_flow_log_test" {
  # name and rg are the same for nonprod and prod
  # because Azure creates them automatically when the subscription is created
  name    = "${azurerm_subnet.test_sn.name}-vnet-flow-log"
  enabled = true
  version = 2

  network_watcher_name = "NetworkWatcher_germanywestcentral"
  resource_group_name  = "NetworkWatcherRG"
  target_resource_id   = azurerm_subnet.test_sn.id
  storage_account_id   = var.vnet_flow_logs_storage_account.id

  retention_policy {
    enabled = true
    days    = 30
  }

  traffic_analytics {
    enabled               = true
    workspace_id          = var.log_analytics_workspace.workspace_id
    workspace_region      = var.log_analytics_workspace.location
    workspace_resource_id = var.log_analytics_workspace.id
    interval_in_minutes   = 10
  }
}

Terraform plan (fails)

│ Error: parsing "/subscriptions/xxx/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/test_sn": parsing segment "staticNetworkSecurityGroups": parsing the NetworkSecurityGroup ID: the segment at position 6 didn't match

│ Expected a NetworkSecurityGroup ID that matched:

│ > /subscriptions/12345678-1234-9876-4563-123456789012/resourceGroups/example-resource-group/providers/Microsoft.Network/networkSecurityGroups/networkSecurityGroupName

│ However this value was provided:

│ > /subscriptions/xxx/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/test_sn

│ The parsed Resource ID was missing a value for the segment at position 6
│ (which should be the literal value "networkSecurityGroups").

│   with module.xxx.azurerm_network_watcher_flow_log.vnet_flow_log_test,
│   on ../../modules/xxx/test.tf line 67, in resource "azurerm_network_watcher_flow_log" "vnet_flow_log_test":
│   67:   target_resource_id   = azurerm_subnet.test_sn.id

Terraform import (works)

terraform import module.xxx.azurerm_network_watcher_flow_log.vnet_flow_log_test /subscriptions/xxx/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_germanywestcentral/flowLogs/test-flowlog

[...]
module.xxx.azurerm_network_watcher_flow_log.vnet_flow_log_test: Import prepared!
  Prepared azurerm_network_watcher_flow_log for import
[...]
Import successful!

The resources that were imported are shown above. These resources are now in
your Terraform state and will henceforth be managed by Terraform.

Afterwards, Terraform plan will fail once again with validation.
I tried switching the resource to a network_security_group_id just to get the plan working. The changes proposed are as follows. Old is the imported resource, new is my nsg_id.

  # module.mongodb-config.azurerm_network_watcher_flow_log.vnet_flow_log_test must be replaced
-/+ resource "azurerm_network_watcher_flow_log" "vnet_flow_log_test" {
      ~ target_resource_id        = "/subscriptions/xxx/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/test_sn" -> "/subscriptions/xxx/resourceGroups/test-rg/providers/Microsoft.Network/networkSecurityGroups/test-nsg"
        # (4 unchanged attributes hidden)
        # (2 unchanged blocks hidden)
    }

You can see the target_resource_id the import uses is actually what we would expect; it seems only the validation is broken right now and does not support subnet scoping.

PS: The documentation is also out of date and still shows network_security_group_id instead of target_resource_id.

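The error above comes from a validator that only knows the NSG ID shape, and the referenced fix widens the accepted target types to subnet and NIC. As an added illustration (not the provider's own code), here is a small Go validator that checks a target_resource_id against the NSG, subnet and NIC shapes and reports the first mismatching 0-based segment the way the provider's message does; the shape table and the case-insensitive literal comparison are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)
// Segment layouts for the three target types the fix accepts (NSG, subnet, NIC).
// "*" is a user-supplied segment; positions are 0-based, as in the error above.
var flowLogTargetShapes = []struct {
	kind  string
	shape []string
}{
	{"networkSecurityGroup", []string{"subscriptions", "*", "resourceGroups", "*", "providers", "Microsoft.Network", "networkSecurityGroups", "*"}},
	{"subnet", []string{"subscriptions", "*", "resourceGroups", "*", "providers", "Microsoft.Network", "virtualNetworks", "*", "subnets", "*"}},
	{"networkInterface", []string{"subscriptions", "*", "resourceGroups", "*", "providers", "Microsoft.Network", "networkInterfaces", "*"}},
}

// matchShape reports the first segment of segs that does not fit shape
// (literals compare case-insensitively: an assumption about Azure ID handling).
func matchShape(segs, shape []string) error {
	for i, want := range shape {
		if i >= len(segs) || segs[i] == "" {
			return fmt.Errorf("missing a value for the segment at position %d", i)
		}
		if want != "*" && !strings.EqualFold(segs[i], want) {
			return fmt.Errorf("segment at position %d didn't match (expected %q)", i, want)
		}
	}
	if len(segs) != len(shape) {
		return fmt.Errorf("unexpected trailing segment %q", segs[len(shape)])
	}
	return nil
}

// ValidateFlowLogTarget returns which accepted type id is, or why each shape rejected it.
func ValidateFlowLogTarget(id string) (string, error) {
	segs := strings.Split(strings.Trim(id, "/"), "/")
	var reasons []string
	for _, t := range flowLogTargetShapes {
		err := matchShape(segs, t.shape)
		if err == nil {
			return t.kind, nil
		}
		reasons = append(reasons, t.kind+": "+err.Error())
	}
	return "", fmt.Errorf("parsing %q: %s", id, strings.Join(reasons, "; "))
}
func main() { // constructed subnet ID using the issue's "xxx" subscription placeholder
	fmt.Println(ValidateFlowLogTarget("/subscriptions/xxx/resourceGroups/test-rg/providers/Microsoft.Network/virtualNetworks/test-vnet/subnets/test_sn"))
}
```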
favoretti added a commit to favoretti/terraform-provider-azurerm that referenced this issue Dec 4, 2024
…get_resource_id`

Added NIC and subnet as accepted value types for `target_resource_id`.

Fixes hashicorp#28175
stephybun pushed a commit that referenced this issue Dec 5, 2024
…get_resource_id` (#28177)

* `azurerm_network_watcher_flow_log`: Add 2 more resource types to `target_resource_id`

Added NIC and subnet as accepted value types for `target_resource_id`.

Fixes #28175

* fmt
@github-actions github-actions bot added this to the v4.13.0 milestone Dec 5, 2024