0
votes

I'm deploying a Key Vault in Azure via an ARM template and the "azurerm_template_deployment" resource, but I need to enable diagnostic settings and stream diagnostic data to my existing log analytics workspace.

The aim is to deploy the key vault itself with the diagnostic settings in the same "terraform apply"

When running terraform apply, the key vault itself gets deployed, but the diagnostic settings do not get enabled, and fail via the following message:

[error]Error: Error creating Monitor Diagnostics Setting "kv-diagnostics" for Resource "/subscriptions/----/resourceGroups/rg-test-001/providers/Microsoft.Resources/deployments/kv-diagnostics": insights.DiagnosticSettingsClient#CreateOrUpdate: Failure responding to request: StatusCode=404 -- Original Error: autorest/azure: Service returned an error. Status=404 Code="" Message="No HTTP resource was found that matches the request URI 'h_ttps://management.azure.com/subscriptions/---/resourceGroups/rg-test-001/providers/Microsoft.Resources/deployments/kv_test/providers/microsoft.insights/diagnosticSettings/kv-diagnostics?api-version=2017-05-01-preview'."

The following is my code for the diagnostic settings resource in Terraform:

resource "azurerm_monitor_diagnostic_setting" "kv-diag" {
  count                      = length(var.kv_name)
  name                       = "kv-diagnostics"
  target_resource_id         = azurerm_template_deployment.kv[count.index].id
  log_analytics_workspace_id = azurerm_log_analytics_workspace.log.id

  log {
    ...
  }

  metric {
    ...
  }
}

Where azurerm_log_analytics_workspace.logs.id already exists and the variable var.kv_name is a list of names (so far there is only 1 name in the list). The output of "terraform plan" shows the target_resource_id = (known after apply), which makes sense as in the ideal situation the key vault hasn't been deployed yet, so it doesn't have an id.

Why is Azure throwing this error? Where am I going wrong?

1
Do you have any questions? Is the reply helpful to you? - Nancy Xiong
Yes, this is helpful, thank you. I do have questions, for example how do I make sure that my ARM template doesn't keep deploying the key vault each time an apply is run? - mkcoding
I think you can deploy the Key vault template solely without terraform. The result should be the same when you run the template via azurerm_template_deployment. - Nancy Xiong
Any more questions? If the reply helps you, please mark it. - Nancy Xiong

1 Answer

1
votes

You could export the value of the key vault Id from your template in azurerm_template_deployment with outputs, then reference the key vault Id instead of the template deployment ID as the target_resource_id in your code.

For example,

resource "azurerm_resource_group" "example" {
  name     = "nancy-resources"
  location = "West US"
}

resource "azurerm_template_deployment" "example" {
  name                = "nancytemplate-01"
  resource_group_name = azurerm_resource_group.example.name

  deployment_mode = "Incremental"

  template_body = <<DEPLOY
{
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "vaults_ancykeyvault_name": {
            "defaultValue": "nanvalut123",
            "type": "String"
        }
    },
    "variables": {},
    "resources": [
        {
            "type": "Microsoft.KeyVault/vaults",
            "apiVersion": "2016-10-01",
            "name": "[parameters('vaults_ancykeyvault_name')]",
            "location": "westus",
            "properties": {
                "sku": {
                    "family": "A",
                    "name": "standard"
                },
                "tenantId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
                "accessPolicies": [
                    {
                        "tenantId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
                        "objectId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
                        "permissions": {
                            "keys": [
                                "Get",
                                "Create",
                                "Delete",
                                "List",
                                "Update",
                                "Import",
                                "Backup",
                                "Restore",
                                "Recover"
                            ],
                            "secrets": [
                                "Get",
                                "List",
                                "Set",
                                "Delete",
                                "Backup",
                                "Restore",
                                "Recover"
                            ],
                            "certificates": [
                                "Get",
                                "List",
                                "Delete",
                                "Create",
                                "Import",
                                "Update",
                                "ManageContacts",
                                "GetIssuers",
                                "ListIssuers",
                                "SetIssuers",
                                "DeleteIssuers",
                                "ManageIssuers",
                                "Recover"
                            ],
                            "storage": [
                                "get",
                                "list",
                                "delete",
                                "set",
                                "update",
                                "regeneratekey",
                                "setsas",
                                "listsas",
                                "getsas",
                                "deletesas"
                            ]
                        }
                    }
                ],
                "enabledForDeployment": false,
                "enabledForDiskEncryption": false,
                "enabledForTemplateDeployment": true
            }
        }
    ],
    "outputs": {
        "myKvID": {
            "type": "string",
            "value": "[resourceId('Microsoft.KeyVault/vaults',parameters('vaults_ancykeyvault_name'))]"
        }
    }
}
DEPLOY
}




resource "azurerm_log_analytics_workspace" "example" {
  name                = "nancytest-01"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  sku                 = "PerGB2018"
  retention_in_days   = 30
}

resource "azurerm_monitor_diagnostic_setting" "example" {
  name               = "nancymonitoring"

  target_resource_id = azurerm_template_deployment.example.outputs["myKvID"]
  log_analytics_workspace_id = azurerm_log_analytics_workspace.example.id

  log {
    category = "AuditEvent"
    enabled  = false

    retention_policy {
      enabled = false
    }
  }

  metric {
    category = "AllMetrics"

    retention_policy {
      enabled = false
    }
  }
}

output "exsitingKvID" {
  value = azurerm_template_deployment.example.outputs["myKvID"]
}

Result: (screenshot of the apply output, not reproduced here)
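The following is an added example, not code from the question or the answer above, that applies the answer's fix (reading the vault's own resource id from the ARM template's outputs) to the asker's count-based layout with a list of vault names. The resource group, workspace and variable names, the sample vault name, and the minimal ARM template are assumptions; the template passes the tenant id from the azurerm_client_config data source instead of hard-coding it, and keeps the AuditEvent log enabled so that vault access is actually recorded in the workspace:

```terraform
# Added example (not from the page): fix for the 404 in the question, generalised
# to a list of vaults. All names below are assumed / constructed.

variable "kv_name" {
  type    = list(string)
  default = ["kv-test-001"] # constructed sample value
}

data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "rg" {
  name     = "rg-test-001"
  location = "West Europe"
}

resource "azurerm_log_analytics_workspace" "log" {
  name                = "law-test-001"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  sku                 = "PerGB2018"
  retention_in_days   = 30
}

resource "azurerm_template_deployment" "kv" {
  count               = length(var.kv_name)
  name                = "kv-deploy-${var.kv_name[count.index]}"
  resource_group_name = azurerm_resource_group.rg.name
  deployment_mode     = "Incremental"

  # azurerm_template_deployment parameters are a map of strings.
  parameters = {
    vaultName = var.kv_name[count.index]
    tenantId  = data.azurerm_client_config.current.tenant_id
  }

  template_body = <<-DEPLOY
  {
    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
      "vaultName": { "type": "string" },
      "tenantId":  { "type": "string" }
    },
    "resources": [
      {
        "type": "Microsoft.KeyVault/vaults",
        "apiVersion": "2016-10-01",
        "name": "[parameters('vaultName')]",
        "location": "[resourceGroup().location]",
        "properties": {
          "sku": { "family": "A", "name": "standard" },
          "tenantId": "[parameters('tenantId')]",
          "accessPolicies": []
        }
      }
    ],
    "outputs": {
      "myKvID": {
        "type": "string",
        "value": "[resourceId('Microsoft.KeyVault/vaults', parameters('vaultName'))]"
      }
    }
  }
  DEPLOY
}

resource "azurerm_monitor_diagnostic_setting" "kv-diag" {
  count = length(var.kv_name)
  name  = "kv-diagnostics"

  # Point at the vault's own id (Microsoft.KeyVault/vaults/...), not the
  # deployment's id (Microsoft.Resources/deployments/...): a deployment has no
  # diagnosticSettings endpoint, which is exactly the 404 shown in the question.
  target_resource_id         = azurerm_template_deployment.kv[count.index].outputs["myKvID"]
  log_analytics_workspace_id = azurerm_log_analytics_workspace.log.id

  log {
    category = "AuditEvent"
    enabled  = true # vault access is audited; the answer's sample leaves this off

    retention_policy {
      enabled = false
    }
  }

  metric {
    category = "AllMetrics"

    retention_policy {
      enabled = false
    }
  }
}
```

Because the diagnostic setting references `outputs["myKvID"]`, Terraform orders it after the template deployment, so one `terraform apply` creates the vault and then its diagnostic setting; the value is still "known after apply" at plan time, as in the question, but the id that reaches the Monitor API is now the vault's rather than the deployment's.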