Azure / Enterprise-Scale

The Azure Landing Zones (Enterprise-Scale) architecture provides prescriptive guidance coupled with Azure best practices, and it follows design principles across the critical design areas for organizations to define their Azure architecture
https://aka.ms/alz
MIT License

Diagnostic profiles regression when moving from v5 to v6 #1839

Open LaurentLesle opened 2 months ago

LaurentLesle commented 2 months ago

Versions

terraform: 1.9.5

azure provider: 3.107.0

module: 6.1.0

Description

Until version 5.x it was possible to create diagnostic profiles with Metrics and, for some resources like Firewall and API Management, to store the logs into dedicated tables.

Following the upgrade to version 6, which is transitioning to the built-in policies, those features are not available anymore and are not documented in the upgrade wiki breaking change section <link>.

Describe the bug

In versions <= 5 the policy assignment Deploy-Resource-Diag was used. Example of the policy parameters:

Deploy-Resource-Diag:
        logAnalytics: ${log_analytics_workspace_resource_id}
        APIMgmtLogAnalyticsDestinationType: Dedicated
        FirewallLogAnalyticsDestinationType: Dedicated
        profileName: setbypolicy

From v6, Deploy-Resource-Diag has been replaced by Deploy-Diag-Logs (link).

Three Bugs in Deploy-Diag-Logs:

  1. Does not support Metrics
  2. Does not support destination tables like Dedicated
  3. Upgrade note does not explain how to change from Deploy-Resource-Diag to Deploy-Diag-Logs

I understand the motivation to move to native policies, but it should only be done if it is at feature parity.

Steps to Reproduce

  1. Deploy ALZ module version 5 with the above settings and a firewall in the secure hub
  2. Trigger the policy remediation to get the diagnostic profiles created
  3. Upgrade to v6.1.0
  4. Trigger a policy remediation

Additional context

https://github.com/Azure/azure-policy/blob/50fb8cf4c71dc97530398c71094ca9ff98930e30/built-in-policies/policyDefinitions/Monitoring/DS_LA_network-azurefirewalls_DINE.json
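One way to verify after the v6 upgrade whether the diagnostic settings remediated by policy still match the v5 expectations (metrics enabled, logs sent to dedicated tables for Firewall and API Management). This is an added example, not code from the Enterprise-Scale module or the issue author; it assumes the JSON shape that `az monitor diagnostic-settings list --resource <resource-id>` returns (fields `name`, `workspaceId`, `logAnalyticsDestinationType`, `logs[]`, `metrics[]`, taken from the ARM DiagnosticSettingsResource), and the sample settings below are constructed, not real tenant data.

```python
"""Audit Azure diagnostic settings for the regressions described in this issue:
metrics not enabled and logs not routed to dedicated Log Analytics tables.

Input shape (assumed from the ARM DiagnosticSettingsResource, as returned by
`az monitor diagnostic-settings list --resource <id>`): a mapping of resource id
to a list of settings, each with name, workspaceId, logAnalyticsDestinationType,
logs[] and metrics[].
"""
import json
import sys

# Constructed resource ids (placeholders, not real subscriptions or resources).
FW_ID = ("/subscriptions/<sub>/resourceGroups/<rg>/providers/"
         "Microsoft.Network/azureFirewalls/<fw>")
APIM_ID = ("/subscriptions/<sub>/resourceGroups/<rg>/providers/"
           "Microsoft.ApiManagement/service/<apim>")
LAW_ID = ("/subscriptions/<sub>/resourceGroups/<rg>/providers/"
          "Microsoft.OperationalInsights/workspaces/<law>")

# Constructed sample: the firewall still carries the v5-style setting (metrics on,
# Dedicated tables); the APIM instance has a v6-style setting with metrics off and
# the default (AzureDiagnostics) destination.
SAMPLE_SETTINGS = {
    FW_ID: [{
        "name": "setbypolicy",
        "workspaceId": LAW_ID,
        "logAnalyticsDestinationType": "Dedicated",
        "logs": [{"categoryGroup": "allLogs", "enabled": True}],
        "metrics": [{"category": "AllMetrics", "enabled": True}],
    }],
    APIM_ID: [{
        "name": "setByPolicy-LogAnalytics",
        "workspaceId": LAW_ID,
        "logAnalyticsDestinationType": None,
        "logs": [{"categoryGroup": "allLogs", "enabled": True}],
        "metrics": [{"category": "AllMetrics", "enabled": False}],
    }],
}

# Resource types the issue's v5 parameters routed to dedicated tables.
DEDICATED_TYPES = ("/Microsoft.Network/azureFirewalls/",
                   "/Microsoft.ApiManagement/service/")


def check_setting(setting, expect_dedicated):
    """Return a list of findings for one setting; an empty list means it matches
    the v5 expectations (metrics enabled, some logs enabled, Dedicated if required)."""
    findings = []
    if not any(m.get("enabled") for m in setting.get("metrics", [])):
        findings.append("metrics not enabled")
    if not any(l.get("enabled") for l in setting.get("logs", [])):
        findings.append("no log category enabled")
    dest = setting.get("logAnalyticsDestinationType")
    if expect_dedicated and dest != "Dedicated":
        findings.append("logAnalyticsDestinationType is %r, expected 'Dedicated'" % dest)
    return findings


def audit(settings_by_resource):
    """Map resource id -> list of (setting name, findings), only for resources that
    have a gap. A resource with no diagnostic setting at all is reported too."""
    report = {}
    for resource_id, settings in settings_by_resource.items():
        dedicated = any(t in resource_id for t in DEDICATED_TYPES)
        if not settings:
            report[resource_id] = [("<none>", ["no diagnostic setting present"])]
            continue
        for s in settings:
            findings = check_setting(s, dedicated)
            if findings:
                report.setdefault(resource_id, []).append((s.get("name"), findings))
    return report


if __name__ == "__main__":
    # Pass a JSON file with the mapping described above, or run on the sample.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SETTINGS
    for rid, entries in audit(data).items():
        for name, findings in entries:
            print("%s [%s]: %s" % (rid, name, "; ".join(findings)))
```

Running it on the sample flags only the APIM setting (metrics off, destination type not Dedicated); the firewall setting passes. Feed it the real output for each remediated resource to get a per-resource list of what the v6 policies no longer configure.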

matt-FFFFFF commented 1 week ago

Hi @Springstone can you comment please?