search

Azure / bicep-types-az

Bicep type definitions for ARM resources
MIT License
84 stars 27 forks source link

Creating Log Alert together with log analytics workspace and diagnosticSettings for BlobStorage fails #1757

Open 1fabi0 opened 1 year ago

1fabi0 commented 1 year ago

Bicep version 0.19.5

Describe the bug When creating a Log Alert that runs a KQL on the StorageBlobLogs-Table together with the required DiagnosticSettings for the BlobStorageService and the Log Analytics Workspace, the creation of the Log Alert fails with the message "A semantic error occured"/"SEM0100".

My assumption is that the table is not created yet or the columns are not created yet, I also tried to create the table in the bicep, but that still fails because the default Columns seem not to be created automatically.

To Reproduce Execute a deployments that deployes the above described setup(Make sure the KQL uses default Columns of the StorageBlobLogs-Table)

Additional context When waiting some time(wait until the StorageBlobLogs-Table is shown in the Log Analytics Workspace-Ressource) and executing the deployment a second time it doesn't fail anymore and the LogAlert is created successfully.

alex-frankel commented 1 year ago

Can you provide a complete bicep sample that reproduces this issue as well as the entire error message? The issue doesn't appear to be directly related to bicep, but that will help us route this properly.

1fabi0 commented 1 year ago

The main.bicep I have

resource storageAccount 'Microsoft.Storage/storageAccounts@2022-05-01' = {
  name: resourceGroup().name
  kind: 'StorageV2'
  sku: {
    name: 'Standard_LRS'
  }
  location: resourceGroup().location
  properties: {
    allowBlobPublicAccess: false
    supportsHttpsTrafficOnly: true
    minimumTlsVersion: 'TLS1_2'
  }

}

resource LogAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2021-12-01-preview' = {
  name: resourceGroup().name
  location: resourceGroup().location
  properties: {
    sku: {
      name: 'pergb2018'
    }
    retentionInDays: 30
    features: {
      enableLogAccessUsingOnlyResourcePermissions: true
    }
    workspaceCapping: {
      dailyQuotaGb: -1
    }
    publicNetworkAccessForIngestion: 'Enabled'
    publicNetworkAccessForQuery: 'Enabled'
  }
}

resource storageAccountBlob 'Microsoft.Storage/storageAccounts/blobServices@2022-09-01' = {
  parent: storageAccount
  name: 'default'
  properties: {
    cors: {
      corsRules: []
    }
    deleteRetentionPolicy: {
      allowPermanentDelete: false
      enabled: false
    }
  }
}

resource LogAnalyticsWorkspaceStorageBlobLogs 'Microsoft.OperationalInsights/workspaces/tables@2021-12-01-preview' = {
  parent: LogAnalyticsWorkspace
  name: 'StorageBlobLogs'
  properties: {
    totalRetentionInDays: 30
    plan: 'Analytics'
    schema: {
      name: 'StorageBlobLogs'
    }
    retentionInDays: 30
  }
}

resource LogStorageAccountDiagnosticSetting 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'BlobStorageWrite'
  scope: storageAccountBlob
  properties:{
    logs:[
      {
        category:'StorageWrite'
        enabled: true
        retentionPolicy: {
          days: 0
          enabled: false
        }
      }
    ]
    workspaceId: LogAnalyticsWorkspace.id
  }
}

resource IllegalUploadAlert 'microsoft.insights/scheduledqueryrules@2023-03-15-preview' = {
  name: 'IllegalUpload_Alert'
  location: resourceGroup().location
  properties: {
    severity: 2
    enabled: true
    evaluationFrequency: 'PT6H'
    scopes: [
      storageAccount.id
    ]
    targetResourceTypes: [
      'Microsoft.Storage/storageAccounts'
    ]
    windowSize: 'PT6H'
    overrideQueryTimeRange: 'P2D'
    criteria: {
      allOf: [
        {
          query: 'StorageBlobLogs |where TimeGenerated < ago(1h) and ObjectKey has("IllegalName") and OperationName == "PutBlob" |project ObjectKey'
          timeAggregation: 'Count'
          dimensions: []
          operator: 'GreaterThan'
          threshold: 0
          failingPeriods: {
            numberOfEvaluationPeriods: 1
            minFailingPeriodsToAlert: 1
          }
        }
      ]
    }
    autoMitigate: true
    actions: {

    }
  }
}

The error Message(I removed correlationId and OperationId for now)

{"status":"Failed","error":{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.","details":[{"code":"BadRequest","message":"{\r\n  \"error\": {\r\n    \"code\": \"BadRequest\",\r\n    \"message\": \"{\\r\\n  \\\"error\\\": {\\r\\n    \\\"message\\\": \\\"The request had some invalid properties\\\",\\r\\n    \\\"code\\\": \\\"BadArgumentError\\\",\\r\\n    \\\"correlationId\\\": \\\"00000000-0000-0000-0000-000000000000\\\",\\r\\n    \\\"innererror\\\": {\\r\\n      \\\"code\\\": \\\"SemanticError\\\",\\r\\n      \\\"message\\\": \\\"A semantic error occurred.\\\",\\r\\n      \\\"innererror\\\": {\\r\\n        \\\"code\\\": \\\"SEM0100\\\",\\r\\n        \\\"message\\\": \\\"'where' operator: Failed to resolve scalar expression named 'ObjectKey'\\\"\\r\\n      }\\r\\n    }\\r\\n  }\\r\\n}\"\r\n  }\r\n}"},{"code":"NotFound","message":"{\r\n  \"error\": {\r\n    \"code\": \"ResourceNotFound\",\r\n    \"message\": \"The specified table: 'DSMAzureStorageBlobLogs' does not exist. Operation Id: '00000000000000000000000000000000'\"\r\n  }\r\n}"}]}}

After waiting some time and executing the deployment again it is successful

alex-frankel commented 1 year ago

Definitely seems like an issue with the Resource Provider. We would recommend opening a support case for this. This is optional, but if you navigate to the deployment in the portal, you can see which specific operation failed and you can include that detail in the support case to help with routing.

microsoft-github-policy-service[bot] commented 10 months ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @xgithubtriage. Please see https://aka.ms/biceptypesinfo for troubleshooting help.