aztfmod / terraform-azurerm-caf

Terraform supermodule for the Terraform platform engineering for Azure
https://aztfmod.github.io/documentation/
MIT License

Network watcher - Unable to assign workspace in different region #613

Open hriaz opened 3 years ago

hriaz commented 3 years ago

If log analytics workspaces are created in a different region vs the network watcher, you receive an error that the region is invalid. However, you are able to manually set this via the Azure portal.

Error: Error creating "Flow Log: (Name \"Microsoft.Networkrg-samplenet-002snet-use2-prod-002\" / Network Watcher Name \"NetworkWatcher_eastus2\" / Resource Group \"NetworkWatcherRG\")": network.FlowLogsClient#CreateOrUpdate: Failure sending request: StatusCode=0 -- Original Error: Code="InvalidTAWorkspaceRegion" Message="The specified region eastus2 for workspace is invalid. Workspace /subscriptions/xxxxxxxxxxx/resourceGroups/rg-global-launchpad-operations/providers/Microsoft.OperationalInsights/workspaces/log-emea-launchpad-euno located in northeurope region." Details=[]

arnaudlh commented 3 years ago

hi @hriaz you probably need to create your own network watchers as per the following examples: https://github.com/aztfmod/terraform-azurerm-caf/tree/master/examples/networking/virtual_network/202-nsg-flow-logs-v2

kiebrew commented 3 years ago

@hriaz did you manage to resolve this issue? I've just hit the same thing when trying to enable network watcher & NSG flow logs

kiebrew commented 3 years ago

I think the issue might be with the way workspace_region gets populated from resource_location.

In our case, we want to use a central UK South Log Analytics Workspace, but have the resources (Network Watcher & NSG) we are applying this to, exist in UK West.

Therefore the workspace_region is actually different to the value getting set at resource_location.

snippet from https://github.com/aztfmod/terraform-azurerm-caf/blob/master/modules/networking/virtual_network/nsg/flow_logs/flow_logs.tf

  # Module code posted by the commenter, shown as-is with the truncated block closed.
  # The traffic_analytics block is only rendered when settings.traffic_analytics is set.
  dynamic "traffic_analytics" {
    for_each = try(var.settings.traffic_analytics, {}) != {} ? [1] : []
    content {
      enabled               = var.settings.traffic_analytics.enabled
      interval_in_minutes   = try(var.settings.traffic_analytics.interval_in_minutes, null)
      # Workspace id and resource id are resolved from the diagnostics destination...
      workspace_id          = var.diagnostics.log_analytics[var.diagnostics.diagnostics_destinations.log_analytics[var.settings.traffic_analytics.log_analytics_workspace_destination].log_analytics_key].workspace_id
      # ...but the region is taken from the flow log's own location, not the workspace's.
      # When the workspace lives in another region this is what Azure rejects
      # with InvalidTAWorkspaceRegion.
      workspace_region      = var.resource_location
      workspace_resource_id = var.diagnostics.log_analytics[var.diagnostics.diagnostics_destinations.log_analytics[var.settings.traffic_analytics.log_analytics_workspace_destination].log_analytics_key].id
    }
  }
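To make the mismatch concrete outside the module, here is an added standalone example (not code from aztfmod/terraform-azurerm-caf or from anyone in this thread) that reproduces the cross-region layout described above with plain azurerm provider 3.x resources: the Network Watcher and NSG in UK West, the Log Analytics workspace in UK South. All resource names, resource groups and the subnet-less NSG are assumptions chosen for the example. The key line is `workspace_region`, which is read from the workspace's own `location` attribute instead of the NSG's region.

```hcl
# Added example, not module code. Provider: hashicorp/azurerm ~> 3.0 (assumed).
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
  }
}

provider "azurerm" {
  features {}
}

# Central workspace in UK South (names are assumptions for the example).
resource "azurerm_resource_group" "logging" {
  name     = "rg-logging-uks"
  location = "uksouth"
}

resource "azurerm_log_analytics_workspace" "central" {
  name                = "log-central-uks"
  location            = azurerm_resource_group.logging.location
  resource_group_name = azurerm_resource_group.logging.name
  sku                 = "PerGB2018"
}

# Network resources in UK West.
resource "azurerm_resource_group" "network" {
  name     = "rg-network-ukw"
  location = "ukwest"
}

resource "azurerm_network_watcher" "ukwest" {
  name                = "NetworkWatcher_ukwest"
  location            = azurerm_resource_group.network.location
  resource_group_name = azurerm_resource_group.network.name
}

resource "azurerm_network_security_group" "example" {
  name                = "nsg-example-ukw"
  location            = azurerm_resource_group.network.location
  resource_group_name = azurerm_resource_group.network.name
}

resource "azurerm_storage_account" "flowlogs" {
  name                     = "stflowlogsukwexample" # must be globally unique
  resource_group_name      = azurerm_resource_group.network.name
  location                 = azurerm_resource_group.network.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

resource "azurerm_network_watcher_flow_log" "example" {
  name                      = "fl-nsg-example-ukw"
  network_watcher_name      = azurerm_network_watcher.ukwest.name
  resource_group_name       = azurerm_network_watcher.ukwest.resource_group_name
  network_security_group_id = azurerm_network_security_group.example.id
  storage_account_id        = azurerm_storage_account.flowlogs.id
  enabled                   = true

  retention_policy {
    enabled = true
    days    = 7
  }

  traffic_analytics {
    enabled             = true
    interval_in_minutes = 10
    workspace_id        = azurerm_log_analytics_workspace.central.workspace_id
    # Must be the region of the workspace ("uksouth"), not of the NSG or
    # Network Watcher ("ukwest"). Setting this to the NSG's region instead
    # produces the InvalidTAWorkspaceRegion error quoted in this issue.
    workspace_region      = azurerm_log_analytics_workspace.central.location
    workspace_resource_id = azurerm_log_analytics_workspace.central.id
  }
}
```

Swapping `azurerm_log_analytics_workspace.central.location` for `azurerm_resource_group.network.location` in the `traffic_analytics` block is enough to reproduce the error, which is the same shape as the module's hardcoded `workspace_region = var.resource_location`.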