hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Cannot add Diagnostic Settings for Management Groups with azurerm_monitor_diagnostic_setting #21540

Open rikunarhi-cloud2 opened 1 year ago

rikunarhi-cloud2 commented 1 year ago

Terraform Version

1.3.1

AzureRM Provider Version

3.52.0

Affected Resource(s)/Data Source(s)

azurerm_monitor_diagnostic_setting

Terraform Configuration Files

resource "azurerm_monitor_diagnostic_setting" "management_groups" {
  target_resource_id         = "providers/Microsoft.Management/managementGroups/example"
  log_analytics_workspace_id = "/subscriptions/xxxxx/resourcegroups/xxxx/providers/microsoft.operationalinsights/workspaces/xxxxx"

  enabled_log {
    category = "Administrative"

    retention_policy {
      enabled = false
    }
  }

  enabled_log {
    category = "Policy"

    retention_policy {
      enabled = false
    }
  }
}

Debug Output/Panic Output

│ Error: Can not parse "target_resource_id" as a resource id: No subscription ID found in: "providers/Microsoft.Management/managementGroups/example"

Expected Behaviour

You should be able to add diagnostic settings for a management group. This is possible with the REST API: https://learn.microsoft.com/en-us/rest/api/monitor/management-group-diagnostic-settings/create-or-update?tabs=HTTP

Actual Behaviour

The plan fails as there is no subscription in the target_resource_id parameter.

Steps to Reproduce

  1. terraform plan

Important Factoids

No response

References

No response

AlexBevan commented 4 days ago

Just adding a code snippet for an azapi workaround until this is resolved:

resource "azapi_resource" "management_group_diag_settings" {
  name                      = join("-", [data.azurerm_management_group.this.name, "diag"])
  parent_id                 = azurerm_management_group.this.id
  type                      = "Microsoft.Insights/diagnosticSettings@2021-05-01-preview"
  schema_validation_enabled = false // This is required otherwise gets stuck in a destroy/create loop https://github.com/Azure/terraform-provider-azapi/issues/655
  location                  = "global"
  body = {
    properties = {
      logs = [
        {
          category = "Administrative"
          enabled  = true
        },
        {
          category = "Policy"
          enabled  = true
        }
      ]
      workspaceId = var.workspace_id
    }
  }
  response_export_values = ["*"]
}