hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

Support for VNet in azurerm_network_watcher_flow_log #25982

Open terrymandin opened 6 months ago

terrymandin commented 6 months ago

Description

I am creating a Terraform Azure Verified Module for Flow Logs. We have a requirement to create a flow log as part of the VNet creation. This is supported in the portal:

[screenshot from the Azure portal]

but not in the provider. Please add this capability.

I believe that the network_security_group_id variable should be renamed to target_resource_id similar to azapi. I confirmed that setting this to a VNet also works. It doesn't have to be just a NSG.

New or Affected Resource(s)/Data Source(s)

azurerm_network_watcher_flow_log

Potential Terraform Configuration

resource "azurerm_network_watcher_flow_log" "test" {
  network_watcher_name = azurerm_network_watcher.test.name
  resource_group_name  = azurerm_resource_group.example.name
  name                 = "example-log"

  target_resource_id        = azurerm_virtual_network.this.id
  storage_account_id        = azurerm_storage_account.test.id
  enabled                   = true

  retention_policy {
    enabled = true
    days    = 7
  }

  traffic_analytics {
    enabled               = true
    workspace_id          = azurerm_log_analytics_workspace.test.workspace_id
    workspace_region      = azurerm_log_analytics_workspace.test.location
    workspace_resource_id = azurerm_log_analytics_workspace.test.id
    interval_in_minutes   = 10
  }
}

References

No response

speed400m commented 6 months ago

also looking for this..

michasacuer commented 4 months ago

@favoretti any updates?

VillageIke commented 3 months ago

Any updates?

ryanghavidel2024 commented 2 months ago

I guess it's not doable in Terraform yet! target_resource_id or resource_id to specify the VNET are not simply working in azurerm_network_watcher_flow_log. We seem to have to use NSGs for now...

MrImpossibru commented 2 months ago

@ryanghavidel2024 I just tried to set a VNet id to the "targetResourceId" field in their REST API endpoint to create flow logs and successfully created VNet Flow Logs. Since Azure Go SDK supports sending this field, it should work. API definition: https://learn.microsoft.com/en-us/rest/api/network-watcher/flow-logs/create-or-update?view=rest-network-watcher-2024-01-01

kaplik commented 2 months ago

It also works with the azapi provider:

resource "azapi_resource" "vnet_flow_logs" {
  type      = "Microsoft.Network/networkWatchers/flowLogs@2023-11-01"
  name      = "${azurerm_virtual_network.this.name}-logs"
  location  = data.azurerm_network_watcher.this.location
  parent_id = data.azurerm_network_watcher.this.id
  tags      = var.tags

  body = jsonencode({
    properties = {
      enabled = true
      flowAnalyticsConfiguration = {
        networkWatcherFlowAnalyticsConfiguration = {
          enabled = false
        }
      }
      format = {
        type    = "JSON"
        version = 2
      }
      retentionPolicy = {
        days    = 7
        enabled = true
      }
      storageId        = azurerm_storage_account.flow_logs.id
      targetResourceId = azurerm_virtual_network.this.id
    }
  })
}

RyanGhavidel commented 2 months ago

@kaplik @MrImpossibru Super! Thanks so much.

jhutchings commented 3 weeks ago

Looks like NSG targeted flow logs have a deprecation announcement, luckily it's not till June 2025 (2027 for EOL) but it's now official that VNET Flow Logs will be the go forward: https://learn.microsoft.com/en-us/azure/network-watcher/nsg-flow-logs-overview

[screenshot of the deprecation notice]
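As an added example (not code from the issue, the azurerm provider, or Microsoft), here is a small Python audit that classifies each flow log by what its targetResourceId points at, so NSG-targeted logs can be listed for migration ahead of the deprecation dates quoted above. It assumes flow-log records shaped like the REST API's FlowLog resource, i.e. the same properties.targetResourceId, storageId and enabled fields the azapi body earlier in the thread sets. It goes slightly beyond the thread in also classifying subnet and NIC targets, which the API accepts; all records, names and the subscription id below are constructed placeholders.

```python
"""Audit Network Watcher flow logs by target type ahead of the NSG flow log deprecation.

Added example; not code from the issue, the azurerm provider, or Microsoft.
It assumes flow-log records shaped like the REST API's FlowLog resource
(properties.targetResourceId / storageId / enabled), the same fields the azapi
body in the thread sets. All records below are constructed sample data.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List

# ARM resource ID: /subscriptions/<sub>/resourceGroups/<rg>/providers/<ns>/<type>/<name>[/<child>/<childName>]*
_ARM_ID = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/(?P<ns>[^/]+)/(?P<type>[^/]+)/(?P<name>[^/]+)(?P<rest>(?:/[^/]+/[^/]+)*)$",
    re.IGNORECASE,
)


def target_kind(resource_id: str) -> str:
    """Classify a flow log's targetResourceId as nsg, vnet, subnet, nic or unknown."""
    m = _ARM_ID.match(resource_id or "")
    if not m or m.group("ns").lower() != "microsoft.network":
        return "unknown"
    rtype, rest = m.group("type").lower(), m.group("rest").lower()
    if rtype == "networksecuritygroups":
        return "nsg"
    if rtype == "virtualnetworks":
        # a child path under the VNet means the log targets one subnet
        return "subnet" if rest.startswith("/subnets/") else "vnet"
    if rtype == "networkinterfaces":
        return "nic"
    return "unknown"


def audit_flow_logs(flow_logs: Iterable[Dict]) -> List[Dict]:
    """Return one finding per flow log: its target kind and a list of issues."""
    findings = []
    for fl in flow_logs:
        props = fl.get("properties") or {}
        kind = target_kind(props.get("targetResourceId", ""))
        issues = []
        if kind == "nsg":
            issues.append("nsg-target-deprecated")   # candidate for migration to a VNet target
        if kind == "unknown":
            issues.append("unrecognised-target")
        if not props.get("enabled", False):
            issues.append("disabled")                # no traffic is being recorded
        if not props.get("storageId"):
            issues.append("no-storage-account")      # nowhere for records to land
        findings.append({"name": fl.get("name"), "target_kind": kind, "issues": issues})
    return findings


def summarize(findings: List[Dict]) -> Dict[str, int]:
    """Count flow logs per target kind, e.g. {'nsg': 1, 'vnet': 1, 'subnet': 1}."""
    return dict(Counter(f["target_kind"] for f in findings))


# ---- constructed sample data (placeholder subscription id, made-up names) ----
_SUB = "00000000-0000-0000-0000-000000000000"


def _arm_id(*parts: str) -> str:
    return f"/subscriptions/{_SUB}/resourceGroups/rg-net/providers/" + "/".join(parts)


_STORAGE = _arm_id("Microsoft.Storage", "storageAccounts", "stflowlogs")
SAMPLE_FLOW_LOGS = [
    {"name": "nsg-prod-flowlog",
     "properties": {"enabled": True, "storageId": _STORAGE,
                    "targetResourceId": _arm_id("Microsoft.Network", "networkSecurityGroups", "nsg-prod")}},
    {"name": "vnet-hub-flowlog",
     "properties": {"enabled": True, "storageId": _STORAGE,
                    "targetResourceId": _arm_id("Microsoft.Network", "virtualNetworks", "vnet-hub")}},
    {"name": "snet-app-flowlog",
     "properties": {"enabled": False, "storageId": _STORAGE,
                    "targetResourceId": _arm_id("Microsoft.Network", "virtualNetworks", "vnet-hub",
                                                "subnets", "snet-app")}},
]

if __name__ == "__main__":
    results = audit_flow_logs(SAMPLE_FLOW_LOGS)
    for f in results:
        print(f"{f['name']:<20} {f['target_kind']:<8} {', '.join(f['issues']) or 'ok'}")
    print(summarize(results))
```

In practice you would feed it the flow-log objects returned by the list call of the REST API linked above (one record per flow log, with the same properties block) rather than the constructed sample; the classification only depends on the resource-type segment of targetResourceId, so it does not care which tool produced the records.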

gguibert commented 1 week ago

Hi there, please update: this issue has been open since May... ??? Thanks @kaplik for the workaround ;)
But it's better to have this basic feature in the azurerm provider, especially since the announcement of the NSG flow logs deprecation.
Fortunately, yes, we have a little time @jhutchings, but it's going to happen very quickly.

rapster83 commented 1 week ago

Any updates regarding the timeline?

keisari-ch commented 2 days ago

> Looks like NSG targeted flow logs have a deprecation announcement, luckily it's not till June 2025 (2027 for EOL) but it's now official that VNET Flow Logs will be the go forward: https://learn.microsoft.com/en-us/azure/network-watcher/nsg-flow-logs-overview [screenshot of the deprecation notice]

A bit off-topic, but this was about time. Having to create a NSG flow log to have traces from network activity on a subnet level is a weird approach.

cmrvsix commented 14 hours ago

are we sure this was resolved? I'm pointing to v4.10.0 and am still seeing that "network_security_group_id" is a required parameter, and "target_resource_id" is not recognized as a valid parameter.

MarcosAlanoSecurrency commented 14 hours ago

> are we sure this was resolved? I'm pointing to v4.10.0 and am still seeing that "network_security_group_id" is a required parameter, and "target_resource_id" is not recognized as a valid parameter.

They still need to release a newer version with this change.