Expected a Workspace ID that matched

mounikakandagadda29 commented 4 months ago

Is there an existing issue for this?

[X] I have searched the existing issues

Community Note

Please vote on this issue by adding a :thumbsup: reaction to the original issue to help the community and maintainers prioritize this request
Please do not leave comments along the lines of "+1", "me too" or "any updates", they generate extra noise for issue followers and do not help prioritize the request
If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

0.13.5

AzureRM Provider Version

3.105.0

Affected Resource(s)/Data Source(s)

azurerm

Terraform Configuration Files

resource "azurerm_sentinel_automation_rule" "send_incident_to_soc" {
  name                    = "ebd13114-37d9-46dc-af18-08bda8d09e91"
  log_analytics_workspace_id = "/subscriptions/ebd13114-37d9-46dc-af18-08bda8d09e91/resourceGroups/rg-informationsecurity-production-eastus2-sentinel/providers/Microsoft.Logic/workflows/Roy-Send-Incident"

Debug Output/Panic Output

parsing "/subscriptions/ebd13114-37d9-46dc-af18-08bda8d09e91/resourceGroups/rg-informationsecurity-production-eastus2-sentinel/providers/Microsoft.Logic/workflows/Roy-Send-Incident": parsing segment "staticMicrosoftOperationalInsights": parsing the Workspace ID: the segment at position 5 didn't match

Expected a Workspace ID that matched:

> /subscriptions/12345678-1234-9876-4563-123456789012/resourceGroups/example-resource-group/providers/Microsoft.OperationalInsights/workspaces/workspaceValue

However this value was provided:

> /subscriptions/ebd13114-37d9-46dc-af18-08bda8d09e91/resourceGroups/rg-informationsecurity-production-eastus2-sentinel/providers/Microsoft.Logic/workflows/Roy-Send-Incident

The parsed Resource ID was missing a value for the segment at position 5
(which should be the name of the Resource Provider [for example 'Microsoft.OperationalInsights']).

  on sl-audit-log-cleared-linux.tf line 57, in resource "azurerm_sentinel_automation_rule" "send_incident_to_soc":
  57:   log_analytics_workspace_id = "/subscriptions/ebd13114-37d9-46dc-af18-08bda8d09e91/resourceGroups/rg-informationsecurity-production-eastus2-sentinel/providers/Microsoft.Logic/workflows/Roy-Send-Incident"

Expected Behaviour

i only have microsoft.logic in my workspace id, but it asking me for microsoft operationalInsights

Actual Behaviour

it is giving an error.

Steps to Reproduce

resource "azurerm_sentinel_automation_rule" "send_incident_to_soc" { name = "ebd13114-37d9-46dc-af18-08bda8d09e91" log_analytics_workspace_id = "/subscriptions/ebd13114-37d9-46dc-af18-08bda8d09e91/resourceGroups/rg-informationsecurity-production-eastus2-sentinel/providers/Microsoft.Logic/workflows/Roy-Send-Incident"

Important Factoids

No response

References

No response

magodo commented 4 months ago

@mounikakandagadda29 By definition, the log_analytics_workspace_id wants a log analytics workspace.

tombuildsstuff commented 3 months ago

Closing since per @magodo's comment above, this is expected behaviour as we're expecting a Log Analytics Workspace ID to be provided for this field, but a Logic App Workflow is being specified here instead - and as such this can be fixed by specifying the Log Analytics Workspace to use.

Thanks!

github-actions[bot] commented 2 months ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

hashicorp / terraform-provider-azurerm