hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

azurerm_log_analytics_cluster_customer_managed_key incompatibility with azurerm_key_vault_managed_hardware_security_module_key #27433

Open annaBarczykPredica opened 1 month ago

annaBarczykPredica commented 1 month ago

Is there an existing issue for this?

Community Note

Terraform Version

1.9.5

AzureRM Provider Version

3.116.0

Affected Resource(s)/Data Source(s)

azurerm_log_analytics_cluster_customer_managed_key

Terraform Configuration Files

resource "azurerm_log_analytics_cluster_customer_managed_key" "managed_key" {
  log_analytics_cluster_id = azurerm_log_analytics_cluster.cluster.id
  key_vault_key_id         = "https://example.managedhsm.azure.net/keys/example"
}

Debug Output/Panic Output

│ Error: parsing https://example.managedhsm.azure.net/keys/example": internal-error: Managed HSM IDs are not supported as Key Vault Nested Items

{
│   "error": {
│     "code": "InvalidParameter",
│     "message": "'properties.associatedWorkspaces' is a read only property and cannot be set. Please refer to https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/logs-dedicated-clusters#link-a-workspace-to-the-cluster for more information on how to associate a workspace to the cluster.'"
│   }
│ }

Expected Behaviour

HSM key should be supported.

Actual Behaviour

We successfully encrypted the Log Analytics Cluster using a Key Vault key. However, we had to perform this process another way and then import it into Terraform, as attempting to create the encryption directly using the azurerm_log_analytics_cluster_customer_managed_key resource led to an issue with invalid parameters.

Steps to Reproduce

No response

Important Factoids

No response

References

https://learn.microsoft.com/en-us/azure/azure-monitor/logs/customer-managed-keys

sschmeck commented 1 month ago

Got the same issue when setting up a Key Vault key via key_vault_key_id.

resource "azurerm_log_analytics_cluster_customer_managed_key" "example" {
  log_analytics_cluster_id = azapi_resource.law_dedicated_cluster.id
  key_vault_key_id         = azurerm_key_vault_key.law_cmk.id
}

Results in the following error.

azurerm_log_analytics_cluster_customer_managed_key.example: Creating...
╷
│ Error: updating Customer Managed Key for Cluster (Subscription: "[..]"
│ Resource Group Name: "[..]"
│ Cluster Name: "[..]"): performing CreateOrUpdate: unexpected status 400 (400 Bad Request) with error: InvalidParameter: 'properties.associatedWorkspaces' is a read only property and cannot be set. Please refer to https://docs.microsoft.com/en-us/azure/azure-monitor/log-query/logs-dedicated-clusters#link-a-workspace-to-the-cluster for more information on how to associate a workspace to the cluster. Operation Id: '[..]'

I enabled the DEBUG logs and it seems that the issue is raised at log_analytics_cluster_customer_managed_key_resource.go. The implementation requests the cluster resource by log_analytics_cluster_id and updates the response with the CMK properties. The updated cluster resource is sent via PUT, which results in the error message above.

The documentation "Update cluster with key identifier details" suggests using PATCH with the key credentials only instead of PUT.

Terraform version: v1.7.5
AzureRM provider version: 3.104.0

Since the error is not related to HSM key support, would it make sense to create a separate issue?
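The GET-then-PUT round trip the comment above describes, next to the PATCH-with-key-properties-only alternative it points to, as an added example in Go. This is not the provider's code or its client types: the in-process fake server, the resource shape and the JSON field names (`properties.keyVaultProperties`, `properties.associatedWorkspaces`) are assumptions modelled on the error text in this thread, and the key vault URI, key name and workspace id are constructed values.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"sync"
)

// keyVaultProperties is the customer-managed-key block of a cluster.
// Field names are assumed to follow the public ARM API; they are not the
// provider's own types.
type keyVaultProperties struct {
	KeyVaultURI string `json:"keyVaultUri"`
	KeyName     string `json:"keyName"`
	KeyVersion  string `json:"keyVersion"`
}

// fakeCluster is a constructed stand-in for the service: GET returns the full
// resource including the read-only associatedWorkspaces list, and any write
// whose body carries that property is rejected with 400 InvalidParameter,
// mirroring the failure reported in the thread.
type fakeCluster struct {
	mu    sync.Mutex
	state map[string]any
}

func newFakeClusterServer() (*httptest.Server, *fakeCluster) {
	fc := &fakeCluster{state: map[string]any{
		"location": "westeurope",
		"properties": map[string]any{
			"associatedWorkspaces": []any{ // constructed, read-only on the service side
				map[string]any{"workspaceId": "00000000-0000-0000-0000-000000000000"},
			},
		},
	}}
	return httptest.NewServer(http.HandlerFunc(fc.handle)), fc
}

func (fc *fakeCluster) handle(w http.ResponseWriter, r *http.Request) {
	fc.mu.Lock()
	defer fc.mu.Unlock()
	w.Header().Set("Content-Type", "application/json")
	switch r.Method {
	case http.MethodGet:
		json.NewEncoder(w).Encode(fc.state)
	case http.MethodPut, http.MethodPatch:
		var body map[string]any
		if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
			http.Error(w, `{"error":{"code":"BadRequest"}}`, http.StatusBadRequest)
			return
		}
		props, _ := body["properties"].(map[string]any)
		if _, readOnlySet := props["associatedWorkspaces"]; readOnlySet {
			w.WriteHeader(http.StatusBadRequest)
			json.NewEncoder(w).Encode(map[string]any{"error": map[string]any{
				"code":    "InvalidParameter",
				"message": "'properties.associatedWorkspaces' is a read only property and cannot be set.",
			}})
			return
		}
		if kv, ok := props["keyVaultProperties"]; ok {
			fc.state["properties"].(map[string]any)["keyVaultProperties"] = kv
		}
		json.NewEncoder(w).Encode(fc.state)
	default:
		w.WriteHeader(http.StatusMethodNotAllowed)
	}
}

// sendJSON issues one request and returns the status plus the error code from
// an ARM-style error envelope, if the response carried one.
func sendJSON(method, url string, payload any) (int, string, error) {
	buf, err := json.Marshal(payload)
	if err != nil {
		return 0, "", err
	}
	req, err := http.NewRequest(method, url, bytes.NewReader(buf))
	if err != nil {
		return 0, "", err
	}
	req.Header.Set("Content-Type", "application/json")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	raw, _ := io.ReadAll(resp.Body)
	var envelope struct {
		Error struct {
			Code string `json:"code"`
		} `json:"error"`
	}
	_ = json.Unmarshal(raw, &envelope)
	return resp.StatusCode, envelope.Error.Code, nil
}

// updateCMKViaPut reproduces the failing pattern: read the whole cluster, add
// the key properties, PUT the full object back. The read-only list travels
// with it, so the service rejects the write.
func updateCMKViaPut(url string, kv keyVaultProperties) (int, string, error) {
	resp, err := http.Get(url)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	var full map[string]any
	if err := json.NewDecoder(resp.Body).Decode(&full); err != nil {
		return 0, "", err
	}
	props, _ := full["properties"].(map[string]any)
	if props == nil {
		props = map[string]any{}
		full["properties"] = props
	}
	props["keyVaultProperties"] = kv
	return sendJSON(http.MethodPut, url, full)
}

// updateCMKViaPatch sends only the key credentials, so nothing read-only is
// echoed back to the service.
func updateCMKViaPatch(url string, kv keyVaultProperties) (int, string, error) {
	patch := map[string]any{"properties": map[string]any{"keyVaultProperties": kv}}
	return sendJSON(http.MethodPatch, url, patch)
}

func main() {
	srv, _ := newFakeClusterServer()
	defer srv.Close()
	kv := keyVaultProperties{KeyVaultURI: "https://example.vault.azure.net/", KeyName: "law-cmk", KeyVersion: "v1"} // constructed
	status, code, err := updateCMKViaPut(srv.URL, kv)
	fmt.Println("PUT:  ", status, code, err)
	status, code, err = updateCMKViaPatch(srv.URL, kv)
	fmt.Println("PATCH:", status, code, err)
}
```

The point the fake makes explicit is that the failure is not in the key reference at all: the same `keyVaultProperties` value is accepted once the write stops carrying the server-owned `associatedWorkspaces` list, which is why a client that merges a full GET response into its update body breaks on any newly read-only field the service adds.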