
Error azurerm_monitor_diagnostic_setting produced an unexpected new value: Root resource was present, but now absent #25667

Open
1 task done
JoDexsph opened this issue Apr 18, 2024 · 3 comments · May be fixed by #25697

@JoDexsph

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.3.6

AzureRM Provider Version

3.41.0

Affected Resource(s)/Data Source(s)

azurerm_monitor_diagnostic_setting

Terraform Configuration Files

Main TF
===================================
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "=3.41.0"
    }
  }
}

data "azurerm_subscription" "subscription" {
}

data "azurerm_role_definition" "builtin" {
  name = "Contributor"
}

resource "azurerm_resource_group" "rg" {
  name     = "resource-group-${var.training_id}"
  location = var.location
}

resource "azurerm_log_analytics_workspace" "workspace" {
  name                = "workspace-${var.training_id}"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  sku                 = "PerGB2018"
  depends_on = [
    azurerm_resource_group.rg
  ]
}

resource "azurerm_log_analytics_solution" "sentinel" {
  solution_name         = "SecurityInsights"
  location              = azurerm_resource_group.rg.location
  resource_group_name   = azurerm_resource_group.rg.name
  workspace_resource_id = azurerm_log_analytics_workspace.workspace.id
  workspace_name        = azurerm_log_analytics_workspace.workspace.name

  plan {
    publisher = "Microsoft"
    product   = "OMSGallery/SecurityInsights"
  }
}

resource "azurerm_log_analytics_solution" "activity" {
  solution_name         = "AzureActivity"
  location              = azurerm_resource_group.rg.location
  resource_group_name   = azurerm_resource_group.rg.name
  workspace_resource_id = azurerm_log_analytics_workspace.workspace.id
  workspace_name        = azurerm_log_analytics_workspace.workspace.name

  plan {
    publisher = "Microsoft"
    product   = "OMSGallery/AzureActivity"
  }
}

# Subscription-scope diagnostic setting that routes the Activity Log categories
# below to the workspace; this is the resource the apply fails on.
resource "azurerm_monitor_diagnostic_setting" "monitor_logs" {
  name                       = "monitor"
  target_resource_id         = data.azurerm_subscription.subscription.id
  log_analytics_workspace_id = azurerm_log_analytics_workspace.workspace.id

  enabled_log {
    category = "Administrative"
  }

  enabled_log {
    category = "Security"
  }

  enabled_log {
    category = "ServiceHealth"
  }

  enabled_log {
    category = "Alert"
  }

  enabled_log {
    category = "Recommendation"
  }

  enabled_log {
    category = "Policy"
  }

  enabled_log {
    category = "Autoscale"
  }

  enabled_log {
    category = "ResourceHealth"
  }
}

resource "azuread_user" "aaduser" {
  user_principal_name = var.user_principal_name
  display_name        = var.display_name
  mail_nickname       = var.mail_nickname
  password            = var.password
}

data "azuread_group" "DefenderEndpoints" {
  display_name     = "DefenderEndpoints"
}

resource "time_sleep" "wait_90_seconds" {
  depends_on = [azuread_user.aaduser]

  create_duration = "90s"
}

resource "azuread_group_member" "DefenderEndpoints" {
  depends_on = [time_sleep.wait_90_seconds]
  group_object_id  = data.azuread_group.DefenderEndpoints.id
  member_object_id = azuread_user.aaduser.object_id
}

resource "random_uuid" "uuid1" {
}

resource "random_uuid" "uuid2" {
}

resource "azurerm_role_assignment" "assignrole_log" {
  name               = random_uuid.uuid1.result
  scope              = azurerm_log_analytics_workspace.workspace.id
  role_definition_id = data.azurerm_role_definition.builtin.id
  principal_id       = azuread_user.aaduser.object_id
  depends_on = [
    azuread_user.aaduser
  ]
}

resource "azurerm_role_assignment" "assignrole_sentinel" {
  name               = random_uuid.uuid2.result
  scope              = azurerm_log_analytics_solution.sentinel.id
  role_definition_id = data.azurerm_role_definition.builtin.id
  principal_id       = azuread_user.aaduser.object_id
  depends_on = [
    azuread_user.aaduser
  ]
}

#--------------------------------------------------------------------------#
# Microsoft defender connector

resource "azurerm_sentinel_data_connector_microsoft_defender_advanced_threat_protection" "connector" {
  name                       = "connector"
  log_analytics_workspace_id = azurerm_log_analytics_workspace.workspace.id
  depends_on = [
    azurerm_log_analytics_solution.sentinel
  ]
}

#--------------------------------------------------------------------------#
# Sentinel rule

resource "azurerm_sentinel_alert_rule_ms_security_incident" "alertrule" {
  name                       = "Collect events from Microsoft Defender for Endpoint"
  log_analytics_workspace_id = azurerm_log_analytics_solution.sentinel.workspace_resource_id
  product_filter             = "Microsoft Defender Advanced Threat Protection"
  display_name               = "MS Defender Rule"
  severity_filter            = ["High", "Medium", "Low"]
  depends_on = [
    azurerm_sentinel_data_connector_microsoft_defender_advanced_threat_protection.connector
  ]
}


variables.tf
============================

variable "location" {
  type    = string
  default = "eastus"
}

variable "training_id" {
  type    = string
}
variable "user_principal_name" {
  type    = string
}
variable "display_name" {
  type    = string
}
variable "mail_nickname" {
  type    = string
}
variable "password" {
  type    = string
}

Debug Output/Panic Output

https://gist.github.com/JoDexsph/7400083e9115b761ff067a6b6b7f1518

Expected Behaviour

Terraform should exit with code 0, and the resources defined above should be created in Azure and placed in the Terraform state.

Actual Behaviour

The following error is shown:

Error: Provider produced inconsistent result after apply

When applying changes to azurerm_monitor_diagnostic_setting.monitor_logs, provider "provider["registry.terraform.io/hashicorp/azurerm"]" produced an unexpected new value: Root resource was present, but now absent.

This is a bug in the provider, which should be reported in the provider's own issue tracker.

Steps to Reproduce

TFVars file

location="eastus"
training_id=""
user_principal_name=""
display_name="user"
mail_nickname=""
password="password$"

Important Factoids

No response

References

No response

@rcskosir
Contributor

Thank you for taking the time to open this issue. Please subscribe to PR #25697 created by @teowa for this issue.

@teowa
Contributor

teowa commented Apr 29, 2024

@JoDexsph can you please share a full log with the HTTP logs for the PUT and GET of the diagnostic setting, so I can submit the issue to the REST API team as suggested in #25697 (review)? The log you previously shared is not complete, and I am unable to reproduce this error locally.
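The request above needs the provider's HTTP trace for the PUT that creates the diagnostic setting and the read-back GET that follows it. The script below is an added example, not code from the issue, the provider, or PR #25697. It assumes the log was captured with `TF_LOG=DEBUG TF_LOG_PATH=tf.log terraform apply`, and that the azurerm provider writes an `AzureRM Request:` marker before each raw request dump and an `AzureRM Response for <url>:` marker before each response dump (the constructed sample below mirrors that layout with a placeholder subscription id and trimmed headers). It pulls out only the diagnosticSettings calls and flags the sequence behind "Root resource was present, but now absent": a 2xx PUT followed by a 404 on the GET of the same setting. Redact the log before attaching it to a public issue.

```python
"""Extract diagnostic-setting HTTP calls from a Terraform/AzureRM debug log.

Added example, not code from the issue or the provider. Assumes TF_LOG=DEBUG
output with "AzureRM Request:" / "AzureRM Response for <url>:" markers.
"""
import re
import sys
from dataclasses import dataclass

# Constructed sample (placeholder subscription id, trimmed headers/bodies):
# a PUT that succeeds, then the provider's read-back GET that returns 404.
SAMPLE_LOG = """\
2024-04-18T10:00:00.000Z [DEBUG] provider.terraform-provider-azurerm_v3.41.0_x5: AzureRM Request:
PUT /subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Insights/diagnosticSettings/monitor?api-version=2021-05-01-preview HTTP/1.1
Host: management.azure.com
Content-Type: application/json; charset=utf-8

{"properties":{"logs":[{"category":"Administrative","enabled":true}]}}
2024-04-18T10:00:01.000Z [DEBUG] provider.terraform-provider-azurerm_v3.41.0_x5: AzureRM Response for https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Insights/diagnosticSettings/monitor?api-version=2021-05-01-preview:
HTTP/2.0 200 OK
Content-Type: application/json; charset=utf-8

{"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/microsoft.insights/diagnosticSettings/monitor","name":"monitor"}
2024-04-18T10:00:01.500Z [DEBUG] provider.terraform-provider-azurerm_v3.41.0_x5: AzureRM Request:
GET /subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Insights/diagnosticSettings/monitor?api-version=2021-05-01-preview HTTP/1.1
Host: management.azure.com
2024-04-18T10:00:02.000Z [DEBUG] provider.terraform-provider-azurerm_v3.41.0_x5: AzureRM Response for https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Insights/diagnosticSettings/monitor?api-version=2021-05-01-preview:
HTTP/2.0 404 Not Found
Content-Type: application/json; charset=utf-8

{"error":{"code":"ResourceNotFound","message":"..."}}
"""

REQ_LINE = re.compile(r"^(GET|PUT|POST|PATCH|DELETE)\s+(\S+)\s+HTTP/")
RESP_MARK = re.compile(r"AzureRM Response for (\S+?):\s*$")
STATUS_LINE = re.compile(r"^HTTP/\S+\s+(\d{3})\b")
DIAG_NAME = re.compile(r"/diagnosticSettings/([^/?\s]+)", re.IGNORECASE)


@dataclass
class Call:
    method: str
    setting: str  # diagnostic setting name taken from the URL
    path: str     # normalised path: no scheme/host, no query string, lower case
    status: int


def _norm(target):
    """Make the request-line path and the full response URL comparable."""
    path = re.sub(r"^https?://[^/]+", "", target)
    return path.split("?", 1)[0].lower()


def extract_diag_calls(log_text):
    """Return the diagnosticSettings calls in log order, each paired with its status."""
    calls = []
    pending = {}          # normalised path -> method of the unanswered request
    awaiting = None       # normalised path whose status line comes next
    for line in log_text.splitlines():
        m = REQ_LINE.match(line)
        if m:
            method, target = m.groups()
            if DIAG_NAME.search(target):
                pending[_norm(target)] = method
            continue
        m = RESP_MARK.search(line)
        if m:
            if DIAG_NAME.search(m.group(1)):
                awaiting = _norm(m.group(1))
            continue
        if awaiting is not None:
            m = STATUS_LINE.match(line)
            if m:
                method = pending.pop(awaiting, "?")
                name = DIAG_NAME.search(awaiting).group(1)
                calls.append(Call(method, name, awaiting, int(m.group(1))))
                awaiting = None
    return calls


def find_present_then_absent(calls):
    """(setting, put_status, get_status) for each 2xx PUT followed by a 404 GET
    on the same setting: the 'present, but now absent' signature."""
    findings, last_put = [], {}
    for c in calls:
        if c.method == "PUT" and 200 <= c.status < 300:
            last_put[c.path] = c.status
        elif c.method == "GET" and c.status == 404 and c.path in last_put:
            findings.append((c.setting, last_put[c.path], c.status))
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    calls = extract_diag_calls(text)
    for c in calls:
        print(f"{c.method:6} {c.status}  {c.setting}  {c.path}")
    for setting, put_status, get_status in find_present_then_absent(calls):
        print(f"!! {setting}: PUT returned {put_status} but the read-back GET returned {get_status}")
```

Run it as `python3 diag_calls.py tf.log`; with no argument it runs over the embedded sample. Only the request line, the response marker, and the status line are used, so the much larger real log (bodies, tokens, unrelated resources) does not need to be reduced by hand before looking for the pattern.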

@JoDexsph
Author

JoDexsph commented May 1, 2024

Thanks for the feedback @teowa; however, it seems the issue no longer reoccurs for us either, in any of our environments.
I have to say it is odd, since your PR with the fix hasn't been merged yet.
Could it be a fix made in the Azure API or in other components on the Azure end?
