Add Diagnostic Settings to Azure Storage account via Terraform

So you want to add a diagnostic setting to your Azure storage account via Terraform and you pass the storage account ID to target_resource_id only to get the following error:

Status=400 Code=”BadRequest” Message=”Category ‘StorageWrite’ is not supported.”

Here is the fix, the diagnostic target resource actually needs to be a sub-resource of the storage account, the ID for that is constructed as:

<StorageAccountId>/blobServices/default/

Using this you can create a terraform file similar to the below and it will create the diagnostic setting for you on the blob account.

For a more detailed explanation the issue here goes into more detail.

	resource "random_string" "random" {
	length = 5
	special = false
	upper = false
	number = false
	}

	resource "azurerm_log_analytics_workspace" "core" {
	name = "corelaw${random_string.random.result}"
	location = "westeurope"
	resource_group_name = "test1"
	sku = "PerGB2018"
	retention_in_days = 30
	}

	resource "azurerm_storage_account" "core" {
	location = "westeurope"
	resource_group_name = "test1"

	name = "corestor${random_string.random.result}"
	account_tier = "Standard"
	account_replication_type = "LRS"
	allow_blob_public_access = "false"
	is_hns_enabled = true
	enable_https_traffic_only = true
	}

	resource "azurerm_monitor_diagnostic_setting" "core-diagnostic" {
	name = "readwritecore${random_string.random.result}"
	# See workaround details: https://github.com/terraform-providers/terraform-provider-azurerm/issues/8275#issuecomment-755222989
	target_resource_id = "${azurerm_storage_account.core.id}/blobServices/default/"
	log_analytics_workspace_id = azurerm_log_analytics_workspace.core.id

	log {
	category = "StorageRead"
	enabled = true
	}

	log {
	category = "StorageWrite"
	enabled = true
	}

	metric {
	category = "Transaction"
	enabled = true
	retention_policy {
	days = 5
	enabled = true
	}
	}
	}

view raw storagediagnosticlogs.tf hosted with ❤ by GitHub

Leave a Reply Cancel reply

Enter your comment here...

Fill in your details below or click an icon to log in:

Email (required) (Address never made public)

Name (required)

Website

You are commenting using your WordPress.com account. ( Log Out / Change )

You are commenting using your Facebook account. ( Log Out / Change )

Connecting to %s

%d bloggers like this: