Reputation: 15
I'm trying to enable all activity logs for a Storage Account in Azure. Here's the code block, which seems to be causing errors.
resource "azurerm_monitor_diagnostic_setting" "storage_account_logs" {
  name               = "storage-account-logs"
  target_resource_id = azurerm_storage_account.example.id
  storage_account_id = azurerm_storage_account.example.id

  enabled_log {
    category = "StorageRead"
    retention_policy {
      enabled = false
    }
  }

  enabled_log {
    category = "StorageWrite"
    retention_policy {
      enabled = false
    }
  }

  enabled_log {
    category = "StorageDelete"
    retention_policy {
      enabled = false
    }
  }

  metric {
    category = "AllMetrics"
    retention_policy {
      enabled = false
    }
  }
}
The code runs into errors when I add in the enabled_logs for either StorageRead, StorageWrite, or StorageDelete. Here's the error that I get:
Error: updating Monitor Diagnostics Setting "storage-account-logs" for Resource "/subscriptions//resourceGroups//providers/Microsoft.Storage/storageAccounts/": diagnosticsettings.DiagnosticSettingsClient#CreateOrUpdate: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="BadRequest" Message="Category 'StorageRead' is not supported."

  with azurerm_monitor_diagnostic_setting.storage_account_logs,
  on main.tf line 42, in resource "azurerm_monitor_diagnostic_setting" "storage_account_logs":
  42: resource "azurerm_monitor_diagnostic_setting" "storage_account_logs" {
Upvotes: 0
Views: 6753
Reputation: 7820
The code runs into errors when I add in the enabled_logs for either StorageRead, StorageWrite, or StorageDelete. Here's the error that I get:
I tried to enable the diagnostic settings for a storage account using Terraform but faced the same error.
To enable StorageWrite, StorageRead and StorageDelete in the storage account diagnostic settings, you can essentially create a diagnostic setting at different levels within the storage account.
Enable diagnostic settings in the storage account using the Terraform code below.
provider "azurerm" {
  features {}
}

data "azurerm_storage_account" "venkatstorage" {
  name                = "venkatstoragetest"
  resource_group_name = "<resource_Name>"
}

resource "azurerm_monitor_diagnostic_setting" "storage_account_logs" {
  name = "storage-account-logs"
  # Reference the data source declared above (data.<type>.<name>).
  target_resource_id = data.azurerm_storage_account.venkatstorage.id
  storage_account_id = data.azurerm_storage_account.venkatstorage.id

  metric {
    category = "Transaction"
    retention_policy {
      enabled = false
    }
  }
}
Once the diagnostic settings are enabled for the storage account, enable metrics for particular resources like blob.
provider "azurerm" {
  features {}
}

data "azurerm_storage_account" "venkatstorage" {
  name                = "venkatstoragetest"
  resource_group_name = "<resourcegroup>"
}

data "azurerm_log_analytics_workspace" "shakti-log-analytics" {
  name                = "shakti-log-analytics"
  resource_group_name = "shaktisingh-analytics"
}

resource "azurerm_monitor_diagnostic_setting" "storage-account-logs" {
  name                       = "storage-account-logs"
  target_resource_id         = "${data.azurerm_storage_account.venkatstorage.id}/blobServices/default"
  log_analytics_workspace_id = data.azurerm_log_analytics_workspace.shakti-log-analytics.id

  log {
    category = "StorageRead"
    enabled  = true
    retention_policy {
      enabled = false
    }
  }

  log {
    category = "StorageWrite"
    enabled  = true
    retention_policy {
      enabled = false
    }
  }

  log {
    category = "StorageDelete"
    enabled  = true
    retention_policy {
      enabled = false
    }
  }

  metric {
    category = "Transaction"
    retention_policy {
      enabled = false
    }
  }
}
Terraform Apply:
Upvotes: 0
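Added example, not part of the original question or answer: the same sub-service approach generalized beyond blob, so that read, write and delete operations are audited on all four storage services of one account. The variable names and the resource name `storage_service_logs` are hypothetical, and the block assumes an azurerm provider version that supports `enabled_log` and the `metric` block.

```hcl
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm" }
  }
}

provider "azurerm" {
  features {}
}

# Assumed inputs (hypothetical names, not from the original posts).
variable "storage_account_id" {
  type        = string
  description = "Resource ID of the existing storage account"
}

variable "log_analytics_workspace_id" {
  type        = string
  description = "Resource ID of the Log Analytics workspace receiving the logs"
}

locals {
  # The Storage* log categories are exposed on these sub-resources,
  # not on the storage account resource itself (hence the 400 above).
  storage_services = toset(["blobServices", "queueServices", "tableServices", "fileServices"])
  log_categories   = ["StorageRead", "StorageWrite", "StorageDelete"]
}

# One diagnostic setting per sub-service, each sending all three log categories.
resource "azurerm_monitor_diagnostic_setting" "storage_service_logs" {
  for_each = local.storage_services

  name                       = "storage-${lower(each.key)}-logs"
  target_resource_id         = "${var.storage_account_id}/${each.key}/default"
  log_analytics_workspace_id = var.log_analytics_workspace_id

  dynamic "enabled_log" {
    for_each = local.log_categories
    content {
      category = enabled_log.value
    }
  }

  metric {
    category = "Transaction"
  }
}
```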