Pallab
Reputation: 2333
Getting Error from Azure API while doing Terraform Apply while creating Azure Data Collection Rule
I am trying to create Azure Data Collection Rule using Terraform Please find below the code
******Local Block ****************
locals {
data_collection_rule = {
rule1 = {
name = "001"
data_flow = {
streams = ["Microsoft-Event"]
destinations= ["la--210586112"]
transform_kql = "source"
output_stream = "Microsoft-Event"
}
data_sources = {
Windows_Event_Log = {
streams = ["Microsoft-WindowsEvent"]
x_path_queries = ["Application!*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0)]]",
"Security!*[System[(band(Keywords,13510798882111488))]]",
"System!*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0)]]"]
name = "eventLogsDataSource"
}
}
}
rule2 = {
name = "002"
data_flow = {
streams = ["Microsoft-Syslog"]
destinations= ["la--210586112"]
transform_kql = "source"
output_stream = "Microsoft-Syslog"
}
data_sources = {
SysLog = {
streams = ["Microsoft-Syslog"]
facility_names = [
"alert",
"audit",
"auth",
"authpriv",
"clock",
"cron",
"daemon",
"ftp",
"kern",
"local0",
"local1",
"local2",
"local3",
"local4",
"local5",
"local6",
"local7",
"lpr",
"mail",
"news",
"nopri",
"ntp",
"syslog",
"user",
"uucp"
]
name = "sysLogsDataSource-1688419672"
log_levels = "*"
}
}
}
}
}
****Resource Block *************
resource "azurerm_monitor_data_collection_rule" "amdcr" {
for_each = local.data_collection_rule
name = format("dcr-monitoring-%s-%s-%s",var.environment,var.location_short_name,each.value.name)
resource_group_name = module.resource_group.rg_name_subs
location = var.location
data_collection_endpoint_id = azurerm_monitor_data_collection_endpoint.monitor_dce.id
destinations {
log_analytics {
workspace_resource_id = module.log_analytics_workspace.id
name = "dataCollectionRules_${each.value.name}_law"
}
}
dynamic "data_flow" {
for_each = each.value.data_flow != null ? [each.value.data_flow] : []
content {
streams = data_flow.value.streams
destinations = data_flow.value.destinations
transform_kql = data_flow.value.transform_kql
output_stream = data_flow.value.output_stream
}
}
dynamic "data_sources" {
for_each = each.value.data_sources != null ? each.value.data_sources : {}
content {
dynamic "windows_event_log" {
for_each = contains(keys(data_sources.value), "Windows_Event_Log") ? [1] : []
content {
streams = lookup(data_sources.value.Windows_Event_Log, "streams", [])
x_path_queries = lookup(data_sources.value.Windows_Event_Log, "x_path_queries", [])
name = lookup(data_sources.value.Windows_Event_Log, "name", "")
}
}
dynamic "syslog" {
for_each = contains(keys(data_sources.value), "SysLog") ? [1] : []
content {
streams = lookup(data_sources.value.SysLog, "streams", [])
facility_names = lookup(data_sources.value.SysLog, "facility_names", [])
log_levels = lookup(data_sources.value.SysLog, "log_levels", "*")
name = lookup(data_sources.value.SysLog, "name", "")
}
}
}
}
}
I am getting the below error while doing Terraform Apply
Error: creating Data Collection Rule (Subscription: "***"
│ Resource Group Name: "rg-management-prd-cus-001"
│ Data Collection Rule Name: "dcr-monitoring-prd-cus-001"): unexpected status 400 (400 Bad Request) with error: InvalidPayload: Data collection rule is invalid
│
│ with module.management_subscription[0].azurerm_monitor_data_collection_rule.amdcr["rule1"],
│ on subscriptions/management/management.tf line 751, in resource "azurerm_monitor_data_collection_rule" "amdcr":
│ 751: resource "azurerm_monitor_data_collection_rule" "amdcr" {
│
│ creating Data Collection Rule (Subscription:
│ "***"
│ Resource Group Name: "rg-management-prd-cus-001"
│ Data Collection Rule Name: "dcr-monitoring-prd-cus-001"): unexpected status
│ 400 (400 Bad Request) with error: InvalidPayload: Data collection rule is
│ invalid
╵
╷
│ Error: creating Data Collection Rule (Subscription: "***"
│ Resource Group Name: "rg-management-prd-cus-001"
│ Data Collection Rule Name: "dcr-monitoring-prd-cus-002"): unexpected status 400 (400 Bad Request) with error: InvalidPayload: Data collection rule is invalid
│
│ with module.management_subscription[0].azurerm_monitor_data_collection_rule.amdcr["rule2"],
│ on subscriptions/management/management.tf line 751, in resource "azurerm_monitor_data_collection_rule" "amdcr":
│ 751: resource "azurerm_monitor_data_collection_rule" "amdcr" {
│
│ creating Data Collection Rule (Subscription:
│ "***"
│ Resource Group Name: "rg-management-prd-cus-001"
│ Data Collection Rule Name: "dcr-monitoring-prd-cus-002"): unexpected status
│ 400 (400 Bad Request) with error: InvalidPayload: Data collection rule is
│ invalid
Upvotes: 0
Views: 85
Answers (1)
Vinay B
Reputation: 2426
Getting Error from Azure API while doing Terraform Apply while creating Azure Data Collection Rule
Issue seems to the way you refer the log_levels and destinations and also replace the contains(keys(data_sources.value)) with lookup() for safer looping search for the inputs
always its best pratice to use the latest version so that we will be having the better security and features.
Demo Configuration:
locals {
data_collection_rule = {
rule1 = {
name = "001"
data_flow = {
streams = ["Microsoft-Event"]
destinations = ["la_destination"]
transform_kql = "source"
output_stream = "Microsoft-Event"
}
data_sources = {
Windows_Event_Log = {
streams = ["Microsoft-WindowsEvent"]
x_path_queries = [
"Application!*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0)]]",
"Security!*[System[(band(Keywords,13510798882111488))]]",
"System!*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0)]]"
]
name = "eventLogsDataSource"
}
}
}
rule2 = {
name = "002"
data_flow = {
streams = ["Microsoft-Syslog"]
destinations = ["la_destination"]
transform_kql = "source"
output_stream = "Microsoft-Syslog"
}
data_sources = {
SysLog = {
streams = ["Microsoft-Syslog"]
facility_names = [
"alert", "audit", "auth", "authpriv", "clock", "cron", "daemon",
"ftp", "kern", "local0", "local1", "local2", "local3", "local4",
"local5", "local6", "local7", "lpr", "mail", "news", "nopri",
"ntp", "syslog", "user", "uucp"
]
log_levels = ["Debug", "Info", "Notice", "Warning", "Error", "Critical", "Alert", "Emergency"]
name = "sysLogsDataSource"
}
}
}
}
}
resource "azurerm_monitor_data_collection_rule" "dcr" {
for_each = local.data_collection_rule
name = "dcr-monitoring-${each.value.name}"
resource_group_name = azurerm_resource_group.rg.name
location = azurerm_resource_group.rg.location
data_collection_endpoint_id = azurerm_monitor_data_collection_endpoint.dce.id
destinations {
log_analytics {
name = "la_destination"
workspace_resource_id = azurerm_log_analytics_workspace.law.id
}
}
dynamic "data_flow" {
for_each = each.value.data_flow != null ? [each.value.data_flow] : []
content {
streams = data_flow.value.streams
destinations = data_flow.value.destinations
transform_kql = data_flow.value.transform_kql
output_stream = data_flow.value.output_stream
}
}
dynamic "data_sources" {
for_each = each.value.data_sources != null ? each.value.data_sources : {}
content {
dynamic "windows_event_log" {
for_each = contains(keys(data_sources.value), "Windows_Event_Log") ? [1] : []
content {
streams = lookup(data_sources.value.Windows_Event_Log, "streams", [])
x_path_queries = lookup(data_sources.value.Windows_Event_Log, "x_path_queries", [])
name = lookup(data_sources.value.Windows_Event_Log, "name", "")
}
}
dynamic "syslog" {
for_each = contains(keys(data_sources.value), "SysLog") ? [1] : []
content {
streams = lookup(data_sources.value.SysLog, "streams", [])
facility_names = lookup(data_sources.value.SysLog, "facility_names", [])
log_levels = lookup(data_sources.value.SysLog, "log_levels", [])
name = lookup(data_sources.value.SysLog, "name", "")
}
}
}
}
}
Deployment:
Refer:
Unable to create Data Collection Rule via Terraform in Azure answered by me
Upvotes: 0
Related Questions
- Terraform Error while creating Resource Group in Azure
- How to create an Alert for Data Collection Rule deletion across all VMs in a subscription?
- Can't create data collection rule for Azure log analytics using Terraform - missing Terraform options?
- Connect Azure Log Workspace with Data Collection Rule (Terrraform) custom json logs
- unable to deploy Azure Api management in the existingazure vnet subnet
- Connect Azure Log Workspace with Data Collection Rule (Terrraform)
- Terraform Throwing Error while doing Init with Azure DevOps
- Getting cyclic error with Terraform while doing Azure app registration
- Error creating new azure resource group using terraform