I am trying to execute the below resource block using the azurerm provider of Terraform for creating an Alert Rule for monitoring the behavior of Azure Update Manager:
resource "azurerm_monitor_scheduled_query_rules_alert_v2" "patch_assessment_failure" {
  name                 = "Patch-Assessment-Failure"
  description          = "Alert when the patch assessment operation for a specific VM is failed."
  resource_group_name  = "ospm-rg"
  location             = "northeurope"
  evaluation_frequency = "P1D"
  window_duration      = "P1D"
  scopes               = ["/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourcegroups/ospm-rg/providers/microsoft.operationalinsights/workspaces/ospm-la"]
  severity             = 1

  criteria {
    query = <<-QUERY
      arg('').patchassessmentresources
      | where type in~ ("microsoft.compute/virtualmachines/patchassessmentresults", "microsoft.hybridcompute/machines/patchassessmentresults")
      | where properties.status =~ "Failed"
      | where properties.lastModifiedDateTime > ago(1d)
      | project vmResourceId
    QUERY

    time_aggregation_method = "Count"
    threshold               = 0
    operator                = "GreaterThan"

    dimension {
      name     = "vmResourceId"
      operator = "Include"
      values   = ["*"]
    }

    failing_periods {
      minimum_failing_periods_to_trigger_alert = 1
      number_of_evaluation_periods             = 1
    }
  }

  auto_mitigation_enabled = false
  enabled                 = true
  skip_query_validation   = true

  action {
    action_groups = ["/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/ospm-rg/providers/microsoft.insights/actiongroups/ospm-ag"]
  }
}
But, the creation of the resource is failing with the following error:
Error: creating Scheduled Query Rule (Subscription: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
│ Resource Group Name: "ospm-rg"
│ Scheduled Query Rule Name: "Assessment-Failure"): unexpected status 400 with error: DraftClientException: The request had some invalid properties Activity ID: 174a8ae7-808c-4ceb-af13-fce8fdef28fe.
As per my observation, the resource query block azurerm_monitor_scheduled_query_rules_alert_v2 is not able to execute the Azure Resource Graph queries, because if I remove the arg(''). part from the query above, terraform apply works absolutely fine giving no errors, but the query in the resulting alert rule becomes invalid because the table I am trying to put a query on is not available in the Log Analytics workspace directly and is coming up from the Azure Resource Graph.
So, can anyone please provide some suggestions on how we can define an Azure Resource Graph query in the azurerm_monitor_scheduled_query_rules_alert_v2 resource block, or if there is any workaround available for this issue?
2 Answers
The issue you’re facing with the azurerm_monitor_scheduled_query_rules_alert_v2 resource while attempting to utilize an Azure Resource Graph query underscores a typical problem. The azurerm_monitor_scheduled_query_rules_alert_v2 resource is intended for establishing alert rules that are based on queries of data within Azure Monitor Logs (Log Analytics workspaces), rather than directly querying the Azure Resource Graph. The Azure Resource Graph is a distinct service that enables querying across various resources and subscriptions. However, its queries cannot be directly executed within Azure Monitor Log Analytics workspaces.
I made the changes in the requirement and rewrote the code below.
Terraform configuration:
Note: Replace the KQL query mentioned as per your own requirement.
Deployment succeeded:
I ran into a similar issue recently. The alert needs to be granted access to query the Resource Graph. This is supported by using an assigned identity. Unfortunately this is not yet supported by azurerm_monitor_scheduled_query_rules_alert_v2 as mentioned here. I was still able to provision the alert with Terraform using the azapi_resource instead. You could use something like this (wasn’t sure how to map dimensions):
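The approach the second answer describes, as an added example (it is not the answerer's code, which does not appear on this page): an azapi_resource alert rule with a managed identity, plus the role assignment that lets that identity read the resources the Resource Graph query covers. Assumptions: azapi provider 1.13 or later (HCL object `body`), API version `2023-03-15-preview`, a system-assigned identity, and the Reader role at subscription scope; resource names and the placeholder subscription ID are the question's, and the `project`/dimension part of the query is omitted.

```hcl
# Added example. Placeholder IDs as in the question; the API version is an assumption.
locals {
  sub = "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
  rg  = "${local.sub}/resourceGroups/ospm-rg"
}

resource "azapi_resource" "patch_assessment_failure" {
  type      = "Microsoft.Insights/scheduledQueryRules@2023-03-15-preview"
  name      = "Patch-Assessment-Failure"
  parent_id = local.rg
  location  = "northeurope"

  # The rule evaluates the query as this identity, which is what lets it reach Resource Graph.
  identity {
    type = "SystemAssigned"
  }

  body = {
    kind = "LogAlert"
    properties = {
      severity            = 1
      enabled             = true
      autoMitigate        = false
      skipQueryValidation = true
      evaluationFrequency = "P1D"
      windowSize          = "P1D"
      scopes              = ["${local.rg}/providers/Microsoft.OperationalInsights/workspaces/ospm-la"]
      criteria = {
        allOf = [{
          query           = <<-QUERY
            arg('').patchassessmentresources
            | where type in~ ("microsoft.compute/virtualmachines/patchassessmentresults", "microsoft.hybridcompute/machines/patchassessmentresults")
            | where properties.status =~ "Failed"
            | where properties.lastModifiedDateTime > ago(1d)
          QUERY
          timeAggregation = "Count"
          operator        = "GreaterThan"
          threshold       = 0
          failingPeriods  = { numberOfEvaluationPeriods = 1, minFailingPeriodsToAlert = 1 }
        }]
      }
      actions = { actionGroups = ["${local.rg}/providers/microsoft.insights/actiongroups/ospm-ag"] }
    }
  }
}

# Least privilege: read-only, and only as wide as the machines and workspace the query must see.
resource "azurerm_role_assignment" "alert_arg_reader" {
  scope                = local.sub
  role_definition_name = "Reader"
  principal_id         = azapi_resource.patch_assessment_failure.identity[0].principal_id
}
```

Resource Graph returns only what the identity can read, so a role assignment that is missing or scoped too narrowly shows up as an alert that never fires rather than as a deployment error.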