Creating log search alert rules with no identity leads to incorrect alert creation (last working version 3.97.1) #25995

Open
1 task done
nisreen95 opened this issue May 16, 2024 · 8 comments

Comments

@nisreen95

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.7.5

AzureRM Provider Version

3.103.1

Affected Resource(s)/Data Source(s)

azurerm_monitor_scheduled_query_rules_alert_v2

Terraform Configuration Files

provider "azurerm" {
  skip_provider_registration = "true"
  features {}
}

resource "azurerm_monitor_scheduled_query_rules_alert_v2" "example" {
  name                = "exampleterraform"
  resource_group_name = "REDACTED"
  location            = "eastus"

  evaluation_frequency = "PT10M"
  window_duration      = "PT10M"
  scopes               = ["REDACTED"]
  severity             = 4
  criteria {
    query  = <<-QUERY
Heartbeat
    | take 1
  QUERY
    time_aggregation_method = "Count"
    threshold               = 0
    operator                = "GreaterThan"
    failing_periods {
      minimum_failing_periods_to_trigger_alert = 1
      number_of_evaluation_periods             = 1
    }
  }

  auto_mitigation_enabled          = false
  workspace_alerts_storage_enabled = false
  description                      = "example sqr"
  display_name                     = "example-sqr"
  enabled                          = true
  query_time_range_override        = "PT1H"
  skip_query_validation            = true
}

Debug Output/Panic Output

No errors

Expected Behaviour

When no identity is included in the configuration, the alert rule should be created normally and use the default authentication mechanism, which is not to use an identity.

Actual Behaviour

Even though the alert rule is created, the authentication does not work and the alert rule never fires. The last working version is 3.97.1.

Steps to Reproduce

Create a log search alert V2 without any identity specified in any module above 3.97.1
Alert will successfully create, but will be unknown in resource health and never fires as authentication does not work.

Important Factoids

None

References

None

@VOVELEE

This comment was marked as off-topic.

@teowa
Contributor

teowa commented May 21, 2024

Similar to #25921. Could you please try adding an identity to solve this? The identity was introduced in version 3.98.0 from #25365. Thanks.

@nisreen95
Author

> Similar to #25921. Could you please try adding an identity to solve this? The identity was introduced in version 3.98.0 from #25365. Thanks.

Hi. The identity field only accepts system assigned and user assigned. There is no option for no identity, which is what a large number of customers want. It should allow for the default option of no identity assignment.

@VOVELEE

VOVELEE commented May 28, 2024

Completely agree with @nisreen95. In the current state, the TF provider creates resources which are not working, which for alerts is quite disturbing because you always understand the hard way: you expect an alert to be triggered when you have an issue but you don't get one.
I know it is not ideal that the Azure Monitor API allows the creation of broken resources, but it looks like a decision should be made:

  • If there will be no support for using azurerm_monitor_scheduled_query_rules_alert_v2 without an identity, please make the property mandatory.
  • If there will be support, please do not provide an empty identity parameter in the API call.

@JoshWeepie

JoshWeepie commented May 31, 2024

The property shouldn't be mandatory, because we can create log query alerts in the portal without assigning an identity, correct? Terraform is passing type:None, userAssignedIdentities:null in the request body, but creating an alert manually in the portal doesn't pass any identity parameters in the request body, according to the Portal Activity log JSON.

The Azure log query docs say that when you leave the radio as 'Default', the alert rule permissions are based on the permissions of the last user to edit the rule.

https://learn.microsoft.com/en-us/azure/azure-monitor/alerts/alerts-create-log-alert-rule#configure-the-alert-rule-details
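
The difference described in the comment above (identity omitted from the request body versus sent as `type: None`) can be checked mechanically. The following Python is an added example, not part of the thread or the provider's code; the sample bodies, function names and mode labels are constructed for illustration.

```python
import json

# Constructed sample request bodies (not taken from the issue), shaped like a
# scheduled query rule create-or-update payload. IDs are placeholders.
SAMPLE_BODIES = {
    "portal-default": '{"location": "eastus", "properties": {"severity": 4}}',
    "provider-none": '{"location": "eastus", "identity": {"type": "None", '
                     '"userAssignedIdentities": null}, "properties": {"severity": 4}}',
    "system-assigned": '{"identity": {"type": "SystemAssigned"}, "properties": {}}',
    "user-assigned": '{"identity": {"type": "UserAssigned", "userAssignedIdentities": '
                     '{"/subscriptions/EXAMPLE/resourceGroups/example-rg/providers/'
                     'Microsoft.ManagedIdentity/userAssignedIdentities/example-id": {}}}, '
                     '"properties": {}}',
}

MANAGED_TYPES = {"systemassigned", "userassigned"}


def identity_mode(body):
    """Classify how a request body expresses the rule's identity.

    Returns "omitted" (no identity key, as the portal default is described),
    "explicit-none" (identity object with type None, as the provider is
    described), "managed", or "unrecognised".
    """
    doc = json.loads(body) if isinstance(body, (str, bytes)) else body
    if not isinstance(doc, dict):
        raise ValueError("request body must be a JSON object")
    if "identity" not in doc:
        return "omitted"
    identity = doc["identity"]
    if not isinstance(identity, dict):
        return "unrecognised"
    id_type = str(identity.get("type") or "").strip().lower()
    if id_type == "none":
        return "explicit-none"
    if id_type in MANAGED_TYPES:
        # A user-assigned identity with nothing listed cannot authenticate.
        if id_type == "userassigned" and not identity.get("userAssignedIdentities"):
            return "unrecognised"
        return "managed"
    return "unrecognised"


def flag_explicit_none(bodies):
    """Return the names of bodies that send identity type None explicitly."""
    return sorted(n for n, b in bodies.items() if identity_mode(b) == "explicit-none")
```

Run `flag_explicit_none` over request bodies exported from the Activity log to list rules created with the explicit `None` identity, which are the ones reported here as never firing.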

@JoshWeepie

JoshWeepie commented May 31, 2024

The API doc says identity is optional.

https://learn.microsoft.com/en-us/rest/api/monitor/scheduled-query-rules/create-or-update?view=rest-monitor-2023-03-15-preview&tabs=HTTP#request-body

The portal/API lets you create log query alerts without identity. The provider change #25365 is wrong for sending identity in the request parameters no matter what, is it not?

@JoshWeepie

JoshWeepie commented May 31, 2024

@nisreen95 A workaround is to use the Azure CLI to update the --disabled or --severity properties on the log alert. You don't even need to set disabled true and then re-enable, you can just send a '--disabled false' and the alert will fix itself. Then you can edit the alert in the portal and save like normal as well. This will fix the alert triggering and mine worked again after modifying.

az monitor scheduled-query update --disabled true --name 'Scheduled log alert name' --resource-group rgname

or

az monitor scheduled-query update --severity 3 --name 'Scheduled log alert name' --resource-group rgname

@dikshagaur1987

> > Similar to #25921. Could you please try adding an identity to solve this? The identity was introduced in version 3.98.0 from #25365. Thanks.
>
> Hi. The identity field only accepts system assigned and user assigned. There is no option for no identity, which is what a large number of customers want. It should allow for the default option of no identity assignment.

Exactly, we are using SPNs to authenticate and do not want to add an extra step to use managed identity for all our future alerts. In the meantime, as a workaround for our new alerts, we are using managed identity with log analytics reader access for the app insights resource.
We would like to be able to create alerts using no identity, please, with our default authentication method.
