using moved() on a diagnostic setting results in a resource create conflict

[kewalaka]

When using a moved() block to update a diagnostic setting between AzureRM and AzAPI, the provider wants to create the resource rather than update-in-place.

Here's an example from my vnet module fork:

https://github.com/kewalaka/terraform-azurerm-avm-res-network-virtualnetwork/blob/48ec566ea0305269fabd025ccfcefa9b193dc772/main.interfaces.tf#L130-L133

moved {
  from = azurerm_monitor_diagnostic_setting.this
  to   = azapi_resource.diagnostic_setting
}

This results in the following:

# module.vnet1.azapi_resource.diagnostic_setting["sendToLogAnalytics"] will be created
  # (moved from module.vnet1.azurerm_monitor_diagnostic_setting.this["sendToLogAnalytics"])
  + resource "azapi_resource" "diagnostic_setting" {

When this runs, we get the expected issue because the resource already exists:

Error: Resource already exists
│ 
│   with module.vnet1.azapi_resource.diagnostic_setting["sendToLogAnalytics"],
│   on ../../main.interfaces.tf line 66, in resource "azapi_resource" "diagnostic_setting":
│   66: resource "azapi_resource" "diagnostic_setting" {

Is this a bug, or have I got something wrong?

[ms-henglu]

Hi @kewalaka ,

Thank you for taking time to report this issue.

Please check wether the source resource exists in the terraform state, it's expected to see a similar results like

azurerm_management_lock.this[0] has moved to azapi_resource.cluster_lock[0]

If you're deploying in a new workspace, I think you need to delete the existing resource and retry.

More info could be found here

[kewalaka]

hi @ms-henglu - thanks for the feedback.

I've created a demo project to illustrate:

https://github.com/kewalaka/terraform-azapi-704

Strangely, I noticed it worked fine if the diagnostic settings were in the root module, but within a child module this is the behaviour:

• diagnostic settings are marked to be moved
• but...diagnostic settings are still marked to be recreated.

This approach works with other resource types - it just seems to be diagnostic settings in a module where something isn't right.

Let me know if I can help further, or if you can spot what I'm doing wrong!

[ms-henglu]

Hi @kewalaka - Thanks for the details! I can reproduce the issue now.

The root cause is that the ID of azurerm_monitor_diagnostic_setting is different from the Azure Resource ID:

azurerm_monitor_diagnostic_setting:
/subscriptions/000000/resourceGroups/rg-artistic-monitor/providers/Microsoft.Network/virtualNetworks/vnet-artistic-monitor|sendToLogAnalytics


Azure resource ID:
/subscriptions/000000/resourceGroups/rg-artistic-monitor/providers/Microsoft.Network/virtualNetworks/vnet-artistic-monitor/providers/Microsoft.Insights/diagnosticSettings/sendToLogAnalytics

I'll improve it to support similar scenarios in the next release.