AzureRM Diagnostic Setting Errors When Using Dynamic Blocks

Avatar
Mahima Sharu
  • Updated

Overview:

When creating Azure Monitor Diagnostic Settings with Terraform using dynamic blocks, you may encounter validation or API errors during terraform apply. These issues typically arise when logs and metrics are driven through variables and evaluated dynamically.

This article explains the observed errors, their root causes, and the correct way to structure diagnostic settings when using the AzureRM provider.

Problem:

While applying diagnostic settings, you may encounter one of the following errors:

Error 1

one of 'enabled_log, enabled_metric, metric' must be specified

Error 2

unexpected status 400 (400 Bad Request) with response: {"code":"BadRequest","message":"Category 'AllLogs' is not supported."

Cause:

Error 1: Empty Diagnostic Configuration

Azure Monitor requires at least one diagnostic category to be configured per diagnostic setting. When using dynamic blocks, this error occurs if:

  • diag_logs evaluates to an empty list

  • diag_metrics evaluates to an empty list

In this scenario, Terraform does not generate any enabled_log or enabled_metric blocks, and Azure rejects the configuration.

Error 2: Incorrect Log Attribute Usage

The second error occurs when AllLogs is passed as a category value. In Azure Monitor:

  • AllLogs is a category group

  • It must be defined using category_group, not category

Passing it incorrectly causes Azure to return a 400 Bad Request error.

Solution:

  • At least one diagnostic input (diag_logs or diag_metrics) must be provided.

  • Logs and metrics can be configured independently or together.

  • Log groups such as AllLogs must use category_group.

  • Metric categories such as AllMetrics must use category.

  • Avoid configurations where both logs and metrics resolve to empty lists.

  • Validate inputs when building reusable modules to prevent invalid configurations.

Recommended Implementation:

main.tf

resource "azurerm_monitor_diagnostic_setting" "this" {
  for_each = {
    for k, v in var.diag_options : k => v
    if var.enable_diagnostics
  }

  name               = "my-vnet"
  storage_account_id = azurerm_storage_account.this.id
  target_resource_id = azurerm_virtual_network.this.id

  dynamic "enabled_log" {
    for_each = each.value.diag_logs
    content {
      category_group = enabled_log.value
    }
  }

  dynamic "enabled_metric" {
    for_each = each.value.diag_metrics
    content {
      category = enabled_metric.value
    }
  }
}

terraform.tfvars

diag_options = {
  logs = {
    log_type      = "activity_logs"
    settings_name = "logs"
    diag_logs     = ["AllLogs"]
    diag_metrics  = []
  }

  metrics = {
    log_type      = "resource_logs"
    settings_name = "metrics"
    diag_logs     = []
    diag_metrics  = ["AllMetrics"]
  }
}

Conclusion:

These errors are expected behaviors enforced by Azure Monitor and the AzureRM provider. They typically occur when dynamic blocks evaluate to empty inputs or when log groups are defined using the wrong attribute. Following the configuration patterns outlined above ensures consistent and error-free diagnostic settings.

Additional Information:

AzureRM Provider Documentation:
https://registry.terraform.io/providers/hashicorp/azurerm/4.55.0/docs/resources/monitor_diagnostic_setting#enabled_log-6

Articles in this section