azurerm_log_analytics_workspace_table looks for resource group in wrong subscription

[xescab]

Is there an existing issue for this?

• I have searched the existing issues

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave comments along the lines of "+1", "me too" or "any updates", they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.7.4

AzureRM Provider Version

4.4.0

Affected Resource(s)/Data Source(s)

azurerm_log_analytics_workspace_table

Terraform Configuration Files

terraform {
  required_version = ">= 1.0.1"
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = ">= 3.115.0"
    }
    random = {
      source  = "hashicorp/random"
      version = ">= 3.6.0"
    }
  }
}

provider "azurerm" {
  features {}

  #alias           = "test_cwz"
  subscription_id = "xxxx-xxxx-x7aa"
}

provider "azurerm" {
  features {}

  alias           = "test_csz"
  subscription_id = "xxxx-xxxx-x24a"
}

resource "random_id" "diagnostic" {
  byte_length = 3
}

locals {
  law_rg_name   = "rg-test-csz-${random_id.diagnostic.hex}"
  law_location  = "northeurope"
  law_name      = "log-test-${random_id.diagnostic.hex}"
  rg_name       = "rg-test-${random_id.diagnostic.hex}"
  location      = "eastus"
  diag_name     = "diag-test-${random_id.diagnostic.hex}"
  keyvault_name = "kv-test-${random_id.diagnostic.hex}"
}


## Create LAW in CSZ (Central Service Zone)

resource "azurerm_resource_group" "law_rg" {
  name     = local.law_rg_name
  location = local.law_location
  provider = azurerm.test_csz
}

resource "azurerm_log_analytics_workspace" "test" {
  name                          = local.law_name
  location                      = azurerm_resource_group.law_rg.location
  resource_group_name           = azurerm_resource_group.law_rg.name
  local_authentication_disabled = false
  sku                           = "PerGB2018"
  retention_in_days             = 30
  provider                      = azurerm.test_csz
}


## Create resource and diagnostic settings in CWZ (Client Workload Zone)

resource "azurerm_resource_group" "diag_rg" {
  name     = local.rg_name
  location = local.location
}

data "azurerm_client_config" "current" {
}

resource "azurerm_key_vault" "diag_kv" {
  name                        = local.keyvault_name
  location                    = azurerm_resource_group.diag_rg.location
  resource_group_name         = azurerm_resource_group.diag_rg.name
  enabled_for_disk_encryption = true
  tenant_id                   = data.azurerm_client_config.current.tenant_id
  soft_delete_retention_days  = 7
  purge_protection_enabled    = false

  sku_name = "standard"

  access_policy {
    tenant_id          = data.azurerm_client_config.current.tenant_id
    object_id          = data.azurerm_client_config.current.object_id
    key_permissions    = ["Get", "Create", "Delete", "List", "Restore", "Recover", "UnwrapKey", "WrapKey", "Purge", "Encrypt", "Decrypt", "Sign", "Verify", "GetRotationPolicy"]
    secret_permissions = ["Get", "Set"]
  }
}

## Table should be managed in correct subscription, as the subscription ID
## is present in azurerm_log_analytics_workspace.test.id
resource "azurerm_log_analytics_workspace_table" "table" {
  for_each                = toset(["Usage"])
  workspace_id            = azurerm_log_analytics_workspace.test.id
  name                    = each.key
  retention_in_days       = 90
  total_retention_in_days = 180
}

Debug Output/Panic Output

module.diagnostic_settings.azurerm_monitor_diagnostic_setting.diag[0]: Creation complete after 14s [id=/subscriptions/xxxx-xxxx-x7aa/resourceGroups/rg-test-7fc24b/providers/Microsoft.KeyVault/vaults/kv-test-7fc24b|diag-test-7fc24b]
╷
│ Error: failed to update table Usage in workspace log-test-7fc24b in resource group rg-test-csz-7fc24b: performing CreateOrUpdate: unexpected status 404 (404 Not Found) with error: ResourceGroupNotFound: Resource group 'rg-test-csz-7fc24b' could not be found.
│
│   with module.diagnostic_settings.azurerm_log_analytics_workspace_table.table["Usage"],
│   on ../../main.tf line 37, in resource "azurerm_log_analytics_workspace_table" "table":
│   37: resource "azurerm_log_analytics_workspace_table" "table" {
│
│ failed to update table Usage in workspace log-test-7fc24b in resource group rg-test-csz-7fc24b: performing CreateOrUpdate: unexpected status 404 (404 Not Found) with error: ResourceGroupNotFound: Resource group 'rg-test-csz-7fc24b' could not be found.

Expected Behaviour

Resource group for the Log Analytics Workspace should be looked at in correct subscription, as the subscription ID
is present in workspace_id variable, and the table retention should be updated correctly.

Actual Behaviour

We get an unexpected status 404 (404 Not Found) with error: ResourceGroupNotFound: Resource group 'rg-test-csz-7fc24b' could not be found. It appears the azurerm provider is looking for the resource group in the wrong subscription.

Steps to Reproduce

• Create azurerm_log_analytics_workspace in a subscription (alias CSZ in the example) together with other central resources
• Create azurerm_log_analytics_workspace_table in a different module and subcription

Important Factoids

No response

References

No response

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.