Prevent diff on unchanged diagnostics (#5)

* Add each available diagnostics category, but enable only those we want This is a workaround for a know issue: hashicorp/terraform-provider-azurerm#7235 * Use azurerm v2.51.0 * Run terraform fmt * Don't rename resource name * Use required_providers block to set azurerm version
avinor · Mar 19, 2021 · 013e475 · 013e475
1 parent 59dc045
commit 013e475
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 7 deletions.
diff --git a/examples/simple/main.tf b/examples/simple/main.tf
@@ -1,7 +1,7 @@
 module "simple" {
-    source = "../../"
+  source = "../../"
 
-    name = "simple"
-    resource_group_name = "simple-kv-rg"
-    location = "westeurope"
+  name                = "simple"
+  resource_group_name = "simple-kv-rg"
+  location            = "westeurope"
 }
diff --git a/main.tf b/main.tf
@@ -1,9 +1,13 @@
 terraform {
   required_version = ">= 0.12.6"
+  required_providers {
+    azurerm = {
+      version = "~> 2.51.0"
+    }
+  }
 }
 
 provider "azurerm" {
-  version = "~> 2.50.0"
   features {}
 }
 
@@ -79,6 +83,10 @@ resource "azurerm_key_vault_access_policy" "main" {
   storage_permissions     = var.access_policies[count.index].storage_permissions
 }
 
+data "azurerm_monitor_diagnostic_categories" "default" {
+  resource_id = azurerm_key_vault.main.id
+}
+
 resource "azurerm_monitor_diagnostic_setting" "keyvault" {
   count                          = var.diagnostics != null ? 1 : 0
   name                           = "${var.name}-ns-diag"
@@ -88,24 +96,34 @@ resource "azurerm_monitor_diagnostic_setting" "keyvault" {
   eventhub_name                  = local.parsed_diag.event_hub_auth_id != null ? var.diagnostics.eventhub_name : null
   storage_account_id             = local.parsed_diag.storage_account_id
 
+  # For each available log category, check if it should be enabled and set enabled = true if it should.
+  # All other categories are created with enabled = false to prevent TF from showing changes happening with each plan/apply.
+  # Ref: https://github.com/terraform-providers/terraform-provider-azurerm/issues/7235
   dynamic "log" {
-    for_each = local.parsed_diag.log
+    for_each = data.azurerm_monitor_diagnostic_categories.default.logs
     content {
       category = log.value
+      enabled  = contains(local.parsed_diag.log, log.value)
 
       retention_policy {
         enabled = false
+        days    = 0
       }
     }
   }
 
+  # For each available metric category, check if it should be enabled and set enabled = true if it should.
+  # All other categories are created with enabled = false to prevent TF from showing changes happening with each plan/apply.
+  # Ref: https://github.com/terraform-providers/terraform-provider-azurerm/issues/7235
   dynamic "metric" {
-    for_each = local.parsed_diag.metric
+    for_each = data.azurerm_monitor_diagnostic_categories.default.metrics
     content {
       category = metric.value
+      enabled  = contains(local.parsed_diag.metric, metric.value)
 
       retention_policy {
         enabled = false
+        days    = 0
       }
     }
   }