azurerm_security_center_workspace": parsing segment "staticResourceGroups": expected the segment "resourcegroups" to be "resourceGroups

[darren-johnson]

Is there an existing issue for this?

• I have searched the existing issues

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

1.2.9

AzureRM Provider Version

3.22.0

Affected Resource(s)/Data Source(s)

azurerm_security_center_workspace

Terraform Configuration Files

resource "azurerm_security_center_workspace" "workspace" {
  scope        = join("", ["/subscriptions/", data.azurerm_subscriptions.msdn.subscriptions.0.subscription_id])
  workspace_id = azurerm_log_analytics_workspace.workspace.id
}

Debug Output/Panic Output

Error: parsing segment "staticResourceGroups": expected the segment "resourcegroups" to be "resourceGroups"

Expected Behaviour

Should work.

Appears the same issue as #18235 .

Actual Behaviour

Brand new configuration which fails to deploy or destroy. Other security center resources are present in state and need removing via the CLI to destroy.

Error: Reading Security Center Log Analytics Workspace ID: parsing "/subscriptions/SUB_ID/resourcegroups/RG_NAME/providers/microsoft.operationalinsights/workspaces/WORKSPACE_NAME": parsing segment "staticResourceGroups": expected the segment "resourcegroups" to be "resourceGroups"

Present in state file as per below:

tf state show azurerm_security_center_workspace.workspace
# azurerm_security_center_workspace.workspace: (tainted)
resource "azurerm_security_center_workspace" "workspace" {
    id           = "/subscriptions/SUB_ID/providers/Microsoft.Security/workspaceSettings/default"
    scope        = "/subscriptions/SUB_ID"
    workspace_id = "/subscriptions/SUB_ID/resourceGroups/RG_NAME/providers/Microsoft.OperationalInsights/workspaces/WORKSPACE_NAME"
}

Steps to Reproduce

No response

Important Factoids

No response

References

No response

[myc2h6o]

Hi @darren-johnson thanks for opening the issue! The issue seems to be similar to #17426, I'll be checking if we could apply the same fix for this.

[grillba]

Hi @myc2h6o,

This is identical to #18244 which was incorrectly closed as a duplicate. I've added some information to the bottom of that ticket here #18244 (comment)

The issue is a result of a lower cased resource ID being stored in Azure from a previous version of the provider. After upgrade to 3.21.0 or above, the provider is incorrectly doing a case sensitive parse of the returned value from the Azure API.

Happy to send on some diagnostics information if you'd like

[josh-barker]

Hey @myc2h6o and @tombuildsstuff ,

As per 18244, the response string from Azure is not the correct case.

I've also looked at older LAW's and their id is /subscriptions/xxx/resourcegroups/xxx, whereas a newly deployed LAW has /subscriptions/xxx/resourceGroups/xxx. Potentially the id format has changed over time?

There could be an issue in the Read function as it's using workspaces.ParseWorkspaceID, instead of ParseWorkspaceIDInsensitively.

I can put together a PR if that's helpful?

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.