Error: setting ResourceData for Sentinel Alert Rule Template "Advanced Multistage Attack Detection" (Workspace "xxxxxxxxxxxxxxxxxxxxxx" / Resource Group "xxxxxxxxxxxxxxxxx") ID
2022-12-07T02:22:54.1033107Z
2022-12-07T02:22:54.1033748Z with module.sentinel_analytics.module.sentinel_fusion_analytics["Advanced Multistage Attack Detection"].data.azurerm_sentinel_alert_rule_template.alert_rule_template,
2022-12-07T02:22:54.1034651Z on analytics/fusion/alert_rule_fusion.tf line 10, in data "azurerm_sentinel_alert_rule_template" "alert_rule_template":
2022-12-07T02:22:54.1035310Z 10: data "azurerm_sentinel_alert_rule_template" "alert_rule_template" {
@PCNZ Thank you for raising this and sorry you ran into trouble here.
The issue is introduced by #19487. @mbfrahry The azurerm_sentinel_alert_rule_template is a data source, where we parse the id that comes directly from Azure, rather than one we construct ourselves. So in this case I think we shall keep the casing as it is returned by Azure, especially as, for the alert rule template, the resource type segment is AlertRuleTemplates rather than alertRuleTemplates. Do you think we shall just revert the change in #19487 for the alert rule template part only? If yes, then I'll be happy to submit a PR for that.
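The casing mismatch described in the comment above, shown as an added Go example (not the provider's own code): a segment lookup that matches `alertRuleTemplates` byte for byte rejects an ID whose segment is `AlertRuleTemplates`, while a case-insensitive lookup accepts it. The function name `templateName` is hypothetical, and the sample ID is constructed with placeholder subscription, resource group, workspace and template names.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample ID with placeholder values. Only the casing of the
// "AlertRuleTemplates" segment is taken from the discussion on this page.
const azureReturnedID = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-rg" +
	"/providers/Microsoft.OperationalInsights/workspaces/example-ws" +
	"/providers/Microsoft.SecurityInsights/AlertRuleTemplates/example-template"

// templateName (hypothetical helper) walks the key/value segments of id and
// returns the value that follows the segment named key. With insensitive set
// to false the key must match exactly; with true, casing is ignored.
func templateName(id, key string, insensitive bool) (string, error) {
	segs := strings.Split(strings.Trim(id, "/"), "/")
	if len(segs)%2 != 0 {
		return "", fmt.Errorf("ID %q has an odd number of segments", id)
	}
	for i := 0; i < len(segs); i += 2 {
		match := segs[i] == key
		if insensitive {
			match = strings.EqualFold(segs[i], key)
		}
		if match && segs[i+1] != "" {
			return segs[i+1], nil
		}
	}
	return "", fmt.Errorf("ID %q has no %q segment", id, key)
}

func main() {
	// Same ID, same expected key, two matching modes.
	for _, insensitive := range []bool{false, true} {
		name, err := templateName(azureReturnedID, "alertRuleTemplates", insensitive)
		fmt.Printf("insensitive=%v name=%q err=%v\n", insensitive, name, err)
	}
}
```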
@magodo Hi! I work with Pete. Let me see if I can explain a bit further some context for this issue. We get the ids from the template of security incident and fusion types. Is it correct that if we just generate our own UUID for the id it should be ok? From my understanding it is a yes. We just generate ids and save on state and create the security incident and fusion from our ids.
Is there an existing issue for this?
Community Note
Terraform Version
1.3.2
AzureRM Provider Version
3.34.0
Affected Resource(s)/Data Source(s)
azurerm_sentinel_alert_rule_ms_security_incident
Terraform Configuration Files
Debug Output/Panic Output
Expected Behaviour
No response
Actual Behaviour
No response
Steps to Reproduce
Deploy using this (no version specified - defaults to latest)
terraform {
  required_providers {
    azurerm = {
      source = "hashicorp/azurerm"
    }
  }
  backend "azurerm" {
  }
}
To work around, hard-set the version to 3.33.0 and the deploy works
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "3.33.0"
    }
  }
  backend "azurerm" {
  }
}
Important Factoids
No response
References
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/sentinel_alert_rule_ms_security_incident