Cannot import azurerm_network_watcher_flow_log

[ekhaydarov]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform (and AzureRM Provider) Version

• hashicorp/azurerm v2.70.0
• terraform v0.15.5

Affected Resource(s)

• hashicorp/azurerm v2.70.0

Terraform Configuration Files

resource "azurerm_network_watcher_flow_log" "flowlog" {
  for_each = local.nsgs

  network_watcher_name = data.azurerm_network_watcher.watcher.name
  resource_group_name  = data.azurerm_network_watcher.watcher.resource_group_name

  network_security_group_id = data.azurerm_network_security_group.nsg[each.key].id
  storage_account_id        = module.storage_account["network"].storage_account_id[0]
  enabled                   = true

  retention_policy {
    enabled = true
    days    = 3
  }

  traffic_analytics {
    enabled               = true
    workspace_id          = azurerm_log_analytics_workspace.flowlogs.workspace_id
    workspace_region      = azurerm_log_analytics_workspace.flowlogs.location
    workspace_resource_id = azurerm_log_analytics_workspace.flowlogs.id
    interval_in_minutes   = 60
  }
}

Debug Output

Panic Output

Expected Behaviour

terraform import azurerm_network_watcher_flow_log.flowlog["nsg"] /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mygroup1/providers/Microsoft.Network/networkWatchers/watcher1/networkSecurityGroupId/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mygroup1/providers/Microsoft.Network/networkSecurityGroups/group1

results in successful import of resource

Actual Behaviour

terraform import azurerm_network_watcher_flow_log.flowlog["nsg"] /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mygroup1/providers/Microsoft.Network/networkWatchers/watcher1/networkSecurityGroupId/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mygroup1/providers/Microsoft.Network/networkSecurityGroups/group1

Throws an error that the resource does not exist. Confirmed via portal that it does exist. construction of this resource id is less than ideal but can lodge this complaint to azure team where it will be added to the pile of things that are backwards.

run az network watcher flow-log list and extract a completely different resource id for exactly the flow log above that looks like this

/subscriptions/xxx/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_westeurope/flowLogs/nameoftheflowlog

try to import it

terraform import azurerm_network_watcher_flow_log.flowlog["nsg"]  /subscriptions/xxx/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_westeurope/flowLogs/nameoftheflowlog

Error: Network Watcher Flow Log ID could not be split on `/networkSecurityGroupId`: /subscriptions/xxx/resourceGroups/NetworkWatcherRG/providers/Microsoft.Network/networkWatchers/NetworkWatcher_westeurope/flowLogs/nameoftheflowlog

Steps to Reproduce

Pretty sure we did nothing. One day we just had a terraform state drift alert and here we are trying to sync the state. Terraform says there has been a change outside it. The same flow logs had been deleted. Again when i look at portal nothing has changed to the flow logs in the last month.

Important Factoids

References

• #0000

[umersyed]

Any update on this one?

[smitp11]

hey @ekhaydarov , please see here on the issue we had and the resolution.

[theharrisonchow]

Can confirm issue still exists:

masked.path: Importing from ID ".../networkSecurityGroupId/..."...
masked.path: Import prepared!
  Prepared azurerm_network_watcher_flow_log for import
masked.path: Refreshing state... [id=.../networkSecurityGroupId/...]
╷
│ Error: Cannot import non-existent remote object
│ 
│ While attempting to import an existing object to "masked.path", the provider detected that no object exists with the
│ given id. Only pre-existing objects can be imported; check that the id is correct and that it is associated with the provider's configured region or endpoint, or use "terraform apply" to create a new
│ remote object for this resource.
╵

[magodo]

@ekhaydarov This should now be fixed by #15016, please confirm and feel free to reopen this issue if it still exists.

[github-actions]

This functionality has been released in v2.96.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.