I am trying to create a scheduled alert rule in Terraform. This is my code:

    resource "azurerm_monitor_scheduled_query_rules_alert_v2" "failed_alert" {
      name                    = "test"
      resource_group_name     = var.rg_name
      description             = "desc"
      scopes                  = [var.app_insights_id]
      location                = var.location
      evaluation_frequency    = "PT5M"
      window_duration         = "PT5M"
      severity                = 0
      auto_mitigation_enabled = false
      enabled                 = true

      criteria {
        query = <<-QUERY
          requests
          | where success == 'False'
          | project timestamp,
                    name,
                    success,
                    itemType,
                    duration,
                    operation_Name
        QUERY
        operator                = "GreaterThanOrEqual"
        threshold               = 1
        time_aggregation_method = "Count"

        failing_periods {
          minimum_failing_periods_to_trigger_alert = 1
          number_of_evaluation_periods             = 1
        }
      }

      action {
        action_groups = [var.action_group_id]
      }
    }

The problem is that this alert is never triggered.
When I want to change something in that alert, my screen is blank:
But when I try to edit an alert rule created via the portal, it works:
When I was investigating, I realized that the exported template looks a little bit different from alert rule created by hand and created via Terraform. With one created via Terraform the difference is property kind which is set to LogAlert:

    {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {},
      "variables": {},
      "resources": [
        {
          "type": "microsoft.insights/scheduledqueryrules",
          "apiVersion": "2023-03-15-preview",
          "name": "alert",
          "location": "westeurope",
          "tags": {
          },
          "kind": "LogAlert",
          "identity": {
            "type": "None"
          },
          "properties": {
            "description": "Gives an alert for specified workflows that failed.",
            "severity": 0,
            "enabled": true,
            "evaluationFrequency": "PT5M",
            "scopes": [
              "/subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.Insights/components/{component-name}"
            ],
            "windowSize": "PT5M",
            "criteria": {
              "allOf": [
                {
                  "query": "requests | where success == 'False' | project timestamp, name, success, itemType, duration, operation_Name, LogicappName = cloud_RoleName",
                  "timeAggregation": "Count",
                  "operator": "GreaterThanOrEqual",
                  "threshold": 1,
                  "failingPeriods": {
                    "numberOfEvaluationPeriods": 1,
                    "minFailingPeriodsToAlert": 1
                  }
                }
              ]
            },
            "autoMitigate": false,
            "actions": {
              "actionGroups": [
                "/subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.Insights/actionGroups/{action-group-name}"
              ],
              "customProperties": {}
            },
            "checkWorkspaceAlertsStorageConfigured": false,
            "skipQueryValidation": false
          }
        }
      ]
    }

Why doesn't my alert provisioned via Terraform work? The KQL works perfectly fine on the AI scope.

Adding the Kind property is not exactly required when you are scheduling a monitor log alert query, because the resource azurerm_monitor_scheduled_query_rules_alert_v2 itself mentions that it is scheduling a log alert query. You can also add it and try the deployment again.
Check the scope parameter and also that the query you are using doesn't contain any extra characters.
Also check the Terraform version installed in your environment and always include the Terraform provider in the tf code to avoid version-related conflicts.
I tried the below Terraform code in my environment and was able to deploy and edit it successfully.

    terraform {
      required_providers {
        azurerm = {
          source  = "hashicorp/azurerm"
          version = "3.111.0"
        }
      }
    }

    provider "azurerm" {
      features {}
    }

    data "azurerm_resource_group" "main" {
      name = "Jahnavi"
    }

    resource "azurerm_application_insights" "example" {
      name                = "examplej-ai"
      location            = data.azurerm_resource_group.main.location
      resource_group_name = data.azurerm_resource_group.main.name
      application_type    = "web"
    }

    resource "azurerm_monitor_action_group" "example" {
      name                = "examplejag"
      resource_group_name = data.azurerm_resource_group.main.name
      short_name          = "test mag"
    }

    resource "azurerm_monitor_scheduled_query_rules_alert_v2" "failed_alert" {
      name                    = "test"
      resource_group_name     = data.azurerm_resource_group.main.name
      description             = "desc"
      scopes                  = [azurerm_application_insights.example.id]
      location                = data.azurerm_resource_group.main.location
      evaluation_frequency    = "PT5M"
      window_duration         = "PT5M"
      severity                = 0
      auto_mitigation_enabled = false
      enabled                 = true

      criteria {
        query = <<-QUERY
          requests
          | where success == 'False'
          | project timestamp,
                    name,
                    success,
                    itemType,
                    duration,
                    operation_Name
        QUERY
        operator                = "GreaterThanOrEqual"
        threshold               = 1
        time_aggregation_method = "Count"

        failing_periods {
          minimum_failing_periods_to_trigger_alert = 1
          number_of_evaluation_periods             = 1
        }
      }

      action {
        action_groups = [azurerm_monitor_action_group.example.id]
      }
    }

Deployment succeeded:
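
The checks the answer lists (scope, extra characters in the query), as an added Python example that is not part of the answer or of any Azure tooling: it lints an exported template like the one in the question. The sample template, the `lint_rule` and `lint_template` names, and the two extra checks (rule enabled, action group attached) are assumptions made for illustration.

```python
import json
import re

# Constructed sample export; the query carries a zero-width space (U+200B) as the "extra character".
SAMPLE_TEMPLATE = json.dumps({"resources": [{
    "type": "microsoft.insights/scheduledqueryrules",
    "name": "test",
    "properties": {
        "enabled": True,
        "scopes": ["/subscriptions/{subscription-id}/resourceGroups/{resource-group-name}"
                   "/providers/Microsoft.Insights/components/{component-name}"],
        "criteria": {"allOf": [{"query": "requests\u200b\n| where success == 'False'"}]},
        "actions": {"actionGroups": []},
    },
}]})

# Subscription, resource group or single-resource ID, with no surrounding whitespace.
SCOPE_RE = re.compile(
    r"/subscriptions/[^/\s]+(/resourceGroups/[^/\s]+(/providers/[^/\s]+(/[^/\s]+/[^/\s]+)+)?)?", re.I)

def lint_rule(rule):
    """Return the findings for one scheduledqueryrules resource (empty list = clean)."""
    findings = []
    props = rule.get("properties", {})
    if not props.get("enabled", False):
        findings.append("rule is disabled")
    scopes = props.get("scopes", [])
    if not scopes:
        findings.append("scopes is empty")
    for scope in scopes:
        if not SCOPE_RE.fullmatch(scope):
            findings.append(f"scope is not a well-formed resource ID: {scope!r}")
    for cond in props.get("criteria", {}).get("allOf", []):
        # Flag anything outside printable ASCII, apart from newline, CR and tab.
        bad = sorted({f"U+{ord(c):04X}" for c in cond.get("query", "")
                      if not (c.isascii() and (c.isprintable() or c in "\n\r\t"))})
        if bad:
            findings.append("query contains unexpected characters: " + ", ".join(bad))
    if not props.get("actions", {}).get("actionGroups"):
        findings.append("no action group attached")
    return findings

def lint_template(text):
    """Map rule name -> findings for every scheduled query rule in an exported template."""
    rules = json.loads(text).get("resources", [])
    return {r["name"]: lint_rule(r) for r in rules
            if r.get("type", "").lower() == "microsoft.insights/scheduledqueryrules"}

if __name__ == "__main__":
    for name, found in lint_template(SAMPLE_TEMPLATE).items():
        print(name, found or "ok")
```

A rule that deploys cleanly but never fires is a silent detection gap, so a lint like this is most useful in the same pipeline that applies the Terraform.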