azureterraformalert

Scheduled alert rule created in Terraform doesn't work


I am trying to create a scheduled alert rule in Terraform. This is my code:

# Scheduled log-query alert (v2) scoped to the Application Insights component
# passed in as var.app_insights_id. Every 5 minutes it runs the query below over
# a 5-minute window and fires when the number of returned rows is >= 1.
resource "azurerm_monitor_scheduled_query_rules_alert_v2" "failed_alert" {

  name                = "test"
  resource_group_name = var.rg_name
  description         = "desc"
  # Resource(s) the query is evaluated against.
  scopes              = [var.app_insights_id]
  location            = var.location
  
  # ISO 8601 durations: how often the rule runs, and how far back each run looks.
  evaluation_frequency    = "PT5M"
  window_duration         = "PT5M"
  # 0 is the most severe level Azure Monitor offers.
  severity                = 0
  # Fired alerts are not resolved automatically.
  auto_mitigation_enabled = false
  enabled                 = true

  criteria {
    # The text between the QUERY markers is the KQL the rule runs.
    # NOTE(review): the filter compares `success` with the string 'False';
    # presumably the column is a string in this scope - confirm by running the
    # query against the same scope the rule uses.
    query = <<-QUERY
requests 
| where success == 'False'
| project timestamp,
 name,
 success,
 itemType,
 duration,
 operation_Name
    QUERY

    # Count the rows the query returns and fire when that count is >= 1.
    operator                = "GreaterThanOrEqual"
    threshold               = 1
    time_aggregation_method = "Count"

    # A single failing evaluation out of one evaluated period is enough to fire.
    failing_periods {
      minimum_failing_periods_to_trigger_alert = 1
      number_of_evaluation_periods             = 1
    }
  }

  # Notifications go to this action group. Its receivers are defined outside this
  # block, so "the rule never fired" and "the rule fired but nobody was notified"
  # have to be told apart when debugging - NOTE(review): confirm the group has
  # receivers.
  action {
    action_groups = [var.action_group_id]
  }

}

The problem is that this alert is never triggered.

When I want to change something in that alert, my screen is blank:

enter image description here

But when I try to edit an alert rule created via the portal, it works: enter image description here

While investigating, I realized that the exported template looks slightly different for the alert rule created by hand and the one created via Terraform. With the one created via Terraform, the difference is the property kind, which is set to LogAlert:

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {},
    "variables": {},
    "resources": [
        {
            "type": "microsoft.insights/scheduledqueryrules",
            "apiVersion": "2023-03-15-preview",
            "name": "alert",
            "location": "westeurope",
            "tags": {
            },
            "kind": "LogAlert",
            "identity": {
                "type": "None"
            },
            "properties": {
                "description": "Gives an alert for specified workflows that failed.",
                "severity": 0,
                "enabled": true,
                "evaluationFrequency": "PT5M",
                "scopes": [
                    "/subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.Insights/components/{component-name}"
                ],
                "windowSize": "PT5M",
                "criteria": {
                    "allOf": [
                        {
                            "query": "requests | where success == 'False' | project timestamp, name, success, itemType, duration, operation_Name, LogicappName = cloud_RoleName",
                            "timeAggregation": "Count",
                            "operator": "GreaterThanOrEqual",
                            "threshold": 1,
                            "failingPeriods": {
                                "numberOfEvaluationPeriods": 1,
                                "minFailingPeriodsToAlert": 1
                            }
                        }
                    ]
                },
                "autoMitigate": false,
                "actions": {
                    "actionGroups": [
                        "/subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.Insights/actionGroups/{action-group-name}"
                    ],
                    "customProperties": {}
                },
                "checkWorkspaceAlertsStorageConfigured": false,
                "skipQueryValidation": false
            }
        }
    ]
}

Why doesn't my alert provisioned via Terraform work? The KQL works perfectly fine on the Application Insights scope.


Solution

  • Adding the kind property is not strictly required when you are scheduling a monitor log alert query, because the resource azurerm_monitor_scheduled_query_rules_alert_v2 itself indicates that it schedules a log alert query. You can also add it and try the deployment again.

    Check the scope parameter, and also check that the query you are using doesn't contain any extra characters.

    Also check the Terraform version installed in your environment, and always include the Terraform provider in the .tf code to avoid version-related conflicts.

    I tried the below terraform code in my environment and was able to deploy and edit it successfully.

    # Provider requirements. The azurerm provider is pinned to one exact release,
    # so every run resolves the same provider build and an upgrade is an explicit
    # edit to this block.
    terraform {
      required_providers {
        azurerm = {
          source  = "hashicorp/azurerm"
          version = "3.111.0"
        }
      }
    }
    # The azurerm provider needs a features block even when it is empty.
    # No credentials are set in this block.
    provider "azurerm" {
      features {}
    }
    # Looks up an existing resource group by name instead of creating one; its
    # name and location are reused by the resources in this listing.
    data "azurerm_resource_group" "main" {
      name = "Jahnavi"
    }
    # Application Insights component whose ID is used as the alert rule's scope.
    resource "azurerm_application_insights" "example" {
      name                = "examplej-ai"
      application_type    = "web"
      resource_group_name = data.azurerm_resource_group.main.name
      location            = data.azurerm_resource_group.main.location
    }
    
    # Action group that the alert rule targets.
    # No receiver blocks are declared here, so a rule that points at this group
    # can fire without anyone being notified; add receivers before relying on it
    # for real alerting.
    resource "azurerm_monitor_action_group" "example" {
      name                = "examplejag"
      short_name          = "test mag"
      resource_group_name = data.azurerm_resource_group.main.name
    }
    # Scheduled log-query alert (v2) scoped to the Application Insights component
    # declared in this listing. Every 5 minutes it runs the query below over a
    # 5-minute window and fires when the number of returned rows is >= 1.
    resource "azurerm_monitor_scheduled_query_rules_alert_v2" "failed_alert" {
    
      name                = "test"
      resource_group_name = data.azurerm_resource_group.main.name
      description         = "desc"
      # Resource the query is evaluated against.
      scopes              = [azurerm_application_insights.example.id]
      location            = data.azurerm_resource_group.main.location
      
      # ISO 8601 durations: how often the rule runs, and how far back each run looks.
      evaluation_frequency    = "PT5M"
      window_duration         = "PT5M"
      # 0 is the most severe level Azure Monitor offers.
      severity                = 0
      # Fired alerts are not resolved automatically.
      auto_mitigation_enabled = false
      enabled                 = true
    
      criteria {
        # The text between the QUERY markers is the KQL the rule runs.
        # NOTE(review): the filter compares `success` with the string 'False';
        # presumably the column is a string in this scope - confirm by running
        # the query against the same scope the rule uses.
        query = <<-QUERY
    requests 
    | where success == 'False'
    | project timestamp,
     name,
     success,
     itemType,
     duration,
     operation_Name
        QUERY
    
        # Count the rows the query returns and fire when that count is >= 1.
        operator                = "GreaterThanOrEqual"
        threshold               = 1
        time_aggregation_method = "Count"
    
        # A single failing evaluation out of one evaluated period is enough to fire.
        failing_periods {
          minimum_failing_periods_to_trigger_alert = 1
          number_of_evaluation_periods             = 1
        }
      }
    
      # Notifications go to the action group declared in this listing. That group
      # has no receivers, so a successful deployment here shows the rule can be
      # created and edited, not that anyone is notified when it fires.
      action {
        action_groups = [azurerm_monitor_action_group.example.id]
      }
    
    }
    

    Deployment succeeded:

    enter image description here

    enter image description here

    enter image description here