Azure/azure-policy

Deploy export to Log Analytics workspace for Microsoft Defender for Cloud data: Issue with deployed policy via terraform

derchristian56 opened this issue · 0 comments

Description:
I deployed this policy via terraform with the following settings:

  • createResourceGroup: true
  • resourceGroupName:
  • resourceGroupLocation: westeurope (same as the subscriptions themselves)
  • workspaceResourceId:

The policy itself is applied on Management Group scope with a system assigned Managed Identity. The Managed Identity was given the roles "Contributor" and "Log Analytics Contributor", also on Management Group scope.

All subscriptions below have Defender for Cloud enabled by another policy. Checked in the portal.

Expected behavior:

  • Policy is applied on Management Group scope
  • Configuration for export to log analytics workspace is deployed into new resource group with name specified in policy parameters.
  • Logs are exported to log analytics workspace

Current behavior:

  • Policy is applied on Management Group (ok)
  • Policy detects all subscriptions below Management Group (ok)
  • No resource group was created (not ok)
  • Export configurations are not deployed and in portal the policy shows Compliance State "Non-Compliant" with the Compliance reason "ResourceGroupNotFound" (not ok)
  • Inside a single Compliance State the reason for non-compliance is shown as "No related resource match the effect details in the policy definition"

Question:

  • Is there an issue in the Policy?
  • Did I miss something in the documentation for this policy?
  • Can anybody confirm this behavior deploying the policy via terraform?
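The setup the issue describes, written out as an added Terraform example (this is not the issue author's configuration and not code from the azure-policy project): the built-in definition is looked up by display name, assigned at management-group scope with a system-assigned identity, the two roles named in the issue are granted to that identity at the same scope, and a remediation task is created. The last step matters for the observed behaviour: a DeployIfNotExists effect only deploys when a resource is created or updated, so subscriptions that already exist under the management group are only brought into compliance by a remediation task. The management-group ID, the workspace resource ID, the assignment names and the resource-group name are placeholders; the four parameter names are the ones listed in the issue.

```hcl
# Added example: assign the built-in MDC export policy at management-group
# scope, grant the assignment's identity the roles named in the issue, and
# remediate existing subscriptions. All names and IDs are placeholders.

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
  }
}

provider "azurerm" {
  features {}
}

# Placeholder: resource ID of the target management group,
# e.g. /providers/Microsoft.Management/managementGroups/<mg-name>
variable "management_group_id" {
  type = string
}

# Placeholder: resource ID of the destination Log Analytics workspace
# (the issue left this value blank).
variable "workspace_resource_id" {
  type = string
}

# Look up the built-in definition by display name instead of hard-coding a GUID.
data "azurerm_policy_definition" "mdc_export" {
  display_name = "Deploy export to Log Analytics workspace for Microsoft Defender for Cloud data"
}

resource "azurerm_management_group_policy_assignment" "mdc_export" {
  name                 = "mdc-export-to-law"
  display_name         = "Export Defender for Cloud data to Log Analytics"
  management_group_id  = var.management_group_id
  policy_definition_id = data.azurerm_policy_definition.mdc_export.id
  # A location is required when the assignment carries a managed identity.
  location = "westeurope"

  identity {
    type = "SystemAssigned"
  }

  # Parameter names come from the issue; the values are placeholders.
  parameters = jsonencode({
    createResourceGroup   = { value = true }
    resourceGroupName     = { value = "rg-mdc-export" }
    resourceGroupLocation = { value = "westeurope" }
    workspaceResourceId   = { value = var.workspace_resource_id }
  })
}

# The two roles from the issue, granted to the assignment's identity
# at the same management-group scope.
resource "azurerm_role_assignment" "mdc_export" {
  for_each             = toset(["Contributor", "Log Analytics Contributor"])
  scope                = var.management_group_id
  role_definition_name = each.value
  principal_id         = azurerm_management_group_policy_assignment.mdc_export.identity[0].principal_id
}

# DeployIfNotExists only fires on create/update events. Subscriptions that
# already exist under the management group need a remediation task, which
# runs the deployment with the identity above; it must not start before the
# role assignments exist.
resource "azurerm_management_group_policy_remediation" "mdc_export" {
  name                 = "remediate-mdc-export"
  management_group_id  = var.management_group_id
  policy_assignment_id = azurerm_management_group_policy_assignment.mdc_export.id

  depends_on = [azurerm_role_assignment.mdc_export]
}
```

After `terraform apply`, the remediation task's per-subscription deployment status is visible in the portal under Policy > Remediation; a failed deployment there carries the actual ARM error, which is more specific than the "ResourceGroupNotFound" compliance reason shown on the assignment. If the remediation is created in the same apply as the role assignments, the `depends_on` is what prevents it from running before the identity has any permissions.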