You can set Diagnostic Settings on Azure Management Groups with REST API, and by extension Terraform AzApi!
Tag: Diagnostic Settings
Connect Subscription Activity Log with Azure Event Hubs for sending logs to third party SIEM using Terraform. Reduced scope for RBAC permission on Auth rule.