bugfix: Make the Azure Defender clause robust against a non-existent … #258

Merged


gzur (Contributor) commented Sep 27, 2022

Fixes #257

Changes proposed in the pull request:

Support setting var.microsoft_defender_enabled to false and supplying your own analytics workspace to Microsoft Defender.

Signed-off-by: Gissur Þórhallsson [email protected]

…`azurerm_log_analytics_workspace`

Signed-off-by: Gissur Þórhallsson <[email protected]>
github-actions (Contributor)

MAIN BRANCH PUSH DETECTED DUE TO #259, THIS PR NEED TO BE UPDATED TO TRIGGER CI.

lonegunmanb (Member)

Hi @gzur thanks a lot for opening this pr! Unfortunately we've got a bug in our CI pipeline code and I've just fixed it, would you please merge your branch with the latest master branch so I can re-run the failed job again? Thanks!

@lonegunmanb lonegunmanb self-requested a review September 28, 2022 05:04
lonegunmanb (Member) commented Sep 28, 2022

Btw I've reviewed your code, almost LGTM but I've got a new idea. How about adding a new local like this right behind the workspace resource:

locals {
  log_analytics_workspace = var.log_analytics_workspace_enabled ? (
    var.log_analytics_workspace == null ? {
      id   = azurerm_log_analytics_workspace.main[0].id
      name = azurerm_log_analytics_workspace.main[0].name
      } : {
      id   = var.log_analytics_workspace.id
      name = var.log_analytics_workspace.name
    }
    ) : {
    id   = null
    name = null
  }
}

Then we change all references to workspace id and name to this local, sounds good?

lonegunmanb (Member) left a comment

Please merge with the latest master branch, thanks for your understanding.

github-actions (Contributor)

MAIN BRANCH PUSH DETECTED DUE TO #262, THIS PR NEED TO BE UPDATED TO TRIGGER CI.

…fix-disabled-log_analytics_workspace

Signed-off-by: Gissur Þórhallsson <[email protected]>
@gzur gzur force-pushed the fix-disabled-log_analytics_workspace branch from 9f9a002 to 8ac6c72 Compare September 28, 2022 11:56
gzur (Contributor, Author) commented Sep 28, 2022

> Btw I've reviewed your code, almost LGTM but I've got a new idea. How about adding a new local like this right behind the workspace resource:
>
> locals {
>   log_analytics_workspace = var.log_analytics_workspace_enabled ? (
>     var.log_analytics_workspace == null ? {
>       id   = azurerm_log_analytics_workspace.main[0].id
>       name = azurerm_log_analytics_workspace.main[0].name
>     } : {
>       id   = var.log_analytics_workspace.id
>       name = var.log_analytics_workspace.name
>     }
>   ) : {
>     id   = null
>     name = null
>   }
> }
>
> Then we change all references to workspace id and name to this local, sounds good?

Sure thing.

But on a related note: we are introducing some fairly complex behaviour here. Do we have a framework for testing this?

ghost commented Sep 28, 2022

CLA assistant check
All CLA requirements met.

lonegunmanb (Member)


> Sure thing.
>
> But on a related note: we are introducing some fairly complex behaviour here. Do we have a framework for testing this?

Good question! What about modifying the named_cluster folder in examples to create this log analytics workspace in the root module and pass it via var.log_analytics_workspace, so our e2e tests can cover both cases?

github-actions (Contributor)

MAIN BRANCH PUSH DETECTED DUE TO #260, THIS PR NEED TO BE UPDATED TO TRIGGER CI.

gzur (Contributor, Author) commented Sep 28, 2022

> Good question! What about modifying the named_cluster folder in examples to create this log analytics workspace in the root module and pass it via var.log_analytics_workspace, so our e2e tests can cover both cases?

Sounds fun. I always wanted to try out how infrastructure tests work.

Should I modify the named_cluster test/example or duplicate it?

lonegunmanb (Member)

> Sounds fun. I always wanted to try out how infrastructure tests work.
>
> Should I modify the named_cluster test/example or duplicate it?

You can modify examples/named_cluster/main.tf directly; our e2e test steps apply every sub folder under examples to ensure that all our examples work.

lonegunmanb (Member)

> Sounds fun. I always wanted to try out how infrastructure tests work.
>
> Should I modify the named_cluster test/example or duplicate it?

@gzur I had designed "unit tests" for our new CI pipeline but I haven't added them to this aks module yet. I'll add one to test this complex local after we've merged your pr; please stay tuned if you're interested in how to write quick and cheap tests for locals.

gzur (Contributor, Author) commented Sep 28, 2022

> I'll add one to test this complex local after we've merged your pr; please stay tuned if you're interested in how to write quick and cheap tests for locals.

Ok. I'll hold off on diving into the tests until after we've merged this.

lonegunmanb (Member) left a comment

Thanks @gzur almost LGTM, only a few issues.

Btw we have a CI check issue, would you please run the following commands before you commit after you've finished your modification? Thanks in advance:

docker run --rm -v $(pwd):/src -w /src mcr.microsoft.com/azterraform:latest make pre-commit
docker run --rm -v $(pwd):/src -w /src mcr.microsoft.com/azterraform:latest make pr-check

If you're using Windows, please run the following commands:

docker run --rm -v ${pwd}:/src -w /src mcr.microsoft.com/azterraform:latest make pre-commit
docker run --rm -v ${pwd}:/src -w /src mcr.microsoft.com/azterraform:latest make pr-check

Once the pr-check command returns with no error, you're good to commit.

id = var.log_analytics_workspace.id
name = var.log_analytics_workspace.name
}
) : null # Finally, the Log Analytics Workspace should be disabled.
lonegunmanb (Member)

Would an object with null fields be better (so the caller doesn't need to check whether this object is null)?

) : {
  id   = null
  name = null
}

gzur (Contributor, Author) Sep 29, 2022

But won't the caller just have to check whether local.log_analytics_workspace.id/name is null instead?

I feel that this breaks the Principle of Least Astonishment, since the module will have already decided that there is no log_analytics_workspace - based on the inputs.

In this scenario, I would not expect there to be an object of that type but with attributes as null.
I would expect the object itself to be null.

lonegunmanb (Member)

In Terraform, assigning null to an argument is the same as omitting the argument, so in some cases the caller doesn't need to check whether the log analytics workspace id is null: if the caller just assigns it to an optional argument, the null check can be skipped. I personally prefer this "null safe" style, but I think your point also makes sense. Please allow me to discuss it further with other people, thanks for your understanding.

gzur (Contributor, Author)

Did we reach a consensus on:

) : {
  id   = null
  name = null
}

vs.

) : null

?
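As an added example (not code from the module or from either participant), here is the local lonegunmanb proposed earlier in the thread, placed in the context it needs: the two variables it reads, the conditionally created workspace, and one consumer reading `.id` from it. It uses the object-with-null-fields shape debated in the comments above. `resource_group_name`, `location`, the wiring of `var.microsoft_defender_enabled` and the `example-*` names are assumptions for this example, and the `azurerm_kubernetes_cluster` block is trimmed to its required arguments.

```hcl
# Added example, not the module's own code. Names other than those quoted in
# the thread (resource_group_name, location, the "example-*" values) are
# constructed here.

variable "log_analytics_workspace_enabled" {
  description = "Whether a Log Analytics workspace is used at all."
  type        = bool
  default     = true
}

variable "log_analytics_workspace" {
  description = "A caller-supplied workspace; null means the module creates one."
  type = object({
    id   = string
    name = string
  })
  default = null
}

variable "microsoft_defender_enabled" {
  type    = bool
  default = false
}

variable "resource_group_name" { type = string }
variable "location" { type = string }

# The module-managed workspace exists only when workspaces are enabled
# and the caller did not bring their own.
resource "azurerm_log_analytics_workspace" "main" {
  count               = var.log_analytics_workspace_enabled && var.log_analytics_workspace == null ? 1 : 0
  name                = "example-law"
  location            = var.location
  resource_group_name = var.resource_group_name
  sku                 = "PerGB2018"
}

locals {
  # Always an object, so consumers can read .id and .name without a null
  # check; both fields are null when no workspace is in play. Only the
  # selected branch of each conditional is evaluated, so the [0] index and
  # the attribute access on a null variable never error.
  log_analytics_workspace = var.log_analytics_workspace_enabled ? (
    var.log_analytics_workspace == null ? {
      id   = azurerm_log_analytics_workspace.main[0].id
      name = azurerm_log_analytics_workspace.main[0].name
    } : {
      id   = var.log_analytics_workspace.id
      name = var.log_analytics_workspace.name
    }
  ) : {
    id   = null
    name = null
  }
}

resource "azurerm_kubernetes_cluster" "main" {
  name                = "example-aks"
  location            = var.location
  resource_group_name = var.resource_group_name
  dns_prefix          = "example-aks"

  default_node_pool {
    name       = "default"
    node_count = 1
    vm_size    = "Standard_D2_v2"
  }

  identity {
    type = "SystemAssigned"
  }

  # Defender is rendered only when requested; it reads the workspace id from
  # the local, which is the same whoever created the workspace.
  dynamic "microsoft_defender" {
    for_each = var.microsoft_defender_enabled ? ["microsoft_defender"] : []
    content {
      log_analytics_workspace_id = local.log_analytics_workspace.id
    }
  }
}

output "log_analytics_workspace_id" {
  # Null when log_analytics_workspace_enabled = false; no error, because the
  # local itself is never null.
  value = local.log_analytics_workspace.id
}
```

With `log_analytics_workspace_enabled = false` every consumer sees `null` for `.id` and `.name`: an optional argument simply goes unset, which is the null-safe property lonegunmanb describes, while a required one such as `microsoft_defender.log_analytics_workspace_id` fails at plan time with a missing-argument error rather than silently. The alternative `) : null` would make each consumer write `try(local.log_analytics_workspace.id, null)` or its own conditional, which is the trade-off the review comments weigh.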

github-actions (Contributor)

MAIN BRANCH PUSH DETECTED DUE TO #251, THIS PR NEED TO BE UPDATED TO TRIGGER CI.

It was only used in decision making and made little sense.
lonegunmanb (Member) left a comment

Please allow me to have some discussions with others on the null object issue. Thanks for your understanding.

lonegunmanb (Member) left a comment

Thanks @gzur for your update, I think we'll be ready to test this pr once we've rolled back the count expression for azurerm_log_analytics_solution to the original version and removed the tflint annotation. Thanks for your patience!

gzur (Contributor, Author) commented Sep 29, 2022

> Thanks @gzur for your update, I think we'll be ready to test this pr once we've rolled back the count expression for azurerm_log_analytics_solution to the original version and removed the tflint annotation. Thanks for your patience!

How about:

count = (local.create_analytics_workspace && var.log_analytics_solution_id == null) ? 1 : 0

so that we use our recently introduced control variable.

I feel that this preserves the original intent of var.log_analytics_solution_id while also making the module easier to reason about.

lonegunmanb (Member)

> How about:
>
> count = (local.create_analytics_workspace && var.log_analytics_solution_id == null) ? 1 : 0
>
> so that we use our recently introduced control variable.
>
> I feel that this preserves the original intent of var.log_analytics_solution_id while also making the module easier to reason about.

My apologies, it was midnight in my time zone. From Oct 1st to 7th it'll be a national holiday in China and I'll be on vacation, so I'd like to close all remaining pull requests before that; apparently I've made a mistake. It should be:

count = var.log_analytics_workspace_enabled && var.log_analytics_solution_id == null ? 1 : 0

I think you've just pointed out a blind point of mine, that is we need a new local named local.create_analytics_solution just like local.create_analytics_workspace. Then the count expression will be:

count = local.create_analytics_solution ? 1 : 0

This local.create_analytics_solution will be:

create_analytics_solution = var.log_analytics_workspace_enabled && var.log_analytics_solution_id == null

How does that sound?
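As an added example (not the module's or either participant's code), here are the two control locals named in the exchange above, `local.create_analytics_workspace` and `local.create_analytics_solution`, together with the `count` expressions that consume them and the solution's workspace references resolved against the same control. `resource_group_name`, `location`, the `ContainerInsights` plan values and the `example-*` names are assumptions for this example.

```hcl
# Added example, not the module's own code. resource_group_name, location and
# the "example-*" values are constructed here.

variable "log_analytics_workspace_enabled" {
  type    = bool
  default = true
}

variable "log_analytics_workspace" {
  type = object({
    id   = string
    name = string
  })
  default = null
}

variable "log_analytics_solution_id" {
  description = "An existing solution to use; null means the module creates one."
  type        = string
  default     = null
}

variable "resource_group_name" { type = string }
variable "location" { type = string }

locals {
  # Each decision is made once, here, instead of being re-derived in every
  # count expression that needs it.
  create_analytics_workspace = var.log_analytics_workspace_enabled && var.log_analytics_workspace == null
  create_analytics_solution  = var.log_analytics_workspace_enabled && var.log_analytics_solution_id == null
}

resource "azurerm_log_analytics_workspace" "main" {
  count               = local.create_analytics_workspace ? 1 : 0
  name                = "example-law"
  location            = var.location
  resource_group_name = var.resource_group_name
  sku                 = "PerGB2018"
}

resource "azurerm_log_analytics_solution" "main" {
  count               = local.create_analytics_solution ? 1 : 0
  solution_name       = "ContainerInsights"
  location            = var.location
  resource_group_name = var.resource_group_name

  # No null check needed: count is 1 only when workspaces are enabled, so
  # either this module created a workspace or the caller supplied one.
  workspace_resource_id = local.create_analytics_workspace ? azurerm_log_analytics_workspace.main[0].id : var.log_analytics_workspace.id
  workspace_name        = local.create_analytics_workspace ? azurerm_log_analytics_workspace.main[0].name : var.log_analytics_workspace.name

  plan {
    publisher = "Microsoft"
    product   = "OMSGallery/ContainerInsights"
  }
}

output "log_analytics_solution_id" {
  # Ours when we created it, otherwise whatever the caller passed (possibly null).
  value = local.create_analytics_solution ? azurerm_log_analytics_solution.main[0].id : var.log_analytics_solution_id
}
```

Naming each control local for the decision it encodes keeps the `count` lines trivially readable, and a later change to the rule (for instance the follow-up on `var.log_analytics_solution_id` mentioned below) touches one line in `locals` rather than every resource that depends on it.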

lonegunmanb (Member)

An update, I've opened a new issue #263 to improve this var.log_analytics_solution_id and I'll submit a new pr to improve that after we merge this one.

github-actions (Contributor)

MAIN BRANCH PUSH DETECTED DUE TO #, THIS PR NEED TO BE UPDATED TO TRIGGER CI.

github-actions (Contributor)

MAIN BRANCH PUSH DETECTED DUE TO #256, THIS PR NEED TO BE UPDATED TO TRIGGER CI.

github-actions (Contributor)

MAIN BRANCH PUSH DETECTED DUE TO #, THIS PR NEED TO BE UPDATED TO TRIGGER CI.

github-actions (Contributor)

MAIN BRANCH PUSH DETECTED DUE TO #248, THIS PR NEED TO BE UPDATED TO TRIGGER CI.

github-actions (Contributor)

MAIN BRANCH PUSH DETECTED DUE TO #, THIS PR NEED TO BE UPDATED TO TRIGGER CI.

gzur (Contributor, Author) commented Sep 30, 2022

> My apologies, it was midnight in my time zone. From Oct 1st to 7th it'll be a national holiday in China and I'll be on vacation, so I'd like to close all remaining pull requests before that, [...]

No worries. Let's see if we can't get it merged then :)

> [...] It should be:
>
> count = var.log_analytics_workspace_enabled && var.log_analytics_solution_id == null ? 1 : 0

I'm assuming you are referring to the azurerm_log_analytics_solution.main resource here - for which we are introducing the create_analytics_workspace control variable (per your suggestion above).

Right?

gzur (Contributor, Author) commented Sep 30, 2022

> [...]
> we need a new local named local.create_analytics_solution just like local.create_analytics_workspace.
> [...]
> How does that sound?

That sounds great. I'll put it in.

gzur (Contributor, Author) commented Sep 30, 2022

@lonegunmanb - Done

@gzur gzur temporarily deployed to acctests September 30, 2022 12:51 Inactive
lonegunmanb (Member) left a comment

Thanks @gzur , nice job and I cannot ask for more. It is the last pr we're going to merge for v6.1.0. LGTM!

Successfully merging this pull request may close these issues.

Unable to set log_analytics_workspace_enabled to false and supply my own log_analytics_workspace