Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support for AssessmentsSnapshot and SubAssessmentsSnapshot in azurerm_security_center_automation #18919

Open
1 task done
BasLangenberg opened this issue Oct 21, 2022 · 1 comment

Comments

@BasLangenberg
Copy link

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

We'd like to have support to add continuous exports from Defender for Cloud for the AssessmentSnapshot and SubAssessmentSnapshot type. I tried to implement this myself, but I was blocked by the azure-sdk-for-go module.

$ make
==> Checking that code complies with gofmt requirements...                                                                                                                                  
==> Checking that Custom Timeouts are used...                                                                                                                                               
==> Checking that acceptance test packages are used...                                                                                                                                      
go generate ./internal/services/...                                                                                                                                                         
go generate ./internal/provider/                                                                                                                                                            
# github.com/hashicorp/terraform-provider-azurerm/internal/services/securitycenter                                                                                                          
../services/securitycenter/security_center_automation_resource.go:137:25: undefined: security.EventSourceAssessmentsSnapshot                                                                
../services/securitycenter/security_center_automation_resource.go:145:25: undefined: 
security.EventSourceSubAssessmentsSnapshot                                                             internal/provider/services.go:114: running 
"go": exit status 2                                                                                                                              make: *** [GNUmakefile:49: 
generate] Error 1                                                                                                                                                zsh: exit 2     make                                                                                                                                                                        
$ go test internal/services/securitycenter/security_center_automation_resource_test.go                                                                                                      
# github.com/hashicorp/terraform-provider-azurerm/internal/services/securitycenter
internal/services/securitycenter/security_center_automation_resource.go:137:25: undefined: security.EventSourceAssessmentsSnapshot
internal/services/securitycenter/security_center_automation_resource.go:145:25: undefined: security.EventSourceSubAssessmentsSnapshot
FAIL    command-line-arguments [build failed]
FAIL

I've checked the upstream branch and could not find the references for these 2 types implemented there. I assume we need to get them to do the actual work, but I'm logging this issue with this repository anyway because I want to make sure I understand the issue correctly, and people here might have better ways to get this resolved in the azure sdk repo by regenerating the service files there using autorest. (Which I have never done)

New or Affected Resource(s)/Data Source(s)

azurerm_security_center_automation

Potential Terraform Configuration

resource "azurerm_security_center_automation" "security_center_automation" {
  name                = var.security_center_automation_name
  location            = data.azurerm_resource_group.security_center_automation_resource_group.location
  resource_group_name = data.azurerm_resource_group.security_center_automation_resource_group.name
  scopes              = ["/subscriptions/${var.security_center_automation_scope_subscription_id}"]
  action {
    type        = var.security_center_automation_action_type
    resource_id = data.azurerm_log_analytics_workspace.workspace.id
  }


  source {
    event_source = "Alerts"
    rule_set {
      rule {
        property_path  = "Severity"
        property_type  = "String"
        expected_value = "low"
        operator       = "Equals"
      }
      rule {
        property_path  = "Severity"
        property_type  = "String"
        expected_value = "medium"
        operator       = "Equals"
      }
      rule {
        property_path  = "Severity"
        property_type  = "String"
        expected_value = "high"
        operator       = "Equals"
      }
      rule {
        property_path  = "Severity"
        property_type  = "String"
        expected_value = "informational"
        operator       = "Equals"
      }
    }
  }

  source {
    event_source = "Assessments"
    rule_set {
      rule {
        property_path  = "type"
        property_type  = "String"
        expected_value = "Microsoft.Security/assessments"
        operator       = "Contains"
      }
    }
  }

  source {
    event_source = "AssessmentsSnapshot"
    rule_set {
      rule {
        property_path  = "type"
        property_type  = "String"
        expected_value = "Microsoft.Security/assessments"
        operator       = "Contains"
      }
    }
  }

  source {
    event_source = "SubAssessments"
  }


  source {
    event_source = "SubAssessmentsSnapshot"
  }

  source {
    event_source = "SecureScores"
  }

  source {
    event_source = "SecureScoresSnapshot"
  }

  source {
    event_source = "SecureScoreControls"
  }

  source {
    event_source = "SecureScoreControlsSnapshot"
  }

  source {
    event_source = "RegulatoryComplianceAssessment"
  }

  source {
    event_source = "RegulatoryComplianceAssessmentSnapshot"
  }

}

References

I noticed this PR containing the references was not merged.
https://github.com/Azure/azure-sdk-for-go/pull/17559/files#diff-6a6b4f45d5baa543d107ab6d37aa122b30c56dd06f97c1b35ec94340ddc98b07L4989

@BasLangenberg
Copy link
Author

Just for other people having the same problem an stumbling on this issue, we fixed it by using the AzApi module.

resource "azapi_resource" "continuous_export" {
  type      = "Microsoft.Security/automations@2019-01-01-preview"
  name      = "ExportToWorkspace"
  parent_id = data.azurerm_resource_group.security_center_automation_resource_group.id

  location = data.azurerm_resource_group.security_center_automation_resource_group.location
  body = jsonencode({
    properties = {
      description = "",
      isEnabled   = true,
      scopes = [
        {
          description = "Security Export for the subscription",
          scopePath   = data.azurerm_resource_group.security_center_automation_resource_group.id
        }
      ],
      sources = [
        {
          eventSource = "Assessments",
          ruleSets = [
            {
              rules = [
                {
                  propertyJPath = "type",
                  propertyType  = "String",
                  expectedValue = "Microsoft.Security/assessments",
                  operator      = "Contains"
                }
              ]
            }
          ]
        },
        {
          eventSource = "AssessmentsSnapshot",
          ruleSets = [
            {
              rules = [
                {
                  propertyJPath = "type",
                  propertyType  = "String",
                  expectedValue = "Microsoft.Security/assessments",
                  operator      = "Contains"
                }
              ]
            }
          ]
        },
        {
          eventSource = "SubAssessments"
        },
        {
          eventSource = "SubAssessmentsSnapshot"
        },
        {
          eventSource = "Alerts",
          ruleSets = [
            {
              rules = [
                {
                  propertyJPath = "Severity",
                  propertyType  = "String",
                  expectedValue = "low",
                  operator      = "Equals"
                }
              ]
            },
            {
              rules = [
                {
                  propertyJPath = "Severity",
                  propertyType  = "String",
                  expectedValue = "medium",
                  operator      = "Equals"
                }
              ]
            },
            {
              rules = [
                {
                  propertyJPath = "Severity",
                  propertyType  = "String",
                  expectedValue = "high",
                  operator      = "Equals"
                }
              ]
            },
            {
              rules = [
                {
                  propertyJPath = "Severity",
                  propertyType  = "String",
                  expectedValue = "informational",
                  operator      = "Equals"
                }
              ]
            }
          ]
        },
        {
          eventSource = "SecureScores"
        },
        {
          eventSource = "SecureScoresSnapshot"
        },
        {
          eventSource = "SecureScoreControls"
        },
        {
          eventSource = "SecureScoreControlsSnapshot"
        },
        {
          eventSource = "RegulatoryComplianceAssessment"
        },
        {
          eventSource = "RegulatoryComplianceAssessmentSnapshot"
        }
      ],
      actions = [
        {
          workspaceResourceId = data.azurerm_log_analytics_workspace.workspace.id
          actionType          = "Workspace"
        }
      ]
    }
  })
}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants