From f0582d1cdcadc2bb8971593ea80ecdeeae0aa792 Mon Sep 17 00:00:00 2001
From: shanoor <17402800+shanoor@users.noreply.github.com>
Date: Wed, 9 Oct 2024 10:47:30 +0200
Subject: [PATCH 01/11] added advanced_threat_protection and server_vulnerability_assessment
---
 modules/compute/virtual_machine/security.tf | 13 +++++++++++++
 .../advanced_threat_protection/main.tf | 4 ++++
 .../advanced_threat_protection/output.tf | 3 +++
 .../advanced_threat_protection/variables.tf | 4 ++++
 .../server_vulnerability_assessment/main.tf | 3 +++
 .../server_vulnerability_assessment/output.tf | 3 +++
 .../server_vulnerability_assessment/variables.tf | 1 +
 7 files changed, 31 insertions(+)
 create mode 100644 modules/compute/virtual_machine/security.tf
 create mode 100644 modules/security/security_center/advanced_threat_protection/main.tf
 create mode 100644 modules/security/security_center/advanced_threat_protection/output.tf
 create mode 100644 modules/security/security_center/advanced_threat_protection/variables.tf
 create mode 100644 modules/security/security_center/server_vulnerability_assessment/main.tf
 create mode 100644 modules/security/security_center/server_vulnerability_assessment/output.tf
 create mode 100644 modules/security/security_center/server_vulnerability_assessment/variables.tf
diff --git a/modules/compute/virtual_machine/security.tf b/modules/compute/virtual_machine/security.tf
new file mode 100644
index 0000000000..31bba5426c
--- /dev/null
+++ b/modules/compute/virtual_machine/security.tf
@@ -0,0 +1,13 @@
+module "vulnerability_assessment" {
+ for_each = var.settings.security.enable_vulnerability_assessment ? var.settings.virtual_machine_settings : {}
+
+ source = "../../security/security_center/server_vulnerability_assessment"
+ virtual_machine_id = try(azurerm_virtual_machine.vm.id, azurerm_windows_virtual_machine.vm.id, azurerm_linux_virtual_machine.vm.id)
+}
+
+
+module "advanced_threat_protection" {
+ source = "../../security/security_center/advanced_threat_protection"
+ resource_id = try(azurerm_virtual_machine.vm.id, azurerm_windows_virtual_machine.vm.id, azurerm_linux_virtual_machine.vm.id)
+ enabled = try(var.settings.security.enable_advanced_threat_protection, false)
+}
diff --git a/modules/security/security_center/advanced_threat_protection/main.tf b/modules/security/security_center/advanced_threat_protection/main.tf
new file mode 100644
index 0000000000..a457ff5285
--- /dev/null
+++ b/modules/security/security_center/advanced_threat_protection/main.tf
@@ -0,0 +1,4 @@
+resource "azurerm_advanced_threat_protection" "atp" {
+ target_resource_id = var.resource_id
+ enabled = var.enabled
+}
diff --git a/modules/security/security_center/advanced_threat_protection/output.tf b/modules/security/security_center/advanced_threat_protection/output.tf
new file mode 100644
index 0000000000..9f3b0b95d6
--- /dev/null
+++ b/modules/security/security_center/advanced_threat_protection/output.tf
@@ -0,0 +1,3 @@
+output "vulnerability_assessment_resource_id" {
+ value = azurerm_advanced_threat_protection.atp.id
+}
diff --git a/modules/security/security_center/advanced_threat_protection/variables.tf b/modules/security/security_center/advanced_threat_protection/variables.tf
new file mode 100644
index 0000000000..60674ba7c8
--- /dev/null
+++ b/modules/security/security_center/advanced_threat_protection/variables.tf
@@ -0,0 +1,4 @@
+variable "resource_id" {}
+variable "enabled" {
+ default = true
+}
diff --git a/modules/security/security_center/server_vulnerability_assessment/main.tf b/modules/security/security_center/server_vulnerability_assessment/main.tf
new file mode 100644
index 0000000000..a83057732f
--- /dev/null
+++ b/modules/security/security_center/server_vulnerability_assessment/main.tf
@@ -0,0 +1,3 @@
+resource "azurerm_security_center_server_vulnerability_assessment_virtual_machine" "vuln" {
+ virtual_machine_id = var.virtual_machine_id
+}
diff --git a/modules/security/security_center/server_vulnerability_assessment/output.tf b/modules/security/security_center/server_vulnerability_assessment/output.tf
new file mode 100644
index 0000000000..501cd67758
--- /dev/null
+++ b/modules/security/security_center/server_vulnerability_assessment/output.tf
@@ -0,0 +1,3 @@
+output "vulnerability_assessment_resource_id" {
+ value = azurerm_security_center_server_vulnerability_assessment_virtual_machine.vuln.id
+}
diff --git a/modules/security/security_center/server_vulnerability_assessment/variables.tf b/modules/security/security_center/server_vulnerability_assessment/variables.tf
new file mode 100644
index 0000000000..46d2f89647
--- /dev/null
+++ b/modules/security/security_center/server_vulnerability_assessment/variables.tf
@@ -0,0 +1 @@
+variable "virtual_machine_id" {}
From c84fdf452b0ab4985e47794fc2701394cd14a152 Mon Sep 17 00:00:00 2001
From: shanoor <17402800+shanoor@users.noreply.github.com>
Date: Wed, 9 Oct 2024 10:57:27 +0200
Subject: [PATCH 02/11] update
---
 modules/compute/virtual_machine/security.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/compute/virtual_machine/security.tf b/modules/compute/virtual_machine/security.tf
index 31bba5426c..788dc5772d 100644
--- a/modules/compute/virtual_machine/security.tf
+++ b/modules/compute/virtual_machine/security.tf
@@ -2,12 +2,12 @@ module "vulnerability_assessment" {
 for_each = var.settings.security.enable_vulnerability_assessment ? var.settings.virtual_machine_settings : {}

 source = "../../security/security_center/server_vulnerability_assessment"
- virtual_machine_id = try(azurerm_virtual_machine.vm.id, azurerm_windows_virtual_machine.vm.id, azurerm_linux_virtual_machine.vm.id)
+ virtual_machine_id = try(azurerm_linux_virtual_machine.vm["linux"].id, azurerm_windows_virtual_machine.vm["windows"].id)
 }


 module "advanced_threat_protection" {
 source = "../../security/security_center/advanced_threat_protection"
- resource_id = try(azurerm_virtual_machine.vm.id, azurerm_windows_virtual_machine.vm.id, azurerm_linux_virtual_machine.vm.id)
+ resource_id = try(azurerm_linux_virtual_machine.vm["linux"].id, azurerm_windows_virtual_machine.vm["windows"].id)
 enabled = try(var.settings.security.enable_advanced_threat_protection, false)
 }
From 51ed13675201695a0bb09cf9a844a4624defc445 Mon Sep 17 00:00:00 2001
From: shanoor <17402800+shanoor@users.noreply.github.com>
Date: Wed, 9 Oct 2024 12:03:22 +0200
Subject: [PATCH 03/11] update
---
 locals.tf | 45 ++++++++++---------
 modules/compute/virtual_machine/security.tf | 13 ------
 .../subscription_pricing/main.tf | 27 +++++++++++
 .../subscription_pricing/output.tf | 3 ++
 .../subscription_pricing/variables.tf | 5 +++
 security_center_subscription_pricing.tf | 8 ++++
 6 files changed, 66 insertions(+), 35 deletions(-)
 delete mode 100644 modules/compute/virtual_machine/security.tf
 create mode 100644 modules/security/security_center/subscription_pricing/main.tf
 create mode 100644 modules/security/security_center/subscription_pricing/output.tf
 create mode 100644 modules/security/security_center/subscription_pricing/variables.tf
 create mode 100644 security_center_subscription_pricing.tf
diff --git a/locals.tf b/locals.tf
index 4c0d9c402c..123f3aeeff 100644
--- a/locals.tf
+++ b/locals.tf
@@ -355,28 +355,29 @@ locals {
 object_id = coalesce(var.logged_user_objectId, var.logged_aad_app_objectId, try(data.azuread_client_config.current.object_id, null), try(data.azuread_service_principal.logged_in_app[0].object_id, null))
 security = {
- disk_encryption_sets = try(var.security.disk_encryption_sets, {})
- dynamic_keyvault_secrets = try(var.security.dynamic_keyvault_secrets, {})
- keyvault_certificate_issuers = try(var.security.keyvault_certificate_issuers, {})
- keyvault_certificate_requests = try(var.security.keyvault_certificate_requests, {})
- keyvault_certificates = try(var.security.keyvault_certificates, {})
- keyvault_keys = try(var.security.keyvault_keys, {})
- lighthouse_definitions = try(var.security.lighthouse_definitions, {})
- sentinel_automation_rules = try(var.security.sentinel_automation_rules, {})
- sentinel_watchlists = try(var.security.sentinel_watchlists, {})
- sentinel_watchlist_items = try(var.security.sentinel_watchlist_items, {})
- sentinel_ar_fusions = try(var.security.sentinel_ar_fusions, {})
- sentinel_ar_ml_behavior_analytics = try(var.security.sentinel_ar_ml_behavior_analytics, {})
- sentinel_ar_ms_security_incidents = try(var.security.sentinel_ar_ms_security_incidents, {})
- sentinel_ar_scheduled = try(var.security.sentinel_ar_scheduled, {})
- sentinel_dc_aad = try(var.security.sentinel_dc_aad, {})
- sentinel_dc_app_security = try(var.security.sentinel_dc_app_security, {})
- sentinel_dc_aws = try(var.security.sentinel_dc_aws, {})
- sentinel_dc_azure_threat_protection = try(var.security.sentinel_dc_azure_threat_protection, {})
- sentinel_dc_ms_threat_protection = try(var.security.sentinel_dc_ms_threat_protection, {})
- sentinel_dc_office_365 = try(var.security.sentinel_dc_office_365, {})
- sentinel_dc_security_center = try(var.security.sentinel_dc_security_center, {})
- sentinel_dc_threat_intelligence = try(var.security.sentinel_dc_threat_intelligence, {})
+ disk_encryption_sets = try(var.security.disk_encryption_sets, {})
+ dynamic_keyvault_secrets = try(var.security.dynamic_keyvault_secrets, {})
+ keyvault_certificate_issuers = try(var.security.keyvault_certificate_issuers, {})
+ keyvault_certificate_requests = try(var.security.keyvault_certificate_requests, {})
+ keyvault_certificates = try(var.security.keyvault_certificates, {})
+ keyvault_keys = try(var.security.keyvault_keys, {})
+ lighthouse_definitions = try(var.security.lighthouse_definitions, {})
+ security_center_subscription_pricings = try(var.security.security_center_subscription_pricings, {})
+ sentinel_automation_rules = try(var.security.sentinel_automation_rules, {})
+ sentinel_watchlists = try(var.security.sentinel_watchlists, {})
+ sentinel_watchlist_items = try(var.security.sentinel_watchlist_items, {})
+ sentinel_ar_fusions = try(var.security.sentinel_ar_fusions, {})
+ sentinel_ar_ml_behavior_analytics = try(var.security.sentinel_ar_ml_behavior_analytics, {})
+ sentinel_ar_ms_security_incidents = try(var.security.sentinel_ar_ms_security_incidents, {})
+ sentinel_ar_scheduled = try(var.security.sentinel_ar_scheduled, {})
+ sentinel_dc_aad = try(var.security.sentinel_dc_aad, {})
+ sentinel_dc_app_security = try(var.security.sentinel_dc_app_security, {})
+ sentinel_dc_aws = try(var.security.sentinel_dc_aws, {})
+ sentinel_dc_azure_threat_protection = try(var.security.sentinel_dc_azure_threat_protection, {})
+ sentinel_dc_ms_threat_protection = try(var.security.sentinel_dc_ms_threat_protection, {})
+ sentinel_dc_office_365 = try(var.security.sentinel_dc_office_365, {})
+ sentinel_dc_security_center = try(var.security.sentinel_dc_security_center, {})
+ sentinel_dc_threat_intelligence = try(var.security.sentinel_dc_threat_intelligence, {})
 }
 shared_services = {
diff --git a/modules/compute/virtual_machine/security.tf b/modules/compute/virtual_machine/security.tf
deleted file mode 100644
index 788dc5772d..0000000000
--- a/modules/compute/virtual_machine/security.tf
+++ /dev/null
@@ -1,13 +0,0 @@
-module "vulnerability_assessment" {
- for_each = var.settings.security.enable_vulnerability_assessment ? var.settings.virtual_machine_settings : {}
-
- source = "../../security/security_center/server_vulnerability_assessment"
- virtual_machine_id = try(azurerm_linux_virtual_machine.vm["linux"].id, azurerm_windows_virtual_machine.vm["windows"].id)
-}
-
-
-module "advanced_threat_protection" {
- source = "../../security/security_center/advanced_threat_protection"
- resource_id = try(azurerm_linux_virtual_machine.vm["linux"].id, azurerm_windows_virtual_machine.vm["windows"].id)
- enabled = try(var.settings.security.enable_advanced_threat_protection, false)
-}
diff --git a/modules/security/security_center/subscription_pricing/main.tf b/modules/security/security_center/subscription_pricing/main.tf
new file mode 100644
index 0000000000..97504f3b73
--- /dev/null
+++ b/modules/security/security_center/subscription_pricing/main.tf
@@ -0,0 +1,27 @@
+resource "azurerm_security_center_subscription_pricing" "pricing" {
+ tier = var.tier
+ resource_type = var.resource_type
+ # Api
+ # AppServices
+ # Arm
+ # CloudPosture
+ # ContainerRegistry
+ # Containers
+ # CosmosDbs
+ # Dns
+ # KeyVaults
+ # KubernetesService
+ # OpenSourceRelationalDatabases
+ # SqlServers
+ # SqlServerVirtualMachines
+ # StorageAccounts
+ # VirtualMachines
+
+ dynamic "extension" {
+ for_each = coalesce(var.extensions, {})
+ content {
+ name = each.value.name
+ additional_extension_properties = try(each.value.additional_extension_properties, null)
+ }
+ }
+}
diff --git a/modules/security/security_center/subscription_pricing/output.tf b/modules/security/security_center/subscription_pricing/output.tf
new file mode 100644
index 0000000000..501cd67758
--- /dev/null
+++ b/modules/security/security_center/subscription_pricing/output.tf
@@ -0,0 +1,3 @@
+output "vulnerability_assessment_resource_id" {
+ value = azurerm_security_center_server_vulnerability_assessment_virtual_machine.vuln.id
+}
diff --git a/modules/security/security_center/subscription_pricing/variables.tf b/modules/security/security_center/subscription_pricing/variables.tf
new file mode 100644
index 0000000000..e7fe4f5c01
--- /dev/null
+++ b/modules/security/security_center/subscription_pricing/variables.tf
@@ -0,0 +1,5 @@
+variable "tier" {}
+variable "resource_type" {}
+variable "extensions" {
+ default = null
+}
diff --git a/security_center_subscription_pricing.tf b/security_center_subscription_pricing.tf
new file mode 100644
index 0000000000..d732e31a43
--- /dev/null
+++ b/security_center_subscription_pricing.tf
@@ -0,0 +1,8 @@
+module "sentinel_automation_rules" {
+ source = "./modules/security/security_center/subscription_pricing"
+ for_each = try(local.security.security_center_subscription_pricings, {})
+
+ tier = each.value.tier
+ resource_type = each.value.resource_type
+ extensions = try(each.value.extensions, null)
+}
From 8a08021e4309253a7fcd386f9600fc476c42c769 Mon Sep 17 00:00:00 2001
From: shanoor <17402800+shanoor@users.noreply.github.com>
Date: Wed, 9 Oct 2024 12:04:41 +0200
Subject: [PATCH 04/11] fix
---
 security_center_subscription_pricing.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security_center_subscription_pricing.tf b/security_center_subscription_pricing.tf
index d732e31a43..344681b33c 100644
--- a/security_center_subscription_pricing.tf
+++ b/security_center_subscription_pricing.tf
@@ -1,4 +1,4 @@
-module "sentinel_automation_rules" {
+module "security_center_subscription_pricings" {
 source = "./modules/security/security_center/subscription_pricing"
 for_each = try(local.security.security_center_subscription_pricings, {})

From 164b9e2ed1694d3ded215149585eec3bae901fd4 Mon Sep 17 00:00:00 2001
From: shanoor <17402800+shanoor@users.noreply.github.com>
Date: Wed, 9 Oct 2024 12:07:43 +0200
Subject: [PATCH 05/11] fix
---
 .../security/security_center/subscription_pricing/output.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
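Review bot: The `for_each = try(local.security.security_center_subscription_pricings, {})` on the new root module keys instances by whatever label the caller chooses, but `azurerm_security_center_subscription_pricing` is subscription-scoped and, as far as I can tell from its scope, unique per `resource_type`, so two entries with the same `resource_type` would yield two module instances managing the same Defender plan and overwriting each other's `tier`/`subplan`/`extension` on every apply. Keying the map by the Azure identity makes that a hard plan-time error (duplicate object key) instead of silent drift: `for_each = { for k, v in try(local.security.security_center_subscription_pricings, {}) : v.resource_type => v }`. If the caller-chosen keys are wanted as instance addresses, the alternative is a root `check` block asserting `distinct` resource types, bearing in mind that check failures only surface as warnings.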
diff --git a/modules/security/security_center/subscription_pricing/output.tf b/modules/security/security_center/subscription_pricing/output.tf
index 501cd67758..073a45f3a5 100644
--- a/modules/security/security_center/subscription_pricing/output.tf
+++ b/modules/security/security_center/subscription_pricing/output.tf
@@ -1,3 +1,3 @@
-output "vulnerability_assessment_resource_id" {
- value = azurerm_security_center_server_vulnerability_assessment_virtual_machine.vuln.id
+output "id" {
+ value = azurerm_security_center_subscription_pricing.pricing.id
 }
From 2236e358885bf08a1f19d286cd8c3d0468b8df58 Mon Sep 17 00:00:00 2001
From: shanoor <17402800+shanoor@users.noreply.github.com>
Date: Wed, 9 Oct 2024 14:49:22 +0200
Subject: [PATCH 06/11] fix
---
 .../security/security_center/subscription_pricing/main.tf | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/modules/security/security_center/subscription_pricing/main.tf b/modules/security/security_center/subscription_pricing/main.tf
index 97504f3b73..6a05c9b0cc 100644
--- a/modules/security/security_center/subscription_pricing/main.tf
+++ b/modules/security/security_center/subscription_pricing/main.tf
@@ -17,11 +17,12 @@ resource "azurerm_security_center_subscription_pricing" "pricing" {
 # StorageAccounts
 # VirtualMachines

+ # extensions list : https://learn.microsoft.com/en-us/rest/api/defenderforcloud/pricings/get?view=rest-defenderforcloud-2024-01-01&tabs=HTTP#extension
 dynamic "extension" {
 for_each = coalesce(var.extensions, {})
 content {
- name = each.value.name
- additional_extension_properties = try(each.value.additional_extension_properties, null)
+ name = extension.name
+ additional_extension_properties = try(extension.additional_extension_properties, null)
 }
 }
 }
From ef35e879aec07e8cc526cc3125bc2dbb2793d9fa Mon Sep 17 00:00:00 2001
From: shanoor <17402800+shanoor@users.noreply.github.com>
Date: Wed, 9 Oct 2024 15:14:54 +0200
Subject: [PATCH 07/11] fix
---
 modules/security/security_center/subscription_pricing/main.tf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/security/security_center/subscription_pricing/main.tf b/modules/security/security_center/subscription_pricing/main.tf
index 6a05c9b0cc..d30a0e227f 100644
--- a/modules/security/security_center/subscription_pricing/main.tf
+++ b/modules/security/security_center/subscription_pricing/main.tf
@@ -21,8 +21,8 @@ resource "azurerm_security_center_subscription_pricing" "pricing" {
 dynamic "extension" {
 for_each = coalesce(var.extensions, {})
 content {
- name = extension.name
- additional_extension_properties = try(extension.additional_extension_properties, null)
+ name = extension.value.name
+ additional_extension_properties = try(extension.value.additional_extension_properties, null)
 }
 }
 }
From c522885a215e19ca0f81cf8cfbea98e31ae9ea52 Mon Sep 17 00:00:00 2001
From: shanoor <17402800+shanoor@users.noreply.github.com>
Date: Wed, 9 Oct 2024 15:55:57 +0200
Subject: [PATCH 08/11] fix
---
 modules/security/security_center/subscription_pricing/main.tf | 1 +
 .../security/security_center/subscription_pricing/variables.tf | 1 +
 security_center_subscription_pricing.tf | 1 +
 3 files changed, 3 insertions(+)
diff --git a/modules/security/security_center/subscription_pricing/main.tf b/modules/security/security_center/subscription_pricing/main.tf
index d30a0e227f..aba7277404 100644
--- a/modules/security/security_center/subscription_pricing/main.tf
+++ b/modules/security/security_center/subscription_pricing/main.tf
@@ -1,5 +1,6 @@
 resource "azurerm_security_center_subscription_pricing" "pricing" {
 tier = var.tier
+ subplan = try(var.subplan, null)
 resource_type = var.resource_type
 # Api
 # AppServices
diff --git a/modules/security/security_center/subscription_pricing/variables.tf b/modules/security/security_center/subscription_pricing/variables.tf
index e7fe4f5c01..36b211d5cb 100644
--- a/modules/security/security_center/subscription_pricing/variables.tf
+++ b/modules/security/security_center/subscription_pricing/variables.tf
@@ -1,4 +1,5 @@
 variable "tier" {}
+variable "subplan" {}
 variable "resource_type" {}
 variable "extensions" {
 default = null
diff --git a/security_center_subscription_pricing.tf b/security_center_subscription_pricing.tf
index 344681b33c..71c5cf4e93 100644
--- a/security_center_subscription_pricing.tf
+++ b/security_center_subscription_pricing.tf
@@ -3,6 +3,7 @@ module "security_center_subscription_pricings" {
 for_each = try(local.security.security_center_subscription_pricings, {})

 tier = each.value.tier
+ subplan = each.value.subplan
 resource_type = each.value.resource_type
 extensions = try(each.value.extensions, null)
 }
From 446a4faafa99a024965ba85ca143a8954be8e167 Mon Sep 17 00:00:00 2001
From: shanoor <17402800+shanoor@users.noreply.github.com>
Date: Wed, 9 Oct 2024 17:02:51 +0200
Subject: [PATCH 09/11] fix
---
 security_center_subscription_pricing.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security_center_subscription_pricing.tf b/security_center_subscription_pricing.tf
index 71c5cf4e93..8ede861f0e 100644
--- a/security_center_subscription_pricing.tf
+++ b/security_center_subscription_pricing.tf
@@ -3,7 +3,7 @@ module "security_center_subscription_pricings" {
 for_each = try(local.security.security_center_subscription_pricings, {})

 tier = each.value.tier
- subplan = each.value.subplan
+ subplan = try(each.value.subplan, null)
 resource_type = each.value.resource_type
 extensions = try(each.value.extensions, null)
 }
From 4e8ee5a2ecbde04c082111692dd82f7dea0cc35d Mon Sep 17 00:00:00 2001
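Review bot: `variable "subplan" {}` in the variables.tf hunk declares a required, untyped input, while the root call (patch 09, further down this line) ends up passing `try(each.value.subplan, null)`, so the only way to configure a plan without a subplan is to hand an explicit null to a required variable; that works only because `nullable` defaults to true and reads as an accident rather than a contract. Declaring the optional-ness makes it explicit and lets other callers omit the argument altogether: `variable "subplan" { default = null }` with `type = string` alongside it, since `subplan` is a free-form string the provider validates per `resource_type`. With a default in place, the `subplan = try(var.subplan, null)` added to main.tf in patch 08 reduces to `subplan = var.subplan`, because a declared variable never raises inside `try`. The same `type = string` treatment would suit `tier` and `resource_type`, which are likewise untyped.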
From: shanoor <17402800+shanoor@users.noreply.github.com>
Date: Fri, 11 Oct 2024 09:25:47 +0200
Subject: [PATCH 10/11] fix
---
 .../security_center/advanced_threat_protection/main.tf | 4 ----
 .../security_center/advanced_threat_protection/output.tf | 3 ---
 .../security_center/advanced_threat_protection/variables.tf | 4 ----
 .../security_center/server_vulnerability_assessment/main.tf | 3 ---
 .../security_center/server_vulnerability_assessment/output.tf | 3 ---
 .../server_vulnerability_assessment/variables.tf | 1 -
 6 files changed, 18 deletions(-)
 delete mode 100644 modules/security/security_center/advanced_threat_protection/main.tf
 delete mode 100644 modules/security/security_center/advanced_threat_protection/output.tf
 delete mode 100644 modules/security/security_center/advanced_threat_protection/variables.tf
 delete mode 100644 modules/security/security_center/server_vulnerability_assessment/main.tf
 delete mode 100644 modules/security/security_center/server_vulnerability_assessment/output.tf
 delete mode 100644 modules/security/security_center/server_vulnerability_assessment/variables.tf
diff --git a/modules/security/security_center/advanced_threat_protection/main.tf b/modules/security/security_center/advanced_threat_protection/main.tf
deleted file mode 100644
index a457ff5285..0000000000
--- a/modules/security/security_center/advanced_threat_protection/main.tf
+++ /dev/null
@@ -1,4 +0,0 @@
-resource "azurerm_advanced_threat_protection" "atp" {
- target_resource_id = var.resource_id
- enabled = var.enabled
-}
diff --git a/modules/security/security_center/advanced_threat_protection/output.tf b/modules/security/security_center/advanced_threat_protection/output.tf
deleted file mode 100644
index 9f3b0b95d6..0000000000
--- a/modules/security/security_center/advanced_threat_protection/output.tf
+++ /dev/null
@@ -1,3 +0,0 @@
-output "vulnerability_assessment_resource_id" {
- value = azurerm_advanced_threat_protection.atp.id
-}
diff --git a/modules/security/security_center/advanced_threat_protection/variables.tf b/modules/security/security_center/advanced_threat_protection/variables.tf
deleted file mode 100644
index 60674ba7c8..0000000000
--- a/modules/security/security_center/advanced_threat_protection/variables.tf
+++ /dev/null
@@ -1,4 +0,0 @@
-variable "resource_id" {}
-variable "enabled" {
- default = true
-}
diff --git a/modules/security/security_center/server_vulnerability_assessment/main.tf b/modules/security/security_center/server_vulnerability_assessment/main.tf
deleted file mode 100644
index a83057732f..0000000000
--- a/modules/security/security_center/server_vulnerability_assessment/main.tf
+++ /dev/null
@@ -1,3 +0,0 @@
-resource "azurerm_security_center_server_vulnerability_assessment_virtual_machine" "vuln" {
- virtual_machine_id = var.virtual_machine_id
-}
diff --git a/modules/security/security_center/server_vulnerability_assessment/output.tf b/modules/security/security_center/server_vulnerability_assessment/output.tf
deleted file mode 100644
index 501cd67758..0000000000
--- a/modules/security/security_center/server_vulnerability_assessment/output.tf
+++ /dev/null
@@ -1,3 +0,0 @@
-output "vulnerability_assessment_resource_id" {
- value = azurerm_security_center_server_vulnerability_assessment_virtual_machine.vuln.id
-}
diff --git a/modules/security/security_center/server_vulnerability_assessment/variables.tf b/modules/security/security_center/server_vulnerability_assessment/variables.tf
deleted file mode 100644
index 46d2f89647..0000000000
--- a/modules/security/security_center/server_vulnerability_assessment/variables.tf
+++ /dev/null
@@ -1 +0,0 @@
-variable "virtual_machine_id" {}
From 001d61363a03c7c0931601c41d1ceacb15135af0 Mon Sep 17 00:00:00 2001
From: shanoor <17402800+shanoor@users.noreply.github.com>
Date: Fri, 11 Oct 2024 10:17:01 +0200
Subject: [PATCH 11/11] added example
---
 .github/workflows/standalone-scenarios.json | 1 +
 .../configuration.tfvars | 22 +++++++++++++++++++
 .../subscription_pricing/main.tf | 22 +++++-------------
 3 files changed, 28 insertions(+), 17 deletions(-)
 create mode 100644 examples/security_center/101-subscription_pricing/configuration.tfvars
diff --git a/.github/workflows/standalone-scenarios.json b/.github/workflows/standalone-scenarios.json
index e455ea1396..35fe46ece4 100644
--- a/.github/workflows/standalone-scenarios.json
+++ b/.github/workflows/standalone-scenarios.json
@@ -110,6 +110,7 @@
 "search_service/100-search-service-both-apikeys-and-azuread",
 "search_service/101-search-service-only-api-keys",
 "search_service/102-search-service-only-azuread",
+ "security_center/101-subscription_pricing",
 "sentinel/101-automation_rule",
 "sentinel/104-ar_fusion",
 "sentinel/105-ar_ml_behavior_analytics",
diff --git a/examples/security_center/101-subscription_pricing/configuration.tfvars b/examples/security_center/101-subscription_pricing/configuration.tfvars
new file mode 100644
index 0000000000..12c8f4e46f
--- /dev/null
+++ b/examples/security_center/101-subscription_pricing/configuration.tfvars
@@ -0,0 +1,22 @@
+security = {
+ security_center_subscription_pricings = {
+ vm = {
+ # Free or Standard
+ tier = "Standard"
+ # Depends on the resource_type
+ subplan = "P2"
+ # can be one of: Api, AppServices, Arm, CloudPosture, ContainerRegistry, Containers, CosmosDbs, Dns, KeyVaults, KubernetesService, OpenSourceRelationalDatabases, SqlServers, SqlServerVirtualMachines, StorageAccounts, VirtualMachines
+ resource_type = "VirtualMachines"
+ # extensions list : https://learn.microsoft.com/en-us/rest/api/defenderforcloud/pricings/get?view=rest-defenderforcloud-2024-01-01&tabs=HTTP#extension
+ extensions = {
+ agent_less_scan = {
+ name = "AgentlessVmScanning"
+ }
+ }
+ }
+ kv = {
+ tier = "Standard"
+ resource_type = "KeyVaults"
+ }
+ }
+}
diff --git a/modules/security/security_center/subscription_pricing/main.tf b/modules/security/security_center/subscription_pricing/main.tf
index aba7277404..6e5be2718f 100644
--- a/modules/security/security_center/subscription_pricing/main.tf
+++ b/modules/security/security_center/subscription_pricing/main.tf
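Review bot: The example documents each field but not the operational consequence of removing one of these entries: destroying an `azurerm_security_center_subscription_pricing` does not leave the subscription untouched — per the azurerm provider documentation as I recall it, the delete path resets that `resource_type` to the Free tier, so simply dropping the `kv` block from this tfvars turns Defender for Key Vault off for the entire subscription on the next apply. Because a reader copies examples, that belongs in a comment above `security_center_subscription_pricings = {`, e.g. `# Subscription-wide settings: removing an entry (or destroying the module) resets that resource_type's Defender plan to Free.`. Setting `tier = "Free"` explicitly is the same downgrade and deserves the same care in review.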
@@ -1,22 +1,10 @@
 resource "azurerm_security_center_subscription_pricing" "pricing" {
- tier = var.tier
- subplan = try(var.subplan, null)
+ # Free or Standard
+ tier = var.tier
+ # Depends on the resource_type
+ subplan = try(var.subplan, null)
+ # can be one of: Api, AppServices, Arm, CloudPosture, ContainerRegistry, Containers, CosmosDbs, Dns, KeyVaults, KubernetesService, OpenSourceRelationalDatabases, SqlServers, SqlServerVirtualMachines, StorageAccounts, VirtualMachines
 resource_type = var.resource_type
- # Api
- # AppServices
- # Arm
- # CloudPosture
- # ContainerRegistry
- # Containers
- # CosmosDbs
- # Dns
- # KeyVaults
- # KubernetesService
- # OpenSourceRelationalDatabases
- # SqlServers
- # SqlServerVirtualMachines
- # StorageAccounts
- # VirtualMachines

 # extensions list : https://learn.microsoft.com/en-us/rest/api/defenderforcloud/pricings/get?view=rest-defenderforcloud-2024-01-01&tabs=HTTP#extension
 dynamic "extension" {
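Review bot: The allowed-value lists this hunk places in comments above `tier` and `resource_type` are advisory only; the module's inputs stay unconstrained and the provider's own schema validation is the sole guard, so the error a caller sees names the provider attribute rather than the module input, and the comment is the only place the contract is visible. Since the valid sets are already spelled out here, a `validation` block on each variable in variables.tf turns the comment into the contract, e.g. `condition = contains(["Free", "Standard"], var.tier)` with an `error_message` naming the module input; the `resource_type` list in the comment is a snapshot of the API and will need updating as Defender plans are added, which is another reason to keep it in one validated place. The `resource` block continues past the end of this hunk.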