new resource: azurerm_advanced_threat_protection (#4848)

Moves storage ATP into its own resource. Also will work for cosmos fixing #4614
hashicorp · Dec 18, 2019 · 2b6e03f · 2b6e03f
1 parent 07c5fd5
commit 2b6e03f
Show file tree

Hide file tree

Showing 9 changed files with 552 additions and 5 deletions.
diff --git a/azurerm/helpers/azure/resourceid.go b/azurerm/helpers/azure/resourceid.go
@@ -61,7 +61,7 @@ func ParseAzureResourceID(id string) (*ResourceID, error) {
 		}
 	}
 
-	// Build up a ResourceID from the map
+	// Build up a TargetResourceID from the map
 	idObj := &ResourceID{}
 	idObj.Path = componentMap
 

diff --git a/azurerm/internal/services/securitycenter/advanced_threat_protection.go b/azurerm/internal/services/securitycenter/advanced_threat_protection.go
@@ -0,0 +1,31 @@
+package securitycenter
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/helpers/azure"
+)
+
+type AdvancedThreatProtectionResourceID struct {
+	Base azure.ResourceID
+
+	TargetResourceID string
+}
+
+func ParseAdvancedThreatProtectionID(input string) (*AdvancedThreatProtectionResourceID, error) {
+	id, err := azure.ParseAzureResourceID(input)
+	if err != nil {
+		return nil, fmt.Errorf("[ERROR] Unable to parse Advanced Threat Protection Set ID %q: %+v", input, err)
+	}
+
+	parts := strings.Split(input, "/providers/Microsoft.Security/advancedThreatProtectionSettings/")
+	if len(parts) != 2 {
+		return nil, fmt.Errorf("Error determining target resource ID, resource ID in unexpected format: %q", id)
+	}
+
+	return &AdvancedThreatProtectionResourceID{
+		Base:             *id,
+		TargetResourceID: parts[0],
+	}, nil
+}
diff --git a/azurerm/provider.go b/azurerm/provider.go
@@ -159,6 +159,7 @@ func Provider() terraform.ResourceProvider {
 	}
 
 	resources := map[string]*schema.Resource{
+		"azurerm_advanced_threat_protection":                            resourceArmAdvancedThreatProtection(),
 		"azurerm_analysis_services_server":                              resourceArmAnalysisServicesServer(),
 		"azurerm_api_management":                                        resourceArmApiManagementService(),
 		"azurerm_api_management_api":                                    resourceArmApiManagementApi(),

diff --git a/azurerm/resource_arm_advanced_threat_protection.go b/azurerm/resource_arm_advanced_threat_protection.go
@@ -0,0 +1,142 @@
+package azurerm
+
+import (
+	"fmt"
+	"log"
+	"time"
+
+	"github.com/Azure/azure-sdk-for-go/services/preview/security/mgmt/v1.0/security"
+	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/helpers/azure"
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/helpers/tf"
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/features"
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/services/securitycenter"
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/timeouts"
+	"github.com/terraform-providers/terraform-provider-azurerm/azurerm/utils"
+)
+
+func resourceArmAdvancedThreatProtection() *schema.Resource {
+	return &schema.Resource{
+		Create: resourceArmAdvancedThreatProtectionCreateUpdate,
+		Read:   resourceArmAdvancedThreatProtectionRead,
+		Update: resourceArmAdvancedThreatProtectionCreateUpdate,
+		Delete: resourceArmAdvancedThreatProtectionDelete,
+
+		Importer: &schema.ResourceImporter{
+			State: schema.ImportStatePassthrough,
+		},
+
+		Timeouts: &schema.ResourceTimeout{
+			Create: schema.DefaultTimeout(30 * time.Minute),
+			Read:   schema.DefaultTimeout(5 * time.Minute),
+			Update: schema.DefaultTimeout(30 * time.Minute),
+			Delete: schema.DefaultTimeout(30 * time.Minute),
+		},
+
+		Schema: map[string]*schema.Schema{
+			"target_resource_id": {
+				Type:         schema.TypeString,
+				Required:     true,
+				ForceNew:     true,
+				ValidateFunc: azure.ValidateResourceID,
+			},
+
+			"enabled": {
+				Type:     schema.TypeBool,
+				Required: true,
+			},
+		},
+	}
+}
+
+func resourceArmAdvancedThreatProtectionCreateUpdate(d *schema.ResourceData, meta interface{}) error {
+	client := meta.(*ArmClient).SecurityCenter.AdvancedThreatProtectionClient
+	ctx, cancel := timeouts.ForCreateUpdate(meta.(*ArmClient).StopContext, d)
+	defer cancel()
+
+	resourceID := d.Get("target_resource_id").(string)
+
+	if features.ShouldResourcesBeImported() && d.IsNewResource() {
+		server, err := client.Get(ctx, resourceID)
+		if err != nil {
+			if !utils.ResponseWasNotFound(server.Response) {
+				return fmt.Errorf("Error checking for presence of existing Advanced Threat Protection for resource %q: %+v", resourceID, err)
+			}
+		}
+
+		if server.ID != nil && *server.ID != "" && server.IsEnabled != nil && *server.IsEnabled {
+			return tf.ImportAsExistsError("azurerm_advanced_threat_protection", *server.ID)
+		}
+	}
+
+	setting := security.AdvancedThreatProtectionSetting{
+		AdvancedThreatProtectionProperties: &security.AdvancedThreatProtectionProperties{
+			IsEnabled: utils.Bool(d.Get("enabled").(bool)),
+		},
+	}
+
+	resp, err := client.Create(ctx, resourceID, setting)
+	if err != nil {
+		return fmt.Errorf("Error updating Advanced Threat protection for resource %q: %+v", resourceID, err)
+	}
+
+	if resp.ID == nil {
+		return fmt.Errorf("Cannot read ID for Advanced Threat Protection for resource %q ", resourceID)
+	}
+	d.SetId(*resp.ID)
+
+	return resourceArmAdvancedThreatProtectionRead(d, meta)
+}
+
+func resourceArmAdvancedThreatProtectionRead(d *schema.ResourceData, meta interface{}) error {
+	client := meta.(*ArmClient).SecurityCenter.AdvancedThreatProtectionClient
+	ctx, cancel := timeouts.ForRead(meta.(*ArmClient).StopContext, d)
+	defer cancel()
+
+	id, err := securitycenter.ParseAdvancedThreatProtectionID(d.Id())
+	if err != nil {
+		return err
+	}
+
+	resp, err := client.Get(ctx, id.TargetResourceID)
+	if err != nil {
+		if utils.ResponseWasNotFound(resp.Response) {
+			log.Printf("Advanced Threat Protection was not found for resource %q: %+v", id.TargetResourceID, err)
+			d.SetId("")
+			return nil
+		}
+
+		return fmt.Errorf("Error reading Advanced Threat protection for resource %q: %+v", id.TargetResourceID, err)
+	}
+
+	d.Set("target_resource_id", id.TargetResourceID)
+	if atpp := resp.AdvancedThreatProtectionProperties; atpp != nil {
+		d.Set("enabled", resp.IsEnabled)
+	}
+
+	return nil
+}
+
+func resourceArmAdvancedThreatProtectionDelete(d *schema.ResourceData, meta interface{}) error {
+	client := meta.(*ArmClient).SecurityCenter.AdvancedThreatProtectionClient
+	ctx, cancel := timeouts.ForDelete(meta.(*ArmClient).StopContext, d)
+	defer cancel()
+
+	id, err := securitycenter.ParseAdvancedThreatProtectionID(d.Id())
+	if err != nil {
+		return err
+	}
+
+	// there is no delete.. so lets just do best effort and set it to false?
+	setting := security.AdvancedThreatProtectionSetting{
+		AdvancedThreatProtectionProperties: &security.AdvancedThreatProtectionProperties{
+			IsEnabled: utils.Bool(false),
+		},
+	}
+
+	if _, err := client.Create(ctx, id.TargetResourceID, setting); err != nil {
+		return fmt.Errorf("Error resetting Advanced Threat protection to false for resource %q: %+v", id.TargetResourceID, err)
+	}
+
+	return nil
+}