New Resource - sentinel_automation_rule
#11502
Conversation
ghost
added
|
The test for |
|
@magodo - can we fix logic app trigger so we can test this before merge? |
|
From the following tests I did it seems a few things need to be tweaked:
See results of defining Manual3 playbook with the following params (had to zoom out here): Possibly the distiniction between action_incident and action_playbook is doing this? Surely would make more sense to have playbook definition inside action_incident rather than seperating the two. In expandAutomationRuleActions, seems the copy function is just taking the later result in this instance and nulls the second part of the object? I'm a complete Golang newbie here in fairness.
|
|
azurerm/internal/services/sentinel/sentinel_automation_rule_resource.go
Outdated
Show resolved
Hide resolved
azurerm/internal/services/sentinel/sentinel_automation_rule_resource_test.go
Outdated
Show resolved
Hide resolved
|
@kaovd Thank you so much for testing this and finding the bugs! Also many thanks to providing the template here to work around the lack of web connection in Terraform! |
azurerm/internal/services/sentinel/sentinel_automation_rule_resource_test.go
Outdated
Show resolved
Hide resolved
|
Reping @katbyte |
azurerm/internal/services/sentinel/sentinel_automation_rule_resource.go
Outdated
Show resolved
Hide resolved
azurerm/internal/services/sentinel/sentinel_automation_rule_resource.go
Outdated
Show resolved
Hide resolved
|
Just noticed that enabled wasnt an option, added it in see above recent comment @magodo |
|
I did this intentionally. I didn't see too much value that users will want to define multiple disabled automation rules in the config. Whilst each way is reasonable, tbh. |
Ah, surely wouldnt hurt to add in? As a user I just want the ability to toggle off rules while doing change management before deleting them fully. Can always define an impossible condition but this is a bit neater. |
|
Maybe move this from blocked to https://github.com/terraform-providers/terraform-provider-azurerm/milestone/126 as its not blocked anymore? Providing we can make that, just pending on that review. |
|
@katbyte Would you please take another look at this PR? |
There was a problem hiding this comment.
Latest AzureRm master pulled that SDK in (#12263), Enums are correct now on the latest rebase. This would fix it for the merge
> $ TF_TRACE=1 TF_ACC=1 go test -v -timeout=2h ./azurerm/internal/services/sentinel -run="TestAccSentinelAutomationRule_basic" [±sentinel_automation_rule ●▴]
2021/06/20 11:24:07 [DEBUG] not using binary driver name, it's no longer needed
2021/06/20 11:24:07 [DEBUG] not using binary driver name, it's no longer needed
=== RUN TestAccSentinelAutomationRule_basic
=== PAUSE TestAccSentinelAutomationRule_basic
=== CONT TestAccSentinelAutomationRule_basic
--- PASS: TestAccSentinelAutomationRule_basic (263.33s)
PASS
ok github.com/terraform-providers/terraform-provider-azurerm/azurerm/internal/services/sentinel 264.023s
azurerm/internal/services/sentinel/sentinel_automation_rule_resource.go
Outdated
Show resolved
Hide resolved
azurerm/internal/services/sentinel/sentinel_automation_rule_resource.go
Outdated
Show resolved
Hide resolved
|
@kaovd I've merged with the master branch and made the changes. Thank you! |
Great! Still waiting on that review though :/ |
|
@kaovd I'll reach to the teams and see anything we can do to make it merged. |
There was a problem hiding this comment.
Thanks for the PR @magodo - sorry its taken so long to review but i have a couple of concerns. Mainly that it appears we need some new resources so support all the added properties without using arm templates in the test. as well it needs a merge master and the build fixed:
[Step 4/5] in directory: /opt/teamcity-agent/work/a73be106926a7472/azurerm/internal/services/sentinel
[04:39:46] [Step 4/5] sentinel_automation_rule_resource.go:22:2: cannot find package "." in:
[04:39:46] [Step 4/5] /opt/teamcity-agent/work/a73be106926a7472/vendor/github.com/hashicorp/terraform-plugin-sdk/helper/schema
[04:39:46] [Step 4/5] sentinel_automation_rule_resource.go:15:2: cannot find package "." in:
[04:39:46] [Step 4/5] /opt/teamcity-agent/work/a73be106926a7472/vendor/github.com/hashicorp/terraform-plugin-sdk/helper/validation
[04:39:46] [Step 4/5] Process exited with code 1
azurerm/internal/services/sentinel/sentinel_automation_rule_resource.go
Outdated
Show resolved
Hide resolved
azurerm/internal/services/sentinel/sentinel_automation_rule_resource.go
Outdated
Show resolved
Hide resolved
| principal_id = data.azuread_service_principal.securityinsights.object_id | ||
| } | ||
|
|
||
| resource "azurerm_template_deployment" "testconnection" { |
There was a problem hiding this comment.
is there a reason we are not implementing a resource for this? we try our best to never do ARM deployments in acctests
There was a problem hiding this comment.
This is currently tracked by #1691, which is blocked by lacks of Go SDK support.
| TEMPLATE | ||
| } | ||
|
|
||
| resource "azurerm_template_deployment" "testlogicapp" { |
There was a problem hiding this comment.
This piece of template is to provision a azurerm_logic_app_workflow with azurerm_logic_app_trigger_custom embedded. It looks like we can do the same by using these existing resources as below:
resource "azurerm_logic_app_workflow" "test" {
name = "testworkflow1"
location = azurerm_resource_group.test.location
resource_group_name = azurerm_resource_group.test.name
}
resource "azurerm_logic_app_trigger_custom" "test" {
name = "When_Azure_Sentinel_incident_creation_rule_was_triggered"
logic_app_id = azurerm_logic_app_workflow.test.id
body = <<BODY
{og
"type": "ApiConnectionWebhook",
"inputs": {
"body": {
"callback_url": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "/subscriptions/${data.azurerm_client_config.current.subscription_id}/resourceGroups/${azurerm_resource_group.test.name}/providers/Microsoft.Web/connections/azuresentinel"
}
},
"path": "/incident-creation"
}
}
BODY
depends_on = [azurerm_template_deployment.testconnection]
}However, this ends up with a logic app workflow non-functional (which is greyed out in the logic app designer interface, and has a red mark complaining Connector not found). By comparing the template (logic app code), the difference might be the format, where the logic app might ask for the certain parameter to be declared and defined. Then it means we will need customized parameter definition for the azurerm_logc_app_workflow resource, which should be resolved by #12314.
There was a problem hiding this comment.
The non-functional one
code view
{
"definition": {
"$schema": "https://pluginsdk.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"actions": {},
"contentVersion": "1.0.0.0",
"triggers": {
"When_Azure_Sentinel_incident_creation_rule_was_triggered": {
"inputs": {
"body": {
"callback_url": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "/subscriptions/****/resourceGroups/acctestRG-sentinel-999/providers/Microsoft.Web/connections/azuresentinel"
}
},
"path": "/incident-creation"
},
"type": "ApiConnectionWebhook"
}
}
},
"parameters": {}
}
THe functional one
code view
{
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion": "1.0.0.0",
"outputs": {},
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
}
},
"triggers": {
"When_Azure_Sentinel_incident_creation_rule_was_triggered": {
"inputs": {
"body": {
"callback_url": "@{listCallbackUrl()}"
},
"host": {
"connection": {
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
}
},
"path": "/incident-creation"
},
"type": "ApiConnectionWebhook"
}
}
},
"parameters": {
"$connections": {
"value": {
"azuresentinel": {
"connectionId": "/subscriptions/****/resourceGroups/acctestRG-sentinel-888/providers/Microsoft.Web/connections/azuresentinel",
"connectionName": "azuresentinel",
"id": "/subscriptions/****/providers/Microsoft.Web/locations/westeurope/managedApis/azuresentinel"
}
}
}
}
}
There was a problem hiding this comment.
Correct above findings, the reason why the former doesn't work is because of the setting inside the triggers.When***.inputs.host.connection, it should be set into @parameters('$connections')['azuresentinel']['connectionId'], rather than the evaluated value, I have no idea why thoug 😂
|
|
||
| action_playbook { | ||
| order = 5 | ||
| logic_app_id = "/subscriptions/${data.azurerm_client_config.current.subscription_id}/resourceGroups/${azurerm_resource_group.test.name}/providers/Microsoft.Logic/workflows/Test" |
There was a problem hiding this comment.
given we don't yet have resources to support this maybe we remove these properties until they exist?
There was a problem hiding this comment.
Now that it works actually, which means the functionality of this property (block) has no problem. Also some customers (e.g. @kaovd) exactly want this.
There was a problem hiding this comment.
Agree with this, while current workaround may use an arm template to test this, it works fully. Having this feature is an absolute game changer for everyone with sentinel deployments. I dont see why we should throw this out the window just because of how tests are implemented
|
Any further updates post the changes you requested @katbyte ? Just want to know if this is acceptable as a PR as everything is working - if the rm template in the tests is going to completely block this from a standards point then can just fork this functionality instead |
magodo
force-pushed
the
sentinel_automation_rule
branch
from
996a899 to
4b76bd7
Compare
|
Can we just remove the logic app trigger so we can do without templates in the tests if thats going to be the conditon rather than having the whole resource blocked, can probably just use a script prov on create / destroy to deal with the rest for now as seems ms are going to take a lot of pushing to action bugfixes on logic api upstream @magodo @katbyte |
|
@katbyte I've removed the arm template usage from the test cases, which only affects one property of the automation rule resourc, the |
| _, err = client.CreateOrUpdate(ctx, id.ResourceGroup, OperationalInsightsResourceProvider, id.WorkspaceName, id.Name, params) | ||
| if err != nil { |
There was a problem hiding this comment.
| _, err = client.CreateOrUpdate(ctx, id.ResourceGroup, OperationalInsightsResourceProvider, id.WorkspaceName, id.Name, params) | |
| if err != nil { | |
| if _, err = client.CreateOrUpdate(ctx, id.ResourceGroup, OperationalInsightsResourceProvider, id.WorkspaceName, id.Name, params); err != nil { |
|
@katbyte Thank you !!!! |
|
This functionality has been released in v2.83.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you! |
|
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions. |
This PR implements a new sentinel resource called Automation Rule. This fixes: #10960.
Reference
Test Result