Support for AssessmentsSnapshot and SubAssessmentsSnapshot in azurerm_security_center_automation

[BasLangenberg]

Is there an existing issue for this?

• I have searched the existing issues

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

We'd like to have support to add continuous exports from Defender for Cloud for the AssessmentSnapshot and SubAssessmentSnapshot type. I tried to implement this myself, but I was blocked by the azure-sdk-for-go module.

$ make
==> Checking that code complies with gofmt requirements...                                                                                                                                  
==> Checking that Custom Timeouts are used...                                                                                                                                               
==> Checking that acceptance test packages are used...                                                                                                                                      
go generate ./internal/services/...                                                                                                                                                         
go generate ./internal/provider/                                                                                                                                                            
# github.com/hashicorp/terraform-provider-azurerm/internal/services/securitycenter                                                                                                          
../services/securitycenter/security_center_automation_resource.go:137:25: undefined: security.EventSourceAssessmentsSnapshot                                                                
../services/securitycenter/security_center_automation_resource.go:145:25: undefined: 
security.EventSourceSubAssessmentsSnapshot                                                             internal/provider/services.go:114: running 
"go": exit status 2                                                                                                                              make: *** [GNUmakefile:49: 
generate] Error 1                                                                                                                                                zsh: exit 2     make                                                                                                                                                                        

$ go test internal/services/securitycenter/security_center_automation_resource_test.go                                                                                                      
# github.com/hashicorp/terraform-provider-azurerm/internal/services/securitycenter
internal/services/securitycenter/security_center_automation_resource.go:137:25: undefined: security.EventSourceAssessmentsSnapshot
internal/services/securitycenter/security_center_automation_resource.go:145:25: undefined: security.EventSourceSubAssessmentsSnapshot
FAIL    command-line-arguments [build failed]
FAIL

I've checked the upstream branch and could not find the references for these 2 types implemented there. I assume we need to get them to do the actual work, but I'm logging this issue with this repository anyway because I want to make sure I understand the issue correctly, and people here might have better ways to get this resolved in the azure sdk repo by regenerating the service files there using autorest. (Which I have never done)

New or Affected Resource(s)/Data Source(s)

azurerm_security_center_automation

Potential Terraform Configuration

resource "azurerm_security_center_automation" "security_center_automation" {
  name                = var.security_center_automation_name
  location            = data.azurerm_resource_group.security_center_automation_resource_group.location
  resource_group_name = data.azurerm_resource_group.security_center_automation_resource_group.name
  scopes              = ["/subscriptions/${var.security_center_automation_scope_subscription_id}"]
  action {
    type        = var.security_center_automation_action_type
    resource_id = data.azurerm_log_analytics_workspace.workspace.id
  }


  source {
    event_source = "Alerts"
    rule_set {
      rule {
        property_path  = "Severity"
        property_type  = "String"
        expected_value = "low"
        operator       = "Equals"
      }
      rule {
        property_path  = "Severity"
        property_type  = "String"
        expected_value = "medium"
        operator       = "Equals"
      }
      rule {
        property_path  = "Severity"
        property_type  = "String"
        expected_value = "high"
        operator       = "Equals"
      }
      rule {
        property_path  = "Severity"
        property_type  = "String"
        expected_value = "informational"
        operator       = "Equals"
      }
    }
  }

  source {
    event_source = "Assessments"
    rule_set {
      rule {
        property_path  = "type"
        property_type  = "String"
        expected_value = "Microsoft.Security/assessments"
        operator       = "Contains"
      }
    }
  }

  source {
    event_source = "AssessmentsSnapshot"
    rule_set {
      rule {
        property_path  = "type"
        property_type  = "String"
        expected_value = "Microsoft.Security/assessments"
        operator       = "Contains"
      }
    }
  }

  source {
    event_source = "SubAssessments"
  }


  source {
    event_source = "SubAssessmentsSnapshot"
  }

  source {
    event_source = "SecureScores"
  }

  source {
    event_source = "SecureScoresSnapshot"
  }

  source {
    event_source = "SecureScoreControls"
  }

  source {
    event_source = "SecureScoreControlsSnapshot"
  }

  source {
    event_source = "RegulatoryComplianceAssessment"
  }

  source {
    event_source = "RegulatoryComplianceAssessmentSnapshot"
  }

}

References

I noticed this PR containing the references was not merged.
https://github.com/Azure/azure-sdk-for-go/pull/17559/files#diff-6a6b4f45d5baa543d107ab6d37aa122b30c56dd06f97c1b35ec94340ddc98b07L4989

[BasLangenberg]

Just for other people having the same problem an stumbling on this issue, we fixed it by using the AzApi module.

resource "azapi_resource" "continuous_export" {
  type      = "Microsoft.Security/automations@2019-01-01-preview"
  name      = "ExportToWorkspace"
  parent_id = data.azurerm_resource_group.security_center_automation_resource_group.id

  location = data.azurerm_resource_group.security_center_automation_resource_group.location
  body = jsonencode({
    properties = {
      description = "",
      isEnabled   = true,
      scopes = [
        {
          description = "Security Export for the subscription",
          scopePath   = data.azurerm_resource_group.security_center_automation_resource_group.id
        }
      ],
      sources = [
        {
          eventSource = "Assessments",
          ruleSets = [
            {
              rules = [
                {
                  propertyJPath = "type",
                  propertyType  = "String",
                  expectedValue = "Microsoft.Security/assessments",
                  operator      = "Contains"
                }
              ]
            }
          ]
        },
        {
          eventSource = "AssessmentsSnapshot",
          ruleSets = [
            {
              rules = [
                {
                  propertyJPath = "type",
                  propertyType  = "String",
                  expectedValue = "Microsoft.Security/assessments",
                  operator      = "Contains"
                }
              ]
            }
          ]
        },
        {
          eventSource = "SubAssessments"
        },
        {
          eventSource = "SubAssessmentsSnapshot"
        },
        {
          eventSource = "Alerts",
          ruleSets = [
            {
              rules = [
                {
                  propertyJPath = "Severity",
                  propertyType  = "String",
                  expectedValue = "low",
                  operator      = "Equals"
                }
              ]
            },
            {
              rules = [
                {
                  propertyJPath = "Severity",
                  propertyType  = "String",
                  expectedValue = "medium",
                  operator      = "Equals"
                }
              ]
            },
            {
              rules = [
                {
                  propertyJPath = "Severity",
                  propertyType  = "String",
                  expectedValue = "high",
                  operator      = "Equals"
                }
              ]
            },
            {
              rules = [
                {
                  propertyJPath = "Severity",
                  propertyType  = "String",
                  expectedValue = "informational",
                  operator      = "Equals"
                }
              ]
            }
          ]
        },
        {
          eventSource = "SecureScores"
        },
        {
          eventSource = "SecureScoresSnapshot"
        },
        {
          eventSource = "SecureScoreControls"
        },
        {
          eventSource = "SecureScoreControlsSnapshot"
        },
        {
          eventSource = "RegulatoryComplianceAssessment"
        },
        {
          eventSource = "RegulatoryComplianceAssessmentSnapshot"
        }
      ],
      actions = [
        {
          workspaceResourceId = data.azurerm_log_analytics_workspace.workspace.id
          actionType          = "Workspace"
        }
      ]
    }
  })
}