Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

security_center_subscription_pricing_resource: refactor disabled extensions logic #22997

Conversation

Ihab-Zhaika
Copy link
Contributor

@Ihab-Zhaika Ihab-Zhaika commented Aug 17, 2023

Change the order of the extension statuses

@Ihab-Zhaika Ihab-Zhaika force-pushed the feature/ihabzhaika/pricing_extension_logic_correction branch 4 times, most recently from 1be1ddc to 3a8d168 Compare August 17, 2023 13:27
@Ihab-Zhaika Ihab-Zhaika force-pushed the feature/ihabzhaika/pricing_extension_logic_correction branch from 3a8d168 to 475bcd7 Compare August 20, 2023 12:36
@Ihab-Zhaika

This comment was marked as off-topic.

@Ihab-Zhaika Ihab-Zhaika changed the title security_center_subscription_pricing_resource: Fix disabled extensions logic security_center_subscription_pricing_resource: refactor disabled extensions logic Aug 20, 2023
@Ihab-Zhaika

This comment was marked as off-topic.

@catriona-m catriona-m self-assigned this Aug 22, 2023
@Ihab-Zhaika

This comment was marked as off-topic.

Copy link
Member

@catriona-m catriona-m left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @Ihab-Zhaika, I ran the acceptance tests for this and it looks like it is failing:

=== RUN   TestAccSecurityCenterSubscriptionPricing_cloudPostureExtension
    testcase.go:120: Step 1/5 error: After applying this test step and performing a `terraform refresh`, the plan was not empty.
        stdout
        Terraform used the selected providers to generate the following execution
        plan. Resource actions are indicated with the following symbols:
          ~ update in-place
        Terraform will perform the following actions:
          # azurerm_security_center_subscription_pricing.test will be updated in-place
          ~ resource "azurerm_security_center_subscription_pricing" "test" {
                id            = "/subscriptions/*******/providers/Microsoft.Security/pricings/CloudPosture"
                # (2 unchanged attributes hidden)
              - extension {
                  - additional_extension_properties = {} -> null
                  - name                            = "AgentlessDiscoveryForKubernetes" -> null
                }
              - extension {
                  - additional_extension_properties = {} -> null
                  - name                            = "ContainerRegistriesVulnerabilityAssessments" -> null
                }
                # (2 unchanged blocks hidden)
            }
        Plan: 0 to add, 1 to change, 0 to destroy.
--- FAIL: TestAccSecurityCenterSubscriptionPricing_cloudPostureExtension (43.86s)
FAIL```

@Ihab-Zhaika
Copy link
Contributor Author

~ update in-place

Weird, I will check

Wanted to ask, If we have a critical need to put the "enabled" flag again, can we add it ?

@github-actions github-actions bot added size/S and removed size/XS labels Aug 23, 2023
@Ihab-Zhaika
Copy link
Contributor Author

Hi @Ihab-Zhaika, I ran the acceptance tests for this and it looks like it is failing:

=== RUN   TestAccSecurityCenterSubscriptionPricing_cloudPostureExtension
    testcase.go:120: Step 1/5 error: After applying this test step and performing a `terraform refresh`, the plan was not empty.
        stdout
        Terraform used the selected providers to generate the following execution
        plan. Resource actions are indicated with the following symbols:
          ~ update in-place
        Terraform will perform the following actions:
          # azurerm_security_center_subscription_pricing.test will be updated in-place
          ~ resource "azurerm_security_center_subscription_pricing" "test" {
                id            = "/subscriptions/*******/providers/Microsoft.Security/pricings/CloudPosture"
                # (2 unchanged attributes hidden)
              - extension {
                  - additional_extension_properties = {} -> null
                  - name                            = "AgentlessDiscoveryForKubernetes" -> null
                }
              - extension {
                  - additional_extension_properties = {} -> null
                  - name                            = "ContainerRegistriesVulnerabilityAssessments" -> null
                }
                # (2 unchanged blocks hidden)
            }
        Plan: 0 to add, 1 to change, 0 to destroy.
--- FAIL: TestAccSecurityCenterSubscriptionPricing_cloudPostureExtension (43.86s)
FAIL```

@catriona-m can you rerun the tests please

@Ihab-Zhaika
Copy link
Contributor Author

Ihab-Zhaika commented Aug 23, 2023

@catriona-m
I need advise regards the following
How I can know if d.HasChange(KEY) returns false because the Key is empty from the first place or because the key has the ignore_changes attribute ?
I need this differentiation

@catriona-m
Copy link
Member

@catriona-m I need advise regards the following How I can know if d.HasChange(KEY) returns false because the Key is empty from the first place or because the key has the ignore_changes attribute ? I need this differentiation

Hi @Ihab-Zhaika. If the user has set ignore_changes on the field in the config (see below) we don't need the logic inside has.Changes() because we are ignoring the changes.

  lifecycle {
    ignore_changes = [extension]
  }

Otherwise, if there are no changes, we shouldn't need to do anything. Can you explain a bit more why we would need to know the difference in this case so we can work out the best way to resolve this? Thank you!

Copy link
Member

@catriona-m catriona-m left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have ran the acceptance tests again and it looks like there is a failure in another test now related to extension

------- Stdout: -------
=== RUN   TestAccSecurityCenterSubscriptionPricing_storageAccountSubplan
    testcase.go:120: Step 1/2 error: Error running apply: exit status 1
        Error: setting Pricing (Subscription: "*******"
        Pricing Name: "StorageAccounts"): pricings.PricingsClient#Update: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="InvalidInputJson" Message="Extension with name 'OnUploadMalwareScanning' is not supported for 'StorageAccounts' plan and 'PerStorageAccount' SubPlan"
          with azurerm_security_center_subscription_pricing.test,
          on terraform_plugin_test.tf line 21, in resource "azurerm_security_center_subscription_pricing" "test":
          21: resource "azurerm_security_center_subscription_pricing" "test" {
--- FAIL: TestAccSecurityCenterSubscriptionPricing_storageAccountSubplan (18.99s)
FAIL

@Ihab-Zhaika
Copy link
Contributor Author

@catriona-m I need advise regards the following How I can know if d.HasChange(KEY) returns false because the Key is empty from the first place or because the key has the ignore_changes attribute ? I need this differentiation

Hi @Ihab-Zhaika. If the user has set ignore_changes on the field in the config (see below) we don't need the logic inside has.Changes() because we are ignoring the changes.

  lifecycle {
    ignore_changes = [extension]
  }

Otherwise, if there are no changes, we shouldn't need to do anything. Can you explain a bit more why we would need to know the difference in this case so we can work out the best way to resolve this? Thank you!

Hey @catriona-m

I have the following condition that on it I change the extensions [Line 165 in the PR]
if d.HasChange("extension") || d.IsNewResource() || isCurrentlyInFree

So what I want to achieve is the following:
When I am moving from Free to standard: => isCurrentlyInFree is true in this case
If extension is in ignore => I want to turn on all the extensions since in the docs we have the following

~> NOTE: If an extension is not defined, it will not be enabled. Use ignore_changes on the extension field if you want to use the default extensions.
This is the default behavior

if the extensions are empty [no in ignore], I want to keep all of them off

In our backend the default behavior is to have all the extensions on if the customer did not specify any since this is additional data to an object and not resource by it self, when I changed the code to comply with the removal of "enabled" it became hard to achieve this easily, so in the above case if the extension is empty or if it is in ignore_changes In the code I have currently no way to distinguish between those case(d.HasChange("extension") is false and d.GetOk("extension") returns empty), I can of course add new bool argument for example called "turn_on_default_extensions" which will ignore the content of the extension and turn all of them.

So what do you think that we can solve this issue ?

@Ihab-Zhaika Ihab-Zhaika force-pushed the feature/ihabzhaika/pricing_extension_logic_correction branch from c747610 to 8c8b3b5 Compare September 10, 2023 09:20
@Ihab-Zhaika
Copy link
Contributor Author

To achieve this we will need to make a couple of changes to expandSecurityCenterSubscriptionPricingExtensions and

so the users will not able to use default values anymore? I'm a bit concerned about that.. And it's different with the best practice document?

@ziyeqf where a resource provisions nested items under it, such as in this case, any nested items should be removed during creation - since in this case these extensions are being enabled by default, these should be removed at the end of the Terraform run. For an example see API Management, which provisions APIs and some other items at initial creation, as such Terraform clears those up before marking the resource as provisioned - such that the users Terraform configuration matches the state of the resource in Azure.

@catriona-m
Updated it to what asked,
Acc tests tests
image
image

Copy link
Member

@catriona-m catriona-m left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for making the additional changes @Ihab-Zhaika - I have tested this and it looks like it's working well now.

During testing, I did notice one further change we should implement. In the case where we are changing from Standard -> Free we are currently silently removing the extensions. Instead, in cases where the tier is Free and extensions are enabled in the config, we should raise an error indicating that extensions can only be enabled when the tier is Standard.

Once that is done, this should be good to merge! Thanks!

@Ihab-Zhaika Ihab-Zhaika force-pushed the feature/ihabzhaika/pricing_extension_logic_correction branch from db09ea1 to 6b68e42 Compare September 12, 2023 15:43
@Ihab-Zhaika Ihab-Zhaika force-pushed the feature/ihabzhaika/pricing_extension_logic_correction branch from 6b68e42 to dafc3f7 Compare September 12, 2023 16:07
@Ihab-Zhaika
Copy link
Contributor Author

Thanks for making the additional changes @Ihab-Zhaika - I have tested this and it looks like it's working well now.

During testing, I did notice one further change we should implement. In the case where we are changing from Standard -> Free we are currently silently removing the extensions. Instead, in cases where the tier is Free and extensions are enabled in the config, we should raise an error indicating that extensions can only be enabled when the tier is Standard.

Once that is done, this should be good to merge! Thanks!

@catriona-m Done, tests pass also
image

Copy link
Contributor Author

@Ihab-Zhaika Ihab-Zhaika left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review changes

@Ihab-Zhaika
Copy link
Contributor Author

Review changes

@catriona-m applied you suggestions

@catriona-m
Copy link
Member

Review changes

@catriona-m applied you suggestions

Hi @Ihab-Zhaika , I had another look at this, but I can't see the new commit here yet?

review changes

Co-authored-by: catriona-m <[email protected]>
@Ihab-Zhaika
Copy link
Contributor Author

Review changes

@catriona-m applied you suggestions

Hi @Ihab-Zhaika , I had another look at this, but I can't see the new commit here yet?

@catriona-m indeed.., now it is applied

Copy link
Member

@catriona-m catriona-m left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for making the additional changes @Ihab-Zhaika - I had another look through and this LGTM! Thanks!

@catriona-m catriona-m merged commit f782378 into hashicorp:main Sep 26, 2023
23 checks passed
@github-actions github-actions bot added this to the v3.75.0 milestone Sep 26, 2023
catriona-m added a commit that referenced this pull request Sep 26, 2023
dduportal referenced this pull request in jenkins-infra/azure Oct 16, 2023
<Actions>
<action
id="4a39167e811ac038e4a588362092472c27cfbe9e4929ae61d035f708a093a669">
        <h3>Bump Terraform `azurerm` provider version</h3>
<details
id="1d9343c012f5434ac9fe8a98135bae3667b399259be16d9b14302ea3bd424a24">
            <summary>Update Terraform lock file</summary>
<p>&#34;hashicorp/azurerm&#34; updated from &#34;3.74.0&#34; to
&#34;3.75.0&#34; in file &#34;.terraform.lock.hcl&#34;</p>
            <details>
                <summary>3.75.0</summary>
<pre>Changelog retrieved
from:&#xA;&#x9;https://github.com/hashicorp/terraform-provider-azurerm/releases/tag/v3.75.0&#xA;FEATURES:&#xA;&#xA;*
New Resource: `azurerm_application_load_balancer`
([#22517](hashicorp/terraform-provider-azurerm#22517
New Resource: `azurerm_resource_management_private_link`
([#23098](https://github.com/hashicorp/terraform-provider-azurerm/issues/23098))&#xA;&#xA;ENHANCEMENTS:&#xA;&#xA;*
dependencies: `firewall` migrated to `hashicorp/go-azure-sdk`
([#22863](hashicorp/terraform-provider-azurerm#22863
`azurerm_bot_service_azure_bot` - add support for the `icon_url`
property
([#23114](hashicorp/terraform-provider-azurerm#23114
`azurerm_cognitive_deployment` - `capacity` property is now updateable
([#23251](hashicorp/terraform-provider-azurerm#23251
`azurerm_container_group` - added support for
`key_vault_user_identity_id`
([#23332](hashicorp/terraform-provider-azurerm#23332
`azurerm_data_factory` - added support for the `publish_enabled`
property
([#2334](hashicorp/terraform-provider-azurerm#2334
`azurerm_firewall_policy_rule_collection_group` - add support for the
`description` property
([#23354](hashicorp/terraform-provider-azurerm#23354
`azurerm_kubernetes_cluster` - `network_profile.network_policy` can be
migrated to `cilium`
([#23342](hashicorp/terraform-provider-azurerm#23342
`azurerm_log_analytics_workspace` - add support for the
`data_collection_rule_id` property
([#23347](hashicorp/terraform-provider-azurerm#23347
`azurerm_mysql_flexible_server` - add support for the
`io_scaling_enabled` property
([#23329](https://github.com/hashicorp/terraform-provider-azurerm/issues/23329))&#xA;&#xA;BUG
FIXES:&#xA;&#xA;* `azurerm_api_management_api` - fix importing `openapi`
format content file issue
([#23348](hashicorp/terraform-provider-azurerm#23348
`azurerm_cdn_frontdoor_rule` - allow a `cache_duration` of `00:00:00`
([#23384](hashicorp/terraform-provider-azurerm#23384
`azurerm_cosmosdb_cassandra_datacenter` - `sku_name` is now updatable
([#23419](hashicorp/terraform-provider-azurerm#23419
`azurerm_key_vault_certificate` - fix a bug that prevented soft-deleted
certificates from being recovered
([#23204](hashicorp/terraform-provider-azurerm#23204
`azurerm_log_analytics_solution` - fix create and update lifecycle of
resource by splitting methods
([#23333](hashicorp/terraform-provider-azurerm#23333
`azurerm_management_group_subscription_association` - mark resource as
gone correctly if not found when retrieving
([#23335](hashicorp/terraform-provider-azurerm#23335
`azurerm_management_lock` - add polling after create and delete to check
for RP propagation
([#23345](hashicorp/terraform-provider-azurerm#23345
`azurerm_monitor_diagnostic_setting` - added validation to ensure at
least one of `category` or `category_group` is supplied
([#23308](hashicorp/terraform-provider-azurerm#23308
`azurerm_palo_alto_local_rulestack_prefix_list` - fix rulestack not
being committed on delete
([#23362](hashicorp/terraform-provider-azurerm#23362
`azurerm_palo_alto_local_rulestack_fqdn_list` - fix rulestack not being
committed on delete
([#23362](hashicorp/terraform-provider-azurerm#23362
`security_center_subscription_pricing_resource` - disabled extensions
logic now works as expected
([#22997](https://github.com/hashicorp/terraform-provider-azurerm/issues/22997))&#xA;&#xA;&#xA;&#xA;</pre>
            </details>
            <details>
                <summary>3.76.0</summary>
<pre>Changelog retrieved
from:&#xA;&#x9;https://github.com/hashicorp/terraform-provider-azurerm/releases/tag/v3.76.0&#xA;FEATURES:&#xA;&#xA;*
New Resource: `azurerm_security_center_storage_defender`
([#23242](hashicorp/terraform-provider-azurerm#23242
New Resource:
`azurerm_spring_cloud_application_insights_application_performance_monitoring`
([#23107](https://github.com/hashicorp/terraform-provider-azurerm/issues/23107))&#xA;&#xA;ENHANCEMENTS:&#xA;&#xA;*
provider: updating to build using Go `1.21.3`
([#23514](hashicorp/terraform-provider-azurerm#23514
provider: the `roll_instances_when_required` provider feature in the
`virtual_machine_scale_set` block is now optional
([#22976](hashicorp/terraform-provider-azurerm#22976
dependencies: updating to `v0.20231012.1141427` of
`github.com/hashicorp/go-azure-sdk`
([#23534](hashicorp/terraform-provider-azurerm#23534
Data Source: `azurerm_application_gateway` - support for
`backend_http_settings`, `global`, `gateway_ip_configuration` and
additional attributes
([#23318](hashicorp/terraform-provider-azurerm#23318
Data Source: `azurerm_network_service_tags` - export the `name`
attribute
([#23382](hashicorp/terraform-provider-azurerm#23382
`azurerm_cosmosdb_postgresql_cluster` - add support for `sql_version` of
`16` and `citus_version` of `12.1`
([#23476](hashicorp/terraform-provider-azurerm#23476
`azurerm_palo_alto_local_rulestack` - correctly normalize the `location`
property
([#23483](hashicorp/terraform-provider-azurerm#23483
`azurerm_static_site` - add support for `app_settings`
([#23421](https://github.com/hashicorp/terraform-provider-azurerm/issues/23421))&#xA;&#xA;BUG
FIXES:&#xA;&#xA;* `azurerm_automation_schedule` - fix a bug when
updating `start_time`
([#23494](hashicorp/terraform-provider-azurerm#23494
`azurerm_eventhub` - remove ForceNew and check `partition_count` is not
decreased
([#23499](hashicorp/terraform-provider-azurerm#23499
`azurerm_managed_lustre_file_system` - update validation for
`storage_capacity_in_tb` according to `sku_name` in use
([#23428](hashicorp/terraform-provider-azurerm#23428
`azurerm_virtual_machine` - fix a crash when the API response for the
`os_profile` block contains nil properties
([#23535](https://github.com/hashicorp/terraform-provider-azurerm/issues/23535))&#xA;&#xA;&#xA;</pre>
            </details>
        </details>
    </action>
</Actions>

---

<table>
  <tr>
    <td width="77">
<img src="https://www.updatecli.io/images/updatecli.png" alt="Updatecli
logo" width="50" height="50">
    </td>
    <td>
      <p>
Created automatically by <a
href="https://www.updatecli.io/">Updatecli</a>
      </p>
      <details><summary>Options:</summary>
        <br />
<p>Most of Updatecli configuration is done via <a
href="https://www.updatecli.io/docs/prologue/quick-start/">its
manifest(s)</a>.</p>
        <ul>
<li>If you close this pull request, Updatecli will automatically reopen
it, the next time it runs.</li>
<li>If you close this pull request and delete the base branch, Updatecli
will automatically recreate it, erasing all previous commits made.</li>
        </ul>
        <p>
Feel free to report any issues at <a
href="https://github.com/updatecli/updatecli/issues">github.com/updatecli/updatecli</a>.<br
/>
If you find this tool useful, do not hesitate to star <a
href="https://github.com/updatecli/updatecli/stargazers">our GitHub
repository</a> as a sign of appreciation, and/or to tell us directly on
our <a
href="https://matrix.to/#/#Updatecli_community:gitter.im">chat</a>!
        </p>
      </details>
    </td>
  </tr>
</table>

---------

Co-authored-by: Jenkins Infra Bot (updatecli) <[email protected]>
Co-authored-by: Damien Duportal <[email protected]>
Copy link

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 13, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants