-
Notifications
You must be signed in to change notification settings - Fork 4.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
security_center_subscription_pricing_resource: refactor disabled extensions logic #22997
security_center_subscription_pricing_resource: refactor disabled extensions logic #22997
Conversation
1be1ddc
to
3a8d168
Compare
…s logic Signed-off-by: Ihab Zhaika <[email protected]>
3a8d168
to
475bcd7
Compare
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi @Ihab-Zhaika, I ran the acceptance tests for this and it looks like it is failing:
=== RUN TestAccSecurityCenterSubscriptionPricing_cloudPostureExtension
testcase.go:120: Step 1/5 error: After applying this test step and performing a `terraform refresh`, the plan was not empty.
stdout
Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
~ update in-place
Terraform will perform the following actions:
# azurerm_security_center_subscription_pricing.test will be updated in-place
~ resource "azurerm_security_center_subscription_pricing" "test" {
id = "/subscriptions/*******/providers/Microsoft.Security/pricings/CloudPosture"
# (2 unchanged attributes hidden)
- extension {
- additional_extension_properties = {} -> null
- name = "AgentlessDiscoveryForKubernetes" -> null
}
- extension {
- additional_extension_properties = {} -> null
- name = "ContainerRegistriesVulnerabilityAssessments" -> null
}
# (2 unchanged blocks hidden)
}
Plan: 0 to add, 1 to change, 0 to destroy.
--- FAIL: TestAccSecurityCenterSubscriptionPricing_cloudPostureExtension (43.86s)
FAIL```
Weird, I will check Wanted to ask, If we have a critical need to put the "enabled" flag again, can we add it ? |
Signed-off-by: Ihab Zhaika <[email protected]>
@catriona-m can you rerun the tests please |
@catriona-m |
Hi @Ihab-Zhaika. If the user has set
Otherwise, if there are no changes, we shouldn't need to do anything. Can you explain a bit more why we would need to know the difference in this case so we can work out the best way to resolve this? Thank you! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have ran the acceptance tests again and it looks like there is a failure in another test now related to extension
------- Stdout: -------
=== RUN TestAccSecurityCenterSubscriptionPricing_storageAccountSubplan
testcase.go:120: Step 1/2 error: Error running apply: exit status 1
Error: setting Pricing (Subscription: "*******"
Pricing Name: "StorageAccounts"): pricings.PricingsClient#Update: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="InvalidInputJson" Message="Extension with name 'OnUploadMalwareScanning' is not supported for 'StorageAccounts' plan and 'PerStorageAccount' SubPlan"
with azurerm_security_center_subscription_pricing.test,
on terraform_plugin_test.tf line 21, in resource "azurerm_security_center_subscription_pricing" "test":
21: resource "azurerm_security_center_subscription_pricing" "test" {
--- FAIL: TestAccSecurityCenterSubscriptionPricing_storageAccountSubplan (18.99s)
FAIL
Hey @catriona-m I have the following condition that on it I change the extensions [Line 165 in the PR] So what I want to achieve is the following:
if the extensions are empty [no in ignore], I want to keep all of them off In our backend the default behavior is to have all the extensions on if the customer did not specify any since this is additional data to an object and not resource by it self, when I changed the code to comply with the removal of "enabled" it became hard to achieve this easily, so in the above case if the extension is empty or if it is in ignore_changes In the code I have currently no way to distinguish between those case(d.HasChange("extension") is false and d.GetOk("extension") returns empty), I can of course add new bool argument for example called "turn_on_default_extensions" which will ignore the content of the extension and turn all of them. So what do you think that we can solve this issue ? |
c747610
to
8c8b3b5
Compare
@catriona-m |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for making the additional changes @Ihab-Zhaika - I have tested this and it looks like it's working well now.
During testing, I did notice one further change we should implement. In the case where we are changing from Standard -> Free we are currently silently removing the extensions. Instead, in cases where the tier is Free and extensions are enabled in the config, we should raise an error indicating that extensions can only be enabled when the tier is Standard.
Once that is done, this should be good to merge! Thanks!
db09ea1
to
6b68e42
Compare
Signed-off-by: Ihab Zhaika <[email protected]>
6b68e42
to
dafc3f7
Compare
@catriona-m Done, tests pass also |
internal/services/securitycenter/security_center_subscription_pricing_resource.go
Outdated
Show resolved
Hide resolved
internal/services/securitycenter/security_center_subscription_pricing_resource.go
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Review changes
@catriona-m applied you suggestions |
Hi @Ihab-Zhaika , I had another look at this, but I can't see the new commit here yet? |
review changes Co-authored-by: catriona-m <[email protected]>
@catriona-m indeed.., now it is applied |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for making the additional changes @Ihab-Zhaika - I had another look through and this LGTM! Thanks!
<Actions> <action id="4a39167e811ac038e4a588362092472c27cfbe9e4929ae61d035f708a093a669"> <h3>Bump Terraform `azurerm` provider version</h3> <details id="1d9343c012f5434ac9fe8a98135bae3667b399259be16d9b14302ea3bd424a24"> <summary>Update Terraform lock file</summary> <p>"hashicorp/azurerm" updated from "3.74.0" to "3.75.0" in file ".terraform.lock.hcl"</p> <details> <summary>3.75.0</summary> <pre>Changelog retrieved from:
	https://github.com/hashicorp/terraform-provider-azurerm/releases/tag/v3.75.0
FEATURES:

* New Resource: `azurerm_application_load_balancer` ([#22517](hashicorp/terraform-provider-azurerm#22517 New Resource: `azurerm_resource_management_private_link` ([#23098](https://github.com/hashicorp/terraform-provider-azurerm/issues/23098))

ENHANCEMENTS:

* dependencies: `firewall` migrated to `hashicorp/go-azure-sdk` ([#22863](hashicorp/terraform-provider-azurerm#22863 `azurerm_bot_service_azure_bot` - add support for the `icon_url` property ([#23114](hashicorp/terraform-provider-azurerm#23114 `azurerm_cognitive_deployment` - `capacity` property is now updateable ([#23251](hashicorp/terraform-provider-azurerm#23251 `azurerm_container_group` - added support for `key_vault_user_identity_id` ([#23332](hashicorp/terraform-provider-azurerm#23332 `azurerm_data_factory` - added support for the `publish_enabled` property ([#2334](hashicorp/terraform-provider-azurerm#2334 `azurerm_firewall_policy_rule_collection_group` - add support for the `description` property ([#23354](hashicorp/terraform-provider-azurerm#23354 `azurerm_kubernetes_cluster` - `network_profile.network_policy` can be migrated to `cilium` ([#23342](hashicorp/terraform-provider-azurerm#23342 `azurerm_log_analytics_workspace` - add support for the `data_collection_rule_id` property ([#23347](hashicorp/terraform-provider-azurerm#23347 `azurerm_mysql_flexible_server` - add support for the `io_scaling_enabled` property ([#23329](https://github.com/hashicorp/terraform-provider-azurerm/issues/23329))

BUG FIXES:

* `azurerm_api_management_api` - fix importing `openapi` format content file issue ([#23348](hashicorp/terraform-provider-azurerm#23348 `azurerm_cdn_frontdoor_rule` - allow a `cache_duration` of `00:00:00` ([#23384](hashicorp/terraform-provider-azurerm#23384 `azurerm_cosmosdb_cassandra_datacenter` - `sku_name` is now updatable ([#23419](hashicorp/terraform-provider-azurerm#23419 `azurerm_key_vault_certificate` - fix a bug that prevented soft-deleted certificates from being recovered ([#23204](hashicorp/terraform-provider-azurerm#23204 `azurerm_log_analytics_solution` - fix create and update lifecycle of resource by splitting methods ([#23333](hashicorp/terraform-provider-azurerm#23333 `azurerm_management_group_subscription_association` - mark resource as gone correctly if not found when retrieving ([#23335](hashicorp/terraform-provider-azurerm#23335 `azurerm_management_lock` - add polling after create and delete to check for RP propagation ([#23345](hashicorp/terraform-provider-azurerm#23345 `azurerm_monitor_diagnostic_setting` - added validation to ensure at least one of `category` or `category_group` is supplied ([#23308](hashicorp/terraform-provider-azurerm#23308 `azurerm_palo_alto_local_rulestack_prefix_list` - fix rulestack not being committed on delete ([#23362](hashicorp/terraform-provider-azurerm#23362 `azurerm_palo_alto_local_rulestack_fqdn_list` - fix rulestack not being committed on delete ([#23362](hashicorp/terraform-provider-azurerm#23362 `security_center_subscription_pricing_resource` - disabled extensions logic now works as expected ([#22997](https://github.com/hashicorp/terraform-provider-azurerm/issues/22997))



</pre> </details> <details> <summary>3.76.0</summary> <pre>Changelog retrieved from:
	https://github.com/hashicorp/terraform-provider-azurerm/releases/tag/v3.76.0
FEATURES:

* New Resource: `azurerm_security_center_storage_defender` ([#23242](hashicorp/terraform-provider-azurerm#23242 New Resource: `azurerm_spring_cloud_application_insights_application_performance_monitoring` ([#23107](https://github.com/hashicorp/terraform-provider-azurerm/issues/23107))

ENHANCEMENTS:

* provider: updating to build using Go `1.21.3` ([#23514](hashicorp/terraform-provider-azurerm#23514 provider: the `roll_instances_when_required` provider feature in the `virtual_machine_scale_set` block is now optional ([#22976](hashicorp/terraform-provider-azurerm#22976 dependencies: updating to `v0.20231012.1141427` of `github.com/hashicorp/go-azure-sdk` ([#23534](hashicorp/terraform-provider-azurerm#23534 Data Source: `azurerm_application_gateway` - support for `backend_http_settings`, `global`, `gateway_ip_configuration` and additional attributes ([#23318](hashicorp/terraform-provider-azurerm#23318 Data Source: `azurerm_network_service_tags` - export the `name` attribute ([#23382](hashicorp/terraform-provider-azurerm#23382 `azurerm_cosmosdb_postgresql_cluster` - add support for `sql_version` of `16` and `citus_version` of `12.1` ([#23476](hashicorp/terraform-provider-azurerm#23476 `azurerm_palo_alto_local_rulestack` - correctly normalize the `location` property ([#23483](hashicorp/terraform-provider-azurerm#23483 `azurerm_static_site` - add support for `app_settings` ([#23421](https://github.com/hashicorp/terraform-provider-azurerm/issues/23421))

BUG FIXES:

* `azurerm_automation_schedule` - fix a bug when updating `start_time` ([#23494](hashicorp/terraform-provider-azurerm#23494 `azurerm_eventhub` - remove ForceNew and check `partition_count` is not decreased ([#23499](hashicorp/terraform-provider-azurerm#23499 `azurerm_managed_lustre_file_system` - update validation for `storage_capacity_in_tb` according to `sku_name` in use ([#23428](hashicorp/terraform-provider-azurerm#23428 `azurerm_virtual_machine` - fix a crash when the API response for the `os_profile` block contains nil properties ([#23535](https://github.com/hashicorp/terraform-provider-azurerm/issues/23535))


</pre> </details> </details> </action> </Actions> --- <table> <tr> <td width="77"> <img src="https://www.updatecli.io/images/updatecli.png" alt="Updatecli logo" width="50" height="50"> </td> <td> <p> Created automatically by <a href="https://www.updatecli.io/">Updatecli</a> </p> <details><summary>Options:</summary> <br /> <p>Most of Updatecli configuration is done via <a href="https://www.updatecli.io/docs/prologue/quick-start/">its manifest(s)</a>.</p> <ul> <li>If you close this pull request, Updatecli will automatically reopen it, the next time it runs.</li> <li>If you close this pull request and delete the base branch, Updatecli will automatically recreate it, erasing all previous commits made.</li> </ul> <p> Feel free to report any issues at <a href="https://github.com/updatecli/updatecli/issues">github.com/updatecli/updatecli</a>.<br /> If you find this tool useful, do not hesitate to star <a href="https://github.com/updatecli/updatecli/stargazers">our GitHub repository</a> as a sign of appreciation, and/or to tell us directly on our <a href="https://matrix.to/#/#Updatecli_community:gitter.im">chat</a>! </p> </details> </td> </tr> </table> --------- Co-authored-by: Jenkins Infra Bot (updatecli) <[email protected]> Co-authored-by: Damien Duportal <[email protected]>
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions. |
Change the order of the extension statuses