-
Notifications
You must be signed in to change notification settings - Fork 4.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
New resource: azurerm_security_center_storage_defender
#23242
Conversation
2061200
to
b749bf8
Compare
Signed-off-by: ziyeqf <[email protected]>
b749bf8
to
de375a8
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for this @ziyeqf.
A couple of things need to be fixed up before we can merge this. Please take a look at the comments left in-line. Thanks!
internal/provider/services.go
Outdated
@@ -199,6 +199,7 @@ func SupportedTypedServices() []sdk.TypedServiceRegistration { | |||
vmware.Registration{}, | |||
voiceservices.Registration{}, | |||
web.Registration{}, | |||
securitycenter.Registration{}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Alphabetical ordering
go.mod
Outdated
@@ -15,7 +15,7 @@ require ( | |||
github.com/google/go-cmp v0.5.9 | |||
github.com/google/uuid v1.3.1 | |||
github.com/hashicorp/go-azure-helpers v0.59.0 | |||
github.com/hashicorp/go-azure-sdk v0.20230907.1113401 | |||
github.com/hashicorp/go-azure-sdk v0.20230911.1163300 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For future reference these have to go into their own PR to avoid conflicts. So can you please revert this and also do a rebase since the go-azure-sdk
has already been updated since the opening of this PR.
"enabled": { | ||
Type: pluginsdk.TypeBool, | ||
Required: true, | ||
}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We don't expose the enabled
field as explained in the contributor docs.
This field should be controlled purely by the creation of it enabled = true
and the deletion of it enabled = false
.
"malware_scanning_on_upload_cap_gb_per_month": { | ||
Type: pluginsdk.TypeInt, | ||
Optional: true, | ||
Default: -1, | ||
ValidateFunc: func(i interface{}, s string) (warnings []string, errors []error) { | ||
// it requires -1 or greater than 0 | ||
v, ok := i.(int) | ||
if !ok { | ||
errors = append(errors, fmt.Errorf("expected type of %s to be integer", s)) | ||
return warnings, errors | ||
} | ||
|
||
if v == -1 { | ||
return warnings, errors | ||
} | ||
|
||
return validation.IntAtLeast(-1)(i, s) | ||
}, | ||
}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What does -1
mean in this case? Also what would 0
mean?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the service does not accept 0, and -1 means no limit on that cap. Do we need to map user input 0
to payload -1
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this can be more clearly/simply achieved with:
"malware_scanning_on_upload_cap_gb_per_month": { | |
Type: pluginsdk.TypeInt, | |
Optional: true, | |
Default: -1, | |
ValidateFunc: func(i interface{}, s string) (warnings []string, errors []error) { | |
// it requires -1 or greater than 0 | |
v, ok := i.(int) | |
if !ok { | |
errors = append(errors, fmt.Errorf("expected type of %s to be integer", s)) | |
return warnings, errors | |
} | |
if v == -1 { | |
return warnings, errors | |
} | |
return validation.IntAtLeast(-1)(i, s) | |
}, | |
}, | |
"malware_scanning_on_upload_cap_gb_per_month": { | |
Type: pluginsdk.TypeInt, | |
Optional: true, | |
Default: -1, | |
ValidateFunc: validation.Any( | |
validation.IntAtLeast(1), | |
validation.IntInSlice([]int{-1}), | |
), | |
}, |
|
||
func (s StorageDefenderResource) Create() sdk.ResourceFunc { | ||
return sdk.ResourceFunc{ | ||
Timeout: 10 * time.Minute, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we bump this up to 30
, with such short timeouts we run the risk of being affected by rate limiting by the API.
|
||
if model := resp.Model; model != nil { | ||
if prop := model.Properties; prop != nil { | ||
state.Enabled = pointer.From(prop.IsEnabled) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Here we should check if it's disabled, and if so then mark the resource as gone.
state := StorageDefenderModel{ | ||
StorageAccountId: id.ID(), | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since this is a scoped ID, we need to parse the scope part of id
as a storage account ID
state := StorageDefenderModel{ | |
StorageAccountId: id.ID(), | |
} | |
storageAccountId, err := commonids.ParseStorageAccountID(id.Scope) | |
if err != nil { | |
return err | |
} | |
state := StorageDefenderModel{ | |
StorageAccountId: storageAccountId.ID(), | |
} |
if err != nil { | ||
if !response.WasNotFound(resp.HttpResponse) { | ||
return fmt.Errorf("reading %+v", err) | ||
} | ||
} | ||
// if the resource has never been created, it returns 404. | ||
// once created, it could only be set to disable. | ||
if response.WasNotFound(resp.HttpResponse) { | ||
return nil | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If the resource doesn't exist (or in this case disabled) when the delete is run we should raise an error instead of returning nil
if err != nil { | |
if !response.WasNotFound(resp.HttpResponse) { | |
return fmt.Errorf("reading %+v", err) | |
} | |
} | |
// if the resource has never been created, it returns 404. | |
// once created, it could only be set to disable. | |
if response.WasNotFound(resp.HttpResponse) { | |
return nil | |
} | |
if err != nil { | |
return fmt.Errorf("retrieving %s: %+v", id, err) | |
} |
|
||
_, err = client.Create(ctx, *id, input) | ||
if err != nil { | ||
return fmt.Errorf("deleting %+v", err) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
return fmt.Errorf("deleting %+v", err) | |
return fmt.Errorf("deleting %s: %+v", id, err) |
var _ sdk.ResourceWithUpdate = StorageDefenderResource{} | ||
|
||
func (s StorageDefenderResource) IDValidationFunc() pluginsdk.SchemaValidateFunc { | ||
return commonids.ValidateScopeID |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we extend this to parse the Scope
part of the id as a storage account ID
Signed-off-by: ziyeqf <[email protected]>
Signed-off-by: ziyeqf <[email protected]>
Signed-off-by: ziyeqf <[email protected]>
Signed-off-by: ziyeqf <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for making the changes @ziyeqf. Tests are passing and this LGTM.
<Actions> <action id="4a39167e811ac038e4a588362092472c27cfbe9e4929ae61d035f708a093a669"> <h3>Bump Terraform `azurerm` provider version</h3> <details id="1d9343c012f5434ac9fe8a98135bae3667b399259be16d9b14302ea3bd424a24"> <summary>Update Terraform lock file</summary> <p>"hashicorp/azurerm" updated from "3.74.0" to "3.75.0" in file ".terraform.lock.hcl"</p> <details> <summary>3.75.0</summary> <pre>Changelog retrieved from:
	https://github.com/hashicorp/terraform-provider-azurerm/releases/tag/v3.75.0
FEATURES:

* New Resource: `azurerm_application_load_balancer` ([#22517](hashicorp/terraform-provider-azurerm#22517 New Resource: `azurerm_resource_management_private_link` ([#23098](https://github.com/hashicorp/terraform-provider-azurerm/issues/23098))

ENHANCEMENTS:

* dependencies: `firewall` migrated to `hashicorp/go-azure-sdk` ([#22863](hashicorp/terraform-provider-azurerm#22863 `azurerm_bot_service_azure_bot` - add support for the `icon_url` property ([#23114](hashicorp/terraform-provider-azurerm#23114 `azurerm_cognitive_deployment` - `capacity` property is now updateable ([#23251](hashicorp/terraform-provider-azurerm#23251 `azurerm_container_group` - added support for `key_vault_user_identity_id` ([#23332](hashicorp/terraform-provider-azurerm#23332 `azurerm_data_factory` - added support for the `publish_enabled` property ([#2334](hashicorp/terraform-provider-azurerm#2334 `azurerm_firewall_policy_rule_collection_group` - add support for the `description` property ([#23354](hashicorp/terraform-provider-azurerm#23354 `azurerm_kubernetes_cluster` - `network_profile.network_policy` can be migrated to `cilium` ([#23342](hashicorp/terraform-provider-azurerm#23342 `azurerm_log_analytics_workspace` - add support for the `data_collection_rule_id` property ([#23347](hashicorp/terraform-provider-azurerm#23347 `azurerm_mysql_flexible_server` - add support for the `io_scaling_enabled` property ([#23329](https://github.com/hashicorp/terraform-provider-azurerm/issues/23329))

BUG FIXES:

* `azurerm_api_management_api` - fix importing `openapi` format content file issue ([#23348](hashicorp/terraform-provider-azurerm#23348 `azurerm_cdn_frontdoor_rule` - allow a `cache_duration` of `00:00:00` ([#23384](hashicorp/terraform-provider-azurerm#23384 `azurerm_cosmosdb_cassandra_datacenter` - `sku_name` is now updatable ([#23419](hashicorp/terraform-provider-azurerm#23419 `azurerm_key_vault_certificate` - fix a bug that prevented soft-deleted certificates from being recovered ([#23204](hashicorp/terraform-provider-azurerm#23204 `azurerm_log_analytics_solution` - fix create and update lifecycle of resource by splitting methods ([#23333](hashicorp/terraform-provider-azurerm#23333 `azurerm_management_group_subscription_association` - mark resource as gone correctly if not found when retrieving ([#23335](hashicorp/terraform-provider-azurerm#23335 `azurerm_management_lock` - add polling after create and delete to check for RP propagation ([#23345](hashicorp/terraform-provider-azurerm#23345 `azurerm_monitor_diagnostic_setting` - added validation to ensure at least one of `category` or `category_group` is supplied ([#23308](hashicorp/terraform-provider-azurerm#23308 `azurerm_palo_alto_local_rulestack_prefix_list` - fix rulestack not being committed on delete ([#23362](hashicorp/terraform-provider-azurerm#23362 `azurerm_palo_alto_local_rulestack_fqdn_list` - fix rulestack not being committed on delete ([#23362](hashicorp/terraform-provider-azurerm#23362 `security_center_subscription_pricing_resource` - disabled extensions logic now works as expected ([#22997](https://github.com/hashicorp/terraform-provider-azurerm/issues/22997))



</pre> </details> <details> <summary>3.76.0</summary> <pre>Changelog retrieved from:
	https://github.com/hashicorp/terraform-provider-azurerm/releases/tag/v3.76.0
FEATURES:

* New Resource: `azurerm_security_center_storage_defender` ([#23242](hashicorp/terraform-provider-azurerm#23242 New Resource: `azurerm_spring_cloud_application_insights_application_performance_monitoring` ([#23107](https://github.com/hashicorp/terraform-provider-azurerm/issues/23107))

ENHANCEMENTS:

* provider: updating to build using Go `1.21.3` ([#23514](hashicorp/terraform-provider-azurerm#23514 provider: the `roll_instances_when_required` provider feature in the `virtual_machine_scale_set` block is now optional ([#22976](hashicorp/terraform-provider-azurerm#22976 dependencies: updating to `v0.20231012.1141427` of `github.com/hashicorp/go-azure-sdk` ([#23534](hashicorp/terraform-provider-azurerm#23534 Data Source: `azurerm_application_gateway` - support for `backend_http_settings`, `global`, `gateway_ip_configuration` and additional attributes ([#23318](hashicorp/terraform-provider-azurerm#23318 Data Source: `azurerm_network_service_tags` - export the `name` attribute ([#23382](hashicorp/terraform-provider-azurerm#23382 `azurerm_cosmosdb_postgresql_cluster` - add support for `sql_version` of `16` and `citus_version` of `12.1` ([#23476](hashicorp/terraform-provider-azurerm#23476 `azurerm_palo_alto_local_rulestack` - correctly normalize the `location` property ([#23483](hashicorp/terraform-provider-azurerm#23483 `azurerm_static_site` - add support for `app_settings` ([#23421](https://github.com/hashicorp/terraform-provider-azurerm/issues/23421))

BUG FIXES:

* `azurerm_automation_schedule` - fix a bug when updating `start_time` ([#23494](hashicorp/terraform-provider-azurerm#23494 `azurerm_eventhub` - remove ForceNew and check `partition_count` is not decreased ([#23499](hashicorp/terraform-provider-azurerm#23499 `azurerm_managed_lustre_file_system` - update validation for `storage_capacity_in_tb` according to `sku_name` in use ([#23428](hashicorp/terraform-provider-azurerm#23428 `azurerm_virtual_machine` - fix a crash when the API response for the `os_profile` block contains nil properties ([#23535](https://github.com/hashicorp/terraform-provider-azurerm/issues/23535))


</pre> </details> </details> </action> </Actions> --- <table> <tr> <td width="77"> <img src="https://www.updatecli.io/images/updatecli.png" alt="Updatecli logo" width="50" height="50"> </td> <td> <p> Created automatically by <a href="https://www.updatecli.io/">Updatecli</a> </p> <details><summary>Options:</summary> <br /> <p>Most of Updatecli configuration is done via <a href="https://www.updatecli.io/docs/prologue/quick-start/">its manifest(s)</a>.</p> <ul> <li>If you close this pull request, Updatecli will automatically reopen it, the next time it runs.</li> <li>If you close this pull request and delete the base branch, Updatecli will automatically recreate it, erasing all previous commits made.</li> </ul> <p> Feel free to report any issues at <a href="https://github.com/updatecli/updatecli/issues">github.com/updatecli/updatecli</a>.<br /> If you find this tool useful, do not hesitate to star <a href="https://github.com/updatecli/updatecli/stargazers">our GitHub repository</a> as a sign of appreciation, and/or to tell us directly on our <a href="https://matrix.to/#/#Updatecli_community:gitter.im">chat</a>! </p> </details> </td> </tr> </table> --------- Co-authored-by: Jenkins Infra Bot (updatecli) <[email protected]> Co-authored-by: Damien Duportal <[email protected]>
I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions. |
test
There are two design questions:
Shall we reset every value to default during
delete
?Since it could only be disabled but can not be deleted, these values will be kept if we dont do the reset.
Shall we use the scope id as the resource id in terraform?
The ID defined in Swagger was
/{resourceId}/providers/Microsoft.Security/defenderForStorageSettings/{settingName}
, while thesettingName
could only becurrent
for now. I'm bit concerned to use the storageAccountId/scopeId as the id of the defender. While the generatedgo-azure-sdk
does not contains an id defenition for it but only scope id.