security_center_subscription_pricing_resource: add extensions support #22643

@Ihab-Zhaika Ihab-Zhaika commented Jul 23, 2023

This PR contains changes to the azurerm_security_center_subscription_pricing resource which add the extension block to the resource schema, to support Defender for Cloud Pricing Advanced configuration.

Closes: #16217

@Ihab-Zhaika
Contributor Author

Need to solve │ * resource azurerm_security_center_subscription_pricing: extensions: Elem must be set for lists

Member

@catriona-m catriona-m left a comment

Thanks for this @Ihab-Zhaika - could we include a test for this new property to ensure that it works as expected? Thanks!

@Ihab-Zhaika Ihab-Zhaika force-pushed the feature/ihabzhaika/add_extension_to_pricing branch from f736035 to 09f43fd Compare July 24, 2023 13:50
@Ihab-Zhaika Ihab-Zhaika force-pushed the feature/ihabzhaika/add_extension_to_pricing branch 5 times, most recently from 3164755 to b586332 Compare July 24, 2023 14:36
@Ihab-Zhaika Ihab-Zhaika force-pushed the feature/ihabzhaika/add_extension_to_pricing branch from b586332 to cfdce75 Compare July 24, 2023 14:39
@Ihab-Zhaika Ihab-Zhaika force-pushed the feature/ihabzhaika/add_extension_to_pricing branch from b393570 to 82d84e7 Compare July 25, 2023 10:21
Member

@catriona-m catriona-m left a comment

Hi @Ihab-Zhaika, thanks for taking the time to work on this! I left a few comments/suggestions inline but once those are addressed I can take another look at this. Thanks!

Signed-off-by: Ihab Zhaika <ihabzhaika@microsoft.com>
@github-actions github-actions bot added size/L and removed size/M labels Aug 6, 2023
@Ihab-Zhaika
Contributor Author

@tombuildsstuff All changes are done, can you please check if it can be approved?

Signed-off-by: Ihab Zhaika <ihabzhaika@microsoft.com>
@Ihab-Zhaika
Contributor Author

@catriona-m can you please run the final checks, we are in a rush

Signed-off-by: Ihab Zhaika <ihabzhaika@microsoft.com>
@Ihab-Zhaika
Contributor Author

@catriona-m can you please run the checks once again

@Ihab-Zhaika
Contributor Author

@catriona-m Thanks for running the checks, all passed, can it be merged?

@catriona-m
Member

Hi @Ihab-Zhaika thanks for making the additional changes to this. I ran the test locally and found that it is currently failing with this error:

```
=== RUN   TestAccSecurityCenterSubscriptionPricing_cloudPostureExtension
    testcase.go:120: Step 1/2 error: After applying this test step and performing a `terraform refresh`, the plan was not empty.
        stdout


        Terraform used the selected providers to generate the following execution
        plan. Resource actions are indicated with the following symbols:
          ~ update in-place

        Terraform will perform the following actions:

          # azurerm_security_center_subscription_pricing.test will be updated in-place
          ~ resource "azurerm_security_center_subscription_pricing" "test" {
                id            = "/subscriptions/xxxx/providers/Microsoft.Security/pricings/CloudPosture"
                # (2 unchanged attributes hidden)

              - extension {
                  - additional_extension_properties = {} -> null
                  - name                            = "AgentlessDiscoveryForKubernetes" -> null
                }
              - extension {
                  - additional_extension_properties = {} -> null
                  - name                            = "ContainerRegistriesVulnerabilityAssessments" -> null
                }

                # (2 unchanged blocks hidden)
            }

        Plan: 0 to add, 1 to change, 0 to destroy.
--- FAIL: TestAccSecurityCenterSubscriptionPricing_cloudPostureExtension (35.25s)

FAIL
```

If you are happy for me to push changes to the PR, I can take a look at fixing this tomorrow and adding the additional test steps we need.

Thanks!

@Ihab-Zhaika
Contributor Author

@catriona-m
Sure, I would be happy to

Contributor Author

@Ihab-Zhaika Ihab-Zhaika left a comment

Seems good

@Ihab-Zhaika
Contributor Author

@catriona-m Thanks for adding those improvements, when can it be merged?

@catriona-m
Member

@Ihab-Zhaika I am waiting on the tests completing, then we can request another review and hopefully this should be good to merge soon 👍

@Ihab-Zhaika
Contributor Author

Sure, @catriona-m I see all tests passed

@catriona-m
Member

Apologies @Ihab-Zhaika, I meant the acceptance tests. Going to merge this now! Thanks!

@catriona-m catriona-m merged commit 4f01764 into hashicorp:main Aug 9, 2023
24 checks passed
catriona-m added a commit that referenced this pull request Aug 9, 2023
@github-actions github-actions bot added this to the v3.69.0 milestone Aug 9, 2023
@Ihab-Zhaika
Contributor Author

@tombuildsstuff @catriona-m

I want to discuss something. Is there a Slack or something, or just via comments?

This PR is already completed, so this is not for it but for the next PR:

In the extensions, you mentioned that if the "extension" appears then it is enabled, and if it does not exist in the template then it is off. Is this "required" behavior, or something that I can change in the upcoming PRs?

Since, for example, we want that if the customer did not specify any extension, then by default all of them are turned on for him, which conflicts with the approach of specifying the required extensions one by one.
Now I understand that IsChanged can help drive this approach, but as we know a lot of customers won't be aware of it, so what do you suggest?
Is it OK, for example, to have a similar case:

tf apply
tf apply

without changing the template, where the second apply would make some changes?
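
An added example, not part of the comment above and not code from this PR or the provider: it models the failing plan earlier in the thread and the "present means enabled, absent means off" rule discussed here, showing which Defender extensions are enabled on the subscription without being recorded in configuration. The `Extension` type, both function names and the `SensitiveDataDiscovery` sample entry are assumptions; the other two extension names are taken from the plan output.

```go
package main

import (
	"fmt"
	"sort"
)

// Extension is a simplified stand-in for one entry of the pricing API's
// extension list (type and field names are assumptions for this example).
type Extension struct {
	Name    string
	Enabled bool
}

// expand builds the list sent on create/update: every extension the API
// reports is listed, enabled only when it is declared in configuration.
func expand(declared map[string]bool, remote []Extension) []Extension {
	out, seen := []Extension{}, map[string]bool{}
	for _, r := range remote {
		out = append(out, Extension{r.Name, declared[r.Name]})
		seen[r.Name] = true
	}
	for n, on := range declared { // declared but not yet reported by the API
		if on && !seen[n] {
			out = append(out, Extension{n, true})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Name < out[j].Name })
	return out
}

// undeclared returns enabled extensions absent from configuration: the
// entries a plan shows as "- extension" after a refresh.
func undeclared(declared map[string]bool, remote []Extension) []string {
	drift := []string{}
	for _, r := range remote {
		if r.Enabled && !declared[r.Name] {
			drift = append(drift, r.Name)
		}
	}
	return drift
}

func main() {
	// Constructed sample: one declared extension, two more enabled remotely.
	declared := map[string]bool{"SensitiveDataDiscovery": true}
	remote := []Extension{{"AgentlessDiscoveryForKubernetes", true},
		{"ContainerRegistriesVulnerabilityAssessments", true}, {"SensitiveDataDiscovery", true}}
	fmt.Println(undeclared(declared, remote), undeclared(declared, expand(declared, remote)))
}
```

A non-empty result from `undeclared` is worth reviewing before applying, since under the rule above the next apply would switch those protections off.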

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 18, 2024
Successfully merging this pull request may close these issues.

Support for Defender for Cloud Pricing Advanced Configuration