New resource: azurerm_security_center_storage_defender
#23242
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ziyeqf
force-pushed
the
tengzh/storage_defender
branch
from
2061200
to
b749bf8
Compare
Signed-off-by: ziyeqf <51212351+ziyeqf@users.noreply.github.com>
ziyeqf
force-pushed
the
tengzh/storage_defender
branch
from
b749bf8
to
de375a8
Compare
stephybun
requested changes
Sep 21, 2023
internal/provider/services.go
Outdated
| @@ -199,6 +199,7 @@ func SupportedTypedServices() []sdk.TypedServiceRegistration { | |||
| vmware.Registration{}, | |||
| voiceservices.Registration{}, | |||
| web.Registration{}, | |||
| securitycenter.Registration{}, | |||
go.mod
Outdated
| @@ -15,7 +15,7 @@ require ( | |||
| github.com/google/go-cmp v0.5.9 | |||
| github.com/google/uuid v1.3.1 | |||
| github.com/hashicorp/go-azure-helpers v0.59.0 | |||
| github.com/hashicorp/go-azure-sdk v0.20230907.1113401 | |||
| github.com/hashicorp/go-azure-sdk v0.20230911.1163300 | |||
There was a problem hiding this comment.
For future reference these have to go into their own PR to avoid conflicts. So can you please revert this and also do a rebase since the go-azure-sdk has already been updated since the opening of this PR.
Comment on lines
53
to
56
| "enabled": { | ||
| Type: pluginsdk.TypeBool, | ||
| Required: true, | ||
| }, |
There was a problem hiding this comment.
We don't expose the enabled field as explained in the contributor docs.
This field should be controlled purely by the creation of it enabled = true and the deletion of it enabled = false.
Comment on lines
70
to
88
| "malware_scanning_on_upload_cap_gb_per_month": { | ||
| Type: pluginsdk.TypeInt, | ||
| Optional: true, | ||
| Default: -1, | ||
| ValidateFunc: func(i interface{}, s string) (warnings []string, errors []error) { | ||
| // it requires -1 or greater than 0 | ||
| v, ok := i.(int) | ||
| if !ok { | ||
| errors = append(errors, fmt.Errorf("expected type of %s to be integer", s)) | ||
| return warnings, errors | ||
| } | ||
|
|
||
| if v == -1 { | ||
| return warnings, errors | ||
| } | ||
|
|
||
| return validation.IntAtLeast(-1)(i, s) | ||
| }, | ||
| }, |
There was a problem hiding this comment.
What does -1 mean in this case? Also what would 0 mean?
There was a problem hiding this comment.
the service does not accept 0, and -1 means no limit on that cap. Do we need to map user input 0 to payload -1?
There was a problem hiding this comment.
I think this can be more clearly/simply achieved with:
Suggested change
| "malware_scanning_on_upload_cap_gb_per_month": { | |
| Type: pluginsdk.TypeInt, | |
| Optional: true, | |
| Default: -1, | |
| ValidateFunc: func(i interface{}, s string) (warnings []string, errors []error) { | |
| // it requires -1 or greater than 0 | |
| v, ok := i.(int) | |
| if !ok { | |
| errors = append(errors, fmt.Errorf("expected type of %s to be integer", s)) | |
| return warnings, errors | |
| } | |
| if v == -1 { | |
| return warnings, errors | |
| } | |
| return validation.IntAtLeast(-1)(i, s) | |
| }, | |
| }, | |
| "malware_scanning_on_upload_cap_gb_per_month": { | |
| Type: pluginsdk.TypeInt, | |
| Optional: true, | |
| Default: -1, | |
| ValidateFunc: validation.Any( | |
| validation.IntAtLeast(1), | |
| validation.IntInSlice([]int{-1}), | |
| ), | |
| }, |
|
|
||
| func (s StorageDefenderResource) Create() sdk.ResourceFunc { | ||
| return sdk.ResourceFunc{ | ||
| Timeout: 10 * time.Minute, |
There was a problem hiding this comment.
Can we bump this up to 30, with such short timeouts we run the risk of being affected by rate limiting by the API.
|
|
||
| if model := resp.Model; model != nil { | ||
| if prop := model.Properties; prop != nil { | ||
| state.Enabled = pointer.From(prop.IsEnabled) |
There was a problem hiding this comment.
Here we should check if it's disabled, and if so then mark the resource as gone.
Comment on lines
250
to
252
| state := StorageDefenderModel{ | ||
| StorageAccountId: id.ID(), | ||
| } |
There was a problem hiding this comment.
Since this is a scoped ID, we need to parse the scope part of id as a storage account ID
Suggested change
| state := StorageDefenderModel{ | |
| StorageAccountId: id.ID(), | |
| } | |
| storageAccountId, err := commonids.ParseStorageAccountID(id.Scope) | |
| if err != nil { | |
| return err | |
| } | |
| state := StorageDefenderModel{ | |
| StorageAccountId: storageAccountId.ID(), | |
| } |
Comment on lines
289
to
298
| if err != nil { | ||
| if !response.WasNotFound(resp.HttpResponse) { | ||
| return fmt.Errorf("reading %+v", err) | ||
| } | ||
| } | ||
| // if the resource has never been created, it returns 404. | ||
| // once created, it could only be set to disable. | ||
| if response.WasNotFound(resp.HttpResponse) { | ||
| return nil | ||
| } |
There was a problem hiding this comment.
If the resource doesn't exist (or in this case disabled) when the delete is run we should raise an error instead of returning nil
Suggested change
| if err != nil { | |
| if !response.WasNotFound(resp.HttpResponse) { | |
| return fmt.Errorf("reading %+v", err) | |
| } | |
| } | |
| // if the resource has never been created, it returns 404. | |
| // once created, it could only be set to disable. | |
| if response.WasNotFound(resp.HttpResponse) { | |
| return nil | |
| } | |
| if err != nil { | |
| return fmt.Errorf("retrieving %s: %+v", id, err) | |
| } |
|
|
||
| _, err = client.Create(ctx, *id, input) | ||
| if err != nil { | ||
| return fmt.Errorf("deleting %+v", err) |
There was a problem hiding this comment.
Suggested change
| return fmt.Errorf("deleting %+v", err) | |
| return fmt.Errorf("deleting %s: %+v", id, err) |
| var _ sdk.ResourceWithUpdate = StorageDefenderResource{} | ||
|
|
||
| func (s StorageDefenderResource) IDValidationFunc() pluginsdk.SchemaValidateFunc { | ||
| return commonids.ValidateScopeID |
There was a problem hiding this comment.
Can we extend this to parse the Scope part of the id as a storage account ID
Signed-off-by: ziyeqf <51212351+ziyeqf@users.noreply.github.com>
Signed-off-by: ziyeqf <51212351+ziyeqf@users.noreply.github.com>
Signed-off-by: ziyeqf <51212351+ziyeqf@users.noreply.github.com>
Signed-off-by: ziyeqf <51212351+ziyeqf@users.noreply.github.com>
manicminer
approved these changes
Oct 12, 2023
There was a problem hiding this comment.
Thanks for making the changes @ziyeqf. Tests are passing and this LGTM.
manicminer
added a commit
that referenced
this pull request
Oct 12, 2023
dduportal
added a commit
to jenkins-infra/azure
that referenced
this pull request
Oct 16, 2023
<Actions>
<action
id="4a39167e811ac038e4a588362092472c27cfbe9e4929ae61d035f708a093a669">
<h3>Bump Terraform `azurerm` provider version</h3>
<details
id="1d9343c012f5434ac9fe8a98135bae3667b399259be16d9b14302ea3bd424a24">
<summary>Update Terraform lock file</summary>
<p>"hashicorp/azurerm" updated from "3.74.0" to
"3.75.0" in file ".terraform.lock.hcl"</p>
<details>
<summary>3.75.0</summary>
<pre>Changelog retrieved
from:
	https://github.com/hashicorp/terraform-provider-azurerm/releases/tag/v3.75.0
FEATURES:

*
New Resource: `azurerm_application_load_balancer`
([#22517](https://github.com/hashicorp/terraform-provider-azurerm/issues/22517))
*
New Resource: `azurerm_resource_management_private_link`
([#23098](https://github.com/hashicorp/terraform-provider-azurerm/issues/23098))

ENHANCEMENTS:

*
dependencies: `firewall` migrated to `hashicorp/go-azure-sdk`
([#22863](https://github.com/hashicorp/terraform-provider-azurerm/issues/22863))
*
`azurerm_bot_service_azure_bot` - add support for the `icon_url`
property
([#23114](https://github.com/hashicorp/terraform-provider-azurerm/issues/23114))
*
`azurerm_cognitive_deployment` - `capacity` property is now updateable
([#23251](https://github.com/hashicorp/terraform-provider-azurerm/issues/23251))
*
`azurerm_container_group` - added support for
`key_vault_user_identity_id`
([#23332](https://github.com/hashicorp/terraform-provider-azurerm/issues/23332))
*
`azurerm_data_factory` - added support for the `publish_enabled`
property
([#2334](https://github.com/hashicorp/terraform-provider-azurerm/issues/2334))
*
`azurerm_firewall_policy_rule_collection_group` - add support for the
`description` property
([#23354](https://github.com/hashicorp/terraform-provider-azurerm/issues/23354))
*
`azurerm_kubernetes_cluster` - `network_profile.network_policy` can be
migrated to `cilium`
([#23342](https://github.com/hashicorp/terraform-provider-azurerm/issues/23342))
*
`azurerm_log_analytics_workspace` - add support for the
`data_collection_rule_id` property
([#23347](https://github.com/hashicorp/terraform-provider-azurerm/issues/23347))
*
`azurerm_mysql_flexible_server` - add support for the
`io_scaling_enabled` property
([#23329](https://github.com/hashicorp/terraform-provider-azurerm/issues/23329))

BUG
FIXES:

* `azurerm_api_management_api` - fix importing `openapi`
format content file issue
([#23348](https://github.com/hashicorp/terraform-provider-azurerm/issues/23348))
*
`azurerm_cdn_frontdoor_rule` - allow a `cache_duration` of `00:00:00`
([#23384](https://github.com/hashicorp/terraform-provider-azurerm/issues/23384))
*
`azurerm_cosmosdb_cassandra_datacenter` - `sku_name` is now updatable
([#23419](https://github.com/hashicorp/terraform-provider-azurerm/issues/23419))
*
`azurerm_key_vault_certificate` - fix a bug that prevented soft-deleted
certificates from being recovered
([#23204](https://github.com/hashicorp/terraform-provider-azurerm/issues/23204))
*
`azurerm_log_analytics_solution` - fix create and update lifecycle of
resource by splitting methods
([#23333](https://github.com/hashicorp/terraform-provider-azurerm/issues/23333))
*
`azurerm_management_group_subscription_association` - mark resource as
gone correctly if not found when retrieving
([#23335](https://github.com/hashicorp/terraform-provider-azurerm/issues/23335))
*
`azurerm_management_lock` - add polling after create and delete to check
for RP propagation
([#23345](https://github.com/hashicorp/terraform-provider-azurerm/issues/23345))
*
`azurerm_monitor_diagnostic_setting` - added validation to ensure at
least one of `category` or `category_group` is supplied
([#23308](https://github.com/hashicorp/terraform-provider-azurerm/issues/23308))
*
`azurerm_palo_alto_local_rulestack_prefix_list` - fix rulestack not
being committed on delete
([#23362](https://github.com/hashicorp/terraform-provider-azurerm/issues/23362))
*
`azurerm_palo_alto_local_rulestack_fqdn_list` - fix rulestack not being
committed on delete
([#23362](https://github.com/hashicorp/terraform-provider-azurerm/issues/23362))
*
`security_center_subscription_pricing_resource` - disabled extensions
logic now works as expected
([#22997](https://github.com/hashicorp/terraform-provider-azurerm/issues/22997))



</pre>
</details>
<details>
<summary>3.76.0</summary>
<pre>Changelog retrieved
from:
	https://github.com/hashicorp/terraform-provider-azurerm/releases/tag/v3.76.0
FEATURES:

*
New Resource: `azurerm_security_center_storage_defender`
([#23242](https://github.com/hashicorp/terraform-provider-azurerm/issues/23242))
*
New Resource:
`azurerm_spring_cloud_application_insights_application_performance_monitoring`
([#23107](https://github.com/hashicorp/terraform-provider-azurerm/issues/23107))

ENHANCEMENTS:

*
provider: updating to build using Go `1.21.3`
([#23514](https://github.com/hashicorp/terraform-provider-azurerm/issues/23514))
*
provider: the `roll_instances_when_required` provider feature in the
`virtual_machine_scale_set` block is now optional
([#22976](https://github.com/hashicorp/terraform-provider-azurerm/issues/22976))
*
dependencies: updating to `v0.20231012.1141427` of
`github.com/hashicorp/go-azure-sdk`
([#23534](https://github.com/hashicorp/terraform-provider-azurerm/issues/23534))
*
Data Source: `azurerm_application_gateway` - support for
`backend_http_settings`, `global`, `gateway_ip_configuration` and
additional attributes
([#23318](https://github.com/hashicorp/terraform-provider-azurerm/issues/23318))
*
Data Source: `azurerm_network_service_tags` - export the `name`
attribute
([#23382](https://github.com/hashicorp/terraform-provider-azurerm/issues/23382))
*
`azurerm_cosmosdb_postgresql_cluster` - add support for `sql_version` of
`16` and `citus_version` of `12.1`
([#23476](https://github.com/hashicorp/terraform-provider-azurerm/issues/23476))
*
`azurerm_palo_alto_local_rulestack` - correctly normalize the `location`
property
([#23483](https://github.com/hashicorp/terraform-provider-azurerm/issues/23483))
*
`azurerm_static_site` - add support for `app_settings`
([#23421](https://github.com/hashicorp/terraform-provider-azurerm/issues/23421))

BUG
FIXES:

* `azurerm_automation_schedule` - fix a bug when
updating `start_time`
([#23494](https://github.com/hashicorp/terraform-provider-azurerm/issues/23494))
*
`azurerm_eventhub` - remove ForceNew and check `partition_count` is not
decreased
([#23499](https://github.com/hashicorp/terraform-provider-azurerm/issues/23499))
*
`azurerm_managed_lustre_file_system` - update validation for
`storage_capacity_in_tb` according to `sku_name` in use
([#23428](https://github.com/hashicorp/terraform-provider-azurerm/issues/23428))
*
`azurerm_virtual_machine` - fix a crash when the API response for the
`os_profile` block contains nil properties
([#23535](https://github.com/hashicorp/terraform-provider-azurerm/issues/23535))


</pre>
</details>
</details>
</action>
</Actions>
---
<table>
<tr>
<td width="77">
<img src="https://www.updatecli.io/images/updatecli.png" alt="Updatecli
logo" width="50" height="50">
</td>
<td>
<p>
Created automatically by <a
href="https://www.updatecli.io/">Updatecli</a>
</p>
<details><summary>Options:</summary>
<br />
<p>Most of Updatecli configuration is done via <a
href="https://www.updatecli.io/docs/prologue/quick-start/">its
manifest(s)</a>.</p>
<ul>
<li>If you close this pull request, Updatecli will automatically reopen
it, the next time it runs.</li>
<li>If you close this pull request and delete the base branch, Updatecli
will automatically recreate it, erasing all previous commits made.</li>
</ul>
<p>
Feel free to report any issues at <a
href="https://github.com/updatecli/updatecli/issues">github.com/updatecli/updatecli</a>.<br
/>
If you find this tool useful, do not hesitate to star <a
href="https://github.com/updatecli/updatecli/stargazers">our GitHub
repository</a> as a sign of appreciation, and/or to tell us directly on
our <a
href="https://matrix.to/#/#Updatecli_community:gitter.im">chat</a>!
</p>
</details>
</td>
</tr>
</table>
---------
Co-authored-by: Jenkins Infra Bot (updatecli) <60776566+jenkins-infra-bot@users.noreply.github.com>
Co-authored-by: Damien Duportal <damien.duportal@gmail.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
test
There are two design questions:
Shall we reset every value to default during
delete?Since it could only be disabled but can not be deleted, these values will be kept if we dont do the reset.
Shall we use the scope id as the resource id in terraform?
The ID defined in Swagger was
/{resourceId}/providers/Microsoft.Security/defenderForStorageSettings/{settingName}, while thesettingNamecould only becurrentfor now. I'm bit concerned to use the storageAccountId/scopeId as the id of the defender. While the generatedgo-azure-sdkdoes not contains an id defenition for it but only scope id.