Security Center Automation and Continuous Export is not working as expected #9975
Comments
Connection string of an eventhub (not namespace) contains all the necessary information, so potentially that's the one you need to pass?

@favoretti Thank you for your response. From the documentation page, I see that the connection string of the namespace is to be passed; also, in the example snippet, it's mentioned: connection_string = azurerm_eventhub_namespace.example.default_primary_connection_string Am I missing something here? Please advise.
Thank you. I tried adding EventHub to my TF Code; it got executed successfully but I still do not see it in Azure Portal. My updated script:

provider "azurerm" {
  features {}
}

data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "southeastasia"
}

resource "azurerm_eventhub_namespace" "example" {
  name                = "example-namespace12345"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  sku                 = "Standard"
  capacity            = 2
}

resource "azurerm_eventhub" "example" {
  name                = "acceptanceTestEventHub"
  namespace_name      = azurerm_eventhub_namespace.example.name
  resource_group_name = azurerm_resource_group.example.name
  partition_count     = 2
  message_retention   = 1
}

resource "azurerm_eventhub_authorization_rule" "example" {
  name                = "navi"
  namespace_name      = azurerm_eventhub_namespace.example.name
  eventhub_name       = azurerm_eventhub.example.name
  resource_group_name = azurerm_resource_group.example.name
  listen              = true
  send                = true
  manage              = false
}

resource "azurerm_security_center_automation" "example" {
  name                = "example-automation"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  action {
    type              = "EventHub"
    resource_id       = azurerm_eventhub.example.id
    connection_string = azurerm_eventhub_authorization_rule.example.primary_connection_string
  }

  source {
    event_source = "Assessments"
    rule_set {
      rule {
        property_path  = "properties.metadata.severity"
        operator       = "Equals"
        expected_value = "High"
        property_type  = "String"
      }
    }
  }

  scopes = ["/subscriptions/${data.azurerm_client_config.current.subscription_id}"]
}
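The two things the thread keeps circling are (a) whether the namespace-level or the hub-level connection string is the right one for the EventHub action, and (b) whether the authorization rule in the script above grants more than the export needs. The following checker is an added example written for this page, not code from the issue or from the azurerm provider. It parses an Event Hubs connection string using its documented layout (hub-level strings carry an `EntityPath=` segment, namespace-level ones do not), redacts the shared access key before the string is logged, and reports least-privilege and portal-visibility findings for an action block. The sample connection strings, key and subscription id are constructed placeholders that reuse the names from the script above; the assumption that an export target only needs Send is marked in the code.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Documented Event Hubs connection string layout (hub-level strings carry EntityPath):
#   Endpoint=sb://<ns>.servicebus.windows.net/;SharedAccessKeyName=<rule>;
#   SharedAccessKey=<base64 key>[;EntityPath=<hub>]

# Constructed sample values (placeholder key and subscription id) mirroring the
# names used in the thread's script.
SAMPLE_NAMESPACE_CS = (
    "Endpoint=sb://example-namespace12345.servicebus.windows.net/;"
    "SharedAccessKeyName=RootManageSharedAccessKey;SharedAccessKey=AAAAbbbb0000=="
)
SAMPLE_HUB_CS = (
    "Endpoint=sb://example-namespace12345.servicebus.windows.net/;"
    "SharedAccessKeyName=navi;SharedAccessKey=AAAAbbbb0000==;"
    "EntityPath=acceptanceTestEventHub"
)
SAMPLE_HUB_ID = (
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example-resources"
    "/providers/Microsoft.EventHub/namespaces/example-namespace12345/eventhubs/acceptanceTestEventHub"
)


@dataclass
class ConnStr:
    endpoint: str
    key_name: str
    key: str
    entity_path: Optional[str]


def parse_connection_string(cs: str) -> ConnStr:
    """Split a connection string into its fields. The base64 key may end in '='
    padding, so each segment is split only at its first '='."""
    parts: Dict[str, str] = {}
    for segment in cs.strip().strip(";").split(";"):
        name, sep, value = segment.partition("=")
        if not sep:
            # Report only the segment name; never echo a key fragment in an error.
            raise ValueError(f"malformed segment starting with {name[:16]!r}")
        parts[name.strip()] = value.strip()
    for required in ("Endpoint", "SharedAccessKeyName", "SharedAccessKey"):
        if required not in parts:
            raise ValueError(f"connection string lacks {required}")
    return ConnStr(parts["Endpoint"], parts["SharedAccessKeyName"],
                   parts["SharedAccessKey"], parts.get("EntityPath"))


def redact(cs: str) -> str:
    """Mask the shared access key so the string can be logged or shown in plan output.
    'SharedAccessKeyName=' is not matched because the pattern requires '=' right after 'Key'."""
    return re.sub(r"(SharedAccessKey=)[^;]*", r"\1***", cs)


def check_action(connection_string: str, hub_resource_id: str,
                 rights: Dict[str, bool], automation_name: str) -> List[str]:
    """Return human-readable findings for an EventHub action block; an empty list means clean."""
    findings: List[str] = []
    c = parse_connection_string(connection_string)
    hub_name = hub_resource_id.rstrip("/").rsplit("/", 1)[-1]
    if c.entity_path is None:
        findings.append("connection string is namespace-scoped (no EntityPath); "
                        "pass the hub-level authorization rule's string")
    elif c.entity_path != hub_name:
        findings.append(f"EntityPath {c.entity_path!r} does not match resource_id hub {hub_name!r}")
    # Least privilege for an export *target*: it only publishes events.
    # Assumption used here: Send alone suffices for the automation.
    if not rights.get("send", False):
        findings.append("authorization rule lacks Send; the automation cannot publish events")
    if rights.get("manage", False):
        findings.append("rule grants Manage; Send alone is enough for an export target")
    if rights.get("listen", False):
        findings.append("rule grants Listen; an export target never consumes from the hub")
    # The thread's finding: the portal only shows the automation named exportToEventHub.
    if automation_name != "exportToEventHub":
        findings.append(f"name {automation_name!r} deploys but the portal may not list it; "
                        "use 'exportToEventHub' if portal visibility matters")
    return findings


if __name__ == "__main__":
    # Rights exactly as set on the authorization rule in the script above.
    script_rights = {"listen": True, "send": True, "manage": False}
    print(redact(SAMPLE_HUB_CS))
    for finding in check_action(SAMPLE_HUB_CS, SAMPLE_HUB_ID, script_rights, "example-automation"):
        print("-", finding)
```

Run against the script's own values it reports two findings (the unused Listen right and the non-portal name) and none for a hub-scoped string with a Send-only rule. Remember that `primary_connection_string` lands in Terraform state in plaintext, so the state backend needs the same protection as the key itself; the `redact` helper is for anything that ends up in logs or CI output, not a substitute for state encryption.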
Team, just checking, any update on this item? If anything else needs to be tried, please let me know. Thank you.

@favoretti @benhurjoel I also tried the permutations you are recommending. TF code applies with no errors but the settings are not set in the security center UI. Test cases I followed - https://github.com/terraform-providers/terraform-provider-azurerm/blob/5a81ac99e139d3df2f4a8bca0883c7b798b2c4d7/azurerm/internal/services/securitycenter/security_center_automation_resource_test.go#L480
I’ll try to look into it next week if no one from HC (or elsewhere) beats me to it.
…On Thu, 7 Jan 2021 at 11:58, lolorol ***@***.***> wrote:
@favoretti <https://github.com/favoretti> @benhurjoel
<https://github.com/benhurjoel> I also tried the permutations you are
recommending. TF code applies with no errors but the settings are not set
in the security center UI.
I am facing the same issue.
Hi @benhurjoel, I had an investigation of data export, and you are right, this is the correct TF script. The acctest example is not right, though it could succeed. I will submit a PR to fix it soon. As for it not being visible from the Azure portal, I have read through the doc, and there might be two reasons:

If we only create the resource with the name "exportToEventHub" and limit the features to what the portal has, you could find that the portal shows it. For example:

The conclusion is: don't be confused by the portal, your TF script is totally right.

Thank you @njuCZ. I will test it out again and am looking forward to the updated documentation. Appreciate it!
This has been released in version 2.43.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example:

provider "azurerm" {
  version = "~> 2.43.0"
}
# ... other configuration ...
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 hashibot-feedback@hashicorp.com. Thanks!
Terraform (and AzureRM Provider) Version
Terraform v0.13.4
azurerm v2.40.0
Affected Resource(s)
azurerm_security_center_automation
Terraform Configuration Files
Debug Output
https://gist.github.com/benhurjoel/57bad9b2b5cb7410a1bb5005389962e0
Expected Behaviour
Continuous export should be visible on the Azure Portal post deployment. Tried both with the EventHub and the LogAnalytics type.
Actual Behaviour
I notice that the Event Hub name and the authorization rule name are required to set up continuous export (for the EventHub type). I tried setting up Continuous Export on the Azure Portal manually and I have to choose the following attributes:
But I do not see a way to specify them using the Terraform resource. Only the EventHub namespace is available to specify.
The available options using Terraform :
Steps to Reproduce
terraform apply
References
https://docs.microsoft.com/en-us/azure/security-center/continuous-export?tabs=azure-portal