azurerm_security_center_storage_defender Support for explicitly setting is_enabled

[audunsolemdal]

Is there an existing issue for this?

• I have searched the existing issues

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave comments along the lines of "+1", "me too" or "any updates", they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Description

My org currently deploys Defender for Storage at multiple subscriptions via Azure Policy using the MDFC classic per transaction storage plan. The classic plan will be unsupported for new subscriptions in a few months, and the new plan costs $10 minimum per month. Ideally we would have preferred a per-transaction model, but I am now planning to disable MDFC for specific storage accounts.

From what I can tell the current logic of azurerm_security_center_storage_defender is implicit when it comes to setting the IsEnabled property. I believe it is implicitly set true when created, and implicitly set to false when the resource is removed(?)

For my use case it would be optimal to support setting both these settings at the same time

        "isEnabled": false,
        "overrideSubscriptionLevelSettings": true

New or Affected Resource(s)/Data Source(s)

azurerm_security_center_storage_defender

Potential Terraform Configuration

resource "azurerm_security_center_storage_defender" "example" {
  storage_account_id = azurerm_storage_account.example.id
  override_subscription_settings_enabled = true
  is_enabled = false
}

References

https://learn.microsoft.com/en-us/azure/defender-for-cloud/advanced-configurations-for-malware-scanning#override-defender-for-storage-subscription-level-settings
https://learn.microsoft.com/en-us/azure/defender-for-cloud/advanced-configurations-for-malware-scanning#rest-api

https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-storage-classic-migrate#impact-on-the-defender-for-storage-classic-per-transaction-plan

[sinbai]

Hi @audunsolemdal thanks for opening this issue. I would like to explain that Terraform performs CRUD management on Azure resources through the Azure rest API. For the behavior of this API, once isEnabled = false is set, the Get API returns 404. his means that the resource cannot be found when deleting the resource. Because of this API behavior, Terraform implements deletion by setting isEnabled = false. Please refer to the code for details.

Therefore, for your case, could you try to remove the resource azurerm_security_center_storage_defender of the specific storage accounts to solve it?

[audunsolemdal]

once isEnabled = false is set, the Get API returns 404. his means that the resource cannot be found when deleting the resource.

Ok, important detail, thanks.

Therefore, for your case, could you try to remove the resource azurerm_security_center_storage_defender of the specific storage accounts to solve it?

I could, but this sounds like a hassle to do reliably at scale since I don't use this resource already. I think I will rather try using the azapi_update_resource or perhaps a script is better suited given the 404 behavior.

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.