
azurerm_security_center_storage_defender Support for explicitly setting is_enabled #27350

Closed
audunsolemdal opened this issue Sep 11, 2024 · 3 comments · May be fixed by miljodir/terraform-azurerm-storage-account#13

Comments

@audunsolemdal
Contributor

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave comments along the lines of "+1", "me too" or "any updates", they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Description

My org currently deploys Defender for Storage at multiple subscriptions via Azure Policy using the MDFC classic per transaction storage plan. The classic plan will be unsupported for new subscriptions in a few months, and the new plan costs $10 minimum per month. Ideally we would have preferred a per-transaction model, but I am now planning to disable MDFC for specific storage accounts.

From what I can tell the current logic of azurerm_security_center_storage_defender is implicit when it comes to setting the IsEnabled property. I believe it is implicitly set to true when created, and implicitly set to false when the resource is removed (?)

For my use case it would be optimal to support setting both of these settings at the same time:

  "isEnabled": false,
  "overrideSubscriptionLevelSettings": true

New or Affected Resource(s)/Data Source(s)

azurerm_security_center_storage_defender

Potential Terraform Configuration

resource "azurerm_security_center_storage_defender" "example" {
  storage_account_id = azurerm_storage_account.example.id
  override_subscription_settings_enabled = true
  is_enabled = false
}

References

https://learn.microsoft.com/en-us/azure/defender-for-cloud/advanced-configurations-for-malware-scanning#override-defender-for-storage-subscription-level-settings
https://learn.microsoft.com/en-us/azure/defender-for-cloud/advanced-configurations-for-malware-scanning#rest-api

https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-storage-classic-migrate#impact-on-the-defender-for-storage-classic-per-transaction-plan

@sinbai
Contributor

sinbai commented Sep 11, 2024

Hi @audunsolemdal, thanks for opening this issue. I would like to explain that Terraform performs CRUD management on Azure resources through the Azure REST API. For the behavior of this API, once isEnabled = false is set, the Get API returns 404. This means that the resource cannot be found when deleting the resource. Because of this API behavior, Terraform implements deletion by setting isEnabled = false. Please refer to the code for details.

Therefore, for your case, could you try to remove the resource azurerm_security_center_storage_defender of the specific storage accounts to solve it?

@audunsolemdal
Contributor Author

> once isEnabled = false is set, the Get API returns 404. This means that the resource cannot be found when deleting the resource.

Ok, important detail, thanks.

> Therefore, for your case, could you try to remove the resource azurerm_security_center_storage_defender of the specific storage accounts to solve it?

I could, but this sounds like a hassle to do reliably at scale since I don't use this resource already. I think I will rather try using the azapi_update_resource or perhaps a script is better suited given the 404 behavior.
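The azapi_update_resource approach mentioned above, written out as an added example (it is not code from this issue or from the azurerm provider). It assumes the azapi provider 1.x (where `body` is a JSON string), an existing `azurerm_storage_account.example`, and the `Microsoft.Security/defenderForStorageSettings` type with the `2022-12-01-preview` API version from the REST API documentation the issue links to.

```hcl
# Added example, not from the issue or the azurerm provider.
# Assumes: azapi provider 1.x (body as a JSON string) and an existing
# azurerm_storage_account.example. Resource type and API version follow
# the Defender for Storage REST API linked in the issue references.
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm" }
    azapi   = { source = "azure/azapi", version = "~> 1.0" }
  }
}

# Per-account override: keep the subscription-level Defender for Storage plan
# (assigned by Azure Policy) in place, but opt this one storage account out.
# This sends exactly the two properties the issue asks for:
#   isEnabled = false, overrideSubscriptionLevelSettings = true
resource "azapi_update_resource" "storage_defender_off" {
  type      = "Microsoft.Security/defenderForStorageSettings@2022-12-01-preview"
  name      = "current"
  parent_id = azurerm_storage_account.example.id

  body = jsonencode({
    properties = {
      isEnabled                         = false
      overrideSubscriptionLevelSettings = true
    }
  })
}
```

As sinbai notes above, a GET on these settings returns 404 once isEnabled is false, so expect the azapi resource to be reported as missing on a later refresh; confirm the effective setting from the Defender for Cloud side rather than from Terraform state.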

@audunsolemdal closed this as not planned Sep 12, 2024

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 13, 2024