

azurerm_sentinel_alert_rule_nrt - support block event_grouping (#20231)

Co-authored-by: kt <[email protected]>
ziyeqf and katbyte authored Feb 7, 2023
1 parent 61c2b78 commit aa6245d
Showing 3 changed files with 105 additions and 0 deletions.
27 changes: 27 additions & 0 deletions internal/services/sentinel/sentinel_alert_rule_nrt_resource.go
Expand Up @@ -10,6 +10,7 @@ import (
"github.com/hashicorp/terraform-provider-azurerm/helpers/tf"
"github.com/hashicorp/terraform-provider-azurerm/helpers/validate"
"github.com/hashicorp/terraform-provider-azurerm/internal/clients"
"github.com/hashicorp/terraform-provider-azurerm/internal/features"
"github.com/hashicorp/terraform-provider-azurerm/internal/services/sentinel/parse"
"github.com/hashicorp/terraform-provider-azurerm/internal/tf/pluginsdk"
"github.com/hashicorp/terraform-provider-azurerm/internal/tf/validation"
Expand Down Expand Up @@ -97,6 +98,26 @@ func resourceSentinelAlertRuleNrt() *pluginsdk.Resource {
ValidateFunc: validation.StringIsNotEmpty,
},

"event_grouping": {
Type: pluginsdk.TypeList,
Required: features.FourPointOhBeta(),
Optional: !features.FourPointOhBeta(),
Computed: !features.FourPointOhBeta(), // the service will default it to `SingleAlert`.
MaxItems: 1,
Elem: &pluginsdk.Resource{
Schema: map[string]*pluginsdk.Schema{
"aggregation_method": {
Type: pluginsdk.TypeString,
Required: true,
ValidateFunc: validation.StringInSlice([]string{
string(securityinsight.EventGroupingAggregationKindAlertPerResult),
string(securityinsight.EventGroupingAggregationKindSingleAlert),
}, false),
},
},
},
},

"tactics": {
Type: pluginsdk.TypeSet,
Optional: true,
Expand Down Expand Up @@ -411,6 +432,9 @@ func resourceSentinelAlertRuleNrtCreateUpdate(d *pluginsdk.ResourceData, meta in
if v, ok := d.GetOk("alert_rule_template_version"); ok {
param.NrtAlertRuleProperties.TemplateVersion = utils.String(v.(string))
}
if v, ok := d.GetOk("event_grouping"); ok {
param.NrtAlertRuleProperties.EventGroupingSettings = expandAlertRuleScheduledEventGroupingSetting(v.([]interface{}))
}
if v, ok := d.GetOk("alert_details_override"); ok {
param.NrtAlertRuleProperties.AlertDetailsOverride = expandAlertRuleAlertDetailsOverride(v.([]interface{}))
}
Expand Down Expand Up @@ -508,6 +532,9 @@ func resourceSentinelAlertRuleNrtRead(d *pluginsdk.ResourceData, meta interface{
d.Set("alert_rule_template_guid", prop.AlertRuleTemplateName)
d.Set("alert_rule_template_version", prop.TemplateVersion)

if err := d.Set("event_grouping", flattenAlertRuleScheduledEventGroupingSetting(prop.EventGroupingSettings)); err != nil {
return fmt.Errorf("setting `event_grouping`: %+v", err)
}
if err := d.Set("alert_details_override", flattenAlertRuleAlertDetailsOverride(prop.AlertDetailsOverride)); err != nil {
return fmt.Errorf("setting `alert_details_override`: %+v", err)
}
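Review bot: In resourceSentinelAlertRuleNrtCreateUpdate the new `d.GetOk("event_grouping")` guard only sends the setting when a value is present, but because the schema marks the block Computed while the 4.0 flag is off, removing the block from configuration after creation presumably leaves the value previously read into state in place, so GetOk keeps returning it and the rule cannot be returned to the service default through configuration alone. That matches the schema comment ("the service will default it to `SingleAlert`") and the plan to make the block Required in 4.0, but the limitation is not stated anywhere; a comment at the guard such as `// Computed when the 4.0 flag is off: an absent block keeps the value previously read into state rather than resetting to the service default` would save the next reader the investigation. The Read hunk passes `prop.EventGroupingSettings` straight to the shared flatten helper, which is defined outside this commit, so it should be confirmed to tolerate a nil pointer for rules created without the block. Both resourceSentinelAlertRuleNrtCreateUpdate and resourceSentinelAlertRuleNrtRead start and end outside their hunks.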
Expand Up @@ -105,6 +105,28 @@ func TestAccSentinelAlertRuleNrt_withAlertRuleTemplateGuid(t *testing.T) {
})
}

func TestAccSentinelAlertRuleNrt_updateEventGroupingSetting(t *testing.T) {
data := acceptance.BuildTestData(t, "azurerm_sentinel_alert_rule_nrt", "test")
r := SentinelAlertRuleNrtResource{}

data.ResourceTest(t, r, []acceptance.TestStep{
{
Config: r.eventGroupingSetting(data),
Check: acceptance.ComposeTestCheckFunc(
check.That(data.ResourceName).ExistsInAzure(r),
),
},
data.ImportStep(),
{
Config: r.updateEventGroupingSetting(data),
Check: acceptance.ComposeTestCheckFunc(
check.That(data.ResourceName).ExistsInAzure(r),
),
},
data.ImportStep(),
})
}

func (t SentinelAlertRuleNrtResource) Exists(ctx context.Context, clients *clients.Client, state *pluginsdk.InstanceState) (*bool, error) {
id, err := parse.AlertRuleID(state.ID)
if err != nil {
Expand Down Expand Up @@ -258,6 +280,52 @@ resource "azurerm_sentinel_alert_rule_nrt" "test" {
`, r.template(data), data.RandomInteger)
}

func (r SentinelAlertRuleNrtResource) eventGroupingSetting(data acceptance.TestData) string {
return fmt.Sprintf(`
%s
resource "azurerm_sentinel_alert_rule_nrt" "test" {
name = "acctest-SentinelAlertRule-NRT-%d"
log_analytics_workspace_id = azurerm_log_analytics_solution.test.workspace_resource_id
display_name = "Some Rule"
severity = "High"
query = <<QUERY
AzureActivity |
where OperationName == "Create or Update Virtual Machine" or OperationName =="Create Deployment" |
where ActivityStatus == "Succeeded" |
make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller
QUERY
event_grouping {
aggregation_method = "SingleAlert"
}
}
`, r.template(data), data.RandomInteger)
}

func (r SentinelAlertRuleNrtResource) updateEventGroupingSetting(data acceptance.TestData) string {
return fmt.Sprintf(`
%s
resource "azurerm_sentinel_alert_rule_nrt" "test" {
name = "acctest-SentinelAlertRule-NRT-%d"
log_analytics_workspace_id = azurerm_log_analytics_solution.test.workspace_resource_id
display_name = "Some Rule"
severity = "High"
query = <<QUERY
AzureActivity |
where OperationName == "Create or Update Virtual Machine" or OperationName =="Create Deployment" |
where ActivityStatus == "Succeeded" |
make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller
QUERY
event_grouping {
aggregation_method = "AlertPerResult"
}
}
`, r.template(data), data.RandomInteger)
}

func (SentinelAlertRuleNrtResource) template(data acceptance.TestData) string {
return fmt.Sprintf(`
provider "azurerm" {
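Review bot: `eventGroupingSetting` and `updateEventGroupingSetting` are the same HCL apart from the `aggregation_method` literal, so the pair could be one helper taking the method as a parameter, e.g. `func (r SentinelAlertRuleNrtResource) eventGroupingSetting(data acceptance.TestData, method string) string` with `aggregation_method = %q` in the template and `method` passed to Sprintf, which keeps the test steps as readable while removing the duplicated resource body. TestAccSentinelAlertRuleNrt_updateEventGroupingSetting asserts only ExistsInAzure at each step; the ImportStep covers the round-trip implicitly, but an explicit `check.That(data.ResourceName).Key("event_grouping.0.aggregation_method").HasValue("AlertPerResult")` on the update step would make the state value the test is about visible in a failure message. The `template` function at the end of the section continues outside the hunk.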
10 changes: 10 additions & 0 deletions website/docs/r/sentinel_alert_rule_nrt.html.markdown
Expand Up @@ -86,6 +86,10 @@ The following arguments are supported:

* `entity_mapping` - (Optional) A list of `entity_mapping` blocks as defined below.

* `event_grouping` - (Optional) A `event_grouping` block as defined below.

-> **NOTE:** `event_grouping` will be required in the next major version of the AzureRM Provider.

* `sentinel_entity_mapping` - (Optional) A list of `sentinel_entity_mapping` blocks as defined below.

-> **NOTE:** `entity_mapping` and `sentinel_entity_mapping` together can't exceed 5.
Expand Down Expand Up @@ -132,6 +136,12 @@ An `entity_mapping` block supports the following:

---

A `event_grouping` block supports the following:

* `aggregation_method` - (Required) The aggregation type of grouping the events. Possible values are `AlertPerResult` and `SingleAlert`.

---

A `sentinel_entity_mapping` block supports the following:

* `column_name` - (Required) The column name to be mapped to the identifier.
