From bac84fe5f29c837afa5cc93326deae6db97c2628 Mon Sep 17 00:00:00 2001
From: ziyeqf
Date: Tue, 31 Jan 2023 13:09:52 +0800
Subject: [PATCH 1/2] `azurerm_sentinel_alert_rule_nrt` - support `event_grouping`

---
 .../sentinel_alert_rule_nrt_resource.go | 24 +++++++
 .../sentinel_alert_rule_nrt_resource_test.go | 68 +++++++++++++++++++
 .../r/sentinel_alert_rule_nrt.html.markdown | 8 +++
 3 files changed, 100 insertions(+)

diff --git a/internal/services/sentinel/sentinel_alert_rule_nrt_resource.go b/internal/services/sentinel/sentinel_alert_rule_nrt_resource.go
index eeeeb9a60498..85d423f17521 100644
--- a/internal/services/sentinel/sentinel_alert_rule_nrt_resource.go
+++ b/internal/services/sentinel/sentinel_alert_rule_nrt_resource.go
@@ -96,6 +96,24 @@ func resourceSentinelAlertRuleNrt() *pluginsdk.Resource {
 ValidateFunc: validation.StringIsNotEmpty,
 },
 
+ "event_grouping": {
+ Type: pluginsdk.TypeList,
+ Optional: true,
+ MaxItems: 1,
+ Elem: &pluginsdk.Resource{
+ Schema: map[string]*pluginsdk.Schema{
+ "aggregation_method": {
+ Type: pluginsdk.TypeString,
+ Required: true,
+ ValidateFunc: validation.StringInSlice([]string{
+ string(securityinsight.EventGroupingAggregationKindAlertPerResult),
+ string(securityinsight.EventGroupingAggregationKindSingleAlert),
+ }, false),
+ },
+ },
+ },
+ },
+
 "tactics": {
 Type: pluginsdk.TypeSet,
 Optional: true,
@@ -367,6 +385,9 @@ func resourceSentinelAlertRuleNrtCreateUpdate(d *pluginsdk.ResourceData, meta in
 if v, ok := d.GetOk("alert_rule_template_version"); ok {
 param.NrtAlertRuleProperties.TemplateVersion = utils.String(v.(string))
 }
+ if v, ok := d.GetOk("event_grouping"); ok {
+ param.NrtAlertRuleProperties.EventGroupingSettings = expandAlertRuleScheduledEventGroupingSetting(v.([]interface{}))
+ }
 if v, ok := d.GetOk("alert_details_override"); ok {
 param.NrtAlertRuleProperties.AlertDetailsOverride = expandAlertRuleAlertDetailsOverride(v.([]interface{}))
 }
@@ -451,6 +472,9 @@ func resourceSentinelAlertRuleNrtRead(d *pluginsdk.ResourceData, meta interface{
 d.Set("alert_rule_template_guid", prop.AlertRuleTemplateName)
 d.Set("alert_rule_template_version", prop.TemplateVersion)
+ if err := d.Set("event_grouping", flattenAlertRuleScheduledEventGroupingSetting(prop.EventGroupingSettings)); err != nil {
+ return fmt.Errorf("setting `event_grouping`: %+v", err)
+ }
 if err := d.Set("alert_details_override", flattenAlertRuleAlertDetailsOverride(prop.AlertDetailsOverride)); err != nil {
 return fmt.Errorf("setting `alert_details_override`: %+v", err)
 }
diff --git a/internal/services/sentinel/sentinel_alert_rule_nrt_resource_test.go b/internal/services/sentinel/sentinel_alert_rule_nrt_resource_test.go
index e3d3244d7b7e..685be3460ebf 100644
--- a/internal/services/sentinel/sentinel_alert_rule_nrt_resource_test.go
+++ b/internal/services/sentinel/sentinel_alert_rule_nrt_resource_test.go
@@ -105,6 +105,28 @@ func TestAccSentinelAlertRuleNrt_withAlertRuleTemplateGuid(t *testing.T) {
 })
 }
 
+func TestAccSentinelAlertRuleNrt_updateEventGroupingSetting(t *testing.T) {
+ data := acceptance.BuildTestData(t, "azurerm_sentinel_alert_rule_nrt", "test")
+ r := SentinelAlertRuleNrtResource{}
+
+ data.ResourceTest(t, r, []acceptance.TestStep{
+ {
+ Config: r.eventGroupingSetting(data),
+ Check: acceptance.ComposeTestCheckFunc(
+ check.That(data.ResourceName).ExistsInAzure(r),
+ ),
+ },
+ data.ImportStep(),
+ {
+ Config: r.updateEventGroupingSetting(data),
+ Check: acceptance.ComposeTestCheckFunc(
+ check.That(data.ResourceName).ExistsInAzure(r),
+ ),
+ },
+ data.ImportStep(),
+ })
+}
+
 func (t SentinelAlertRuleNrtResource) Exists(ctx context.Context, clients *clients.Client, state *pluginsdk.InstanceState) (*bool, error) {
 id, err := parse.AlertRuleID(state.ID)
 if err != nil {
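Review bot: `TestAccSentinelAlertRuleNrt_updateEventGroupingSetting` asserts only `ExistsInAzure` after each apply, so an update whose `aggregation_method` is silently ignored would still pass; the import steps verify that state round-trips, not that the value actually changed in Azure. Add a value check to each `Check` list, e.g. `check.That(data.ResourceName).Key("event_grouping.0.aggregation_method").HasValue("...")`, filling in whichever `aggregation_method` `eventGroupingSetting` and `updateEventGroupingSetting` set (their bodies are outside this hunk, so the expected values can't be confirmed here). This matters because the two aggregation kinds decide whether a query match raises one alert or one alert per result, which is the behaviour a user of this block is choosing.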
@@ -251,6 +273,52 @@ resource "azurerm_sentinel_alert_rule_nrt" "test" {
 `, r.template(data), data.RandomInteger)
 }
 
+func (r SentinelAlertRuleNrtResource) eventGroupingSetting(data acceptance.TestData) string {
+ return fmt.Sprintf(`
+%s
+
+resource "azurerm_sentinel_alert_rule_nrt" "test" {
+ name = "acctest-SentinelAlertRule-NRT-%d"
+ log_analytics_workspace_id = azurerm_log_analytics_solution.test.workspace_resource_id
+ display_name = "Some Rule"
+ severity = "High"
+ query = <
Date: Tue, 31 Jan 2023 13:24:44 +0800
Subject: [PATCH 2/2] add default value.

---
 .../services/sentinel/sentinel_alert_rule_nrt_resource.go | 5 ++++-
 website/docs/r/sentinel_alert_rule_nrt.html.markdown | 2 ++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/internal/services/sentinel/sentinel_alert_rule_nrt_resource.go b/internal/services/sentinel/sentinel_alert_rule_nrt_resource.go
index 85d423f17521..2b3c4d645925 100644
--- a/internal/services/sentinel/sentinel_alert_rule_nrt_resource.go
+++ b/internal/services/sentinel/sentinel_alert_rule_nrt_resource.go
@@ -9,6 +9,7 @@ import (
 "github.com/hashicorp/terraform-provider-azurerm/helpers/tf"
 "github.com/hashicorp/terraform-provider-azurerm/helpers/validate"
 "github.com/hashicorp/terraform-provider-azurerm/internal/clients"
+ "github.com/hashicorp/terraform-provider-azurerm/internal/features"
 "github.com/hashicorp/terraform-provider-azurerm/internal/services/sentinel/parse"
 "github.com/hashicorp/terraform-provider-azurerm/internal/tf/pluginsdk"
 "github.com/hashicorp/terraform-provider-azurerm/internal/tf/validation"
@@ -98,7 +99,9 @@ func resourceSentinelAlertRuleNrt() *pluginsdk.Resource {
 
 "event_grouping": {
 Type: pluginsdk.TypeList,
- Optional: true,
+ Required: features.FourPointOhBeta(),
+ Optional: !features.FourPointOhBeta(),
+ Computed: !features.FourPointOhBeta(), // the service will default it to `SingleAlert`.
 MaxItems: 1,
 Elem: &pluginsdk.Resource{
 Schema: map[string]*pluginsdk.Schema{
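Review bot: Making `event_grouping` `Optional` + `Computed` on the pre-4.0 branch means that once the block has been applied, removing it from config produces no diff and the previously set `aggregation_method` stays in state; the create/update path in patch 1 (hunk `@@ -367,6 +385,9 @@`) only populates `EventGroupingSettings` when `d.GetOk("event_grouping")` succeeds, so nothing is sent to revert it, and whether a later PUT that omits the property keeps or resets the service-side value isn't visible here. That is the usual Optional+Computed trade-off, but the trailing comment only mentions the default; extend it to `// Optional+Computed before 4.0: the service defaults this to SingleAlert, and dropping the block from config does not revert an explicitly set value.`. The enclosing schema map continues outside the hunk, and the `@@ -9,6 +9,7 @@` import hunk above needs no change.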
diff --git a/website/docs/r/sentinel_alert_rule_nrt.html.markdown b/website/docs/r/sentinel_alert_rule_nrt.html.markdown
index e55519b6f0b9..44dcb2f848fc 100644
--- a/website/docs/r/sentinel_alert_rule_nrt.html.markdown
+++ b/website/docs/r/sentinel_alert_rule_nrt.html.markdown
@@ -88,6 +88,8 @@ The following arguments are supported:
 * `event_grouping` - (Optional) A `event_grouping` block as defined below.
 
+-> **NOTE:** `event_grouping` will be required in the next major version of the AzureRM Provider.
+
 * `incident` - (Optional) A `incident` block as defined below.
 
 * `suppression_duration` - (Optional) If `suppression_enabled` is `true`, this is ISO 8601 timespan duration, which specifies the amount of time the query should stop running after alert is generated. Defaults to `PT5H`.