terraform-azurerm-caf-enterprise-scale

Allow selecting Sentinel SKU

Open vaclaond opened this issue 3 years ago • 6 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Is your feature request related to a problem?

Azure Sentinel SKU (CapacityReservation) is always replaced by PerGB on each update, which results in a significant cost increase.

Describe the solution you'd like

Add a parameter to select proper SKU for Azure Sentinel (properties of SecurityInsights solution).

    "plan": {
        "name": "SecurityInsights(-----)",
        "publisher": "Microsoft",
        "promotionCode": "",
        "product": "OMSGallery/SecurityInsights"
    },
    "properties": {
        "workspaceResourceId": "------",
        "provisioningState": "Succeeded",
        "creationTime": "Sun, 06 Jun 2021 16:21:40 GMT",
        "sku": {
            "name": "CapacityReservation",
            "capacityReservationLevel": 100,
            "lastSkuUpdate": "Mon, 06 Dec 2021 09:38:48 GMT"
        },
        "lastModifiedTime": "Mon, 06 Dec 2021 09:38:48 GMT",
        "containedResources": [],
        "workbookTemplates": []
    },

Additional context

vaclaond avatar Dec 06 '21 10:12 vaclaond

Thank you for logging this issue @vaclaond

If I've understood this query correctly, the intent is to update the SKU of the azurerm_log_analytics_workspace to manage costs associated with data storage for the OMSGallery/SecurityInsights Log Analytics solution?

To do this, you can use the advanced configuration in your configure_management_resources value.

Add the following values and hopefully this will resolve your issue:

  configure_management_resources = {
    # (3 attributes hidden)
    advanced = {
      custom_settings_by_resource_type = {
        azurerm_log_analytics_workspace = {
          management = {
            sku                               = "CapacityReservation"
            reservation_capcity_in_gb_per_day = 100
          }
        }
      }
    }
  }

Note the incorrect spelling in reservation_capcity_in_gb_per_day which is from the provider.

Please let me know how you get on with this.

krowlandson avatar Dec 06 '21 12:12 krowlandson

@krowlandson Actually these are two different things. One is reserved capacity for Log Analytics (15% discount on 100GB) and the other one is for Sentinel (50% discount on 100GB). However, I figured out that the SKU property for azurerm_log_analytics_solution is not supported in the azurerm provider, so this probably cannot be resolved in the enterprise scale module.

vaclaond avatar Dec 10 '21 11:12 vaclaond

Understood, thank you for confirming that @vaclaond... as you say, this is something the Azure provider for Terraform doesn't currently support.

To help with this, I will look into whether this is a simple feature request and we can raise an Issue on the Azure provider repository to see if we can get this added on that side; we can then provide this feature in the module in a future release.

I will also look into whether we can use lifecycle { ignore_changes = [] } block on the resource in the module, so it won't revert manual changes to this value outside the module.

If you need to do something ahead of this, I think your best option would be to disable this individual solution in the configure_management_resources input variable by setting enable_sentinel = false and deploy it outside of Terraform. This would give you the ability to set this value without Terraform trying to revert the setting on each run.

NOTE: Setting enable_sentinel = false will disable both the Security and SecurityInsights solutions. No other resource configuration will be impacted.

krowlandson avatar Dec 10 '21 13:12 krowlandson
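
A drift check for the situation discussed in this thread, as an added example that is not part of the issue or the module: it reads the SecurityInsights solution JSON in the shape quoted in the original post and reports when the SKU no longer matches the expected reservation. The function name, the sample document and its workspace ID are constructed for illustration.

```python
import json

# Constructed sample: the shape follows the solution JSON quoted in the issue,
# with the SKU as it would look after an update has reset it to PerGB.
SAMPLE_AFTER_APPLY = """
{
  "plan": {
    "name": "SecurityInsights(example-workspace)",
    "publisher": "Microsoft",
    "promotionCode": "",
    "product": "OMSGallery/SecurityInsights"
  },
  "properties": {
    "workspaceResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/placeholder",
    "provisioningState": "Succeeded",
    "sku": {"name": "PerGB"}
  }
}
"""

SENTINEL_PRODUCT = "OMSGallery/SecurityInsights"


def check_sentinel_sku(resource, expected_name="CapacityReservation", expected_level=100):
    """Return a list of drift findings; an empty list means the SKU matches."""
    product = resource.get("plan", {}).get("product")
    if product != SENTINEL_PRODUCT:
        return [f"not a Sentinel solution (product={product!r})"]
    sku = resource.get("properties", {}).get("sku")
    if not isinstance(sku, dict):
        return ["properties.sku is missing"]
    findings = []
    if sku.get("name") != expected_name:
        findings.append(f"sku.name is {sku.get('name')!r}, expected {expected_name!r}")
    # capacityReservationLevel only applies to the CapacityReservation SKU.
    if expected_name == "CapacityReservation" and sku.get("capacityReservationLevel") != expected_level:
        level = sku.get("capacityReservationLevel")
        findings.append(f"capacityReservationLevel is {level!r}, expected {expected_level}")
    return findings


if __name__ == "__main__":
    for finding in check_sentinel_sku(json.loads(SAMPLE_AFTER_APPLY)):
        print("DRIFT:", finding)
```

Run against the solution resource after each Terraform apply, a non-empty result signals that the reservation was reset and needs to be re-applied outside the module.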

Just a quick update on this. I have tried to handle this using the lifecycle { ignore_changes = [] } block but this is not a tracked property on this resource type so results in an error.

As such I suspect this is a bug with the provider so I will log this on the provider issues and link back to this conversation.

I will also remove this from the next release milestone as we cannot do anything on our side, beyond the above guidance.

krowlandson avatar Apr 08 '22 07:04 krowlandson

Trigger ADO Sync

jtracey93 avatar Sep 09 '22 15:09 jtracey93

Trigger ADO Sync

krowlandson avatar Oct 14 '22 07:10 krowlandson

Just re-visiting this @vaclaond.

I see you raised an issue relating to this on the provider which has unfortunately not gained traction due to the "missing" API. I will look into whether this API is really "missing" but I also wanted to check back with you on this issue.

Now that the provider has had a few updates to improve state tracking, I have re-tested and don't seem to be able to reproduce this problem. As such, I believe this has now been resolved.

I am going to close this issue, but would ask you to confirm from your side and re-open if you are still facing this problem.

Thank you

krowlandson avatar Oct 28 '22 14:10 krowlandson