terraform-provider-azurerm
Specify the Vulnerability Assessment solution through the AzureRM provider to Microsoft Defender for Cloud (aka Azure Security Center)
Is there an existing issue for this?
- [X] I have searched the existing issues
Community Note
- Please vote on this issue by adding a :thumbsup: reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Description
We need to be able to specify the Vulnerability Assessment (VA) solution in the AzureRM Terraform provider for Microsoft Defender for Cloud (previously called Azure Security Center).
We now have two VA solutions: Qualys and Threat and Vulnerability Management (TVM). Currently in AzureRM, it only seems possible to set up VA using Qualys, and not TVM, so can we also get TVM added as an option (while keeping Qualys)?
New or Affected Resource(s)/Data Source(s)
azurerm/azurerm_security_center_server_vulnerability_assessment_virtual_machine
Potential Terraform Configuration
resource "azurerm_security_center_server_TVM_vulnerability_assessment_virtual_machine" "example" {
  virtual_machine_id = azurerm_TVM_linux_virtual_machine.example.id
}
References
https://docs.microsoft.com/en-us/azure/defender-for-cloud/deploy-vulnerability-assessment-tvm#:~:text=Microsoft%27s%20threat%20and%20vulnerability%20management%20is%20a%20built-in,the%20threat%20landscape%20and%20detections%20in%20your%20organization
@LianaT Thank you for posting this issue here. Currently, the Terraform provider cannot support this feature, since the Azure API used by the Terraform provider does not support it. It only supports the "default" (Qualys) one.
@sinbai Actually, when using the REST API, if you create a `Microsoft.Security/serverVulnerabilityAssessments` sub-resource under a Virtual Machine resource and give it the `MdeTvm` name, that VM will be using the MDE vulnerability assessment solution. However, the Terraform provider is currently not supporting the name property that would allow for that.
Similarly, the azurerm provider could / should offer parity for deploying the vulnerability solutions at the Resource Group scope, similar to the PowerShell script: https://github.com/Azure/Microsoft-Defender-for-Cloud/blob/main/Powershell%20scripts/Vulnerability%20Solution/New-ASCVASolution.ps1#L137
And, if supported, for other scopes (Subscription, Management Group).
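The per-VM REST call described in the comment above, written as a Terraform configuration. This is an added example and is not code from the issue, the azurerm provider or the linked PowerShell script: it uses the generic `azapi_resource` from the `Azure/azapi` provider to create the `Microsoft.Security/serverVulnerabilityAssessments` sub-resource with the `MdeTvm` name, which is the one thing `azurerm_security_center_server_vulnerability_assessment_virtual_machine` cannot do because it exposes no name property. The `2020-01-01` API version, the azapi v2 object-style `body`, the `azurerm_linux_virtual_machine.example` reference and the fact that the service accepts `MdeTvm` as the sub-resource name (as reported in the comment) are all assumptions.

```hcl
# Added example, not from the issue or the provider.
# Assumes: azurerm and azapi providers configured, an existing
# azurerm_linux_virtual_machine.example, and that
# Microsoft.Security/serverVulnerabilityAssessments accepts "MdeTvm"
# as the sub-resource name at api-version 2020-01-01.

terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm" }
    azapi   = { source = "Azure/azapi" }
  }
}

provider "azurerm" {
  features {}
}

provider "azapi" {}

# Subscription-level default: tells Defender for Cloud that VM onboarding
# should use MDE TVM rather than the built-in Qualys agent. This resource
# does exist in azurerm; on its own it does not onboard any VM.
resource "azurerm_security_center_server_vulnerability_assessments_setting" "mdetvm" {
  vulnerability_assessment_provider = "MdeTvm"
}

# Per-VM sub-resource. The azurerm VM resource gives no way to set the
# sub-resource name, so it lands on the deprecated built-in Qualys type
# (BuiltInQualysDeprecation); the generic azapi resource lets us pick
# the name ourselves.
resource "azapi_resource" "va_mdetvm" {
  type      = "Microsoft.Security/serverVulnerabilityAssessments@2020-01-01" # assumed api-version
  name      = "MdeTvm"                                                       # the name selects the VA type
  parent_id = azurerm_linux_virtual_machine.example.id                       # assumed existing VM

  # The sub-resource carries no settable properties; an empty body suffices.
  # azapi v2 object form; on azapi v1 use body = jsonencode({}).
  body = {}

  # Make sure the subscription default is in place before onboarding the VM.
  depends_on = [
    azurerm_security_center_server_vulnerability_assessments_setting.mdetvm,
  ]
}
```

After `terraform apply`, the VM should show the MDE TVM solution under Defender for Cloud rather than the built-in Qualys one. Note that azapi does not track drift the way a typed azurerm resource would, so if the provider later gains a name property (or the sub-resource is auto-migrated, as a later comment in this thread reports), the azapi block should be imported into or replaced by that resource rather than kept alongside it.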
I have this in my code:
resource "azurerm_security_center_server_vulnerability_assessments_setting" "mdetvm" {
  vulnerability_assessment_provider = "MdeTvm"
}

resource "azurerm_security_center_server_vulnerability_assessment_virtual_machine" "vm_vuln_assessment" {
  virtual_machine_id = azurerm_virtual_machine.vm.id

  depends_on = [
    azurerm_virtual_machine_extension.gc_linux,
    azurerm_security_center_server_vulnerability_assessments_setting.mdetvm,
  ]
}
but it still fails with:
security.ServerVulnerabilityAssessmentClient#CreateOrUpdate: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="BuiltInQualysDeprecation" Message="The Default (built-in Qualys) VA type is deprecated. Please use the MdeTvm VA type instead."

  with azurerm_security_center_server_vulnerability_assessment_virtual_machine.vm_vuln_assessment,
  on virtual_machines.tf line 200, in resource "azurerm_security_center_server_vulnerability_assessment_virtual_machine" "vm_vuln_assessment":
  200: resource "azurerm_security_center_server_vulnerability_assessment_virtual_machine" "vm_vuln_assessment" {
Is the suggested resource going to fix this?
@simaotwx did you manage this issue?
Also hitting this issue
We are experiencing the same issue, any update on this?
Actually, it looks like you can just remove azurerm_security_center_server_vulnerability_assessment_virtual_machine. It automigrated to the MdeTvm version or agentless.