
azurermSecurityCenterAutomation

Manages Security Center Automation and Continuous Export. This resource supports three destination types in the action block: Logic Apps, Log Analytics and Event Hubs.

Example Usage

```typescript
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import { Construct } from "constructs";
import { App, TerraformStack } from "cdktf";
import * as azurerm from "./.gen/providers/azurerm";

class SecurityCenterAutomationStack extends TerraformStack {
  constructor(scope: Construct, id: string) {
    super(scope, id);

    const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
      this,
      "example",
      {
        location: "West Europe",
        name: "example-resources",
      }
    );
    const dataAzurermClientConfigCurrent =
      new azurerm.dataAzurermClientConfig.DataAzurermClientConfig(
        this,
        "current",
        {}
      );
    const azurermEventhubNamespaceExample =
      new azurerm.eventhubNamespace.EventhubNamespace(this, "example_2", {
        capacity: 2,
        location: azurermResourceGroupExample.location,
        name: "example-namespace",
        resourceGroupName: azurermResourceGroupExample.name,
        sku: "Standard",
      });
    /*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
    azurermEventhubNamespaceExample.overrideLogicalId("example");
    const azurermEventhubExample = new azurerm.eventhub.Eventhub(
      this,
      "example_3",
      {
        messageRetention: 2,
        name: "acceptanceTestEventHub",
        namespaceName: azurermEventhubNamespaceExample.name,
        partitionCount: 2,
        resourceGroupName: azurermResourceGroupExample.name,
      }
    );
    azurermEventhubExample.overrideLogicalId("example");
    /*The automation only publishes to the hub, so the key handed to it is
    send-only (connectionString must carry send permissions, see below).*/
    const azurermEventhubAuthorizationRuleExample =
      new azurerm.eventhubAuthorizationRule.EventhubAuthorizationRule(
        this,
        "example_4",
        {
          eventhubName: azurermEventhubExample.name,
          listen: false,
          manage: false,
          name: "example-rule",
          namespaceName: azurermEventhubNamespaceExample.name,
          resourceGroupName: azurermResourceGroupExample.name,
          send: true,
        }
      );
    azurermEventhubAuthorizationRuleExample.overrideLogicalId("example");
    const azurermSecurityCenterAutomationExample =
      new azurerm.securityCenterAutomation.SecurityCenterAutomation(
        this,
        "example_5",
        {
          action: [
            {
              connectionString:
                azurermEventhubAuthorizationRuleExample.primaryConnectionString,
              resourceId: azurermEventhubExample.id,
              type: "EventHub",
            },
          ],
          location: azurermResourceGroupExample.location,
          name: "example-automation",
          resourceGroupName: azurermResourceGroupExample.name,
          /*Scope the automation to the subscription the provider is running in.*/
          scopes: [
            `/subscriptions/${dataAzurermClientConfigCurrent.subscriptionId}`,
          ],
          source: [
            {
              eventSource: "Alerts",
              ruleSet: [
                {
                  rule: [
                    {
                      expectedValue: "High",
                      operator: "Equals",
                      propertyPath: "properties.metadata.severity",
                      propertyType: "String",
                    },
                  ],
                },
              ],
            },
          ],
        }
      );
    azurermSecurityCenterAutomationExample.overrideLogicalId("example");
  }
}

const app = new App();
new SecurityCenterAutomationStack(app, "security-center-automation");
app.synth();
```

Arguments Reference

The following arguments are supported:

  • location - (Required) The Azure Region where the Security Center Automation should exist. Changing this forces a new Security Center Automation to be created.

  • name - (Required) The name which should be used for this Security Center Automation. Changing this forces a new Security Center Automation to be created.

  • resourceGroupName - (Required) The name of the Resource Group where the Security Center Automation should exist. Changing this forces a new Security Center Automation to be created.

  • scopes - (Required) A list of scopes on which the automation logic is applied; at least one is required. Supported scopes are a subscription (in the format /subscriptions/00000000-0000-0000-0000-000000000000) or a resource group under that subscription (in the format /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/example). The automation will only apply on the defined scopes.

  • source - (Required) One or more source blocks as defined below. A source defines what data types will be processed and a set of rules to filter that data.

  • action - (Required) One or more action blocks as defined below. An action tells this automation where the data is to be sent to upon being evaluated by the rules in the source.


  • description - (Optional) Specifies the description for the Security Center Automation.

  • enabled - (Optional) Boolean to enable or disable this Security Center Automation. Defaults to true.

  • tags - (Optional) A mapping of tags assigned to the resource.


An action block defines where the data will be exported and sent to; it supports the following:

  • type - (Required) Type of Azure resource to send data to. Must be set to one of: LogicApp, EventHub or LogAnalytics.

  • resourceId - (Required) The resource id of the target Logic App, Event Hub namespace or Log Analytics workspace.

  • connectionString - (Optional, but required when type is EventHub) A connection string to send data to the target Event Hub namespace; this should include a key with send permissions.

  • triggerUrl - (Optional, but required when type is LogicApp) The callback URL to trigger the Logic App that will receive and process data sent by this automation. This can be found in the Azure Portal under "See trigger history".


A source block defines the source data in Security Center to be exported; it supports the following:

  • eventSource - (Required) Type of data that will trigger this automation. Must be one of Alerts, Assessments, AssessmentsSnapshot, RegulatoryComplianceAssessment, RegulatoryComplianceAssessmentSnapshot, SecureScoreControls, SecureScoreControlsSnapshot, SecureScores, SecureScoresSnapshot, SubAssessments or SubAssessmentsSnapshot. Note: assessments are also referred to as recommendations.

  • ruleSet - (Optional) A set of rules which evaluate upon event and data interception. This is defined in one or more ruleSet blocks as defined below.

~> NOTE: When multiple ruleSet blocks are provided, a logical 'OR' is applied to the evaluation of them.


A ruleSet block supports the following:

  • rule - (Required) One or more rule blocks as defined below.

~> NOTE: This automation will trigger when all of the rules in this ruleSet are evaluated as 'true'. This is equivalent to a logical 'AND'.


A rule block supports the following:

  • expectedValue - (Required) A value that will be compared with the value in propertyPath.

  • operator - (Required) The comparison operator to use; must be one of: Contains, EndsWith, Equals, GreaterThan, GreaterThanOrEqualTo, LesserThan, LesserThanOrEqualTo, NotEquals or StartsWith.

  • propertyPath - (Required) The JPath of the entity model property that should be checked.

  • propertyType - (Required) The data type of the compared operands; must be one of: Integer, String, Boolean or Number.

~> NOTE: The schema for Security Center alerts (when eventSource is "Alerts") can be found here
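To make the ruleSet / rule semantics above concrete (rules within a ruleSet AND-ed, ruleSets OR-ed, operators applied according to propertyType), here is an added TypeScript model of the evaluation run against a constructed alert. It is illustration written for this page, not provider or Security Center code; the assumption that an omitted ruleSet exports every event, and the "riskScore" field, are both made up for the example.

```typescript
// Added illustration of the documented rule semantics, not provider or Security Center code.
type Operator = "Contains" | "EndsWith" | "Equals" | "GreaterThan" | "GreaterThanOrEqualTo" |
  "LesserThan" | "LesserThanOrEqualTo" | "NotEquals" | "StartsWith";
type PropertyType = "Integer" | "String" | "Boolean" | "Number";
interface Rule { propertyPath: string; propertyType: PropertyType; operator: Operator; expectedValue: string }
interface RuleSet { rule: Rule[] }

// Walk a dotted JPath such as "properties.metadata.severity" into a nested event object.
function getPath(obj: unknown, path: string): unknown {
  return path.split(".").reduce<unknown>((cur, key) =>
    cur !== null && typeof cur === "object" ? (cur as Record<string, unknown>)[key] : undefined, obj);
}
const numericOps: Partial<Record<Operator, (a: number, e: number) => boolean>> = {
  Equals: (a, e) => a === e, NotEquals: (a, e) => a !== e, GreaterThan: (a, e) => a > e,
  GreaterThanOrEqualTo: (a, e) => a >= e, LesserThan: (a, e) => a < e, LesserThanOrEqualTo: (a, e) => a <= e,
};
const stringOps: Partial<Record<Operator, (a: string, e: string) => boolean>> = {
  Equals: (a, e) => a === e, NotEquals: (a, e) => a !== e, Contains: (a, e) => a.includes(e),
  StartsWith: (a, e) => a.startsWith(e), EndsWith: (a, e) => a.endsWith(e),
};

// One rule: a property missing from the event never matches, and an operator that makes no
// sense for the declared propertyType (e.g. GreaterThan on a String) also evaluates to false.
function evalRule(event: unknown, r: Rule): boolean {
  const actual = getPath(event, r.propertyPath);
  if (actual === undefined) return false;
  if (r.propertyType === "Integer" || r.propertyType === "Number") {
    const a = Number(actual), e = Number(r.expectedValue);
    return !Number.isNaN(a) && !Number.isNaN(e) && (numericOps[r.operator]?.(a, e) ?? false);
  }
  return stringOps[r.operator]?.(String(actual), r.expectedValue) ?? false;
}
// Rules inside a ruleSet are AND-ed; the ruleSets themselves are OR-ed. With no ruleSet at all
// this model assumes every event from the source is exported (ruleSet is optional above).
function automationTriggers(event: unknown, ruleSets: RuleSet[]): boolean {
  if (ruleSets.length === 0) return true;
  return ruleSets.some((rs) => rs.rule.every((r) => evalRule(event, r)));
}

// The page's own rule (severity equals High) plus a second, constructed ruleSet that needs two
// conditions at once; "riskScore" is a made-up field, not part of the real alert schema.
const highSeverity: RuleSet = { rule: [
  { propertyPath: "properties.metadata.severity", propertyType: "String", operator: "Equals", expectedValue: "High" },
] };
const mediumWithHighScore: RuleSet = { rule: [
  { propertyPath: "properties.metadata.severity", propertyType: "String", operator: "Equals", expectedValue: "Medium" },
  { propertyPath: "properties.metadata.riskScore", propertyType: "Integer", operator: "GreaterThanOrEqualTo", expectedValue: "70" },
] };
// Constructed sample alert, shaped only as far as the paths above require.
const sampleAlert = { properties: { metadata: { severity: "Medium", riskScore: 85 } } };
```

With both ruleSets configured the sample alert is exported (the second ruleSet matches), while with only highSeverity it is not.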

Attributes Reference

In addition to the Arguments listed above - the following Attributes are exported:

  • id - The ID of the Security Center Automation.

Timeouts

The timeouts block allows you to specify timeouts for certain actions:

  • create - (Defaults to 30 minutes) Used when creating the Security Center Automation.
  • read - (Defaults to 5 minutes) Used when retrieving the Security Center Automation.
  • update - (Defaults to 30 minutes) Used when updating the Security Center Automation.
  • delete - (Defaults to 30 minutes) Used when deleting the Security Center Automation.

Import

Security Center Automations can be imported using the resourceId, e.g.

terraform import azurerm_security_center_automation.example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mygroup1/providers/Microsoft.Security/automations/automation1