azurermSecurityCenterAutomation
Manages Security Center Automation and Continuous Export. This resource supports three types of destination in the action block: Logic Apps, Log Analytics and Event Hubs.
Example Usage
/* Provider bindings are generated by running cdktf get.
   See https://cdk.tf/provider-generation for more details. */
import { Construct } from "constructs";
import { App, TerraformStack } from "cdktf";
import * as azurerm from "./.gen/providers/azurerm";

class SecurityCenterAutomationStack extends TerraformStack {
  constructor(scope: Construct, id: string) {
    super(scope, id);

    // The azurerm provider requires a features block, which may be empty.
    new azurerm.provider.AzurermProvider(this, "azurerm", { features: {} });

    const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
      this,
      "example",
      {
        location: "West Europe",
        name: "example-resources",
      }
    );
    // The current client configuration supplies the subscription ID used in the scopes below.
    const dataAzurermClientConfigCurrent =
      new azurerm.dataAzurermClientConfig.DataAzurermClientConfig(this, "current", {});
    const azurermEventhubNamespaceExample =
      new azurerm.eventhubNamespace.EventhubNamespace(this, "example_2", {
        capacity: 2,
        location: azurermResourceGroupExample.location,
        name: "example-namespace",
        resourceGroupName: azurermResourceGroupExample.name,
        sku: "Standard",
      });
    /* This allows the Terraform resource name to match the original name. You can remove
       the call if you don't need them to match; the same applies to the calls below. */
    azurermEventhubNamespaceExample.overrideLogicalId("example");
    const azurermEventhubExample = new azurerm.eventhub.Eventhub(this, "example_3", {
      messageRetention: 2,
      name: "acceptanceTestEventHub",
      namespaceName: azurermEventhubNamespaceExample.name,
      partitionCount: 2,
      resourceGroupName: azurermResourceGroupExample.name,
    });
    azurermEventhubExample.overrideLogicalId("example");
    // The automation only publishes to the hub, and the connectionString argument
    // requires a key with send permissions, so the key is limited to that right.
    const azurermEventhubAuthorizationRuleExample =
      new azurerm.eventhubAuthorizationRule.EventhubAuthorizationRule(this, "example_4", {
        eventhubName: azurermEventhubExample.name,
        listen: false,
        manage: false,
        name: "example-rule",
        namespaceName: azurermEventhubNamespaceExample.name,
        resourceGroupName: azurermResourceGroupExample.name,
        send: true,
      });
    azurermEventhubAuthorizationRuleExample.overrideLogicalId("example");
    const azurermSecurityCenterAutomationExample =
      new azurerm.securityCenterAutomation.SecurityCenterAutomation(this, "example_5", {
        action: [
          {
            connectionString: azurermEventhubAuthorizationRuleExample.primaryConnectionString,
            resourceId: azurermEventhubExample.id,
            type: "EventHub",
          },
        ],
        location: azurermResourceGroupExample.location,
        name: "example-automation",
        resourceGroupName: azurermResourceGroupExample.name,
        // Apply the automation to the whole current subscription.
        scopes: [`/subscriptions/${dataAzurermClientConfigCurrent.subscriptionId}`],
        source: [
          {
            eventSource: "Alerts",
            ruleSet: [
              {
                // Export only alerts whose severity is High.
                rule: [
                  {
                    expectedValue: "High",
                    operator: "Equals",
                    propertyPath: "properties.metadata.severity",
                    propertyType: "String",
                  },
                ],
              },
            ],
          },
        ],
      });
    azurermSecurityCenterAutomationExample.overrideLogicalId("example");
  }
}

const app = new App();
new SecurityCenterAutomationStack(app, "security-center-automation");
app.synth();
Arguments Reference
The following arguments are supported:
- location - (Required) The Azure Region where the Security Center Automation should exist. Changing this forces a new Security Center Automation to be created.
- name - (Required) The name which should be used for this Security Center Automation. Changing this forces a new Security Center Automation to be created.
- resourceGroupName - (Required) The name of the Resource Group where the Security Center Automation should exist. Changing this forces a new Security Center Automation to be created.
- scopes - (Required) A list of scopes on which the automation logic is applied; at least one is required. Supported scopes are a subscription (in the format /subscriptions/00000000000000000000000000000000) or a resource group under that subscription (in the format /subscriptions/00000000000000000000000000000000/resourceGroups/example). The automation will only apply on the defined scopes.
- source - (Required) One or more source blocks as defined below. A source defines what data types will be processed and a set of rules to filter that data.
- action - (Required) One or more action blocks as defined below. An action tells this automation where the data is to be sent once it has been evaluated by the rules in the source.
- description - (Optional) Specifies the description for the Security Center Automation.
- enabled - (Optional) Boolean to enable or disable this Security Center Automation. Defaults to true.
- tags - (Optional) A mapping of tags assigned to the resource.
An action block defines where the data will be exported and sent to. It supports the following:
- type - (Required) Type of Azure resource to send data to. Must be set to one of: LogicApp, EventHub or LogAnalytics (as used in the example above).
- resourceId - (Required) The resource ID of the target Logic App, Event Hub namespace or Log Analytics workspace.
- connectionString - (Optional, but required when type is EventHub) A connection string to send data to the target Event Hub namespace. This should include a key with send permissions; a key that grants only send (no listen or manage) keeps the credential least-privileged.
- triggerUrl - (Optional, but required when type is LogicApp) The callback URL to trigger the Logic App that will receive and process data sent by this automation. This can be found in the Azure Portal under "See trigger history".
A source block defines the source data in Security Center to be exported. It supports the following:
- eventSource - (Required) Type of data that will trigger this automation. Must be one of Alerts, Assessments, AssessmentsSnapshot, RegulatoryComplianceAssessment, RegulatoryComplianceAssessmentSnapshot, SecureScoreControls, SecureScoreControlsSnapshot, SecureScores, SecureScoresSnapshot, SubAssessments or SubAssessmentsSnapshot. Note: assessments are also referred to as recommendations.
- ruleSet - (Optional) A set of rules which evaluate upon event and data interception. This is defined in one or more ruleSet blocks as defined below.
~> NOTE: When multiple ruleSet blocks are provided, a logical 'OR' is applied to the evaluation of them.
A ruleSet block supports the following:
- rule - (Required) One or more rule blocks as defined below.
~> NOTE: This automation will trigger when all of the rules in this ruleSet are evaluated as 'true'. This is equivalent to a logical 'AND'.
A rule block supports the following:
- expectedValue - (Required) A value that will be compared with the value in propertyPath.
- operator - (Required) The comparison operator to use. Must be one of: Contains, EndsWith, Equals, GreaterThan, GreaterThanOrEqualTo, LesserThan, LesserThanOrEqualTo, NotEquals, StartsWith.
- propertyPath - (Required) The JPath of the entity model property that should be checked.
- propertyType - (Required) The data type of the compared operands. Must be one of: Integer, String, Boolean or Number.
~> NOTE: The schema for Security Center alerts (when eventSource is "Alerts") can be found here.
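As an added illustration (not part of the provider documentation or the provider's own code), the TypeScript below evaluates constructed sample alerts against a filter with two ruleSet blocks, showing the OR between rule sets, the AND between the rules inside one, and operands coerced according to propertyType. The lookup, coerce, evaluateRule and shouldTrigger helpers, the assumption that a source without a ruleSet exports every event, and the sample alerts are all assumptions made for this example.

```typescript
// Added example, not part of the provider docs: an evaluator mirroring the filtering semantics
// described above (ruleSets OR'ed, rules in a ruleSet AND'ed, operands coerced by propertyType).
type PropertyType = "Integer" | "String" | "Boolean" | "Number";
type Operator = "Contains" | "EndsWith" | "Equals" | "GreaterThan" | "GreaterThanOrEqualTo"
  | "LesserThan" | "LesserThanOrEqualTo" | "NotEquals" | "StartsWith";
interface Rule { expectedValue: string; operator: Operator; propertyPath: string; propertyType: PropertyType }
interface RuleSet { rule: Rule[] }
function lookup(obj: unknown, path: string): unknown { // walk a dotted path like "properties.metadata.severity"
  return path.split(".").reduce<unknown>((cur, key) =>
    cur !== null && typeof cur === "object" ? (cur as Record<string, unknown>)[key] : undefined, obj);
}
function coerce(value: unknown, type: PropertyType): string | number | boolean | undefined {
  if (value === undefined || value === null) return undefined;
  if (type === "String") return String(value);
  if (type === "Boolean") return String(value).toLowerCase() === "true";
  const n = Number(value); // Integer and Number are both compared numerically
  return Number.isNaN(n) ? undefined : n;
}
function evaluateRule(event: unknown, r: Rule): boolean {
  const actual = coerce(lookup(event, r.propertyPath), r.propertyType);
  const expected = coerce(r.expectedValue, r.propertyType);
  if (actual === undefined || expected === undefined) return false; // missing property never matches
  const ord = typeof actual === "number" && typeof expected === "number"
    ? actual - expected : String(actual).localeCompare(String(expected)); // numeric or lexical order
  switch (r.operator) {
    case "Equals": return actual === expected;
    case "NotEquals": return actual !== expected;
    case "GreaterThan": return ord > 0;
    case "GreaterThanOrEqualTo": return ord >= 0;
    case "LesserThan": return ord < 0;
    case "LesserThanOrEqualTo": return ord <= 0;
    case "Contains": return String(actual).includes(String(expected));
    case "StartsWith": return String(actual).startsWith(String(expected));
    case "EndsWith": return String(actual).endsWith(String(expected));
    default: return false;
  }
}
// Any ruleSet may fire (OR); every rule within a ruleSet must hold (AND). Assumed here: no ruleSet exports all events.
function shouldTrigger(event: unknown, ruleSets: RuleSet[]): boolean {
  return ruleSets.length === 0 || ruleSets.some((rs) => rs.rule.every((r) => evaluateRule(event, r)));
}
// Constructed filter and sample alerts: severity High, OR severity Medium with a name starting "Suspicious".
const sampleRuleSets: RuleSet[] = [
  { rule: [{ expectedValue: "High", operator: "Equals", propertyPath: "properties.metadata.severity", propertyType: "String" }] },
  { rule: [{ expectedValue: "Medium", operator: "Equals", propertyPath: "properties.metadata.severity", propertyType: "String" },
           { expectedValue: "Suspicious", operator: "StartsWith", propertyPath: "properties.alertDisplayName", propertyType: "String" }] },
];
const highAlert = { properties: { metadata: { severity: "High" }, alertDisplayName: "Login from unusual location" } };
const mediumAlert = { properties: { metadata: { severity: "Medium" }, alertDisplayName: "Suspicious process executed" } };
const lowAlert = { properties: { metadata: { severity: "Low" }, alertDisplayName: "Suspicious process executed" } };
```

Running shouldTrigger over the three sample alerts shows highAlert and mediumAlert passing (each through a different ruleSet) and lowAlert being dropped.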
Attributes Reference
In addition to the Arguments listed above, the following Attributes are exported:
- id - The ID of the Security Center Automation.
Timeouts
The timeouts block allows you to specify timeouts for certain actions:
- create - (Defaults to 30 minutes) Used when creating the Security Center Automation.
- read - (Defaults to 5 minutes) Used when retrieving the Security Center Automation.
- update - (Defaults to 30 minutes) Used when updating the Security Center Automation.
- delete - (Defaults to 30 minutes) Used when deleting the Security Center Automation.
Import
Security Center Automations can be imported using the resourceId, e.g.