From f394a614d8adad9eda21880566b97780a7a5a109 Mon Sep 17 00:00:00 2001 From: felipebbc Date: Sat, 2 Mar 2024 20:09:59 -0500 Subject: [PATCH] Added validation for alert notification set without email or RBAC role provided --- README.md | 17 ++++++++--------- modules/subscription/README.md | 19 +++++++++---------- modules/subscription/header.md | 2 +- modules/subscription/main.tf | 7 +++---- modules/subscription/variables.tf | 23 +++++++++++++++-------- variables.subscription.tf | 16 ++++++++-------- 6 files changed, 44 insertions(+), 40 deletions(-) diff --git a/README.md b/README.md index cac7f534..e96f5d0a 100644 --- a/README.md +++ b/README.md @@ -402,26 +402,25 @@ Default: `""` Description: Microsoft Defender for Cloud (DFC) contact and notification configurations -### Security Contact Information +### Security Contact Information - Determines who'll get email notifications from Defender for Cloud -- `emails`: List of email addresses which will get notifications from Microsoft Defender for Cloud. [optional - default empty] -- `phone`: The security contact's phone number. [optional - default empty] -Multiple emails can be provided in a ; separated list. Example: "john@microsoft.com;jane@microsoft.com" +- `notifications_by_role`: All users with these specific RBAC roles on the subscription will get email notifications. [optional - allowed values are: `AccountAdmin`, `ServiceAdmin`, `Owner` and `Contributor` - default empty]" +- `emails`: List of additional email addresses which will get notifications. Multiple emails can be provided in a ; separated list. Example: "john@microsoft.com;jane@microsoft.com". [optional - default empty] +- `phone`: The security contact's phone number. [optional - default empty] +> **Note**: At least one role or email address must be provided to enable alert notification. -### Notifications +### Alert Notifications -- `alert_notifications`: Defines the minimal alert severity which will be sent as email notifications. [optional - allowed values are: `Off`, `High`, `Medium` or `Low` - default `Off`] -- `notifications_by_role`: Defines whether to send email notifications from Microsoft Defender for Cloud to persons with specific RBAC roles on the subscription. [optional - allowed values are: `AccountAdmin`, `ServiceAdmin`, `Owner` and `Contributor` - default empty]" -> **Note**: Either an email address or at least one role must be set to receive notification alerts. +- `alert_notifications`: Enables email notifications and defines the minimal alert severity. [optional - allowed values are: `Off`, `High`, `Medium` or `Low` - default `Off`] Type: ```hcl object({ + notifications_by_role = optional(list(string), []) emails = optional(string, "") phone = optional(string, "") alert_notifications = optional(string, "Off") - notifications_by_role = optional(list(string), []) }) ``` diff --git a/modules/subscription/README.md b/modules/subscription/README.md index ee98b9ec..f360f25e 100644 --- a/modules/subscription/README.md +++ b/modules/subscription/README.md @@ -27,10 +27,10 @@ module "subscription" { subscription_alias_management_group_id = "mymg" subscription_dfc_contact_enabled = true subscription_dfc_contact = { + notifications_by_role = ["Owner", "Contributor"] emails = "john@microsoft.com;jane@microsoft.com" phone = "+1-555-555-5555" alert_notifications = "Medium" - notifications_by_role = ["Owner", "Contributor"] } } ``` @@ -126,26 +126,25 @@ Default: `""` Description: Microsoft Defender for Cloud (DFC) contact and notification configurations -### Security Contact Information +### Security Contact Information - Determines who'll get email notifications from Defender for Cloud -- `emails`: List of email addresses which will get notifications from Microsoft Defender for Cloud. [optional - default empty] -- `phone`: The security contact's phone number. [optional - default empty] -Multiple emails can be provided in a ; separated list. Example: "john@microsoft.com;jane@microsoft.com" +- `notifications_by_role`: All users with these specific RBAC roles on the subscription will get email notifications. [optional - allowed values are: `AccountAdmin`, `ServiceAdmin`, `Owner` and `Contributor` - default empty]" +- `emails`: List of additional email addresses which will get notifications. Multiple emails can be provided in a ; separated list. Example: "john@microsoft.com;jane@microsoft.com". [optional - default empty] +- `phone`: The security contact's phone number. [optional - default empty] +> **Note**: At least one role or email address must be provided to enable alert notification. -### Notifications +### Alert Notifications -- `alert_notifications`: Defines the minimal alert severity which will be sent as email notifications. [optional - allowed values are: `Off`, `High`, `Medium` or `Low` - default `Off`] -- `notifications_by_role`: Defines whether to send email notifications from Microsoft Defender for Cloud to persons with specific RBAC roles on the subscription. [optional - allowed values are: `AccountAdmin`, `ServiceAdmin`, `Owner` and `Contributor` - default empty]" -> **Note**: Either an email address or at least one role must be set to receive notification alerts. +- `alert_notifications`: Enables email notifications and defines the minimal alert severity. [optional - allowed values are: `Off`, `High`, `Medium` or `Low` - default `Off`] Type: ```hcl object({ + notifications_by_role = optional(list(string), []) emails = optional(string, "") phone = optional(string, "") alert_notifications = optional(string, "Off") - notifications_by_role = optional(list(string), []) }) ``` diff --git a/modules/subscription/header.md b/modules/subscription/header.md index 0e43c4f6..48ca03a1 100644 --- a/modules/subscription/header.md +++ b/modules/subscription/header.md @@ -26,10 +26,10 @@ module "subscription" { subscription_alias_management_group_id = "mymg" subscription_dfc_contact_enabled = true subscription_dfc_contact = { + notifications_by_role = ["Owner", "Contributor"] emails = "john@microsoft.com;jane@microsoft.com" phone = "+1-555-555-5555" alert_notifications = "Medium" - notifications_by_role = ["Owner", "Contributor"] } } ``` diff --git a/modules/subscription/main.tf b/modules/subscription/main.tf index 18e0554e..c1d73ea1 100644 --- a/modules/subscription/main.tf +++ b/modules/subscription/main.tf @@ -135,13 +135,12 @@ resource "azapi_resource" "subscription_dfc_contact" { alertNotifications = { state = var.subscription_dfc_contact.alert_notifications == "Off" ? var.subscription_dfc_contact.alert_notifications : "On" - minimalSeverity = var.subscription_dfc_contact.alert_notifications == "Off" ? "Low" : var.subscription_dfc_contact.alert_notifications + minimalSeverity = var.subscription_dfc_contact.alert_notifications == "Off" ? "" : var.subscription_dfc_contact.alert_notifications } - // Either an email address or at least one role must be set to receive notification alerts. notificationsByRole = { - state = var.subscription_dfc_contact.emails == "" || length(var.subscription_dfc_contact.notifications_by_role) > 0 ? "On" : "Off" - roles = var.subscription_dfc_contact.emails == "" && length(var.subscription_dfc_contact.notifications_by_role) == 0 ? ["Owner"] : var.subscription_dfc_contact.notifications_by_role + state = length(var.subscription_dfc_contact.notifications_by_role) > 0 ? "On" : "Off" + roles = var.subscription_dfc_contact.notifications_by_role } } }) diff --git a/modules/subscription/variables.tf b/modules/subscription/variables.tf index 3e38feae..87ab1967 100644 --- a/modules/subscription/variables.tf +++ b/modules/subscription/variables.tf @@ -208,26 +208,26 @@ DESCRIPTION variable "subscription_dfc_contact" { type = object({ + notifications_by_role = optional(list(string), []) emails = optional(string, "") phone = optional(string, "") alert_notifications = optional(string, "Off") - notifications_by_role = optional(list(string), []) }) default = {} description = < **Note**: At least one role or email address must be provided to enable alert notification. -### Notifications +### Alert Notifications + +- `alert_notifications`: Enables email notifications and defines the minimal alert severity. [optional - allowed values are: `Off`, `High`, `Medium` or `Low` - default `Off`] -- `alert_notifications`: Defines the minimal alert severity which will be sent as email notifications. [optional - allowed values are: `Off`, `High`, `Medium` or `Low` - default `Off`] -- `notifications_by_role`: Defines whether to send email notifications from Microsoft Defender for Cloud to persons with specific RBAC roles on the subscription. [optional - allowed values are: `AccountAdmin`, `ServiceAdmin`, `Owner` and `Contributor` - default empty]" -> **Note**: Either an email address or at least one role must be set to receive notification alerts. DESCRIPTION # validate email addresses @@ -253,4 +253,11 @@ DESCRIPTION condition = alltrue([for role in var.subscription_dfc_contact.notifications_by_role : contains(["Owner", "AccountAdmin", "Contributor", "ServiceAdmin"], role)]) error_message = "Invalid notifications_by_role. The supported RBAC roles are: AccountAdmin, ServiceAdmin, Owner, Contributor." } + + # validate that when alert notifications are enabled, an email or role is also provided + validation { + condition = (var.subscription_dfc_contact.alert_notifications == "Off" ? true : var.subscription_dfc_contact.emails != "" || length(var.subscription_dfc_contact.notifications_by_role) > 0) + error_message = "To enable alert notifications, either an email address or role must be provided." + } + } diff --git a/variables.subscription.tf b/variables.subscription.tf index cd2a5088..e084a418 100644 --- a/variables.subscription.tf +++ b/variables.subscription.tf @@ -209,26 +209,26 @@ DESCRIPTION variable "subscription_dfc_contact" { type = object({ + notifications_by_role = optional(list(string), []) emails = optional(string, "") phone = optional(string, "") alert_notifications = optional(string, "Off") - notifications_by_role = optional(list(string), []) }) nullable = false default = {} description = < **Note**: At least one role or email address must be provided to enable alert notification. + +### Alert Notifications -### Notifications +- `alert_notifications`: Enables email notifications and defines the minimal alert severity. [optional - allowed values are: `Off`, `High`, `Medium` or `Low` - default `Off`] -- `alert_notifications`: Defines the minimal alert severity which will be sent as email notifications. [optional - allowed values are: `Off`, `High`, `Medium` or `Low` - default `Off`] -- `notifications_by_role`: Defines whether to send email notifications from Microsoft Defender for Cloud to persons with specific RBAC roles on the subscription. [optional - allowed values are: `AccountAdmin`, `ServiceAdmin`, `Owner` and `Contributor` - default empty]" -> **Note**: Either an email address or at least one role must be set to receive notification alerts. DESCRIPTION }