Added validation for alert notification set without email or RBAC rol…

…e provided

README.md

@@ -402,26 +402,25 @@ Default: `""`
 
 Description: Microsoft Defender for Cloud (DFC) contact and notification configurations
 
-### Security Contact Information
+### Security Contact Information - Determines who'll get email notifications from Defender for Cloud
 
-- `emails`: List of email addresses which will get notifications from Microsoft Defender for Cloud. [optional - default empty]
-- `phone`: The security contact's phone number. [optional - default empty]  
-Multiple emails can be provided in a ; separated list. Example: "[email protected];[email protected]"
+- `notifications_by_role`: All users with these specific RBAC roles on the subscription will get email notifications.  [optional - allowed values are: `AccountAdmin`, `ServiceAdmin`, `Owner` and `Contributor` - default empty]"
+- `emails`: List of additional email addresses which will get notifications. Multiple emails can be provided in a ; separated list. Example: "[email protected];[email protected]". [optional - default empty]
+- `phone`: The security contact's phone number. [optional - default empty]
+> **Note**: At least one role or email address must be provided to enable alert notification.
 
-### Notifications
+### Alert Notifications
 
-- `alert_notifications`: Defines the minimal alert severity which will be sent as email notifications. [optional - allowed values are: `Off`, `High`, `Medium` or `Low` - default `Off`]
-- `notifications_by_role`: Defines whether to send email notifications from Microsoft Defender for Cloud to persons with specific RBAC roles on the subscription. [optional - allowed values are: `AccountAdmin`, `ServiceAdmin`, `Owner` and `Contributor` - default empty]"
-> **Note**: Either an email address or at least one role must be set to receive notification alerts.
+- `alert_notifications`: Enables email notifications and defines the minimal alert severity. [optional - allowed values are: `Off`, `High`, `Medium` or `Low` - default `Off`]
 
 Type:
 
 ```hcl
 object({
+    notifications_by_role = optional(list(string), [])
     emails                = optional(string, "")
     phone                 = optional(string, "")
     alert_notifications   = optional(string, "Off")
-    notifications_by_role = optional(list(string), [])
   })
 ```
 

modules/subscription/README.md

@@ -27,10 +27,10 @@ module "subscription" {
   subscription_alias_management_group_id = "mymg"
   subscription_dfc_contact_enabled       = true
   subscription_dfc_contact = {
+    notifications_by_role = ["Owner", "Contributor"]
     emails                = "[email protected];[email protected]"
     phone                 = "+1-555-555-5555"
     alert_notifications   = "Medium"
-    notifications_by_role = ["Owner", "Contributor"]
   }
 }
 ```
@@ -126,26 +126,25 @@ Default: `""`
 
 Description: Microsoft Defender for Cloud (DFC) contact and notification configurations
 
-### Security Contact Information
+### Security Contact Information - Determines who'll get email notifications from Defender for Cloud
 
-- `emails`: List of email addresses which will get notifications from Microsoft Defender for Cloud. [optional - default empty]
-- `phone`: The security contact's phone number. [optional - default empty]  
-Multiple emails can be provided in a ; separated list. Example: "[email protected];[email protected]"
+- `notifications_by_role`: All users with these specific RBAC roles on the subscription will get email notifications.  [optional - allowed values are: `AccountAdmin`, `ServiceAdmin`, `Owner` and `Contributor` - default empty]"
+- `emails`: List of additional email addresses which will get notifications. Multiple emails can be provided in a ; separated list. Example: "[email protected];[email protected]". [optional - default empty]
+- `phone`: The security contact's phone number. [optional - default empty]
+> **Note**: At least one role or email address must be provided to enable alert notification.
 
-### Notifications
+### Alert Notifications
 
-- `alert_notifications`: Defines the minimal alert severity which will be sent as email notifications. [optional - allowed values are: `Off`, `High`, `Medium` or `Low` - default `Off`]
-- `notifications_by_role`: Defines whether to send email notifications from Microsoft Defender for Cloud to persons with specific RBAC roles on the subscription. [optional - allowed values are: `AccountAdmin`, `ServiceAdmin`, `Owner` and `Contributor` - default empty]"
-> **Note**: Either an email address or at least one role must be set to receive notification alerts.
+- `alert_notifications`: Enables email notifications and defines the minimal alert severity. [optional - allowed values are: `Off`, `High`, `Medium` or `Low` - default `Off`]
 
 Type:
 
 ```hcl
 object({
+    notifications_by_role = optional(list(string), [])
     emails                = optional(string, "")
     phone                 = optional(string, "")
     alert_notifications   = optional(string, "Off")
-    notifications_by_role = optional(list(string), [])
   })
 ```
 

modules/subscription/header.md

@@ -26,10 +26,10 @@ module "subscription" {
   subscription_alias_management_group_id = "mymg"
   subscription_dfc_contact_enabled       = true
   subscription_dfc_contact = {
+    notifications_by_role = ["Owner", "Contributor"]
     emails                = "[email protected];[email protected]"
     phone                 = "+1-555-555-5555"
     alert_notifications   = "Medium"
-    notifications_by_role = ["Owner", "Contributor"]
   }
 }
 ```

modules/subscription/main.tf

@@ -135,13 +135,12 @@ resource "azapi_resource" "subscription_dfc_contact" {
 
       alertNotifications = {
         state           = var.subscription_dfc_contact.alert_notifications == "Off" ? var.subscription_dfc_contact.alert_notifications : "On"
-        minimalSeverity = var.subscription_dfc_contact.alert_notifications == "Off" ? "Low" : var.subscription_dfc_contact.alert_notifications
+        minimalSeverity = var.subscription_dfc_contact.alert_notifications == "Off" ? "" : var.subscription_dfc_contact.alert_notifications
       }
 
-      // Either an email address or at least one role must be set to receive notification alerts.
       notificationsByRole = {
-        state = var.subscription_dfc_contact.emails == "" || length(var.subscription_dfc_contact.notifications_by_role) > 0 ? "On" : "Off"
-        roles = var.subscription_dfc_contact.emails == "" && length(var.subscription_dfc_contact.notifications_by_role) == 0 ? ["Owner"] : var.subscription_dfc_contact.notifications_by_role
+        state = length(var.subscription_dfc_contact.notifications_by_role) > 0 ? "On" : "Off"
+        roles = var.subscription_dfc_contact.notifications_by_role
       }
     }
   })

modules/subscription/variables.tf

@@ -208,26 +208,26 @@ DESCRIPTION
 
 variable "subscription_dfc_contact" {
   type = object({
+    notifications_by_role = optional(list(string), [])
     emails                = optional(string, "")
     phone                 = optional(string, "")
     alert_notifications   = optional(string, "Off")
-    notifications_by_role = optional(list(string), [])
   })
   default     = {}
   description = <<DESCRIPTION
 Microsoft Defender for Cloud (DFC) contact and notification configurations
 
-### Security Contact Information
+### Security Contact Information - Determines who'll get email notifications from Defender for Cloud 
 
-- `emails`: List of email addresses which will get notifications from Microsoft Defender for Cloud. [optional - default empty]
+- `notifications_by_role`: All users with these specific RBAC roles on the subscription will get email notifications. [optional - allowed values are: `AccountAdmin`, `ServiceAdmin`, `Owner` and `Contributor` - default empty]"
+- `emails`: List of additional email addresses which will get notifications. Multiple emails can be provided in a ; separated list. Example: "[email protected];[email protected]". [optional - default empty]
 - `phone`: The security contact's phone number. [optional - default empty]
-Multiple emails can be provided in a ; separated list. Example: "[email protected];[email protected]"
+> **Note**: At least one role or email address must be provided to enable alert notification.
 
-### Notifications
+### Alert Notifications
+
+- `alert_notifications`: Enables email notifications and defines the minimal alert severity. [optional - allowed values are: `Off`, `High`, `Medium` or `Low` - default `Off`]
 
-- `alert_notifications`: Defines the minimal alert severity which will be sent as email notifications. [optional - allowed values are: `Off`, `High`, `Medium` or `Low` - default `Off`]
-- `notifications_by_role`: Defines whether to send email notifications from Microsoft Defender for Cloud to persons with specific RBAC roles on the subscription. [optional - allowed values are: `AccountAdmin`, `ServiceAdmin`, `Owner` and `Contributor` - default empty]"
-> **Note**: Either an email address or at least one role must be set to receive notification alerts.
 DESCRIPTION
 
   # validate email addresses
@@ -253,4 +253,11 @@ DESCRIPTION
     condition     = alltrue([for role in var.subscription_dfc_contact.notifications_by_role : contains(["Owner", "AccountAdmin", "Contributor", "ServiceAdmin"], role)])
     error_message = "Invalid notifications_by_role. The supported RBAC roles are: AccountAdmin, ServiceAdmin, Owner, Contributor."
   }
+
+  # validate that when alert notifications are enabled, an email or role is also provided 
+  validation {
+    condition     = (var.subscription_dfc_contact.alert_notifications == "Off" ? true : var.subscription_dfc_contact.emails != "" || length(var.subscription_dfc_contact.notifications_by_role) > 0)
+    error_message = "To enable alert notifications, either an email address or role must be provided."
+  }
+
 }

variables.subscription.tf

@@ -209,26 +209,26 @@ DESCRIPTION
 
 variable "subscription_dfc_contact" {
   type = object({
+    notifications_by_role = optional(list(string), [])
     emails                = optional(string, "")
     phone                 = optional(string, "")
     alert_notifications   = optional(string, "Off")
-    notifications_by_role = optional(list(string), [])
   })
   nullable    = false
   default     = {}
   description = <<DESCRIPTION
 Microsoft Defender for Cloud (DFC) contact and notification configurations
 
-### Security Contact Information
+### Security Contact Information - Determines who'll get email notifications from Defender for Cloud 
 
-- `emails`: List of email addresses which will get notifications from Microsoft Defender for Cloud. [optional - default empty]
+- `notifications_by_role`: All users with these specific RBAC roles on the subscription will get email notifications. [optional - allowed values are: `AccountAdmin`, `ServiceAdmin`, `Owner` and `Contributor` - default empty]"
+- `emails`: List of additional email addresses which will get notifications. Multiple emails can be provided in a ; separated list. Example: "[email protected];[email protected]". [optional - default empty]
 - `phone`: The security contact's phone number. [optional - default empty]
-Multiple emails can be provided in a ; separated list. Example: "[email protected];[email protected]"
+> **Note**: At least one role or email address must be provided to enable alert notification.
+
+### Alert Notifications
 
-### Notifications
+- `alert_notifications`: Enables email notifications and defines the minimal alert severity. [optional - allowed values are: `Off`, `High`, `Medium` or `Low` - default `Off`]
 
-- `alert_notifications`: Defines the minimal alert severity which will be sent as email notifications. [optional - allowed values are: `Off`, `High`, `Medium` or `Low` - default `Off`]
-- `notifications_by_role`: Defines whether to send email notifications from Microsoft Defender for Cloud to persons with specific RBAC roles on the subscription. [optional - allowed values are: `AccountAdmin`, `ServiceAdmin`, `Owner` and `Contributor` - default empty]"
-> **Note**: Either an email address or at least one role must be set to receive notification alerts.
 DESCRIPTION
 }