Added support for enabling security center per resource type at subscription level

.github/workflows/standalone-scenarios.json

@@ -103,6 +103,7 @@
     "search_service/100-search-service-both-apikeys-and-azuread",
     "search_service/101-search-service-only-api-keys",
     "search_service/102-search-service-only-azuread",
+    "security_center/101-subscription_pricing",
     "sentinel/101-automation_rule",
     "sentinel/104-ar_fusion",
     "sentinel/105-ar_ml_behavior_analytics",

examples/azuread/107-azuread-application-with-single-page-application/configuration.tfvars

@@ -56,8 +56,8 @@ azuread_applications = {
           admin_consent_description  = "Allow to administer app2."
           admin_consent_display_name = "Administer app2"
           enabled                    = true
-          type  = "Admin"
-          value = "app2"
+          type                       = "Admin"
+          value                      = "app2"
         }
       ]
     }

examples/security_center/101-subscription_pricing/configuration.tfvars

@@ -0,0 +1,22 @@
+security = {
+  security_center_subscription_pricings = {
+    vm = {
+      # Free or Standard
+      tier = "Standard"
+      # Depends on the resource_type
+      subplan = "P2"
+      # can be one of: Api, AppServices, Arm, CloudPosture, ContainerRegistry, Containers, CosmosDbs, Dns, KeyVaults, KubernetesService, OpenSourceRelationalDatabases, SqlServers, SqlServerVirtualMachines, StorageAccounts, VirtualMachines
+      resource_type = "VirtualMachines"
+      # extensions list : https://learn.microsoft.com/en-us/rest/api/defenderforcloud/pricings/get?view=rest-defenderforcloud-2024-01-01&tabs=HTTP#extension
+      extensions = {
+        agent_less_scan = {
+          name = "AgentlessVmScanning"
+        }
+      }
+    }
+    kv = {
+      tier          = "Standard"
+      resource_type = "KeyVaults"
+    }
+  }
+}

locals.tf

@@ -354,28 +354,29 @@ locals {
   object_id = coalesce(var.logged_user_objectId, var.logged_aad_app_objectId, try(data.azuread_client_config.current.object_id, null), try(data.azuread_service_principal.logged_in_app[0].object_id, null))
 
   security = {
-    disk_encryption_sets                = try(var.security.disk_encryption_sets, {})
-    dynamic_keyvault_secrets            = try(var.security.dynamic_keyvault_secrets, {})
-    keyvault_certificate_issuers        = try(var.security.keyvault_certificate_issuers, {})
-    keyvault_certificate_requests       = try(var.security.keyvault_certificate_requests, {})
-    keyvault_certificates               = try(var.security.keyvault_certificates, {})
-    keyvault_keys                       = try(var.security.keyvault_keys, {})
-    lighthouse_definitions              = try(var.security.lighthouse_definitions, {})
-    sentinel_automation_rules           = try(var.security.sentinel_automation_rules, {})
-    sentinel_watchlists                 = try(var.security.sentinel_watchlists, {})
-    sentinel_watchlist_items            = try(var.security.sentinel_watchlist_items, {})
-    sentinel_ar_fusions                 = try(var.security.sentinel_ar_fusions, {})
-    sentinel_ar_ml_behavior_analytics   = try(var.security.sentinel_ar_ml_behavior_analytics, {})
-    sentinel_ar_ms_security_incidents   = try(var.security.sentinel_ar_ms_security_incidents, {})
-    sentinel_ar_scheduled               = try(var.security.sentinel_ar_scheduled, {})
-    sentinel_dc_aad                     = try(var.security.sentinel_dc_aad, {})
-    sentinel_dc_app_security            = try(var.security.sentinel_dc_app_security, {})
-    sentinel_dc_aws                     = try(var.security.sentinel_dc_aws, {})
-    sentinel_dc_azure_threat_protection = try(var.security.sentinel_dc_azure_threat_protection, {})
-    sentinel_dc_ms_threat_protection    = try(var.security.sentinel_dc_ms_threat_protection, {})
-    sentinel_dc_office_365              = try(var.security.sentinel_dc_office_365, {})
-    sentinel_dc_security_center         = try(var.security.sentinel_dc_security_center, {})
-    sentinel_dc_threat_intelligence     = try(var.security.sentinel_dc_threat_intelligence, {})
+    disk_encryption_sets                  = try(var.security.disk_encryption_sets, {})
+    dynamic_keyvault_secrets              = try(var.security.dynamic_keyvault_secrets, {})
+    keyvault_certificate_issuers          = try(var.security.keyvault_certificate_issuers, {})
+    keyvault_certificate_requests         = try(var.security.keyvault_certificate_requests, {})
+    keyvault_certificates                 = try(var.security.keyvault_certificates, {})
+    keyvault_keys                         = try(var.security.keyvault_keys, {})
+    lighthouse_definitions                = try(var.security.lighthouse_definitions, {})
+    security_center_subscription_pricings = try(var.security.security_center_subscription_pricings, {})
+    sentinel_automation_rules             = try(var.security.sentinel_automation_rules, {})
+    sentinel_watchlists                   = try(var.security.sentinel_watchlists, {})
+    sentinel_watchlist_items              = try(var.security.sentinel_watchlist_items, {})
+    sentinel_ar_fusions                   = try(var.security.sentinel_ar_fusions, {})
+    sentinel_ar_ml_behavior_analytics     = try(var.security.sentinel_ar_ml_behavior_analytics, {})
+    sentinel_ar_ms_security_incidents     = try(var.security.sentinel_ar_ms_security_incidents, {})
+    sentinel_ar_scheduled                 = try(var.security.sentinel_ar_scheduled, {})
+    sentinel_dc_aad                       = try(var.security.sentinel_dc_aad, {})
+    sentinel_dc_app_security              = try(var.security.sentinel_dc_app_security, {})
+    sentinel_dc_aws                       = try(var.security.sentinel_dc_aws, {})
+    sentinel_dc_azure_threat_protection   = try(var.security.sentinel_dc_azure_threat_protection, {})
+    sentinel_dc_ms_threat_protection      = try(var.security.sentinel_dc_ms_threat_protection, {})
+    sentinel_dc_office_365                = try(var.security.sentinel_dc_office_365, {})
+    sentinel_dc_security_center           = try(var.security.sentinel_dc_security_center, {})
+    sentinel_dc_threat_intelligence       = try(var.security.sentinel_dc_threat_intelligence, {})
   }
 
   shared_services = {

modules/security/security_center/subscription_pricing/main.tf

@@ -0,0 +1,17 @@
+resource "azurerm_security_center_subscription_pricing" "pricing" {
+  # Free or Standard
+  tier = var.tier
+  # Depends on the resource_type
+  subplan = try(var.subplan, null)
+  # can be one of: Api, AppServices, Arm, CloudPosture, ContainerRegistry, Containers, CosmosDbs, Dns, KeyVaults, KubernetesService, OpenSourceRelationalDatabases, SqlServers, SqlServerVirtualMachines, StorageAccounts, VirtualMachines
+  resource_type = var.resource_type
+
+  # extensions list : https://learn.microsoft.com/en-us/rest/api/defenderforcloud/pricings/get?view=rest-defenderforcloud-2024-01-01&tabs=HTTP#extension
+  dynamic "extension" {
+    for_each = coalesce(var.extensions, {})
+    content {
+      name                            = extension.value.name
+      additional_extension_properties = try(extension.value.additional_extension_properties, null)
+    }
+  }
+}

modules/security/security_center/subscription_pricing/output.tf

@@ -0,0 +1,3 @@
+output "id" {
+  value = azurerm_security_center_subscription_pricing.pricing.id
+}

modules/security/security_center/subscription_pricing/variables.tf

@@ -0,0 +1,6 @@
+variable "tier" {}
+variable "subplan" {}
+variable "resource_type" {}
+variable "extensions" {
+  default = null
+}

security_center_subscription_pricing.tf

@@ -0,0 +1,9 @@
+module "security_center_subscription_pricings" {
+  source   = "./modules/security/security_center/subscription_pricing"
+  for_each = try(local.security.security_center_subscription_pricings, {})
+
+  tier          = each.value.tier
+  subplan       = try(each.value.subplan, null)
+  resource_type = each.value.resource_type
+  extensions    = try(each.value.extensions, null)
+}