Execute block of code in terraform if name of sentinel alert is equal to specific alert name rule

resource "azurerm_sentinel_alert_rule_scheduled" "alert_rule_scheduled_templated" {
  depends_on                 = [time_sleep.sleep_60_sec]
  for_each                   = toset(var.templated_alert_rule_templates)
  log_analytics_workspace_id = data.azurerm_log_analytics_workspace.log_analytics.id
  name                       = each.key
  display_name               = each.key
  severity                   = data.azurerm_sentinel_alert_rule_template.alert_rule_templates[each.key].scheduled_template.0.severity
  query                      = data.azurerm_sentinel_alert_rule_template.alert_rule_templates[each.key].scheduled_template.0.query
  query_frequency            = data.azurerm_sentinel_alert_rule_template.alert_rule_templates[each.key].scheduled_template.0.query_frequency
  query_period               = data.azurerm_sentinel_alert_rule_template.alert_rule_templates[each.key].scheduled_template.0.query_period
  tactics                    = data.azurerm_sentinel_alert_rule_template.alert_rule_templates[each.key].scheduled_template.0.tactics
  trigger_operator           = data.azurerm_sentinel_alert_rule_template.alert_rule_templates[each.key].scheduled_template.0.trigger_operator
  trigger_threshold          = data.azurerm_sentinel_alert_rule_template.alert_rule_templates[each.key].scheduled_template.0.trigger_threshold
}

Those properties exist in all templates. I want to add custom properties that are not from templates. I have a variable that I want to use to do something similar to this: if each.key in loc.alert_names: loc.rule_map[each.key] I am thinking of alert names that look like this:

rule_map = {
  "rule_1" = {
    entity_type = "Host"
    field_mappings = [
      {
        identifier  = "HostName"
        column_name = "Computer"
      },
      {
        identifier  = "NTDomain"
        column_name = "DomainName"
      }
    ]
  },
  "rule_2" = {
    entity_type = "AnotherEntityType"
    field_mappings = [
      # Another set of field mappings
    ]
  }
}

I tried to find a way to add properties in a custom way in HCL. I am new to this and I am trying to find some way to use Python-like if statements or some workaround.


There are 1 answers

Roelof On

If I understand correctly, you want to supply flexible values to the 'severity', 'query' etc. values.

One way to do it would be to create a module of the 'azurerm_sentinel_alert_rule_scheduled' resource and pass it different templates.

That way you can loop over the templates and keep the logic for reading out the variables inside the module. Here is an example with null resources, just to show the structure.

The logic for setting custom values in the templates then has to happen inside the "locals" block. The 'mock_data_value2' would for your code then be filled with values from data resources.

Another way would be to use the 'count' argument and determine if you want to call the module based on an input variable (see example 5a+b).

(In order to experiment with this example, change the trigger value so that it recreates the null resource module.)

folder tree:


TF code, module:

variable "trigger" {
    type = string
}
variable "template" {
    type = object({
        var1 = string
        var2 = string
        var3 = string
    })
}


# a terraform null resource
resource "null_resource" "implemtation" {
    triggers = {
        trigger_value = var.trigger
    }
    
    # this is the code that will be executed when the resource is created
    provisioner "local-exec" {
        command = "echo ${var.template.var1}, ${var.template.var2}, ${var.template.var3}"
    }
}

TF code, in root, calling the module:

locals {
  mock_data_value1 = "mock_data_value1"
  mock_data_value2 = "mock_data_value1"

  templates = {
    template = {
      var1 = local.mock_data_value1 != local.mock_data_value2 ? "no-match" : "match"
      var2 = "value2"
      var3 = "value3"
    }
    template2 = {
      var1 = "temp2-1"
      var2 = "temp2-2"
      var3 = "temp2-3"
    }
  }
}

output "conditional-test" {
  value = local.templates.template.var1
}

# looping
module "example3" {
  for_each = local.templates
  source   = "./module"
  trigger  = "trigger_value1"
  template = each.value
}

# you can also call them individually
module "example4" {
  source   = "./module"
  trigger  = "trigger_value1"
  template = local.templates.template2
}

# Or you could call the module twice, both with a conditional and feed different templates
module "example5a" {
  count    = local.mock_data_value1 == "" ? 0 : 1  # create this resource if the mock value 1 is not empty
  source   = "./module"
  trigger  = "trigger_value1"
  template = local.templates.template2
}

module "example5b" {
  count    = local.mock_data_value2 == "" ? 0 : 1 # create this resource if the mock value 2 is not empty
  source   = "./module"
  trigger  = "trigger_value1"
  template = local.templates.template2
}

looped OUT

module.example3["template2"].null_resource.implemtation (local-exec): temp2-1, temp2-2, temp2-3
module.example3["template"].null_resource.implemtation (local-exec): value1, value2, value3

single example OUT

module.example4.null_resource.implemtation (local-exec): temp2-1, temp2-2, temp2-3
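
The "if each.key in rule_map" behaviour asked about in the question can also be written directly on the Sentinel resource with nested dynamic blocks; this is an added example, not code from the question or the answer above. It assumes the question's variable, data sources and time_sleep resource already exist, and the rule_map content is a constructed sample.

```hcl
locals {
  # Constructed sample, shaped like the rule_map in the question.
  # Keys must match entries of var.templated_alert_rule_templates.
  rule_map = {
    "rule_1" = {
      entity_type = "Host"
      field_mappings = [
        { identifier = "HostName", column_name = "Computer" },
        { identifier = "NTDomain", column_name = "DomainName" },
      ]
    }
  }
}

resource "azurerm_sentinel_alert_rule_scheduled" "alert_rule_scheduled_templated" {
  depends_on                 = [time_sleep.sleep_60_sec]
  for_each                   = toset(var.templated_alert_rule_templates)
  log_analytics_workspace_id = data.azurerm_log_analytics_workspace.log_analytics.id
  name                       = each.key
  display_name               = each.key
  severity                   = data.azurerm_sentinel_alert_rule_template.alert_rule_templates[each.key].scheduled_template[0].severity
  query                      = data.azurerm_sentinel_alert_rule_template.alert_rule_templates[each.key].scheduled_template[0].query
  query_frequency            = data.azurerm_sentinel_alert_rule_template.alert_rule_templates[each.key].scheduled_template[0].query_frequency
  query_period               = data.azurerm_sentinel_alert_rule_template.alert_rule_templates[each.key].scheduled_template[0].query_period
  tactics                    = data.azurerm_sentinel_alert_rule_template.alert_rule_templates[each.key].scheduled_template[0].tactics
  trigger_operator           = data.azurerm_sentinel_alert_rule_template.alert_rule_templates[each.key].scheduled_template[0].trigger_operator
  trigger_threshold          = data.azurerm_sentinel_alert_rule_template.alert_rule_templates[each.key].scheduled_template[0].trigger_threshold

  # Emits one entity_mapping block when each.key is a key of rule_map and
  # no block otherwise. Filtering with a for expression avoids the type
  # mismatch a "cond ? [obj] : []" conditional can hit with differing objects.
  dynamic "entity_mapping" {
    for_each = [for rule_name, mapping in local.rule_map : mapping if rule_name == each.key]
    content {
      entity_type = entity_mapping.value.entity_type

      # One field_mapping block per entry in the rule's field_mappings list.
      dynamic "field_mapping" {
        for_each = entity_mapping.value.field_mappings
        content {
          identifier  = field_mapping.value.identifier
          column_name = field_mapping.value.column_name
        }
      }
    }
  }
}
```

Rules whose names are absent from rule_map are deployed exactly as their template defines them; run terraform plan to confirm which instances gain an entity_mapping block before applying.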