Tags: terraform, azure-logic-apps, azure-rm

Azure connect MS defender to Logic app using terraform


I am trying to connect MS Defender for Cloud to a logic app which will post the alerts to a URL. I could do the manual setup without any issue, but I am struggling to find the appropriate terraform resources to do it in an IaC way. Here is the current setup:

resource "azurerm_logic_app_workflow" "logic-app" {
  location            = var.location
  name                = "logic-app-from-tf"
  resource_group_name = var.rg_name
}

resource "azurerm_logic_app_action_http" "action" {
  logic_app_id = azurerm_logic_app_workflow.logic-app.id
  method       = "POST"
  name         = "alert-action"
  uri          = "<URL>"
}

resource "azurerm_logic_app_trigger_custom" "trigger" {
  logic_app_id = azurerm_logic_app_workflow.logic-app.id
  name         = "When_an_Microsoft_Defender_for_Cloud_Alert_is_created_or_triggered"
  body         = jsonencode(
    {
      "type": "ApiConnectionWebhook",
      "inputs": {
        "host": {
          "connection": {
            "referenceName": "ascalert"
          }
        },
        "body": {
          "callback_url": "@{listCallbackUrl()}"
        },
        "path": "/Microsoft.Security/Alert/subscribe"
      }
    }
  )
}

resource "azurerm_security_center_automation" "workflow-automation" {
  name                = "workflow-from-tf"
  location            = var.location
  resource_group_name = var.rg_name


  action {
    trigger_url = "<URL>"
    resource_id = azurerm_logic_app_workflow.logic-app.id
    type        = "logicapp"
  }

  source {
    event_source = "Alerts"
    rule_set {
      rule {
        # this part is also not working, I don't know why ...
        property_path  = "properties.metadata.severity"
        operator       = "Equals"
        expected_value = "High"
        property_type  = "String"
      }
    }
  }

  scopes = ["/subscriptions/${var.subscription_id}"]
}

This created the logic app, it also creates the workflow automation in the MS Defender but it fails to create the logic app workflow in the designer. I compared the generated code both from the manual setup and the terraform setup and here is what I found:

{
  "definition": {
    "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
    "actions": {
      "alert-action": {
        "type": "Http",
        "inputs": {
          "uri": "<url>",
          "method": "POST",
          "headers": {},
          "queries": {}
        },
        "runAfter": {}
      }
    },
    "contentVersion": "1.0.0.0",
    "outputs": {},
    "triggers": {
      "When_a_Microsoft_Defender_for_Cloud_alert_is_created_or_triggered": {
        "type": "ApiConnectionWebhook",
        "inputs": {
          "host": {
            "connection": {
              "referenceName": "ascalert"
            }
          },
          "body": {
            "callback_url": "@{listCallbackUrl()}"
          },
          "path": "/Microsoft.Security/Alert/subscribe"
        }
      }
    }
  },
  # This block is empty in the terraform generated code
  "connectionReferences": {
    "ascalert": {
      "api": {
        "id": "/subscriptions/<sub_id>/providers/Microsoft.Web/locations/centralus/managedApis/ascalert"
      },
      "connection": {
        "id": "/subscriptions/<sub-id>/resourceGroups/<rg-name>/providers/Microsoft.Web/connections/ascalert"
      },
      "connectionName": "ascalert"
    }
  },
  "parameters": {}
}

So the connectionReferences block is empty in the terraform generated code. I tried using the following resource, but it did not change anything; the block remains empty.

resource "azurerm_api_connection" "connection" {
  managed_api_id      = "/subscriptions/<sub_id>/providers/Microsoft.Web/locations/centralus/managedApis/ascalert"
  name                = "ascalert"
  resource_group_name = var.rg_name
} 

Any ideas what I am doing wrong? Which resource should I use to have the connectionReferences?

I am using terraform 1.2.4 and azurerm provider 3.29.0


Solution

  • I found an answer in a GitHub bug https://github.com/hashicorp/terraform-provider-azurerm/issues/21120

    For me the following changes are working:

    resource "azurerm_logic_app_workflow" "logic-app" {
      location            = var.location
      name                = "logic-app-from-tf"
      resource_group_name = var.rg_name
    
      # Declare the $connections parameter in the workflow definition
      workflow_parameters = {
        "$connections" = jsonencode(
          {
            defaultValue = {}
            type         = "Object"
          }
        )
      }
    
      # Supply its value; the key must match the "referenceName" used in the trigger body
      parameters = {
        "$connections" = jsonencode({
          "ascalert" = {
            "connectionId"   = "<connection_id>" # the Microsoft.Web/connections/ascalert resource id
            "connectionName" = "ascalert"
            "id"             = "<id>"            # the Microsoft.Web/locations/<region>/managedApis/ascalert id
          }
        })
      }
    }
    

    This created the missing connection, and then the workflow was working like the manually created one.
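The question's resources wired together with the answer's `$connections` fix, as an added example that is not code from the original question, the answer or the azurerm provider. It assumes a `var.alert_webhook_url` variable for the HTTP target (hypothetical; the page only shows `<URL>`), that the `azurerm_managed_api` data source and the `callback_url` attribute of `azurerm_logic_app_trigger_custom` are available in your provider version, and it carries the severity rule over from the question unchanged rather than claiming it resolves the filtering issue mentioned there.

```hcl
# Added example: Defender for Cloud alerts -> Logic App -> HTTP POST, with the
# API connection referenced from the workflow so connectionReferences is populated.
# Assumptions (not from the page): var.alert_webhook_url, the azurerm_managed_api
# data source and the trigger's callback_url attribute in your provider version.

locals {
  # This name is used in three places and must be identical in all of them:
  # the connection resource, the "$connections" key and the trigger's referenceName.
  connection_name = "ascalert"
}

# Resolves the managed connector id for the region, instead of hard-coding
# ".../locations/centralus/managedApis/ascalert" as in the question.
data "azurerm_managed_api" "ascalert" {
  name     = "ascalert"
  location = var.location
}

resource "azurerm_api_connection" "ascalert" {
  name                = local.connection_name
  resource_group_name = var.rg_name
  managed_api_id      = data.azurerm_managed_api.ascalert.id
}

resource "azurerm_logic_app_workflow" "logic-app" {
  name                = "logic-app-from-tf"
  location            = var.location
  resource_group_name = var.rg_name

  # Declares the $connections parameter in the workflow definition.
  workflow_parameters = {
    "$connections" = jsonencode({
      type         = "Object"
      defaultValue = {}
    })
  }

  # Supplies its value; this is what fills the connectionReferences block.
  parameters = {
    "$connections" = jsonencode({
      (local.connection_name) = {
        connectionId   = azurerm_api_connection.ascalert.id
        connectionName = azurerm_api_connection.ascalert.name
        id             = data.azurerm_managed_api.ascalert.id
      }
    })
  }
}

resource "azurerm_logic_app_trigger_custom" "trigger" {
  name         = "When_a_Microsoft_Defender_for_Cloud_alert_is_created_or_triggered"
  logic_app_id = azurerm_logic_app_workflow.logic-app.id
  body = jsonencode({
    type = "ApiConnectionWebhook"
    inputs = {
      host = { connection = { referenceName = local.connection_name } }
      body = { callback_url = "@{listCallbackUrl()}" }
      path = "/Microsoft.Security/Alert/subscribe"
    }
  })
}

resource "azurerm_logic_app_action_http" "action" {
  name         = "alert-action"
  logic_app_id = azurerm_logic_app_workflow.logic-app.id
  method       = "POST"
  uri          = var.alert_webhook_url # assumed variable, see lead-in
}

resource "azurerm_security_center_automation" "workflow-automation" {
  name                = "workflow-from-tf"
  location            = var.location
  resource_group_name = var.rg_name
  scopes              = ["/subscriptions/${var.subscription_id}"]

  action {
    type        = "logicapp"
    resource_id = azurerm_logic_app_workflow.logic-app.id
    # The trigger's callback URL (assumed attribute) replaces the "<URL>" placeholder.
    trigger_url = azurerm_logic_app_trigger_custom.trigger.callback_url
  }

  source {
    event_source = "Alerts"
    rule_set {
      rule {
        # Copied from the question; the page does not say whether this filter works.
        property_path  = "properties.metadata.severity"
        operator       = "Equals"
        expected_value = "High"
        property_type  = "String"
      }
    }
  }
}
```

Two practitioner notes: the trigger callback URL is a bearer-style secret (anyone holding it can invoke the workflow), and once it is read from the trigger it lives in the Terraform state and plan output, so treat the state backend as sensitive. Second, if the `referenceName` in the trigger body and the key under `$connections` ever drift apart, the designer shows exactly the symptom from the question (an empty or unresolved connection), which is why the example derives all three from one local.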