Azure / terraform-azurerm-caf-enterprise-scale

Azure landing zones Terraform module
https://aka.ms/alz/tf
MIT License

Defender for Cloud and new plans #789

Open endreigesund opened 1 year ago

endreigesund commented 1 year ago

Description

New plans available in Defender for Cloud: [image]

We use policies / settings from the module to enable MDFC on subscriptions. Using the parameters for configuring management resources: https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/blob/main/README.md#-configure_management_resources.

Is there any plan on when/if you will switch the policies to use new plans?

Would it be possible to have all available plans in the input parameter for configuring management resources?

    enable_defender_for_storage_oldplan = optional(bool, true)
    enable_defender_for_storage_newplan = optional(bool, false)

Additional context

I have checked and can confirm that built-in policy definitions exist for both plans: [image]

JefferyMitchell commented 1 year ago

@Springstone Can you take a look at this one.

SteveBurkettNZ commented 11 months ago

Defender for Storage is an annoying one. The new plan (priced per storage account) can be 10x more expensive than the classic plan (price based on transactions) for small low-usage storage accounts (Cloud Shell is a good case!). It'd be nice to still maintain that option to pick and choose between.

eehret commented 5 months ago

We are actively trying to find a way to basically revert what was done in https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/blob/997225947299e1b130555ee29a1b60d1ad32b3e0/modules/archetypes/lib/policy_set_definitions/policy_set_definition_es_deploy_mdfc_config.tmpl.json#L297 due to a concern about the cost of the newer plan.

It seems like the most straightforward way for me to do that right now, barring some other way to configure this in the future, would be to set 'enable_defender_for_storage' to false in custom management settings and then extend the root archetype to include a 'policy_assignment' for the classic policy instead.

I'm not a guru with this stuff by any means, so really hoping someone more experienced could let me know if what I'm thinking of doing makes sense :)
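The workaround described in the comment above, written out as an added example (this is not code from the issue or from the module's own repository): the module's `configure_management_resources` input keeps the MDFC policy set but turns off `enable_defender_for_storage`, and a custom library directory extends the `es_root` archetype with one extra policy assignment pointing at the classic plan's built-in definition. Assumptions: the module source, the `library_path` / `archetype_extension_es_root.tmpl.json` file layout and the `${current_scope_resource_id}` / `${default_location}` template variables follow the module's documented library conventions; the root id, names and the policy definition ID are placeholders (the issue does not give the classic plan's definition GUID, so look it up from the built-in definition shown in the portal and substitute it before applying).

```hcl
# Added example, not the project's code. Replace every <PLACEHOLDER> before use.

data "azurerm_client_config" "core" {}

module "enterprise_scale" {
  source = "Azure/caf-enterprise-scale/azurerm"
  # version = "<PIN_TO_THE_MODULE_VERSION_YOU_ALREADY_RUN>"

  root_parent_id = data.azurerm_client_config.core.tenant_id
  root_id        = "<ROOT_ID>"   # placeholder, e.g. your existing root_id
  root_name      = "<ROOT_NAME>" # placeholder
  library_path   = "${path.root}/lib" # custom archetype library (files below)

  deploy_management_resources = true
  subscription_id_management  = var.subscription_id_management

  configure_management_resources = {
    settings = {
      security_center = {
        enabled = true
        config = {
          # Keep the module-managed MDFC policy set, but stop it from enabling
          # the per-storage-account (new) Defender for Storage plan. The classic
          # plan is assigned separately via the root archetype extension.
          enable_defender_for_storage = false
        }
      }
    }
  }
}

# ---------------------------------------------------------------------------
# lib/archetype_extension_es_root.tmpl.json
# Adds one policy assignment to the built-in es_root archetype without
# replacing anything the module already assigns there.
# ---------------------------------------------------------------------------
# {
#   "extend_es_root": {
#     "policy_assignments": ["Deploy-MDFC-Storage-Classic"],
#     "policy_definitions": [],
#     "policy_set_definitions": [],
#     "role_definitions": [],
#     "archetype_config": {
#       "parameters": {},
#       "access_control": {}
#     }
#   }
# }
#
# ---------------------------------------------------------------------------
# lib/policy_assignments/policy_assignment_es_deploy_mdfc_storage_classic.tmpl.json
# Assigns the built-in definition for the classic (transaction-priced) plan.
# A system-assigned identity is needed because the definition's effect
# deploys a resource (DeployIfNotExists) rather than only auditing.
# ---------------------------------------------------------------------------
# {
#   "name": "Deploy-MDFC-Storage-Classic",
#   "type": "Microsoft.Authorization/policyAssignments",
#   "apiVersion": "2019-09-01",
#   "properties": {
#     "description": "Enable the classic Defender for Storage plan on subscriptions under the root management group.",
#     "displayName": "Configure Microsoft Defender for Storage (Classic) to be enabled",
#     "notScopes": [],
#     "parameters": {},
#     "policyDefinitionId": "/providers/Microsoft.Authorization/policyDefinitions/<CLASSIC_DEFENDER_FOR_STORAGE_DEFINITION_ID>",
#     "scope": "${current_scope_resource_id}",
#     "enforcementMode": "Default"
#   },
#   "location": "${default_location}",
#   "identity": { "type": "SystemAssigned" }
# }
```

Run `terraform plan` after adding the library files and confirm two things before applying: the plan shows the module's existing `Deploy-MDFC-Config` assignment being updated in place (the storage parameter flipping, nothing destroyed) and exactly one new assignment being created at the root scope. If the plan instead wants to recreate or remove other root assignments, the extension file has replaced rather than extended the archetype and should be corrected first.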