Azure / terraform-azurerm-lz-vending

Terraform module to deploy landing zone subscriptions (and much more) in Azure
https://registry.terraform.io/modules/Azure/lz-vending/azurerm
MIT License

feat: MSDFC pricing plan and subplan #136

Open LaurentLesle opened 1 year ago

LaurentLesle commented 1 year ago

Description

Some Security Center resource types, like virtual machines or storage accounts, can be customised with a subplan to adjust the pricing of that service.

As of today the following subplans are supported:

In the current implementation there is a boolean value to enable or disable the service.

  // Management resources
  deploy_management_resources = true
  configure_management_resources = {
    advanced = null
    location = ""
    settings = {
      log_analytics = {
        # removed for clarity
      }
      security_center = {
        config = {
          email_security_contact             = "email@domain.com"
          enable_defender_for_app_services   = true
          enable_defender_for_arm            = true
          enable_defender_for_containers     = true
          enable_defender_for_dns            = true
          enable_defender_for_key_vault      = true
          enable_defender_for_oss_databases  = true
          enable_defender_for_servers        = true
          enable_defender_for_sql_server_vms = true
          enable_defender_for_sql_servers    = true
          enable_defender_for_storage        = true
        }
        enabled = true
      }
    }
    tags = null
  }

Describe the solution you'd like

Customise the pricing at the platform landingzone level
Customise the pricing at the landingzone or sub-level

Additional context

LaurentLesle commented 1 year ago

wrong repo

LaurentLesle commented 1 year ago

Reopened as per conversations with @krowlandson

krowlandson commented 1 year ago

Adding cross-reference to related conversation:

As this is a per-Subscription setting, suggestion is to use the azurerm_security_center_subscription_pricing resource to enable this as part of lz-vending process. We will look at policy options in the caf-enterprise-scale module.

matt-FFFFFF commented 1 year ago

Thanks both. We will add it to the backlog!

LeegacySystem commented 1 year ago

As the azurerm_security_center_subscription_pricing does not take the subscription ID as an argument I would assume that something like this would have to be done with the azapi provider rather than azurerm?

I did consider having Defender for Cloud be configured via a new 'Defender' submodule as part of the LZ vending machine. The only thing putting me off that idea is that I'm not as familiar with the azapi terraform provider so I'm not sure if that is the best approach and what challenges it might bring.

Even if I could be pointed in the right direction I might be able to get something working and contribute back here.
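To illustrate the two approaches discussed in this thread (the azurerm_security_center_subscription_pricing resource with its subplan argument, and the azapi provider when the target subscription must be passed explicitly), here is an added example. It is not code from this module or from any commenter. It assumes an azurerm provider version that exposes the subplan argument, azapi 1.x (string body), Terraform >= 1.3 for optional() object attributes, and the Microsoft.Security/pricings API version shown; the plan/subplan values in the default map are illustrative and should be checked against the current Defender for Cloud plan list before use. The per-plan tier/subplan map replaces the enable_defender_for_* booleans from the issue description so that pricing, not just on/off, is declared per landing zone.

```hcl
# Added example, not part of the lz-vending module. Pick ONE of the two
# resource blocks below for a given subscription; both manage the same
# Defender for Cloud pricing setting and would fight each other.

terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm" }
    azapi   = { source = "Azure/azapi" }
  }
}

# Hypothetical input: the subscription vended for this landing zone.
variable "landing_zone_subscription_id" {
  type = string
}

# Hypothetical input: Defender plan -> pricing tier and optional subplan.
# Keys are the Defender for Cloud resource types; values are illustrative.
variable "defender_plans" {
  type = map(object({
    tier    = string
    subplan = optional(string)
  }))
  default = {
    VirtualMachines = { tier = "Standard", subplan = "P2" }
    StorageAccounts = { tier = "Standard", subplan = "DefenderForStorageV2" }
    KeyVaults       = { tier = "Standard" }
  }
}

# Option A: azurerm resource. It has no subscription_id argument and applies
# to whichever subscription the provider configuration points at, so a
# per-landing-zone deployment needs one aliased provider per subscription.
provider "azurerm" {
  alias           = "lz"
  subscription_id = var.landing_zone_subscription_id
  features {}
}

resource "azurerm_security_center_subscription_pricing" "this" {
  for_each      = var.defender_plans
  provider      = azurerm.lz
  resource_type = each.key
  tier          = each.value.tier
  subplan       = each.value.subplan # null when the plan has no subplan
}

# Option B: azapi resource. The subscription is part of parent_id, so the
# same provider configuration can set pricing on any vended subscription
# the caller has rights to, with no provider alias per subscription.
resource "azapi_resource" "defender_pricing" {
  for_each  = var.defender_plans
  type      = "Microsoft.Security/pricings@2023-01-01" # assumed API version
  name      = each.key
  parent_id = "/subscriptions/${var.landing_zone_subscription_id}"

  # Only send subPlan when one is configured; the API rejects unknown
  # subplans, so omitting the key is safer than sending null.
  body = jsonencode({
    properties = merge(
      { pricingTier = each.value.tier },
      each.value.subplan == null ? {} : { subPlan = each.value.subplan }
    )
  })
}
```

In a vending module the azapi form is the natural fit because it can be driven straight from the same per-subscription map as the rest of the landing zone, whereas the azurerm form requires a provider alias that cannot be generated dynamically inside a for_each. In either case, run terraform plan after the first apply to confirm the pricing tier and subplan reported by the API match what was declared; drift here means a landing zone silently running with less Defender coverage than intended.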