Sentinel Threat Ingelligence Data Connector failing due to weird value introduced in tipLookbackPeriod

[alfredomagallon]

Is there an existing issue for this?

• [X] I have searched the existing issues

Community Note

• Please vote on this issue by adding a :thumbsup: reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

1.1.5

AzureRM Provider Version

3.35.0

Affected Resource(s)/Data Source(s)

azurerm_sentinel_data_connector_threat_intelligence

Terraform Configuration Files

resource "azurerm_sentinel_data_connector_threat_intelligence" "threat_intelligence" {
  name                       = "threat_intelligence_connector"
  log_analytics_workspace_id = azurerm_log_analytics_solution.log_analytics_workspace_solution.workspace_resource_id
  lifecycle {
    ignore_changes = [
      log_analytics_workspace_id
    ]
  }
}

Debug Output/Panic Output

│ Error: retrieving Data Connector: (Name "threat_intelligence_connector" / Workspace Name "<workspace-name>" / Resource Group "<rg-name>"): securityinsight.DataConnectorsClient#Get: Failure responding to request: StatusCode=200 -- Original Error: Error occurred unmarshalling JSON - Error = 'parsing time "\"1/1/0001 12:00:00 AM +00:00\"" as "\"200***-01-02T15:04:05.999999999Z07:00\"": cannot parse "0001 12:00:00 AM +00:00\"" as "200***"' JSON = '***"id":"/subscriptions/***/resourceGroups/<rg-name>/providers/Microsoft.OperationalInsights/workspaces<roskapce-name>/providers/Microsoft.SecurityInsights/dataConnectors/threat_intelligence_connector","name":"threat_intelligence_connector","etag":"<etag>","type":"Microsoft.SecurityInsights/dataConnectors","kind":"ThreatIntelligence","properties":***"tipLookbackPeriod":"1/1/0001 12:00:00 AM +00:00","dataTypes":***"indicators":***"state":"enabled"***,"tenantId":"***"***'

Expected Behaviour

As the data connector is already setup and running, the terraform code should have just pass without doing nothing.

Actual Behaviour

It errored with the message above

Steps to Reproduce

Seems like the problem is that the field tipLookbackPeriod in the data connector changed from value null to value 1/1/0001 12:00:00 AM +00:00 and the provider is not able to cope with that value.

We reproduce it with any of our sentinels that have this Data Connector connected with the simple code above (that creates the resource if it does not exist and just should pass when it already exists)

Important Factoids

No response

References

No response

[alfredomagallon]

az sentinel data-connector list -g <rg-name> -w <workspace-name> ...

  {
    "dataTypes": {
      "indicators": {
        "state": "enabled"
      }
    },
    "etag": "<etag>",
    "id": "/subscriptions/<sub-id>/resourceGroups/<rg-name>/providers/Microsoft.OperationalInsights/workspaces/<workspace-name>/providers/Microsoft.SecurityInsights/dataConnectors/threat_intelligence_connector",
    "kind": "ThreatIntelligence",
    "name": "threat_intelligence_connector",
    "resourceGroup": "<rg-name>",
    "tenantId": "<tenant-id>",
    **"tipLookbackPeriod": "1/1/0001 12:00:00 AM +00:00",**
    "type": "Microsoft.SecurityInsights/dataConnectors"
  },

[ziyeqf]

Hi @alfredomagallon, sorry for my late reply.

It is because it get a date not well formatted, there is an issue on azure-rest-api-specs (https://github.com/Azure/azure-rest-api-specs/issues/21487).

For any further questions, please leave comments.

Thanks.

[ziyeqf]

Hi @alfredomagallon

A PR (#20390) has been submitted to add workaround for this, once it merged & released it will be available.

Thanks!

[github-actions[bot]]

This functionality has been released in v3.43.0 of the Terraform Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

[github-actions[bot]]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.