hashicorp / terraform-provider-azurerm

Terraform provider for Azure Resource Manager
https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs
Mozilla Public License 2.0

azurerm_security_center_subscription_pricing auto-enables OnUploadMalwareScanning extension with DefenderForStorageV2 subplan #27338

Open PeterBennink opened 2 months ago

PeterBennink commented 2 months ago

Terraform Version

1.5.7

AzureRM Provider Version

3.114.0

Affected Resource(s)/Data Source(s)

azurerm_security_center_subscription_pricing

Terraform Configuration Files

resource "azurerm_security_center_subscription_pricing" "ms_defender" {
  tier          = "Standard"
  resource_type = "StorageAccounts"
  subplan       = "DefenderForStorageV2"

  extension {
    name = "SensitiveDataDiscovery"
  }
}

Debug Output/Panic Output

n/a, the apply succeeds

Expected Behaviour

I would expect my subscription to be set to the new Defender for Storage plan, with SensitiveDataDiscovery enabled

Actual Behaviour

My subscription gets set to the new Defender for Storage plan, with SensitiveDataDiscovery and OnUploadMalwareScanning enabled. I don't want to use this feature, but I don't really have a way to disable it, because I can't explicitly disable it in Terraform; if I add it as an extension block it will also get enabled, and at that point I can only tweak CapGBPerMonthPerStorageAccount.

Steps to Reproduce

Nothing to add to above information.

Important Factoids

No response

References

https://registry.terraform.io/providers/hashicorp/azurerm/3.114.0/docs/resources/security_center_subscription_pricing

neil-yechenwei commented 1 month ago

Thanks for raising this issue. TF doesn't set OnUploadMalwareScanning in the request payload. It seems the service API automatically sets it when creating this kind of security center subscription pricing. I suggest filing an Azure Support Ticket for this issue.

phil-holden commented 1 month ago

@neil-yechenwei, is this the API call you're referring to? https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-storage-rest-api-enablement?tabs=enable-subscription

If yes, the request payload needs to explicitly set the extension's enabled property to False; otherwise the API will enable the extension.

{
  "properties": {
    "pricingTier": "Standard",
    "subPlan": "DefenderForStorageV2",
    "extensions": [
      {
        "name": "OnUploadMalwareScanning",
        "isEnabled": "False"
      }
    ]
  }
}

I agree this seems to be an issue with the defaults set by the Azure API, but is there something that could be done at the provider level to allow the enabled flag to be set on extensions?

phil-holden commented 1 month ago

To follow up with the response from Microsoft...

=====
Would like to clarify that if no extensions are specified in your API request, both the OnUploadMalwareScanning and SensitiveDataDiscovery extensions are enabled by default. This is designed to ensure that key security features are active unless explicitly disabled.

To disable these extensions, you need to include them in your API request with isEnabled set to False.
=====

PeterBennink commented 1 month ago

So to summarise the possible ways of solving this: either the API endpoint needs to be changed so that these extensions don't get enabled by default (opt-in vs opt-out, effectively), or the API call Terraform makes needs to include these two extensions with isEnabled set to false by default. Unless I'm mistaken, at least, I don't think this can be changed by just changing the Terraform resource as I defined it in the original issue.

It doesn't seem like Microsoft has any intention of changing the API endpoint; their message indicates that this was done by design. So can the TF provider then be changed so it adds these extensions (with isEnabled=false) to the request by default?
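As an added example (not provider code and not from anyone in this thread), here is a Go sketch of the request-building approach proposed above: every extension the service turns on by default is sent explicitly with isEnabled "False" unless the configuration asked for it, so the subscription ends up with exactly the extensions declared. The extension names and the "True"/"False" string values come from the thread and the linked API docs; the Go type and function names are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Extensions the service enables by default for DefenderForStorageV2 when the
// request omits them (per the Microsoft reply quoted in this issue).
var defaultOnExtensions = []string{"OnUploadMalwareScanning", "SensitiveDataDiscovery"}

type extension struct {
	Name      string `json:"name"`
	IsEnabled string `json:"isEnabled"` // the API takes the strings "True"/"False"
}
type pricingProperties struct {
	PricingTier string      `json:"pricingTier"`
	SubPlan     string      `json:"subPlan"`
	Extensions  []extension `json:"extensions"`
}
type pricingRequest struct {
	Properties pricingProperties `json:"properties"`
}

// BuildPricingRequest (hypothetical name) returns the PUT body for a pricing
// call; default-on extensions the caller did not request are sent as "False".
func BuildPricingRequest(tier, subPlan string, wanted []string) pricingRequest {
	state := map[string]string{}
	for _, d := range defaultOnExtensions {
		state[d] = "False" // explicit opt-out unless the config asks for it
	}
	for _, w := range wanted {
		state[w] = "True" // also deduplicates repeated names
	}
	names := make([]string, 0, len(state))
	for n := range state {
		names = append(names, n)
	}
	sort.Strings(names) // deterministic order keeps plans and diffs stable
	exts := make([]extension, 0, len(names))
	for _, n := range names {
		exts = append(exts, extension{Name: n, IsEnabled: state[n]})
	}
	return pricingRequest{Properties: pricingProperties{PricingTier: tier, SubPlan: subPlan, Extensions: exts}}
}

func main() {
	body, _ := json.MarshalIndent(BuildPricingRequest("Standard", "DefenderForStorageV2", []string{"SensitiveDataDiscovery"}), "", "  ")
	fmt.Println(string(body))
}
```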