My task is to deploy an ARM template exported from Sentinel. It looks like this:
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6db8cd19-9b27-4bf0-84f3-2111204460b9')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6db8cd19-9b27-4bf0-84f3-2111204460b9')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "Informational rule 1",
        "description": "Rule to test ARM template deployment",
        "severity": "Medium",
        "enabled": true,
        "query": "AzureActivity\r\n| where OperationName == \"Create or Update Virtual Machine\" or OperationName ==\"Create Deployment\"\r\n| where ActivityStatus == \"Succeeded\"\r\n| make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller",
        "queryFrequency": "PT5H",
        "queryPeriod": "PT5H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "startTimeUtc": null,
        "tactics": [],
        "techniques": [],
        "alertRuleTemplateName": null,
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "reopenClosedIncident": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "groupByEntities": [],
            "groupByAlertDetails": [],
            "groupByCustomDetails": []
          }
        },
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "alertDetailsOverride": null,
        "customDetails": null,
        "entityMappings": null,
        "sentinelEntitiesMappings": null,
        "templateVersion": null
      }
    }
  ]
}
I tried using the azurerm template resource:
resource "azurerm_template_deployment" "template" {
  name                = "template-deploy"
  resource_group_name = var.resource_group_name
  template_body       = file("${path.module}/ARM_rule_templates/example_rule.json")
  deployment_mode     = "Incremental"
  parameters = jsonencode({
    "workspace" = { value = data.azurerm_log_analytics_workspace.log_analytics.name }
  })
}
Is it possible to deploy this template from Azure DevOps without adding anything to it? Do you have any ideas on how to move forward? At this point I have run out of hope. Regards, Michał
I tried deploying the exported ARM template by calling it via a file URL and was able to provision the requirement successfully.
To deploy an ARM template exported from Azure Sentinel using Azure DevOps, a few key steps and considerations are needed. The ARM template you provided is specifically for deploying an alert rule in Azure Sentinel.
The approach mentioned in the query is possible, but the resource used, i.e.
resource "azurerm_template_deployment"
is a deprecated resource and will not help in provisioning the requirement you are looking for. The resource
resource "azurerm_resource_group_template_deployment"
will help.
However, the JSON shared in the query is missing certain parameters, so we cannot achieve the requirement with it; I therefore used a demo sample JSON to show how it works.
My demo JSON file:
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "storageAccountType": {
      "type": "string",
      "defaultValue": "Standard_LRS",
      "allowedValues": [
        "Standard_LRS",
        "Standard_GRS",
        "Standard_ZRS"
      ],
      "metadata": {
        "description": "Storage Account type"
      }
    }
  },
  "variables": {
    "location": "[resourceGroup().location]",
    "storageAccountName": "[concat(uniquestring(resourceGroup().id), 'storage')]",
    "publicIPAddressName": "[concat('myPublicIp', uniquestring(resourceGroup().id))]",
    "publicIPAddressType": "Dynamic",
    "apiVersion": "2015-06-15",
    "dnsLabelPrefix": "terraform-acctest"
  },
  "resources": [
    {
      "type": "Microsoft.Storage/storageAccounts",
      "name": "[variables('storageAccountName')]",
      "apiVersion": "[variables('apiVersion')]",
      "location": "[variables('location')]",
      "properties": {
        "accountType": "[parameters('storageAccountType')]"
      }
    },
    {
      "type": "Microsoft.Network/publicIPAddresses",
      "apiVersion": "[variables('apiVersion')]",
      "name": "[variables('publicIPAddressName')]",
      "location": "[variables('location')]",
      "properties": {
        "publicIPAllocationMethod": "[variables('publicIPAddressType')]",
        "dnsSettings": {
          "domainNameLabel": "[variables('dnsLabelPrefix')]"
        }
      }
    }
  ],
  "outputs": {
    "storageAccountName": {
      "type": "string",
      "value": "[variables('storageAccountName')]"
    }
  }
}
My Terraform configuration:
provider "azurerm" {
  features {}
}

data "azurerm_client_config" "core" {}

resource "azurerm_resource_group" "example" {
  name     = "demovkr-rg" # Update this to your desired resource group name
  location = "east us"
}

resource "azurerm_log_analytics_workspace" "example" {
  name                = "demovk-workspace" # Update this to your desired workspace name
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  sku                 = "PerGB2018" # Choose an appropriate SKU
}

resource "azurerm_resource_group_template_deployment" "template" {
  name                = "template-deploy"
  resource_group_name = azurerm_resource_group.example.name
  template_content    = file("/home/bolli/demo/demo.json")
  deployment_mode     = "Incremental"
  parameters_content = jsonencode({
    "storageAccountType" = { value = "Standard_LRS" } // Example parameter, adjust as needed
  })
}
Output:
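The following is an added example, not code from either post in this thread, that applies the answer's point (use azurerm_resource_group_template_deployment, not the deprecated azurerm_template_deployment) to the asker's actual Sentinel rule template rather than to a storage-account demo. It assumes the exported template is saved unchanged at ARM_rule_templates/example_rule.json under the module, that the variables resource_group_name and workspace_name are supplied by the caller, and that Sentinel onboarding of the workspace is managed in the same configuration (drop the onboarding resource and the depends_on if the workspace is already a Sentinel workspace). All of those names are assumptions for illustration.

```hcl
# Added example (not from the original thread). Deploys the Sentinel scheduled
# alert rule template exported in the question with the supported resource.

variable "resource_group_name" {
  type = string
}

variable "workspace_name" {
  type = string
}

# Look up the existing Log Analytics workspace; the exported template's only
# parameter is the workspace *name*, not its resource id.
data "azurerm_log_analytics_workspace" "log_analytics" {
  name                = var.workspace_name
  resource_group_name = var.resource_group_name
}

# Alert rules can only be created on a workspace that has Sentinel enabled.
# Assumption: onboarding is managed here; omit if Sentinel is already enabled.
resource "azurerm_sentinel_log_analytics_workspace_onboarding" "sentinel" {
  workspace_id = data.azurerm_log_analytics_workspace.log_analytics.id
}

resource "azurerm_resource_group_template_deployment" "sentinel_rule" {
  name                = "sentinel-rule-deploy"
  resource_group_name = var.resource_group_name
  deployment_mode     = "Incremental"

  # The exported template is used verbatim; nothing needs to be added to it.
  template_content = file("${path.module}/ARM_rule_templates/example_rule.json")

  # ARM parameter values must be wrapped as {"value": ...}; the provider expects
  # the parameters as a JSON document, hence jsonencode.
  parameters_content = jsonencode({
    workspace = {
      value = data.azurerm_log_analytics_workspace.log_analytics.name
    }
  })

  depends_on = [azurerm_sentinel_log_analytics_workspace_onboarding.sentinel]
}
```

Because the rule's resource name in the template carries a fixed GUID (6db8cd19-...), re-running this deployment in Incremental mode updates the same rule in place instead of creating duplicates, which is what makes it safe to run from an Azure DevOps pipeline on every commit. The identity the pipeline uses (service connection or service principal) needs rights to write Sentinel alert rules on the workspace, for example the Microsoft Sentinel Contributor role scoped to the resource group; Contributor on the whole subscription is more than this deployment needs.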