Is there a way to change the Playbook Settings in Microsoft Sentinel through Terraform

Question

I have a Microsoft Sentinel solution that I deployed using Terraform. I want to deploy an automation rule again using Terraform but it requires the Sentinel Solution to have the Playbook permissions configured to deploy the automation rule. Is there any way that I can do that part also in my Terraform script?

Current Terraform code for the log_analytics_solution is as follows;

resource "azurerm_log_analytics_solution" "log_analytics_solution_sentinel" {
  solution_name         = "SecurityInsights"
  location              = var.location
  resource_group_name   = module.resource-group.resource_group_name
  workspace_resource_id = module.log_analytics_workspace.log_analytics_workspace_id
  workspace_name        = module.log_analytics_workspace.log_analytics_workspace_name
  plan {
    publisher = "Microsoft"
    product   = "OMSGallery/SecurityInsights"
  }
  depends_on = [module.log_analytics_workspace]
  tags       = local.default_tags
}

variables and other modules are in the complete TF file, just pasted the log_analytics_solution part here.

This is the setting I want to add in the TF code.

Answer 1

Check the following code :

 terraform {
      backend "azurerm" {
        resource_group_name  = "XXX"
        storage_account_name = "remotestatekavstr231"
        container_name       = "terraform"
        key                  = "terraform.tfstate"
      }
    }
    

resource "azurerm_log_analytics_workspace" "rgcore-management-la" {
  name                = "la-example-utv-weu"
 location                    = data.azurerm_resource_group.example.location
  resource_group_name         = data.azurerm_resource_group.example.name
  sku                 = "PerGB2018"
  retention_in_days   = 90
}


resource "azurerm_log_analytics_solution" "log_analytics_solution_sentinel" {
  solution_name         = "SecurityInsights"
 location                    = data.azurerm_resource_group.example.location
  resource_group_name         = data.azurerm_resource_group.example.name
  workspace_resource_id = azurerm_log_analytics_workspace.rgcore-management-la.id
  workspace_name        = azurerm_log_analytics_workspace.rgcore-management-la.name
  plan {
    publisher = "Microsoft"
    product   = "OMSGallery/SecurityInsights"
  }
  depends_on = [azurerm_log_analytics_workspace.rgcore-management-la]

}




resource "azurerm_sentinel_alert_rule_ms_security_incident" "example" {
name = "examplesentinelaler"
log_analytics_workspace_id = azurerm_log_analytics_workspace.rgcore-management-la.id
product_filter = "Microsoft Cloud App Security"
display_name = "example rule"
severity_filter = ["High"]
}

resource "azurerm_sentinel_alert_rule_scheduled" "example" {
name = "examplekaalertrule"
log_analytics_workspace_id = azurerm_log_analytics_workspace.rgcore-management-la.id
display_name = "examplesentielrule"
severity = "High"
query = <<QUERY
AzureActivity |
where OperationName == "Create or Update Virtual Machine" or OperationName =="Create Deployment" |
where ActivityStatus == "Succeeded" |
make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller
QUERY
}

resource "azurerm_sentinel_automation_rule" "example" {
  name                       = "56094f72-ac3f-40e7-a0c0-47bd95f70336"
  log_analytics_workspace_id = azurerm_log_analytics_workspace.rgcore-management-la.id
  display_name               = "automation_rule1"
  order                      = 1
  action_incident {
    order  = 1
    status = "Active"
  }
}

You need to have Microsoft Sentinel Automation Contributor role assigned to the resource where the sentinal workspace is goint to be created

resource "azurerm_role_assignment" "sentinel_contributor" {
  scope              = "/subscriptions/8xxx8-xxxaa16/resourceGroups/xxx"
 // role_definition_id = azurerm_role_definition.sentinel_contributor.id
 // role_definition_name = "Azure Sentinel Contributor"
  principal_id       =  "3367a746-xxx18686"#this is azure security insights app objectId or you can use current user/servicepincipal data.azurerm_client_config.current.object_id
}

}

In the above principal_id "3367a746-xxx18686" is azure security insights app objectId or you can use current user/servicepincipal data.azurerm_client_config.current.object_id.

Or else custom role can be created using

resource "azurerm_role_definition" "sentinel_contributor" {
  name        = "Azure Sentinel Contributor"
  description = "Can manage Azure Sentinel resources."
  permissions {
    actions = [
      "Microsoft.Devices/IotHubs/read",
      "Microsoft.Devices/IotHubs/devices/read",
      "Microsoft.Devices/IotHubs/devices/write",
      "Microsoft.Devices/DeviceProvisioningServices/enrollments/write",
      "Microsoft.Devices/OperationsMonitoring/read",
      "Microsoft.Insights/alertRules/*",
      "Microsoft.Insights/diagnosticSettings/*",
      "Microsoft.SecurityInsights/*"
    ]
    not_actions = []
  }
  assignable_scopes = [
    "/subscriptions/${var.subscription_id}"
  ]
}




 resource "azurerm_role_assignment" "sentinel_contributor" {
      scope              = "/subscriptions/${var.subscription_id}/resourceGroups/${var.resource_group_name}"
      role_definition_id = azurerm_role_definition.sentinel_contributor.id
      principal_id       = var.principal_id
    }

Assign these roles to the resource group or security insights that contains the Microsoft Sentinel workspace

Automation rule can be created .