feat: prep for sentinel onboarding API, fixes for AMA permissions

locals.management.tf

@@ -66,3 +66,11 @@ locals {
     if resource.managed_by_module
   }
 }
+
+locals {
+  azapi_sentinel_onboarding = {
+    for resource in module.management_resources.configuration.azapi_sentinel_onboarding :
+    resource.resource_id => resource
+    if resource.managed_by_module
+  }
+}

locals.role_assignments.tf

@@ -44,4 +44,5 @@ locals {
 
 locals {
   connectivity_mg_exists = length([for k, v in local.es_landing_zones_map : v if(v.id == "${var.root_id}-connectivity")]) > 0
-}
+  platform_mg_exists     = length([for k, v in local.es_landing_zones_map : v if(v.id == "${var.root_id}-platform")]) > 0
+}

modules/management/locals.tf

@@ -54,10 +54,10 @@ locals {
   deploy_log_analytics_linked_service = local.deploy_monitoring_resources && local.link_log_analytics_to_automation_account
   deploy_automation_account           = local.deploy_monitoring_resources && local.existing_automation_account_resource_id == local.empty_string
   deploy_azure_monitor_solutions = {
-    SecurityInsights  = local.deploy_monitoring_resources && local.settings.log_analytics.config.enable_sentinel
     ChangeTracking    = local.deploy_monitoring_resources && local.settings.log_analytics.config.enable_change_tracking
     VMInsights        = local.deploy_monitoring_resources && local.settings.log_analytics.config.enable_solution_for_vm_insights
     ContainerInsights = local.deploy_monitoring_resources && local.settings.log_analytics.config.enable_solution_for_container_insights
+    SecurityInsights  = local.deploy_monitoring_resources && local.settings.log_analytics.config.enable_sentinel
   }
   deploy_security_settings                              = local.settings.security_center.enabled
   deploy_defender_for_app_services                      = local.settings.security_center.config.enable_defender_for_app_services
@@ -93,7 +93,6 @@ locals {
   }
 }
 
-
 # Configuration settings for resource type:
 #  - azurerm_log_analytics_workspace
 locals {
@@ -679,6 +678,21 @@ locals {
   }
 }
 
+# Sentinel onboarding
+locals {
+  azapi_sentinel_onboarding_resource_id = "${local.log_analytics_workspace_resource_id}/Microsoft.SecurityInsights/onboardingStates/default"
+  azapi_sentinel_onboarding = {
+    type = "Microsoft.SecurityInsights/onboardingStates@2024-03-01"
+    body = {
+      properties = {
+        customerManagedKey = try(local.settings.log_analytics.config.sentinel_customer_managed_key_enabled, false)
+      }
+    }
+    name      = "default"
+    parent_id = local.log_analytics_workspace_resource_id
+  }
+}
+
 # Template file variable outputs
 locals {
   template_file_variables = {
@@ -802,6 +816,18 @@ locals {
         managed_by_module = local.deploy_mdfc_defender_for_sql_dcr
       }
     ]
+    azapi_sentinel_onboarding = [
+      {
+        resource_id   = local.azapi_sentinel_onboarding_resource_id
+        resource_name = basename(local.azapi_sentinel_onboarding_resource_id)
+        template = {
+          for key, value in local.azapi_sentinel_onboarding :
+          key => value
+          if local.deploy_azure_monitor_solutions.SecurityInsights
+        }
+        managed_by_module = local.deploy_azure_monitor_solutions.SecurityInsights
+      }
+    ]
     archetype_config_overrides = local.archetype_config_overrides
     template_file_variables    = local.template_file_variables
   }

modules/management/variables.tf

@@ -60,6 +60,7 @@ variable "settings" {
         enable_change_tracking                 = optional(bool, true)
         enable_solution_for_vm_insights        = optional(bool, true)
         enable_solution_for_container_insights = optional(bool, true)
+        sentinel_customer_managed_key_enabled  = optional(bool, false)
       }), {})
     }), {})
     security_center = optional(object({

resources.management.tf

@@ -167,3 +167,20 @@ resource "azapi_resource" "data_collection_rule" {
 
   depends_on = [azurerm_log_analytics_workspace.management]
 }
+
+# Delaying until next major release as this will be a breaking change requiring state manipulation
+# as the old LA solution will have to be removed from state, but we cannot use the removed block as
+# it does not support interpolation for map keys.
+#
+# resource "azapi_resource" "sentinel_onboarding" {
+#   for_each  = local.azapi_sentinel_onboarding
+#   name      = each.value.template.name
+#   parent_id = each.value.template.parent_id
+#   type      = each.value.template.type
+#   body      = each.value.template.body
+
+#   depends_on = [
+#     azurerm_log_analytics_workspace.management,
+#     azurerm_log_analytics_solution.management,
+#   ]
+# }

resources.role_assignments.tf

@@ -55,7 +55,7 @@ module "role_assignments_for_policy" {
 
 # The data source will retrieve the principalId of a user msi
 # used for the policy assignment
-# 
+#
 data "azapi_resource" "user_msi" {
   for_each = {
     for ik, iv in local.es_role_assignments_by_policy_assignment : ik => iv
@@ -114,4 +114,32 @@ resource "azurerm_role_assignment" "private_dns_zone_contributor_connectivity" {
     time_sleep.after_azurerm_policy_assignment,
     azurerm_role_assignment.policy_assignment,
   ]
-}
+}
+
+resource "azurerm_role_assignment" "ama_reader" {
+  for_each             = local.platform_mg_exists ? { for k, v in azurerm_management_group_policy_assignment.enterprise_scale : k => v if endswith(k, "Deploy-VM-Monitoring") } : {}
+  role_definition_name = "Reader"
+  scope                = "/providers/Microsoft.Management/managementGroups/${var.root_id}-platform"
+  principal_id         = each.value.identity[0].principal_id
+  depends_on = [
+    time_sleep.after_azurerm_management_group,
+    time_sleep.after_azurerm_policy_definition,
+    time_sleep.after_azurerm_policy_set_definition,
+    time_sleep.after_azurerm_policy_assignment,
+    azurerm_role_assignment.policy_assignment,
+  ]
+}
+
+resource "azurerm_role_assignment" "ama_managed_identity_operator" {
+  for_each             = local.platform_mg_exists ? { for k, v in azurerm_management_group_policy_assignment.enterprise_scale : k => v if endswith(k, "Deploy-VM-Monitoring") } : {}
+  role_definition_name = "Managed Identity Operator"
+  scope                = "/providers/Microsoft.Management/managementGroups/${var.root_id}-platform"
+  principal_id         = each.value.identity[0].principal_id
+  depends_on = [
+    time_sleep.after_azurerm_management_group,
+    time_sleep.after_azurerm_policy_definition,
+    time_sleep.after_azurerm_policy_set_definition,
+    time_sleep.after_azurerm_policy_assignment,
+    azurerm_role_assignment.policy_assignment,
+  ]
+}

variables.tf

@@ -92,6 +92,7 @@ variable "configure_management_resources" {
           enable_change_tracking                 = optional(bool, true)
           enable_solution_for_vm_insights        = optional(bool, true)
           enable_solution_for_container_insights = optional(bool, true)
+          sentinel_customer_managed_key_enabled  = optional(bool, false) # not used at this time
         }), {})
       }), {})
       security_center = optional(object({