New resource: azurerm_sentinel_watchlist
#14258
Merged
This PR adds a new resource azurerm_sentinel_watchlist.
Currently, this is only an empty watchlist. If users want to add watchlist items into it, they need to use other approaches outside of Terraform. While we can add support for this, I didn't figure out a very good way to do so.
My first attempt to do so is to add a raw_content to this resource, which allows users to specify the content of a CSV file, where each line represents an item. This won't work because the API behavior related to the rawContent is monotonous. This means you can only add new items to the list, but can't remove them. For example, if you send a PUT request on the watchlist with rawContent set to (item1), and later you change it to be (item2) and send a PUT again, it ends up with both (item1) and (item2).
Another way we can proceed to add support for the items is to create a new resource: azurerm_sentinel_watchlist_item, where each instance represents an item. There is an item-related API, which means it should work. However, from the UX point of view, this asks users to name each item with a UUID, which brings unnecessary burdens. Also, a typical usage of the watchlist is to update the items in batch, which makes such kind of granularity not make sense.
Due to the above situation, this PR only allows users to create an empty watchlist.
Test
Reference
https://docs.microsoft.com/en-us/azure/sentinel/watchlists
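
The append-only PUT behaviour described in the PR body, as an added Go sketch that is not code from this PR or from the provider. Watchlist, NewWatchlist, PutRawContent, DeleteItem and Drift are hypothetical names for an in-memory model (items keyed by content rather than by UUID), not Azure SDK calls. It shows why a raw_content argument leaves stale entries behind until they are deleted one by one.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Watchlist is a hypothetical in-memory model of the service, keyed by item content.
type Watchlist struct{ items map[string]bool }

func NewWatchlist() *Watchlist { return &Watchlist{items: map[string]bool{}} }

// PutRawContent models the PUT described in the PR: lines are added, never removed.
func (w *Watchlist) PutRawContent(raw string) {
	for _, l := range strings.Split(raw, "\n") {
		if l = strings.TrimSpace(l); l != "" {
			w.items[l] = true
		}
	}
}

// DeleteItem models the per-item API the PR mentions.
func (w *Watchlist) DeleteItem(it string) { delete(w.items, it) }

// Drift lists, sorted, the remote items that the desired content no longer contains.
func Drift(w *Watchlist, desired string) []string {
	want := NewWatchlist()
	want.PutRawContent(desired)
	stale := []string{}
	for it := range w.items {
		if !want.items[it] {
			stale = append(stale, it)
		}
	}
	sort.Strings(stale)
	return stale
}

func main() {
	w := NewWatchlist()
	w.PutRawContent("item1")
	w.PutRawContent("item2") // configuration changed from item1 to item2
	fmt.Println("stale after second PUT:", Drift(w, "item2"))
	for _, it := range Drift(w, "item2") {
		w.DeleteItem(it) // converging needs explicit per-item deletes
	}
	fmt.Println("stale after deletes:", Drift(w, "item2"))
}
```

For a watchlist that a detection rule consults as an allowlist, the stale entry reported by Drift is one that keeps matching after it was removed from the configuration.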