
azurerm_sentinel_alert_rule_scheduled allows too few entity_mapping blocks #27722

Open
1 task done
Vilsepi opened this issue Oct 22, 2024 · 1 comment · May be fixed by #28195

Comments

@Vilsepi

Vilsepi commented Oct 22, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave comments along the lines of "+1", "me too" or "any updates", they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.7.5

AzureRM Provider Version

4.6.0

Affected Resource(s)/Data Source(s)

azurerm_sentinel_alert_rule_scheduled

Terraform Configuration Files

resource "azurerm_resource_group" "this" {
  name     = "rg-test"
  location = "North Europe"
}

resource "azurerm_log_analytics_workspace" "this" {
  name                = "test"
  resource_group_name = azurerm_resource_group.this.name
  location            = azurerm_resource_group.this.location
  sku                 = "PerGB2018"
}

resource "azurerm_sentinel_log_analytics_workspace_onboarding" "this" {
  depends_on   = [azurerm_log_analytics_workspace.this]
  workspace_id = azurerm_log_analytics_workspace.this.id
}

resource "azurerm_sentinel_alert_rule_scheduled" "test" {
  log_analytics_workspace_id = azurerm_log_analytics_workspace.this.id

  name         = "azurerm entity_mapping test"
  display_name = "azurerm entity_mapping test"
  query        = "CommonSecurityLog"
  severity     = "Informational"

  entity_mapping {
    entity_type = "Account"
    field_mapping {
      identifier  = "FullName"
      column_name = "TimeGenerated"
    }
  }

  entity_mapping {
    entity_type = "Account"
    field_mapping {
      identifier  = "Sid"
      column_name = "TimeGenerated"
    }
  }

  entity_mapping {
    entity_type = "Account"
    field_mapping {
      identifier  = "Name"
      column_name = "TimeGenerated"
    }
  }

  entity_mapping {
    entity_type = "Account"
    field_mapping {
      identifier  = "AadUserId"
      column_name = "TimeGenerated"
    }
  }

  entity_mapping {
    entity_type = "Account"
    field_mapping {
      identifier  = "PUID"
      column_name = "TimeGenerated"
    }
  }

  entity_mapping {
    entity_type = "Account"
    field_mapping {
      identifier  = "ObjectGuid"
      column_name = "TimeGenerated"
    }
  }

}

Debug Output/Panic Output

│ Error: Too many entity_mapping blocks
│ No more than 5 "entity_mapping" blocks are allowed

Expected Behaviour

Terraform should allow up to 10 entity_mapping blocks. According to Microsoft, "you can define up to ten entity mappings in a single analytics rule", and that can be done successfully for example via the Azure Web UI.

https://learn.microsoft.com/en-us/azure/sentinel/map-data-fields-to-entities?tabs=azure

Actual Behaviour

When adding more than 5 entity_mapping blocks, Terraform fails to create the resource and throws an error.

Steps to Reproduce

  1. terraform validate

Important Factoids

No response

References

No response
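To tell whether a configuration is hitting the provider's schema cap or the documented Sentinel limit before running terraform validate, here is an added Python check (not code from this issue or from the azurerm provider): it counts entity_mapping blocks directly inside each azurerm_sentinel_alert_rule_scheduled resource with a minimal brace scanner, assumes no braces inside HCL string literals, and uses a constructed copy of the reproducer above as sample input.

```python
import re

# Limits as stated on this issue: the azurerm 4.6.0 error says "No more than 5",
# the linked Microsoft doc says up to ten entity mappings per analytics rule.
PROVIDER_MAX_ENTITY_MAPPINGS = 5
SENTINEL_MAX_ENTITY_MAPPINGS = 10

RESOURCE_RE = re.compile(
    r'resource\s+"azurerm_sentinel_alert_rule_scheduled"\s+"([^"]+)"\s*\{')
ENTITY_MAPPING_RE = re.compile(r'\bentity_mapping\s*\{')


def _block_body(text, open_brace):
    """Return the text between text[open_brace] == '{' and its matching '}'.
    Assumes no braces inside string literals (true for the config on this page)."""
    depth = 0
    for i in range(open_brace, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_brace + 1:i]
    raise ValueError("unbalanced braces in HCL input")


def count_entity_mappings(hcl):
    """Map each scheduled alert rule resource name to the number of entity_mapping
    blocks directly inside it (blocks nested deeper are ignored)."""
    counts = {}
    for res in RESOURCE_RE.finditer(hcl):
        body = _block_body(hcl, res.end() - 1)
        n = 0
        for em in ENTITY_MAPPING_RE.finditer(body):
            before = body[:em.start()]
            if before.count("{") == before.count("}"):  # top level of the resource body
                n += 1
        counts[res.group(1)] = n
    return counts


def classify(count):
    """Say which limit, if any, a given number of entity_mapping blocks exceeds."""
    if count > SENTINEL_MAX_ENTITY_MAPPINGS:
        return "exceeds Sentinel service limit"
    if count > PROVIDER_MAX_ENTITY_MAPPINGS:
        return "valid for Sentinel, rejected by azurerm 4.6.0 schema"
    return "ok"


# Constructed sample: the reproducer from this issue, six Account mappings.
SAMPLE_HCL = 'resource "azurerm_sentinel_alert_rule_scheduled" "test" {\n' + "".join(
    f'  entity_mapping {{\n    entity_type = "Account"\n    field_mapping {{\n'
    f'      identifier  = "{ident}"\n      column_name = "TimeGenerated"\n    }}\n  }}\n'
    for ident in ["FullName", "Sid", "Name", "AadUserId", "PUID", "ObjectGuid"]) + "}\n"
```

Running count_entity_mappings(SAMPLE_HCL) reports 6 for the "test" rule, which classify() labels as valid for Sentinel but rejected by the 4.6.0 schema.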

@ziyeqf
Contributor

ziyeqf commented Oct 31, 2024

Hi @Vilsepi, thanks for reporting.

Just submitted a PR (#27832) for this; you can subscribe to it to keep track.

@ziyeqf ziyeqf linked a pull request Dec 6, 2024 that will close this issue