Azure Defender for Data Services settings are not supported on resources of type flexibleServers

[TBeijen]

Is there an existing issue for this?

• I have searched the existing issues

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave comments along the lines of "+1", "me too" or "any updates", they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment and review the contribution guide to help.

Terraform Version

1.5.7

AzureRM Provider Version

3.110.0

Affected Resource(s)/Data Source(s)

azurerm_advanced_threat_protection

Terraform Configuration Files

resource "azurerm_postgresql_flexible_server" "flexible" {
# ...
}

resource "azurerm_advanced_threat_protection" "flexible" {
  target_resource_id = azurerm_postgresql_flexible_server.flexible.id
  enabled            = true
}

Debug Output/Panic Output

Error: checking for presence of existing Advanced Threat Protection for "/subscriptions/NNN-MMM/resourceGroups/rg-tibo-misc/providers/Microsoft.DBforPostgreSQL/flexibleServers/psql-sb-poc-0001": security.AdvancedThreatProtectionClient#Get: Failure responding to request: StatusCode=400 -- Original Error: autorest/azure: Service returned an error. Status=400 Code="Not Supported" Message="Azure Defender for Data Services settings are not supported on resources of type flexibleServers"

Expected Behaviour

Advanced threat protection being enabled on postgres flexible, similar as can be done using azure CLI.

This resource, and its documentation, seems generic enough to support various resource types when attempting to enable Defender. Also it uses the same vocabulary ("advanced threat protection") as does the CLI, which works without a problem.

Azure CLI example:

# setting
az postgres flexible-server advanced-threat-protection-setting update --state=Enabled --ids "/subscriptions/NNN-MMM/resourceGroups/rg-tibo-misc/providers/Microsoft.DBforPostgreSQL/flexibleServers/psql-sb-poc-0001"

# reading
az postgres flexible-server advanced-threat-protection-setting show --ids "/subscriptions/NNN-MMM/resourceGroups/rg-tibo-misc/providers/Microsoft.DBforPostgreSQL/flexibleServers/psql-sb-poc-0001"

Actual Behaviour

Error. Probably because of provider using incorrect API endpoint.

Comparing provider debug logs and azure CLI debug logs, a difference can be observed:

# Provider. Gives 400
GET //subscriptions/NNN-MMM/resourceGroups/rg-tibo-misc/providers/Microsoft.DBforPostgreSQL/flexibleServers/psql-sb-poc-0001/providers/Microsoft.Security/advancedThreatProtectionSettings/current?api-version=2019-01-01

# CLI. Gives 200
GET /subscriptions/NNN-MMM/resourceGroups/rg-tibo-misc/providers/Microsoft.DBforPostgreSQL/flexibleServers/psql-sb-poc-0001/advancedThreatProtectionSettings/Default?api-version=2023-12-01-preview

Steps to Reproduce

terraform apply

Important Factoids

No response

References

• Atp settings are not supported on resources of type servers (PostgreSQL) #6610
• Advanced threat protection cannot be set for SQLServer (Not Supported) #13902
• Azure Defender for Data Services settings are not supported on resources of type vaults  #18683

Urls seem to be constructed in this file:

terraform-provider-azurerm/internal/services/securitycenter/parse/advanced_threat_protection.go

Line 29 in 24c0009

fmtString := "%s/providers/Microsoft.Security/advancedThreatProtectionSettings/%s"