Firewall - Update CosmosDB Rules
In this example we identify Cosmos DB accounts that either have no firewall configured or whose firewall allows access from outside the expected ranges.
We then reconfigure that firewall to known-safe defaults, which include a bypass for all of the Azure Cloud as well as additional IP space in our data center.
Virtual network rules are not specified in the policy, so they will not be modified.
```yaml
policies:
  - name: cosmos-firewall-enable
    description: |
      Find all incorrect firewalls and enable with a set of defaults
    resource: azure.cosmosdb
    filters:
      - or:
        - type: value
          key: properties.ipRangeFilter
          value: empty  # The firewall is disabled
        - not:
          - type: firewall-rules
            only:  # Should *only* allow access within the specified maximums here
              - 184.108.40.206/16
              - 220.127.116.11
              - ServiceTags.AzureCloud
    actions:
      - type: set-firewall-rules
        append: False
        bypass-rules:  # Enable firewall and allow all Azure Cloud
          - AzureCloud
          - Portal
        ip-rules:  # and some external IP space
          - 18.104.22.168/16
          - 22.214.171.124
```
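To make the filter logic concrete, here is an added Python walkthrough (not Cloud Custodian's own code) of what the policy above decides for a given account. It assumes `properties.ipRangeFilter` is the legacy comma-separated "ip,ip/cidr" string, and stands in for `ServiceTags.AzureCloud` (which Custodian resolves from Azure's published service tags at run time) with a placeholder range.

```python
import ipaddress

# The `only` maximums from the policy. strict=False normalises a host-bit
# prefix such as 184.108.40.206/16 to its network (184.108.0.0/16).
ALLOWED_RANGES = [
    ipaddress.ip_network("184.108.40.206/16", strict=False),
    ipaddress.ip_network("220.127.116.11/32"),
    # Placeholder standing in for ServiceTags.AzureCloud (constructed, not real Azure data).
    ipaddress.ip_network("203.0.113.0/24"),
]

# What `set-firewall-rules` with `append: False` writes: the existing IP rule
# list is replaced outright, not merged; VNet rules are left alone.
DESIRED_STATE = {
    "bypass-rules": ["AzureCloud", "Portal"],
    "ip-rules": ["18.104.22.168/16", "22.214.171.124"],
}


def parse_ip_range_filter(ip_range_filter):
    """Split a comma-separated ipRangeFilter into networks (assumed legacy string form).
    None or "" means no firewall at all, which is the policy's `value: empty` case."""
    if not ip_range_filter:
        return []
    return [ipaddress.ip_network(e.strip(), strict=False)
            for e in ip_range_filter.split(",") if e.strip()]


def firewall_is_compliant(ip_range_filter, allowed=ALLOWED_RANGES):
    """Mirror of the `or` block: non-compliant when the firewall is disabled, or when
    any configured entry is not wholly contained in one of the allowed ranges."""
    entries = parse_ip_range_filter(ip_range_filter)
    if not entries:
        return False
    return all(
        any(e.version == a.version and e.subnet_of(a) for a in allowed)
        for e in entries
    )


def planned_action(ip_range_filter, allowed=ALLOWED_RANGES):
    """None for accounts the filter skips; otherwise the replacement rule set."""
    if firewall_is_compliant(ip_range_filter, allowed):
        return None
    return DESIRED_STATE


if __name__ == "__main__":
    # Constructed sample values: disabled, wide open, scoped correctly.
    for sample in ["", "0.0.0.0/0", "184.108.1.1,220.127.116.11"]:
        print(repr(sample), "->", planned_action(sample))
```

Note that a single stray entry such as `0.0.0.0/0` makes the whole rule list non-compliant, and the action then overwrites every existing IP rule, so anything legitimately in use outside the `only` ranges must be added to `ip-rules` before running in non-dry-run mode.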