SQL Server

Filters

  • Standard Value Filter (see Generic Filters)
  • ARM Resource Filters (see Generic Filters)
    • Metric Filter - Filter on metrics from Azure Monitor - (see SQL Server Supported Metrics)

    • Tag Filter - Filter on tag presence and/or values

    • Marked-For-Op Filter - Filter on tag that indicates a scheduled operation for a resource

  • firewall-rules - Firewall Rules Filter

    Filter based on firewall rules. Rules can be specified as a range (x.x.x.x-y.y.y.y), a single address (x.x.x.x) or a CIDR block (x.x.x.x/y).

    • include: the list of IP ranges or CIDRs that the firewall rules must include. The list must be a subset of the rules exactly as they are defined; ranges are not combined.

    • equal: the list of IP ranges or CIDRs that the firewall rules must match exactly.

    oneOf:
    - required:
      - type
      - include
    - required:
      - type
      - any
    - required:
      - type
      - only
    - required:
      - type
      - equal
    properties:
      any:
        items:
          type: string
        type: array
      equal:
        items:
          type: string
        type: array
      include:
        items:
          type: string
        type: array
      only:
        items:
          type: string
        type: array
      type:
        enum:
        - firewall-rules
    

Actions

Example Policies

This policy will find all SQL servers with average DTU consumption under 10 percent over the last 72 hours.

policies:
  - name: sqlserver-under-utilized
    resource: azure.sqlserver
    filters:
      - type: metric
        metric: dtu_consumption_percent
        op: lt
        aggregation: average
        threshold: 10
        timeframe: 72
        filter: "ElasticPoolResourceId eq '*'"
        no_data_action: include

This policy will find all SQL servers without any firewall rules defined.

policies:
  - name: find-sqlserver-without-firewall-rules
    resource: azure.sqlserver
    filters:
      - type: firewall-rules
        equal: []

This policy will find all SQL servers allowing traffic from the 1.2.2.128/25 CIDR.

policies:
  - name: find-sqlserver-allowing-subnet
    resource: azure.sqlserver
    filters:
      - type: firewall-rules
        include: ['1.2.2.128/25']
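
The include and equal semantics described for the firewall-rules filter, modelled as an added Python example (not Cloud Custodian's own code). It assumes the three rule notations are interchangeable spellings of one start-end range; the server names and rules are constructed sample data, and the `any` and `only` keys from the schema are not modelled because the page does not describe them.

```python
import ipaddress

def parse_rule(text):
    """Return (first, last) as ints for 'a.b.c.d', 'a.b.c.d/n' or 'a.b.c.d-e.f.g.h'."""
    text = text.strip()
    if "-" in text:
        start, end = (int(ipaddress.IPv4Address(p.strip())) for p in text.split("-", 1))
        if start > end:
            raise ValueError(f"range start is after range end: {text}")
        return start, end
    net = ipaddress.IPv4Network(text)  # raises ValueError if host bits are set
    return int(net.network_address), int(net.broadcast_address)

def rule_set(rules):
    """Each rule stays a separate element; adjacent ranges are never merged."""
    return {parse_rule(r) for r in rules}

def matches(server_rules, include=None, equal=None):
    """Evaluate one firewall-rules filter (hypothetical helper) against a server."""
    have = rule_set(server_rules)
    if equal is not None:
        return have == rule_set(equal)      # exact match of the whole rule list
    if include is not None:
        return rule_set(include) <= have    # subset of the rules as defined
    raise ValueError("specify include or equal")

# Constructed sample data: server name -> firewall rules on that server.
SERVERS = {
    "sql-no-rules": [],
    "sql-subnet": ["1.2.2.128-1.2.2.255", "10.0.0.5"],
    # Same addresses as 1.2.2.128/25, but defined as two separate rules.
    "sql-split": ["1.2.2.128/26", "1.2.2.192/26"],
}

def select(servers, **filter_args):
    """Names of the servers the filter would return."""
    return sorted(n for n, rules in servers.items() if matches(rules, **filter_args))

if __name__ == "__main__":
    print(select(SERVERS, equal=[]))
    print(select(SERVERS, include=["1.2.2.128/25"]))
```

Because ranges are not combined, `sql-split` is not returned by `include: ['1.2.2.128/25']` even though its two rules cover the same addresses; an audit policy needs to list such split forms separately.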