azure.cosmosdb

CosmosDB Account Resource

example:

This policy will find all CosmosDB accounts with 1000 or fewer total requests over the last 72 hours.

policies:
  - name: cosmosdb-inactive
    resource: azure.cosmosdb
    filters:
      - type: metric
        metric: TotalRequests
        op: le
        aggregation: total
        threshold: 1000
        timeframe: 72

Filters

advisor-recommendation

Filter resources by Azure Advisor Recommendations

Select all categories with 'all'.

example:

policies:
  - name: disks-with-cost-recommendations
    resource: azure.disk
    filters:
      - type: advisor-recommendation
        category: Cost
        key: '[].properties.recommendationTypeId'
        op: contains
        value: '48eda464-1485-4dcf-a674-d0905df5054a'
properties:
  category:
    type: string
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - advisor-recommendation
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- category
- type

firewall-bypass

Filters resources by the firewall bypass rules.

example:

This policy will find all CosmosDB accounts that have both the AzureCloud and Portal firewall bypass rules enabled.

policies:
  - name: cosmosdb-bypass
    resource: azure.cosmosdb
    filters:
      - type: firewall-bypass
        mode: equal
        list:
            - AzureCloud
            - Portal
properties:
  list:
    items:
      enum:
      - AzureCloud
      - Portal
    type: array
  mode:
    enum:
    - include
    - equal
    - any
    - only
  type:
    enum:
    - firewall-bypass
required:
- mode
- list
- type

Actions

set-firewall-rules

Set Firewall Rules Action

Updates CosmosDB Firewall settings. Learn about the firewall at: https://docs.microsoft.com/en-us/azure/cosmos-db/firewall-support

By default the firewall rules are appended with the new values. The append: False flag can be used to replace the old rules with the new ones on the resource.

You may also reference azure public cloud Service Tags by name in place of an IP address. Use ServiceTags. followed by the name of any group from https://www.microsoft.com/en-us/download/details.aspx?id=56519.

Note that there are firewall rule number limits. The limit for CosmosDB is 1000 rules (maximum tested rule count).

- type: set-firewall-rules
  ip-rules:
    - 11.12.13.0/16
    - ServiceTags.AppService.CentralUS
example:

Find CosmosDB accounts without any firewall rules.

Enable the firewall and allow:

- All Azure Cloud IP space
- All Portal UI IP space
- Two additional external IP ranges

append: True (default) ensures we only add to the existing configuration.

policies:
  - name: cosmos-firewall
    resource: azure.cosmosdb
    filters:
      # The firewall is disabled
      - type: value
        key: properties.ipRangeFilter
        value: empty
    actions:
      - type: set-firewall-rules
        append: True
        bypass-rules:
          - AzureCloud
          - Portal
        ip-rules:
          - 19.0.0.0/16
          - 20.0.1.2

Cosmos firewalls are disabled by simply configuring them with empty values. We can do this by passing an empty array with append: False.

policies:
  - name: cosmos-firewall-clear
    resource: azure.cosmosdb
    filters:
      # The firewall is enabled
      - not:
        - type: value
          key: properties.ipRangeFilter
          value: empty
    actions:
      - type: set-firewall-rules
        append: False
        ip-rules: []
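The following is an added example, not Cloud Custodian's own implementation: it models the documented ip-rules semantics of set-firewall-rules (append versus replace, an empty list with append: False disabling the firewall, ServiceTags.<name> entries resolved to address prefixes, and the 1000-rule CosmosDB limit). The service tag data is a constructed stand-in with the same shape as the Azure Service Tags JSON download linked above; the function and constant names are this example's own.

```python
import ipaddress
import json

# Constructed stand-in for the Azure Service Tags download referenced above
# (same shape: a "values" list of {name, properties.addressPrefixes}).
SERVICE_TAGS_JSON = json.dumps({"values": [
    {"name": "AppService.CentralUS",
     "properties": {"addressPrefixes": ["13.89.16.0/24", "40.77.96.0/27"]}},
    {"name": "AzureCloud",
     "properties": {"addressPrefixes": ["10.0.0.0/8"]}},
]})

COSMOSDB_RULE_LIMIT = 1000  # rule limit stated in the documentation above


def resolve_rule(rule, service_tags):
    """Expand a 'ServiceTags.<name>' entry into its prefixes; validate plain IP rules."""
    if rule.startswith("ServiceTags."):
        name = rule[len("ServiceTags."):]
        if name not in service_tags:
            raise ValueError(f"unknown service tag: {name}")
        return list(service_tags[name])
    # Reject malformed entries early; strict=False accepts prefixes like 11.12.13.0/16
    ipaddress.ip_network(rule, strict=False)
    return [rule]


def compute_ip_rules(existing, new_rules, append=True,
                     service_tags_json=SERVICE_TAGS_JSON):
    """Return the ip-rules a set-firewall-rules action would leave on the account.

    append=True keeps the existing rules and adds the new ones; append=False
    replaces them, so append=False with [] yields an empty list (firewall off).
    Service tags are resolved, duplicates dropped and the rule limit enforced.
    """
    doc = json.loads(service_tags_json)
    tags = {v["name"]: v["properties"]["addressPrefixes"] for v in doc["values"]}
    result = list(existing) if append else []
    for rule in new_rules:
        for prefix in resolve_rule(rule, tags):
            if prefix not in result:
                result.append(prefix)
    if len(result) > COSMOSDB_RULE_LIMIT:
        raise ValueError(
            f"{len(result)} rules exceeds the CosmosDB limit of {COSMOSDB_RULE_LIMIT}")
    return result
```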
properties:
  append:
    default: true
    type: boolean
  bypass-rules:
    items:
      enum:
      - Portal
      - AzureCloud
    type: array
  ip-rules:
    items:
      type: string
    type: array
  type:
    enum:
    - set-firewall-rules
  virtual-network-rules:
    items:
      type: string
    type: array
required:
- type