azure.cosmosdb

CosmosDB Account Resource

example:

This policy will find all CosmosDB with 1000 or less total requests over the last 72 hours

policies:
  - name: cosmosdb-inactive
    resource: azure.cosmosdb
    filters:
      - type: metric
        metric: TotalRequests
        op: le
        aggregation: total
        threshold: 1000
        timeframe: 72

Filters

advisor-recommendation

Filter resources by Azure Advisor Recommendations

Select all categories with ‘all’

example:

policies:
  - name: disks-with-cost-recommendations
    resource: azure.disk
    filters:
      - type: advisor-recommendation
        category: Cost
        key: '[].properties.recommendationTypeId'
        op: contains
        value: '48eda464-1485-4dcf-a674-d0905df5054a'
properties:
  category:
    type: string
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  type:
    enum:
    - advisor-recommendation
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- category
- type

firewall-bypass

Filters resources by the firewall bypass rules.

example:

This policy will find all CosmosDB with enabled Azure Portal and Azure AzureCloud bypass rules

policies:
  - name: cosmosdb-bypass
    resource: azure.cosmosdb
    filters:
      - type: firewall-bypass
        mode: equal
        list:
            - AzureCloud
            - Portal
properties:
  list:
    items:
      enum:
      - AzureCloud
      - Portal
    type: array
  mode:
    enum:
    - include
    - equal
    - any
    - only
  type:
    enum:
    - firewall-bypass
required:
- mode
- list
- type

Actions

set-firewall-rules

Set Firewall Rules Action

Updates CosmosDB Firewall settings. Learn about the firewall at: https://docs.microsoft.com/en-us/azure/cosmos-db/firewall-support

By default the firewall rules are appended with the new values. The append: False flag can be used to replace the old rules with the new ones on the resource.

You may also reference azure public cloud Service Tags by name in place of an IP address. Use ServiceTags. followed by the name of any group from https://www.microsoft.com/en-us/download/details.aspx?id=56519.

Note that there are firewall rule number limits. The limit for CosmosDB is 1000 rules (maximum tested rule count).

- type: set-firewall-rules
      ip-rules:
          - 11.12.13.0/16
          - ServiceTags.AppService.CentralUS
example:

Find CosmosDB accounts without any firewall rules.

Enable the firewall and allow: - All Azure Cloud IP space - All Portal UI IP space - Two additional external IP ranges

append: True (default) ensures we only add to the existing configuration.

policies:
  - name: cosmos-firewall
    resource: azure.cosmosdb
    filters:
      # The firewall is disabled
      - type: value
        key: properties.ipRangeFilter
        value: empty
    actions:
      - type: set-firewall-rules
        append: True
        bypass-rules:
          - AzureCloud
          - Portal
        ip-rules:
          - 19.0.0.0/16
          - 20.0.1.2

Cosmos firewalls are disabled by simply configuring them with empty values. We can do this by passing an empty array with append: False

policies:
  - name: cosmos-firewall-clear
    resource: azure.cosmosdb
    filters:
      # The firewall is enabled
      - not:
        - type: value
          key: properties.ipRangeFilter
          value: empty
    actions:
      - type: set-firewall-rules
        append: False
        ip-rules: []
properties:
  append:
    default: true
    type: boolean
  bypass-rules:
    items:
      enum:
      - Portal
      - AzureCloud
    type: array
  ip-rules:
    items:
      type: string
    type: array
  type:
    enum:
    - set-firewall-rules
  virtual-network-rules:
    items:
      type: string
    type: array
required:
- type