azure.sql-server

SQL Server Resource

example

This policy will find all SQL servers with average DTU consumption under 10 percent over the last 72 hours

policies:
  - name: sqlserver-under-utilized
    resource: azure.sqlserver
    filters:
      - type: metric
        metric: dtu_consumption_percent
        op: lt
        aggregation: average
        threshold: 10
        timeframe: 72
        filter: "ElasticPoolResourceId eq '*'"
        no_data_action: include

example

This policy will find all SQL servers without any firewall rules defined.

policies:
  - name: find-sqlserver-without-firewall-rules
    resource: azure.sqlserver
    filters:
      - type: firewall-rules
        equal: []

example

This policy will find all SQL servers allowing traffic from 1.2.2.128/25 CIDR.

policies:
  - name: find-sqlserver-allowing-subnet
    resource: azure.sqlserver
    filters:
      - type: firewall-rules
        include: ['1.2.2.128/25']

Filters

• auditing

• azure-ad-administrators

• cost

• diagnostic-settings

• event

• firewall-bypass

• firewall-rules

• marked-for-op

• metric

• offhour

• onhour

• policy-compliant

• reduce

• resource-lock

• value

• vulnerability-assessment

auditing

Filter by the current auditing policy for this sql server.

example

Find SQL servers with auditing disabled

policies:
  - name: sql-database-no-auditing
    resource: azure.sql-server
    filters:
      - type: auditing
        enabled: false

properties:
  enabled:
    type: boolean
  type:
    enum:
    - auditing
required:
- type
- enabled
- type

firewall-bypass

Filters resources by the firewall bypass rules.

example

This policy will find all SQL Servers with enabled Azure Services bypass rules

policies:
  - name: sqlserver-bypass
    resource: azure.sqlserver
    filters:
      - type: firewall-bypass
        mode: equal
        list:
            - AzureServices

properties:
  list:
    items:
      enum:
      - AzureServices
    type: array
  mode:
    enum:
    - include
    - equal
    - any
    - only
  type:
    enum:
    - firewall-bypass
required:
- mode
- list
- type

Actions

• auto-tag-date

• auto-tag-user

• delete

• lock

• logic-app

• mark-for-op

• notify

• set-firewall-rules

• tag

• tag-trim

• untag

• webhook

set-firewall-rules

Set Firewall Rules Action

Updates SQL Server Firewall configuration.

By default the firewall rules are replaced with the new values. The append flag can be used to force merging the new rules with the existing ones on the resource.

You may also reference azure public cloud Service Tags by name in place of an IP address. Use ServiceTags. followed by the name of any group from https://www.microsoft.com/en-us/download/details.aspx?id=56519.

- type: set-firewall-rules
      bypass-rules:
          - AzureServices
      ip-rules:
          - 11.12.13.0/16
          - ServiceTags.AppService.CentralUS

example

Configure firewall to allow: - Azure Services - Two IP ranges

policies:
    - name: add-sql-server-firewall
      resource: azure.sqlserver
      actions:
        - type: set-firewall-rules
          bypass-rules:
              - AzureServices
          ip-rules:
              - 11.12.13.0/16
              - 21.22.23.24

properties:
  append:
    default: true
    type: boolean
  bypass-rules:
    items:
      enum:
      - AzureServices
    type: array
  ip-rules:
    items:
      type: string
    type: array
  prefix:
    maxLength: 91
    type: string
  type:
    enum:
    - set-firewall-rules
  virtual-network-rules:
    items:
      type: string
    type: array
required:
- type