azure.sql-server
SQL Server Resource
- example
This policy will find all SQL servers with average DTU consumption under 10 percent over the last 72 hours.

    policies:
      - name: sqlserver-under-utilized
        resource: azure.sqlserver
        filters:
          - type: metric
            metric: dtu_consumption_percent
            op: lt
            aggregation: average
            threshold: 10
            timeframe: 72
            filter: "ElasticPoolResourceId eq '*'"
            no_data_action: include
- example
This policy will find all SQL servers without any firewall rules defined.

    policies:
      - name: find-sqlserver-without-firewall-rules
        resource: azure.sqlserver
        filters:
          - type: firewall-rules
            equal: []
- example
This policy will find all SQL servers allowing traffic from 1.2.2.128/25 CIDR.

    policies:
      - name: find-sqlserver-allowing-subnet
        resource: azure.sqlserver
        filters:
          - type: firewall-rules
            include: ['1.2.2.128/25']
Filters
auditing
Filter by the current auditing policy for this SQL server.
- example
Find SQL servers with auditing disabled.

    policies:
      - name: sql-database-no-auditing
        resource: azure.sql-server
        filters:
          - type: auditing
            enabled: false

    properties:
      enabled:
        type: boolean
      type:
        enum:
        - auditing
    required:
    - type
    - enabled
    - type
firewall-bypass
Filters resources by the firewall bypass rules.
- example
This policy will find all SQL Servers with enabled Azure Services bypass rules.

    policies:
      - name: sqlserver-bypass
        resource: azure.sqlserver
        filters:
          - type: firewall-bypass
            mode: equal
            list:
              - AzureServices

    properties:
      list:
        items:
          enum:
          - AzureServices
        type: array
      mode:
        enum:
        - include
        - equal
        - any
        - only
      type:
        enum:
        - firewall-bypass
    required:
    - mode
    - list
    - type
Actions
set-firewall-rules
Set Firewall Rules Action
Updates SQL Server Firewall configuration.
By default the firewall rules are replaced with the new values. The append
flag can be used to force merging the new rules with the existing ones on
the resource. Note that the schema below lists append with default: true, so
set append explicitly in the policy to make the intended behavior unambiguous.
You may also reference Azure public cloud Service Tags by name in place of
an IP address. Use the prefix ServiceTags. (including the trailing dot)
followed by the name of any group from
https://www.microsoft.com/en-us/download/details.aspx?id=56519,
for example ServiceTags.AppService.CentralUS.

    - type: set-firewall-rules
      bypass-rules:
        - AzureServices
      ip-rules:
        - 11.12.13.0/16
        - ServiceTags.AppService.CentralUS
- example
Configure firewall to allow:
- Azure Services
- Two IP ranges

    policies:
      - name: add-sql-server-firewall
        resource: azure.sqlserver
        actions:
          - type: set-firewall-rules
            bypass-rules:
              - AzureServices
            ip-rules:
              - 11.12.13.0/16
              - 21.22.23.24

    properties:
      append:
        default: true
        type: boolean
      bypass-rules:
        items:
          enum:
          - AzureServices
        type: array
      ip-rules:
        items:
          type: string
        type: array
      prefix:
        maxLength: 91
        type: string
      type:
        enum:
        - set-firewall-rules
      virtual-network-rules:
        items:
          type: string
        type: array
    required:
    - type
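
An added example, not part of the Cloud Custodian documentation or code base: a Python review helper that checks a set-firewall-rules action (as a parsed dict) against the schema on this page before the policy is run, and reports what each ip-rules entry actually opens. It assumes ip-rules entries take only the forms shown above (single IP, CIDR, or a ServiceTags. name); review_action and its max_addresses threshold are hypothetical names.

```python
import ipaddress

ALLOWED_BYPASS = {"AzureServices"}  # enum from the schema on this page
MAX_PREFIX_LEN = 91                 # maxLength of `prefix` in the schema

# The action from the example on this page, as a parsed dict.
PAGE_EXAMPLE = {
    "type": "set-firewall-rules",
    "bypass-rules": ["AzureServices"],
    "ip-rules": ["11.12.13.0/16", "21.22.23.24"],
}

def review_action(action, max_addresses=65536):
    """Return review findings for one set-firewall-rules action.

    Assumes ip-rules entries are a single IP, a CIDR or a ServiceTags.* name.
    max_addresses is a hypothetical review threshold, not a Custodian setting.
    """
    if action.get("type") != "set-firewall-rules":
        return ["not a set-firewall-rules action"]
    findings = []
    if "append" not in action:
        findings.append("append not set: replace or merge is left to the default")
    if len(action.get("prefix", "")) > MAX_PREFIX_LEN:
        findings.append("prefix longer than 91 characters")
    for rule in action.get("bypass-rules", []):
        if rule not in ALLOWED_BYPASS:
            findings.append(f"unknown bypass rule: {rule}")
    for entry in action.get("ip-rules", []):
        if entry.startswith("ServiceTags."):
            continue  # named Service Tag group; its ranges are not checked here
        try:
            # strict=False accepts CIDRs with host bits set and normalises them
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            findings.append(f"{entry}: not an IP address or CIDR")
            continue
        if "/" in entry and str(net) != entry:
            findings.append(f"{entry}: host bits set, normalises to {net}")
        if net.num_addresses >= max_addresses:
            findings.append(f"{entry}: allows {net.num_addresses} addresses")
    return findings

if __name__ == "__main__":
    for finding in review_action(PAGE_EXAMPLE):
        print(finding)
```

Run against the example action from this page, the helper reports that append is not set and that 11.12.13.0/16 is a /16 with host bits set, which as a network covers 65,536 addresses.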