azure.sql-server

SQL Server Resource

example:

This policy will find all SQL servers with average DTU consumption under 10 percent over the last 72 hours.

policies:
  - name: sqlserver-under-utilized
    resource: azure.sqlserver
    filters:
      - type: metric
        metric: dtu_consumption_percent
        op: lt
        aggregation: average
        threshold: 10
        timeframe: 72
        filter: "ElasticPoolResourceId eq '*'"
        no_data_action: include

example:

This policy will find all SQL servers without any firewall rules defined.

policies:
  - name: find-sqlserver-without-firewall-rules
    resource: azure.sqlserver
    filters:
      - type: firewall-rules
        equal: []

example:

This policy will find all SQL servers allowing traffic from 1.2.2.128/25 CIDR.

policies:
  - name: find-sqlserver-allowing-subnet
    resource: azure.sqlserver
    filters:
      - type: firewall-rules
        include: ['1.2.2.128/25']
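The two firewall-rules policies above (equal: [] and include: [CIDR]) are easier to reason about with a small model of what they test. This is an added illustration in Python, not Cloud Custodian's implementation; it assumes Azure SQL firewall rules are inclusive start/end IPv4 ranges and reads include as "every address of the CIDR is permitted by some rule", and the server inventory is constructed sample data.

```python
"""Model of the ``equal: []`` and ``include: [CIDR]`` firewall-rules filters
shown above, over constructed sample rules.  Added example, not Cloud
Custodian's code; assumes rules are inclusive start/end IPv4 ranges."""
import ipaddress
from typing import Dict, List, Tuple

Rule = Tuple[str, str]  # (startIpAddress, endIpAddress)

# Constructed sample inventory, keyed by server name.
SAMPLE_SERVERS: Dict[str, List[Rule]] = {
    "sql-no-rules": [],
    "sql-office": [("1.2.2.128", "1.2.2.255")],  # exactly 1.2.2.128/25
    "sql-split": [("1.2.2.128", "1.2.2.191"), ("1.2.2.192", "1.2.2.255")],
    "sql-partial": [("1.2.2.128", "1.2.2.200")],  # only part of the /25
    "sql-open": [("0.0.0.0", "255.255.255.255")],  # allow-all rule
}


def cidr_allowed(rules: List[Rule], cidr: str) -> bool:
    """True when the rules jointly cover every address in ``cidr`` (the
    ``include`` filter); adjacent or overlapping rules combine."""
    net = ipaddress.ip_network(cidr, strict=False)
    need_lo, need_hi = int(net[0]), int(net[-1])
    ranges = sorted((int(ipaddress.IPv4Address(s)), int(ipaddress.IPv4Address(e)))
                    for s, e in rules)
    covered = need_lo  # first address not yet shown to be reachable
    for lo, hi in ranges:
        if lo > covered:
            break  # gap that no later (higher-starting) rule can fill
        covered = max(covered, hi + 1)
    return covered > need_hi


def has_no_rules(rules: List[Rule]) -> bool:
    """The ``equal: []`` filter: no firewall rules defined at all."""
    return not rules


def evaluate(servers: Dict[str, List[Rule]], cidr: str) -> Dict[str, Dict[str, bool]]:
    """Flag each server as the two firewall-rules policies above would, plus
    an allow-all check (0.0.0.0/0) a reviewer would want alongside them."""
    return {name: {"no_rules": has_no_rules(rules),
                   "allows_cidr": cidr_allowed(rules, cidr),
                   "allows_any": cidr_allowed(rules, "0.0.0.0/0")}
            for name, rules in servers.items()}
```

Calling evaluate(SAMPLE_SERVERS, "1.2.2.128/25") flags sql-no-rules under no_rules, sql-office, sql-split and sql-open under allows_cidr, and only sql-open under allows_any.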

Filters

advisor-recommendation

Filter resources by Azure Advisor recommendations.

Set category to 'all' to select recommendations from every category.

example:

policies:
  - name: disks-with-cost-recommendations
    resource: azure.disk
    filters:
      - type: advisor-recommendation
        category: Cost
        key: '[].properties.recommendationTypeId'
        op: contains
        value: '48eda464-1485-4dcf-a674-d0905df5054a'
properties:
  category:
    type: string
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
  type:
    enum:
    - advisor-recommendation
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          '':
            type: string
        type: object
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- category
- type

firewall-bypass

Filters resources by the firewall bypass rules.

example:

This policy will find all SQL servers with the Azure Services bypass rule enabled.

policies:
  - name: sqlserver-bypass
    resource: azure.sqlserver
    filters:
      - type: firewall-bypass
        mode: equal
        list:
            - AzureServices
properties:
  list:
    items:
      enum:
      - AzureServices
    type: array
  mode:
    enum:
    - include
    - equal
    - any
    - only
  type:
    enum:
    - firewall-bypass
required:
- mode
- list
- type

transparent-data-encryption

Filter by the current Transparent Data Encryption configuration for this server.

example:

Find SQL servers whose TDE configuration uses a customer-managed key.

policies:
  - name: sql-server-tde
    resource: azure.sql-server
    filters:
      - type: transparent-data-encryption
        key_type: CustomerManaged
properties:
  key_type:
    enum:
    - ServiceManaged
    - CustomerManaged
    type: string
  type:
    enum:
    - transparent-data-encryption
required:
- type
- key_type

Actions

set-firewall-rules

Set Firewall Rules Action

Updates SQL Server Firewall configuration.

By default the firewall rules are replaced with the new values. The append flag can be used to force merging the new rules with the existing ones on the resource.

You may also reference Azure public cloud Service Tags by name in place of an IP address: use ServiceTags. followed by the name of any group from https://www.microsoft.com/en-us/download/details.aspx?id=56519.

- type: set-firewall-rules
  bypass-rules:
    - AzureServices
  ip-rules:
    - 11.12.13.0/16
    - ServiceTags.AppService.CentralUS
example:

Configure firewall to allow:
- Azure Services
- Two IP ranges

policies:
    - name: add-sql-server-firewall
      resource: azure.sqlserver
      actions:
        - type: set-firewall-rules
          bypass-rules:
              - AzureServices
          ip-rules:
              - 11.12.13.0/16
              - 21.22.23.24
properties:
  append:
    default: true
    type: boolean
  bypass-rules:
    items:
      enum:
      - AzureServices
    type: array
  ip-rules:
    items:
      type: string
    type: array
  prefix:
    maxLength: 91
    type: string
  type:
    enum:
    - set-firewall-rules
  virtual-network-rules:
    items:
      type: string
    type: array
required:
- type