azure.sqlserver
SQL Server Resource
- example
This policy will find all SQL servers with average DTU consumption under 10 percent over the last 72 hours.

policies:
  - name: sqlserver-under-utilized
    resource: azure.sqlserver
    filters:
      - type: metric
        metric: dtu_consumption_percent
        op: lt
        aggregation: average
        threshold: 10
        timeframe: 72
        filter: "ElasticPoolResourceId eq '*'"
        no_data_action: include

- example
This policy will find all SQL servers without any firewall rules defined.

policies:
  - name: find-sqlserver-without-firewall-rules
    resource: azure.sqlserver
    filters:
      - type: firewall-rules
        equal: []

- example
This policy will find all SQL servers allowing traffic from 1.2.2.128/25 CIDR.

policies:
  - name: find-sqlserver-allowing-subnet
    resource: azure.sqlserver
    filters:
      - type: firewall-rules
        include: ['1.2.2.128/25']

Filters
firewall-bypass
Filters resources by the firewall bypass rules.
- example
This policy will find all SQL servers with Azure Services bypass rules enabled.

policies:
  - name: sqlserver-bypass
    resource: azure.sqlserver
    filters:
      - type: firewall-bypass
        mode: equal
        list:
          - AzureServices

properties:
  list:
    items:
      enum:
        - AzureServices
    type: array
  mode:
    enum:
      - include
      - equal
      - any
      - only
  type:
    enum:
      - firewall-bypass
required:
  - mode
  - list
  - type

Actions
set-firewall-rules
Set Firewall Rules Action
Updates SQL Server Firewall configuration.
By default the firewall rules are replaced with the new values. The append
flag can be used to force merging the new rules with the existing ones on
the resource.
You may also reference Azure public cloud Service Tags by name in place of
an IP address. Use "ServiceTags." followed by the name of any group from
https://www.microsoft.com/en-us/download/details.aspx?id=56519.

- type: set-firewall-rules
  bypass-rules:
    - AzureServices
  ip-rules:
    - 11.12.13.0/16
    - ServiceTags.AppService.CentralUS

- example
Configure firewall to allow:
- Azure Services
- Two IP ranges

policies:
  - name: add-sql-server-firewall
    resource: azure.sqlserver
    actions:
      - type: set-firewall-rules
        bypass-rules:
          - AzureServices
        ip-rules:
          - 11.12.13.0/16
          - 21.22.23.24

properties:
  append:
    default: true
    type: boolean
  bypass-rules:
    items:
      enum:
        - AzureServices
    type: array
  ip-rules:
    items:
      type: string
    type: array
  prefix:
    maxLength: 91
    type: string
  type:
    enum:
      - set-firewall-rules
  virtual-network-rules:
    items:
      type: string
    type: array
required:
  - type
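
The ip-rules list of set-firewall-rules accepts IP addresses, CIDR ranges and ServiceTags names, so a quick review of those strings before a policy runs shows how wide each entry really is. The script below is an added example, not Cloud Custodian code; the function names and the MAX_ADDRESSES threshold are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: the ip-rules values that appear in the examples on this page.
SAMPLE_IP_RULES = ["11.12.13.0/16", "21.22.23.24", "ServiceTags.AppService.CentralUS"]

# Hypothetical review threshold (assumption); not a Cloud Custodian setting.
MAX_ADDRESSES = 4096


def review_ip_rule(entry, max_addresses=MAX_ADDRESSES):
    """Classify one ip-rules entry and collect findings for a human reviewer."""
    if entry.startswith("ServiceTags."):
        # Service Tag names cannot be verified offline; only the shape is checked.
        name = entry[len("ServiceTags."):]
        findings = [] if name else ["empty Service Tag name"]
        return {"entry": entry, "kind": "service-tag", "findings": findings}
    try:
        iface = ipaddress.ip_interface(entry)
    except ValueError:
        return {"entry": entry, "kind": "invalid",
                "findings": ["not an IP address, CIDR range or ServiceTags.<name>"]}
    net = iface.network
    findings = []
    if iface.ip != net.network_address:
        # e.g. 11.12.13.0/16: the mask keeps only 11.12, so the range is 11.12.0.0/16.
        findings.append(f"host bits set, range is {net}")
    if net.num_addresses > max_addresses:
        findings.append(f"allows {net.num_addresses} addresses")
    kind = "cidr" if "/" in entry else "ip"
    return {"entry": entry, "kind": kind, "findings": findings}


def flagged(ip_rules):
    """Return only the entries that need a second look before the policy runs."""
    return [r for r in map(review_ip_rule, ip_rules) if r["findings"]]


if __name__ == "__main__":
    for result in flagged(SAMPLE_IP_RULES):
        print(result["entry"], "->", "; ".join(result["findings"]))
```

On the sample values only 11.12.13.0/16 is flagged: its mask covers the whole of 11.12.0.0/16, which is 65536 addresses.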