
Azure Policy definition

Azure Cosmos DB accounts should have firewall rules

Name Azure Cosmos DB accounts should have firewall rules
Id 862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb
Version 1.0.0
Category Cosmos DB
Description Audit or deny resources that do not have any IP rules configured and allow all networks by default. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant.
Mode All
Type BuiltIn
Preview FALSE
Deprecated FALSE
Effect Default: Deny
Allowed: (Audit, Deny, Disabled)
Used RBAC Role none
History
Date/Time (UTC, y-m-d) Change type Change detail
2020-06-23 16:03:25 add 862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb
Used in Initiatives none
Json
{
  "properties": {
    "displayName": "Azure Cosmos DB accounts should have firewall rules",
    "policyType": "BuiltIn",
    "mode": "All",
    "description": "Audit or deny resources that do not have any IP rules configured and allow all networks by default. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant.",
    "metadata": {
      "version": "1.0.0",
      "category": "Cosmos DB"
    },
    "parameters": {
      "effect": {
        "type": "String",
        "metadata": {
          "displayName": "Policy Effect",
          "description": "The desired effect of the policy."
        },
        "allowedValues": [
          "Audit",
          "Deny",
          "Disabled"
        ],
        "defaultValue": "Deny"
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.DocumentDB/databaseAccounts"
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.DocumentDB/databaseAccounts/publicNetworkAccess",
                "exists": "false"
              },
              {
                "field": "Microsoft.DocumentDB/databaseAccounts/publicNetworkAccess",
                "equals": "Enabled"
              }
            ]
          },
          {
            "anyOf": [
              {
                "field": "Microsoft.DocumentDB/databaseAccounts/isVirtualNetworkFilterEnabled",
                "exists": "false"
              },
              {
                "field": "Microsoft.DocumentDB/databaseAccounts/isVirtualNetworkFilterEnabled",
                "equals": "false"
              },
              {
                "allOf": [
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.DocumentDB/databaseAccounts/ipRules",
                        "exists": "false"
                      },
                      {
                        "count": {
                        "field": "Microsoft.DocumentDB/databaseAccounts/ipRules[*]"
                        },
                        "equals": 0
                      }
                    ]
                  },
                  {
                    "anyOf": [
                      {
                        "field": "Microsoft.DocumentDB/databaseAccounts/ipRangeFilter",
                        "exists": "false"
                      },
                      {
                        "field": "Microsoft.DocumentDB/databaseAccounts/ipRangeFilter",
                        "equals": ""
                      }
                    ]
                  }
                ]
              }
            ]
          }
        ]
      },
      "then": {
      "effect": "[parameters('effect')]"
      }
    }
  },
  "id": "/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": "862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb"
}