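---
# Compliance rule: Azure Database for PostgreSQL (flexible server) firewall
# rules must not grant ingress from any IP address.
#
# Evaluation order matters: conditions are checked top to bottom and the first
# match wins; `otherwise` applies only when no condition matches.
inputType: "CA10Z1__CaAzurePostgreSqlServer__c"

testData:
  - file: "test-data.json"

importExtracts:
  - file: "/types/CA10Z1__CaAzurePostgreSqlServer__c/object.extracts.yaml"

conditions:
  # Only the flexible-server deployment mode is in scope for this rule.
  - status: "INAPPLICABLE"
    currentStateMessage: "This is not the flexible server deployment mode."
    check:
      NOT_EQUAL:
        left:
          EXTRACT: "CA10Z1__deploymentMode__c"
        right:
          TEXT: "Flexible"

  # Built-in "allow Azure services" rule. The query below matches on the rule
  # name, so the message must name the same rule prefix the query looks for
  # (it previously cited a differently named rule).
  - status: "INCOMPLIANT"
    currentStateMessage: "PostgreSQL server firewall rules allow ingress from 0.0.0.0/0 (ANY IP) via the AllowAllAzureServicesAndResourcesWithinAzureIps rule."
    remediationMessage: "Remove or disable the overly permissive rule."
    check:
      # Counts the rules whose names start with
      # AllowAllAzureServicesAndResourcesWithinAzureIps; any such rule is a finding.
      GREATER_THAN:
        left:
          JSON_QUERY_NUMBER:
            arg:
              EXTRACT: "caJsonFrom__firewallRules__c"
            expression: "length([? starts_with(name, 'AllowAllAzureServicesAndResourcesWithinAzureIps')])"
            undeterminedIf:
              evaluationError: "The JSON query has failed."
              resultTypeMismatch: "The JSON query did not return number type."
        right:
          NUMBER: 0.0

  # Explicit any-IP rules, matched on their address range rather than their name.
  - status: "INCOMPLIANT"
    currentStateMessage: "PostgreSQL server firewall rules allow ingress from 0.0.0.0/0 (ANY IP)."
    remediationMessage: "Remove or disable the overly permissive rule."
    check:
      # Counts rules with startIpAddress 0.0.0.0 and endIpAddress of either
      # 0.0.0.0 or 255.255.255.255.
      # NOTE(review): in Azure a 0.0.0.0-0.0.0.0 rule is the "allow Azure
      # services" rule rather than literally any IP; the 0.0.0.0-255.255.255.255
      # form is the true any-IP rule. Both are treated as findings here - confirm
      # that is the intended severity.
      # NOTE(review): only these two canonical encodings are recognised. A rule
      # such as 1.0.0.0-255.255.255.255 is effectively any-IP as well but is not
      # caught by this expression; a numeric range comparison is not expressible
      # in this query language, so such rules need a separate control.
      GREATER_THAN:
        left:
          JSON_QUERY_NUMBER:
            arg:
              EXTRACT: "caJsonFrom__firewallRules__c"
            expression: "length([? properties.startIpAddress == '0.0.0.0' && (properties.endIpAddress == '0.0.0.0' || properties.endIpAddress == '255.255.255.255')])"
            undeterminedIf:
              evaluationError: "The JSON query has failed."
              resultTypeMismatch: "The JSON query did not return number type."
        right:
          NUMBER: 0.0

  # No firewall rules at all is compliant for this control.
  # NOTE(review): this is evaluated after the JSON queries above; if the
  # firewallRules extract is absent rather than empty, those queries may report
  # an evaluation error (UNDETERMINED) before this condition is reached - confirm
  # against test-data.json.
  - status: "COMPLIANT"
    currentStateMessage: "PostgreSQL server firewall rules are not defined."
    check:
      IS_EMPTY:
        arg:
          EXTRACT: "CA10Z1__firewallRules__c"

otherwise:
  status: "COMPLIANT"
  currentStateMessage: "PostgreSQL server firewall rules do not allow ingress from 0.0.0.0/0 (ANY IP)."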