π§ Azure PostgreSQL Flexible Server Firewall Rules allow access to Azure services - prod.logic.yamlπ’
- Contextual name: π§ prod.logic.yamlπ’
- ID:
/ce/ca/azure/postgresql-database/disable-flexible-server-allows-access-to-azure-services/prod.logic.yaml - Tags:
- π’ Logic test success
- π’ Logic with extracts
- π’ Logic with test data
Usesβ
- π Azure PostgreSQL Server
- π Azure PostgreSQL Server - object.extracts.yaml
- π§ͺ test-data.json
Test Results π’β
Generated at: 2026-02-10T22:33:32.715575805Z Open
| Result | Id | Condition Index | Condition Text | Runtime Error |
|---|---|---|---|---|
| π’ | test1 | βοΈ 99 | βοΈ isDisappeared(CA10Z1__disappearanceTime__c) | βοΈ null |
| π’ | test2 | βοΈ 399 | βοΈ extract('caJsonFrom__firewallRules__c').jsonQueryText('length([? properties.startIpAddress == \'0.0.0.0\' && (properties.endIpAddress == \'0.0.0.0\' || properties.endIpAddress == \'255.255.255.255\')])') > number(0.0) | βοΈ null |
| π’ | test3 | βοΈ 299 | βοΈ extract('caJsonFrom__firewallRules__c').jsonQueryText('length([? starts_with(name, \'AllowAllAzureServicesAndResourcesWithinAzureIps\')])') > number(0.0) | βοΈ null |
| π’ | test4 | βοΈ 399 | βοΈ extract('caJsonFrom__firewallRules__c').jsonQueryText('length([? properties.startIpAddress == \'0.0.0.0\' && (properties.endIpAddress == \'0.0.0.0\' || properties.endIpAddress == \'255.255.255.255\')])') > number(0.0) | βοΈ null |
| π’ | test5 | βοΈ 500 | βοΈ otherwise | βοΈ null |
| π’ | test6 | βοΈ 500 | βοΈ otherwise | βοΈ null |
| π’ | test7 | βοΈ 204 | βοΈ extract('caJsonFrom__firewallRules__c').jsonQueryText('length([? starts_with(name, \'AllowAllAzureServicesAndResourcesWithinAzureIps\')])').isEvaluationFailed() | βοΈ TypeError: starts_with() expected argument 1 to be type 2 but received type 7 instead. |
| π’ | test8 | βοΈ 500 | βοΈ otherwise | βοΈ null |
| π’ | test9 | βοΈ 201 | βοΈ CA10Z1__firewallRules__c.delegatedTo(CA10Z1__firewallRules__c).isEmpty() | βοΈ null |
| π’ | test10 | βοΈ 199 | βοΈ extract('CA10Z1__deploymentMode__c') != 'Flexible' | βοΈ null |
Generation Bundleβ
| File | MD5 | |
|---|---|---|
| Open | /ce/ca/azure/postgresql-database/disable-flexible-server-allows-access-to-azure-services/policy.yaml | 36E75FE441963552505613F88F297027 |
| Open | /ce/ca/azure/postgresql-database/disable-flexible-server-allows-access-to-azure-services/prod.logic.yaml | 346B846366A7B1DE85EB1883AAB784C2 |
| Open | /ce/ca/azure/postgresql-database/disable-flexible-server-allows-access-to-azure-services/test-data.json | D368F0DE994691DB4F945A6D5306C790 |
| Open | /types/CA10Z1__CaAzurePostgreSqlServer__c/object.extracts.yaml | 57EE11B2A1C370B47B2D4FE4AF22C8D0 |
Available Commandsβ
repo-manager policies generate FULL /ce/ca/azure/postgresql-database/disable-flexible-server-allows-access-to-azure-services/prod.logic.yaml
repo-manager policies generate DEBUG /ce/ca/azure/postgresql-database/disable-flexible-server-allows-access-to-azure-services/prod.logic.yaml
repo-manager policies generate CAPTURE_TEST_DATA /ce/ca/azure/postgresql-database/disable-flexible-server-allows-access-to-azure-services/prod.logic.yaml
repo-manager policies generate TESTS /ce/ca/azure/postgresql-database/disable-flexible-server-allows-access-to-azure-services/prod.logic.yaml
# Execute tests
repo-manager policies test /ce/ca/azure/postgresql-database/disable-flexible-server-allows-access-to-azure-services/prod.logic.yaml
Contentβ
---
inputType: "CA10Z1__CaAzurePostgreSqlServer__c"
testData:
- file: "test-data.json"
importExtracts:
- file: "/types/CA10Z1__CaAzurePostgreSqlServer__c/object.extracts.yaml"
conditions:
- status: "INAPPLICABLE"
currentStateMessage: "This is not the flexible server deployment mode."
check:
NOT_EQUAL:
left:
EXTRACT: "CA10Z1__deploymentMode__c"
right:
TEXT: "Flexible"
- status: "INCOMPLIANT"
currentStateMessage: "PostgreSQL server firewall rules allow ingress from 0.0.0.0/0 (ANY IP) via the AllowAllWindowsAzureIps rule."
remediationMessage: "Remove or disable the overly permissive rule."
check:
# returns the number of rules which names start with AllowAllAzureServicesAndResourcesWithinAzureIps
GREATER_THAN:
left:
JSON_QUERY_NUMBER:
arg:
EXTRACT: "caJsonFrom__firewallRules__c"
expression: "length([? starts_with(name, 'AllowAllAzureServicesAndResourcesWithinAzureIps')])"
undeterminedIf:
evaluationError: "The JSON query has failed."
resultTypeMismatch: "The JSON query did not return number type."
right:
NUMBER: 0.0
- status: "INCOMPLIANT"
currentStateMessage: "PostgreSQL server firewall rules allow ingress from 0.0.0.0/0 (ANY IP)."
remediationMessage: "Remove or disable the overly permissive rule."
check:
# number of rules with start and end IPs as 0.0.0.0
GREATER_THAN:
left:
JSON_QUERY_NUMBER:
arg:
EXTRACT: "caJsonFrom__firewallRules__c"
expression: "length([? properties.startIpAddress == '0.0.0.0' && (properties.endIpAddress == '0.0.0.0' || properties.endIpAddress == '255.255.255.255')])"
undeterminedIf:
evaluationError: "The JSON query has failed."
resultTypeMismatch: "The JSON query did not return number type."
right:
NUMBER: 0.0
- status: "COMPLIANT"
currentStateMessage: "PostgreSQL server firewall rules are not defined."
check:
IS_EMPTY:
arg:
EXTRACT: "CA10Z1__firewallRules__c"
otherwise:
status: "COMPLIANT"
currentStateMessage: "PostgreSQL server firewall rules do not allow ingress from 0.0.0.0/0 (ANY IP)."