π§ Azure SQL Database allows ingress from 0.0.0.0/0 (ANY IP) - prod.logic.yaml π’
- Contextual name: π§ prod.logic.yaml π’
- ID:
/ce/ca/azure/sql-database/disable-database-allows-ingress-from-any-ip-rule/prod.logic.yaml - Located in: π Azure SQL Database allows ingress from 0.0.0.0/0 (ANY IP) π’
Flagsβ
- π’ Logic test success
- π’ Logic with extracts
- π’ Logic with test data
Input Typeβ
| Type | API Name | Extracts | Extract Files | Logic Files | |
|---|---|---|---|---|---|
| π | π Azure SQL Server | CA10__CaAzureSqlServer__c | 9 | 1 | 6 |
Usesβ
Test Results π’β
Generated at: 2025-04-24T23:45:46.113662248Z Open
| Result | Id | Condition Index | Condition Text | Runtime Error |
|---|---|---|---|---|
| π’ | test1 | βοΈ 99 | βοΈ isDisappeared(CA10__disappearanceTime__c) | βοΈ null |
| π’ | test2 | βοΈ 299 | βοΈ extract('caJsonFrom__firewallRulesJson__c').jsonQueryText('length([? properties.startIpAddress == \'0.0.0.0\' && (properties.endIpAddress == \'0.0.0.0\' || properties.endIpAddress == \'255.255.255.255\')])') > number(0.0) | βοΈ null |
| π’ | test3 | βοΈ 199 | βοΈ extract('caJsonFrom__firewallRulesJson__c').jsonQueryText('[? name == \'AllowAllWindowsAzureIps\'].name | [0]') == 'AllowAllWindowsAzureIps' | βοΈ null |
| π’ | test4 | βοΈ 299 | βοΈ extract('caJsonFrom__firewallRulesJson__c').jsonQueryText('length([? properties.startIpAddress == \'0.0.0.0\' && (properties.endIpAddress == \'0.0.0.0\' || properties.endIpAddress == \'255.255.255.255\')])') > number(0.0) | βοΈ null |
| π’ | test5 | βοΈ 400 | βοΈ otherwise | βοΈ null |
| π’ | test6 | βοΈ 400 | βοΈ otherwise | βοΈ null |
| π’ | test7 | βοΈ 400 | βοΈ otherwise | βοΈ null |
| π’ | test8 | βοΈ 400 | βοΈ otherwise | βοΈ null |
| π’ | test9 | βοΈ 101 | βοΈ CA10__firewallRulesJson__c.delegatedTo(CA10__firewallRulesJson__c).isEmpty() | βοΈ null |
Generationβ
| File | MD5 | |
|---|---|---|
| Open | /ce/ca/azure/sql-database/disable-database-allows-ingress-from-any-ip-rule/policy.yaml | 7A0A9175654937E55C7DF7A50BDCEFA5 |
| Open | /ce/ca/azure/sql-database/disable-database-allows-ingress-from-any-ip-rule/prod.logic.yaml | EE5252204BD9144C8C4F2C4CCC2C5440 |
| Open | /types/CA10__CaAzureSqlServer__c/object.extracts.yaml | E77808BBEDF31D54E009EEA59AC5EF4B |
| Open | /ce/ca/azure/sql-database/disable-database-allows-ingress-from-any-ip-rule/test-data.json | 6797079708A7644D13B8854DA81CDA70 |
Generate FULL scriptβ
java -jar repo-manager.jar policies generate FULL /ce/ca/azure/sql-database/disable-database-allows-ingress-from-any-ip-rule/prod.logic.yaml
Generate DEBUG scriptβ
java -jar repo-manager.jar policies generate DEBUG /ce/ca/azure/sql-database/disable-database-allows-ingress-from-any-ip-rule/prod.logic.yaml
Generate CAPTURE_TEST_DATA scriptβ
java -jar repo-manager.jar policies generate CAPTURE_TEST_DATA /ce/ca/azure/sql-database/disable-database-allows-ingress-from-any-ip-rule/prod.logic.yaml
Generate TESTS scriptβ
java -jar repo-manager.jar policies generate TESTS /ce/ca/azure/sql-database/disable-database-allows-ingress-from-any-ip-rule/prod.logic.yaml
Execute testsβ
java -jar repo-manager.jar policies test /ce/ca/azure/sql-database/disable-database-allows-ingress-from-any-ip-rule/prod.logic.yaml
Contentβ
---
inputType: "CA10__CaAzureSqlServer__c"
testData:
- file: "test-data.json"
importExtracts:
- file: "/types/CA10__CaAzureSqlServer__c/object.extracts.yaml"
conditions:
- status: "INCOMPLIANT"
currentStateMessage: "SQL Database Server Firewall Rules contain AllowAllWindowsAzureIps rule allowing ingress from 0.0.0.0/0 (ANY IP)."
remediationMessage: "Consider removing or disabling the overly permissive rule."
check:
# searches for the rule with the name AllowAllWindowsAzureIps
IS_EQUAL:
left:
JSON_QUERY_TEXT:
arg:
EXTRACT: "caJsonFrom__firewallRulesJson__c"
expression: "[? name == 'AllowAllWindowsAzureIps'].name | [0]"
undeterminedIf:
evaluationError: "The JSON query has failed."
resultTypeMismatch: "The JSON query did not return text type."
right:
TEXT: "AllowAllWindowsAzureIps"
- status: "INCOMPLIANT"
currentStateMessage: "SQL Database Server Firewall Rules contain a rule allowing ingress from 0.0.0.0/0 (ANY IP)."
remediationMessage: "Consider removing or disabling the overly permissive rule."
check:
# number of rules with start and end IPs as 0.0.0.0
GREATER_THAN:
left:
JSON_QUERY_NUMBER:
arg:
EXTRACT: "caJsonFrom__firewallRulesJson__c"
expression: "length([? properties.startIpAddress == '0.0.0.0' && (properties.endIpAddress == '0.0.0.0' || properties.endIpAddress == '255.255.255.255')])"
undeterminedIf:
evaluationError: "The JSON query has failed."
resultTypeMismatch: "The JSON query did not return number type."
right:
NUMBER: 0.0
- status: "COMPLIANT"
currentStateMessage: "SQL Database Server doesn't have any Firewall Rules."
check:
IS_EMPTY:
arg:
EXTRACT: "CA10__firewallRulesJson__c"
otherwise:
status: "COMPLIANT"
currentStateMessage: "SQL Database Server Firewall Rules do not have a rule allowing ingress from 0.0.0.0/0 (ANY IP)."