Azure CosmosDB - Policy to stop IP, VNET, Replication zone changes due to RBAC missing

CosmosDB is a popular NoSQL PaaS service.

  • Because it holds data at rest, it needs a control that stops any arbitrary IP address or VNET from being allowed on your PaaS resource.
  • Similarly, for data sovereignty, it needs a control that stops non-Australian regions from being added as replication locations.


Problem:

-----------

Currently there is no RBAC operation granular enough to stop clients from changing these important settings: anyone who can write the database account can also change its firewall, VNET rules and replication locations.

https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftdocumentdb  


Solution:

------------

Azure Policy to the rescue :)



{
  "properties": {
    "displayName": "CosmosDB Deny Firewall and Location",
    "policyType": "Custom",
    "mode": "All",
    "description": "Cosmos DB cannot have Firewall IP & VNET i.e. service endpoints enabled without security approval.\nCosmos DB can only be deployed in Australia regions",
    "metadata": {
      "category": "Cosmos DB",
      "createdBy": "",
      "createdOn": "",
      "updatedBy": "",
      "updatedOn": ""
    },
    "parameters": {
      "allowedLocations": {
        "type": "Array",
        "metadata": {
          "displayName": "Allowed locations",
          "description": "The list of allowed locations for resources.",
          "strongType": "location"
        }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          {
            "field": "type",
            "equals": "Microsoft.DocumentDB/databaseAccounts"
          },
          {
            "anyOf": [
              {
                "allOf": [
                  {
                    "field": "Microsoft.DocumentDB/databaseAccounts/ipRangeFilter",
                    "exists": "true"
                  },
                  {
                    "field": "Microsoft.DocumentDB/databaseAccounts/ipRangeFilter",
                    "notEquals": ""
                  }
                ]
              },
              {
                "count": {
                  "field": "Microsoft.DocumentDB/databaseAccounts/ipRules[*]"
                },
                "notEquals": 0
              },
              {
                "count": {
                  "field": "Microsoft.DocumentDB/databaseAccounts/virtualNetworkRules[*]"
                },
                "notEquals": 0
              },
              {
                "count": {
                  "field": "Microsoft.DocumentDB/databaseAccounts/Locations[*]",
                  "where": {
                    "value": "[replace(toLower(first(field('Microsoft.DocumentDB/databaseAccounts/Locations[*].locationName'))), ' ', '')]",
                    "in": "[parameters('allowedLocations')]"
                  }
                },
                "notEquals": "[length(field('Microsoft.DocumentDB/databaseAccounts/Locations[*]'))]"
              }
            ]
          }
        ]
      },
      "then": {
        "effect": "deny"
      }
    }
  },
  "id": "/",
  "type": "Microsoft.Authorization/policyDefinitions",
  "name": ""
}
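To see what the rule above would block before assigning it, here is a small local model of its four clauses (an added example written for this post, not Azure's policy engine or any Microsoft code; the allowed-location list and the sample account body are assumed). It mirrors the lowercase/strip-spaces normalisation the rule applies to location names and reports which clause would produce the deny.

```python
"""Local model of the deny rule above (added example, not Azure's policy
engine). Evaluates a Cosmos DB account body the way the policyRule reads
it and reports which clause would trigger the 'deny' effect."""

# Assumed value for the allowedLocations parameter; pass your own at assignment.
ALLOWED_LOCATIONS = ["australiaeast", "australiasoutheast", "australiacentral"]


def normalise_location(name):
    # Mirrors replace(toLower(locationName), ' ', '') in the policy rule.
    return name.lower().replace(" ", "")


def evaluate(account, allowed=ALLOWED_LOCATIONS):
    """Return the violated clauses; an empty list means the request is allowed."""
    if account.get("type") != "Microsoft.DocumentDB/databaseAccounts":
        return []  # the rule only targets Cosmos DB accounts
    props = account.get("properties", {})
    violations = []
    # Legacy comma-separated firewall string: 'exists' and notEquals ''.
    if props.get("ipRangeFilter"):
        violations.append("ipRangeFilter is set")
    # Newer ipRules array: count must be 0.
    if len(props.get("ipRules", [])) != 0:
        violations.append("ipRules is not empty")
    # VNet service-endpoint rules: count must be 0.
    if len(props.get("virtualNetworkRules", [])) != 0:
        violations.append("virtualNetworkRules is not empty")
    # Replication zones ('locations' in the ARM body, Locations[*] alias):
    # the count of allowed entries must equal the total count.
    locs = props.get("locations", [])
    bad = [l["locationName"] for l in locs
           if normalise_location(l["locationName"]) not in allowed]
    if bad:
        violations.append("locations outside allowed set: " + ", ".join(bad))
    return violations


# Constructed sample request: a firewall rule plus a non-AU replica.
SAMPLE_ACCOUNT = {
    "type": "Microsoft.DocumentDB/databaseAccounts",
    "name": "example-account",  # placeholder
    "properties": {
        "ipRules": [{"ipAddressOrRange": "203.0.113.0/24"}],  # documentation range
        "virtualNetworkRules": [],
        "locations": [{"locationName": "Australia East", "failoverPriority": 0},
                      {"locationName": "Southeast Asia", "failoverPriority": 1}],
    },
}
```

Running `evaluate(SAMPLE_ACCOUNT)` returns two violations (the ipRules entry and the Southeast Asia replica), which is what the assignment would deny.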

