class StorageFirewallBypassFilter(FirewallBypassFilter):
    """
    Filters Storage Accounts by their firewall bypass rules.

    A Storage Account whose network ACL ``defaultAction`` is ``Allow`` is not
    restricting traffic at all, so it is reported with every bypass category
    (``AzureServices``, ``Metrics`` and ``Logging``) enabled. Otherwise the
    ACL's ``bypass`` string is split into its individual values.

    :example:

    This policy will find all Storage Accounts with enabled Azure Services,
    Metrics and Logging bypass rules

    .. code-block:: yaml

        policies:
          - name: storage-bypass
            resource: azure.storage
            filters:
              - type: firewall-bypass
                mode: equal
                list:
                  - AzureServices
                  - Metrics
                  - Logging
    """

    schema = FirewallBypassFilter.schema(
        ['AzureServices', 'Metrics', 'Logging'])

    def _query_bypass(self, resource):
        """Return the bypass categories currently active on ``resource``.

        :param resource: Storage Account resource dict. ``properties.networkAcls``
            is read without a guard, so it must be present.
        :return: list of bypass names, possibly empty.
        """
        network_acls = resource['properties']['networkAcls']
        # Default action Allow means the firewall is effectively off, so every
        # bypass category is reported as enabled.
        if network_acls['defaultAction'] == 'Allow':
            return ['AzureServices', 'Metrics', 'Logging']
        # The bypass value is a single comma-separated string that may contain
        # spaces; normalise it before splitting and drop empty tokens so a
        # missing or blank value yields [].
        raw_bypass = network_acls.get('bypass', '').replace(' ', '')
        tokens = raw_bypass.split(',')
        return [token for token in tokens if token]
class SqlServerFirewallBypassFilter(FirewallBypassFilter):
    """
    Filters SQL Servers by their firewall bypass rules.

    Azure SQL expresses "allow Azure services" access as a server firewall
    rule whose start and end address are both ``0.0.0.0``; the presence of
    such a rule is reported here as the ``AzureServices`` bypass.

    :example:

    This policy will find all SQL Servers with enabled Azure Services
    bypass rules

    .. code-block:: yaml

        policies:
          - name: sqlserver-bypass
            resource: azure.sqlserver
            filters:
              - type: firewall-bypass
                mode: equal
                list:
                  - AzureServices
    """

    schema = FirewallBypassFilter.schema(['AzureServices'])

    def _query_bypass(self, resource):
        """Return ``['AzureServices']`` when the server carries the
        ``0.0.0.0``-``0.0.0.0`` firewall rule, otherwise ``[]``.

        :param resource: SQL Server resource dict providing ``resourceGroup``
            and ``name``; the firewall rules are fetched through ``self.client``.
        """
        rules = self.client.firewall_rules.list_by_server(
            resource['resourceGroup'], resource['name'])
        # Stop at the first matching rule; no need to page through the rest.
        azure_services_allowed = any(
            rule.start_ip_address == '0.0.0.0' and rule.end_ip_address == '0.0.0.0'
            for rule in rules)
        return ['AzureServices'] if azure_services_allowed else []
class CosmosFirewallBypassFilter(FirewallBypassFilter):
    """
    Filters CosmosDB accounts by their firewall bypass rules.

    CosmosDB has no explicit bypass flags; a category is considered bypassed
    when every address of the known ``AZURE_CLOUD_IPS`` / ``PORTAL_IPS`` set
    appears in the account's IP rules. An account with no IP rules and no
    virtual-network filter is open to everything and so reports both.

    :example:

    This policy will find all CosmosDB with enabled Azure Portal and Azure
    AzureCloud bypass rules

    .. code-block:: yaml

        policies:
          - name: cosmosdb-bypass
            resource: azure.cosmosdb
            filters:
              - type: firewall-bypass
                mode: equal
                list:
                  - AzureCloud
                  - Portal
    """

    schema = FirewallBypassFilter.schema(['AzureCloud', 'Portal'])

    def _query_bypass(self, resource):
        """Return the bypass categories implied by ``resource``'s IP rules.

        :param resource: CosmosDB resource dict; ``properties.ipRules`` is
            optional, ``properties.isVirtualNetworkFilterEnabled`` is required.
        :return: subset of ``['AzureCloud', 'Portal']``, in that order.
        """
        properties = resource['properties']
        ip_rules = properties.get('ipRules', [])
        vnet_filter_enabled = properties['isVirtualNetworkFilterEnabled']

        if ip_rules == []:
            # No IP rules at all: only a virtual-network filter would still be
            # restricting access; without one the account is reachable from
            # anywhere, which counts as every category being bypassed.
            return [] if vnet_filter_enabled else ['AzureCloud', 'Portal']

        allowed = {rule['ipAddressOrRange'] for rule in ip_rules}
        categories = (('AzureCloud', AZURE_CLOUD_IPS), ('Portal', PORTAL_IPS))
        # A category is bypassed only if all of its known addresses are allowed.
        return [name for name, ips in categories if set(ips).issubset(allowed)]
class KeyVaultFirewallBypassFilter(FirewallBypassFilter):
    """
    Filters Key Vaults by their firewall bypass rules.

    A vault without a ``networkAcls`` block reports no bypass; one whose
    ``defaultAction`` is ``Allow`` is not restricting traffic and reports
    ``AzureServices``; otherwise the ACL's ``bypass`` string is split into
    its individual values.

    :example:

    This policy will find all KeyVaults with enabled Azure Services
    bypass rules

    .. code-block:: yaml

        policies:
          - name: keyvault-bypass
            resource: azure.keyvault
            filters:
              - type: firewall-bypass
                mode: equal
                list:
                  - AzureServices
    """

    schema = FirewallBypassFilter.schema(['AzureServices'])

    def _query_bypass(self, resource):
        """Return the bypass categories active on ``resource``.

        Side effect: when the resource dict has no ``properties`` key the vault
        is fetched through ``self.client`` and its serialized properties are
        stored on ``resource['properties']``.

        :param resource: Key Vault resource dict with ``resourceGroup`` and
            ``name``; ``properties`` is filled in on demand.
        :return: list of bypass names, possibly empty.
        """
        if 'properties' not in resource:
            # Presumably the listing call omitted the properties; fetch them
            # once and cache them on the resource for later use.
            vault = self.client.vaults.get(
                resource['resourceGroup'], resource['name'])
            resource['properties'] = vault.properties.serialize()

        properties = resource['properties']
        if 'networkAcls' not in properties:
            return []

        network_acls = properties['networkAcls']
        # Default action Allow means the firewall is effectively off.
        if network_acls['defaultAction'] == 'Allow':
            return ['AzureServices']

        # Comma-separated bypass string, possibly with spaces; empty tokens
        # are dropped so a blank value yields [].
        raw_bypass = network_acls.get('bypass', '').replace(' ', '')
        return [token for token in raw_bypass.split(',') if token]