class StorageFirewallBypassFilter(FirewallBypassFilter):
    """
    Filters Storage Accounts by their firewall bypass rules.

    The enabled bypass set is read from ``properties.networkAcls.bypass``, a
    comma-separated string such as ``"AzureServices, Metrics"``.  When
    ``properties.networkAcls.defaultAction`` is ``Allow`` the account firewall
    does not restrict anything, so every bypass category is reported as
    enabled regardless of the ``bypass`` value.

    :example:

    This policy will find all Storage Accounts with enabled Azure Services, Metrics and Logging
    bypass rules

    .. code-block:: yaml

        policies:
          - name: storage-bypass
            resource: azure.storage
            filters:
              - type: firewall-bypass
                mode: equal
                list:
                    - AzureServices
                    - Metrics
                    - Logging
    """
    schema = FirewallBypassFilter.schema(
        ['AzureServices', 'Metrics', 'Logging'])

    def _query_bypass(self, resource):
        """Return the bypass categories enabled on a storage account.

        :param resource: storage account resource dict; it must carry
            ``properties.networkAcls.defaultAction`` (``KeyError`` otherwise).
        :returns: list of bypass names, empty when none are configured.
        """
        acls = resource['properties']['networkAcls']

        # A firewall whose default action is Allow lets everything through, so
        # treat every bypass category as enabled rather than trusting ``bypass``.
        if acls['defaultAction'] == 'Allow':
            return ['AzureServices', 'Metrics', 'Logging']

        # The API spells the set as "A, B, C": strip spaces before splitting
        # and drop the empty token an unset value would otherwise produce.
        # NOTE(review): a literal ``"None"`` bypass value comes back as
        # ``['None']`` — confirm the base-class comparison tolerates that.
        raw = acls.get('bypass', '').replace(' ', '')
        return [token for token in raw.split(',') if token]
class SqlServerFirewallBypassFilter(FirewallBypassFilter):
    """
    Filters SQL Servers by their firewall bypass rules.

    SQL Servers carry no explicit bypass property.  The only bypass this filter
    recognises is ``AzureServices``, which it derives from the server-level
    firewall rules: a rule spanning ``0.0.0.0``-``0.0.0.0`` is taken to be the
    one Azure creates for the "Allow Azure services and resources to access
    this server" switch (verify against the portal if in doubt).

    :example:

    This policy will find all SQL Servers with enabled Azure Services bypass rules

    .. code-block:: yaml

        policies:
          - name: sqlserver-bypass
            resource: azure.sqlserver
            filters:
              - type: firewall-bypass
                mode: equal
                list:
                    - AzureServices
    """

    schema = FirewallBypassFilter.schema(['AzureServices'])

    def _query_bypass(self, resource):
        """Return ``['AzureServices']`` when the all-zero rule exists, else ``[]``.

        :param resource: SQL server resource dict; ``resourceGroup`` and
            ``name`` are used to list its firewall rules through ``self.client``.
        :returns: list with the single recognised bypass name, or empty.
        """
        rules = self.client.firewall_rules.list_by_server(
            resource['resourceGroup'], resource['name'])

        # Only the exact 0.0.0.0-0.0.0.0 rule counts.  Any other range, even a
        # wide-open 0.0.0.0-255.255.255.255 one, is an ordinary IP rule and is
        # deliberately not reported as a bypass here.
        azure_services_enabled = any(
            rule.start_ip_address == '0.0.0.0'
            and rule.end_ip_address == '0.0.0.0'
            for rule in rules)
        return ['AzureServices'] if azure_services_enabled else []
class CosmosFirewallBypassFilter(FirewallBypassFilter):
    """
    Filters CosmosDB accounts by their firewall bypass rules.

    CosmosDB expresses bypasses as well-known IP ranges inside
    ``properties.ipRules``: the ``AzureCloud`` bypass is present when every
    entry of ``AZURE_CLOUD_IPS`` is configured, the ``Portal`` bypass when every
    entry of ``PORTAL_IPS`` is.  An account with no IP rules at all is treated
    as fully open (both bypasses) unless its virtual-network filter is on, in
    which case nothing bypasses.

    :example:

    This policy will find all CosmosDB with enabled Azure Portal and Azure AzureCloud bypass rules

    .. code-block:: yaml

        policies:
          - name: cosmosdb-bypass
            resource: azure.cosmosdb
            filters:
              - type: firewall-bypass
                mode: equal
                list:
                    - AzureCloud
                    - Portal
    """

    schema = FirewallBypassFilter.schema(['AzureCloud', 'Portal'])

    def _query_bypass(self, resource):
        """Return the bypass names whose IP sets are fully present in ``ipRules``.

        :param resource: CosmosDB resource dict; ``properties`` must contain
            ``isVirtualNetworkFilterEnabled`` (``KeyError`` otherwise) and may
            contain ``ipRules``.
        :returns: list drawn from ``['AzureCloud', 'Portal']``, in that order.
        """
        props = resource['properties']
        ip_rules = props.get('ipRules', [])
        vnet_filter_enabled = props['isVirtualNetworkFilterEnabled']

        # No IP rules: either the account is restricted to virtual networks
        # (nothing bypasses) or it has no network restriction at all, in which
        # case every bypass is effectively enabled.
        if ip_rules == []:
            return [] if vnet_filter_enabled else ['AzureCloud', 'Portal']

        # A bypass is recognised only when its whole well-known IP set is
        # present; a partial match does not count.
        configured = {rule['ipAddressOrRange'] for rule in ip_rules}
        known_bypasses = (
            ('AzureCloud', AZURE_CLOUD_IPS),
            ('Portal', PORTAL_IPS),
        )
        return [name for name, ips in known_bypasses
                if set(ips).issubset(configured)]
class KeyVaultFirewallBypassFilter(FirewallBypassFilter):
    """
    Filters Key Vaults by their firewall bypass rules.

    The bypass set is read from ``properties.networkAcls.bypass`` exactly as
    for storage accounts; a ``defaultAction`` of ``Allow`` reports
    ``AzureServices`` as enabled regardless of ``bypass``.  Resources that
    arrive without ``properties`` are completed with a ``vaults.get`` call.

    :example:

    This policy will find all KeyVaults with enabled Azure Services bypass rules

    .. code-block:: yaml

        policies:
          - name: keyvault-bypass
            resource: azure.keyvault
            filters:
              - type: firewall-bypass
                mode: equal
                list:
                    - AzureServices
    """
    schema = FirewallBypassFilter.schema(['AzureServices'])

    def _query_bypass(self, resource):
        """Return the bypass categories enabled on a Key Vault.

        :param resource: Key Vault resource dict; when it lacks ``properties``
            they are fetched through ``self.client`` and stored back on the dict.
        :returns: list of bypass names, empty when none are configured or when
            the vault has no ``networkAcls`` block at all.
        """
        # Fill in ``properties`` on demand and keep them on the resource so the
        # vault is not fetched again by later code that looks at the same dict.
        if 'properties' not in resource:
            vault = self.client.vaults.get(resource['resourceGroup'],
                                           resource['name'])
            resource['properties'] = vault.properties.serialize()

        props = resource['properties']

        # NOTE(review): a vault with no ``networkAcls`` block is reported as
        # having no bypass.  If Azure's default for an unconfigured vault
        # firewall is to allow all networks, such a vault is at least as
        # exposed as one with ``defaultAction: Allow`` — confirm this is the
        # intended result.
        if 'networkAcls' not in props:
            return []

        acls = props['networkAcls']

        # An Allow default does not restrict anything, so report the only
        # bypass this filter knows as enabled.
        if acls['defaultAction'] == 'Allow':
            return ['AzureServices']

        # The API spells the set as "A, B"; strip spaces before splitting and
        # drop the empty token an unset value would otherwise produce.
        raw = acls.get('bypass', '').replace(' ', '')
        return [token for token in raw.split(',') if token]