
databases

Sample rules

A few rules that use objects from this package:

non_car_azure_database_public_access
from typing import Dict, List

from cloudrail.knowledge.context.azure.azure_environment_context import AzureEnvironmentContext
from cloudrail.knowledge.rules.azure.azure_base_rule import AzureBaseRule
from cloudrail.knowledge.rules.base_rule import Issue
from cloudrail.knowledge.rules.rule_parameters.base_paramerter import ParameterType


class PublicAccessSqlDatabaseRule(AzureBaseRule):
    """Flag Azure SQL servers whose public network access is enabled.

    A server with ``public_network_access_enabled`` set is reachable from the
    internet rather than only through private endpoints or VNet rules, so each
    such server produces exactly one :class:`Issue`.
    """

    def get_id(self) -> str:
        """Return the rule's unique identifier."""
        return 'non_car_azure_database_public_access'

    def execute(self, env_context: AzureEnvironmentContext, parameters: Dict[ParameterType, any]) -> List[Issue]:
        """Return one Issue per SQL server that allows public network access.

        Args:
            env_context: Environment whose ``sql_servers`` are inspected.
            parameters: Rule parameters; this rule does not use any.

        Returns:
            Issues for every exposed server, in ``env_context.sql_servers`` order.
        """
        # The server is both the exposed and the violating entity of the Issue.
        return [
            Issue(
                f'~{server.get_type()}~. '
                f'{server.get_type()} with database name `{server.get_friendly_name()}` is exposed to the internet',
                server,
                server)
            for server in env_context.sql_servers
            if server.public_network_access_enabled
        ]

    def should_run_rule(self, environment_context: AzureEnvironmentContext) -> bool:
        """Run only when the environment holds at least one SQL server."""
        return bool(environment_context.sql_servers)
non_car_sql_servers_auditing_enabled
from typing import Dict, List

from cloudrail.knowledge.context.azure.azure_environment_context import AzureEnvironmentContext
from cloudrail.knowledge.rules.azure.azure_base_rule import AzureBaseRule
from cloudrail.knowledge.rules.base_rule import Issue
from cloudrail.knowledge.rules.rule_parameters.base_paramerter import ParameterType


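class EnsureSqlServerAuditEnabledRule(AzureBaseRule):
    """Require every Azure SQL server to audit with sufficient log retention.

    A server is reported when either:

    * it has no extended auditing policy, or the policy's
      ``log_monitoring_enabled`` flag is off; or
    * auditing is on but ``retention_in_days`` lies in 1..90 inclusive.

    A retention of 0 is deliberately not reported (presumably because Azure
    treats 0 as "retain indefinitely" — confirm against the provider docs).
    """

    def get_id(self) -> str:
        """Return the rule's unique identifier."""
        return 'non_car_sql_servers_auditing_enabled'

    def execute(self, env_context: AzureEnvironmentContext, parameters: Dict[ParameterType, any]) -> List[Issue]:
        """Return one Issue per SQL server whose auditing configuration is insufficient.

        Args:
            env_context: Environment whose ``sql_servers`` are inspected.
            parameters: Rule parameters; this rule does not use any.

        Returns:
            At most one Issue per server, in ``env_context.sql_servers`` order.
        """
        issues: List[Issue] = []
        for sql_server in env_context.sql_servers:
            policy = sql_server.extended_auditing_policy
            if not policy or not policy.log_monitoring_enabled:
                issues.append(
                    Issue(
                        f'The {sql_server.get_type()} `{sql_server.get_friendly_name()}` does not have auditing enabled',
                        sql_server,
                        sql_server))
            elif 0 < policy.retention_in_days <= 90:
                # Auditing is known to be enabled here, so only retention is
                # tested. NOTE: exactly 90 days is also flagged even though the
                # message says "less than 90".
                issues.append(
                    Issue(
                        f'The {sql_server.get_type()} `{sql_server.get_friendly_name()}` has auditing enabled, but for less than 90 days of retention',
                        sql_server,
                        sql_server))
        return issues

    def should_run_rule(self, environment_context: AzureEnvironmentContext) -> bool:
        """Run only when the environment holds at least one SQL server."""
        return bool(environment_context.sql_servers)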
non_car_mysql_server_enforcing_ssl
from typing import List, Dict
from cloudrail.knowledge.context.azure.azure_environment_context import AzureEnvironmentContext
from cloudrail.knowledge.rules.azure.azure_base_rule import AzureBaseRule
from cloudrail.knowledge.rules.base_rule import Issue
from cloudrail.knowledge.rules.rule_parameters.base_paramerter import ParameterType


class MySqlServerEnforcingSslRule(AzureBaseRule):
    """Flag Azure Database for MySQL servers that accept non-SSL connections.

    Without ``ssl_enforcement_enabled`` clients may connect in clear text, so
    credentials and query data are exposed on the wire.
    """

    def get_id(self) -> str:
        """Return the rule's unique identifier."""
        return 'non_car_mysql_server_enforcing_ssl'

    def execute(self, env_context: AzureEnvironmentContext, parameters: Dict[ParameterType, any]) -> List[Issue]:
        """Return one Issue per MySQL server not enforcing SSL.

        Args:
            env_context: Environment whose ``my_sql_servers`` are inspected.
            parameters: Rule parameters; this rule does not use any.
        """
        return [
            Issue(
                f'The {srv.get_type()} `{srv.get_friendly_name()}` is not enforcing SSL connections.', srv, srv)
            for srv in env_context.my_sql_servers
            if not srv.ssl_enforcement_enabled
        ]

    def should_run_rule(self, environment_context: AzureEnvironmentContext) -> bool:
        """Run only when the environment holds at least one MySQL server."""
        return bool(environment_context.my_sql_servers)
non_car_postgresql_server_enforcing_ssl
from typing import List, Dict

from cloudrail.knowledge.context.azure.azure_environment_context import AzureEnvironmentContext
from cloudrail.knowledge.rules.azure.azure_base_rule import AzureBaseRule
from cloudrail.knowledge.rules.base_rule import Issue
from cloudrail.knowledge.rules.rule_parameters.base_paramerter import ParameterType


class PostgreSqlServerEnforceSslRule(AzureBaseRule):
    """Flag Azure Database for PostgreSQL servers that accept non-SSL connections.

    Without ``ssl_enforcement_enabled`` clients may connect in clear text, so
    credentials and query data are exposed on the wire.
    """

    def get_id(self) -> str:
        """Return the rule's unique identifier."""
        return 'non_car_postgresql_server_enforcing_ssl'

    def execute(self, env_context: AzureEnvironmentContext, parameters: Dict[ParameterType, any]) -> List[Issue]:
        """Return one Issue per PostgreSQL server not enforcing SSL.

        Args:
            env_context: Environment whose ``postgresql_servers`` are inspected.
            parameters: Rule parameters; this rule does not use any.
        """
        findings: List[Issue] = []
        for pg_server in env_context.postgresql_servers:
            if pg_server.ssl_enforcement_enabled:
                continue
            message = f'The {pg_server.get_type()} `{pg_server.get_friendly_name()}` is not enforcing SSL connections.'
            findings.append(Issue(message, pg_server, pg_server))
        return findings

    def should_run_rule(self, environment_context: AzureEnvironmentContext) -> bool:
        """Run only when the environment holds at least one PostgreSQL server."""
        return bool(environment_context.postgresql_servers)

AzureSqlServer (AzureResource, IManagedIdentityResource)

Attributes:

Name Type Description
server_name str

The name of the SQL server

azuread_administrator_list Optional[List[MsSqlServerAzureAdAdministrator]]

A list (only one element is supported) of Azure AD administrators for this server.

identity_list

A list of identities (only 1 element supported) to be used by this server.

minimum_tls_version Optional[MsSqlServerMinimumTLSVersion]

The Minimum TLS Version for all SQL Database and SQL Data Warehouse databases associated with the server.

public_network_access_enabled bool

Whether public network access is allowed for this server.

primary_user_assigned_identity_id Optional[str]

Specifies the primary user managed identity id.

public_network_access_enabled bool

Indicates whether public network access is enabled.

managed_identities List[AzureManagedIdentity]

All managed identities associated with the SQL server.

user_assigned_identity_ids List[str]

List of User Assigned Identity IDs, if any associated with the SQL server.

custom_invalidation(self) inherited

A list of manual reasons why this resource should be invalidated

exclude_from_invalidation(self) inherited

A list of attributes that should be excluded from the invalidation process

MsSqlServerAzureAdAdministrator dataclass

Attributes:

Name Type Description
login_username str

The login username of the Azure AD Administrator of this SQL Server.

object_id str

The object id of the Azure AD Administrator of this SQL Server.

tenant_id str

The tenant id of the Azure AD Administrator of this SQL Server.

azuread_authentication_only bool

Specifies whether only Azure AD users and administrators can log in, or whether local database users can log in as well.

MsSqlServerConnectionPolicy (str, Enum)

An enumeration.

MsSqlServerMinimumTLSVersion (str, Enum)

An enumeration.

MsSqlServerVersion (str, Enum)

An enumeration.

AzureMySqlServer (AzureResource)

Attributes:

Name Type Description
server_name str

The name of the MySQL server.

ssl_enforcement_enabled bool

Indicates whether SSL enforcement is enabled.

custom_invalidation(self) inherited

A list of manual reasons why this resource should be invalidated

exclude_from_invalidation(self) inherited

A list of attributes that should be excluded from the invalidation process

AzureSqlServerExtendedAuditingPolicy (AzureResource)

Attributes:

Name Type Description
retention_in_days int

The number of days to retain logs for in the storage account.

log_monitoring_enabled bool

Indicates whether auditing of events is enabled.

server_id str

The ID of the SQL server in which to associate the audit policy.

custom_invalidation(self) inherited

A list of manual reasons why this resource should be invalidated

exclude_from_invalidation(self) inherited

A list of attributes that should be excluded from the invalidation process

AzurePostgreSqlServer (AzureResource)

Attributes:

Name Type Description
server_name

The name of the PostgreSQL Server.

sku_name str

The SKU name for this PostgreSQL Server.

version PostgreSqlServerVersion

The version of PostgreSQL to use.

administrator_login Optional[str]

The Administrator Login for the PostgreSQL Server.

auto_grow_enabled bool

Enable/Disable auto-growing of the storage.

backup_retention_days Optional[int]

Backup retention days for the server.

geo_redundant_backup_enabled Optional[bool]

Turn Geo-redundant server backups on/off.

identity Optional[PostgreSqlServerIdentity]

The identity used for the PostgreSQL server.

infrastructure_encryption_enabled bool

Whether or not infrastructure is encrypted for this server.

public_network_access_enabled bool

Whether or not public network access is allowed for this server.

ssl_enforcement_enabled bool

Specifies if SSL should be enforced on connections.

ssl_minimal_tls_version_enforced str

The minimum TLS version to support on the server.

storage_mb Optional[int]

Max storage allowed for a server.

custom_invalidation(self) inherited

A list of manual reasons why this resource should be invalidated

exclude_from_invalidation(self) inherited

A list of attributes that should be excluded from the invalidation process

PostgreSqlServerIdentity dataclass

Attributes:

Name Type Description
type PostgreSqlServerIdentityType

The type of identity used for the PostgreSQL server.

PostgreSqlServerIdentityType (Enum)

An enumeration.

PostgreSqlServerVersion (Enum)

An enumeration.