Policy types for @turbot/azure-sql
- Azure > SQL > Approved Regions [Default]
- Azure > SQL > Database > Active
- Azure > SQL > Database > Active > Age
- Azure > SQL > Database > Active > Last Modified
- Azure > SQL > Database > Advanced Data Security
- Azure > SQL > Database > Advanced Data Security > Threat Protection
- Azure > SQL > Database > Advanced Data Security > Threat Protection > Email Addresses
- Azure > SQL > Database > Advanced Data Security > Threat Protection > Notify Admins
- Azure > SQL > Database > Advanced Data Security > Threat Protection > Types
- Azure > SQL > Database > Advanced Data Security > Vulnerability Assessment
- Azure > SQL > Database > Advanced Data Security > Vulnerability Assessment > Periodic Scans
- Azure > SQL > Database > Advanced Data Security > Vulnerability Assessment > Periodic Scans > Email Addresses
- Azure > SQL > Database > Advanced Data Security > Vulnerability Assessment > Periodic Scans > Notify Admins
- Azure > SQL > Database > Advanced Data Security > Vulnerability Assessment > Storage Account
- Azure > SQL > Database > Approved
- Azure > SQL > Database > Approved > Custom
- Azure > SQL > Database > Approved > Regions
- Azure > SQL > Database > Approved > Usage
- Azure > SQL > Database > Auditing
- Azure > SQL > Database > Auditing > Retention Days
- Azure > SQL > Database > Auditing > Storage Account
- Azure > SQL > Database > CMDB
- Azure > SQL > Database > Encryption at Rest
- Azure > SQL > Database > Regions
- Azure > SQL > Database > Tags
- Azure > SQL > Database > Tags > Template
- Azure > SQL > Elastic Pool > Active
- Azure > SQL > Elastic Pool > Active > Age
- Azure > SQL > Elastic Pool > Active > Last Modified
- Azure > SQL > Elastic Pool > Approved
- Azure > SQL > Elastic Pool > Approved > Custom
- Azure > SQL > Elastic Pool > Approved > Regions
- Azure > SQL > Elastic Pool > Approved > Usage
- Azure > SQL > Elastic Pool > CMDB
- Azure > SQL > Elastic Pool > Regions
- Azure > SQL > Elastic Pool > Tags
- Azure > SQL > Elastic Pool > Tags > Template
- Azure > SQL > Enabled
- Azure > SQL > Permissions
- Azure > SQL > Permissions > Levels
- Azure > SQL > Permissions > Levels > Modifiers
- Azure > SQL > Regions
- Azure > SQL > Server > Active
- Azure > SQL > Server > Active > Age
- Azure > SQL > Server > Active > Last Modified
- Azure > SQL > Server > Active Directory Administrator
- Azure > SQL > Server > Active Directory Administrator > Name
- Azure > SQL > Server > Advanced Data Security
- Azure > SQL > Server > Advanced Data Security > Threat Protection
- Azure > SQL > Server > Advanced Data Security > Threat Protection > Email Addresses
- Azure > SQL > Server > Advanced Data Security > Threat Protection > Notify Admins
- Azure > SQL > Server > Advanced Data Security > Threat Protection > Types
- Azure > SQL > Server > Advanced Data Security > Vulnerability Assessment
- Azure > SQL > Server > Advanced Data Security > Vulnerability Assessment > Periodic Scans
- Azure > SQL > Server > Advanced Data Security > Vulnerability Assessment > Periodic Scans > Email Addresses
- Azure > SQL > Server > Advanced Data Security > Vulnerability Assessment > Periodic Scans > Notify Admins
- Azure > SQL > Server > Advanced Data Security > Vulnerability Assessment > Storage Account
- Azure > SQL > Server > Approved
- Azure > SQL > Server > Approved > Custom
- Azure > SQL > Server > Approved > Regions
- Azure > SQL > Server > Approved > Usage
- Azure > SQL > Server > Auditing
- Azure > SQL > Server > Auditing > Retention Days
- Azure > SQL > Server > Auditing > Storage Account
- Azure > SQL > Server > CMDB
- Azure > SQL > Server > Firewall
- Azure > SQL > Server > Firewall > IP Ranges
- Azure > SQL > Server > Firewall > IP Ranges > Approved
- Azure > SQL > Server > Firewall > IP Ranges > Approved > Compiled Rules
- Azure > SQL > Server > Firewall > IP Ranges > Approved > IP Addresses
- Azure > SQL > Server > Firewall > IP Ranges > Approved > Rules
- Azure > SQL > Server > Regions
- Azure > SQL > Server > Tags
- Azure > SQL > Server > Tags > Template
- Azure > SQL > Tags Template [Default]
- Azure > Turbot > Permissions > Compiled > Levels > @turbot/azure-sql
- Azure > Turbot > Permissions > Compiled > Service Permissions > @turbot/azure-sql
Azure > SQL > Approved Regions [Default]
A list of Azure regions in which Azure SQL resources are approved for use.
The expected format is an array of region names. You may use the '*' and '?' wildcard characters.
This policy is the default value for all Azure SQL resources' Approved > Regions policies.
tmod:@turbot/azure-sql#/policy/types/sqlApprovedRegionsDefault
"{\n regions: policyValue(uri:\"tmod:@turbot/azure#/policy/types/approvedRegionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
Azure > SQL > Database > Active
Determine the action to take when an Azure SQL database is not active, based on the Azure > SQL > Database > Active > * policies.
The control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (Azure > SQL > Database > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note: This is in contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/azure-sql#/policy/types/databaseActive
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
Azure > SQL > Database > Active > Age
The age after which the Azure SQL database is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (Azure > SQL > Database > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note: This is in contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/azure-sql#/policy/types/databaseActiveAge
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
Azure > SQL > Database > Active > Last Modified
The number of days since the Azure SQL database was last modified before it is considered inactive.
The Active control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (Azure > SQL > Database > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note: This is in contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
tmod:@turbot/azure-sql#/policy/types/databaseActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
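As an added illustration (not code from the @turbot/azure-sql mod), the following Python sketches how the Active > Age and Active > Last Modified policy values above can be evaluated for a resource and combined under the rule that any "active" result wins; the same logic applies to the Elastic Pool Active policies. The precedence given to "Force ..." values, the tie-break when forced results conflict, and the database records are assumptions and constructed sample data.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample data (not real Azure resources). Times are relative to a fixed
# "now" so the example is deterministic.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

DATABASES = {
    "db-fresh":        {"created": NOW - timedelta(days=10),  "modified": NOW - timedelta(days=2)},
    "db-stale":        {"created": NOW - timedelta(days=400), "modified": NOW - timedelta(days=200)},
    "db-old-but-busy": {"created": NOW - timedelta(days=400), "modified": NOW - timedelta(days=1)},
    # No create time: per the Age policy text, the Guardrails discovery time is used instead.
    "db-undated":      {"created": None, "discovered": NOW - timedelta(days=100),
                        "modified": NOW - timedelta(days=100)},
}

# The enum strings of the three policies, parsed for their day counts.
AGE_RE = re.compile(r"^Force inactive if age > (\d+) days?$")
MODIFIED_RE = re.compile(r"^(Force active|Active) if last modified <= (\d+) days?$")
DELETE_RE = re.compile(r"^Enforce: Delete inactive with (\d+) days? warning$")


def age_status(policy, resource, now=NOW):
    """Active > Age sub-policy. Returns (status, forced)."""
    if policy == "Skip":
        return "skipped", False
    limit = int(AGE_RE.match(policy).group(1))
    created = resource["created"] or resource["discovered"]
    age_days = (now - created).days
    # Assumption: "Force inactive" overrides an 'active' result from another sub-policy.
    return ("inactive", True) if age_days > limit else ("active", False)


def last_modified_status(policy, resource, now=NOW):
    """Active > Last Modified sub-policy. Returns (status, forced)."""
    if policy == "Skip":
        return "skipped", False
    m = MODIFIED_RE.match(policy)
    forced = m.group(1) == "Force active"
    limit = int(m.group(2))
    idle_days = (now - resource["modified"]).days
    return ("active", forced) if idle_days <= limit else ("inactive", False)


def combine_active(results):
    """Combine sub-policy results: any 'active' wins unless a sub-policy forced a result.
    Assumption: if forced results conflict, 'active' wins, so a resource one policy still
    deems in use is never queued for deletion by another."""
    forced = {status for status, is_forced in results if is_forced}
    if "active" in forced:
        return "active"
    if "inactive" in forced:
        return "inactive"
    statuses = {status for status, _ in results}
    if "active" in statuses:
        return "active"
    if "inactive" in statuses:
        return "inactive"
    return "skipped"


def evaluate_active(age_policy, modified_policy, resource, now=NOW):
    """Combined Active status for one resource from its Age and Last Modified policies."""
    return combine_active([
        age_status(age_policy, resource, now),
        last_modified_status(modified_policy, resource, now),
    ])


def active_action(active_policy, status):
    """Map the Azure > SQL > Database > Active policy value plus a combined status to the
    action the control takes: ('skip' | 'ok' | 'alarm' | 'delete', warning_days)."""
    if active_policy == "Skip" or status == "skipped":
        return "skip", None
    if status == "active":
        return "ok", None
    if active_policy == "Check: Active":
        return "alarm", None
    m = DELETE_RE.match(active_policy)
    if not m:
        raise ValueError(f"unknown Active policy value: {active_policy!r}")
    return "delete", int(m.group(1))


if __name__ == "__main__":
    for name, db in DATABASES.items():
        status = evaluate_active("Force inactive if age > 90 days",
                                 "Active if last modified <= 30 days", db)
        print(name, status, active_action("Enforce: Delete inactive with 30 days warning", status))
```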
Azure > SQL > Database > Advanced Data Security
Define the advanced data security settings required for Azure > SQL > Database.
Advanced data security for SQL Database includes functionality for surfacing and mitigating potential database vulnerabilities and detecting anomalous activities that could indicate a threat to your database. The Advanced data security package provides administrators with a single go-to location for discovering and classifying data, assessing and addressing potential database vulnerabilities, and visibility into anomalous and potentially malicious activity that is taking place.
Data security can be defined for a specific database or as a default server policy. A server policy applies to all existing and newly created databases on the server. Azure recommends enabling only server-level data security and leaving the database-level data security disabled for all databases.
The Advanced data security control compares the vulnerability assessment and threat protection settings against the advanced data security policies for the resource (Azure > SQL > Database > Advanced Data Security > *), raises an alarm, and takes the defined enforcement action.
tmod:@turbot/azure-sql#/policy/types/databaseDataSecurity
[ "Skip", "Check: Disabled", "Check: Enabled", "Enforce: Disabled", "Enforce: Enabled"]
{ "type": "string", "enum": [ "Skip", "Check: Disabled", "Check: Enabled", "Enforce: Disabled", "Enforce: Enabled" ], "example": [ "Skip" ], "default": "Skip"}
Azure > SQL > Database > Advanced Data Security > Threat Protection
tmod:@turbot/azure-sql#/policy/types/databaseThreatProtection
Azure > SQL > Database > Advanced Data Security > Threat Protection > Email Addresses
Define the email addresses to receive an email notification upon detection of anomalous database activities.
The email provides information on the suspicious security event including the nature of the anomalous activities,
database name, server name, application name, and the event time. In addition, the email provides information on
possible causes and recommended actions to investigate and mitigate the potential threat to the database.
tmod:@turbot/azure-sql#/policy/types/databaseThreatProtectionEmailAddresses
{ "type": "array", "items": { "type": "string", "pattern": "[^\\s@]+@[^\\s@]+\\.[^\\s@]+$", "minLength": 6, "maxLength": 254 }, "default": []}
Azure > SQL > Database > Advanced Data Security > Threat Protection > Notify Admins
Notify account administrators upon detection of anomalous database activities. The email provides information on the suspicious
security event including the nature of the anomalous activities, database name, server name, application name,
and the event time. In addition, the email provides information on possible causes and recommended actions to
investigate and mitigate the potential threat to the database.
tmod:@turbot/azure-sql#/policy/types/databaseThreatProtectionNotifyAdmins
[ "Disabled", "Enabled"]
{ "type": "string", "enum": [ "Disabled", "Enabled" ], "default": "Enabled"}
Azure > SQL > Database > Advanced Data Security > Threat Protection > Types
Define the threat protection types for the Azure SQL database. Advanced threat protection for the Azure SQL database detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit databases, and can trigger the alert types listed in the policy schema below.
tmod:@turbot/azure-sql#/policy/types/databaseThreatProtectionTypes
{ "type": "array", "items": { "type": "string", "enum": [ "SQL Injection", "SQL Injection Vulnerability", "Data Exfiltration", "Unsafe Action", "Access Anomaly", "Brute Force" ] }, "default": [ "SQL Injection", "SQL Injection Vulnerability", "Data Exfiltration", "Unsafe Action", "Access Anomaly", "Brute Force" ]}
Azure > SQL > Database > Advanced Data Security > Vulnerability Assessment
tmod:@turbot/azure-sql#/policy/types/databaseVulnerabilityAssessment
Azure > SQL > Database > Advanced Data Security > Vulnerability Assessment > Periodic Scans
The periodic recurring scan setting configures vulnerability assessment to automatically run a scan on your database once per week.
tmod:@turbot/azure-sql#/policy/types/databaseVulnerabilityAssessmentPeriodicScans
[ "Disabled", "Enabled"]
{ "type": "string", "enum": [ "Disabled", "Enabled" ], "default": "Disabled"}
Azure > SQL > Database > Advanced Data Security > Vulnerability Assessment > Periodic Scans > Email Addresses
Define the email addresses to receive an email notification of scan result summary.
tmod:@turbot/azure-sql#/policy/types/databaseVulnerabilityAssessmentEmailAddresses
{ "type": "array", "items": { "type": "string", "pattern": "[^\\s@]+@[^\\s@]+\\.[^\\s@]+$", "minLength": 6, "maxLength": 254 }, "default": []}
Azure > SQL > Database > Advanced Data Security > Vulnerability Assessment > Periodic Scans > Notify Admins
Define whether the scheduled scan notification will be sent to the subscription administrators.
tmod:@turbot/azure-sql#/policy/types/databaseVulnerabilityAssessmentNotifyAdmins
[ "Disabled", "Enabled"]
{ "type": "string", "enum": [ "Disabled", "Enabled" ], "default": "Disabled"}
Azure > SQL > Database > Advanced Data Security > Vulnerability Assessment > Storage Account
Define the storage account where scan results for the database will be stored.
The storage account name is required. If the container name is not specified, then vulnerability-assessment is taken as the default.
Example:
- teststorageaccount
- teststorageaccount/containername
Note: To avoid cross-region reads/writes of audit records, Azure highly recommends using a storage account and server located in the same region.
tmod:@turbot/azure-sql#/policy/types/databaseVulnerabilityAssessmentStorageAccount
{ "type": "string", "pattern": "^[a-z0-9]{3,24}(\\/[a-z0-9-]{3,24})?$", "example": "teststorageaccount/container-name", "default": "", "tests": [ { "input": "teststorageaccount/container-name" }, { "input": "teststorageaccount/containername" }, { "input": "teststorageaccount" } ]}
Azure > SQL > Database > Approved
Determine the action to take when an Azure SQL database is not approved based on Azure > SQL > Database > Approved > *
policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify if new, e.g., Enforce: Delete unapproved if new, this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/azure-sql#/policy/types/databaseApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
Azure > SQL > Database > Approved > Custom
Determine whether the Azure SQL database is allowed to exist.
This policy will be evaluated by the Approved control. If an Azure SQL database is not approved, it will be subject to the action specified in the Azure > SQL > Database > Approved
policy.
See Approved for more information.
Note: The policy value must be a string with a value of Approved, Not approved or Skip, or in the form of YAML objects. The object(s) must contain the key result with its value as Approved or Not approved. A custom title and message can also be added using the keys title and message respectively.
tmod:@turbot/azure-sql#/policy/types/databaseApprovedCustom
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
Azure > SQL > Database > Approved > Regions
A list of Azure regions in which Azure SQL databases are approved for use.
The expected format is an array of region names. You may use the '*' and '?' wildcard characters.
This policy will be evaluated by the Approved control. If an Azure SQL database is created in a region that is not in the approved list, it will be subject to the action specified in the Azure > SQL > Database > Approved
policy.
See Approved for more information.
tmod:@turbot/azure-sql#/policy/types/databaseApprovedRegions
"{\n regions: policyValue(uri:\"tmod:@turbot/azure-sql#/policy/types/sqlApprovedRegionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
Azure > SQL > Database > Approved > Usage
Determine whether the Azure SQL database is allowed to exist.
This policy will be evaluated by the Approved control. If an Azure SQL database is not approved, it will be subject to the action specified in the Azure > SQL > Database > Approved
policy.
See Approved for more information.
tmod:@turbot/azure-sql#/policy/types/databaseApprovedUsage
[ "Not approved", "Approved", "Approved if Azure > SQL > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if Azure > SQL > Enabled" ], "example": [ "Not approved" ], "default": "Approved if Azure > SQL > Enabled"}
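As an added example (not the mod's own code), this Python evaluates the Approved > Regions, Usage and Custom sub-policies above and combines them with the rule the Active sections contrast them with: a single Not approved decides, and "Delete unapproved if new" only applies to resources created within the last 60 minutes. The boolean `sql_enabled` standing in for Azure > SQL > Enabled, the treatment of an empty region list, and all inputs are assumptions or constructed data.

```python
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase

NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for determinism
RESULTS = ("Approved", "Not approved", "Skip")


def minutes_ago(minutes, now=NOW):
    """Helper to build a constructed resource create time."""
    return now - timedelta(minutes=minutes)


def regions_status(approved_regions, region):
    """Approved > Regions: the region must match one entry; '*' and '?' are wildcards.
    Assumption: an empty approved list approves nothing."""
    matched = any(fnmatchcase(region, pattern) for pattern in approved_regions)
    return "Approved" if matched else "Not approved"


def usage_status(policy, sql_enabled):
    """Approved > Usage. `sql_enabled` stands in for the Azure > SQL > Enabled policy
    (assumed boolean here)."""
    if policy == "Approved if Azure > SQL > Enabled":
        return "Approved" if sql_enabled else "Not approved"
    if policy in ("Approved", "Not approved"):
        return policy
    raise ValueError(f"unknown Usage policy value: {policy!r}")


def custom_statuses(value):
    """Approved > Custom: a bare string, one YAML object, or a list of objects, each with a
    required 'result' and optional 'title' (<=32 chars) and 'message' (<=128 chars), as the
    policy schema constrains them. Returns the list of result strings."""
    if isinstance(value, str):
        items = [{"result": value}]
    elif isinstance(value, dict):
        items = [value]
    elif isinstance(value, list):
        items = value
    else:
        raise ValueError("custom value must be a string, an object or a list of objects")
    results = []
    for item in items:
        if not isinstance(item, dict) or set(item) - {"result", "title", "message"}:
            raise ValueError(f"unexpected keys in {item!r}")
        if item.get("result") not in RESULTS:
            raise ValueError(f"invalid result in {item!r}")
        if not 1 <= len(item.get("title", "x")) <= 32 or not 1 <= len(item.get("message", "x")) <= 128:
            raise ValueError(f"title/message length out of range in {item!r}")
        results.append(item["result"])
    return results


def combine_approved(statuses):
    """Unlike Active, a single 'Not approved' makes the resource Not approved."""
    if "Not approved" in statuses:
        return "Not approved"
    if "Approved" in statuses:
        return "Approved"
    return "Skip"


def evaluate_approved(approved_regions, region, usage_policy, sql_enabled, custom_value):
    """Combined Approved status from the Regions, Usage and Custom sub-policies."""
    statuses = [regions_status(approved_regions, region), usage_status(usage_policy, sql_enabled)]
    statuses.extend(custom_statuses(custom_value))
    return combine_approved(statuses)


def approved_action(approved_policy, status, created, now=NOW):
    """Azure > SQL > Database > Approved: 'Enforce: Delete unapproved if new' deletes only
    resources created within the last 60 minutes; older unapproved ones raise the alarm."""
    if approved_policy == "Skip" or status == "Skip":
        return "skip"
    if status == "Approved":
        return "ok"
    if approved_policy == "Enforce: Delete unapproved if new" and now - created <= timedelta(minutes=60):
        return "delete"
    return "alarm"


if __name__ == "__main__":
    status = evaluate_approved(["eastus", "westus*"], "northeurope",
                               "Approved if Azure > SQL > Enabled", True, "Skip")
    print(status, approved_action("Enforce: Delete unapproved if new", status, minutes_ago(30)))
```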
Azure > SQL > Database > Auditing
Define the Auditing settings required for Azure > SQL > Database.
Auditing for Azure SQL Database tracks database events and writes them to an audit log in your Azure Storage account, Log Analytics workspace or Event Hubs. This control determines whether the resource's auditing is set to your desired Azure Storage account with the desired retention days.
An auditing policy can be defined for a specific database or as a default server policy. A server policy applies to all existing and newly created databases on the server. Azure recommends enabling only server-level blob auditing and leaving the database-level auditing disabled for all databases.
The Auditing control compares the auditing settings against the auditing policies for the resource (Azure > SQL > Database > Auditing > *), raises an alarm, and takes the defined enforcement action.
tmod:@turbot/azure-sql#/policy/types/databaseAuditing
[ "Skip", "Check: Disabled", "Check: Enabled", "Enforce: Disabled", "Enforce: Enabled"]
{ "type": "string", "enum": [ "Skip", "Check: Disabled", "Check: Enabled", "Enforce: Disabled", "Enforce: Enabled" ], "example": [ "Skip" ], "default": "Skip"}
Azure > SQL > Database > Auditing > Retention Days
Define the number of days to keep audit logs in the storage account.
Note: Setting the policy to 0 will set the retention to infinity, i.e. audit logs are retained indefinitely.
tmod:@turbot/azure-sql#/policy/types/databaseAuditingRetentionDays
{ "type": "number", "minimum": 0, "maximum": 3285, "default": 90}
Azure > SQL > Database > Auditing > Storage Account
Define the storage account for database audit logs.
The storage account name or primary blob endpoint is required.
Premium storage accounts and storage accounts with a hierarchical namespace (Azure Data Lake Storage Gen2) are currently not supported.
Any of these examples are valid:
- teststorageaccount
- https://teststorageaccount.blob.core.windows.net/
- https://teststorageaccount.blob.core.usgovcloudapi.net/
- https://teststorageaccount.blob.core.chinacloudapi.cn/
Note: To avoid cross-region reads/writes of audit records, Azure highly recommends using a storage account and server located in the same region.
tmod:@turbot/azure-sql#/policy/types/databaseAuditingStorageAccount
{ "type": "string", "pattern": "^(https://[a-z0-9]{3,24}\\.blob\\.core\\.windows\\.net/|https://[a-z0-9]{3,24}\\.blob\\.core\\.usgovcloudapi\\.net/|https://[a-z0-9]{3,24}\\.blob\\.core\\.chinacloudapi\\.cn/|[a-z0-9]{3,24})$", "example": "https://sqlva5njk5n7qwh4my.blob.core.windows.net/", "default": ""}
Azure > SQL > Database > CMDB
Configure whether to record and synchronize details for the Azure SQL database into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
CMDB controls also use the Regions policy associated with the resource. If the region is not in the Azure > SQL > Database > Regions policy, the CMDB control will delete the resource from the CMDB.
(Note: Setting CMDB to "Skip" will also pause these changes.)
tmod:@turbot/azure-sql#/policy/types/databaseCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Enabled if SQL provider is Registered", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Enabled if SQL provider is Registered", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled if SQL provider is Registered"}
Azure > SQL > Database > Encryption at Rest
Define the Encryption at Rest settings required for Azure > SQL > Database.
Encryption at Rest refers specifically to the encryption of data when written to an underlying storage system. This control determines whether the resource is encrypted at rest, and sets encryption.
The Encryption at Rest control compares the encryption settings against the encryption policies for the resource (Azure > SQL > Database > Encryption at Rest), raises an alarm, and takes the defined enforcement action.
tmod:@turbot/azure-sql#/policy/types/databaseEncryptionAtRest
[ "Skip", "Check: Enabled", "Check: Disabled", "Enforce: Enabled", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Check: Enabled", "Check: Disabled", "Enforce: Enabled", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Skip"}
Azure > SQL > Database > Regions
A list of Azure regions in which Azure SQL databases are supported for use. Any databases in a region not listed here will not be recorded in the CMDB.
The expected format is an array of region names. You may use the '*' and '?' wildcard characters.
tmod:@turbot/azure-sql#/policy/types/databaseRegions
"{\n regions: policyValue(uri:\"tmod:@turbot/azure-sql#/policy/types/sqlRegionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
Azure > SQL > Database > Tags
Determine the action to take when the tags of an Azure SQL database are not updated based on the Azure > SQL > Database > Tags > * policies.
The control ensures Azure SQL database tags include the tags defined in Azure > SQL > Database > Tags > Template.
Tags not defined in the Database Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/azure-sql#/policy/types/databaseTags
[ "Skip", "Check: Tags are correct", "Enforce: Set tags"]
{ "type": "string", "enum": [ "Skip", "Check: Tags are correct", "Enforce: Set tags" ], "example": [ "Check: Tags are correct" ], "default": "Skip"}
Azure > SQL > Database > Tags > Template
The template is used to generate the tag keys and values for the Azure SQL database.
Tags not defined in the Database Tags Template will not be modified or deleted. Setting a tag value to undefined will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/azure-sql#/policy/types/databaseTagsTemplate
[ "{\n subscription {\n turbot {\n id\n }\n }\n}\n", "{\n defaultTags: policyValue(uri:\"tmod:@turbot/azure-sql#/policy/types/sqlTagsTemplate\" resourceId: \"{{ $.subscription.turbot.id }}\") {\n value\n }\n}\n"]
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"
Azure > SQL > Elastic Pool > Active
Determine the action to take when an Azure SQL elastic pool is not active, based on the Azure > SQL > Elastic Pool > Active > * policies.
The control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (Azure > SQL > Elastic Pool > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note: This is in contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/azure-sql#/policy/types/elasticPoolActive
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
Azure > SQL > Elastic Pool > Active > Age
The age after which the Azure SQL elastic pool is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active control determines whether the resource is in active use, and if not, has the ability to delete / clean up the resource. When running an automated compliance environment, it's common to end up with a wide range of alarms that are difficult and time consuming to clear. The Active control brings automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the resource (Azure > SQL > Elastic Pool > Active > *), raises an alarm, and takes the defined enforcement action. Each Active sub-policy can calculate a status of active, inactive or skipped. Generally, if the resource appears to be Active for any reason it will be considered Active.
Note: This is in contrast with Approved, where if the resource appears to be Unapproved for any reason it will be considered Unapproved.
See Active for more information.
tmod:@turbot/azure-sql#/policy/types/elasticPoolActiveAge
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
Azure > SQL > Elastic Pool > Active > Last Modified
The number of days since the Azure SQL elastic pool was last modified before it is considered
inactive.
The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (Azure > SQL > Elastic Pool > Active > *
), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note: This is the opposite of the Approved control, where a resource that appears to be
Unapproved for any reason is considered Unapproved.
tmod:@turbot/azure-sql#/policy/types/elasticPoolActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
Azure > SQL > Elastic Pool > Approved
Determine the action to take when an Azure SQL elastic pool is not approved based on Azure > SQL > Elastic Pool > Approved > *
policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify if new
, e.g., Enforce: Delete unapproved if new
, this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/azure-sql#/policy/types/elasticPoolApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
Azure > SQL > Elastic Pool > Approved > Custom
Determine whether the Azure SQL elastic pool is allowed to exist.
This policy will be evaluated by the Approved control. If an Azure SQL elastic pool is not approved, it will be subject to the action specified in the Azure > SQL > Elastic Pool > Approved
policy.
See Approved for more information.
Note: The policy value must be a string with a value of Approved
, Not approved
or Skip
, or in the form of YAML objects. The object(s) must contain the key result
with its value as Approved
or Not approved
. A custom title and message can also be added using the keys title
and message
respectively.
tmod:@turbot/azure-sql#/policy/types/elasticPoolApprovedCustom
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
Azure > SQL > Elastic Pool > Approved > Regions
A list of Azure regions in which Azure SQL elastic pools are approved for use.
The expected format is an array of region names. You may use the '*' and '?' wildcard characters.
This policy will be evaluated by the Approved control. If an Azure SQL elastic pool is created in a region that is not in the approved list, it will be subject to the action specified in the Azure > SQL > Elastic Pool > Approved
policy.
See Approved for more information.
tmod:@turbot/azure-sql#/policy/types/elasticPoolApprovedRegions
"{\n regions: policyValue(uri:\"tmod:@turbot/azure-sql#/policy/types/sqlApprovedRegionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
Azure > SQL > Elastic Pool > Approved > Usage
Determine whether the Azure SQL elastic pool is allowed to exist.
This policy will be evaluated by the Approved control. If an Azure SQL elastic pool is not approved, it will be subject to the action specified in the Azure > SQL > Elastic Pool > Approved
policy.
See Approved for more information.
tmod:@turbot/azure-sql#/policy/types/elasticPoolApprovedUsage
[ "Not approved", "Approved", "Approved if Azure > SQL > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if Azure > SQL > Enabled" ], "example": [ "Not approved" ], "default": "Approved if Azure > SQL > Enabled"}
Azure > SQL > Elastic Pool > CMDB
Configure whether to record and synchronize details for the Azure SQL elastic pool into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip then all changes to the CMDB are paused - no new resources will be discovered, no updates will be made and deleted resources will not be removed.
To cleanup resources and stop tracking changes, set this policy to "Enforce: Disabled".
CMDB controls also use the Regions policy associated with the resource. If region is not in Azure > SQL > Elastic Pool > Regions
policy, the CMDB control will delete the resource from the CMDB.
(Note: Setting CMDB to "Skip" will also pause these changes.)
tmod:@turbot/azure-sql#/policy/types/elasticPoolCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Enabled if SQL provider is Registered", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Enabled if SQL provider is Registered", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled if SQL provider is Registered"}
Azure > SQL > Elastic Pool > Regions
A list of Azure regions in which Azure SQL elastic pools are supported for use.
Any elastic pools in a region not listed here will not be recorded in CMDB.
The expected format is an array of region names. You may use the '*' and
'?' wildcard characters.
tmod:@turbot/azure-sql#/policy/types/elasticPoolRegions
"{\n regions: policyValue(uri:\"tmod:@turbot/azure-sql#/policy/types/sqlRegionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
Azure > SQL > Elastic Pool > Tags
Determine the action to take when an Azure SQL elastic pool's tags are not updated based on the Azure > SQL > Elastic Pool > Tags > *
policies.
The control ensures the Azure SQL elastic pool tags include the tags defined in Azure > SQL > Elastic Pool > Tags > Template
.
Tags not defined in the Elastic Pool Tags Template will not be modified or deleted. Setting a tag value to undefined
will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/azure-sql#/policy/types/elasticPoolTags
[ "Skip", "Check: Tags are correct", "Enforce: Set tags"]
{ "type": "string", "enum": [ "Skip", "Check: Tags are correct", "Enforce: Set tags" ], "example": [ "Check: Tags are correct" ], "default": "Skip"}
Azure > SQL > Elastic Pool > Tags > Template
The template is used to generate the tag keys and values for the Azure SQL elastic pool.
Tags not defined in Elastic Pool Tags Template will not be modified or deleted. Setting a tag value to undefined
will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/azure-sql#/policy/types/elasticPoolTagsTemplate
[ "{\n subscription {\n turbot {\n id\n }\n }\n}\n", "{\n defaultTags: policyValue(uri:\"tmod:@turbot/azure-sql#/policy/types/sqlTagsTemplate\" resourceId: \"{{ $.subscription.turbot.id }}\") {\n value\n }\n}\n"]
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"
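The Tags and Tags > Template policies above describe a merge, not an overwrite: keys in the template are set or (for undefined) deleted, and every other tag on the pool is left alone. The following is an added example, not code from the page or from Guardrails, that computes the set/delete plan for a pool. It assumes the rendered template has already been flattened to a Python dict (a YAML `undefined` value arrives as None; the literal string "undefined" is accepted as well, which is an assumption), and it matches existing tag names case-insensitively because Azure treats tag names that way.

```python
from typing import Dict, Optional

# Documented: a template value of undefined deletes the tag. After YAML parsing that
# is None here; the literal string "undefined" is also accepted (assumption).
DELETE_MARKERS = (None, "undefined")


def plan_tag_changes(current: Dict[str, str], template: Dict[str, Optional[str]]) -> dict:
    """Work out the set/delete operations that bring `current` in line with `template`.

    Keys absent from the template are left alone (documented). Azure tag names are
    case-insensitive, so an existing tag is matched to a template key ignoring case
    and keeps its stored spelling when its value is updated.
    """
    by_lower = {k.lower(): k for k in current}
    to_set, to_delete = {}, []
    for key, value in template.items():
        existing = by_lower.get(key.lower())
        if value in DELETE_MARKERS:
            if existing is not None:
                to_delete.append(existing)
        elif existing is None:
            to_set[key] = value
        elif current[existing] != value:
            to_set[existing] = value
    return {"set": to_set, "delete": to_delete}


def tags_control(policy: str, current: Dict[str, str], template: Dict[str, Optional[str]]) -> dict:
    """Apply the Azure > SQL > Elastic Pool > Tags policy value to the plan."""
    if policy == "Skip":
        return {"status": "skipped", "apply": False, "plan": None}
    plan = plan_tag_changes(current, template)
    correct = not plan["set"] and not plan["delete"]
    status = "ok" if correct else "alarm"
    if policy == "Check: Tags are correct":
        return {"status": status, "apply": False, "plan": plan}
    if policy == "Enforce: Set tags":
        return {"status": status, "apply": not correct, "plan": plan}
    raise ValueError(f"unrecognised Tags value: {policy!r}")


def apply_plan(current: Dict[str, str], plan: dict) -> Dict[str, str]:
    """Return the tag set the pool would carry after the plan is applied."""
    result = {k: v for k, v in current.items() if k not in plan["delete"]}
    result.update(plan["set"])
    return result


def demo() -> dict:
    # Constructed current tags on a pool and a constructed, already rendered template.
    current = {"Environment": "dev", "owner": "alice", "temp": "yes", "CostCenter": "1234"}
    template = {"environment": "prod", "Owner": "alice", "temp": None, "Team": "dba"}
    outcome = tags_control("Enforce: Set tags", current, template)
    after = apply_plan(current, outcome["plan"])
    # A second pass must find nothing to do, otherwise the control would flap.
    converged = tags_control("Check: Tags are correct", after, template)["status"] == "ok"
    return {"plan": outcome["plan"], "after": after, "converged": converged}


if __name__ == "__main__":
    print(demo())
```

In the constructed run the pool keeps CostCenter (not in the template), has Environment changed to prod under its existing spelling, loses temp, gains Team, and a re-check of the result reports the tags as correct.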
Azure > SQL > Enabled
Enable Azure SQL service.
tmod:@turbot/azure-sql#/policy/types/sqlEnabled
[ "Enabled", "Enabled: Metadata Only", "Disabled"]
{ "type": "string", "enum": [ "Enabled", "Enabled: Metadata Only", "Disabled" ], "example": [ "Enabled" ], "default": "Disabled"}
Azure > SQL > Permissions
Configure whether permissions policies are in effect for Azure SQL.
This setting does not affect Subscription level permissions (Azure/Admin, Azure/Owner, etc.).
tmod:@turbot/azure-sql#/policy/types/sqlPermissions
[ "Enabled", "Disabled", "Enabled if Azure > SQL > Enabled"]
{ "type": "string", "enum": [ "Enabled", "Disabled", "Enabled if Azure > SQL > Enabled" ], "example": [ "Enabled" ], "default": "Enabled if Azure > SQL > Enabled"}
Azure > SQL > Permissions > Levels
Define the permissions levels that can be used to grant access to Azure SQL in an
Azure Subscription. Permissions levels defined will appear in the UI to assign
access to Guardrails users.
tmod:@turbot/azure-sql#/policy/types/sqlPermissionsLevels
[ "{\n item: subscription {\n turbot{\n id\n }\n }\n}\n", "{\n availableLevels: policyValues(filter:\"policyTypeLevel:self resourceId:{{ $.item.turbot.id }} policyTypeId:'tmod:@turbot/azure-iam#/policy/types/permissionsLevelsDefault'\") {\n items {\n value\n }\n }\n}\n"]
"{% if $.availableLevels.items[0].value | length == 0 %} [] {% endif %}{% for item in $.availableLevels.items[0].value %}- {{ item }}\n{% endfor %}"
{ "type": "array", "items": { "type": "string", "enum": [ "User", "Metadata", "ReadOnly", "Operator", "Admin", "Owner" ] }}
Azure > SQL > Permissions > Levels > Modifiers
A map of Azure API operations to Guardrails Permission Levels, used to customize Guardrails'
standard permissions. You can add, remove or redefine the mapping of
Azure API operations to Guardrails permissions levels here.
example:
 - "Microsoft.SQL/SQL/delete": operator
 - "Microsoft.SQL/SQL/write": admin
 - "Microsoft.SQL/SQL/read": readonly
tmod:@turbot/azure-sql#/policy/types/sqlPermissionsLevelsModifiers
Azure > SQL > Regions
A list of Azure regions in which Azure SQL resources are supported for use.
The expected format is an array of region names. You may use the '*' and
'?' wildcard characters.
This policy is the default value for all Azure SQL resources' Regions policies.
tmod:@turbot/azure-sql#/policy/types/sqlRegionsDefault
"{\n regions: policyValue(uri:\"tmod:@turbot/azure#/policy/types/regionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
Azure > SQL > Server > Active
Determine the action to take when an Azure SQL server is not active, based on the Azure > SQL > Server > Active > *
policies.
The control determines whether the resource is in active use, and if not,
has the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (Azure > SQL > Server > Active > *
), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note: This is the opposite of the Approved control, where a resource that appears to be
Unapproved for any reason is considered Unapproved.
See Active for more information.
tmod:@turbot/azure-sql#/policy/types/serverActive
[ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning"]
{ "type": "string", "enum": [ "Skip", "Check: Active", "Enforce: Delete inactive with 1 day warning", "Enforce: Delete inactive with 3 days warning", "Enforce: Delete inactive with 7 days warning", "Enforce: Delete inactive with 14 days warning", "Enforce: Delete inactive with 30 days warning", "Enforce: Delete inactive with 60 days warning", "Enforce: Delete inactive with 90 days warning", "Enforce: Delete inactive with 180 days warning", "Enforce: Delete inactive with 365 days warning" ], "example": [ "Check: Active" ], "default": "Skip"}
Azure > SQL > Server > Active > Age
The age after which the Azure SQL server
is no longer considered active. If a create time is unavailable, the time Guardrails discovered the resource is used.
The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (Azure > SQL > Server > Active > *
),
raises an alarm, and takes the defined enforcement action. Each Active
sub-policy can calculate a status of active, inactive or skipped. Generally,
if the resource appears to be Active for any reason it will be considered Active.
Note: This is the opposite of the Approved control, where a resource that appears to be Unapproved
for any reason is considered Unapproved.
See Active for more information.
tmod:@turbot/azure-sql#/policy/types/serverActiveAge
[ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days"]
{ "type": "string", "enum": [ "Skip", "Force inactive if age > 1 day", "Force inactive if age > 3 days", "Force inactive if age > 7 days", "Force inactive if age > 14 days", "Force inactive if age > 30 days", "Force inactive if age > 60 days", "Force inactive if age > 90 days", "Force inactive if age > 180 days", "Force inactive if age > 365 days" ], "example": [ "Force inactive if age > 90 days" ], "default": "Skip"}
Azure > SQL > Server > Active > Last Modified
The number of days since the Azure SQL server was last modified before it is considered
inactive.
The Active
control determines whether the resource is in active use, and if not, has
the ability to delete / cleanup the resource. When running an automated
compliance environment, it's common to end up with a wide range of alarms
that are difficult and time consuming to clear. The Active control brings
automated, well-defined control to this process.
The Active control checks the status of all defined Active policies for the
resource (Azure > SQL > Server > Active > *
), raises an alarm, and takes the defined enforcement
action. Each Active sub-policy can calculate a status of active, inactive
or skipped. Generally, if the resource appears to be Active for any reason
it will be considered Active.
Note: This is the opposite of the Approved control, where a resource that appears to be
Unapproved for any reason is considered Unapproved.
tmod:@turbot/azure-sql#/policy/types/serverActiveLastModified
[ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days"]
{ "type": "string", "enum": [ "Skip", "Active if last modified <= 1 day", "Active if last modified <= 3 days", "Active if last modified <= 7 days", "Active if last modified <= 14 days", "Active if last modified <= 30 days", "Active if last modified <= 60 days", "Active if last modified <= 90 days", "Active if last modified <= 180 days", "Active if last modified <= 365 days", "Force active if last modified <= 1 day", "Force active if last modified <= 3 days", "Force active if last modified <= 7 days", "Force active if last modified <= 14 days", "Force active if last modified <= 30 days", "Force active if last modified <= 60 days", "Force active if last modified <= 90 days", "Force active if last modified <= 180 days", "Force active if last modified <= 365 days" ], "example": [ "Active if last modified <= 90 days" ], "default": "Skip"}
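The Active, Active > Age and Active > Last Modified policies (both the Elastic Pool and the Server variants above) describe an evaluation in two steps: each sub-policy yields active, inactive or skipped, and the Active control combines them and acts. The following is an added example, not code from the page or from Guardrails, that parses the policy values exactly as they appear in the enums and applies the two documented rules: a resource that appears active for any reason is active, and when no create time is known the discovery time is used. Everything about how "Force" verdicts resolve is an assumption and is marked as such in the comments.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Value formats copied from the Age, Last Modified and Active enums on this page.
AGE_RE = re.compile(r"^Force inactive if age > (\d+) days?$")
MODIFIED_RE = re.compile(r"^(Force )?[Aa]ctive if last modified <= (\d+) days?$")
ENFORCE_RE = re.compile(r"^Enforce: Delete inactive with (\d+) days? warning$")

Status = Tuple[str, bool]  # ("active" | "inactive" | "skipped", forced)


def age_status(policy: str, created_at: Optional[datetime],
               discovered_at: datetime, now: datetime) -> Status:
    """Active > Age: 'Force inactive if age > N days'."""
    if policy == "Skip":
        return "skipped", False
    m = AGE_RE.match(policy)
    if not m:
        raise ValueError(f"unrecognised Age value: {policy!r}")
    # Documented: with no create time, the Guardrails discovery time is used.
    basis = created_at if created_at is not None else discovered_at
    if now - basis > timedelta(days=int(m.group(1))):
        return "inactive", True  # the "Force" verdict
    return "skipped", False  # assumption: below the threshold the sub-policy is silent


def last_modified_status(policy: str, modified_at: datetime, now: datetime) -> Status:
    """Active > Last Modified: '[Force ]Active if last modified <= N days'."""
    if policy == "Skip":
        return "skipped", False
    m = MODIFIED_RE.match(policy)
    if not m:
        raise ValueError(f"unrecognised Last Modified value: {policy!r}")
    forced = m.group(1) is not None
    if now - modified_at <= timedelta(days=int(m.group(2))):
        return "active", forced
    return "inactive", False  # assumption: outside the window the verdict is not forced


def aggregate(statuses) -> str:
    """Combine sub-policy statuses into one resource status.

    Documented: skipped sub-policies are ignored, and a resource that appears active
    for any reason is active. Assumption: a forced verdict outranks non-forced ones,
    and a forced active still wins over a forced inactive.
    """
    verdicts = [(s, f) for s, f in statuses if s != "skipped"]
    if not verdicts:
        return "skipped"
    forced = [s for s, f in verdicts if f]
    pool = forced if forced else [s for s, _ in verdicts]
    return "active" if "active" in pool else "inactive"


def active_control(active_policy: str, status: str, now: datetime) -> dict:
    """Alarm on an inactive resource; for Enforce values also schedule the deletion
    after the warning period named in the policy value."""
    if active_policy == "Skip" or status != "inactive":
        return {"alarm": False, "delete_after": None}
    if active_policy == "Check: Active":
        return {"alarm": True, "delete_after": None}
    m = ENFORCE_RE.match(active_policy)
    if not m:
        raise ValueError(f"unrecognised Active value: {active_policy!r}")
    return {"alarm": True, "delete_after": now + timedelta(days=int(m.group(1)))}


def demo() -> dict:
    """Three constructed resources evaluated against one policy set."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    age_policy = "Force inactive if age > 365 days"
    mod_policy = "Active if last modified <= 90 days"
    active_policy = "Enforce: Delete inactive with 30 days warning"
    # name: (created_at, discovered_at, modified_at), all constructed
    resources = {
        "stale": (None, now - timedelta(days=400), now - timedelta(days=200)),
        "old_but_busy": (now - timedelta(days=400), now - timedelta(days=400), now - timedelta(days=7)),
        "fresh": (now - timedelta(days=30), now - timedelta(days=30), now - timedelta(days=7)),
    }
    out = {}
    for name, (created, discovered, modified) in resources.items():
        status = aggregate([
            age_status(age_policy, created, discovered, now),
            last_modified_status(mod_policy, modified, now),
        ])
        out[name] = (status, active_control(active_policy, status, now))
    return out


if __name__ == "__main__":
    for name, (status, action) in demo().items():
        print(f"{name}: {status} -> {action}")
```

The "stale" resource has no create time, so its 400-day age is measured from discovery and the Age policy forces it inactive; deletion is scheduled 30 days out. "old_but_busy" was modified last week, which the documented rule alone would call active, but under the assumed precedence the forced inactive from Age wins; if that is not what you want, leave Age at Skip and rely on Last Modified. "fresh" is active and untouched.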
Azure > SQL > Server > Active Directory Administrator
Define the Active Directory Administrator settings required for Azure > SQL > Server
.
The Active Directory Administrator policy determines the Active Directory authentication setting required for the Azure SQL server.
Enabling Active Directory authentication on a SQL server lets you centrally manage identities and access to Azure SQL Database.
tmod:@turbot/azure-sql#/policy/types/serverActiveDirectoryAdministrator
[ "Skip", "Check: Disabled", "Check: Enabled", "Check: Enabled to Active Directory Administrator > Name", "Enforce: Disabled", "Enforce: Enabled to Active Directory Administrator > Name"]
{ "type": "string", "enum": [ "Skip", "Check: Disabled", "Check: Enabled", "Check: Enabled to Active Directory Administrator > Name", "Enforce: Disabled", "Enforce: Enabled to Active Directory Administrator > Name" ], "example": [ "Skip" ], "default": "Skip"}
Azure > SQL > Server > Active Directory Administrator > Name
Define the Azure Active Directory resource display name or object ID for Azure > SQL > Server > Active Directory Administrator
policy.
Active Directory authentication for SQL Server supports an Active Directory user, application or group; only one of them can be set at a time.
Make sure the value given is the valid display name or object ID of the resource you want to use. Display names are not unique in Azure Active Directory, so prefer the object ID when more than one object could match.
example:
 ddc06e04-ce5f-4995-c758-c2b6c510e8fd
 d8831d9d-8756-4dd9-83e0-d8ce58525496
 organizationuser@organizationwebsite.onmicrosoft.com
 azureAD-dev-application
 projectDevelopersGroup
tmod:@turbot/azure-sql#/policy/types/serverActiveDirectoryAdministratorName
{ "type": "string", "example": "turbotadmin@turbotad.onmicrosoft.com", "default": ""}
Azure > SQL > Server > Advanced Data Security
Define the advanced data security settings required for Azure > SQL > Server
.
Advanced data security for SQL Server includes functionality for surfacing and mitigating potential database
vulnerabilities and detecting anomalous activities that could indicate a threat to your server. The Advanced
data security package provides administrators with a single go-to location for discovering and classifying data,
assessing and addressing potential database vulnerabilities, and visibility into anomalous and potentially malicious
activity that is taking place.
Advanced data security can be defined for a specific database or as a default server policy. A server policy
applies to all existing and newly created databases on the server. Azure recommends enabling only server-level
data security and leaving database-level data security disabled for all databases.
The Advanced data security control compares the vulnerability assessment and threat protection settings against
the advanced data security policies for the resource (Azure > SQL > Server > Advanced Data Security > *),
raises an alarm, and takes the defined enforcement action.
tmod:@turbot/azure-sql#/policy/types/serverDataSecurity
[ "Skip", "Check: Disabled", "Check: Enabled", "Enforce: Disabled", "Enforce: Enabled"]
{ "type": "string", "enum": [ "Skip", "Check: Disabled", "Check: Enabled", "Enforce: Disabled", "Enforce: Enabled" ], "example": [ "Skip" ], "default": "Skip"}
Azure > SQL > Server > Advanced Data Security > Threat Protection
tmod:@turbot/azure-sql#/policy/types/serverThreatProtection
Azure > SQL > Server > Advanced Data Security > Threat Protection > Email Addresses
Define the email addresses to receive an email notification upon detection of anomalous database activities.
The email provides information on the suspicious security event including the nature of the anomalous activities,
database name, server name, application name, and the event time. In addition, the email provides information on
possible causes and recommended actions to investigate and mitigate the potential threat to the database.
tmod:@turbot/azure-sql#/policy/types/serverThreatProtectionEmailAddresses
{ "type": "array", "items": { "type": "string", "pattern": "[^\\s@]+@[^\\s@]+\\.[^\\s@]+$", "minLength": 6, "maxLength": 254 }, "default": []}
Azure > SQL > Server > Advanced Data Security > Threat Protection > Notify Admins
Notify account administrators upon detection of anomalous database activities.
The email provides information on the suspicious security event including the nature of the anomalous activities,
database name, server name, application name, and the event time. In addition, the email provides information
on possible causes and recommended actions to investigate and mitigate the potential threat to the database.
tmod:@turbot/azure-sql#/policy/types/serverThreatProtectionNotifyAdmins
[ "Disabled", "Enabled"]
{ "type": "string", "enum": [ "Disabled", "Enabled" ], "default": "Enabled"}
Azure > SQL > Server > Advanced Data Security > Threat Protection > Types
Define the threat protection types for the Azure SQL server.
Advanced threat protection for the Azure SQL server detects anomalous activities
indicating unusual and potentially harmful attempts to access or exploit databases, and
raises alerts of the types selected here.
tmod:@turbot/azure-sql#/policy/types/serverThreatProtectionTypes
{ "type": "array", "items": { "type": "string", "enum": [ "SQL Injection", "SQL Injection Vulnerability", "Data Exfiltration", "Unsafe Action", "Access Anomaly", "Brute Force" ] }, "default": [ "SQL Injection", "SQL Injection Vulnerability", "Data Exfiltration", "Unsafe Action", "Access Anomaly", "Brute Force" ]}
Azure > SQL > Server > Advanced Data Security > Vulnerability Assessment
tmod:@turbot/azure-sql#/policy/types/serverVulnerabilityAssessment
Azure > SQL > Server > Advanced Data Security > Vulnerability Assessment > Periodic Scans
The periodic recurring scan setting configures vulnerability assessment to automatically run a scan on your database once per week.
tmod:@turbot/azure-sql#/policy/types/serverVulnerabilityAssessmentPeriodicScans
[ "Disabled", "Enabled"]
{ "type": "string", "enum": [ "Disabled", "Enabled" ], "default": "Disabled"}
Azure > SQL > Server > Advanced Data Security > Vulnerability Assessment > Periodic Scans > Email Addresses
Define the email addresses to receive an email notification of scan result summary.
tmod:@turbot/azure-sql#/policy/types/serverVulnerabilityAssessmentEmailAddresses
{ "type": "array", "items": { "type": "string", "pattern": "[^\\s@]+@[^\\s@]+\\.[^\\s@]+$", "minLength": 6, "maxLength": 254 }, "default": []}
Azure > SQL > Server > Advanced Data Security > Vulnerability Assessment > Periodic Scans > Notify Admins
Define whether the scheduled scan notification will be sent to the subscription administrators and owners.
tmod:@turbot/azure-sql#/policy/types/serverVulnerabilityAssessmentNotifyAdmins
[ "Disabled", "Enabled"]
{ "type": "string", "enum": [ "Disabled", "Enabled" ], "default": "Disabled"}
Azure > SQL > Server > Advanced Data Security > Vulnerability Assessment > Storage Account
Define the storage account where scan results for all databases on the server will be stored.
The storage account name is required.
If the container name is not specified, then vulnerability-assessment
is taken as the default.
example:
 - teststorageaccount
 - teststorageaccount/containername
Note: To avoid cross-region reads/writes of scan results, Azure highly recommends using a storage account and server located in the same region.
tmod:@turbot/azure-sql#/policy/types/serverVulnerabilityAssessmentStorageAccount
{ "type": "string", "pattern": "^(^)([a-z0-9]{3,24})\\/([a-z0-9-]{3,24})|(^)([([a-z0-9]{3,24})$", "example": "teststorageaccount/container-name", "default": "", "tests": [ { "input": "teststorageaccount/container-name" }, { "input": "teststorageaccount/containername" }, { "input": "teststorageaccount" } ]}
Azure > SQL > Server > Approved
Determine the action to take when an Azure SQL server is not approved based on Azure > SQL > Server > Approved > *
policies.
The Approved control checks the status of the defined Approved sub-policies for the resource. If the resource is not approved according to any of these policies, this control raises an alarm and takes the defined enforcement action.
For any enforcement actions that specify if new
, e.g., Enforce: Delete unapproved if new
, this control will only take the enforcement actions for resources created within the last 60 minutes.
See Approved for more information.
tmod:@turbot/azure-sql#/policy/types/serverApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved if new"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved if new" ], "example": [ "Check: Approved" ], "default": "Skip"}
Azure > SQL > Server > Approved > Custom
Determine whether the Azure SQL server is allowed to exist.
This policy will be evaluated by the Approved control. If an Azure SQL server is not approved, it will be subject to the action specified in the Azure > SQL > Server > Approved
policy.
See Approved for more information.
Note: The policy value must be a string with a value of Approved
, Not approved
or Skip
, or in the form of YAML objects. The object(s) must contain the key result
with its value as Approved
or Not approved
. A custom title and message can also be added using the keys title
and message
respectively.
tmod:@turbot/azure-sql#/policy/types/serverApprovedCustom
{ "example": [ "Approved", "Not approved", "Skip", { "result": "Approved" }, { "title": "string", "result": "Not approved" }, { "title": "string", "result": "Approved", "message": "string" }, [ { "title": "string", "result": "Approved", "message": "string" }, { "title": "string", "result": "Not approved", "message": "string" } ] ], "anyOf": [ { "type": "array", "items": { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false } }, { "type": "object", "properties": { "title": { "type": "string", "pattern": "^[\\W\\w]{1,32}$" }, "message": { "type": "string", "pattern": "^[\\W\\w]{1,128}$" }, "result": { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } }, "required": [ "result" ], "additionalProperties": false }, { "type": "string", "pattern": "^(Approved|Not approved|Skip)$" } ], "default": "Skip"}
Azure > SQL > Server > Approved > Regions
A list of Azure regions in which Azure SQL servers are approved for use.
The expected format is an array of region names. You may use the '*' and '?' wildcard characters.
This policy will be evaluated by the Approved control. If an Azure SQL server is created in a region that is not in the approved list, it will be subject to the action specified in the Azure > SQL > Server > Approved
policy.
See Approved for more information.
tmod:@turbot/azure-sql#/policy/types/serverApprovedRegions
"{\n regions: policyValue(uri:\"tmod:@turbot/azure-sql#/policy/types/sqlApprovedRegionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
Azure > SQL > Server > Approved > Usage
Determine whether the Azure SQL server is allowed to exist.
This policy will be evaluated by the Approved control. If an Azure SQL server is not approved, it will be subject to the action specified in the Azure > SQL > Server > Approved
policy.
See Approved for more information.
tmod:@turbot/azure-sql#/policy/types/serverApprovedUsage
[ "Not approved", "Approved", "Approved if Azure > SQL > Enabled"]
{ "type": "string", "enum": [ "Not approved", "Approved", "Approved if Azure > SQL > Enabled" ], "example": [ "Not approved" ], "default": "Approved if Azure > SQL > Enabled"}
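The Approved, Approved > Custom, Approved > Regions and Approved > Usage policies (Elastic Pool and Server variants above) describe the mirror image of the Active evaluation: any sub-policy saying Not approved makes the resource not approved, and "Enforce: Delete unapproved if new" only deletes resources created in the last 60 minutes. The following is an added example, not code from the page or from Guardrails. It takes the Custom value already parsed from YAML (a string, one object or a list of objects, validated against the shape the schema allows), matches regions with the documented '*' and '?' wildcards, and assumes that "Approved if Azure > SQL > Enabled" is satisfied only by the value "Enabled" (the page does not say how "Enabled: Metadata Only" is treated).

```python
import fnmatch
from datetime import datetime, timedelta, timezone

NEW_WINDOW = timedelta(minutes=60)  # documented: "if new" = created within the last 60 minutes
RESULTS = ("Approved", "Not approved", "Skip")


def regions_verdict(approved_regions, region):
    """Approved > Regions: list entries may use '*' and '?' wildcards (documented)."""
    region = region.lower()
    if any(fnmatch.fnmatchcase(region, pattern.lower()) for pattern in approved_regions):
        return {"title": "Regions", "result": "Approved"}
    return {"title": "Regions", "result": "Not approved",
            "message": f"{region} is not an approved region"}


def usage_verdict(usage_policy, sql_enabled):
    """Approved > Usage. Assumption: 'Approved if Azure > SQL > Enabled' is satisfied
    only by 'Enabled', not by 'Enabled: Metadata Only' or 'Disabled'."""
    if usage_policy == "Approved if Azure > SQL > Enabled":
        result = "Approved" if sql_enabled == "Enabled" else "Not approved"
    elif usage_policy in ("Approved", "Not approved"):
        result = usage_policy
    else:
        raise ValueError(f"unrecognised Usage value: {usage_policy!r}")
    return {"title": "Usage", "result": result}


def custom_verdicts(value):
    """Approved > Custom after YAML parsing: a bare string, one object or a list of
    objects. Enforces the key set and length limits from the page's schema."""
    if isinstance(value, str):
        items = [{"result": value}]
    elif isinstance(value, dict):
        items = [value]
    elif isinstance(value, list):
        items = value
    else:
        raise TypeError("Custom must be a string, an object or a list of objects")
    out = []
    for item in items:
        extra = set(item) - {"result", "title", "message"}
        if extra or item.get("result") not in RESULTS:
            raise ValueError(f"invalid Custom entry: {item!r}")
        if not 1 <= len(item.get("title", "Custom")) <= 32:
            raise ValueError("title must be 1-32 characters")
        if not 1 <= len(item.get("message", "-")) <= 128:
            raise ValueError("message must be 1-128 characters")
        out.append({"title": item.get("title", "Custom"), **item})
    return out


def approved_control(approved_policy, verdicts, created_at, now):
    """Documented: Not approved from any sub-policy => not approved; Skip is ignored;
    the delete action applies only to resources newer than 60 minutes."""
    if approved_policy == "Skip":
        return {"status": "skipped", "alarm": False, "delete": False, "reasons": []}
    if approved_policy not in ("Check: Approved", "Enforce: Delete unapproved if new"):
        raise ValueError(f"unrecognised Approved value: {approved_policy!r}")
    reasons = [v for v in verdicts if v["result"] == "Not approved"]
    if reasons:
        status = "not approved"
    elif any(v["result"] == "Approved" for v in verdicts):
        status = "approved"
    else:
        status = "skipped"
    alarm = status == "not approved"
    delete = (alarm and approved_policy == "Enforce: Delete unapproved if new"
              and now - created_at <= NEW_WINDOW)
    return {"status": status, "alarm": alarm, "delete": delete, "reasons": reasons}


def demo():
    """Constructed policy values and resources; all names here are made up."""
    now = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
    approved_regions = ["eastus*", "westeurope"]
    custom = [{"title": "Owner tag", "result": "Not approved", "message": "no owner tag"}]

    def evaluate(region, created_at, custom_value):
        verdicts = [regions_verdict(approved_regions, region),
                    usage_verdict("Approved if Azure > SQL > Enabled", "Enabled"),
                    *custom_verdicts(custom_value)]
        return approved_control("Enforce: Delete unapproved if new", verdicts, created_at, now)

    return {
        "new_unowned": evaluate("eastus2", now - timedelta(minutes=10), custom),
        "old_unowned": evaluate("eastus2", now - timedelta(hours=3), custom),
        "wrong_region": evaluate("brazilsouth", now - timedelta(minutes=5), "Approved"),
        "clean": evaluate("westeurope", now - timedelta(days=2), "Skip"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Note the asymmetry with Active: the "old_unowned" resource fails the same Custom check as "new_unowned" but is three hours old, so the control alarms without deleting it; the 60-minute window is what keeps the Enforce value from tearing down long-lived resources when an Approved policy is tightened later.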
Azure > SQL > Server > Auditing
Define the auditing settings required for Azure > SQL > Server
.
Auditing for Azure SQL Server tracks server events and writes them to an audit log
in your Azure Storage account, Log Analytics workspace or Event Hubs. This control
determines whether the resource auditing is set to your desired Azure Storage account with desired
retention days.
An auditing policy can be defined for a specific database or as a default server policy. A server policy
applies to all existing and newly created databases on the server. Azure recommends enabling only server-level
blob auditing and leaving database-level auditing disabled for all databases.
The Auditing control compares the auditing settings against the auditing policies for the resource
(Azure > SQL > Server > Auditing > *), raises an alarm, and takes the defined enforcement action.
tmod:@turbot/azure-sql#/policy/types/serverAuditing
[ "Skip", "Check: Disabled", "Check: Enabled", "Enforce: Disabled", "Enforce: Enabled"]
{ "type": "string", "enum": [ "Skip", "Check: Disabled", "Check: Enabled", "Enforce: Disabled", "Enforce: Enabled" ], "example": [ "Skip" ], "default": "Skip"}
Azure > SQL > Server > Auditing > Retention Days
Define the number of days to keep in the audit logs in the storage account.
Note: Setting the policy to 0 will set the retention to infinity.
tmod:@turbot/azure-sql#/policy/types/serverAuditingRetentionDays
{ "type": "number", "minimum": 0, "maximum": 3285, "default": 90}
Azure > SQL > Server > Auditing > Storage Account
Define the storage account for server audit logs.
The storage account name or primary blob endpoint is required. Premium storage and storage accounts with a hierarchical namespace (Azure Data Lake Storage Gen2) are currently not supported.
Any of these forms is valid:
- teststorageaccount
- https://teststorageaccount.blob.core.windows.net/
- https://teststorageaccount.blob.core.usgovcloudapi.net/
- https://teststorageaccount.blob.core.chinacloudapi.cn/
Note: To avoid cross-region reads/writes of audit records, Azure strongly recommends using a storage account and server located in the same region.
tmod:@turbot/azure-sql#/policy/types/serverAuditingStorageAccount
{ "type": "string", "pattern": "^(https://[a-z0-9]{3,24}\\.blob\\.core\\.windows\\.net/|https://[a-z0-9]{3,24}\\.blob\\.core\\.usgovcloudapi\\.net/|https://[a-z0-9]{3,24}\\.blob\\.core\\.chinacloudapi\\.cn/|[a-z0-9]{3,24})$", "example": "https://sqlva5njk5n7qwh4my.blob.core.windows.net/", "default": ""}
Azure > SQL > Server > CMDB
Configure whether to record and synchronize details for the Azure SQL server into the CMDB.
The CMDB control is responsible for populating and updating all the attributes for that resource type in the Guardrails CMDB.
All policies and controls in Guardrails are based around the resource, so usually the CMDB policy is set to "Enforce: Enabled".
If set to Skip, then all changes to the CMDB are paused: no new resources will be discovered, no updates will be made, and deleted resources will not be removed.
To clean up resources and stop tracking changes, set this policy to "Enforce: Disabled".
CMDB controls also use the Regions policy associated with the resource. If the region is not in the Azure > SQL > Server > Regions policy, the CMDB control will delete the resource from the CMDB.
(Note: Setting CMDB to "Skip" will also pause these changes.)
tmod:@turbot/azure-sql#/policy/types/serverCmdb
[ "Skip", "Enforce: Enabled", "Enforce: Enabled if SQL provider is Registered", "Enforce: Disabled"]
{ "type": "string", "enum": [ "Skip", "Enforce: Enabled", "Enforce: Enabled if SQL provider is Registered", "Enforce: Disabled" ], "example": [ "Skip" ], "default": "Enforce: Enabled if SQL provider is Registered"}
Azure > SQL > Server > Firewall
tmod:@turbot/azure-sql#/policy/types/serverFirewall
Azure > SQL > Server > Firewall > IP Ranges
tmod:@turbot/azure-sql#/policy/types/serverFirewallIpRanges
Azure > SQL > Server > Firewall > IP Ranges > Approved
Configure firewall IP address range checking. This policy defines whether to verify that the firewall IP address ranges are approved, as well as the subsequent action to take on unapproved items. Rules for all Approved policies will be compiled in Approved > Compiled Rules and then evaluated.
If set to Enforce: Delete unapproved, any unapproved IP address ranges will be deleted from the firewall.
tmod:@turbot/azure-sql#/policy/types/serverFirewallIpRangesApproved
[ "Skip", "Check: Approved", "Enforce: Delete unapproved"]
{ "type": "string", "enum": [ "Skip", "Check: Approved", "Enforce: Delete unapproved" ], "default": "Skip"}
Azure > SQL > Server > Firewall > IP Ranges > Approved > Compiled Rules
A read-only Object Control List (OCL) to approve or reject IP addresses
for a server firewall. This list is compiled from specified approved IP addresses
and additional filtering rules.
This policy is generated by Guardrails and is designed to ensure that only
approved IP addresses are allowed access, aligning with security and compliance standards.
tmod:@turbot/azure-sql#/policy/types/serverFirewallIpRangesApprovedCompiledRules
{ "type": "string"}
Azure > SQL > Server > Firewall > IP Ranges > Approved > IP Addresses
Configure the SQL server to allow access from specific internet IP addresses. This configuration grants access to specific internet-based services and on-premises networks, and blocks general internet traffic.
Provide allowed internet IP addresses as individual startIpAddress and endIpAddress pairs, as in the example below.
Example:
- startIpAddress: 203.0.113.5
  endIpAddress: 203.0.113.5
tmod:@turbot/azure-sql#/policy/types/serverFirewallIpRangesApprovedIpAddresses
{ "example": [ [ { "startIpAddress": "203.0.113.5", "endIpAddress": "203.0.113.5" } ] ], "type": "array", "items": { "type": "object", "properties": { "startIpAddress": { "type": "string", "pattern": "\\b(?!(?:10\\.|172\\.(?:1[6-9]|2[0-9]|3[0-2])\\.|192\\.168\\.))((?:(?:2(?:[0-4][0-9]|5[0-5])|[0-1]?[0-9]?[0-9])\\.){3}(?:(?:2(?:[0-4][0-9]|5[0-5])|[0-1]?[0-9]?[0-9])))($|/([0-9]|[1-2][0-9]|3[0])$)\\b", "tests": [ { "input": "90.123.233.2/30" }, { "input": "34.192.235.43" }, { "input": "127.0.0.11" }, { "description": "Invalid - Not a valid IP address", "input": "267.32.0.12", "expected": false }, { "description": "Invalid - Private IP", "input": "192.168.1.0", "expected": false }, { "description": "Invalid - prefix must be smaller than or equal to 30.", "input": "182.168.0.0/31", "expected": false } ], ".turbot": { "uri": "tmod:@turbot/azure-sql#/definitions/firewallIp", "modUri": "tmod:@turbot/azure-sql" } }, "endIpAddress": { "type": "string", "pattern": "\\b(?!(?:10\\.|172\\.(?:1[6-9]|2[0-9]|3[0-2])\\.|192\\.168\\.))((?:(?:2(?:[0-4][0-9]|5[0-5])|[0-1]?[0-9]?[0-9])\\.){3}(?:(?:2(?:[0-4][0-9]|5[0-5])|[0-1]?[0-9]?[0-9])))($|/([0-9]|[1-2][0-9]|3[0])$)\\b", "tests": [ { "input": "90.123.233.2/30" }, { "input": "34.192.235.43" }, { "input": "127.0.0.11" }, { "description": "Invalid - Not a valid IP address", "input": "267.32.0.12", "expected": false }, { "description": "Invalid - Private IP", "input": "192.168.1.0", "expected": false }, { "description": "Invalid - prefix must be smaller than or equal to 30.", "input": "182.168.0.0/31", "expected": false } ], ".turbot": { "uri": "tmod:@turbot/azure-sql#/definitions/firewallIp", "modUri": "tmod:@turbot/azure-sql" } } }, "tests": [ { "input": { "startIpAddress": "45.127.45.223", "endIpAddress": "45.64.0.0" } } ], ".turbot": { "uri": "tmod:@turbot/azure-sql#/definitions/firewallIpRange", "modUri": "tmod:@turbot/azure-sql" } }, "default": []}
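The schema above rejects an entry only by its regular expression (public IPv4, optional prefix of at most /30, RFC 1918 ranges excluded). The following added example, which is not Guardrails' own code, applies that same pattern to a startIpAddress/endIpAddress entry and adds two sanity checks that are assumptions beyond the schema: the start must not exceed the end, and the range must not be wider than a configurable host limit.

```python
import ipaddress
import re

# Pattern copied from the policy schema (tmod:@turbot/azure-sql#/definitions/firewallIp).
# JSON Schema "pattern" uses search semantics, so re.search is used below.
FIREWALL_IP_PATTERN = re.compile(
    r"\b(?!(?:10\.|172\.(?:1[6-9]|2[0-9]|3[0-2])\.|192\.168\.))"
    r"((?:(?:2(?:[0-4][0-9]|5[0-5])|[0-1]?[0-9]?[0-9])\.){3}"
    r"(?:(?:2(?:[0-4][0-9]|5[0-5])|[0-1]?[0-9]?[0-9])))"
    r"($|/([0-9]|[1-2][0-9]|3[0])$)\b"
)


def ip_allowed_by_schema(value: str) -> bool:
    """True when the value passes the schema's firewallIp pattern."""
    return FIREWALL_IP_PATTERN.search(value) is not None


def check_ip_range(entry: dict, max_hosts: int = 256) -> list:
    """Return findings for one {startIpAddress, endIpAddress} entry.

    An empty list means the entry would be accepted. The start<=end and
    width checks are assumptions added here; they are not in the schema.
    """
    findings = []
    for key in ("startIpAddress", "endIpAddress"):
        value = entry.get(key, "")
        if not ip_allowed_by_schema(value):
            findings.append(f"{key} '{value}' rejected by schema pattern")
    if findings:
        return findings
    # Strip any /prefix so the endpoints can be compared as plain addresses.
    start = ipaddress.ip_address(entry["startIpAddress"].split("/")[0])
    end = ipaddress.ip_address(entry["endIpAddress"].split("/")[0])
    if start > end:
        findings.append("startIpAddress is greater than endIpAddress")
    else:
        width = int(end) - int(start) + 1
        if width > max_hosts:
            findings.append(f"range spans {width} addresses (limit {max_hosts})")
    return findings


if __name__ == "__main__":
    # Constructed sample: the page's own example entry and its wide-range test vector.
    for sample in ({"startIpAddress": "203.0.113.5", "endIpAddress": "203.0.113.5"},
                   {"startIpAddress": "45.127.45.223", "endIpAddress": "45.64.0.0"}):
        print(sample, check_ip_range(sample) or "ok")
```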
Azure > SQL > Server > Firewall > IP Ranges > Approved > Rules
An Object Control List (OCL) with a list of filter rules to approve or reject IP ranges for a SQL server firewall.
Note that the Approved control does not operate directly from this policy, but from the Approved > Compiled Rules. The rules are processed in order, and any built-in Guardrails rules will appear first in the list of compiled rules.
tmod:@turbot/azure-sql#/policy/types/serverFirewallIpRangesApprovedRules
{ "type": "string", "default": "APPROVE *", "x-schema-form": { "type": "textarea" }}
Azure > SQL > Server > Regions
Regions where Azure supports SQL Server. Guardrails updates this option as Azure expands their regional support. Unless there is an explicit requirement (e.g. accelerated regional support), it should not be set by Guardrails Administrators.
tmod:@turbot/azure-sql#/policy/types/serverRegions
"{\n regions: policyValue(uri:\"tmod:@turbot/azure-sql#/policy/types/sqlRegionsDefault\") {\n value\n }\n}\n"
"{% if $.regions.value | length == 0 %} [] {% endif %}{% for item in $.regions.value %}- '{{ item }}'\n{% endfor %}"
Azure > SQL > Server > Tags
Determine the action to take when Azure SQL server tags are not updated based on the Azure > SQL > Server > Tags > * policies.
The control ensures Azure SQL server tags include the tags defined in Azure > SQL > Server > Tags > Template.
Tags not defined in Server Tags Template will not be modified or deleted. Setting a tag value to undefined
will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/azure-sql#/policy/types/serverTags
[ "Skip", "Check: Tags are correct", "Enforce: Set tags"]
{ "type": "string", "enum": [ "Skip", "Check: Tags are correct", "Enforce: Set tags" ], "example": [ "Check: Tags are correct" ], "default": "Skip"}
Azure > SQL > Server > Tags > Template
The template is used to generate the tag keys and values for the Azure SQL server.
Tags not defined in Server Tags Template will not be modified or deleted. Setting a tag value to undefined
will result in the tag being deleted.
See Tags for more information.
tmod:@turbot/azure-sql#/policy/types/serverTagsTemplate
[ "{\n subscription {\n turbot {\n id\n }\n }\n}\n", "{\n defaultTags: policyValue(uri:\"tmod:@turbot/azure-sql#/policy/types/sqlTagsTemplate\" resourceId: \"{{ $.subscription.turbot.id }}\") {\n value\n }\n}\n"]
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"
Azure > SQL > Tags Template [Default]
A template used to generate the keys and values for Azure SQL resources.
By default, all SQL resource Tags > Template policies will use this value.
tmod:@turbot/azure-sql#/policy/types/sqlTagsTemplate
"{\n defaultTags: policyValue(uri:\"tmod:@turbot/azure#/policy/types/defaultTagsTemplate\") {\n value\n }\n}\n"
"{%- if $.defaultTags.value | length == 0 %} [] {%- elif $.defaultTags.value != undefined %}{{ $.defaultTags.value | dump | safe }}{%- else %}{% for item in $.defaultTags.value %}- {{ item }}{% endfor %}{% endif %}"
Azure > Turbot > Permissions > Compiled > Levels > @turbot/azure-sql
A calculated policy that Guardrails uses to create a compiled list of ALL
permission levels for Azure SQL that is used as input to the
stack that manages the Guardrails IAM permissions objects.
tmod:@turbot/azure-sql#/policy/types/azureLevelsCompiled
Azure > Turbot > Permissions > Compiled > Service Permissions > @turbot/azure-sql
A calculated policy that Guardrails uses to create a compiled list of ALL
permissions for Azure SQL that is used as input to the control that manages
the IAM stack.
tmod:@turbot/azure-sql#/policy/types/azureCompiledServicePermissions