Control: Cosmos DB should use a virtual network service endpoint
Description
This policy audits any Cosmos DB account that is not configured to use a virtual network service endpoint. An account passes when at least one of its virtual network rules references a subnet id; an account with no virtual network rules (or rules without an id) is reported as alarm.
Usage
Run the control in your terminal:
powerpipe control run azure_compliance.control.cosmosdb_use_virtual_service_endpoint
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run azure_compliance.control.cosmosdb_use_virtual_service_endpoint --share
SQL
This control uses a named query:
with cosmosdb_with_virtual_network as (
  select distinct a.id
  from azure_cosmosdb_account as a,
       jsonb_array_elements(virtual_network_rules) as rule
  where rule ->> 'id' is not null
)
select
  a.id as resource,
  case
    when c.id is null then 'alarm'
    else 'ok'
  end as status,
  case
    when c.id is null then a.name || ' not configured with virtual network service endpoint.'
    else a.name || ' configured with virtual network service endpoint.'
  end as reason,
  a.resource_group as resource_group,
  sub.display_name as subscription
from azure_cosmosdb_account as a
  left join cosmosdb_with_virtual_network as c on c.id = a.id,
  azure_subscription as sub
where sub.subscription_id = a.subscription_id;
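The following is an added example, not part of the azure_compliance mod, that runs the control's classification logic against constructed sample rows in plain PostgreSQL so you can see how each shape of virtual_network_rules is scored without a Steampipe connection. The CTEs sample_accounts and sample_subscriptions stand in for the azure_cosmosdb_account and azure_subscription tables; the account ids, names and subnet paths are made up.

```sql
-- Added example (not from the azure_compliance mod): constructed sample data
-- that exercises the control's logic offline in PostgreSQL.
-- sample_subscriptions / sample_accounts are stand-ins for
-- azure_subscription / azure_cosmosdb_account; all values are invented.
with sample_subscriptions(subscription_id, display_name) as (
  values ('00000000-0000-0000-0000-000000000001', 'Production')
),
sample_accounts(id, name, resource_group, subscription_id, virtual_network_rules) as (
  values
    -- one rule that references a subnet id: expected 'ok'
    ('/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-data/providers/Microsoft.DocumentDB/databaseAccounts/acct-a',
     'acct-a', 'rg-data', '00000000-0000-0000-0000-000000000001',
     '[{"id": "/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-net/providers/Microsoft.Network/virtualNetworks/vnet-prod/subnets/db",
        "ignoreMissingVNetServiceEndpoint": false}]'::jsonb),
    -- no rules at all: jsonb_array_elements(NULL) yields no rows, expected 'alarm'
    ('/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-data/providers/Microsoft.DocumentDB/databaseAccounts/acct-b',
     'acct-b', 'rg-data', '00000000-0000-0000-0000-000000000001',
     null::jsonb),
    -- empty array: also no rows, expected 'alarm'
    ('/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-data/providers/Microsoft.DocumentDB/databaseAccounts/acct-c',
     'acct-c', 'rg-data', '00000000-0000-0000-0000-000000000001',
     '[]'::jsonb),
    -- a rule object without an "id" key is filtered out by rule ->> 'id' is not null, expected 'alarm'
    ('/subscriptions/00000000-0000-0000-0000-000000000001/resourceGroups/rg-data/providers/Microsoft.DocumentDB/databaseAccounts/acct-d',
     'acct-d', 'rg-data', '00000000-0000-0000-0000-000000000001',
     '[{"ignoreMissingVNetServiceEndpoint": true}]'::jsonb)
),
-- Same CTE as the control, pointed at the sample table.
cosmosdb_with_virtual_network as (
  select distinct a.id
  from sample_accounts as a,
       jsonb_array_elements(a.virtual_network_rules) as rule
  where rule ->> 'id' is not null
)
select
  a.name as account,
  case when c.id is null then 'alarm' else 'ok' end as status,
  case
    when c.id is null then a.name || ' not configured with virtual network service endpoint.'
    else a.name || ' configured with virtual network service endpoint.'
  end as reason,
  a.resource_group,
  sub.display_name as subscription
from sample_accounts as a
  left join cosmosdb_with_virtual_network as c on c.id = a.id,
  sample_subscriptions as sub
where sub.subscription_id = a.subscription_id
order by a.name;
-- Expected rows: acct-a -> ok; acct-b, acct-c, acct-d -> alarm.
```

Two caveats when reading the result. First, the control keys only on the presence of a rule with an id; it does not verify that the account's virtual network filter is actually enabled (the isVirtualNetworkFilterEnabled setting on the account), which Azure requires before any virtual network rule is enforced, so an account with rules but the filter switched off still scores ok here. Second, because the account is joined to azure_subscription with an inner (comma) join, an account whose subscription row is missing from your Steampipe connection is silently dropped from the report rather than shown as alarm.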