turbot/steampipe-mod-terraform-azure-compliance

Control: Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP)

Description

Ensure no SQL Databases allow ingress 0.0.0.0/0 (ANY IP). SQL Server includes a firewall that blocks unauthorized connections. More granular rules can be defined by referencing the address ranges of the specific datacenters that need access, rather than opening the server to the whole internet.

Usage

Run the control in your terminal:

powerpipe control run terraform_azure_compliance.control.sql_database_allow_internet_access

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run terraform_azure_compliance.control.sql_database_allow_internet_access --share

SQL

This control uses a named query:

select
  address as resource,
  case
    when
      -- a rule with a missing bound cannot be evaluated, so it is reported as an alarm
      coalesce(trim(attributes_std ->> 'start_ip_address'), '') = ''
      or coalesce(trim(attributes_std ->> 'end_ip_address'), '') = ''
      -- 0.0.0.0 - 0.0.0.0 is the Azure "allow Azure services" rule
      or (attributes_std ->> 'start_ip_address' = '0.0.0.0'
        and attributes_std ->> 'end_ip_address' = '0.0.0.0')
      -- 0.0.0.0 - 255.255.255.255 admits every IPv4 address (0.0.0.0/0);
      -- start must be the low bound, Azure rejects a rule whose start exceeds its end
      or (attributes_std ->> 'start_ip_address' = '0.0.0.0'
        and attributes_std ->> 'end_ip_address' = '255.255.255.255')
    then 'alarm'
    else 'ok'
  end status,
  -- resource name, taken from the address 'azurerm_sql_firewall_rule.<name>'
  split_part(address, '.', 2) || case
    when coalesce(trim(attributes_std ->> 'start_ip_address'), '') = ''
      then ' ''start_ip_address'' is not defined.'
    when coalesce(trim(attributes_std ->> 'end_ip_address'), '') = ''
      then ' ''end_ip_address'' is not defined.'
    when (attributes_std ->> 'start_ip_address' = '0.0.0.0'
        and attributes_std ->> 'end_ip_address' = '0.0.0.0')
      or (attributes_std ->> 'start_ip_address' = '0.0.0.0'
        and attributes_std ->> 'end_ip_address' = '255.255.255.255')
      then ' allows ingress 0.0.0.0/0 or any ip over internet'
    else ' does not allow ingress 0.0.0.0/0 or any ip over internet'
  end || '.' reason,
  -- file path and line where the resource is declared
  path || ':' || start_line
from
  terraform_resource
where
  type = 'azurerm_sql_firewall_rule';
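A constructed Terraform file, added here as an illustration and not part of the mod, showing the firewall-rule shapes the query above distinguishes; the server and resource group names are placeholders assumed to be declared elsewhere.

```hcl
# Constructed example: three azurerm_sql_firewall_rule resources on one server.
# "rg-example" and "sql-example" are placeholder names for resources assumed
# to exist in another file; the control only inspects the rules themselves.

# alarm: 0.0.0.0 - 255.255.255.255 covers every IPv4 address (0.0.0.0/0)
resource "azurerm_sql_firewall_rule" "any_ip" {
  name                = "allow-any-ip"
  resource_group_name = "rg-example"
  server_name         = "sql-example"
  start_ip_address    = "0.0.0.0"
  end_ip_address      = "255.255.255.255"
}

# alarm: 0.0.0.0 - 0.0.0.0 is Azure's "allow Azure services" rule, which
# admits any Azure-hosted client, including resources in other subscriptions
resource "azurerm_sql_firewall_rule" "azure_services" {
  name                = "allow-azure-services"
  resource_group_name = "rg-example"
  server_name         = "sql-example"
  start_ip_address    = "0.0.0.0"
  end_ip_address      = "0.0.0.0"
}

# alarm: end_ip_address is empty, so the range cannot be evaluated
resource "azurerm_sql_firewall_rule" "half_defined" {
  name                = "broken-rule"
  resource_group_name = "rg-example"
  server_name         = "sql-example"
  start_ip_address    = "203.0.113.10"
  end_ip_address      = ""
}

# ok: a single known egress address (TEST-NET-3 placeholder), the narrow
# per-source rule the description recommends
resource "azurerm_sql_firewall_rule" "office_egress" {
  name                = "allow-office-egress"
  resource_group_name = "rg-example"
  server_name         = "sql-example"
  start_ip_address    = "203.0.113.10"
  end_ip_address      = "203.0.113.10"
}
```

Because the query reads the `terraform_resource` table rather than live Azure state, running the control over a directory containing this file reports the three alarms before anything is applied.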

Tags