ServiceNow CMDB CI relationship sync: faster, more complete →
Policy Packs
Azure CIS v2.0.0 - Section 4 - Database Services

Policy Setting: Azure > PostgreSQL > Server > Approved > Custom

Policies

This policy setting is dependent on the following policy types:

Source

resource "turbot_policy_setting" "azure_postgresql_server_approved_custom" {
resource = turbot_policy_pack.main.id
type = "tmod:@turbot/azure-postgresql#/policy/types/serverApprovedCustom"
note = "Azure CIS v2.0.0 - Control: 4.3.7 and 4.3.8"
template_input = <<-EOT
{
resource {
infrastructureEncryption: get(path:"infrastructureEncryption"),
firewallRulesName: get(path:"firewallRules.name"),
startIpAddress: get(path:"firewallRules.startIpAddress"),
endIpAddress: get(path:"firewallRules.endIpAddress"),
}
}
EOT
template = <<-EOT
{%- set results = [] -%}
{%- if $.resource.infra_encryption and $.resource.infra_encryption == "Disabled" -%}
{%- set data = {
"title": "Infrastructure Encryption",
"result": "Not approved",
"message": "Infrastructure encryption is disabled"
} -%}
{%- elif $.resource.infra_encryption and $.resource.infra_encryption == "Enabled" -%}
{%- set data = {
"title": "Infrastructure Encryption",
"result": "Approved",
"message": "Infrastructure encryption is enabled"
} -%}
{%- else -%}
{%- set data = {
"title": "Infrastructure Encryption",
"result": "Skip",
"message": "No data for infrastructure encryption yet"
} -%}
{%- endif -%}
{%- set results = results.concat(data) -%}
{%- if $.resource.firewallRulesName == "AllowAllWindowsAzureIps" -%}
{%- set data = {
"title": "Allow access to Azure services",
"result": "Not approved",
"message": "Allow access to Azure services is enabled"
} -%}
{%- elif $.resource.startIpAddress == "0.0.0.0" and $.resource.endIpAddress == "0.0.0.0" -%}
{%- set data = {
"title": "Allow access to Azure services",
"result": "Not approved",
"message": "Allow access to Azure services is enabled"
} -%}
{%- else -%}
{%- set data = {
"title": "Allow access to Azure services",
"result": "Approved",
"message": "Allow access to Azure services is disabled"
} -%}
{%- endif -%}
{%- set results = results.concat(data) -%}
{{ results | json }}
EOT
}