Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled

Error: PostgreSQL Database Server 'Allow access to Azure services' enabled

Bridgecrew Policy ID: BC_AZR_GENERAL_79
Checkov Check ID: CKV2_AZURE_6
Severity: LOW

PostgreSQL Database Server 'Allow access to Azure services' enabled

Description

When the 'Allow access to Azure services' setting is enabled, the PostgreSQL Database server accepts connections from any Azure resource, including resources in other subscriptions. Use firewall rules or VNet rules instead, so that access is allowed only from specific network ranges or virtual networks.

Fix - Runtime

In Azure Console

  1. Log in to the Azure console
  2. Navigate to 'Azure Database for PostgreSQL servers' dashboard
  3. Select the reported PostgreSQL server
  4. Go to 'Connection security' under 'Settings'
  5. Select 'No' for 'Allow access to Azure services' under 'Firewall rules'
  6. Click on 'Save'

Fix - Buildtime

Terraform

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

# The check targets Azure Database for PostgreSQL, so the server and its
# firewall rule use the PostgreSQL resource types (the original example used
# the SQL Server types, which this check does not evaluate).
resource "azurerm_postgresql_server" "postgresql_server_good" {
  name                         = "mypostgresqlserver"
  resource_group_name          = azurerm_resource_group.example.name
  location                     = "West US"
  sku_name                     = "GP_Gen5_2"
  version                      = "11"
  storage_mb                   = 5120
  ssl_enforcement_enabled      = true
  administrator_login          = "4dm1n157r470r"
  administrator_login_password = "4-v3ry-53cr37-p455w0rd" # example value only; source real secrets from a variable or Key Vault
}

# A firewall rule scoped to a single address. Do not add a rule with
# start_ip_address = end_ip_address = "0.0.0.0": that is how 'Allow access
# to Azure services' is expressed in Terraform, and it is what this check flags.
resource "azurerm_postgresql_firewall_rule" "firewall_rule_good" {
  name                = "FirewallRule1"
  resource_group_name = azurerm_resource_group.example.name
  server_name         = azurerm_postgresql_server.postgresql_server_good.name
  start_ip_address    = "10.0.17.62"
  end_ip_address      = "10.0.17.62"
}
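To confirm a plan carries no such rule before it is applied, the following added example (not part of the Bridgecrew or Checkov code) reads the JSON from `terraform show -json` and reports any azurerm_postgresql_firewall_rule that implements 'Allow access to Azure services'. It assumes the provider's convention that the setting is a rule with both start_ip_address and end_ip_address set to 0.0.0.0, and additionally flags a rule spanning all IPv4 addresses; the sample plan is constructed.

```python
"""Detect the 'Allow access to Azure services' rule in a Terraform plan.

Assumption (not stated on the page): in the azurerm provider that setting is
an azurerm_postgresql_firewall_rule whose start_ip_address and end_ip_address
are both 0.0.0.0. Input is the JSON from `terraform show -json plan.out`.
"""
import ipaddress
import json
import sys

RULE_TYPE = "azurerm_postgresql_firewall_rule"
ANY_ADDRESS = ipaddress.IPv4Address("0.0.0.0")
LAST_ADDRESS = ipaddress.IPv4Address("255.255.255.255")

def rule_findings(resource_changes):
    """Return (address, reason) for every planned firewall rule that is too broad."""
    findings = []
    for change in resource_changes:
        if change.get("type") != RULE_TYPE:
            continue
        after = change.get("change", {}).get("after")
        if after is None:  # resource is being destroyed; nothing to check
            continue
        try:
            start = ipaddress.IPv4Address(after.get("start_ip_address", ""))
            end = ipaddress.IPv4Address(after.get("end_ip_address", ""))
        except ValueError:
            findings.append((change["address"], "start/end IP is not a valid IPv4 address"))
            continue
        if start == end == ANY_ADDRESS:
            findings.append((change["address"], "'Allow access to Azure services' (0.0.0.0-0.0.0.0) is enabled"))
        elif start == ANY_ADDRESS and end == LAST_ADDRESS:
            findings.append((change["address"], "rule admits every IPv4 address"))
    return findings

# Constructed sample plan: one scoped rule (passes) and one Azure-services rule (fails).
SAMPLE_PLAN = {"resource_changes": [
    {"address": f"{RULE_TYPE}.firewall_rule_good", "type": RULE_TYPE, "change": {"actions": ["create"],
     "after": {"name": "FirewallRule1", "start_ip_address": "10.0.17.62", "end_ip_address": "10.0.17.62"}}},
    {"address": f"{RULE_TYPE}.allow_azure_services", "type": RULE_TYPE, "change": {"actions": ["create"],
     "after": {"name": "AllowAllWindowsAzureIps", "start_ip_address": "0.0.0.0", "end_ip_address": "0.0.0.0"}}},
]}

if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    problems = rule_findings(plan.get("resource_changes", []))
    for address, reason in problems:
        print(f"FAILED {address}: {reason}")
    sys.exit(1 if problems else 0)
```

Run it as `python check_pg_firewall.py plan.json` in CI; a non-zero exit means a rule equivalent to enabling the setting is about to be created.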