
for Cosmos DB account creation, publicAccessEnabled = false being changed back to true

Open ghost opened this issue 3 years ago • 3 comments

Bug Report

When using the dbAccountsClient.CreateOrUpdate method in the Azure SDK for Go to create Cosmos DB accounts, if I specify PublicNetworkAccess = false together with an empty []IPAddressOrRange array, the account gets created with PublicNetworkAccess = true.

We need to determine whether this is an issue in the Azure SDK for Go or whether we are doing something incorrectly.

Here is the sample code that was used:

// AzureCosmosDBKeyVaultKeyURI names the environment variable that holds the
// Key Vault key URI needed for Cosmos DB account creation.
const AzureCosmosDBKeyVaultKeyURI string = "AZURE_COSMOSDB_KEYVAULTKEYURI"

// GetKeyVaultKeyURI reads the Key Vault key URI from the environment and
// returns it lower-cased.
//
// An unset variable yields ""; the test step on this page forwards that value
// unchanged into the account-creation request, so no error is raised here when
// the key URI is missing.
func GetKeyVaultKeyURI() string {
    rawURI := os.Getenv(AzureCosmosDBKeyVaultKeyURI)
    return strings.ToLower(rawURI)
}

// createAccountWithPublicAccessSettingAndNetworkAddressAndKeyVaultKeyURI is a
// test step that requests a Cosmos DB account with the given public network
// access setting and network address.
//
// publicaccessenabled must be "true" or "false" (case-insensitive); any other
// value is rejected with an error. The outcome of the creation request is not
// returned: it is stored in state.runningErr, and on success the account name
// is stored in state.accountName. Presumably a later step asserts on those
// fields - confirm against the rest of the test suite.
func (state *testStateAzure) createAccountWithPublicAccessSettingAndNetworkAddressAndKeyVaultKeyURI(publicaccessenabled string, networkaddress string) error {
    var accessSetting azureCosmosDB.PublicNetworkAccess

    requested := strings.ToLower(publicaccessenabled)
    if requested == "true" {
        accessSetting = azureCosmosDB.PublicNetworkAccessEnabled
    } else if requested == "false" {
        accessSetting = azureCosmosDB.PublicNetworkAccessDisabled
    } else {
        return fmt.Errorf("Invalid publicaccessenabled value: %v", publicaccessenabled)
    }

    // The key URI comes from the environment and may be empty.
    keyURI := cosmosdb.GetKeyVaultKeyURI()

    state.accountGetResults, state.runningErr = cosmosdb.CreateDatabaseAccount(state.ctx, state.tags, accessSetting, networkaddress, keyURI)
    if state.runningErr != nil {
        // The failure is recorded on state; the step itself still reports nil.
        return nil
    }

    state.accountName = *state.accountGetResults.Name
    return nil
}

// getDatabaseAccountsClient builds a DatabaseAccountsClient for the configured
// subscription and attaches an authorizer created from environment variables
// or Azure Managed Service Identity.
//
// If no authorizer can be obtained the process is terminated via log.Fatalf,
// so the function never returns an unauthenticated client.
func getDatabaseAccountsClient() documentdb.DatabaseAccountsClient {
    subscriptionID := azureutil.GetAzureSubscriptionID()
    client := documentdb.NewDatabaseAccountsClient(subscriptionID)

    authorizer, err := auth.NewAuthorizerFromEnvironment()
    if err != nil {
        log.Fatalf("[DEBUG] Unable to get authorization: %v", err)
    }

    client.Authorizer = authorizer
    return client
}

// generateName asks randname.GenerateWithPrefix for prefix plus 5 additional
// random characters and returns the result lower-cased. It is typically used
// for server or account names.
func generateName(prefix string) string {
    generated := randname.GenerateWithPrefix(prefix, 5)
    return strings.ToLower(generated)
}

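// CreateDatabaseAccount creates or updates an Azure Cosmos DB database account
// under a freshly generated "mycosmosdb"-prefixed name and waits for the
// long-running operation to finish.
//
// Parameters:
//   - ctx: context passed to the create call and to the wait.
//   - tags: resource tags sent with the request.
//   - publicnetworkaccessenum: requested PublicNetworkAccess value.
//   - networkaddress: a single IP address or range for the IP rules; the
//     literal "nil" (case-insensitive) sends an empty IP rule list.
//   - keyvaultkeyuri: Key Vault key URI; it is sent as given, including "".
//
// It returns the account as reported by the service once provisioning is
// complete. An error from the create request or from waiting is returned
// unwrapped and immediately, so callers see the service's own error (for
// example a policy denial) instead of a follow-on error from an unusable
// future.
func CreateDatabaseAccount(ctx context.Context, tags map[string]*string, publicnetworkaccessenum documentdb.PublicNetworkAccess, networkaddress string, keyvaultkeyuri string) (account documentdb.DatabaseAccountGetResults, err error) {
    dbAccountsClient := getDatabaseAccountsClient()

    // Always send a non-nil slice so that "no rules" is serialized as an
    // explicit empty list.
    ipRules := []documentdb.IPAddressOrRange{}
    if strings.ToLower(networkaddress) != "nil" {
        ipRules = append(ipRules, documentdb.IPAddressOrRange{
            IPAddressOrRange: &networkaddress,
        })
    }

    accountName := generateName("mycosmosdb")
    vnetFilterEnabled := false
    location := azureutil.GetAzureLocation()

    future, err := dbAccountsClient.CreateOrUpdate(
        ctx,
        azureutil.GetAzureResourceGP(),
        accountName,
        documentdb.DatabaseAccountCreateUpdateParameters{
            Location: to.StringPtr(location),
            Kind:     documentdb.DatabaseAccountKindGlobalDocumentDB,
            Tags:     tags,
            DatabaseAccountCreateUpdateProperties: &documentdb.DatabaseAccountCreateUpdateProperties{
                DatabaseAccountOfferType:      to.StringPtr("Standard"),
                KeyVaultKeyURI:                &keyvaultkeyuri,
                IsVirtualNetworkFilterEnabled: &vnetFilterEnabled,
                PublicNetworkAccess:           publicnetworkaccessenum,
                IPRules:                       &ipRules,
                Locations: &[]documentdb.Location{
                    {
                        FailoverPriority: to.Int32Ptr(0),
                        LocationName:     to.StringPtr(location),
                    },
                },
            },
        },
    )
    if err != nil {
        // Stop here: the future is not usable after a rejected request, and
        // continuing would replace this error with a less specific one.
        log.Printf("[DEBUG] Account creation request error: %v", err)
        return account, err
    }
    log.Printf("[DEBUG] Account creation request success: %v", accountName)

    if err = future.WaitForCompletionRef(ctx, dbAccountsClient.Client); err != nil {
        return account, err
    }

    account, err = future.Result(dbAccountsClient)
    if err != nil {
        return account, err
    }

    // Read back what the service actually stored. The request only states the
    // desired setting; the provisioned account is what determines exposure, so
    // a difference between the two is logged rather than assumed away.
    if publicnetworkaccessenum != "" && account.DatabaseAccountGetProperties != nil &&
        account.DatabaseAccountGetProperties.PublicNetworkAccess != publicnetworkaccessenum {
        log.Printf("[DEBUG] Account %v: requested publicNetworkAccess %v, service reports %v",
            accountName, publicnetworkaccessenum, account.DatabaseAccountGetProperties.PublicNetworkAccess)
    }

    return account, nil
}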

// GetAzureResourceGP returns the default resource group name.
//
// The name is built once, on the first call, from the test prefix, the literal
// "resourecGP" and the current local time formatted as YYYYMMDDhhmmss; it is
// cached in azureResourceGp and reused by later calls.
func GetAzureResourceGP() string {
    if azureResourceGp != "" {
        return azureResourceGp
    }

    stamp := time.Now().Format("20060102150405")
    azureResourceGp = GetTestPrefix() + "resourecGP" + stamp
    return azureResourceGp
}

// GetTestPrefix returns the test prefix: "test" followed by 6 random
// characters. The value is generated on the first call and cached in
// testprefix for later calls.
//
// NOTE(review): the helper's name suggests a non-cryptographic generator; that
// is fine for naming test resources but the prefix should not be treated as a
// secret - confirm against the helper's implementation.
func GetTestPrefix() string {
    if testprefix != "" {
        return testprefix
    }

    testprefix = "test" + RandStringBytesMaskImprSrcUnsafe(6)
    return testprefix
}

// GetAzureLocation returns the default Azure location, looked up through
// getFromEnvVar using the AzureLocation variable name.
func GetAzureLocation() string {
    location := getFromEnvVar(AzureLocation)
    return location
}

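// Names of the environment variables that configure the tests.
const (
    // AzureLocation is the environment variable that holds the Azure location.
    AzureLocation string = "AZURE_LOCATION"

    // AzureSubscriptionID is the environment variable that holds the Azure
    // subscription ID.
    AzureSubscriptionID string = "AZURE_SUBSCRIPTION_ID"
)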

ghost avatar Aug 02 '21 13:08 ghost

Hi @yamandeepsingh thanks for this issue!

Is it possible that you could run your program again with the SDK logging enabled and paste the log here or in your github gist (please ensure you redacted all sensitive data)? In this way we can confirm whether the issue comes from the SDK or the service.

You can enable the request logging by exporting this env var: AZURE_GO_SDK_LOG_LEVEL=DEBUG

ArcturusZhang avatar Aug 03 '21 04:08 ArcturusZhang

go-output.txt

Sharing the debug logs. This was raised as a support case by customer and they are looking for an answer by August 10. If this is a bug in SDK or something else which needs code change or something, customer could wait, but they want to know about this by August 10

ghost avatar Aug 03 '21 16:08 ghost

Sharing the debug logs. This was raised as a support case by customer and they are looking for an answer by August 10. If this is a bug in SDK or something else which needs code change or something, customer could wait, but they want to know about this by August 10.


Hi @yamandeepsingh thanks for this issue!

Is it possible that you could run your program again with the SDK logging enabled and paste the log here or in your github gist (please ensure you redacted all sensitive data)? In this way we can confirm whether the issue comes from the SDK or the service.

You can enable the request logging by exporting this env var: AZURE_GO_SDK_LOG_LEVEL=DEBUG


2021/08/03 12:09:12 [DEBUG] creating resource group 'testpcgoibresourecGP20210803120912' on location: eastus2 (2021-08-03T12:09:13.3026724-04:00) INFO: REQUEST: PUT https://management.azure.com/subscriptions/6cd693dc-7804-45c6-972f-feca478cf1c2/resourcegroups/testpcgoibresourecGP20210803120912?api-version=2018-02-01 Content-Type: application/json; charset=utf-8 User-Agent: Go/go1.13.3 (amd64-windows) go-autorest/v14.2.1 Azure-SDK-For-Go/v56.0.0 resources/2018-02-01 Authorization: REDACTED {"location":"eastus2","tags":{"env":"test","project":"azure-policy","tier":"internal"}} (2021-08-03T12:09:14.2528526-04:00) INFO: RESPONSE: 201 https://management.azure.com/subscriptions/6cd693dc-7804-45c6-972f-feca478cf1c2/resourcegroups/testpcgoibresourecGP20210803120912?api-version=2018-02-01 Cache-Control: no-cache, proxy-revalidate Content-Length: 287 X-Ms-Request-Id: bc2b8cc4-8870-4891-8309-7f365ae31314 X-Ms-Ratelimit-Remaining-Subscription-Writes: 1199 Date: Tue, 03 Aug 2021 16:09:13 GMT Pragma: no-cache Content-Type: application/json; charset=utf-8 Via: 1.1 rrinbcgwcs51 Connection: Keep-Alive X-Ms-Correlation-Request-Id: bc2b8cc4-8870-4891-8309-7f365ae31314 Strict-Transport-Security: max-age=31536000; includeSubDomains X-Content-Type-Options: nosniff Proxy-Connection: Keep-Alive Expires: -1 X-Ms-Routing-Request-Id: CANADACENTRAL:20210803T160914Z:bc2b8cc4-8870-4891-8309-7f365ae31314 {"id":"/subscriptions/6cd693dc-7804-45c6-972f-feca478cf1c2/resourceGroups/testpcgoibresourecGP20210803120912","name":"testpcgoibresourecGP20210803120912","location":"eastus2","tags":{"env":"test","project":"azure-policy","tier":"internal"},"properties":{"provisioningState":"Succeeded"}} 2021/08/03 12:09:14 [DEBUG] Created resource group: testpcgoibresourecGP20210803120912 2021/08/03 12:09:14 [DEBUG] Setup is successful [1;37mFeature:[0m Deny Unrestricted Network Access to Cosmos DB Accounts In order to prevent unrestricted network access to Cosmos DB accounts As a Cloud Security Architect I want 
to ensure that suitable security controls are applied to Cosmos DB accounts So that Cosmos DB accounts cannot be configured with unrestricted network access 2021/08/03 12:09:14 [DEBUG] Check setup is successful. Step [PASSED]

[1;37mBackground:[0m Control In Place [32mGiven[0m [32msetup is successful[0m [1;30m# cosmosdb-unrestricted_access_test.go:26 -> ms.com/policies/tests/policies/cosmosdb-unrestricted_access.testState.checkSetupSuccessful-fm[0m 2021/08/03 12:09:14 [DEBUG] Getting Policy Assignment with scope: /providers/Microsoft.Management/managementGroups/lz-dev-test-robkozlo2 (2021-08-03T12:09:14.5595102-04:00) INFO: REQUEST: GET https://management.azure.com//providers/Microsoft.Management/managementGroups/lz-dev-test-robkozlo2/providers/Microsoft.Authorization/policyAssignments/deny_cosmosdb_wo_netacl?api-version=2019-09-01 User-Agent: Go/go1.13.3 (amd64-windows) go-autorest/v14.2.1 Azure-SDK-For-Go/v56.0.0 policy/2019-09-01 Authorization: REDACTED (2021-08-03T12:09:14.6467939-04:00) INFO: RESPONSE: 200 https://management.azure.com//providers/Microsoft.Management/managementGroups/lz-dev-test-robkozlo2/providers/Microsoft.Authorization/policyAssignments/deny_cosmosdb_wo_netacl?api-version=2019-09-01 Content-Length: 1058 Content-Type: application/json; charset=utf-8 Strict-Transport-Security: max-age=31536000; includeSubDomains Via: 1.1 rrinbcgwcs51 Proxy-Connection: Keep-Alive Pragma: no-cache Expires: -1 X-Ms-Request-Id: 2ef02405-49f8-4ba4-9e9f-0acda3876094 X-Content-Type-Options: nosniff Date: Tue, 03 Aug 2021 16:09:14 GMT X-Ms-Routing-Request-Id: CANADACENTRAL:20210803T160914Z:2ef02405-49f8-4ba4-9e9f-0acda3876094 Cache-Control: no-cache, proxy-revalidate Connection: Keep-Alive Server: Kestrel X-Ms-Ratelimit-Remaining-Tenant-Reads: 11999 X-Ms-Correlation-Request-Id: 2ef02405-49f8-4ba4-9e9f-0acda3876094 {"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"Azure Cosmos DB accounts should have firewall rules","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb","scope":"/providers/Microsoft.Management/managementGroups/lz-dev-test-robkozlo2","parameters":{"effect":{"value":"Deny"}},"description":"Firewall rules 
should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant.","metadata":{"createdBy":"ba5055ff-61eb-47e8-ba00-067777f42dcf","createdOn":"2021-07-08T19:28:04.0329424Z","updatedBy":null,"updatedOn":null},"enforcementMode":"Default"},"id":"/providers/Microsoft.Management/managementGroups/lz-dev-test-robkozlo2/providers/Microsoft.Authorization/policyAssignments/deny_cosmosdb_wo_netacl","type":"Microsoft.Authorization/policyAssignments","name":"deny_cosmosdb_wo_netacl"} 2021/08/03 12:09:14 [DEBUG] Policy assignment EnforcementMode: Default 2021/08/03 12:09:14 [DEBUG] Policy assignment check: deny_cosmosdb_wo_netacl [PASSED] [32mAnd[0m [32mcontrol is in place to prevent Cosmos DB accounts from being configured with unrestricted network access[0m [1;30m# cosmosdb-unrestricted_access_test.go:27 -> ms.com/policies/tests/policies/cosmosdb-unrestricted_access.testState.checkPolicyAssigned-fm[0m (2021-08-03T12:09:14.8148282-04:00) INFO: REQUEST: PUT https://management.azure.com/subscriptions/6cd693dc-7804-45c6-972f-feca478cf1c2/resourceGroups/testpcgoibresourecGP20210803120912/providers/Microsoft.DocumentDB/databaseAccounts/mycosmosdbxdmip?api-version=2021-06-15 Content-Type: application/json; charset=utf-8 User-Agent: Go/go1.13.3 (amd64-windows) go-autorest/v14.2.1 Azure-SDK-For-Go/v56.0.0 documentdb/2021-06-15 Authorization: REDACTED {"kind":"GlobalDocumentDB","location":"eastus2","properties":{"locations":[{"failoverPriority":0,"locationName":"eastus2"}],"databaseAccountOfferType":"Standard","ipRules":[{"ipAddressOrRange":"170.74.231.0/27"}],"isVirtualNetworkFilterEnabled":false,"keyVaultKeyUri":"","publicNetworkAccess":"Disabled"}} (2021-08-03T12:09:18.7840618-04:00) INFO: RESPONSE: 200 
https://management.azure.com/subscriptions/6cd693dc-7804-45c6-972f-feca478cf1c2/resourceGroups/testpcgoibresourecGP20210803120912/providers/Microsoft.DocumentDB/databaseAccounts/mycosmosdbxdmip?api-version=2021-06-15 Connection: Keep-Alive Azure-Asyncoperation: https://management.azure.com/subscriptions/6cd693dc-7804-45c6-972f-feca478cf1c2/providers/Microsoft.DocumentDB/locations/eastus2/operationsStatus/b4c2d675-eb9c-4329-ac5a-f3e315e45e0b?api-version=2021-06-15 X-Ms-Gatewayversion: version=2.14.0 Server: Microsoft-HTTPAPI/2.0 X-Ms-Correlation-Request-Id: f3ee9f69-9436-4f91-aaeb-09e8ad295f75 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000; includeSubDomains Via: 1.1 rrinbcgwcs51 Proxy-Connection: Keep-Alive Pragma: no-cache Content-Length: 1969 Content-Type: application/json X-Ms-Ratelimit-Remaining-Subscription-Writes: 1198 Date: Tue, 03 Aug 2021 16:09:18 GMT Location: https://management.azure.com/subscriptions/6cd693dc-7804-45c6-972f-feca478cf1c2/resourceGroups/testpcgoibresourecGP20210803120912/providers/Microsoft.DocumentDB/databaseAccounts/mycosmosdbxdmip/operationResults/b4c2d675-eb9c-4329-ac5a-f3e315e45e0b?api-version=2021-06-15 X-Ms-Request-Id: b4c2d675-eb9c-4329-ac5a-f3e315e45e0b X-Ms-Routing-Request-Id: CANADACENTRAL:20210803T160918Z:f3ee9f69-9436-4f91-aaeb-09e8ad295f75 Cache-Control: no-store, no-cache, proxy-revalidate {"id":"/subscriptions/6cd693dc-7804-45c6-972f-feca478cf1c2/resourceGroups/testpcgoibresourecGP20210803120912/providers/Microsoft.DocumentDB/databaseAccounts/mycosmosdbxdmip","name":"mycosmosdbxdmip","location":"East US 
2","type":"Microsoft.DocumentDB/databaseAccounts","kind":"GlobalDocumentDB","tags":{},"systemData":{"createdAt":"2021-08-03T16:09:17.0783529Z"},"properties":{"provisioningState":"Creating","publicNetworkAccess":"Disabled","enableAutomaticFailover":false,"enableMultipleWriteLocations":false,"enablePartitionKeyMonitor":false,"isVirtualNetworkFilterEnabled":false,"virtualNetworkRules":[],"EnabledApiTypes":"Sql","disableKeyBasedMetadataWriteAccess":false,"enableFreeTier":false,"enableAnalyticalStorage":false,"analyticalStorageConfiguration":{"schemaType":"WellDefined"},"instanceId":"2fc9078f-9b2c-4c61-b995-51a93b627d78","databaseAccountOfferType":"Standard","keyVaultKeyUri":"","defaultIdentity":"","networkAclBypass":"None","disableLocalAuth":false,"consistencyPolicy":{"defaultConsistencyLevel":"Session","maxIntervalInSeconds":5,"maxStalenessPrefix":100},"configurationOverrides":{},"writeLocations":[{"id":"mycosmosdbxdmip-eastus2","locationName":"East US 2","provisioningState":"Creating","failoverPriority":0,"isZoneRedundant":false}],"readLocations":[{"id":"mycosmosdbxdmip-eastus2","locationName":"East US 2","provisioningState":"Creating","failoverPriority":0,"isZoneRedundant":false}],"locations":[{"id":"mycosmosdbxdmip-eastus2","locationName":"East US 2","provisioningState":"Creating","failoverPriority":0,"isZoneRedundant":false}],"failoverPolicies":[{"id":"mycosmosdbxdmip-eastus2","locationName":"East US 2","failoverPriority":0}],"cors":[],"capabilities":[],"ipRules":[{"ipAddressOrRange":"170.74.231.0/27"}],"backupPolicy":{"type":"Periodic","periodicModeProperties":{"backupIntervalInMinutes":240,"backupRetentionIntervalInHours":8,"backupStorageRedundancy":"Geo"}},"networkAclBypassResourceIds":[]},"identity":{"type":"None"}} 2021/08/03 12:09:18 [DEBUG] Account creation request success: mycosmosdbxdmip (2021-08-03T12:09:18.7940711-04:00) INFO: REQUEST: GET 
https://management.azure.com/subscriptions/6cd693dc-7804-45c6-972f-feca478cf1c2/providers/Microsoft.DocumentDB/locations/eastus2/operationsStatus/b4c2d675-eb9c-4329-ac5a-f3e315e45e0b?api-version=2021-06-15 User-Agent: Go/go1.13.3 (amd64-windows) go-autorest/v14.2.1 Azure-SDK-For-Go/v56.0.0 documentdb/2021-06-15 Authorization: REDACTED (2021-08-03T12:09:18.8840679-04:00) INFO: RESPONSE: 200 https://management.azure.com/subscriptions/6cd693dc-7804-45c6-972f-feca478cf1c2/providers/Microsoft.DocumentDB/locations/eastus2/operationsStatus/b4c2d675-eb9c-4329-ac5a-f3e315e45e0b?api-version=2021-06-15 Server: Microsoft-HTTPAPI/2.0 X-Ms-Correlation-Request-Id: 0109bf4e-76eb-4d6d-9b01-d6c1073c73fb X-Ms-Routing-Request-Id: CANADACENTRAL:20210803T160918Z:0109bf4e-76eb-4d6d-9b01-d6c1073c73fb Via: 1.1 rrinbcgwcs51 Connection: Keep-Alive X-Ms-Gatewayversion: version=2.14.0 Strict-Transport-Security: max-age=31536000; includeSubDomains X-Ms-Request-Id: 0109bf4e-76eb-4d6d-9b01-d6c1073c73fb X-Content-Type-Options: nosniff X-Ms-Ratelimit-Remaining-Subscription-Reads: 11999 Content-Length: 21 Content-Type: application/json Date: Tue, 03 Aug 2021 16:09:18 GMT Cache-Control: no-store, no-cache, proxy-revalidate Proxy-Connection: Keep-Alive Pragma: no-cache {"status":"Enqueued"} (2021-08-03T12:10:18.8915257-04:00) INFO: REQUEST: GET https://management.azure.com/subscriptions/6cd693dc-7804-45c6-972f-feca478cf1c2/providers/Microsoft.DocumentDB/locations/eastus2/operationsStatus/b4c2d675-eb9c-4329-ac5a-f3e315e45e0b?api-version=2021-06-15 User-Agent: Go/go1.13.3 (amd64-windows) go-autorest/v14.2.1 Azure-SDK-For-Go/v56.0.0 documentdb/2021-06-15 Authorization: REDACTED (2021-08-03T12:10:19.1785380-04:00) INFO: RESPONSE: 200 https://management.azure.com/subscriptions/6cd693dc-7804-45c6-972f-feca478cf1c2/providers/Microsoft.DocumentDB/locations/eastus2/operationsStatus/b4c2d675-eb9c-4329-ac5a-f3e315e45e0b?api-version=2021-06-15 Via: 1.1 rrinbcgwcs51 Pragma: no-cache Content-Length: 21 
Content-Type: application/json X-Ms-Gatewayversion: version=2.14.0 Strict-Transport-Security: max-age=31536000; includeSubDomains Server: Microsoft-HTTPAPI/2.0 Cache-Control: no-store, no-cache, proxy-revalidate X-Ms-Request-Id: 966066d8-78f6-4891-bd07-f34aa5b63b07 X-Ms-Correlation-Request-Id: 966066d8-78f6-4891-bd07-f34aa5b63b07 X-Ms-Routing-Request-Id: CANADACENTRAL:20210803T161019Z:966066d8-78f6-4891-bd07-f34aa5b63b07 Connection: Keep-Alive X-Ms-Ratelimit-Remaining-Subscription-Reads: 11998 X-Content-Type-Options: nosniff Date: Tue, 03 Aug 2021 16:10:19 GMT Proxy-Connection: Keep-Alive {"status":"Dequeued"} (2021-08-03T12:11:19.1813447-04:00) INFO: REQUEST: GET https://management.azure.com/subscriptions/6cd693dc-7804-45c6-972f-feca478cf1c2/providers/Microsoft.DocumentDB/locations/eastus2/operationsStatus/b4c2d675-eb9c-4329-ac5a-f3e315e45e0b?api-version=2021-06-15 Authorization: REDACTED User-Agent: Go/go1.13.3 (amd64-windows) go-autorest/v14.2.1 Azure-SDK-For-Go/v56.0.0 documentdb/2021-06-15 (2021-08-03T12:11:19.3633432-04:00) INFO: RESPONSE: 200 https://management.azure.com/subscriptions/6cd693dc-7804-45c6-972f-feca478cf1c2/providers/Microsoft.DocumentDB/locations/eastus2/operationsStatus/b4c2d675-eb9c-4329-ac5a-f3e315e45e0b?api-version=2021-06-15 X-Content-Type-Options: nosniff Proxy-Connection: Keep-Alive Server: Microsoft-HTTPAPI/2.0 X-Ms-Ratelimit-Remaining-Subscription-Reads: 11997 X-Ms-Routing-Request-Id: CANADACENTRAL:20210803T161119Z:e2eb5b54-88c0-4ce9-9ae1-5e94d323c2f7 Connection: Keep-Alive Content-Type: application/json X-Ms-Correlation-Request-Id: e2eb5b54-88c0-4ce9-9ae1-5e94d323c2f7 X-Ms-Request-Id: e2eb5b54-88c0-4ce9-9ae1-5e94d323c2f7 Date: Tue, 03 Aug 2021 16:11:19 GMT Strict-Transport-Security: max-age=31536000; includeSubDomains X-Ms-Gatewayversion: version=2.14.0 Via: 1.1 rrinbcgwcs51 Cache-Control: no-store, no-cache, proxy-revalidate Pragma: no-cache Content-Length: 22 {"status":"Succeeded"} (2021-08-03T12:11:19.3673489-04:00) INFO: REQUEST: 
GET https://management.azure.com/subscriptions/6cd693dc-7804-45c6-972f-feca478cf1c2/resourceGroups/testpcgoibresourecGP20210803120912/providers/Microsoft.DocumentDB/databaseAccounts/mycosmosdbxdmip?api-version=2021-06-15 User-Agent: Go/go1.13.3 (amd64-windows) go-autorest/v14.2.1 Azure-SDK-For-Go/v56.0.0 documentdb/2021-06-15 Authorization: REDACTED (2021-08-03T12:11:19.4603535-04:00) INFO: RESPONSE: 200 https://management.azure.com/subscriptions/6cd693dc-7804-45c6-972f-feca478cf1c2/resourceGroups/testpcgoibresourecGP20210803120912/providers/Microsoft.DocumentDB/databaseAccounts/mycosmosdbxdmip?api-version=2021-06-15 X-Content-Type-Options: nosniff Strict-Transport-Security: max-age=31536000; includeSubDomains Server: Microsoft-HTTPAPI/2.0 X-Ms-Ratelimit-Remaining-Subscription-Reads: 11996 X-Ms-Correlation-Request-Id: 19bb89e0-2cae-4835-b001-d98f0192f76f Date: Tue, 03 Aug 2021 16:11:19 GMT Cache-Control: no-store, no-cache, proxy-revalidate Content-Length: 2294 X-Ms-Gatewayversion: version=2.14.0 Proxy-Connection: Keep-Alive X-Ms-Request-Id: 19bb89e0-2cae-4835-b001-d98f0192f76f X-Ms-Routing-Request-Id: CANADACENTRAL:20210803T161119Z:19bb89e0-2cae-4835-b001-d98f0192f76f Via: 1.1 rrinbcgwcs51 Connection: Keep-Alive Pragma: no-cache Content-Type: application/json {"id":"/subscriptions/6cd693dc-7804-45c6-972f-feca478cf1c2/resourceGroups/testpcgoibresourecGP20210803120912/providers/Microsoft.DocumentDB/databaseAccounts/mycosmosdbxdmip","name":"mycosmosdbxdmip","location":"East US 
2","type":"Microsoft.DocumentDB/databaseAccounts","kind":"GlobalDocumentDB","tags":{},"systemData":{"createdAt":"2021-08-03T16:10:45.385735Z"},"properties":{"provisioningState":"Succeeded","documentEndpoint":"https://mycosmosdbxdmip.documents.azure.com:443/","publicNetworkAccess":"Disabled","enableAutomaticFailover":false,"enableMultipleWriteLocations":false,"enablePartitionKeyMonitor":false,"isVirtualNetworkFilterEnabled":false,"virtualNetworkRules":[],"EnabledApiTypes":"Sql","disableKeyBasedMetadataWriteAccess":false,"enableFreeTier":false,"enableAnalyticalStorage":false,"analyticalStorageConfiguration":{"schemaType":"WellDefined"},"instanceId":"2fc9078f-9b2c-4c61-b995-51a93b627d78","databaseAccountOfferType":"Standard","keyVaultKeyUri":"","defaultIdentity":"FirstPartyIdentity","networkAclBypass":"None","disableLocalAuth":false,"consistencyPolicy":{"defaultConsistencyLevel":"Session","maxIntervalInSeconds":5,"maxStalenessPrefix":100},"configurationOverrides":{},"writeLocations":[{"id":"mycosmosdbxdmip-eastus2","locationName":"East US 2","documentEndpoint":"https://mycosmosdbxdmip-eastus2.documents.azure.com:443/","provisioningState":"Succeeded","failoverPriority":0,"isZoneRedundant":false}],"readLocations":[{"id":"mycosmosdbxdmip-eastus2","locationName":"East US 2","documentEndpoint":"https://mycosmosdbxdmip-eastus2.documents.azure.com:443/","provisioningState":"Succeeded","failoverPriority":0,"isZoneRedundant":false}],"locations":[{"id":"mycosmosdbxdmip-eastus2","locationName":"East US 2","documentEndpoint":"https://mycosmosdbxdmip-eastus2.documents.azure.com:443/","provisioningState":"Succeeded","failoverPriority":0,"isZoneRedundant":false}],"failoverPolicies":[{"id":"mycosmosdbxdmip-eastus2","locationName":"East US 
2","failoverPriority":0}],"cors":[],"capabilities":[],"ipRules":[{"ipAddressOrRange":"170.74.231.0/27"}],"backupPolicy":{"type":"Periodic","periodicModeProperties":{"backupIntervalInMinutes":240,"backupRetentionIntervalInHours":8,"backupStorageRedundancy":"Geo"}},"networkAclBypassResourceIds":[]},"identity":{"type":"None"}}

[1;37mScenario Outline:[0m Prevent Cosmos DB Accounts From Being Configured With Unrestricted Network Access [1;30m# features\cosmosdb-unrestricted_access.feature:19[0m 2021/08/03 12:11:19 [DEBUG] Expected result: Success 2021/08/03 12:11:19 [DEBUG] Account mycosmosdbxdmip successfully created. [Step PASSED] [36mWhen[0m [36mattempting to configure a Cosmos DB account with public access enabled setting "[0m[1;36m[0m[36m" and network address "[0m[1;36m[0m[36m"[0m [1;30m# cosmosdb-unrestricted_access_test.go:28 -> ms.com/policies/tests/policies/cosmosdb-unrestricted_access.testState.createAccountWithPublicAccessSettingAndNetworkAddressAndKeyVaultKeyURI-fm[0m [36mThen[0m [36mrequest is [0m[1;36m[0m[36m[0m [1;30m# cosmosdb-unrestricted_access_test.go:29 -> ms.com/policies/tests/policies/cosmosdb-unrestricted_access.testState.requestIs-fm[0m [36mAnd[0m [36mthe reason is [0m[1;36m[0m[36m[0m [1;30m# cosmosdb-unrestricted_access_test.go:30 -> ms.com/policies/tests/policies/cosmosdb-unrestricted_access.testState.theReasonIs-fm[0m

[1;37mExamples:[0m
  | [36mpublicaccessenabled[0m | [36mnetworkaddress[0m  | [36mresult[0m  | [36mreason[0m                    |
  | [32mFalse[0m               | [32m170.74.231.0/27[0m | [32mSuccess[0m | [32mn/a[0m                       |

2021/08/03 12:11:19 [DEBUG] Check setup is successful. Step [PASSED] 2021/08/03 12:11:19 [DEBUG] Getting Policy Assignment with scope: /providers/Microsoft.Management/managementGroups/lz-dev-test-robkozlo2 (2021-08-03T12:11:19.6953364-04:00) INFO: REQUEST: GET https://management.azure.com//providers/Microsoft.Management/managementGroups/lz-dev-test-robkozlo2/providers/Microsoft.Authorization/policyAssignments/deny_cosmosdb_wo_netacl?api-version=2019-09-01 User-Agent: Go/go1.13.3 (amd64-windows) go-autorest/v14.2.1 Azure-SDK-For-Go/v56.0.0 policy/2019-09-01 Authorization: REDACTED (2021-08-03T12:11:19.7773472-04:00) INFO: RESPONSE: 200 https://management.azure.com//providers/Microsoft.Management/managementGroups/lz-dev-test-robkozlo2/providers/Microsoft.Authorization/policyAssignments/deny_cosmosdb_wo_netacl?api-version=2019-09-01 Proxy-Connection: Keep-Alive Connection: Keep-Alive Pragma: no-cache Content-Type: application/json; charset=utf-8 X-Ms-Routing-Request-Id: CANADACENTRAL:20210803T161119Z:3e4bdc9f-97c8-4068-8242-ac350f0ee29b Cache-Control: no-cache, proxy-revalidate Strict-Transport-Security: max-age=31536000; includeSubDomains X-Content-Type-Options: nosniff Via: 1.1 rrinbcgwcs51 X-Ms-Ratelimit-Remaining-Tenant-Reads: 11998 X-Ms-Request-Id: 3e4bdc9f-97c8-4068-8242-ac350f0ee29b Date: Tue, 03 Aug 2021 16:11:19 GMT Content-Length: 1058 Expires: -1 Server: Kestrel X-Ms-Correlation-Request-Id: 3e4bdc9f-97c8-4068-8242-ac350f0ee29b {"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"Azure Cosmos DB accounts should have firewall rules","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb","scope":"/providers/Microsoft.Management/managementGroups/lz-dev-test-robkozlo2","parameters":{"effect":{"value":"Deny"}},"description":"Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. 
Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant.","metadata":{"createdBy":"ba5055ff-61eb-47e8-ba00-067777f42dcf","createdOn":"2021-07-08T19:28:04.0329424Z","updatedBy":null,"updatedOn":null},"enforcementMode":"Default"},"id":"/providers/Microsoft.Management/managementGroups/lz-dev-test-robkozlo2/providers/Microsoft.Authorization/policyAssignments/deny_cosmosdb_wo_netacl","type":"Microsoft.Authorization/policyAssignments","name":"deny_cosmosdb_wo_netacl"} 2021/08/03 12:11:19 [DEBUG] Policy assignment EnforcementMode: Default 2021/08/03 12:11:19 [DEBUG] Policy assignment check: deny_cosmosdb_wo_netacl [PASSED] (2021-08-03T12:11:19.9473460-04:00) INFO: REQUEST: PUT https://management.azure.com/subscriptions/6cd693dc-7804-45c6-972f-feca478cf1c2/resourceGroups/testpcgoibresourecGP20210803120912/providers/Microsoft.DocumentDB/databaseAccounts/mycosmosdbvcdfi?api-version=2021-06-15 Content-Type: application/json; charset=utf-8 User-Agent: Go/go1.13.3 (amd64-windows) go-autorest/v14.2.1 Azure-SDK-For-Go/v56.0.0 documentdb/2021-06-15 Authorization: REDACTED {"kind":"GlobalDocumentDB","location":"eastus2","properties":{"locations":[{"failoverPriority":0,"locationName":"eastus2"}],"databaseAccountOfferType":"Standard","ipRules":[],"isVirtualNetworkFilterEnabled":false,"keyVaultKeyUri":"","publicNetworkAccess":"Disabled"}} (2021-08-03T12:11:23.9603876-04:00) INFO: RESPONSE: 200 https://management.azure.com/subscriptions/6cd693dc-7804-45c6-972f-feca478cf1c2/resourceGroups/testpcgoibresourecGP20210803120912/providers/Microsoft.DocumentDB/databaseAccounts/mycosmosdbvcdfi?api-version=2021-06-15 Content-Length: 1931 X-Ms-Request-Id: 767d14d3-cdb0-440e-887b-18f3bbaaf6b6 X-Ms-Gatewayversion: version=2.14.0 Location: 
https://management.azure.com/subscriptions/6cd693dc-7804-45c6-972f-feca478cf1c2/resourceGroups/testpcgoibresourecGP20210803120912/providers/Microsoft.DocumentDB/databaseAccounts/mycosmosdbvcdfi/operationResults/767d14d3-cdb0-440e-887b-18f3bbaaf6b6?api-version=2021-06-15 Azure-Asyncoperation: https://management.azure.com/subscriptions/6cd693dc-7804-45c6-972f-feca478cf1c2/providers/Microsoft.DocumentDB/locations/eastus2/operationsStatus/767d14d3-cdb0-440e-887b-18f3bbaaf6b6?api-version=2021-06-15 X-Ms-Ratelimit-Remaining-Subscription-Writes: 1197 Via: 1.1 rrinbcgwcs51 Proxy-Connection: Keep-Alive Strict-Transport-Security: max-age=31536000; includeSubDomains Connection: Keep-Alive X-Content-Type-Options: nosniff Date: Tue, 03 Aug 2021 16:11:23 GMT Cache-Control: no-store, no-cache, proxy-revalidate Pragma: no-cache Content-Type: application/json Server: Microsoft-HTTPAPI/2.0 X-Ms-Correlation-Request-Id: cfe2b592-2b7e-4662-b926-2f182702f350 X-Ms-Routing-Request-Id: CANADACENTRAL:20210803T161124Z:cfe2b592-2b7e-4662-b926-2f182702f350 {"id":"/subscriptions/6cd693dc-7804-45c6-972f-feca478cf1c2/resourceGroups/testpcgoibresourecGP20210803120912/providers/Microsoft.DocumentDB/databaseAccounts/mycosmosdbvcdfi","name":"mycosmosdbvcdfi","location":"East US 
2","type":"Microsoft.DocumentDB/databaseAccounts","kind":"GlobalDocumentDB","tags":{},"systemData":{"createdAt":"2021-08-03T16:11:22.0793999Z"},"properties":{"provisioningState":"Creating","publicNetworkAccess":"Disabled","enableAutomaticFailover":false,"enableMultipleWriteLocations":false,"enablePartitionKeyMonitor":false,"isVirtualNetworkFilterEnabled":false,"virtualNetworkRules":[],"EnabledApiTypes":"Sql","disableKeyBasedMetadataWriteAccess":false,"enableFreeTier":false,"enableAnalyticalStorage":false,"analyticalStorageConfiguration":{"schemaType":"WellDefined"},"instanceId":"01dd7922-3bb4-4c61-82ed-6c477179405b","databaseAccountOfferType":"Standard","keyVaultKeyUri":"","defaultIdentity":"","networkAclBypass":"None","disableLocalAuth":false,"consistencyPolicy":{"defaultConsistencyLevel":"Session","maxIntervalInSeconds":5,"maxStalenessPrefix":100},"configurationOverrides":{},"writeLocations":[{"id":"mycosmosdbvcdfi-eastus2","locationName":"East US 2","provisioningState":"Creating","failoverPriority":0,"isZoneRedundant":false}],"readLocations":[{"id":"mycosmosdbvcdfi-eastus2","locationName":"East US 2","provisioningState":"Creating","failoverPriority":0,"isZoneRedundant":false}],"locations":[{"id":"mycosmosdbvcdfi-eastus2","locationName":"East US 2","provisioningState":"Creating","failoverPriority":0,"isZoneRedundant":false}],"failoverPolicies":[{"id":"mycosmosdbvcdfi-eastus2","locationName":"East US 2","failoverPriority":0}],"cors":[],"capabilities":[],"ipRules":[],"backupPolicy":{"type":"Periodic","periodicModeProperties":{"backupIntervalInMinutes":240,"backupRetentionIntervalInHours":8,"backupStorageRedundancy":"Geo"}},"networkAclBypassResourceIds":[]},"identity":{"type":"None"}} 2021/08/03 12:11:23 [DEBUG] Account creation request success: mycosmosdbvcdfi (2021-08-03T12:11:23.9633797-04:00) INFO: REQUEST: GET 
https://management.azure.com/subscriptions/6cd693dc-7804-45c6-972f-feca478cf1c2/providers/Microsoft.DocumentDB/locations/eastus2/operationsStatus/767d14d3-cdb0-440e-887b-18f3bbaaf6b6?api-version=2021-06-15 User-Agent: Go/go1.13.3 (amd64-windows) go-autorest/v14.2.1 Azure-SDK-For-Go/v56.0.0 documentdb/2021-06-15 Authorization: REDACTED (2021-08-03T12:11:24.0484006-04:00) INFO: RESPONSE: 200 https://management.azure.com/subscriptions/6cd693dc-7804-45c6-972f-feca478cf1c2/providers/Microsoft.DocumentDB/locations/eastus2/operationsStatus/767d14d3-cdb0-440e-887b-18f3bbaaf6b6?api-version=2021-06-15 Cache-Control: no-store, no-cache, proxy-revalidate Server: Microsoft-HTTPAPI/2.0 X-Ms-Ratelimit-Remaining-Subscription-Reads: 11995 Via: 1.1 rrinbcgwcs51 X-Ms-Routing-Request-Id: CANADACENTRAL:20210803T161124Z:805d5975-8133-4ca2-9d30-bcb3d7ce65f5 X-Content-Type-Options: nosniff Connection: Keep-Alive Pragma: no-cache Content-Type: application/json X-Ms-Request-Id: 805d5975-8133-4ca2-9d30-bcb3d7ce65f5 X-Ms-Correlation-Request-Id: 805d5975-8133-4ca2-9d30-bcb3d7ce65f5 Content-Length: 21 Strict-Transport-Security: max-age=31536000; includeSubDomains X-Ms-Gatewayversion: version=2.14.0 Date: Tue, 03 Aug 2021 16:11:23 GMT Proxy-Connection: Keep-Alive {"status":"Enqueued"} (2021-08-03T12:12:24.0527588-04:00) INFO: REQUEST: GET https://management.azure.com/subscriptions/6cd693dc-7804-45c6-972f-feca478cf1c2/providers/Microsoft.DocumentDB/locations/eastus2/operationsStatus/767d14d3-cdb0-440e-887b-18f3bbaaf6b6?api-version=2021-06-15 User-Agent: Go/go1.13.3 (amd64-windows) go-autorest/v14.2.1 Azure-SDK-For-Go/v56.0.0 documentdb/2021-06-15 Authorization: REDACTED (2021-08-03T12:12:24.2307735-04:00) INFO: RESPONSE: 200 https://management.azure.com/subscriptions/6cd693dc-7804-45c6-972f-feca478cf1c2/providers/Microsoft.DocumentDB/locations/eastus2/operationsStatus/767d14d3-cdb0-440e-887b-18f3bbaaf6b6?api-version=2021-06-15 X-Ms-Correlation-Request-Id: b5177931-1a51-43f1-b657-60c2cb99bab2 
Connection: Keep-Alive Strict-Transport-Security: max-age=31536000; includeSubDomains X-Ms-Ratelimit-Remaining-Subscription-Reads: 11994 X-Content-Type-Options: nosniff Via: 1.1 rrinbcgwcs51 Content-Length: 21 Server: Microsoft-HTTPAPI/2.0 X-Ms-Routing-Request-Id: CANADACENTRAL:20210803T161224Z:b5177931-1a51-43f1-b657-60c2cb99bab2 Cache-Control: no-store, no-cache, proxy-revalidate X-Ms-Gatewayversion: version=2.14.0 X-Ms-Request-Id: b5177931-1a51-43f1-b657-60c2cb99bab2 Date: Tue, 03 Aug 2021 16:12:23 GMT Proxy-Connection: Keep-Alive Pragma: no-cache Content-Type: application/json {"status":"Dequeued"} (2021-08-03T12:13:24.2378300-04:00) INFO: REQUEST: GET https://management.azure.com/subscriptions/6cd693dc-7804-45c6-972f-feca478cf1c2/providers/Microsoft.DocumentDB/locations/eastus2/operationsStatus/767d14d3-cdb0-440e-887b-18f3bbaaf6b6?api-version=2021-06-15 User-Agent: Go/go1.13.3 (amd64-windows) go-autorest/v14.2.1 Azure-SDK-For-Go/v56.0.0 documentdb/2021-06-15 Authorization: REDACTED (2021-08-03T12:13:24.4388166-04:00) INFO: RESPONSE: 200 https://management.azure.com/subscriptions/6cd693dc-7804-45c6-972f-feca478cf1c2/providers/Microsoft.DocumentDB/locations/eastus2/operationsStatus/767d14d3-cdb0-440e-887b-18f3bbaaf6b6?api-version=2021-06-15 Pragma: no-cache Strict-Transport-Security: max-age=31536000; includeSubDomains X-Ms-Request-Id: c38a472a-acdf-4f2f-80ef-dfc2729a657f X-Ms-Routing-Request-Id: CANADACENTRAL:20210803T161324Z:c38a472a-acdf-4f2f-80ef-dfc2729a657f Date: Tue, 03 Aug 2021 16:13:24 GMT Cache-Control: no-store, no-cache, proxy-revalidate Server: Microsoft-HTTPAPI/2.0 Proxy-Connection: Keep-Alive Content-Length: 22 Content-Type: application/json X-Content-Type-Options: nosniff X-Ms-Gatewayversion: version=2.14.0 X-Ms-Ratelimit-Remaining-Subscription-Reads: 11993 X-Ms-Correlation-Request-Id: c38a472a-acdf-4f2f-80ef-dfc2729a657f Via: 1.1 rrinbcgwcs51 Connection: Keep-Alive {"status":"Succeeded"} (2021-08-03T12:13:24.4398469-04:00) INFO: REQUEST: GET 
https://management.azure.com/subscriptions/6cd693dc-7804-45c6-972f-feca478cf1c2/resourceGroups/testpcgoibresourecGP20210803120912/providers/Microsoft.DocumentDB/databaseAccounts/mycosmosdbvcdfi?api-version=2021-06-15 User-Agent: Go/go1.13.3 (amd64-windows) go-autorest/v14.2.1 Azure-SDK-For-Go/v56.0.0 documentdb/2021-06-15 Authorization: REDACTED (2021-08-03T12:13:24.5358192-04:00) INFO: RESPONSE: 200 https://management.azure.com/subscriptions/6cd693dc-7804-45c6-972f-feca478cf1c2/resourceGroups/testpcgoibresourecGP20210803120912/providers/Microsoft.DocumentDB/databaseAccounts/mycosmosdbvcdfi?api-version=2021-06-15 Server: Microsoft-HTTPAPI/2.0 Connection: Keep-Alive X-Ms-Gatewayversion: version=2.14.0 Strict-Transport-Security: max-age=31536000; includeSubDomains X-Ms-Ratelimit-Remaining-Subscription-Reads: 11992 X-Ms-Correlation-Request-Id: 182d1b40-7665-4d7d-91c9-993c6f7ee275 X-Content-Type-Options: nosniff Content-Length: 2257 Content-Type: application/json Date: Tue, 03 Aug 2021 16:13:24 GMT Via: 1.1 rrinbcgwcs51 Pragma: no-cache X-Ms-Routing-Request-Id: CANADACENTRAL:20210803T161324Z:182d1b40-7665-4d7d-91c9-993c6f7ee275 Cache-Control: no-store, no-cache, proxy-revalidate Proxy-Connection: Keep-Alive X-Ms-Request-Id: 182d1b40-7665-4d7d-91c9-993c6f7ee275 {"id":"/subscriptions/6cd693dc-7804-45c6-972f-feca478cf1c2/resourceGroups/testpcgoibresourecGP20210803120912/providers/Microsoft.DocumentDB/databaseAccounts/mycosmosdbvcdfi","name":"mycosmosdbvcdfi","location":"East US 
2","type":"Microsoft.DocumentDB/databaseAccounts","kind":"GlobalDocumentDB","tags":{},"systemData":{"createdAt":"2021-08-03T16:12:38.4072156Z"},"properties":{"provisioningState":"Succeeded","documentEndpoint":"https://mycosmosdbvcdfi.documents.azure.com:443/","publicNetworkAccess":"Disabled","enableAutomaticFailover":false,"enableMultipleWriteLocations":false,"enablePartitionKeyMonitor":false,"isVirtualNetworkFilterEnabled":false,"virtualNetworkRules":[],"EnabledApiTypes":"Sql","disableKeyBasedMetadataWriteAccess":false,"enableFreeTier":false,"enableAnalyticalStorage":false,"analyticalStorageConfiguration":{"schemaType":"WellDefined"},"instanceId":"01dd7922-3bb4-4c61-82ed-6c477179405b","databaseAccountOfferType":"Standard","keyVaultKeyUri":"","defaultIdentity":"FirstPartyIdentity","networkAclBypass":"None","disableLocalAuth":false,"consistencyPolicy":{"defaultConsistencyLevel":"Session","maxIntervalInSeconds":5,"maxStalenessPrefix":100},"configurationOverrides":{},"writeLocations":[{"id":"mycosmosdbvcdfi-eastus2","locationName":"East US 2","documentEndpoint":"https://mycosmosdbvcdfi-eastus2.documents.azure.com:443/","provisioningState":"Succeeded","failoverPriority":0,"isZoneRedundant":false}],"readLocations":[{"id":"mycosmosdbvcdfi-eastus2","locationName":"East US 2","documentEndpoint":"https://mycosmosdbvcdfi-eastus2.documents.azure.com:443/","provisioningState":"Succeeded","failoverPriority":0,"isZoneRedundant":false}],"locations":[{"id":"mycosmosdbvcdfi-eastus2","locationName":"East US 2","documentEndpoint":"https://mycosmosdbvcdfi-eastus2.documents.azure.com:443/","provisioningState":"Succeeded","failoverPriority":0,"isZoneRedundant":false}],"failoverPolicies":[{"id":"mycosmosdbvcdfi-eastus2","locationName":"East US 
2","failoverPriority":0}],"cors":[],"capabilities":[],"ipRules":[],"backupPolicy":{"type":"Periodic","periodicModeProperties":{"backupIntervalInMinutes":240,"backupRetentionIntervalInHours":8,"backupStorageRedundancy":"Geo"}},"networkAclBypassResourceIds":[]},"identity":{"type":"None"}} 2021/08/03 12:13:24 [DEBUG] Expected result: Failure | [31mFalse[0m | [31mnil[0m | [31mFailure[0m | [31mRequestDisallowedByPolicy[0m | [1;31mIncorrectly created account[0m 2021/08/03 12:13:24 [DEBUG] Check setup is successful. Step [PASSED] 2021/08/03 12:13:24 [DEBUG] Getting Policy Assignment with scope: /providers/Microsoft.Management/managementGroups/lz-dev-test-robkozlo2 (2021-08-03T12:13:24.7518383-04:00) INFO: REQUEST: GET https://management.azure.com//providers/Microsoft.Management/managementGroups/lz-dev-test-robkozlo2/providers/Microsoft.Authorization/policyAssignments/deny_cosmosdb_wo_netacl?api-version=2019-09-01 User-Agent: Go/go1.13.3 (amd64-windows) go-autorest/v14.2.1 Azure-SDK-For-Go/v56.0.0 policy/2019-09-01 Authorization: REDACTED (2021-08-03T12:13:24.8408267-04:00) INFO: RESPONSE: 200 https://management.azure.com//providers/Microsoft.Management/managementGroups/lz-dev-test-robkozlo2/providers/Microsoft.Authorization/policyAssignments/deny_cosmosdb_wo_netacl?api-version=2019-09-01 Content-Type: application/json; charset=utf-8 Strict-Transport-Security: max-age=31536000; includeSubDomains X-Ms-Request-Id: acbf1d5d-8116-4656-aaac-fba116afbe61 X-Ms-Routing-Request-Id: CANADACENTRAL:20210803T161324Z:acbf1d5d-8116-4656-aaac-fba116afbe61 X-Content-Type-Options: nosniff Proxy-Connection: Keep-Alive Pragma: no-cache Content-Length: 1058 Expires: -1 X-Ms-Correlation-Request-Id: acbf1d5d-8116-4656-aaac-fba116afbe61 Date: Tue, 03 Aug 2021 16:13:24 GMT Server: Kestrel X-Ms-Ratelimit-Remaining-Tenant-Reads: 11997 Via: 1.1 rrinbcgwcs51 Cache-Control: no-cache, proxy-revalidate Connection: Keep-Alive {"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"Azure Cosmos DB 
accounts should have firewall rules","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb","scope":"/providers/Microsoft.Management/managementGroups/lz-dev-test-robkozlo2","parameters":{"effect":{"value":"Deny"}},"description":"Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant.","metadata":{"createdBy":"ba5055ff-61eb-47e8-ba00-067777f42dcf","createdOn":"2021-07-08T19:28:04.0329424Z","updatedBy":null,"updatedOn":null},"enforcementMode":"Default"},"id":"/providers/Microsoft.Management/managementGroups/lz-dev-test-robkozlo2/providers/Microsoft.Authorization/policyAssignments/deny_cosmosdb_wo_netacl","type":"Microsoft.Authorization/policyAssignments","name":"deny_cosmosdb_wo_netacl"} 2021/08/03 12:13:24 [DEBUG] Policy assignment EnforcementMode: Default 2021/08/03 12:13:24 [DEBUG] Policy assignment check: deny_cosmosdb_wo_netacl [PASSED] (2021-08-03T12:13:25.0228335-04:00) INFO: REQUEST: PUT https://management.azure.com/subscriptions/6cd693dc-7804-45c6-972f-feca478cf1c2/resourceGroups/testpcgoibresourecGP20210803120912/providers/Microsoft.DocumentDB/databaseAccounts/mycosmosdbld26a?api-version=2021-06-15 User-Agent: Go/go1.13.3 (amd64-windows) go-autorest/v14.2.1 Azure-SDK-For-Go/v56.0.0 documentdb/2021-06-15 Authorization: REDACTED Content-Type: application/json; charset=utf-8 {"kind":"GlobalDocumentDB","location":"eastus2","properties":{"locations":[{"failoverPriority":0,"locationName":"eastus2"}],"databaseAccountOfferType":"Standard","ipRules":[{"ipAddressOrRange":"170.74.231.0/27"}],"isVirtualNetworkFilterEnabled":false,"keyVaultKeyUri":"","publicNetworkAccess":"Enabled"}} (2021-08-03T12:13:29.1503208-04:00) INFO: RESPONSE: 200 
https://management.azure.com/subscriptions/6cd693dc-7804-45c6-972f-feca478cf1c2/resourceGroups/testpcgoibresourecGP20210803120912/providers/Microsoft.DocumentDB/databaseAccounts/mycosmosdbld26a?api-version=2021-06-15 X-Ms-Gatewayversion: version=2.14.0 Date: Tue, 03 Aug 2021 16:13:29 GMT Via: 1.1 rrinbcgwcs51 Content-Length: 1968 X-Ms-Ratelimit-Remaining-Subscription-Writes: 1196 X-Content-Type-Options: nosniff Pragma: no-cache Server: Microsoft-HTTPAPI/2.0 X-Ms-Correlation-Request-Id: 354eed01-4c86-4bf0-83e6-29f64a0d18d4 Proxy-Connection: Keep-Alive Connection: Keep-Alive Content-Type: application/json X-Ms-Request-Id: 49a16b81-9e3a-4b3f-85f8-3c4f844705e9 Azure-Asyncoperation: https://management.azure.com/subscriptions/6cd693dc-7804-45c6-972f-feca478cf1c2/providers/Microsoft.DocumentDB/locations/eastus2/operationsStatus/49a16b81-9e3a-4b3f-85f8-3c4f844705e9?api-version=2021-06-15 Strict-Transport-Security: max-age=31536000; includeSubDomains X-Ms-Routing-Request-Id: CANADACENTRAL:20210803T161329Z:354eed01-4c86-4bf0-83e6-29f64a0d18d4 Cache-Control: no-store, no-cache, proxy-revalidate Location: https://management.azure.com/subscriptions/6cd693dc-7804-45c6-972f-feca478cf1c2/resourceGroups/testpcgoibresourecGP20210803120912/providers/Microsoft.DocumentDB/databaseAccounts/mycosmosdbld26a/operationResults/49a16b81-9e3a-4b3f-85f8-3c4f844705e9?api-version=2021-06-15 {"id":"/subscriptions/6cd693dc-7804-45c6-972f-feca478cf1c2/resourceGroups/testpcgoibresourecGP20210803120912/providers/Microsoft.DocumentDB/databaseAccounts/mycosmosdbld26a","name":"mycosmosdbld26a","location":"East US 
2","type":"Microsoft.DocumentDB/databaseAccounts","kind":"GlobalDocumentDB","tags":{},"systemData":{"createdAt":"2021-08-03T16:13:27.3362082Z"},"properties":{"provisioningState":"Creating","publicNetworkAccess":"Enabled","enableAutomaticFailover":false,"enableMultipleWriteLocations":false,"enablePartitionKeyMonitor":false,"isVirtualNetworkFilterEnabled":false,"virtualNetworkRules":[],"EnabledApiTypes":"Sql","disableKeyBasedMetadataWriteAccess":false,"enableFreeTier":false,"enableAnalyticalStorage":false,"analyticalStorageConfiguration":{"schemaType":"WellDefined"},"instanceId":"022922cc-ead2-4069-924f-68d06c72c022","databaseAccountOfferType":"Standard","keyVaultKeyUri":"","defaultIdentity":"","networkAclBypass":"None","disableLocalAuth":false,"consistencyPolicy":{"defaultConsistencyLevel":"Session","maxIntervalInSeconds":5,"maxStalenessPrefix":100},"configurationOverrides":{},"writeLocations":[{"id":"mycosmosdbld26a-eastus2","locationName":"East US 2","provisioningState":"Creating","failoverPriority":0,"isZoneRedundant":false}],"readLocations":[{"id":"mycosmosdbld26a-eastus2","locationName":"East US 2","provisioningState":"Creating","failoverPriority":0,"isZoneRedundant":false}],"locations":[{"id":"mycosmosdbld26a-eastus2","locationName":"East US 2","provisioningState":"Creating","failoverPriority":0,"isZoneRedundant":false}],"failoverPolicies":[{"id":"mycosmosdbld26a-eastus2","locationName":"East US 2","failoverPriority":0}],"cors":[],"capabilities":[],"ipRules":[{"ipAddressOrRange":"170.74.231.0/27"}],"backupPolicy":{"type":"Periodic","periodicModeProperties":{"backupIntervalInMinutes":240,"backupRetentionIntervalInHours":8,"backupStorageRedundancy":"Geo"}},"networkAclBypassResourceIds":[]},"identity":{"type":"None"}} 2021/08/03 12:13:29 [DEBUG] Account creation request success: mycosmosdbld26a (2021-08-03T12:13:29.1523235-04:00) INFO: REQUEST: GET 
https://management.azure.com/subscriptions/6cd693dc-7804-45c6-972f-feca478cf1c2/providers/Microsoft.DocumentDB/locations/eastus2/operationsStatus/49a16b81-9e3a-4b3f-85f8-3c4f844705e9?api-version=2021-06-15 User-Agent: Go/go1.13.3 (amd64-windows) go-autorest/v14.2.1 Azure-SDK-For-Go/v56.0.0 documentdb/2021-06-15 Authorization: REDACTED (2021-08-03T12:13:29.2353293-04:00) INFO: RESPONSE: 200 https://management.azure.com/subscriptions/6cd693dc-7804-45c6-972f-feca478cf1c2/providers/Microsoft.DocumentDB/locations/eastus2/operationsStatus/49a16b81-9e3a-4b3f-85f8-3c4f844705e9?api-version=2021-06-15 Content-Length: 21 X-Ms-Ratelimit-Remaining-Subscription-Reads: 11991 X-Ms-Request-Id: bb9ad356-618f-45e9-91f2-62ae2c563313 X-Ms-Routing-Request-Id: CANADACENTRAL:20210803T161329Z:bb9ad356-618f-45e9-91f2-62ae2c563313 Cache-Control: no-store, no-cache, proxy-revalidate Connection: Keep-Alive Pragma: no-cache Content-Type: application/json Strict-Transport-Security: max-age=31536000; includeSubDomains Via: 1.1 rrinbcgwcs51 Proxy-Connection: Keep-Alive X-Ms-Gatewayversion: version=2.14.0 Server: Microsoft-HTTPAPI/2.0 X-Ms-Correlation-Request-Id: bb9ad356-618f-45e9-91f2-62ae2c563313 X-Content-Type-Options: nosniff Date: Tue, 03 Aug 2021 16:13:29 GMT {"status":"Enqueued"} (2021-08-03T12:14:29.2381577-04:00) INFO: REQUEST: GET https://management.azure.com/subscriptions/6cd693dc-7804-45c6-972f-feca478cf1c2/providers/Microsoft.DocumentDB/locations/eastus2/operationsStatus/49a16b81-9e3a-4b3f-85f8-3c4f844705e9?api-version=2021-06-15 User-Agent: Go/go1.13.3 (amd64-windows) go-autorest/v14.2.1 Azure-SDK-For-Go/v56.0.0 documentdb/2021-06-15 Authorization: REDACTED (2021-08-03T12:14:29.4231544-04:00) INFO: RESPONSE: 200 https://management.azure.com/subscriptions/6cd693dc-7804-45c6-972f-feca478cf1c2/providers/Microsoft.DocumentDB/locations/eastus2/operationsStatus/49a16b81-9e3a-4b3f-85f8-3c4f844705e9?api-version=2021-06-15 X-Ms-Gatewayversion: version=2.14.0 Server: Microsoft-HTTPAPI/2.0 
X-Content-Type-Options: nosniff Cache-Control: no-store, no-cache, proxy-revalidate Proxy-Connection: Keep-Alive Content-Length: 21 X-Ms-Ratelimit-Remaining-Subscription-Reads: 11990 X-Ms-Routing-Request-Id: CANADACENTRAL:20210803T161429Z:bf917016-cfdd-4ca9-a620-620bd6de3f8a Via: 1.1 rrinbcgwcs51 Connection: Keep-Alive Content-Type: application/json Strict-Transport-Security: max-age=31536000; includeSubDomains X-Ms-Correlation-Request-Id: bf917016-cfdd-4ca9-a620-620bd6de3f8a Pragma: no-cache X-Ms-Request-Id: bf917016-cfdd-4ca9-a620-620bd6de3f8a Date: Tue, 03 Aug 2021 16:14:29 GMT {"status":"Dequeued"} (2021-08-03T12:15:29.4276730-04:00) INFO: REQUEST: GET https://management.azure.com/subscriptions/6cd693dc-7804-45c6-972f-feca478cf1c2/providers/Microsoft.DocumentDB/locations/eastus2/operationsStatus/49a16b81-9e3a-4b3f-85f8-3c4f844705e9?api-version=2021-06-15 User-Agent: Go/go1.13.3 (amd64-windows) go-autorest/v14.2.1 Azure-SDK-For-Go/v56.0.0 documentdb/2021-06-15 Authorization: REDACTED (2021-08-03T12:15:29.6446773-04:00) INFO: RESPONSE: 200 https://management.azure.com/subscriptions/6cd693dc-7804-45c6-972f-feca478cf1c2/providers/Microsoft.DocumentDB/locations/eastus2/operationsStatus/49a16b81-9e3a-4b3f-85f8-3c4f844705e9?api-version=2021-06-15 Content-Type: application/json Strict-Transport-Security: max-age=31536000; includeSubDomains X-Ms-Gatewayversion: version=2.14.0 X-Ms-Request-Id: bd8fce10-9b18-4499-b3cd-e3b5d438ab5e Date: Tue, 03 Aug 2021 16:15:29 GMT Connection: Keep-Alive X-Ms-Correlation-Request-Id: bd8fce10-9b18-4499-b3cd-e3b5d438ab5e X-Content-Type-Options: nosniff Via: 1.1 rrinbcgwcs51 Pragma: no-cache Content-Length: 22 Server: Microsoft-HTTPAPI/2.0 Proxy-Connection: Keep-Alive X-Ms-Ratelimit-Remaining-Subscription-Reads: 11999 X-Ms-Routing-Request-Id: CENTRALUS:20210803T161529Z:bd8fce10-9b18-4499-b3cd-e3b5d438ab5e Cache-Control: no-store, no-cache, proxy-revalidate {"status":"Succeeded"} (2021-08-03T12:15:29.6466871-04:00) INFO: REQUEST: GET 
https://management.azure.com/subscriptions/6cd693dc-7804-45c6-972f-feca478cf1c2/resourceGroups/testpcgoibresourecGP20210803120912/providers/Microsoft.DocumentDB/databaseAccounts/mycosmosdbld26a?api-version=2021-06-15 Authorization: REDACTED User-Agent: Go/go1.13.3 (amd64-windows) go-autorest/v14.2.1 Azure-SDK-For-Go/v56.0.0 documentdb/2021-06-15 (2021-08-03T12:15:29.7407113-04:00) INFO: RESPONSE: 200 https://management.azure.com/subscriptions/6cd693dc-7804-45c6-972f-feca478cf1c2/resourceGroups/testpcgoibresourecGP20210803120912/providers/Microsoft.DocumentDB/databaseAccounts/mycosmosdbld26a?api-version=2021-06-15 X-Ms-Ratelimit-Remaining-Subscription-Reads: 11998 X-Ms-Request-Id: 633606ab-8ab0-45cb-8ae5-525046ce6a0f X-Ms-Correlation-Request-Id: 633606ab-8ab0-45cb-8ae5-525046ce6a0f Via: 1.1 rrinbcgwcs51 Content-Length: 2294 Server: Microsoft-HTTPAPI/2.0 Date: Tue, 03 Aug 2021 16:15:29 GMT Connection: Keep-Alive Content-Type: application/json Strict-Transport-Security: max-age=31536000; includeSubDomains X-Ms-Gatewayversion: version=2.14.0 X-Ms-Routing-Request-Id: CENTRALUS:20210803T161529Z:633606ab-8ab0-45cb-8ae5-525046ce6a0f X-Content-Type-Options: nosniff Cache-Control: no-store, no-cache, proxy-revalidate Proxy-Connection: Keep-Alive Pragma: no-cache {"id":"/subscriptions/6cd693dc-7804-45c6-972f-feca478cf1c2/resourceGroups/testpcgoibresourecGP20210803120912/providers/Microsoft.DocumentDB/databaseAccounts/mycosmosdbld26a","name":"mycosmosdbld26a","location":"East US 
2","type":"Microsoft.DocumentDB/databaseAccounts","kind":"GlobalDocumentDB","tags":{},"systemData":{"createdAt":"2021-08-03T16:14:42.2616386Z"},"properties":{"provisioningState":"Succeeded","documentEndpoint":"https://mycosmosdbld26a.documents.azure.com:443/","publicNetworkAccess":"Enabled","enableAutomaticFailover":false,"enableMultipleWriteLocations":false,"enablePartitionKeyMonitor":false,"isVirtualNetworkFilterEnabled":false,"virtualNetworkRules":[],"EnabledApiTypes":"Sql","disableKeyBasedMetadataWriteAccess":false,"enableFreeTier":false,"enableAnalyticalStorage":false,"analyticalStorageConfiguration":{"schemaType":"WellDefined"},"instanceId":"022922cc-ead2-4069-924f-68d06c72c022","databaseAccountOfferType":"Standard","keyVaultKeyUri":"","defaultIdentity":"FirstPartyIdentity","networkAclBypass":"None","disableLocalAuth":false,"consistencyPolicy":{"defaultConsistencyLevel":"Session","maxIntervalInSeconds":5,"maxStalenessPrefix":100},"configurationOverrides":{},"writeLocations":[{"id":"mycosmosdbld26a-eastus2","locationName":"East US 2","documentEndpoint":"https://mycosmosdbld26a-eastus2.documents.azure.com:443/","provisioningState":"Succeeded","failoverPriority":0,"isZoneRedundant":false}],"readLocations":[{"id":"mycosmosdbld26a-eastus2","locationName":"East US 2","documentEndpoint":"https://mycosmosdbld26a-eastus2.documents.azure.com:443/","provisioningState":"Succeeded","failoverPriority":0,"isZoneRedundant":false}],"locations":[{"id":"mycosmosdbld26a-eastus2","locationName":"East US 2","documentEndpoint":"https://mycosmosdbld26a-eastus2.documents.azure.com:443/","provisioningState":"Succeeded","failoverPriority":0,"isZoneRedundant":false}],"failoverPolicies":[{"id":"mycosmosdbld26a-eastus2","locationName":"East US 
2","failoverPriority":0}],"cors":[],"capabilities":[],"ipRules":[{"ipAddressOrRange":"170.74.231.0/27"}],"backupPolicy":{"type":"Periodic","periodicModeProperties":{"backupIntervalInMinutes":240,"backupRetentionIntervalInHours":8,"backupStorageRedundancy":"Geo"}},"networkAclBypassResourceIds":[]},"identity":{"type":"None"}} 2021/08/03 12:15:29 [DEBUG] Expected result: Success 2021/08/03 12:15:29 [DEBUG] Account mycosmosdbld26a successfully created. [Step PASSED] | [32mTrue[0m | [32m170.74.231.0/27[0m | [32mSuccess[0m | [32mn/a[0m | 2021/08/03 12:15:29 [DEBUG] Check setup is successful. Step [PASSED] 2021/08/03 12:15:29 [DEBUG] Getting Policy Assignment with scope: /providers/Microsoft.Management/managementGroups/lz-dev-test-robkozlo2 (2021-08-03T12:15:30.0986785-04:00) INFO: REQUEST: GET https://management.azure.com//providers/Microsoft.Management/managementGroups/lz-dev-test-robkozlo2/providers/Microsoft.Authorization/policyAssignments/deny_cosmosdb_wo_netacl?api-version=2019-09-01 User-Agent: Go/go1.13.3 (amd64-windows) go-autorest/v14.2.1 Azure-SDK-For-Go/v56.0.0 policy/2019-09-01 Authorization: REDACTED (2021-08-03T12:15:30.1886912-04:00) INFO: RESPONSE: 200 https://management.azure.com//providers/Microsoft.Management/managementGroups/lz-dev-test-robkozlo2/providers/Microsoft.Authorization/policyAssignments/deny_cosmosdb_wo_netacl?api-version=2019-09-01 X-Content-Type-Options: nosniff Content-Type: application/json; charset=utf-8 Content-Length: 1058 Server: Kestrel X-Ms-Request-Id: 20377b6c-7c75-4bec-ac2f-42dbe0715b48 X-Ms-Correlation-Request-Id: 20377b6c-7c75-4bec-ac2f-42dbe0715b48 X-Ms-Routing-Request-Id: CENTRALUS:20210803T161530Z:20377b6c-7c75-4bec-ac2f-42dbe0715b48 Proxy-Connection: Keep-Alive Pragma: no-cache Cache-Control: no-cache, proxy-revalidate Connection: Keep-Alive Via: 1.1 rrinbcgwcs51 Strict-Transport-Security: max-age=31536000; includeSubDomains X-Ms-Ratelimit-Remaining-Tenant-Reads: 11999 Date: Tue, 03 Aug 2021 16:15:29 GMT Expires: -1 
{"sku":{"name":"A0","tier":"Free"},"properties":{"displayName":"Azure Cosmos DB accounts should have firewall rules","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb","scope":"/providers/Microsoft.Management/managementGroups/lz-dev-test-robkozlo2","parameters":{"effect":{"value":"Deny"}},"description":"Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant.","metadata":{"createdBy":"ba5055ff-61eb-47e8-ba00-067777f42dcf","createdOn":"2021-07-08T19:28:04.0329424Z","updatedBy":null,"updatedOn":null},"enforcementMode":"Default"},"id":"/providers/Microsoft.Management/managementGroups/lz-dev-test-robkozlo2/providers/Microsoft.Authorization/policyAssignments/deny_cosmosdb_wo_netacl","type":"Microsoft.Authorization/policyAssignments","name":"deny_cosmosdb_wo_netacl"} 2021/08/03 12:15:30 [DEBUG] Policy assignment EnforcementMode: Default 2021/08/03 12:15:30 [DEBUG] Policy assignment check: deny_cosmosdb_wo_netacl [PASSED] (2021-08-03T12:15:30.4206958-04:00) INFO: REQUEST: PUT https://management.azure.com/subscriptions/6cd693dc-7804-45c6-972f-feca478cf1c2/resourceGroups/testpcgoibresourecGP20210803120912/providers/Microsoft.DocumentDB/databaseAccounts/mycosmosdbz0416?api-version=2021-06-15 Content-Type: application/json; charset=utf-8 User-Agent: Go/go1.13.3 (amd64-windows) go-autorest/v14.2.1 Azure-SDK-For-Go/v56.0.0 documentdb/2021-06-15 Authorization: REDACTED {"kind":"GlobalDocumentDB","location":"eastus2","properties":{"locations":[{"failoverPriority":0,"locationName":"eastus2"}],"databaseAccountOfferType":"Standard","ipRules":[],"isVirtualNetworkFilterEnabled":false,"keyVaultKeyUri":"","publicNetworkAccess":"Enabled"}} (2021-08-03T12:15:30.6396854-04:00) INFO: RESPONSE: 403 
https://management.azure.com/subscriptions/6cd693dc-7804-45c6-972f-feca478cf1c2/resourceGroups/testpcgoibresourecGP20210803120912/providers/Microsoft.DocumentDB/databaseAccounts/mycosmosdbz0416?api-version=2021-06-15 X-Ms-Failure-Cause: gateway Proxy-Connection: Keep-Alive X-Content-Type-Options: nosniff Date: Tue, 03 Aug 2021 16:15:30 GMT Cache-Control: no-cache, proxy-revalidate Expires: -1 X-Ms-Request-Id: 7686de83-86e7-4d7a-83ff-3b5f1e7a2c8d Strict-Transport-Security: max-age=31536000; includeSubDomains X-Ms-Correlation-Request-Id: 7686de83-86e7-4d7a-83ff-3b5f1e7a2c8d Connection: Keep-Alive Content-Length: 2454 Via: 1.1 rrinbcgwcs51 Pragma: no-cache Content-Type: application/json; charset=utf-8 X-Ms-Routing-Request-Id: CENTRALUS:20210803T161530Z:7686de83-86e7-4d7a-83ff-3b5f1e7a2c8d {"error":{"code":"RequestDisallowedByPolicy","target":"mycosmosdbz0416","message":"Resource 'mycosmosdbz0416' was disallowed by policy. Policy identifiers: '[{"policyAssignment":{"name":"Azure Cosmos DB accounts should have firewall rules","id":"/providers/Microsoft.Management/managementGroups/lz-dev-test-robkozlo2/providers/Microsoft.Authorization/policyAssignments/deny_cosmosdb_wo_netacl"},"policyDefinition":{"name":"Azure Cosmos DB accounts should have firewall rules","id":"/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb"}}]'.","additionalInfo":[{"type":"PolicyViolation","info":{"policyDefinitionDisplayName":"Azure Cosmos DB accounts should have firewall 
rules","evaluationDetails":{"evaluatedExpressions":[{"result":"True","expressionKind":"Field","expression":"type","path":"type","expressionValue":"Microsoft.DocumentDB/databaseAccounts","targetValue":"Microsoft.DocumentDB/databaseAccounts","operator":"Equals"},{"result":"True","expressionKind":"Field","expression":"Microsoft.DocumentDB/databaseAccounts/publicNetworkAccess","path":"properties.publicNetworkAccess","expressionValue":"Enabled","targetValue":"Enabled","operator":"Equals"},{"result":"True","expressionKind":"Field","expression":"Microsoft.DocumentDB/databaseAccounts/isVirtualNetworkFilterEnabled","path":"properties.isVirtualNetworkFilterEnabled","expressionValue":false,"targetValue":"false","operator":"Equals"},{"result":"True","expressionKind":"Count","expression":"Microsoft.DocumentDB/databaseAccounts/ipRules[]","path":"properties.ipRules[]","expressionValue":0,"targetValue":"0","operator":"Equals"},{"result":"True","expressionKind":"Field","expression":"Microsoft.DocumentDB/databaseAccounts/ipRangeFilter","path":"properties.ipRangeFilter","targetValue":"false","operator":"Exists"}]},"policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb","policyDefinitionName":"862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb","policyDefinitionEffect":"Deny","policyAssignmentId":"/providers/Microsoft.Management/managementGroups/lz-dev-test-robkozlo2/providers/Microsoft.Authorization/policyAssignments/deny_cosmosdb_wo_netacl","policyAssignmentName":"deny_cosmosdb_wo_netacl","policyAssignmentDisplayName":"Azure Cosmos DB accounts should have firewall rules","policyAssignmentScope":"/providers/Microsoft.Management/managementGroups/lz-dev-test-robkozlo2"}}]}} 2021/08/03 12:15:30 [DEBUG] Account creation request error: documentdb.DatabaseAccountsClient#CreateOrUpdate: Failure sending request: StatusCode=0 -- Original Error: Code="RequestDisallowedByPolicy" Message="Resource 'mycosmosdbz0416' was disallowed by policy. 
Policy identifiers: '[{"policyAssignment":{"name":"Azure Cosmos DB accounts should have firewall rules","id":"/providers/Microsoft.Management/managementGroups/lz-dev-test-robkozlo2/providers/Microsoft.Authorization/policyAssignments/deny_cosmosdb_wo_netacl"},"policyDefinition":{"name":"Azure Cosmos DB accounts should have firewall rules","id":"/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb"}}]'." Target="mycosmosdbz0416" AdditionalInfo=[{"info":{"evaluationDetails":{"evaluatedExpressions":[{"expression":"type","expressionKind":"Field","expressionValue":"Microsoft.DocumentDB/databaseAccounts","operator":"Equals","path":"type","result":"True","targetValue":"Microsoft.DocumentDB/databaseAccounts"},{"expression":"Microsoft.DocumentDB/databaseAccounts/publicNetworkAccess","expressionKind":"Field","expressionValue":"Enabled","operator":"Equals","path":"properties.publicNetworkAccess","result":"True","targetValue":"Enabled"},{"expression":"Microsoft.DocumentDB/databaseAccounts/isVirtualNetworkFilterEnabled","expressionKind":"Field","expressionValue":false,"operator":"Equals","path":"properties.isVirtualNetworkFilterEnabled","result":"True","targetValue":"false"},{"expression":"Microsoft.DocumentDB/databaseAccounts/ipRules[]","expressionKind":"Count","expressionValue":0,"operator":"Equals","path":"properties.ipRules[]","result":"True","targetValue":"0"},{"expression":"Microsoft.DocumentDB/databaseAccounts/ipRangeFilter","expressionKind":"Field","operator":"Exists","path":"properties.ipRangeFilter","result":"True","targetValue":"false"}]},"policyAssignmentDisplayName":"Azure Cosmos DB accounts should have firewall 
rules","policyAssignmentId":"/providers/Microsoft.Management/managementGroups/lz-dev-test-robkozlo2/providers/Microsoft.Authorization/policyAssignments/deny_cosmosdb_wo_netacl","policyAssignmentName":"deny_cosmosdb_wo_netacl","policyAssignmentScope":"/providers/Microsoft.Management/managementGroups/lz-dev-test-robkozlo2","policyDefinitionDisplayName":"Azure Cosmos DB accounts should have firewall rules","policyDefinitionEffect":"Deny","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb","policyDefinitionName":"862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb"},"type":"PolicyViolation"}] 2021/08/03 12:15:30 [DEBUG] Expected result: Failure 2021/08/03 12:15:30 [DEBUG] Account create request correctly denied. [Step PASSED] 2021/08/03 12:15:30 [DEBUG] Type of error: autorest.DetailedError 2021/08/03 12:15:30 [DEBUG] Value of error: autorest.DetailedError{Original:(*azure.ServiceError)(0xc0001f49c0), PackageType:"documentdb.DatabaseAccountsCreateOrUpdateFuture", Method:"Result", StatusCode:403, Message:"Polling failure", ServiceError:[]uint8(nil), Response:(*http.Response)(0xc0002ca2d0)} 2021/08/03 12:15:30 [DEBUG] Account create error is the desired: RequestDisallowedByPolicy | [32mTrue[0m | [32mnil[0m | [32mFailure[0m | [32mRequestDisallowedByPolicy[0m | 2021/08/03 12:15:30 [DEBUG] deleting resources (2021-08-03T12:15:30.8557007-04:00) INFO: REQUEST: DELETE https://management.azure.com/subscriptions/6cd693dc-7804-45c6-972f-feca478cf1c2/resourcegroups/testpcgoibresourecGP20210803120912?api-version=2018-02-01 User-Agent: Go/go1.13.3 (amd64-windows) go-autorest/v14.2.1 Azure-SDK-For-Go/v56.0.0 resources/2018-02-01 Authorization: REDACTED (2021-08-03T12:15:31.7576930-04:00) INFO: RESPONSE: 202 https://management.azure.com/subscriptions/6cd693dc-7804-45c6-972f-feca478cf1c2/resourcegroups/testpcgoibresourecGP20210803120912?api-version=2018-02-01 X-Ms-Correlation-Request-Id: 19888082-597d-4ee2-96d2-b9c615a8143e 
X-Content-Type-Options: nosniff Content-Length: 0 X-Ms-Ratelimit-Remaining-Subscription-Deletes: 14999 X-Ms-Routing-Request-Id: CENTRALUS:20210803T161531Z:19888082-597d-4ee2-96d2-b9c615a8143e Via: 1.1 rrinbcgwcs51 Expires: -1 Location: https://management.azure.com/subscriptions/6cd693dc-7804-45c6-972f-feca478cf1c2/operationresults/eyJqb2JJZCI6IlJFU09VUkNFR1JPVVBERUxFVElPTkpPQi1URVNUUENHT0lCUkVTT1VSRUNHUDIwMjEwODAzMTIwOTEyLUVBU1RVUzIiLCJqb2JMb2NhdGlvbiI6ImVhc3R1czIifQ?api-version=2018-02-01 Strict-Transport-Security: max-age=31536000; includeSubDomains Proxy-Connection: Keep-Alive Connection: Keep-Alive Pragma: no-cache Retry-After: 15 X-Ms-Request-Id: 19888082-597d-4ee2-96d2-b9c615a8143e Date: Tue, 03 Aug 2021 16:15:31 GMT Cache-Control: no-cache, proxy-revalidate

2021/08/03 12:15:31 [DEBUG] Cleanup request is successful (resources may take time to disappear from Azure portal). Step [PASSED]

--- Failed steps:

Scenario Outline: Prevent Cosmos DB Accounts From Being Configured With Unrestricted Network Access # features\cosmosdb-unrestricted_access.feature:19
Then request is Failure # features\cosmosdb-unrestricted_access.feature:21
Error: Incorrectly created account

4 scenarios (3 passed, 1 failed)
20 steps (18 passed, 1 failed, 1 skipped)
6m19.4452346s
testing: warning: no tests to run
PASS
exit status 1
FAIL ms.com/policies/tests/policies/cosmosdb-unrestricted_access 382.756s

ghost avatar Aug 03 '21 16:08 ghost