For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/terraform-azure-unrestricted-sql-server-access.md. A documentation index is available at /llms.txt.

Unrestricted SQL server access

This product is not supported for your selected Datadog site. ().

Metadata

Id: terraform-azure-unrestricted-sql-server-access

Provider: Azure

Platform: Terraform

Severity: Critical

Category: Networking and Firewall

Learn More

Description

This vulnerability occurs when Azure SQL Server firewall rules allow access from a wide range of IP addresses or use the 0.0.0.0 address, potentially exposing the database to unauthorized access from the internet. Overly permissive firewall rules significantly increase the attack surface and risk of data breaches or unauthorized access to sensitive database information. To secure your SQL Server, define tight IP ranges in your firewall rules, as shown in the secure example below:

resource "azurerm_sql_firewall_rule" "secure_example" {
  name                = "FirewallRule1"
  resource_group_name = azurerm_resource_group.example.name
  server_name         = azurerm_sql_server.example.name
  start_ip_address    = "10.0.17.62"
  end_ip_address      = "10.0.17.62"
}

Avoid wide IP ranges or using 0.0.0.0 as seen in insecure configurations.

Compliant Code Examples

resource "azurerm_resource_group" "negative1" {
  name     = "acceptanceTestResourceGroup1"
  location = "West US"
}

resource "azurerm_sql_server" "negative2" {
  name                         = "mysqlserver"
  resource_group_name          = azurerm_resource_group.example.name
  location                     = "West US"
  version                      = "12.0"
  administrator_login          = "4dm1n157r470r"
  administrator_login_password = "4-v3ry-53cr37-p455w0rd"
}

resource "azurerm_sql_firewall_rule" "negative3" {
  name                = "FirewallRule1"
  resource_group_name = azurerm_resource_group.example.name
  server_name         = azurerm_sql_server.example.name
  start_ip_address    = "10.0.17.62"
  end_ip_address      = "10.0.17.62"
}

Non-Compliant Code Examples

resource "azurerm_resource_group" "positive1" {
  name     = "acceptanceTestResourceGroup1"
  location = "West US"
}

resource "azurerm_sql_server" "positive2" {
  name                         = "mysqlserver"
  resource_group_name          = azurerm_resource_group.example.name
  location                     = "West US"
  version                      = "12.0"
  administrator_login          = "4dm1n157r470r"
  administrator_login_password = "4-v3ry-53cr37-p455w0rd"
}

resource "azurerm_sql_firewall_rule" "positive3" {
  name                = "FirewallRule1"
  resource_group_name = azurerm_resource_group.example.name
  server_name         = azurerm_sql_server.example.name
  start_ip_address    = "0.0.0.0"
  end_ip_address      = "10.0.27.62"
}

resource "azurerm_sql_firewall_rule" "positive4" {
  name                = "FirewallRule1"
  resource_group_name = azurerm_resource_group.example.name
  server_name         = azurerm_sql_server.example.name
  start_ip_address    = "10.0.17.62"
  end_ip_address      = "10.0.27.62"
}