Framework/Core/SVT/Services/CosmosDb.ps1

# Strict mode "Latest": uninitialized variables and references to properties that do
# not exist raise errors instead of silently reading as $null, so a control that
# looks at a missing account property fails loudly rather than quietly passing.
Set-StrictMode -Version Latest

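# Security verification controls for a single Azure Cosmos DB account.
# Each Check* method receives the framework's ControlResult, evaluates one
# property of the cached ARM resource, and returns the result with a
# VerificationResult and any explanatory messages attached.
class CosmosDb : AzSVTBase
{
    # ARM view of the account, fetched once by LoadResource() and read by every
    # Check* method below (the Properties bag holds ipRangeFilter, consistencyPolicy, ...).
    hidden [PSObject] $Resource;

    CosmosDb([string] $subscriptionId, [SVTResource] $svtResource): 
        Base($subscriptionId, $svtResource) 
    {
        $this.LoadResource();
    }

    # Resolves the account through Get-AzResource (no-op when already cached).
    # Throws a SuppressedException when nothing is found so the framework reports
    # an invalid operation instead of evaluating every control against $null.
    hidden [void] LoadResource()
    {
        if($this.Resource)
        {
            return
        }

        $lookup = @{
            Name              = $this.ResourceContext.ResourceName
            ResourceGroupName = $this.ResourceContext.ResourceGroupName
            ResourceType      = $this.ResourceContext.ResourceType
        }
        $this.Resource = Get-AzResource @lookup

        if(-not $this.Resource)
        {
            throw ([SuppressedException]::new(("Resource '{0}' not found under Resource Group '{1}'" -f ($this.ResourceContext.ResourceName), ($this.ResourceContext.ResourceGroupName)), [SuppressedExceptionType]::InvalidOperation))
        }
    }

    # Passed when the account carries a non-empty ipRangeFilter, i.e. the IP firewall
    # is switched on at all. This says nothing about the quality of the list: a
    # filter such as "0.0.0.0/0" passes here and is only caught by the per-range
    # and per-account address limits in CheckCosmosDbFirewallIpRange.
    [ControlResult] CheckCosmosDbFirewallState([ControlResult] $controlResult)
    {
        $ipRangeFilter = $this.Resource.Properties.ipRangeFilter
        return $this.EvalBoolean($controlResult, -not [string]::IsNullOrWhiteSpace($ipRangeFilter))
    }

    # Checks every entry of ipRangeFilter against two configured ceilings:
    # ControlSettings.CosmosDb.Firewall.IpLimitPerRange (addresses admitted by one
    # CIDR block) and IpLimitPerDb (addresses admitted by the whole list).
    # Outcome: Failed when the firewall is off, when any limit is breached, or when
    # an entry cannot be parsed; otherwise the result stays at Verify (the listed
    # addresses themselves are left for review). The ranges are also attached as state data.
    [ControlResult] CheckCosmosDbFirewallIpRange([ControlResult] $controlResult)
    {
        $rangeFilter = $this.Resource.Properties.ipRangeFilter
        if([string]::IsNullOrWhiteSpace($rangeFilter))
        {
            $controlResult.AddMessage([VerificationResult]::Failed, "Control cannot be validated. Firewall is not enabled for - ["+ $this.ResourceContext.ResourceName +"]");
            return $controlResult
        }

        # Verify is the baseline; only a limit breach or a bad entry demotes it to Failed.
        $controlResult.VerificationResult = [VerificationResult]::Verify
        $totalIpLimit = $this.ControlSettings.CosmosDb.Firewall.IpLimitPerDb
        $limit = $this.ControlSettings.CosmosDb.Firewall.IpLimitPerRange

        # Entries are comma separated. Trim so "a, b" is handled and drop the empty
        # element a trailing comma leaves behind so it is not counted as an address.
        $ranges = @($rangeFilter.Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
        $controlResult.AddMessage([MessageData]::new(
            "Current firewall IP range(s) for - ["+ $this.ResourceContext.ResourceName +"]", $ranges));

        $isPassed = $true
        $totalIps = [long] 0
        foreach($range in $ranges)
        {
            $ipCount = $this.GetAddressCount($range)
            if($ipCount -lt 0)
            {
                # Fail closed on an unparsable CIDR suffix and say why, instead of
                # letting an [int] cast throw and abort the whole control evaluation.
                $isPassed = $false
                $controlResult.AddMessage("Range - $range could not be parsed as an IP address or CIDR range.")
                continue
            }
            $totalIps += $ipCount
            if($ipCount -gt $limit)
            {
                $isPassed = $false
                $controlResult.AddMessage("Range - $range has $ipCount IPs which is more than $limit IP limit per range.")
            }
        }
        if($totalIps -gt $totalIpLimit)
        {
            $isPassed = $false
            $controlResult.AddMessage("Total IPs allowed is $totalIps which is more than $totalIpLimit IP total limit per db.")
        }
        if(-not $isPassed)
        {
            $controlResult.VerificationResult = [VerificationResult]::Failed
        }
        $controlResult.SetStateData("Firewall IP ranges/addresses:", $ranges)
        return $controlResult
    }

    # Number of IPv4 addresses one ipRangeFilter entry admits: 1 for a plain
    # address, 2^(32 - mask) for a CIDR block. Returns -1 when the text after '/'
    # is not an integer in 0..32, so callers can report the entry rather than throw.
    hidden [long] GetAddressCount([string] $range)
    {
        if(-not $range.Contains('/'))
        {
            return 1
        }
        $mask = 0
        $suffix = $range.Split('/')[1]
        if(-not [int]::TryParse($suffix, [ref] $mask) -or $mask -lt 0 -or $mask -gt 32)
        {
            return -1
        }
        return [long] [Math]::Pow(2, 32 - $mask)
    }

    # Passed unless the default consistency level is "Eventual" (case-insensitive).
    # The level is read as a string and an empty/missing value fails the control
    # rather than throwing on a null .Equals() call: an account whose level cannot
    # be read should not be reported as compliant.
    [ControlResult] CheckCosmosDbConsistency([ControlResult] $controlResult)
    {
        $level = [string] $this.Resource.Properties.consistencyPolicy.defaultConsistencyLevel
        $isNotEventual = ((-not [string]::IsNullOrWhiteSpace($level)) -and
            (-not $level.Equals("Eventual", [System.StringComparison]::OrdinalIgnoreCase)))
        return $this.EvalBoolean($controlResult, $isNotEventual);
    }

    # Passed when the account replicates to more than one read region.
    # Wrapping in @() makes a missing/null readLocations count as zero regions.
    [ControlResult] CheckCosmosDbReplication([ControlResult] $controlResult)
    {
        $readLocations = @($this.Resource.Properties.readLocations)
        return $this.EvalBoolean($controlResult, $readLocations.Count -gt 1);
    }

    # Passed when automatic failover is enabled; a missing flag is treated as $false.
    [ControlResult] CheckCosmosDbAutomaticFailover([ControlResult] $controlResult)
    {
        return $this.EvalBoolean($controlResult, [bool] $this.Resource.Properties.enableAutomaticFailover);
    }

    # Maps a boolean outcome onto the control result: $true -> Passed, $false -> Failed.
    hidden [ControlResult] EvalBoolean([ControlResult] $controlResult, [Boolean] $IsPassed)
    {
        if($IsPassed)
        {
            $controlResult.VerificationResult = [VerificationResult]::Passed
        }
        else
        {
            $controlResult.VerificationResult = [VerificationResult]::Failed
        }
        return $controlResult
    }
}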