Check that database accounts use a paid tier Azure#2845 (Azure#2847)

Author: BernieWhite

data/policy-ignore.json

@@ -259,5 +259,12 @@
     ],
     "reason": "Duplicate",
     "value": "Azure.SQL.Auditing"
+  },
+  {
+    "policyDefinitionIds": [
+      "/providers/Microsoft.Authorization/policyDefinitions/4750c32b-89c0-46af-bfcb-2e4541a818d5"
+    ],
+    "reason": "Duplicate",
+    "value": "Azure.Cosmos.DisableMetadataWrite"
   }
 ]

docs/CHANGELOG-v1.md

@@ -35,6 +35,10 @@ See [upgrade notes][1] for helpful information when upgrading from previous vers
 
 What's changed since v1.36.0:
 
+- New rules:
+  - Cosmos DB:
+    - Check that database accounts use a paid tier by @BernieWhite.
+      [#2845](https://github.com/Azure/PSRule.Rules.Azure/issues/2845)
 - General improvements:
   - Quality updates to documentation by @BernieWhite.
     [#2570](https://github.com/Azure/PSRule.Rules.Azure/issues/2570)

docs/en/rules/Azure.Cosmos.DisableMetadataWrite.md

@@ -1,5 +1,5 @@
 ---
-reviewed: 2024-04-09
+reviewed: 2024-05-01
 severity: Important
 pillar: Security
 category: SE:05 Identity and access management
@@ -48,6 +48,7 @@ For example:
   "name": "[parameters('name')]",
   "location": "[parameters('location')]",
   "properties": {
+    "enableFreeTier": false,
     "consistencyPolicy": {
       "defaultConsistencyLevel": "Session"
     },
@@ -77,6 +78,7 @@ resource account 'Microsoft.DocumentDB/databaseAccounts@2023-04-15' = {
   name: name
   location: location
   properties: {
+    enableFreeTier: false
     consistencyPolicy: {
       defaultConsistencyLevel: 'Session'
     }
@@ -93,6 +95,13 @@ resource account 'Microsoft.DocumentDB/databaseAccounts@2023-04-15' = {
 }
 ```
 
+### Configure with Azure Policy
+
+To address this issue at runtime use the following policies:
+
+- [Azure Cosmos DB key based metadata write access should be disabled](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_DisableMetadata_Append.json)
+  `/providers/Microsoft.Authorization/policyDefinitions/4750c32b-89c0-46af-bfcb-2e4541a818d5`
+
 ## LINKS
 
 - [SE:05 Identity and access management](https://learn.microsoft.com/azure/well-architected/security/identity-access)

docs/en/rules/Azure.Cosmos.SLA.md

@@ -0,0 +1,97 @@
+---
+reviewed: 2024-05-01
+severity: Important
+pillar: Reliability
+category: RE:04 Target metrics
+resource: Cosmos DB
+online version: https://azure.github.io/PSRule.Rules.Azure/en/rules/Azure.Cosmos.SLA/
+---
+
+# Use paid tier for production workloads
+
+## SYNOPSIS
+
+Use a paid tier to qualify for a Service Level Agreement (SLA).
+
+## DESCRIPTION
+
+Cosmos DB offers one account on selected subscriptions to be marked to use a free tier allowance of 1000 DTUs.
+This free tier is intended for developers to try Cosmos DB during early development and proof of concepts (PoC).
+Using the free tier offer is not intended to be used for production level workloads.
+
+When using the free tier, the SLA for Cosmos DB does not apply.
+
+## RECOMMENDATION
+
+Consider using a paid SKU to qualify for a Service Level Agreement (SLA).
+
+## EXAMPLES
+
+### Configure with Azure template
+
+To deploy Cosmos DB accounts that pass this rule:
+
+- Set the `properties.enableFreeTier` property to `false` or do not configure the property.
+
+For example:
+
+```json
+{
+  "type": "Microsoft.DocumentDB/databaseAccounts",
+  "apiVersion": "2023-04-15",
+  "name": "[parameters('name')]",
+  "location": "[parameters('location')]",
+  "properties": {
+    "enableFreeTier": false,
+    "consistencyPolicy": {
+      "defaultConsistencyLevel": "Session"
+    },
+    "databaseAccountOfferType": "Standard",
+    "locations": [
+      {
+        "locationName": "[parameters('location')]",
+        "failoverPriority": 0,
+        "isZoneRedundant": true
+      }
+    ],
+    "disableKeyBasedMetadataWriteAccess": true
+  }
+}
+```
+
+### Configure with Bicep
+
+To deploy Cosmos DB accounts that pass this rule:
+
+- Set the `properties.enableFreeTier` property to `false` or do not configure the property.
+
+For example:
+
+```bicep
+resource account 'Microsoft.DocumentDB/databaseAccounts@2023-04-15' = {
+  name: name
+  location: location
+  properties: {
+    enableFreeTier: false
+    consistencyPolicy: {
+      defaultConsistencyLevel: 'Session'
+    }
+    databaseAccountOfferType: 'Standard'
+    locations: [
+      {
+        locationName: location
+        failoverPriority: 0
+        isZoneRedundant: true
+      }
+    ]
+    disableKeyBasedMetadataWriteAccess: true
+  }
+}
+```
+
+## LINKS
+
+- [RE:04 Target metrics](https://learn.microsoft.com/azure/well-architected/reliability/metrics)
+- [Try Azure Cosmos DB free](https://learn.microsoft.com/azure/cosmos-db/try-free)
+- [Azure Cosmos DB pricing](https://azure.microsoft.com/pricing/details/cosmos-db/autoscale-provisioned/)
+- [Azure deployment reference](https://learn.microsoft.com/azure/templates/microsoft.documentdb/databaseaccounts)

docs/examples-cosmos.bicep

@@ -9,7 +9,7 @@ param name string
 @description('The location resources will be deployed.')
 param location string = resourceGroup().location
 
-// An example Cosmos DB account using the NoSQL API.
+@description('A Cosmos DB account using the NoSQL API.')
 resource account 'Microsoft.DocumentDB/databaseAccounts@2023-11-15' = {
   name: name
   location: location
@@ -31,6 +31,7 @@ resource account 'Microsoft.DocumentDB/databaseAccounts@2023-11-15' = {
   }
 }
 
+@description('A No SQL API database in a Cosmos DB account.')
 resource database 'Microsoft.DocumentDB/databaseAccounts/sqlDatabases@2023-11-15' = {
   name: 'sql-001'
   parent: account

docs/examples-cosmos.json

@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.26.54.24096",
-      "templateHash": "12996554638761229869"
+      "version": "0.26.170.59819",
+      "templateHash": "14244543187074389953"
     }
   },
   "parameters": {
@@ -44,6 +44,9 @@
         ],
         "disableKeyBasedMetadataWriteAccess": true,
         "minimalTlsVersion": "Tls12"
+      },
+      "metadata": {
+        "description": "A Cosmos DB account using the NoSQL API."
       }
     },
     {
@@ -57,7 +60,10 @@
       },
       "dependsOn": [
         "[resourceId('Microsoft.DocumentDB/databaseAccounts', parameters('name'))]"
-      ]
+      ],
+      "metadata": {
+        "description": "A No SQL API database in a Cosmos DB account."
+      }
     }
   ]
 }

src/PSRule.Rules.Azure/rules/Azure.Cosmos.Rule.yaml

@@ -70,4 +70,22 @@ spec:
     field: properties.minimalTlsVersion
     equals: Tls12
 
+---
+# Synopsis: Use a paid tier to qualify for a Service Level Agreement (SLA).
+apiVersion: github.com/microsoft/PSRule/v1
+kind: Rule
+metadata:
+  name: Azure.Cosmos.SLA
+  ref: AZR-000419
+  tags:
+    release: GA
+    ruleSet: 2024_06
+    Azure.WAF/pillar: Reliability
+spec:
+  type:
+  - Microsoft.DocumentDb/databaseAccounts
+  condition:
+    field: properties.enableFreeTier
+    hasDefault: false
+
 #endregion Rules

tests/PSRule.Rules.Azure.Tests/Azure.Cosmos.Tests.ps1

@@ -56,12 +56,26 @@ Describe 'Azure.Cosmos' -Tag 'Cosmos', 'CosmosDB' {
             # Fail
             $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' });
             $ruleResult.Length | Should -Be 4;
-            $ruleResult.TargetName | Should -Be 'graph-B', 'nosql-A', 'nosql-B', 'nosql-C';
+            $ruleResult.TargetName | Should -BeIn 'graph-B', 'nosql-A', 'nosql-B', 'nosql-C';
 
             # Pass
             $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' });
             $ruleResult.Length | Should -Be 1;
-            $ruleResult.TargetName | Should -Be 'graph-A';
+            $ruleResult.TargetName | Should -BeIn 'graph-A';
+        }
+
+        It 'Azure.Cosmos.SLA' {
+            $filteredResult = $result | Where-Object { $_.RuleName -eq 'Azure.Cosmos.SLA' };
+
+            # Fail
+            $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Fail' });
+            $ruleResult.Length | Should -Be 1;
+            $ruleResult.TargetName | Should -BeIn 'graph-A';
+
+            # Pass
+            $ruleResult = @($filteredResult | Where-Object { $_.Outcome -eq 'Pass' });
+            $ruleResult.Length | Should -Be 4;
+            $ruleResult.TargetName | Should -BeIn 'graph-B', 'nosql-A', 'nosql-B', 'nosql-C';
         }
     }
 

tests/PSRule.Rules.Azure.Tests/Resources.Cosmos.json

@@ -26,7 +26,7 @@
       "virtualNetworkRules": [],
       "EnabledApiTypes": "Gremlin, Sql",
       "disableKeyBasedMetadataWriteAccess": false,
-      "enableFreeTier": false,
+      "enableFreeTier": true,
       "enableAnalyticalStorage": false,
       "analyticalStorageConfiguration": null,
       "createMode": "Default",