This repository contains sample configuration scripts (Terraform, with more to come) showing how to deploy a hardened Azure Cosmos DB account, plus a Python script to test the deployment. The Terraform configuration deploys the following resources and hardening settings:
- Resource group
- Azure Cosmos DB
- Managed identity
- Azure Key Vault
- Azure Log Analytics workspace
- Private DNS Zone
- Azure Virtual Network
- Windows 11 VM (with public IP)
- Customer-managed key for encryption at rest
- Key-based authentication disabled
- Public endpoint disabled
- Key-based metadata writes disabled
- TLS 1.2 minimum
- Private endpoint
- Continuous backup
- Diagnostics full-text query enabled
- Diagnostic settings enabled (ControlPlaneRequests, DataPlaneRequests, QueryRuntimeStatistics)
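As an added example that is not part of this repository, the script below audits a Cosmos DB account definition against the hardening items listed above. It assumes the property names of the ARM `Microsoft.DocumentDB/databaseAccounts` resource (`disableLocalAuth`, `publicNetworkAccess`, `disableKeyBasedMetadataWriteAccess`, `minimalTlsVersion`, `backupPolicy.type`, `keyVaultKeyUri`); the two account documents are constructed inline for illustration.

```python
"""Audit a Cosmos DB account definition against the hardening checklist."""
import json

# Expected values for the flat hardening settings
# (assumed ARM databaseAccounts property names).
HARDENED_CHECKS = {
    "disableLocalAuth": (True, "key-based authentication must be disabled"),
    "publicNetworkAccess": ("Disabled", "public endpoint must be disabled"),
    "disableKeyBasedMetadataWriteAccess": (True, "key-based metadata writes must be disabled"),
    "minimalTlsVersion": ("Tls12", "minimum TLS version must be 1.2"),
}


def audit_account(props):
    """Return a list of findings; an empty list means every setting is hardened."""
    findings = []
    for key, (expected, reason) in HARDENED_CHECKS.items():
        actual = props.get(key)
        if actual != expected:
            findings.append(f"{key}={actual!r}: {reason}")
    # Continuous backup is a nested setting under backupPolicy.
    backup = (props.get("backupPolicy") or {}).get("type")
    if backup != "Continuous":
        findings.append(f"backupPolicy.type={backup!r}: continuous backup must be enabled")
    # A customer-managed key shows up as a Key Vault key URI on the account.
    if not props.get("keyVaultKeyUri"):
        findings.append("keyVaultKeyUri missing: customer-managed key must be configured")
    return findings


# Constructed sample: the defaults of an unhardened account.
UNHARDENED_ACCOUNT = json.loads("""{
  "disableLocalAuth": false,
  "publicNetworkAccess": "Enabled",
  "disableKeyBasedMetadataWriteAccess": false,
  "minimalTlsVersion": "Tls",
  "backupPolicy": {"type": "Periodic"}
}""")

# Constructed sample: an account matching the checklist above.
HARDENED_ACCOUNT = {
    "disableLocalAuth": True,
    "publicNetworkAccess": "Disabled",
    "disableKeyBasedMetadataWriteAccess": True,
    "minimalTlsVersion": "Tls12",
    "backupPolicy": {"type": "Continuous"},
    "keyVaultKeyUri": "https://example-kv.vault.azure.net/keys/cosmos-cmk",
}

if __name__ == "__main__":
    for name, account in (("unhardened", UNHARDENED_ACCOUNT), ("hardened", HARDENED_ACCOUNT)):
        print(name, audit_account(account) or "OK")
```

Feed it the properties of a deployed account to confirm the Terraform configuration produced every setting the checklist promises.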
1. Clone the repo:

   ```powershell
   git clone https://github.com/fonsecamar/cosmos-security.git
   cd cosmos-security/terraform
   ```

2. Provision the infrastructure (review the Terraform plan and type `yes` to approve):

   ```powershell
   az login
   ./terraform.exe init
   ./terraform.exe apply
   ```

3. Connect to your VM over RDP with the temporary credentials (adminuser / Password1234!).

4. Install Python (https://www.python.org/downloads/windows/).

5. Verify that the Cosmos DB hostname resolves to the private endpoint IP:

   ```powershell
   nslookup cosmos-security-demo-<suffix>.documents.azure.com
   ```

6. Copy `sample.py` to the VM.

7. Install the dependencies:

   ```powershell
   pip install azure-cosmos
   pip install azure-identity
   ```

8. Set your Cosmos DB endpoint and run the Python script, which uses the VM's managed identity to connect to Cosmos DB:

   ```powershell
   $env:COSMOS_ENDPOINT="https://cosmos-security-demo-<suffix>.documents.azure.com:443/"
   python .\sample.py
   ```

   You should see the results of the Point Read and Query operations.
If you find any errors or have suggestions for changes, please be part of this project!
- Create your branch: `git checkout -b my-new-feature`
- Add your changes: `git add .`
- Commit your changes: `git commit -m '<message>'`
- Push your branch to GitHub: `git push origin my-new-feature`
- Create a new Pull Request 😄
