{{tag>microsoft azure api}}
====== Updating Azure database firewall via Azure API ======
Using a bash script (requires the "jq" tool to be installed):
<code bash>
#!/bin/bash
# Request an OAuth2 access token with the client-credentials grant.
json=$(curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'client_id=xxxxxx&scope=https%3A%2F%2Fmanagement.azure.com%2F.default&client_secret=xxxxxxx&grant_type=client_credentials' 'https://login.microsoftonline.com/xxxxxxxxxxxxxxxx/oauth2/v2.0/token')
# Extract the bearer token from the JSON response.
token=$(echo "${json}" | jq -r '.access_token')
# Create or update the firewall rule. Fill in the server name (after "servers/"),
# the rule name (after "firewallRules/") and both IP addresses before running.
curl --location --request PUT 'https://management.azure.com/subscriptions/xxxxxxxxx/resourceGroups/Default-SQL-WestEurope/providers/Microsoft.Sql/servers//firewallRules/?api-version=2021-02-01-preview' --header "Authorization: Bearer ${token}" --header 'Content-Type: application/json' --data-raw '{
  "properties": {
    "startIpAddress": "",
    "endIpAddress": ""
  }
}'
</code>
Replace the "xxxxxxxx" placeholders in the first curl request with your **client_id**, **client_secret** and **tenantId**. See [[wiki:connect_azure_rest_api|this]] on how to obtain them (client_id is the app_id).
In the second curl PUT request, the first "xxxxx" is the subscription ID. Don't forget to fill in the correct database server name, firewall rule name and the IP range to whitelist.
To use it in Rundeck, see this job definition:
<code yaml>
- defaultTab: nodes
  description: 'Update or create Azure firewall whitelist rule for IP to access the
    database'
  executionEnabled: true
  id: d63d774f-1302-4ed7-aa50-cdcf1bc96810
  loglevel: INFO
  name: Azure IP whitelist
  nodeFilterEditable: false
  options:
  - label: IP address
    name: IP
    regex: ^((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}$
    required: true
  - description: Rule name
    label: firewallRuleName
    name: firewallRuleName
    required: true
  plugins:
    ExecutionLifecycle: null
  scheduleEnabled: true
  sequence:
    commands:
    - script: |+
        #!/bin/bash

        json=$(curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'client_id=xxxxxxxxxx&scope=https%3A%2F%2Fmanagement.azure.com%2F.default&client_secret=xxxxxxxxxxxxxxxxxxxxxx&grant_type=client_credentials' 'https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxxxxxxx/oauth2/v2.0/token')
        token=$(echo "${json}" | jq -r '.access_token')
        curl --location --request PUT 'https://management.azure.com/subscriptions/xxxxxxxxxxxxxxxxx/resourceGroups/Default-SQL-WestEurope/providers/Microsoft.Sql/servers/xxxxxxxxxxxxx/firewallRules/@option.firewallRuleName@?api-version=2021-02-01-preview' --header "Authorization: Bearer ${token}" --header 'Content-Type: application/json' --data-raw '{
          "properties": {
            "startIpAddress": "@option.IP@",
            "endIpAddress": "@option.IP@"
          }
        }'
    keepgoing: true
    strategy: node-first
  uuid: d63d774f-1302-4ed7-aa50-cdcf1bc96810
</code>
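The script job above has Rundeck expand "@option.IP@" and "@option.firewallRuleName@" directly into the script text, and "firewallRuleName" has no regex in that job. The following is an added example, not part of the original page: it takes both values as arguments, checks them against an allow-list before any request is built, and reads credentials from environment variables. The AZ_* variable names and the rule-name character set are assumptions of this example.

```bash
#!/bin/bash
# Added example (not from the original page). Assumed environment variables:
# AZ_TENANT_ID, AZ_CLIENT_ID, AZ_CLIENT_SECRET, AZ_SUBSCRIPTION_ID, AZ_SQL_SERVER.

# Accept only dotted-quad IPv4 with each octet 0-255 and no leading zeros.
valid_ipv4() {
  case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case $octet in
      [0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5]) ;;
      *) return 1 ;;
    esac
  done
}

# Conservative allow-list for the rule name (an assumption of this example,
# not Azure's own naming rule): 1-64 letters, digits, "_" or "-".
valid_rule_name() {
  case $1 in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac
  [ "${#1}" -le 64 ]
}

# Print the JSON body for a single-address rule; fails on an invalid IP.
rule_body() {
  valid_ipv4 "$1" || return 1
  printf '{"properties":{"startIpAddress":"%s","endIpAddress":"%s"}}' "$1" "$1"
}

# Print the firewallRules URL used on this page; fails on an invalid name.
rule_url() {
  valid_rule_name "$1" || return 1
  printf 'https://management.azure.com/subscriptions/%s/resourceGroups/Default-SQL-WestEurope/providers/Microsoft.Sql/servers/%s/firewallRules/%s?api-version=2021-02-01-preview' \
    "$AZ_SUBSCRIPTION_ID" "$AZ_SQL_SERVER" "$1"
}

# apply_rule <rule-name> <ip>: validate first, then fetch a token and PUT the rule.
apply_rule() {
  url=$(rule_url "$1") && body=$(rule_body "$2") || { echo "invalid input" >&2; return 2; }
  # The form body goes to curl on stdin so the secret is not in the process list.
  # Like the page's script, this assumes the secret needs no URL-encoding.
  token=$(printf 'client_id=%s&scope=https%%3A%%2F%%2Fmanagement.azure.com%%2F.default&client_secret=%s&grant_type=client_credentials' \
      "$AZ_CLIENT_ID" "$AZ_CLIENT_SECRET" |
    curl -sS --fail -d @- "https://login.microsoftonline.com/$AZ_TENANT_ID/oauth2/v2.0/token" |
    jq -er '.access_token') || return 1
  curl -sS --fail --request PUT "$url" --header "Authorization: Bearer $token" \
    --header 'Content-Type: application/json' --data-raw "$body"
}
if [ $# -eq 2 ]; then apply_rule "$1" "$2"; fi
```

In a Rundeck job, pass the options to such a script as quoted arguments or read them from the RD_OPTION_* environment variables instead of expanding "@option.…@" tokens inside the script body.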
Here is an alternative to the script above using Rundeck's "HTTP Request Node Step" ([[https://docs.rundeck.com/docs/learning/howto/calling-apis.html#community-version-prerequisite|install]] the plugin **Rundeck HTTP Workflow Step Plugin** and the [[wiki:install_json_log_filter_parser_plugin_rundeck|jq filter plugin]]):
<code yaml>
- defaultTab: nodes
  description: 'Update or create Azure firewall whitelist rule for IP to access the
    database'
  executionEnabled: true
  id: c1354a3d-c0f9-4b56-a30c-ddac083d99ec
  loglevel: INFO
  name: Azure IP whitelist
  nodeFilterEditable: false
  options:
  - label: IP address
    name: IP
    regex: ^((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}$
    required: true
  - description: Rule name
    enforced: true
    label: firewallRuleName
    name: firewallRuleName
    required: true
    values:
    - aaa
    - bbb
    - cccc
    valuesListDelimiter: ','
  plugins:
    ExecutionLifecycle: null
  scheduleEnabled: true
  sequence:
    commands:
    - configuration:
        authentication: None
        body: client_id=xxxxxxxxxxxxxx&scope=https%3A%2F%2Fmanagement.azure.com%2F.default&client_secret=xxxxxxxxxxxxx&grant_type=client_credentials
        checkResponseCode: 'true'
        headers: |
          Content-Type: application/x-www-form-urlencoded
        method: POST
        printResponse: 'true'
        printResponseToFile: 'false'
        proxySettings: 'false'
        remoteUrl: https://login.microsoftonline.com/xxxxxxxxxxxxxxx/oauth2/v2.0/token
        responseCode: '200'
        sslVerify: 'true'
        timeout: '30000'
      nodeStep: true
      type: edu.ohio.ais.rundeck.HttpWorkflowNodeStepPlugin
    - configuration:
        authentication: None
        body: |-
          {
            "properties": {
              "startIpAddress": "${option.IP}",
              "endIpAddress": "${option.IP}"
            }
          }
        checkResponseCode: 'false'
        headers: |-
          Authorization: Bearer ${data.access_token}
          Content-Type: application/json
        method: PUT
        printResponse: 'true'
        printResponseToFile: 'false'
        proxySettings: 'false'
        remoteUrl: https://management.azure.com/subscriptions/xxxxxxxxxxxxxxx/resourceGroups/Default-SQL-WestEurope/providers/Microsoft.Sql/servers/xxxxxxxxxxx/firewallRules/${option.firewallRuleName}?api-version=2021-02-01-preview
        sslVerify: 'true'
        timeout: '30000'
      nodeStep: true
      type: edu.ohio.ais.rundeck.HttpWorkflowNodeStepPlugin
    keepgoing: true
    pluginConfig:
      LogFilter:
      - config:
          filter: .access_token
          logData: 'false'
          prefix: access_token
        type: json-mapper
    strategy: node-first
  uuid: c1354a3d-c0f9-4b56-a30c-ddac083d99ec
</code>
Replace the "xxxxxxxxxxx" placeholders with your values.
====== Tested on ======
  * Azure API 2022-09-02
  * Rundeck 4.5.0 
====== See also ======
  * [[wiki:connect_azure_rest_api|Connect to Azure REST API]]
  * [[wiki:connect_azure_database|Connect to Azure database]]