Via bash script. (Install “jq” tool)
#!/bin/bash json=$(curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'client_id=xxxxxx&scope=https%3A%2F%2Fmanagement.azure.com%2F.default&client_secret=xxxxxxx&grant_type=client_credentials' 'https://login.microsoftonline.com/xxxxxxxxxxxxxxxx/oauth2/v2.0/token') token=$(echo ${json} | jq -r '.access_token') curl --location --request PUT 'https://management.azure.com/subscriptions/xxxxxxxxx/resourceGroups/Default-SQL-WestEurope/providers/Microsoft.Sql/servers/<serverdbname>/firewallRules/<firewallRuleName>?api-version=2021-02-01-preview' --header "Authorization: Bearer ${token}" --header 'Content-Type: application/json' --data-raw '{ "properties": { "startIpAddress": "<IP address>", "endIpAddress": "<IP address>" } }'
Replace the “xxxxxxxx” with client_id, client_secret and tennantId in the first curl request. See this on how to obtain them (client_id is the app_id).
In the second curl PUT request first “xxxxx” is the subscription id. Don't forget to put the correct server db name, firewall rule name and the IP range to whitelist.
To use in rundeck check this job definition:
- defaultTab: nodes description: 'Update or create Azure firewall whitelist rule for IP to access the database' executionEnabled: true id: d63d774f-1302-4ed7-aa50-cdcf1bc96810 loglevel: INFO name: Azure IP whitelist nodeFilterEditable: false options: - label: IP address name: IP regex: ^((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}$ required: true - description: Rule name label: firewallRuleName name: firewallRuleName required: true plugins: ExecutionLifecycle: null scheduleEnabled: true sequence: commands: - script: |+ #!/bin/bash json=$(curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'client_id=xxxxxxxxxx&scope=https%3A%2F%2Fmanagement.azure.com%2F.default&client_secret=xxxxxxxxxxxxxxxxxxxxxx&grant_type=client_credentials' 'https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxxxxxxx/oauth2/v2.0/token') token=$(echo ${json} | jq -r '.access_token') curl --location --request PUT 'https://management.azure.com/subscriptions/xxxxxxxxxxxxxxxxx/resourceGroups/Default-SQL-WestEurope/providers/Microsoft.Sql/servers/xxxxxxxxxxxxx/firewallRules/@option.firewallRuleName@?api-version=2021-02-01-preview' --header "Authorization: Bearer ${token}" --header 'Content-Type: application/json' --data-raw '{ "properties": { "startIpAddress": "@option.IP@", "endIpAddress": "@option.IP@" } }' keepgoing: true strategy: node-first uuid: d63d774f-1302-4ed7-aa50-cdcf1bc96810
Here is an alternative to the script above using the Rundecks “HTTP Request Node Step” (Install the plugin Rundeck HTTP Workflow Step Plugin and jq filter plugin)
- defaultTab: nodes description: 'Update or create Azure firewall whitelist rule for IP to access the database' executionEnabled: true id: c1354a3d-c0f9-4b56-a30c-ddac083d99ec loglevel: INFO name: Azure IP whitelist nodeFilterEditable: false options: - label: IP address name: IP regex: ^((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}$ required: true - description: Rule name enforced: true label: firewallRuleName name: firewallRuleName required: true values: - aaa - bbb - cccc valuesListDelimiter: ',' plugins: ExecutionLifecycle: null scheduleEnabled: true sequence: commands: - configuration: authentication: None body: client_id=xxxxxxxxxxxxxx&scope=https%3A%2F%2Fmanagement.azure.com%2F.default&client_secret=xxxxxxxxxxxxx&grant_type=client_credentials checkResponseCode: 'true' headers: | Content-Type: application/x-www-form-urlencoded" method: POST printResponse: 'true' printResponseToFile: 'false' proxySettings: 'false' remoteUrl: https://login.microsoftonline.com/xxxxxxxxxxxxxxx/oauth2/v2.0/token responseCode: '200' sslVerify: 'true' timeout: '30000' nodeStep: true type: edu.ohio.ais.rundeck.HttpWorkflowNodeStepPlugin - configuration: authentication: None body: |- { "properties": { "startIpAddress": "${option.IP}", "endIpAddress": "${option.IP}" } }' checkResponseCode: 'false' headers: |- Authorization: Bearer ${data.access_token} Content-Type: application/json method: PUT printResponse: 'true' printResponseToFile: 'false' proxySettings: 'false' remoteUrl: https://management.azure.com/subscriptions/xxxxxxxxxxxxxxx/resourceGroups/Default-SQL-WestEurope/providers/Microsoft.Sql/servers/xxxxxxxxxxx/firewallRules/${option.firewallRuleName}?api-version=2021-02-01-preview sslVerify: 'true' timeout: '30000' nodeStep: true type: edu.ohio.ais.rundeck.HttpWorkflowNodeStepPlugin keepgoing: true pluginConfig: LogFilter: - config: filter: .access_token logData: 'false' prefix: access_token type: json-mapper strategy: node-first uuid: c1354a3d-c0f9-4b56-a30c-ddac083d99ec
Replace the “xxxxxxxxxxx” with your values.