
Updating Azure database firewall via Azure API

Via a bash script (install the “jq” tool first):

azure_whitelist.sh
#!/bin/bash
set -euo pipefail

# Obtain an OAuth2 access token for the Azure management API (client-credentials grant).
json=$(curl -sS -X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'client_id=xxxxxx&scope=https%3A%2F%2Fmanagement.azure.com%2F.default&client_secret=xxxxxxx&grant_type=client_credentials' 'https://login.microsoftonline.com/xxxxxxxxxxxxxxxx/oauth2/v2.0/token')
# jq -e fails when access_token is missing instead of yielding the string "null"
token=$(jq -er '.access_token' <<<"${json}")

# Create or update the firewall rule; PUT to the same rule name updates it in place.
curl --location --request PUT 'https://management.azure.com/subscriptions/xxxxxxxxx/resourceGroups/Default-SQL-WestEurope/providers/Microsoft.Sql/servers/<serverdbname>/firewallRules/<firewallRuleName>?api-version=2021-02-01-preview' --header "Authorization: Bearer ${token}" --header 'Content-Type: application/json' --data-raw '{
  "properties": {
    "startIpAddress": "<IP address>",
    "endIpAddress": "<IP address>"
  }
}'

Replace the “xxxxxxxx” placeholders with the client_id, client_secret and tenant ID in the first curl request. See this on how to obtain them (the client_id is the app_id).

In the second curl PUT request, the first “xxxxx” is the subscription ID. Don't forget to fill in the correct server name, firewall rule name and the IP range to whitelist.

To use it in Rundeck, check this job definition:
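The same two-call flow as an added example (not the wiki's own script): credentials come from the environment instead of being hard-coded, the IP is validated before it is placed in the JSON body, a missing token fails the job instead of sending "Bearer null", and the PUT is only considered successful on 200 or 201. The variable names AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID, AZURE_SUBSCRIPTION_ID, AZURE_RESOURCE_GROUP and AZURE_SQL_SERVER are assumptions.

```shell
#!/bin/sh
# Added example, not the wiki's own script: the token + PUT flow of azure_whitelist.sh with
# credentials from the environment (AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID,
# AZURE_SUBSCRIPTION_ID, AZURE_RESOURCE_GROUP, AZURE_SQL_SERVER are assumed names), the IP
# validated before it goes into the JSON body, and each HTTP status checked. Needs curl and jq.
set -eu

# Return 0 only for a dotted quad whose four octets are 1-3 digits in the range 0..255.
validate_ipv4() {
  old_ifs=$IFS; IFS=.; set -f; set -- $1; set +f; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case $octet in ''|*[!0-9]*|????*) return 1 ;; esac   # empty, non-digit, or >3 digits
    [ "$octet" -le 255 ] || return 1
  done
}

# Print the PUT body for a rule spanning start..end (end defaults to start).
firewall_rule_body() {
  start=$1; end=${2:-$1}
  validate_ipv4 "$start" && validate_ipv4 "$end" || return 1
  printf '{"properties":{"startIpAddress":"%s","endIpAddress":"%s"}}' "$start" "$end"
}
# Management URL for one firewall rule, with the API version the page uses.
firewall_rule_url() {
  printf 'https://management.azure.com/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Sql/servers/%s/firewallRules/%s?api-version=2021-02-01-preview' "$1" "$2" "$3" "$4"
}
# Client-credentials token. jq -e exits non-zero instead of printing "null" when the key is
# missing, so a bad secret cannot turn into an "Authorization: Bearer null" request.
get_token() {
  curl -sS --fail -X POST "https://login.microsoftonline.com/$AZURE_TENANT_ID/oauth2/v2.0/token" \
    --data-urlencode "client_id=$AZURE_CLIENT_ID" --data-urlencode "client_secret=$AZURE_CLIENT_SECRET" \
    --data-urlencode 'scope=https://management.azure.com/.default' --data-urlencode 'grant_type=client_credentials' |
    jq -er '.access_token'
}
# Create or update the rule; the API answers 200 (updated) or 201 (created) on success.
put_firewall_rule() {
  code=$(curl -sS -o /dev/null -w '%{http_code}' -X PUT "$1" --data "$2" \
    -H "Authorization: Bearer $3" -H 'Content-Type: application/json')
  [ "$code" = 200 ] || [ "$code" = 201 ]
}

# Usage: azure_whitelist <firewallRuleName> <IPv4 address>
azure_whitelist() {
  body=$(firewall_rule_body "$2") || { echo "invalid IPv4 address: $2" >&2; return 1; }
  url=$(firewall_rule_url "$AZURE_SUBSCRIPTION_ID" "$AZURE_RESOURCE_GROUP" "$AZURE_SQL_SERVER" "$1")
  token=$(get_token)
  put_firewall_rule "$url" "$body" "$token"
}
if [ $# -ge 2 ]; then azure_whitelist "$@"; fi
```

Export the six variables from a secret store or the job's environment and run it as `./script.sh <firewallRuleName> <IPv4 address>`; a non-zero exit means the token or the PUT failed.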

azure_whitelist1.yaml
- defaultTab: nodes
  description: 'Update or create Azure firewall whitelist rule for IP to access the
    database'
  executionEnabled: true
  id: d63d774f-1302-4ed7-aa50-cdcf1bc96810
  loglevel: INFO
  name: Azure IP whitelist
  nodeFilterEditable: false
  options:
  - label: IP address
    name: IP
    regex: ^((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}$
    required: true
  - description: Rule name
    label: firewallRuleName
    name: firewallRuleName
    required: true
  plugins:
    ExecutionLifecycle: null
  scheduleEnabled: true
  sequence:
    commands:
    - script: |
        #!/bin/bash
        set -euo pipefail

        # Obtain an OAuth2 access token for the Azure management API (client-credentials grant).
        json=$(curl -sS -X POST -H "Content-Type: application/x-www-form-urlencoded" -d 'client_id=xxxxxxxxxx&scope=https%3A%2F%2Fmanagement.azure.com%2F.default&client_secret=xxxxxxxxxxxxxxxxxxxxxx&grant_type=client_credentials' 'https://login.microsoftonline.com/xxxxxxxxxxxxxxxxxxxxxxx/oauth2/v2.0/token')
        # jq -e fails when access_token is missing instead of yielding the string "null"
        token=$(jq -er '.access_token' <<<"${json}")

        # Create or update the rule; Rundeck substitutes the job option tokens in the inline script.
        curl --location --request PUT 'https://management.azure.com/subscriptions/xxxxxxxxxxxxxxxxx/resourceGroups/Default-SQL-WestEurope/providers/Microsoft.Sql/servers/xxxxxxxxxxxxx/firewallRules/@option.firewallRuleName@?api-version=2021-02-01-preview' --header "Authorization: Bearer ${token}" --header 'Content-Type: application/json' --data-raw '{
          "properties": {
            "startIpAddress": "@option.IP@",
            "endIpAddress": "@option.IP@"
          }
        }'
    keepgoing: true
    strategy: node-first
  uuid: d63d774f-1302-4ed7-aa50-cdcf1bc96810

Here is an alternative to the script above using Rundeck's “HTTP Request Node Step” (install the Rundeck HTTP Workflow Step Plugin and the jq filter plugin):

azure_whitelist2
- defaultTab: nodes
  description: 'Update or create Azure firewall whitelist rule for IP to access the
    database'
  executionEnabled: true
  id: c1354a3d-c0f9-4b56-a30c-ddac083d99ec
  loglevel: INFO
  name: Azure IP whitelist
  nodeFilterEditable: false
  options:
  - label: IP address
    name: IP
    regex: ^((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}$
    required: true
  - description: Rule name
    enforced: true
    label: firewallRuleName
    name: firewallRuleName
    required: true
    values:
    - aaa
    - bbb
    - cccc
    valuesListDelimiter: ','
  plugins:
    ExecutionLifecycle: null
  scheduleEnabled: true
  sequence:
    commands:
    - configuration:
        authentication: None
        body: client_id=xxxxxxxxxxxxxx&scope=https%3A%2F%2Fmanagement.azure.com%2F.default&client_secret=xxxxxxxxxxxxx&grant_type=client_credentials
        checkResponseCode: 'true'
        headers: |
          Content-Type: application/x-www-form-urlencoded
        method: POST
        printResponse: 'true'
        printResponseToFile: 'false'
        proxySettings: 'false'
        remoteUrl: https://login.microsoftonline.com/xxxxxxxxxxxxxxx/oauth2/v2.0/token
        responseCode: '200'
        sslVerify: 'true'
        timeout: '30000'
      nodeStep: true
      type: edu.ohio.ais.rundeck.HttpWorkflowNodeStepPlugin
    - configuration:
        authentication: None
        body: |-
          {
            "properties": {
              "startIpAddress": "${option.IP}",
              "endIpAddress": "${option.IP}"
            }
          }
        checkResponseCode: 'false'
        headers: |-
          Authorization: Bearer ${data.access_token}
          Content-Type: application/json
        method: PUT
        printResponse: 'true'
        printResponseToFile: 'false'
        proxySettings: 'false'
        remoteUrl: https://management.azure.com/subscriptions/xxxxxxxxxxxxxxx/resourceGroups/Default-SQL-WestEurope/providers/Microsoft.Sql/servers/xxxxxxxxxxx/firewallRules/${option.firewallRuleName}?api-version=2021-02-01-preview
        sslVerify: 'true'
        timeout: '30000'
      nodeStep: true
      type: edu.ohio.ais.rundeck.HttpWorkflowNodeStepPlugin
    keepgoing: true
    pluginConfig:
      LogFilter:
      - config:
          filter: .access_token
          logData: 'false'
          prefix: access_token
        type: json-mapper
    strategy: node-first
  uuid: c1354a3d-c0f9-4b56-a30c-ddac083d99ec

Replace the “xxxxxxxxxxx” placeholders with your values. Two things to keep in mind with this variant: the json-mapper log filter reads the token from the printed response of the first step, so the access token ends up in the execution log and the job's log access should be restricted accordingly; and the PUT step has checkResponseCode set to 'false', so the job will not fail on a rejected request and you need to inspect the printed response.

Tested on

  • Azure API 2022-09-02
  • Rundeck 4.5.0

wiki/updateing_azure_database_firewall_via_api.txt · Last modified: 2024/04/25 13:15 by antisa

Except where otherwise noted, content on this wiki is licensed under the following license: CC0 1.0 Universal