Defender: Azure Cosmos DB should disable public network access (#4324)

* Defender: Azure Cosmos DB should disable public network access #4322

CHANGELOG.md

@@ -9,12 +9,11 @@ ENHANCEMENTS:
 * Remove public IP from TRE's firewall when forced tunneling is configured ([#4346](https://github.com/microsoft/AzureTRE/pull/4346))
 * Upgrade AzureRM Terraform provider from `3.117.0` to `4.14.0`. ([[#4255](https://github.com/microsoft/AzureTRE/pull/4255/)])
 * Subnet definitions are now inline in the `azurerm_virtual_network` resource, and NSG associations are set using `security_group` in each subnet block (no separate `azurerm_subnet_network_security_group_association` needed). ([[#4255](https://github.com/microsoft/AzureTRE/pull/4255/)])
+* Azure Cosmos DB should disable public network access ([#4322](https://github.com/microsoft/AzureTRE/issues/4322))
 
 BUG FIXES:
 * Fix upgrade when porter install has failed ([#4338](https://github.com/microsoft/AzureTRE/pull/4338))
 
-
-
 COMPONENTS:
 
 ## 0.20.0 (Feburary 9, 2025)

core/terraform/cosmos_mongo.tf

@@ -1,12 +1,13 @@
 resource "azurerm_cosmosdb_account" "mongo" {
-  name                       = "cosmos-mongo-${var.tre_id}"
-  location                   = azurerm_resource_group.core.location
-  resource_group_name        = azurerm_resource_group.core.name
-  offer_type                 = "Standard"
-  kind                       = "MongoDB"
-  automatic_failover_enabled = false
-  mongo_server_version       = 4.2
-  ip_range_filter            = local.cosmos_ip_filter_set
+  name                          = "cosmos-mongo-${var.tre_id}"
+  location                      = azurerm_resource_group.core.location
+  resource_group_name           = azurerm_resource_group.core.name
+  offer_type                    = "Standard"
+  kind                          = "MongoDB"
+  automatic_failover_enabled    = false
+  mongo_server_version          = 4.2
+  ip_range_filter               = local.cosmos_ip_filter_set
+  public_network_access_enabled = var.enable_local_debugging
 
   capabilities {
     name = "EnableServerless"

core/terraform/locals.tf

@@ -16,17 +16,16 @@ locals {
   # https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-configure-firewall#allow-requests-from-the-azure-portal
 
   azure_portal_cosmos_ips_list = [
-    "104.42.195.92",
-    "40.76.54.131",
-    "52.176.6.30",
-    "52.169.50.45",
-    "52.187.184.26"
+    "13.91.105.215",
+    "4.210.172.107",
+    "13.88.56.148",
+    "40.91.218.243"
   ]
 
   cosmos_ip_filter_set = toset(
     var.enable_local_debugging
     ? concat(local.azure_portal_cosmos_ips_list, [local.myip])
-    : local.azure_portal_cosmos_ips_list
+    : []
   )
 
   # we define some zones in core despite not used by the core infra because

core/terraform/statestore.tf

@@ -5,9 +5,11 @@ resource "azurerm_cosmosdb_account" "tre_db_account" {
   offer_type                    = "Standard"
   kind                          = "GlobalDocumentDB"
   automatic_failover_enabled    = false
+  public_network_access_enabled = var.enable_local_debugging
   ip_range_filter               = local.cosmos_ip_filter_set
   local_authentication_disabled = true
   tags                          = local.tre_core_tags
+
   dynamic "capabilities" {
     # We can't change an existing cosmos
     for_each = var.is_cosmos_defined_throughput ? [] : [1]

core/version.txt

@@ -1 +1 @@
-__version__ = "0.12.0"
+__version__ = "0.12.1"