Table: azure_postgresql_server - Query Azure PostgreSQL Servers using SQL
Azure Database for PostgreSQL is a fully managed relational database service based on the open-source Postgres database engine. It's built to support the Postgres community edition, allowing users to leverage community-driven features and plugins. This service provides built-in high availability, security, and automated scaling to help businesses focus on application development rather than database management.
Table Usage Guide
The azure_postgresql_server
table provides insights into PostgreSQL servers within Azure Database for PostgreSQL. As a database administrator or developer, explore server-specific details through this table, including configuration settings, performance tiers, and resource usage. Utilize it to manage server settings, monitor resource consumption, and ensure optimal performance for your PostgreSQL databases within Azure.
Examples
Basic info
Explore which PostgreSQL servers are currently running on your Azure platform and where they are located. This information can assist in managing server distribution and planning for future resources.
select name, id, locationfrom azure_postgresql_server;
select name, id, locationfrom azure_postgresql_server;
List servers with encryption disabled
Discover the segments that contain servers with disabled encryption, enabling you to identify potential security vulnerabilities and take necessary action to enhance data protection.
select name, id, location, ssl_enforcementfrom azure_postgresql_serverwhere ssl_enforcement = 'Disabled';
select name, id, location, ssl_enforcementfrom azure_postgresql_serverwhere ssl_enforcement = 'Disabled';
List servers that allow access to Azure services
Explore which servers allow access to Azure services, a crucial element in managing security and controlling access. You can also pinpoint specific servers without an Active Directory admin, helping you identify potential vulnerabilities and areas that may require additional security measures.
select name, id, rule ->> 'Name' as rule_name, rule ->> 'Type' as rule_type, rule -> 'FirewallRuleProperties' ->> 'endIpAddress' as end_ip_address, rule -> 'FirewallRuleProperties' ->> 'startIpAddress' as start_ip_addressfrom azure_postgresql_server, jsonb_array_elements(firewall_rules) as rulewhere rule ->> 'Name' = 'AllowAllWindowsAzureIps' and rule -> 'FirewallRuleProperties' ->> 'startIpAddress' = '0.0.0.0' and rule -> 'FirewallRuleProperties' ->> 'endIpAddress' = '0.0.0.0';
select name, s.id, json_extract(rule.value, '$.Name') as rule_name, json_extract(rule.value, '$.Type') as rule_type, json_extract( rule.value, '$.FirewallRuleProperties.endIpAddress' ) as end_ip_address, json_extract( rule.value, '$.FirewallRuleProperties.startIpAddress' ) as start_ip_addressfrom azure_postgresql_server as s, json_each(firewall_rules) as rulewhere json_extract(rule.value, '$.Name') = 'AllowAllWindowsAzureIps' and json_extract( rule.value, '$.FirewallRuleProperties.startIpAddress' ) = '0.0.0.0' and json_extract( rule.value, '$.FirewallRuleProperties.endIpAddress' ) = '0.0.0.0';
List servers without an Active Directory admin
select name, id, locationfrom azure_postgresql_serverwhere server_administrators is null;
select name, id, locationfrom azure_postgresql_serverwhere server_administrators is null;
List servers with log checkpoints disabled
Determine the areas in which log checkpoints are disabled on your Azure PostgreSQL servers. This can help identify potential security vulnerabilities and improve your database management.
select name, configurations ->> 'Name' as configuration_name, configurations -> 'ConfigurationProperties' ->> 'value' as configuration_valuefrom azure_postgresql_server, jsonb_array_elements(server_configurations) as configurationswhere configurations ->> 'Name' = 'log_checkpoints' and configurations -> 'ConfigurationProperties' ->> 'value' = 'OFF';
select name, json_extract(configurations.value, '$.Name') as configuration_name, json_extract( configurations.value, '$.ConfigurationProperties.value' ) as configuration_valuefrom azure_postgresql_server, json_each(server_configurations) as configurationswhere json_extract(configurations.value, '$.Name') = 'log_checkpoints' and json_extract( configurations.value, '$.ConfigurationProperties.value' ) = 'OFF';
List servers with a logging retention period greater than 3 days
Determine the servers in your Azure PostgreSQL setup that have a logging retention period of more than 3 days. This is useful for ensuring your logging policies meet your organization's data retention requirements.
select name, configurations ->> 'Name' as configuration_name, configurations -> 'ConfigurationProperties' ->> 'value' as configuration_valuefrom azure_postgresql_server, jsonb_array_elements(server_configurations) as configurationswhere configurations ->> 'Name' = 'log_retention_days' and ( configurations -> 'ConfigurationProperties' ->> 'value' ) :: INTEGER > 3;
select name, json_extract(configurations.value, '$.Name') as configuration_name, json_extract( json_extract(configurations.value, '$.ConfigurationProperties'), '$.value' ) as configuration_valuefrom azure_postgresql_server, json_each(server_configurations) as configurationswhere json_extract(configurations.value, '$.Name') = 'log_retention_days' and cast( json_extract( json_extract(configurations.value, '$.ConfigurationProperties'), '$.value' ) as INTEGER ) > 3;
List servers with geo-redundant backup storage disabled
Discover the segments where servers are running without geo-redundant backup storage. This is useful for identifying potential risk areas in your server infrastructure where data loss may occur in the event of a server failure.
select name, id, location, geo_redundant_backupfrom azure_postgresql_serverwhere geo_redundant_backup = 'Disabled';
select name, id, location, geo_redundant_backupfrom azure_postgresql_serverwhere geo_redundant_backup = 'Disabled';
List private endpoint connection details
Explore the status and details of private endpoint connections on your Azure PostgreSQL server. This can help in identifying any required actions or understanding the current provisioning state of these connections.
select name as server_name, id as server_id, connections ->> 'id' as connection_id, connections ->> 'privateEndpointPropertyId' as connection_private_endpoint_property_id, connections ->> 'privateLinkServiceConnectionStateActionsRequired' as connection_actions_required, connections ->> 'privateLinkServiceConnectionStateDescription' as connection_description, connections ->> 'privateLinkServiceConnectionStateStatus' as connection_status, connections ->> 'provisioningState' as connection_provisioning_statefrom azure_postgresql_server, jsonb_array_elements(private_endpoint_connections) as connections;
select name as server_name, s.id as server_id, json_extract(connections.value, '$.id') as connection_id, json_extract(connections.value, '$.privateEndpointPropertyId') as connection_private_endpoint_property_id, json_extract( connections.value, '$.privateLinkServiceConnectionStateActionsRequired' ) as connection_actions_required, json_extract( connections.value, '$.privateLinkServiceConnectionStateDescription' ) as connection_description, json_extract( connections.value, '$.privateLinkServiceConnectionStateStatus' ) as connection_status, json_extract(connections.value, '$.provisioningState') as connection_provisioning_statefrom azure_postgresql_server as s, json_each(private_endpoint_connections) as connections;
Query examples
Control examples
- All Controls > PostgreSQL > Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled
- All Controls > PostgreSQL > Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server
- All Controls > PostgreSQL > Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server
- All Controls > PostgreSQL > PostgreSQL servers should have the latest TLS version
- CIS v1.3.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.1 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server
- CIS v1.3.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.3 Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server
- CIS v1.3.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.4 Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server
- CIS v1.3.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.5 Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server
- CIS v1.3.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.6 Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server
- CIS v1.3.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.7 Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server
- CIS v1.4.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.1 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server
- CIS v1.4.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.2 Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server
- CIS v1.4.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.3 Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server
- CIS v1.4.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.4 Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server
- CIS v1.4.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.5 Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server
- CIS v1.4.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.6 Ensure server parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server
- CIS v1.4.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.8 Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled'
- CIS v1.5.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.1 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server
- CIS v1.5.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.2 Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server
- CIS v1.5.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.3 Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server
- CIS v1.5.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.4 Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server
- CIS v1.5.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.5 Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server
- CIS v1.5.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.6 Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server
- CIS v1.5.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.8 Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled'
- CIS v2.0.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.1 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server
- CIS v2.0.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.2 Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server
- CIS v2.0.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.3 Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server
- CIS v2.0.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.4 Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server
- CIS v2.0.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.5 Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server
- CIS v2.0.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.6 Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server
- CIS v2.0.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.7 Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled
- CIS v2.0.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.8 Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled'
- CIS v2.1.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.1 Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server
- CIS v2.1.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.2 Ensure Server Parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server
- CIS v2.1.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.3 Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server
- CIS v2.1.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.4 Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server
- CIS v2.1.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.5 Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server
- CIS v2.1.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.6 Ensure Server Parameter 'log_retention_days' is greater than 3 days for PostgreSQL Database Server
- CIS v2.1.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.7 Ensure 'Allow access to Azure services' for PostgreSQL Database Server is disabled
- CIS v2.1.0 > 4 Database Services > 4.3 PostgreSQL Database Server > 4.3.8 Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled'
- CIS v3.0.0 > 5 Database Services > 5.2 Azure Database for PostgreSQL > 5.2.6 [LEGACY]Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL single Server
- CIS v3.0.0 > 5 Database Services > 5.2 Azure Database for PostgreSQL > 5.2.7 [LEGACY]Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL single Server
- CIS v3.0.0 > 5 Database Services > 5.2 Azure Database for PostgreSQL > 5.2.8 [LEGACY]Ensure 'Infrastructure double encryption' for PostgreSQL Database Server is 'Enabled'
- Enforce SSL connection should be enabled for PostgreSQL database servers
- Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server
- Ensure server parameter 'log_connections' is set to 'ON' for PostgreSQL Database Server
- Ensure server parameter 'log_disconnections' is set to 'ON' for PostgreSQL Database Server
- Ensure server parameter 'log_duration' is set to 'ON' for PostgreSQL Database Server
- Geo-redundant backup should be enabled for Azure Database for PostgreSQL
- Infrastructure encryption should be enabled for Azure Database for PostgreSQL servers
- PostgreSQL servers should use customer-managed keys to encrypt data at rest
- Private endpoint should be enabled for PostgreSQL servers
- Public network access should be disabled for PostgreSQL servers
Schema for azure_postgresql_server
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | Steampipe context in JSON form. | |
administrator_login | text | Specifies the username of the administrator for this server. | |
akas | jsonb | Array of globally unique identifier strings (also known as) for the resource. | |
backup_retention_days | bigint | Backup retention days for the server. | |
byok_enforcement | text | Status showing whether the server data encryption is enabled with customer-managed keys. | |
cloud_environment | text | The Azure Cloud Environment. | |
earliest_restore_date | timestamp with time zone | Specifies the earliest restore point creation time. | |
firewall_rules | jsonb | A list of firewall rules for a server. | |
fully_qualified_domain_name | text | The fully qualified domain name of the server. | |
geo_redundant_backup | text | Indicates whether Geo-redundant is enabled, or not for server backup. | |
id | text | Contains ID to identify a server uniquely. | |
infrastructure_encryption | text | Status showing whether the server enabled infrastructure encryption. Possible values include: 'InfrastructureEncryptionEnabled', 'InfrastructureEncryptionDisabled'. | |
location | text | The resource location. | |
master_server_id | text | The master server id of a replica server. | |
minimal_tls_version | text | Enforce a minimal Tls version for the server. Possible values include: 'TLS10', 'TLS11', 'TLS12', 'TLSEnforcementDisabled'. | |
name | text | = | The friendly name that identifies the server. |
private_endpoint_connections | jsonb | A list of private endpoint connections on a server. | |
public_network_access | text | Indicates whether or not public network access is allowed for this server. Value is optional but if passed in, must be 'Enabled' or 'Disabled'. Possible values include: 'PublicNetworkAccessEnumEnabled', 'PublicNetworkAccessEnumDisabled'. | |
region | text | The Azure region/location in which the resource is located. | |
replica_capacity | bigint | The maximum number of replicas that a master server can have. | |
replication_role | text | The replication role of the server. | |
resource_group | text | = | The resource group which holds this resource. |
server_administrators | jsonb | A list of server administrators. | |
server_configurations | jsonb | A list of configurations for a server. | |
server_keys | jsonb | A list of server keys for a server. | |
server_security_alert_policy | jsonb | Server security alert policy associated with the PostgreSQL Server. | |
sku_capacity | bigint | The scale up/out capacity, representing server's compute units. | |
sku_family | text | The family of hardware. | |
sku_name | text | The name of the sku. For example: 'B_Gen4_1', 'GP_Gen5_8'. | |
sku_size | text | The size code, to be interpreted by resource as appropriate. | |
sku_tier | text | The tier of the particular SKU. Possible values include: 'Basic', 'GeneralPurpose', 'MemoryOptimized'. | |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | Steampipe context in JSON form. | |
ssl_enforcement | text | Enable ssl enforcement or not when connect to server. Possible values include: 'Enabled', 'Disabled'. | |
storage_auto_grow | text | Indicates whether storage auto grow is enabled, or not. | |
storage_mb | bigint | Indicates max storage allowed for a server. | |
subscription_id | text | =, !=, ~~, ~~*, !~~, !~~* | The Azure Subscription ID in which the resource is located. |
tags | jsonb | A map of tags for the resource. | |
title | text | Title of the resource. | |
type | text | The resource type of the SQL server. | |
user_visible_state | text | A state of a server that is visible to user. Possible values include: 'ServerStateReady', 'ServerStateDropping', 'ServerStateDisabled', 'ServerStateInaccessible'. | |
version | text | Specifies the version of the server. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh
script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- azure
You can pass the configuration to the command with the --config
argument:
steampipe_export_azure --config '<your_config>' azure_postgresql_server