[IMPROVEMENT] Lack of Automated Script in Cosmos DB Firewall Update Instructions
Description: The current instructions for updating the Cosmos DB firewall settings do not include an automated method to add the user's current public IP address. Users often encounter issues when their requests originate from an IP that is blocked by the Cosmos DB firewall, as indicated by the error:
```
azure.cosmos.exceptions.CosmosHttpResponseError: (Forbidden) Request originated from IP xx.xx.xx.xx through public internet. This is blocked by your Cosmos DB account firewall settings.
```
Details: When users attempt to connect to Cosmos DB from an unlisted IP address, they receive the above error. This requires them to manually check their public IP and then update the Cosmos DB firewall settings, a process that can be tedious and error-prone.
Expected Behavior: Users should have a seamless way to add their current public IP address to the Cosmos DB firewall settings without having to manually determine their IP and update the settings.
Actual Behavior: Users need to manually determine their public IP and update the Cosmos DB firewall settings, resulting in possible human errors and inefficiencies.
Steps to Reproduce:
- Access Cosmos DB from an IP not listed in the firewall settings.
- Observe the aforementioned error.
- Manually determine the public IP.
- Manually update the Cosmos DB firewall settings to include the new IP.
Suggested Fix: Provide an automated bash script that:
- Determines the user's public IP.
- Fetches the existing allowed IPs from the Cosmos DB firewall settings.
- Adds the new IP to the list if not already present.
- Updates the firewall settings with the new list.
Here's the script:
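```bash
#!/bin/bash
# Abort on any failed command so a failed lookup can never lead to an overwrite
set -euo pipefail

# Ensure required environment variables are set
if [[ -z "${COSMOS_ENDPOINT:-}" || -z "${GROUP:-}" ]]; then
  echo "Please make sure the COSMOS_ENDPOINT and GROUP environment variables are set." >&2
  exit 1
fi

# Extract Cosmos DB account name from the endpoint URL
COSMOS_DB_ACCOUNT_NAME=$(echo "$COSMOS_ENDPOINT" | awk -F'://' '{print $2}' | awk -F'.' '{print $1}')

# Fetch the public IPv4 address and refuse to continue unless it looks like one
MY_IP=$(curl -4 -fsS https://ifconfig.me)
if [[ ! $MY_IP =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
  echo "Could not determine a valid public IPv4 address (got: '$MY_IP')." >&2
  exit 1
fi

# Fetch existing allowed IPs from Cosmos DB.
# Note: newer Azure CLI versions return this list under ipRules[].ipAddressOrRange
# instead of ipRangeFilter. If this comes back empty for an account that has rules,
# adjust the query before running the update below, which replaces the whole list.
EXISTING_IPS=$(az cosmosdb show --name "$COSMOS_DB_ACCOUNT_NAME" --resource-group "$GROUP" --query "ipRangeFilter" -o tsv)

# Check if your IP is already in the list (whole-entry match, not substring,
# so 1.2.3.4 is not mistaken for an existing 11.2.3.45)
if [[ ",$EXISTING_IPS," == *",$MY_IP,"* ]]; then
  echo "Your IP ($MY_IP) is already in the list."
  exit 0
fi

# Combine your IP with the existing IPs
if [ -z "$EXISTING_IPS" ]; then
  NEW_IPS=$MY_IP
else
  NEW_IPS="$EXISTING_IPS,$MY_IP"
fi

# Update the firewall rules
az cosmosdb update --name "$COSMOS_DB_ACCOUNT_NAME" --resource-group "$GROUP" --ip-range-filter "$NEW_IPS"
echo "Firewall rules updated successfully."
```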
Users just need to set the COSMOS_ENDPOINT and GROUP environment variables to their Cosmos DB endpoint and resource group and then run the script.
Environment:
- Azure Cosmos DB SDK version: (e.g., 2.14.0, or the version you are referring to)
- Azure CLI version: (e.g., 2.x.x)
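
Added example, not part of the original issue or of any project code: a stricter form of the "adds the new IP to the list if not already present" step from the suggested fix. It goes beyond the script by also treating an address as present when an existing CIDR range covers it; the function names and the sample filter are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: whole-entry / CIDR-aware membership test for a comma-separated
# Cosmos DB IP filter. Function names and sample data are hypothetical.

# ip_to_int A.B.C.D -> prints the address as a 32-bit integer; returns 1 if malformed.
ip_to_int() {
  local a b c d
  [[ $1 =~ ^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$ ]] || return 1
  # 10# forces base 10 so an octet such as "010" is not parsed as octal
  a=$((10#${BASH_REMATCH[1]})); b=$((10#${BASH_REMATCH[2]}))
  c=$((10#${BASH_REMATCH[3]})); d=$((10#${BASH_REMATCH[4]}))
  (( a <= 255 && b <= 255 && c <= 255 && d <= 255 )) || return 1
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# ip_in_filter IP "entry,entry,..." -> returns 0 if IP is covered by an entry,
# 1 if it is not, 2 if IP itself is not a valid IPv4 address.
ip_in_filter() {
  local ip_int entry net bits net_int mask entries
  ip_int=$(ip_to_int "$1") || return 2
  IFS=',' read -ra entries <<< "$2"
  for entry in "${entries[@]}"; do
    entry=${entry// /}                 # tolerate spaces after commas
    net=${entry%%/*}
    bits=32                            # a bare address is a /32
    if [[ $entry == */* ]]; then bits=${entry##*/}; fi
    [[ $bits =~ ^[0-9]{1,2}$ ]] || continue
    bits=$((10#$bits))
    (( bits <= 32 )) || continue
    net_int=$(ip_to_int "$net") || continue   # skip malformed entries
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    if (( (ip_int & mask) == (net_int & mask) )); then return 0; fi
  done
  return 1
}

# Constructed sample filter (documentation address ranges, not real data).
SAMPLE_FILTER="203.0.113.70,198.51.100.0/24"
for ip in 203.0.113.7 203.0.113.70 198.51.100.200; do
  if ip_in_filter "$ip" "$SAMPLE_FILTER"; then
    echo "$ip: already covered"
  else
    echo "$ip: not covered, would be appended"
  fi
done
```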