SQL DB Instance Publicly Accessible

• Query id: 7d7054c0-3a52-4e9b-b9ff-cbfe16a2378b
• Query name: SQL DB Instance Publicly Accessible
• Platform: Ansible
• Severity: High
• Category: Insecure Configurations
• URL: Github

Description

Cloud SQL instances should not be publicly accessible.
Documentation

Code samples

Code samples with security vulnerabilities

Postitive test num. 1 - yaml file

- name: sql_instance
  google.cloud.gcp_sql_instance:
    auth_kind: serviceaccount
    name: "{{ resource_name }}-2"
    project: test_project
    region: us-central1
    service_account_file: /tmp/auth.pem
    settings:
      ip_configuration:
        authorized_networks:
          - name: "google dns server"
            value: "0.0.0.0"
      tier: db-n1-standard-1
    state: present
- name: sql_instance2
  google.cloud.gcp_sql_instance:
    auth_kind: serviceaccount
    name: "{{ resource_name }}-2"
    project: test_project
    region: us-central1
    service_account_file: /tmp/auth.pem
    settings:
      ip_configuration:
        ipv4_enabled: yes
      tier: db-n1-standard-1
    state: present
- name: sql_instance3
  google.cloud.gcp_sql_instance:
    auth_kind: serviceaccount
    name: "{{ resource_name }}-2"
    project: test_project
    region: us-central1
    service_account_file: /tmp/auth.pem
    settings:
      tier: db-n1-standard-1
    state: present

Code samples without security vulnerabilities

Negative test num. 1 - yaml file

- name: sql_instance
  google.cloud.gcp_sql_instance:
    auth_kind: serviceaccount
    name: '{{ resource_name }}-2'
    project: test_project
    region: us-central1
    service_account_file: /tmp/auth.pem
    settings:
      ip_configuration:
        authorized_networks:
        - name: google dns server
          value: 8.8.8.8/32
      tier: db-n1-standard-1
    state: present