SQL DB Instance Publicly Accessible

  • Query id: 7d7054c0-3a52-4e9b-b9ff-cbfe16a2378b
  • Query name: SQL DB Instance Publicly Accessible
  • Platform: Ansible
  • Severity: High
  • Category: Insecure Configurations
  • URL: Github

Description

Cloud SQL instances should not be publicly accessible.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
- name: sql_instance
  google.cloud.gcp_sql_instance:
    auth_kind: serviceaccount
    name: "{{ resource_name }}-2"
    project: test_project
    region: us-central1
    service_account_file: /tmp/auth.pem
    settings:
      ip_configuration:
        authorized_networks:
          - name: "google dns server"
            value: "0.0.0.0"
      tier: db-n1-standard-1
    state: present
- name: sql_instance2
  google.cloud.gcp_sql_instance:
    auth_kind: serviceaccount
    name: "{{ resource_name }}-2"
    project: test_project
    region: us-central1
    service_account_file: /tmp/auth.pem
    settings:
      ip_configuration:
        ipv4_enabled: yes
      tier: db-n1-standard-1
    state: present
- name: sql_instance3
  google.cloud.gcp_sql_instance:
    auth_kind: serviceaccount
    name: "{{ resource_name }}-2"
    project: test_project
    region: us-central1
    service_account_file: /tmp/auth.pem
    settings:
      tier: db-n1-standard-1
    state: present

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
- name: sql_instance
  google.cloud.gcp_sql_instance:
    auth_kind: serviceaccount
    name: '{{ resource_name }}-2'
    project: test_project
    region: us-central1
    service_account_file: /tmp/auth.pem
    settings:
      ip_configuration:
        authorized_networks:
        - name: google dns server
          value: 8.8.8.8/32
      tier: db-n1-standard-1
    state: present