SQL DB Instance Publicly Accessible
- Query id: b187edca-b81e-4fdc-aff4-aab57db45edb
- Query name: SQL DB Instance Publicly Accessible
- Platform: Terraform
- Severity: Critical
- Category: Insecure Configurations
- CWE: 732
- URL: Github
Description
Cloud SQL instances should not be publicly accessible. The query flags a `google_sql_database_instance` whose `settings` block has no `ip_configuration`, whose `ip_configuration` leaves `ipv4_enabled` at its default of `true` (or sets it explicitly) without restricting access through `authorized_networks`, or whose `authorized_networks` contains the unrestricted range `0.0.0.0/0`. An instance with `ipv4_enabled = false` and a `private_network`, or one reachable only from specific authorized networks, passes.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - tf file

```tf
resource "google_sql_database_instance" "positive1" {
  name             = "master-instance"
  database_version = "POSTGRES_11"
  region           = "us-central1"

  # No ip_configuration block: ipv4_enabled defaults to true,
  # so the instance gets a public IPv4 address.
  settings {
    # Second-generation instance tiers are based on the machine
    # type. See argument reference below.
    tier = "db-f1-micro"
  }
}

resource "google_sql_database_instance" "positive2" {
  name             = "postgres-instance-2"
  database_version = "POSTGRES_11"

  settings {
    tier = "db-f1-micro"

    ip_configuration {
      # Authorizing 0.0.0.0/0 allows connections from any address.
      authorized_networks {
        name  = "pub-network"
        value = "0.0.0.0/0"
      }
    }
  }
}

resource "google_sql_database_instance" "positive3" {
  name             = "master-instance"
  database_version = "POSTGRES_11"
  region           = "us-central1"

  settings {
    # Second-generation instance tiers are based on the machine
    # type. See argument reference below.
    tier = "db-f1-micro"

    ip_configuration {
      # Public IPv4 explicitly enabled with no authorized_networks.
      ipv4_enabled = true
    }
  }
}

resource "google_sql_database_instance" "positive4" {
  name             = "master-instance"
  database_version = "POSTGRES_11"
  region           = "us-central1"

  settings {
    # Second-generation instance tiers are based on the machine
    # type. See argument reference below.
    tier = "db-f1-micro"

    # Empty block: ipv4_enabled still defaults to true.
    ip_configuration {}
  }
}
```
Code samples without security vulnerabilities
Negative test num. 1 - tf file

```tf
resource "google_sql_database_instance" "negative1" {
  name             = "private-instance-1"
  database_version = "POSTGRES_11"

  settings {
    ip_configuration {
      # No public IPv4 address; reachable only over the private network.
      ipv4_enabled    = false
      private_network = "some_private_network"
    }
  }
}

resource "google_sql_database_instance" "negative2" {
  name             = "postgres-instance-2"
  database_version = "POSTGRES_11"

  settings {
    tier = "db-f1-micro"

    ip_configuration {
      # Access restricted to specific trusted networks; no 0.0.0.0/0 entry.
      authorized_networks {
        content {
          name  = "some_trusted_network"
          value = "some_trusted_network_address"
        }
      }
      authorized_networks {
        content {
          name  = "another_trusted_network"
          value = "another_trusted_network_address"
        }
      }
    }
  }
}
```
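The decision logic implied by the positive and negative samples above, written out as an added Python example (this is not the KICS Rego query; the rule reconstruction and the dict-shaped inputs mirroring the samples are assumptions made here):

```python
"""Decision logic of the 'SQL DB Instance Publicly Accessible' check, reconstructed
from the page's samples (an added example, not the KICS Rego query). Input is a
pre-parsed `settings` block of a google_sql_database_instance."""
from typing import Any

PUBLIC_CIDRS = {"0.0.0.0/0", "::/0"}


def public_exposure_findings(settings: dict[str, Any]) -> list[str]:
    """Return why `settings` leaves the instance publicly reachable; [] means it passes."""
    ip_cfg = settings.get("ip_configuration")
    if ip_cfg is None:
        # No ip_configuration block: the provider default is ipv4_enabled = true,
        # so the instance receives a public IPv4 address (positive1).
        return ["ip_configuration missing; ipv4_enabled defaults to true"]
    findings: list[str] = []
    # The negative2 fixture nests each entry in a `content` block; accept both shapes.
    networks = [n.get("content", n) for n in ip_cfg.get("authorized_networks", [])]
    # ipv4_enabled also defaults to true when omitted inside the block (positive4).
    if ip_cfg.get("ipv4_enabled", True) and not networks:
        findings.append("public IPv4 enabled with no authorized_networks restricting access")
    for net in networks:
        if net.get("value") in PUBLIC_CIDRS:
            findings.append(f"authorized_networks {net.get('name')!r} allows {net['value']}")
    return findings


# Constructed inputs mirroring the page's samples (HCL blocks written as dicts).
SAMPLES: dict[str, dict[str, Any]] = {
    "positive1": {"tier": "db-f1-micro"},
    "positive2": {"ip_configuration": {"authorized_networks": [
        {"name": "pub-network", "value": "0.0.0.0/0"}]}},
    "positive3": {"ip_configuration": {"ipv4_enabled": True}},
    "positive4": {"ip_configuration": {}},
    "negative1": {"ip_configuration": {"ipv4_enabled": False,
                                       "private_network": "some_private_network"}},
    "negative2": {"ip_configuration": {"authorized_networks": [
        {"content": {"name": "some_trusted_network", "value": "some_trusted_network_address"}},
        {"content": {"name": "another_trusted_network", "value": "another_trusted_network_address"}}]}},
}


def scan_samples() -> dict[str, list[str]]:
    """Run the check over every sample; positives get findings, negatives get none."""
    return {name: public_exposure_findings(cfg) for name, cfg in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(name, "FAIL" if findings else "PASS", *findings, sep=" | ")
```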