terraform.gcp.security.gcp-sql-database-require-ssl.gcp-sql-database-require-ssl

Author
unknown
Ensure every Cloud SQL database instance requires all incoming connections to use SSL

Definition

rules:
  - id: gcp-sql-database-require-ssl
    patterns:
      - pattern: resource
      - pattern-inside: |
          resource "google_sql_database_instance" "..." {
              ...
          }
      - pattern-not-inside: |
          resource "google_sql_database_instance" "..." {
              ...
              ip_configuration {
                  ...
                  require_ssl = true
                  ...
              }
              ...
          }
    message: Ensure every Cloud SQL database instance requires all incoming
      connections to use SSL
    metadata:
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      cwe:
        - "CWE-326: Inadequate Encryption Strength"
      category: security
      technology:
        - terraform
        - gcp
      references:
        - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
      subcategory:
        - vuln
      likelihood: LOW
      impact: MEDIUM
      confidence: MEDIUM
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
    languages:
      - hcl
    severity: WARNING

Examples

gcp-sql-database-require-ssl.tf

# fail: no ip_configuration block at all, so nothing sets require_ssl
# ruleid: gcp-sql-database-require-ssl
resource "google_sql_database_instance" "fail" {
  database_version = "MYSQL_8_0"
  name             = "instance"
  region           = "us-central1"
  settings {
    tier = "db-f1-micro"
  }
}

# ok: gcp-sql-database-require-ssl
# The google provider reads ip_configuration as a nested block of settings,
# so require_ssl = true lives there.
resource "google_sql_database_instance" "success" {
  database_version = "MYSQL_8_0"
  name             = "instance"
  region           = "us-central1"
  settings {
    tier = "db-f1-micro"
    ip_configuration {
      ipv4_enabled = true
      require_ssl  = true
    }
  }
}
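To make the rule's pattern-inside / pattern-not-inside logic concrete, here is a small Python checker, added here as an illustration and not part of the Semgrep rule or the fixture above. It parses only the line-oriented HCL subset the fixture uses (one block header or one attribute per line, a lone `}` closing a block), then treats a `google_sql_database_instance` resource as compliant when any `ip_configuration` block at any depth inside it sets `require_ssl = true`, so a missing block and an explicit `require_ssl = false` are both reported, which matches the rule text. It also goes one step beyond the rule and reports an `ip_configuration` block that is not nested under `settings`, where the google provider schema expects it. The function and variable names and the sample Terraform are constructed for this example.

```python
import re
from typing import Iterator

# Block header such as `resource "google_sql_database_instance" "fail" {`
BLOCK_OPEN = re.compile(r'^(\w+)((?:\s+"[^"]*")*)\s*\{$')
# One-line attribute such as `require_ssl = true`
ATTR = re.compile(r'^(\w+)\s*=\s*(.+)$')


def parse_hcl(text: str) -> list[dict]:
    """Parse the fixture's HCL subset into nested dicts (type, labels, attrs, blocks)."""
    root = {"type": "<root>", "labels": [], "attrs": {}, "blocks": []}
    stack = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments; assumes no '#' inside strings
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: unbalanced '}}'")
            stack.pop()
            continue
        header = BLOCK_OPEN.match(line)
        if header:
            node = {"type": header.group(1),
                    "labels": re.findall(r'"([^"]*)"', header.group(2)),
                    "attrs": {}, "blocks": []}
            stack[-1]["blocks"].append(node)
            stack.append(node)
            continue
        attr = ATTR.match(line)
        if attr:
            stack[-1]["attrs"][attr.group(1)] = attr.group(2)
            continue
        raise ValueError(f"line {lineno}: unsupported syntax {raw!r}")
    if len(stack) != 1:
        raise ValueError(f"unclosed block {stack[-1]['type']!r}")
    return root["blocks"]


def walk(node: dict) -> Iterator[dict]:
    """Yield a block and every block nested inside it, at any depth."""
    yield node
    for child in node["blocks"]:
        yield from walk(child)


def sql_instances(text: str) -> list[dict]:
    """Top-level resources of type google_sql_database_instance."""
    return [b for b in parse_hcl(text)
            if b["type"] == "resource" and b["labels"][:1] == ["google_sql_database_instance"]]


def requires_ssl(resource: dict) -> bool:
    """Mirror of the rule's pattern-not-inside: some ip_configuration block in the
    resource sets require_ssl = true. A missing block or require_ssl = false fails."""
    return any(b["type"] == "ip_configuration" and b["attrs"].get("require_ssl") == "true"
               for b in walk(resource))


def find_violations(text: str) -> list[str]:
    """Names of the instances the rule would flag."""
    return [r["labels"][1] for r in sql_instances(text) if not requires_ssl(r)]


def misplaced_ip_configuration(text: str) -> list[str]:
    """Caveat beyond the rule: the google provider reads ip_configuration under
    settings, so a block elsewhere satisfies the pattern but is not applied."""
    names = []
    for r in sql_instances(text):
        for parent in walk(r):
            for child in parent["blocks"]:
                if (child["type"] == "ip_configuration" and parent["type"] != "settings"
                        and r["labels"][1] not in names):
                    names.append(r["labels"][1])
    return names


# Constructed sample covering the rule's outcomes; not from any real deployment.
SAMPLE_TF = """
resource "google_sql_database_instance" "fail" {
  name = "no-ip-config"
  settings {
    tier = "db-f1-micro"
  }
}
resource "google_sql_database_instance" "explicit_off" {
  name = "ssl-off"
  settings {
    ip_configuration {
      require_ssl = false
    }
  }
}
resource "google_sql_database_instance" "misplaced" {
  name = "ssl-outside-settings"
  ip_configuration {
    require_ssl = true
  }
  settings {
    tier = "db-f1-micro"
  }
}
resource "google_sql_database_instance" "success" {
  name = "ssl-on"
  settings {
    ip_configuration {
      ipv4_enabled = true
      require_ssl  = true
    }
  }
}
"""

if __name__ == "__main__":
    print("rule findings:", find_violations(SAMPLE_TF))            # ['fail', 'explicit_off']
    print("misplaced:", misplaced_ip_configuration(SAMPLE_TF))     # ['misplaced']
```

The `misplaced` resource shows why the provider-schema check is worth running alongside the rule: the pattern is satisfied, yet Terraform will not apply a top-level `ip_configuration`, so the instance still accepts plaintext connections.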