SQL DB Instance Publicly Accessible

ID

gcp_sql_db_instance_publicly_accesible

Severity

high

Vendor

GCP

Resource

NETWORK

Tags

reachable

Description

A Cloud SQL instance should allow connections only from trusted networks, to prevent unauthorized access to the database from outside sources. Use authorized networks or a private network to specify which IP addresses or ranges are allowed to connect to the instance.

To fix it, you must define an ip_configuration and one of the following configurations:

  • Configure one or more authorized_networks, avoiding the unrestricted range 0.0.0.0,

    • ipv4_enabled should not be enabled when there are no authorized networks

  • Configure a private_network

Learn more about this topic at Authorize with authorized networks.

Examples

---
- name: create an instance
  google.cloud.gcp_sql_instance:
    name: "my-instance"
    settings:
      ip_configuration:
        ipv4_enabled: true
      tier: db-n1-standard-1
    region: us-central1
    project: my-project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present

Mitigation / Fix

---
- name: create an instance
  google.cloud.gcp_sql_instance:
    name: "my-instance"
    settings:
      ip_configuration:
        authorized_networks:
        - name: google dns server
          value: 8.8.8.8/32
        ipv4_enabled: true
      tier: db-n1-standard-1
    region: us-central1
    project: my-project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
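The rule's conditions expressed as a check over Ansible tasks, as an added example that is not part of the rule's own tooling: it assumes the playbook has already been loaded from YAML into Python dicts (the parsing step is left out so the block has no third-party dependency), and it treats a missing ipv4_enabled as enabled, which is an assumption.

```python
# Added example (not the rule's own tooling): applies this rule's conditions to
# Ansible tasks already loaded from YAML into Python dicts. YAML parsing is
# assumed to have happened upstream so the block needs no extra dependency.
MODULE = "google.cloud.gcp_sql_instance"
# The page names 0.0.0.0 as the unrestricted range; the CIDR spelling is
# included too since that is how it appears in authorized_networks values.
UNRESTRICTED = {"0.0.0.0", "0.0.0.0/0"}


def is_publicly_accessible(task: dict) -> bool:
    """True when the task leaves the Cloud SQL instance reachable from any IP."""
    module = task.get(MODULE)
    if module is None:
        return False  # some other module; out of scope for this rule
    ip_cfg = (module.get("settings") or {}).get("ip_configuration")
    if not isinstance(ip_cfg, dict):
        return True  # the rule requires ip_configuration to be defined
    if ip_cfg.get("private_network"):
        return False  # private connectivity configured: compliant
    networks = ip_cfg.get("authorized_networks") or []
    values = {str(n.get("value", "")).strip() for n in networks}
    if values & UNRESTRICTED:
        return True  # an authorized network that admits the whole internet
    # Assumption: a missing ipv4_enabled is treated as enabled, since Cloud SQL
    # assigns a public address unless told otherwise.
    ipv4_enabled = bool(ip_cfg.get("ipv4_enabled", True))
    return ipv4_enabled and not values


def flagged_tasks(tasks: list) -> list:
    """Names of the tasks in a play that violate the rule."""
    return [t.get("name", "<unnamed>") for t in tasks if is_publicly_accessible(t)]


# Constructed sample play: the page's two examples plus two more variants.
SAMPLE_PLAY = [
    {"name": "public, no authorized networks",
     MODULE: {"settings": {"ip_configuration": {"ipv4_enabled": True}}}},
    {"name": "public, restricted to one host",
     MODULE: {"settings": {"ip_configuration": {
         "ipv4_enabled": True,
         "authorized_networks": [{"name": "google dns server", "value": "8.8.8.8/32"}]}}}},
    {"name": "public, open to everyone",
     MODULE: {"settings": {"ip_configuration": {
         "ipv4_enabled": True,
         "authorized_networks": [{"name": "anyone", "value": "0.0.0.0/0"}]}}}},
    {"name": "private network only",
     MODULE: {"settings": {"ip_configuration": {
         "ipv4_enabled": False,
         "private_network": "projects/my-project/global/networks/default"}}}},
]

if __name__ == "__main__":
    print(flagged_tasks(SAMPLE_PLAY))  # prints the two non-compliant task names
```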