SQL Instance should not have Contained Database Authentication On

ID

gcp_sql_instance_cont_db_auth

Severity

low

Vendor

GCP

Resource

AIM

Tags

reachable

Description

Contained database authentication is a SQL Server feature that lets users authenticate directly to a database, with database-level users and passwords, instead of through a login on the SQL Server instance. It moves the authentication boundary from the instance to the database, so instance-level login controls no longer apply: for example, anyone holding ALTER ANY USER in a contained database can create users who can connect, without the instance administrator being involved. On Google Cloud SQL Server instances this creates security risks and compliance issues. It is recommended to keep this flag off and keep authentication at the instance (login) level. By default, the flag value is off (disabled).

To fix it, set the contained database authentication flag to 'off' or remove it from the instance's database flags (off is the default).

Learn more about this topic at Cloud SQL - Configure database flags.
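As an added example (not code from this rule page or from the google.cloud Ansible collection), the check below applies this rule to a parsed Ansible playbook and shows a remediation that sets the flag to 'off' without dropping the instance's other database flags. It assumes the structure PyYAML hands Ansible (a list of plays, each with a `tasks` list) and uses a constructed sample playbook instead of real files; the function names are my own.

```python
# Added example, not part of the original rule page: checker and fixer for
# Ansible google.cloud.gcp_sql_instance tasks that mirrors this rule.
# SAMPLE_PLAYBOOK is a constructed, already-parsed playbook; nothing here
# talks to Google Cloud.
import copy

FLAG_NAME = "contained database authentication"
MODULE_NAMES = ("google.cloud.gcp_sql_instance", "gcp_sql_instance")


def _flag_value(value):
    """Normalise a flag value to lowercase text such as 'on' or 'off'.

    Ansible parses YAML 1.1, where an unquoted `on`/`off` becomes a boolean,
    so a checker must treat True/False like 'on'/'off' or it misses that case.
    """
    if isinstance(value, bool):
        return "on" if value else "off"
    return str(value).strip().lower()


def _instance_args(task):
    """Return the module arguments if the task manages a Cloud SQL instance."""
    for module in MODULE_NAMES:
        if module in task:
            return task[module]
    return None


def _flags(args):
    settings = args.get("settings") or {}
    # The module parameter is snake_case; tolerate the API camelCase spelling too.
    return settings.get("database_flags") or settings.get("databaseFlags") or []


def flag_is_on(task):
    """True when the task turns contained database authentication on."""
    args = _instance_args(task)
    if args is None:
        return False
    for flag in _flags(args):
        if str(flag.get("name", "")).strip().lower() == FLAG_NAME:
            return _flag_value(flag.get("value")) == "on"
    return False  # flag absent: Cloud SQL's default is off


def violations(playbook):
    """Names of the tasks in a parsed playbook that violate the rule."""
    return [
        task.get("name", "<unnamed>")
        for play in playbook
        for task in play.get("tasks", [])
        if flag_is_on(task)
    ]


def remediate(task):
    """Return a copy of the task with the flag set to 'off'.

    Other database flags are kept: a fix that replaced the whole list would
    silently reset unrelated settings on the instance.
    """
    fixed = copy.deepcopy(task)
    args = _instance_args(fixed)
    if args is not None:
        for flag in _flags(args):
            if str(flag.get("name", "")).strip().lower() == FLAG_NAME:
                flag["value"] = "off"
    return fixed


# Constructed sample: the page's non-compliant task plus three edge cases.
SAMPLE_PLAYBOOK = [{"hosts": "localhost", "tasks": [
    {"name": "create an instance (flag on)",  # quoted 'on', as on the page
     "google.cloud.gcp_sql_instance": {"name": "test_object", "settings": {
         "tier": "db-n1-standard-1",
         "database_flags": [
             {"name": "contained database authentication", "value": "on"},
             {"name": "cross db ownership chaining", "value": "off"},
         ]}}},
    {"name": "create an instance (unquoted on)",  # YAML already made it True
     "google.cloud.gcp_sql_instance": {"name": "test_object_2", "settings": {
         "database_flags": [
             {"name": "Contained Database Authentication", "value": True},
         ]}}},
    {"name": "create an instance (flag off)",  # compliant
     "google.cloud.gcp_sql_instance": {"name": "test_object_3", "settings": {
         "database_flags": [
             {"name": "contained database authentication", "value": "off"},
         ]}}},
    {"name": "create an instance (defaults)",  # no flags: default off applies
     "google.cloud.gcp_sql_instance": {"name": "test_object_4", "settings": {}}},
]}]

if __name__ == "__main__":
    for name in violations(SAMPLE_PLAYBOOK):
        print("VIOLATION:", name)
```

Run it directly to list the offending task names. Two details matter in practice: Ansible's YAML 1.1 parser turns an unquoted `on` into a boolean, so the checker normalises booleans rather than matching only the string 'on'; and a fix must preserve the instance's other database flags, since replacing the whole flag list (as `gcloud sql instances patch --database-flags` also does) resets the ones you did not mention.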

Examples

---
# Non-compliant: the contained database authentication flag is turned on.
- name: create an instance
  google.cloud.gcp_sql_instance:
    name: test_object
    settings:
      tier: db-n1-standard-1
      # The module parameter is database_flags (snake_case); this flag
      # applies to SQL Server instances.
      database_flags:
        - name: contained database authentication
          value: 'on'   # quoted on purpose: an unquoted on/off parses as a YAML boolean
    region: us-central1
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present

Mitigation / Fix

---
# Compliant: the flag is set to 'off' (removing it has the same effect, since off is the default).
- name: create an instance
  google.cloud.gcp_sql_instance:
    name: test_object
    settings:
      tier: db-n1-standard-1
      database_flags:
        - name: contained database authentication
          value: 'off'  # quoted on purpose: an unquoted on/off parses as a YAML boolean
    region: us-central1
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present