GCP SQL Instances do not have SSL configured for incoming connections
Description
Cloud SQL is a fully managed relational database service for MySQL, PostgreSQL and SQL Server. It offers data encryption at rest and in transit, Private connectivity with VPC and user-controlled network access with firewall protection. Cloud SQL creates a server certificate automatically when a new instance is created. We recommend you enforce all connections to use SSL/TLS.
Code Example
go
resource "google_sql_database_instance" "main" {
name = "main-instance"
database_version = "POSTGRES_14"
region = "us-central1"
settings {
# Second-generation instance tiers are based on the machine
# type. See argument reference below.
tier = "db-f1-micro"
ip_configuration {
ssl_mode = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
}
}
}Remediation
Terraform
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0866 |
| Severity | HIGH |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_GCP_6 |