From a95e8ba69b80c1e39c53cfb738e6d0e4159a35a1 Mon Sep 17 00:00:00 2001
From: Pieter De Cremer
Date: Wed, 11 Dec 2024 14:30:01 +0100
Subject: [PATCH] Add -pattern not to gcp=sql-datavase-require-ssl to allow new fix introduced in version 6.0

---
 .../gcp/security/gcp-sql-database-require-ssl.tf | 16 ++++++++++++++--
 .../security/gcp-sql-database-require-ssl.yaml | 10 ++++++++++
 2 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/terraform/gcp/security/gcp-sql-database-require-ssl.tf b/terraform/gcp/security/gcp-sql-database-require-ssl.tf
index 123e299cfd..eabb5959a1 100644
--- a/terraform/gcp/security/gcp-sql-database-require-ssl.tf
+++ b/terraform/gcp/security/gcp-sql-database-require-ssl.tf
@@ -1,4 +1,3 @@
-# fail
 # ruleid: gcp-sql-database-require-ssl
 resource "google_sql_database_instance" "fail" {
 database_version = "MYSQL_8_0"
@@ -18,4 +17,17 @@ resource "google_sql_database_instance" "success" {
 ipv4_enabled = true
 require_ssl = true
 }
-}
\ No newline at end of file
+}
+
+# ok: gcp-sql-database-require-ssl
+resource "google_sql_database_instance" "main" {
+ name = "some-example-name"
+ database_version = "POSTGRES_15"
+ region = "europe-west3"
+ settings {
+ tier = "db-f1-micro"
+ ip_configuration {
+ ssl_mode = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
+ }
+ }
+}
diff --git a/terraform/gcp/security/gcp-sql-database-require-ssl.yaml b/terraform/gcp/security/gcp-sql-database-require-ssl.yaml
index b139b21e5b..dd8ada68c1 100644
--- a/terraform/gcp/security/gcp-sql-database-require-ssl.yaml
+++ b/terraform/gcp/security/gcp-sql-database-require-ssl.yaml
@@ -16,6 +16,16 @@ rules:
 }
 ...
 }
+ - pattern-not-inside: |
+ resource "google_sql_database_instance" "..." {
+ ...
+ ip_configuration {
+ ...
+ ssl_mode = ...
+ ...
+ }
+ ...
+ }
 message: >-
 Ensure all Cloud SQL database instance requires all incoming connections to use SSL
 metadata:
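Review bot: The new fixture only adds a passing case for `ssl_mode`, so nothing in the test file exercises an instance that sets `ssl_mode` to a value that still permits unencrypted connections; with the rule change in the .yaml hunk such an instance would be silently exempted, and a `# ruleid:` case is what would catch that. I would add a second instance next to `main`, annotated `# ruleid: gcp-sql-database-require-ssl`, that is identical except for `ssl_mode = "ALLOW_UNENCRYPTED_AND_ENCRYPTED"` (the provider's mode that does not require TLS). As written this case should fail `semgrep --test` against the patched rule, which is the signal that the negation is too broad. The fixture's `success` resource starts before the hunk.
```hcl
# ruleid: gcp-sql-database-require-ssl
resource "google_sql_database_instance" "allow_unencrypted" {
  name             = "some-example-name"
  database_version = "POSTGRES_15"
  region           = "europe-west3"
  settings {
    tier = "db-f1-micro"
    ip_configuration {
      ssl_mode = "ALLOW_UNENCRYPTED_AND_ENCRYPTED"
    }
  }
}
```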
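Review bot: The added `pattern-not-inside` suppresses the finding for any `ssl_mode = ...`, so an instance that explicitly sets `ssl_mode = "ALLOW_UNENCRYPTED_AND_ENCRYPTED"` — which still accepts plaintext connections — is no longer reported, even though that is exactly the misconfiguration the rule exists to flag. The negation should match only the values that actually enforce TLS: change `ssl_mode = ...` to `ssl_mode = "ENCRYPTED_ONLY"` and add a second, otherwise identical `pattern-not-inside` block with `ssl_mode = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"`. It would also help to mention `ssl_mode` in the `message` (currently it only speaks of "SSL"), since with provider 6.0 that is the attribute a reader is expected to set. The `patterns` list this hunk extends starts before the hunk.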