diff --git a/terraform/gcp/security/gcp-sql-database-require-ssl.yaml b/terraform/gcp/security/gcp-sql-database-require-ssl.yaml
index dd8ada68c1..c173358049 100644
--- a/terraform/gcp/security/gcp-sql-database-require-ssl.yaml
+++ b/terraform/gcp/security/gcp-sql-database-require-ssl.yaml
@@ -39,7 +39,8 @@ rules:
 - terraform
 - gcp
 references:
- - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
+ - "https://cloud.google.com/sql/docs/postgres/admin-api/rest/v1/instances#ipconfiguration"
+ - "https://owasp.org/Top10/A02_2021-Cryptographic_Failures"
 subcategory:
 - vuln
 likelihood: LOW
diff --git a/terraform/gcp/security/gcp-sql-database-ssl-insecure-value-postgres-mysql.fixed.tf b/terraform/gcp/security/gcp-sql-database-ssl-insecure-value-postgres-mysql.fixed.tf
new file mode 100644
index 0000000000..438f24197c
--- /dev/null
+++ b/terraform/gcp/security/gcp-sql-database-ssl-insecure-value-postgres-mysql.fixed.tf
@@ -0,0 +1,138 @@
+# ok: gcp-sql-database-ssl-insecure-value-postgres-mysql
+resource "google_sql_database_instance" "fail" {
+ database_version = "MYSQL_8_0"
+ name = "instance"
+ region = "us-central1"
+ settings {
+ tier = "db-f1-micro"
+ }
+}
+
+# ok: gcp-sql-database-ssl-insecure-value-postgres-mysql
+resource "google_sql_database_instance" "success" {
+ database_version = "MYSQL_8_0"
+ name = "instance"
+ region = "us-central1"
+ ip_configuration {
+ ipv4_enabled = true
+ require_ssl = true
+ }
+}
+
+resource "google_sql_database_instance" "main" {
+ name = "some-example-name"
+ database_version = "POSTGRES_15"
+ region = "europe-west3"
+ settings {
+ tier = "db-f1-micro"
+ ip_configuration {
+ # ok: gcp-sql-database-ssl-insecure-value-postgres-mysql
+ ssl_mode = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
+ }
+ }
+}
+
+resource "google_sql_database_instance" "main" {
+ name = "some-example-name"
+ database_version = "POSTGRES_15"
+ region = "europe-west3"
+ settings {
+ tier = "db-f1-micro"
+ ip_configuration {
+ # ok: gcp-sql-database-ssl-insecure-value-postgres-mysql
+ ssl_mode = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
+ }
+ }
+}
+
+resource "google_sql_database_instance" "main" {
+ name = "some-example-name"
+ database_version = "POSTGRES_15"
+ region = "europe-west3"
+ settings {
+ tier = "db-f1-micro"
+ ip_configuration {
+ # ruleid: gcp-sql-database-ssl-insecure-value-postgres-mysql
+ ssl_mode = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
+ }
+ }
+}
+
+resource "google_sql_database_instance" "main" {
+ name = "some-example-name"
+ database_version = "POSTGRES_15"
+ region = "europe-west3"
+ settings {
+ tier = "db-f1-micro"
+ ip_configuration {
+ # ruleid: gcp-sql-database-ssl-insecure-value-postgres-mysql
+ ssl_mode = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
+ }
+ }
+}
+
+resource "google_sql_database_instance" "mysql_fail" {
+ database_version = "MYSQL_8_0"
+ name = "mysql-instance"
+ region = "us-central1"
+ settings {
+ tier = "db-f1-micro"
+ ip_configuration {
+ # ruleid: gcp-sql-database-ssl-insecure-value-postgres-mysql
+ ssl_mode = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
+ }
+ }
+}
+
+resource "google_sql_database_instance" "mysql_success" {
+ database_version = "MYSQL_8_0"
+ name = "mysql-instance"
+ region = "us-central1"
+ settings {
+ tier = "db-f1-micro"
+ ip_configuration {
+ # ruleid: gcp-sql-database-ssl-insecure-value-postgres-mysql
+ ssl_mode = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
+ }
+ }
+}
+
+resource "google_sql_database_instance" "sqlserver_fail" {
+ database_version = "SQLSERVER_2019_STANDARD"
+ name = "sqlserver-instance"
+ region = "us-central1"
+ settings {
+ tier = "db-f1-micro"
+ ip_configuration {
+ # ok: gcp-sql-database-ssl-insecure-value-postgres-mysql
+ ssl_mode = "ALLOW_UNENCRYPTED_AND_ENCRYPTED"
+ }
+ }
+}
+
+resource "google_sql_database_instance" "sqlserver_success" {
+ database_version = "SQLSERVER_2019_STANDARD"
+ name = "sqlserver-instance"
+ region = "us-central1"
+ settings {
+ tier = "db-f1-micro"
+ ip_configuration {
+ # ok: gcp-sql-database-ssl-insecure-value-postgres-mysql
+ ssl_mode = "ENCRYPTED_ONLY"
+ }
+ }
+}
+
+resource "google_sql_database_instance" "mysql_success_with_ssl_mode" {
+ database_version = "MYSQL_8_0"
+ name = "mysql-instance"
+ region = "us-central1"
+ settings {
+ tier = "db-f1-micro"
+ ip_configuration {
+ # ok: gcp-sql-database-ssl-insecure-value-postgres-mysql
+ ssl_mode = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
+ }
+ }
+}
+
diff --git a/terraform/gcp/security/gcp-sql-database-ssl-insecure-value-postgres-mysql.tf b/terraform/gcp/security/gcp-sql-database-ssl-insecure-value-postgres-mysql.tf
new file mode 100644
index 0000000000..9e45bb7168
--- /dev/null
+++ b/terraform/gcp/security/gcp-sql-database-ssl-insecure-value-postgres-mysql.tf
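Review bot: The fixture block names contradict their annotations: `resource "google_sql_database_instance" "fail"` is marked `# ok:`, `mysql_success` is marked `# ruleid:` and `sqlserver_fail` is marked `# ok:`, so a reader cannot tell the expected result from the name; rename them after what the rule expects (for example `mysql_insecure` / `mysql_secure`) or drop the fail/success suffixes. Four blocks reuse the address `google_sql_database_instance.main`, which Terraform rejects as a duplicate resource; semgrep does not care, but unique names keep the fixture valid HCL and make each case addressable in the test output. The `success` block also places `ip_configuration` directly under the resource instead of inside `settings` like every other block, which looks like a copy error rather than an intended case. The same naming and duplicate-address issues apply to the `gcp-sql-database-ssl-insecure-value-postgres-mysql.tf`, `gcp-sql-database-ssl-insecure-value-sqlserver.fixed.tf` and `gcp-sql-database-ssl-insecure-value-sqlserver.tf` hunks.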
@@ -0,0 +1,138 @@
+# ok: gcp-sql-database-ssl-insecure-value-postgres-mysql
+resource "google_sql_database_instance" "fail" {
+ database_version = "MYSQL_8_0"
+ name = "instance"
+ region = "us-central1"
+ settings {
+ tier = "db-f1-micro"
+ }
+}
+
+# ok: gcp-sql-database-ssl-insecure-value-postgres-mysql
+resource "google_sql_database_instance" "success" {
+ database_version = "MYSQL_8_0"
+ name = "instance"
+ region = "us-central1"
+ ip_configuration {
+ ipv4_enabled = true
+ require_ssl = true
+ }
+}
+
+resource "google_sql_database_instance" "main" {
+ name = "some-example-name"
+ database_version = "POSTGRES_15"
+ region = "europe-west3"
+ settings {
+ tier = "db-f1-micro"
+ ip_configuration {
+ # ok: gcp-sql-database-ssl-insecure-value-postgres-mysql
+ ssl_mode = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
+ }
+ }
+}
+
+resource "google_sql_database_instance" "main" {
+ name = "some-example-name"
+ database_version = "POSTGRES_15"
+ region = "europe-west3"
+ settings {
+ tier = "db-f1-micro"
+ ip_configuration {
+ # ok: gcp-sql-database-ssl-insecure-value-postgres-mysql
+ ssl_mode = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
+ }
+ }
+}
+
+resource "google_sql_database_instance" "main" {
+ name = "some-example-name"
+ database_version = "POSTGRES_15"
+ region = "europe-west3"
+ settings {
+ tier = "db-f1-micro"
+ ip_configuration {
+ # ruleid: gcp-sql-database-ssl-insecure-value-postgres-mysql
+ ssl_mode = "ENCRYPTED_ONLY"
+ }
+ }
+}
+
+resource "google_sql_database_instance" "main" {
+ name = "some-example-name"
+ database_version = "POSTGRES_15"
+ region = "europe-west3"
+ settings {
+ tier = "db-f1-micro"
+ ip_configuration {
+ # ruleid: gcp-sql-database-ssl-insecure-value-postgres-mysql
+ ssl_mode = "ALLOW_UNENCRYPTED_AND_ENCRYPTED"
+ }
+ }
+}
+
+resource "google_sql_database_instance" "mysql_fail" {
+ database_version = "MYSQL_8_0"
+ name = "mysql-instance"
+ region = "us-central1"
+ settings {
+ tier = "db-f1-micro"
+ ip_configuration {
+ # ruleid: gcp-sql-database-ssl-insecure-value-postgres-mysql
+ ssl_mode = "ENCRYPTED_ONLY"
+ }
+ }
+}
+
+resource "google_sql_database_instance" "mysql_success" {
+ database_version = "MYSQL_8_0"
+ name = "mysql-instance"
+ region = "us-central1"
+ settings {
+ tier = "db-f1-micro"
+ ip_configuration {
+ # ruleid: gcp-sql-database-ssl-insecure-value-postgres-mysql
+ ssl_mode = "ENCRYPTED_ONLY"
+ }
+ }
+}
+
+resource "google_sql_database_instance" "sqlserver_fail" {
+ database_version = "SQLSERVER_2019_STANDARD"
+ name = "sqlserver-instance"
+ region = "us-central1"
+ settings {
+ tier = "db-f1-micro"
+ ip_configuration {
+ # ok: gcp-sql-database-ssl-insecure-value-postgres-mysql
+ ssl_mode = "ALLOW_UNENCRYPTED_AND_ENCRYPTED"
+ }
+ }
+}
+
+resource "google_sql_database_instance" "sqlserver_success" {
+ database_version = "SQLSERVER_2019_STANDARD"
+ name = "sqlserver-instance"
+ region = "us-central1"
+ settings {
+ tier = "db-f1-micro"
+ ip_configuration {
+ # ok: gcp-sql-database-ssl-insecure-value-postgres-mysql
+ ssl_mode = "ENCRYPTED_ONLY"
+ }
+ }
+}
+
+resource "google_sql_database_instance" "mysql_success_with_ssl_mode" {
+ database_version = "MYSQL_8_0"
+ name = "mysql-instance"
+ region = "us-central1"
+ settings {
+ tier = "db-f1-micro"
+ ip_configuration {
+ # ok: gcp-sql-database-ssl-insecure-value-postgres-mysql
+ ssl_mode = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
+ }
+ }
+}
+
diff --git a/terraform/gcp/security/gcp-sql-database-ssl-insecure-value-postgres-mysql.yaml b/terraform/gcp/security/gcp-sql-database-ssl-insecure-value-postgres-mysql.yaml
new file mode 100644
index 0000000000..6bed95a5c0
--- /dev/null
+++ b/terraform/gcp/security/gcp-sql-database-ssl-insecure-value-postgres-mysql.yaml
@@ -0,0 +1,58 @@
+rules:
+- id: gcp-sql-database-ssl-insecure-value-postgres-mysql
+ patterns:
+ - pattern-inside: |
+ resource "google_sql_database_instance" "..." {
+ ...
+ database_version = "$DB"
+ ...
+ }
+ - pattern-inside: |
+ resource "google_sql_database_instance" "..." {
+ ...
+ ip_configuration {
+ ...
+ ssl_mode = $VALUE
+ ...
+ }
+ ...
+ }
+ - pattern-not-inside: |
+ resource "google_sql_database_instance" "..." {
+ ...
+ ip_configuration {
+ ...
+ ssl_mode = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
+ ...
+ }
+ ...
+ }
+ - metavariable-regex:
+ metavariable: $DB
+ regex: .*(MYSQL|POSTGRES).*
+ - focus-metavariable: $VALUE
+ fix: |
+ "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
+ message: >-
+ Ensure all Cloud SQL database instance require incoming connections to use SSL. To enable this for PostgresSQL and MySQL, use `ssl_mode="TRUSTED_CLIENT_CERTIFICATE_REQUIRED"`.
+ metadata:
+ owasp:
+ - A03:2017 - Sensitive Data Exposure
+ - A02:2021 - Cryptographic Failures
+ cwe:
+ - 'CWE-326: Inadequate Encryption Strength'
+ category: security
+ technology:
+ - terraform
+ - gcp
+ references:
+ - "https://cloud.google.com/sql/docs/postgres/admin-api/rest/v1/instances#ipconfiguration"
+ - "https://owasp.org/Top10/A02_2021-Cryptographic_Failures"
+ subcategory:
+ - vuln
+ likelihood: LOW
+ impact: MEDIUM
+ confidence: MEDIUM
+ languages: [hcl]
+ severity: WARNING
+
diff --git a/terraform/gcp/security/gcp-sql-database-ssl-insecure-value-sqlserver.fixed.tf b/terraform/gcp/security/gcp-sql-database-ssl-insecure-value-sqlserver.fixed.tf
new file mode 100644
index 0000000000..1528f8c839
--- /dev/null
+++ b/terraform/gcp/security/gcp-sql-database-ssl-insecure-value-sqlserver.fixed.tf
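Review bot: The `fix` on `focus-metavariable: $VALUE` rewrites every value other than `"TRUSTED_CLIENT_CERTIFICATE_REQUIRED"` — including `"ENCRYPTED_ONLY"`, which already rejects unencrypted connections — to a mode that additionally requires clients to present a trusted certificate, so applying the autofix changes client authentication requirements rather than only turning on encryption, and the message does not say so. Suggested message addition: `Note that "TRUSTED_CLIENT_CERTIFICATE_REQUIRED" also requires clients to present a trusted certificate; "ENCRYPTED_ONLY" enforces TLS without client certificates.` Because `$VALUE` is unconstrained, a `var.`/`local.` reference also matches and the fix would overwrite the reference with a literal; a second `metavariable-regex` on `$VALUE` limited to the literal values the rule considers insecure (`ALLOW_UNENCRYPTED_AND_ENCRYPTED`, `ENCRYPTED_ONLY`) would keep the fix safe, and the same applies to the `gcp-sql-database-ssl-insecure-value-sqlserver.yaml` hunk. Both rules also never fire when `ssl_mode` is omitted altogether (the `fail` fixture), so whether the insecure default is covered depends on the existing `gcp-sql-database-require-ssl` rule — worth stating in the message. In the message text, `PostgresSQL` should read `PostgreSQL` and `database instance require` should read `database instances require`.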
@@ -0,0 +1,138 @@
+# ok: gcp-sql-database-ssl-insecure-value-sqlserver
+resource "google_sql_database_instance" "fail" {
+ database_version = "MYSQL_8_0"
+ name = "instance"
+ region = "us-central1"
+ settings {
+ tier = "db-f1-micro"
+ }
+}
+
+# ok: gcp-sql-database-ssl-insecure-value-sqlserver
+resource "google_sql_database_instance" "success" {
+ database_version = "MYSQL_8_0"
+ name = "instance"
+ region = "us-central1"
+ ip_configuration {
+ ipv4_enabled = true
+ require_ssl = true
+ }
+}
+
+resource "google_sql_database_instance" "main" {
+ name = "some-example-name"
+ database_version = "POSTGRES_15"
+ region = "europe-west3"
+ settings {
+ tier = "db-f1-micro"
+ ip_configuration {
+ # ok: gcp-sql-database-ssl-insecure-value-sqlserver
+ ssl_mode = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
+ }
+ }
+}
+
+resource "google_sql_database_instance" "main" {
+ name = "some-example-name"
+ database_version = "POSTGRES_15"
+ region = "europe-west3"
+ settings {
+ tier = "db-f1-micro"
+ ip_configuration {
+ # ok: gcp-sql-database-ssl-insecure-value-sqlserver
+ ssl_mode = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
+ }
+ }
+}
+
+resource "google_sql_database_instance" "main" {
+ name = "some-example-name"
+ database_version = "POSTGRES_15"
+ region = "europe-west3"
+ settings {
+ tier = "db-f1-micro"
+ ip_configuration {
+ # ok: gcp-sql-database-ssl-insecure-value-sqlserver
+ ssl_mode = "ENCRYPTED_ONLY"
+ }
+ }
+}
+
+resource "google_sql_database_instance" "main" {
+ name = "some-example-name"
+ database_version = "POSTGRES_15"
+ region = "europe-west3"
+ settings {
+ tier = "db-f1-micro"
+ ip_configuration {
+ # ok: gcp-sql-database-ssl-insecure-value-sqlserver
+ ssl_mode = "ALLOW_UNENCRYPTED_AND_ENCRYPTED"
+ }
+ }
+}
+
+resource "google_sql_database_instance" "mysql_fail" {
+ database_version = "MYSQL_8_0"
+ name = "mysql-instance"
+ region = "us-central1"
+ settings {
+ tier = "db-f1-micro"
+ ip_configuration {
+ # ok: gcp-sql-database-ssl-insecure-value-sqlserver
+ ssl_mode = "ENCRYPTED_ONLY"
+ }
+ }
+}
+
+resource "google_sql_database_instance" "mysql_success" {
+ database_version = "MYSQL_8_0"
+ name = "mysql-instance"
+ region = "us-central1"
+ settings {
+ tier = "db-f1-micro"
+ ip_configuration {
+ # ok: gcp-sql-database-ssl-insecure-value-sqlserver
+ ssl_mode = "ENCRYPTED_ONLY"
+ }
+ }
+}
+
+resource "google_sql_database_instance" "sqlserver_fail" {
+ database_version = "SQLSERVER_2019_STANDARD"
+ name = "sqlserver-instance"
+ region = "us-central1"
+ settings {
+ tier = "db-f1-micro"
+ ip_configuration {
+ # ruleid: gcp-sql-database-ssl-insecure-value-sqlserver
+ ssl_mode = "ENCRYPTED_ONLY"
+ }
+ }
+}
+
+resource "google_sql_database_instance" "sqlserver_success" {
+ database_version = "SQLSERVER_2019_STANDARD"
+ name = "sqlserver-instance"
+ region = "us-central1"
+ settings {
+ tier = "db-f1-micro"
+ ip_configuration {
+ # ok: gcp-sql-database-ssl-insecure-value-sqlserver
+ ssl_mode = "ENCRYPTED_ONLY"
+ }
+ }
+}
+
+resource "google_sql_database_instance" "mysql_success_with_ssl_mode" {
+ database_version = "MYSQL_8_0"
+ name = "mysql-instance"
+ region = "us-central1"
+ settings {
+ tier = "db-f1-micro"
+ ip_configuration {
+ # ok: gcp-sql-database-ssl-insecure-value-sqlserver
+ ssl_mode = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
+ }
+ }
+}
+
diff --git a/terraform/gcp/security/gcp-sql-database-ssl-insecure-value-sqlserver.tf b/terraform/gcp/security/gcp-sql-database-ssl-insecure-value-sqlserver.tf
new file mode 100644
index 0000000000..af24765398
--- /dev/null
+++ b/terraform/gcp/security/gcp-sql-database-ssl-insecure-value-sqlserver.tf
@@ -0,0 +1,138 @@
+# ok: gcp-sql-database-ssl-insecure-value-sqlserver
+resource "google_sql_database_instance" "fail" {
+ database_version = "MYSQL_8_0"
+ name = "instance"
+ region = "us-central1"
+ settings {
+ tier = "db-f1-micro"
+ }
+}
+
+# ok: gcp-sql-database-ssl-insecure-value-sqlserver
+resource "google_sql_database_instance" "success" {
+ database_version = "MYSQL_8_0"
+ name = "instance"
+ region = "us-central1"
+ ip_configuration {
+ ipv4_enabled = true
+ require_ssl = true
+ }
+}
+
+resource "google_sql_database_instance" "main" {
+ name = "some-example-name"
+ database_version = "POSTGRES_15"
+ region = "europe-west3"
+ settings {
+ tier = "db-f1-micro"
+ ip_configuration {
+ # ok: gcp-sql-database-ssl-insecure-value-sqlserver
+ ssl_mode = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
+ }
+ }
+}
+
+resource "google_sql_database_instance" "main" {
+ name = "some-example-name"
+ database_version = "POSTGRES_15"
+ region = "europe-west3"
+ settings {
+ tier = "db-f1-micro"
+ ip_configuration {
+ # ok: gcp-sql-database-ssl-insecure-value-sqlserver
+ ssl_mode = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
+ }
+ }
+}
+
+resource "google_sql_database_instance" "main" {
+ name = "some-example-name"
+ database_version = "POSTGRES_15"
+ region = "europe-west3"
+ settings {
+ tier = "db-f1-micro"
+ ip_configuration {
+ # ok: gcp-sql-database-ssl-insecure-value-sqlserver
+ ssl_mode = "ENCRYPTED_ONLY"
+ }
+ }
+}
+
+resource "google_sql_database_instance" "main" {
+ name = "some-example-name"
+ database_version = "POSTGRES_15"
+ region = "europe-west3"
+ settings {
+ tier = "db-f1-micro"
+ ip_configuration {
+ # ok: gcp-sql-database-ssl-insecure-value-sqlserver
+ ssl_mode = "ALLOW_UNENCRYPTED_AND_ENCRYPTED"
+ }
+ }
+}
+
+resource "google_sql_database_instance" "mysql_fail" {
+ database_version = "MYSQL_8_0"
+ name = "mysql-instance"
+ region = "us-central1"
+ settings {
+ tier = "db-f1-micro"
+ ip_configuration {
+ # ok: gcp-sql-database-ssl-insecure-value-sqlserver
+ ssl_mode = "ENCRYPTED_ONLY"
+ }
+ }
+}
+
+resource "google_sql_database_instance" "mysql_success" {
+ database_version = "MYSQL_8_0"
+ name = "mysql-instance"
+ region = "us-central1"
+ settings {
+ tier = "db-f1-micro"
+ ip_configuration {
+ # ok: gcp-sql-database-ssl-insecure-value-sqlserver
+ ssl_mode = "ENCRYPTED_ONLY"
+ }
+ }
+}
+
+resource "google_sql_database_instance" "sqlserver_fail" {
+ database_version = "SQLSERVER_2019_STANDARD"
+ name = "sqlserver-instance"
+ region = "us-central1"
+ settings {
+ tier = "db-f1-micro"
+ ip_configuration {
+ # ruleid: gcp-sql-database-ssl-insecure-value-sqlserver
+ ssl_mode = "ALLOW_UNENCRYPTED_AND_ENCRYPTED"
+ }
+ }
+}
+
+resource "google_sql_database_instance" "sqlserver_success" {
+ database_version = "SQLSERVER_2019_STANDARD"
+ name = "sqlserver-instance"
+ region = "us-central1"
+ settings {
+ tier = "db-f1-micro"
+ ip_configuration {
+ # ok: gcp-sql-database-ssl-insecure-value-sqlserver
+ ssl_mode = "ENCRYPTED_ONLY"
+ }
+ }
+}
+
+resource "google_sql_database_instance" "mysql_success_with_ssl_mode" {
+ database_version = "MYSQL_8_0"
+ name = "mysql-instance"
+ region = "us-central1"
+ settings {
+ tier = "db-f1-micro"
+ ip_configuration {
+ # ok: gcp-sql-database-ssl-insecure-value-sqlserver
+ ssl_mode = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
+ }
+ }
+}
+
diff --git a/terraform/gcp/security/gcp-sql-database-ssl-insecure-value-sqlserver.yaml b/terraform/gcp/security/gcp-sql-database-ssl-insecure-value-sqlserver.yaml
new file mode 100644
index 0000000000..a2770d385c
--- /dev/null
+++ b/terraform/gcp/security/gcp-sql-database-ssl-insecure-value-sqlserver.yaml
@@ -0,0 +1,58 @@
+rules:
+- id: gcp-sql-database-ssl-insecure-value-sqlserver
+ patterns:
+ - pattern-inside: |
+ resource "google_sql_database_instance" "..." {
+ ...
+ database_version = "$DB"
+ ...
+ }
+ - pattern-inside: |
+ resource "google_sql_database_instance" "..." {
+ ...
+ ip_configuration {
+ ...
+ ssl_mode = $VALUE
+ ...
+ }
+ ...
+ }
+ - pattern-not-inside: |
+ resource "google_sql_database_instance" "..." {
+ ...
+ ip_configuration {
+ ...
+ ssl_mode = "ENCRYPTED_ONLY"
+ ...
+ }
+ ...
+ }
+ - metavariable-regex:
+ metavariable: $DB
+ regex: .*(SQLSERVER).*
+ - focus-metavariable: $VALUE
+ fix: |
+ "ENCRYPTED_ONLY"
+ message: >-
+ Ensure all Cloud SQL database instance require incoming connections to use SSL. For SQL Server, `ssl_mode="ENCRYPTED_ONLY"` is the most secure value that is supported.
+ metadata:
+ owasp:
+ - A03:2017 - Sensitive Data Exposure
+ - A02:2021 - Cryptographic Failures
+ cwe:
+ - 'CWE-326: Inadequate Encryption Strength'
+ category: security
+ technology:
+ - terraform
+ - gcp
+ references:
+ - "https://cloud.google.com/sql/docs/postgres/admin-api/rest/v1/instances#ipconfiguration"
+ - "https://owasp.org/Top10/A02_2021-Cryptographic_Failures"
+ subcategory:
+ - vuln
+ likelihood: LOW
+ impact: MEDIUM
+ confidence: MEDIUM
+ languages: [hcl]
+ severity: WARNING
+
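Review bot: No fixture exercises a SQL Server instance whose `ssl_mode` is `"TRUSTED_CLIENT_CERTIFICATE_REQUIRED"`, yet `pattern-not-inside` only excludes `"ENCRYPTED_ONLY"`, so that value would be reported as an "insecure value" and autofixed to `"ENCRYPTED_ONLY"`; either add that case to the `.tf`/`.fixed.tf` fixtures with the intended annotation, or state in the message that the finding covers any value other than the supported `"ENCRYPTED_ONLY"`. The message text `Ensure all Cloud SQL database instance require incoming connections to use SSL` should read `database instances require`. The first reference links the Postgres admin-API page for a SQL Server rule; if the field is documented on an engine-neutral or SQL Server page, linking that instead avoids confusing readers. The regex `.*(SQLSERVER).*` carries a capture group that nothing uses; `.*SQLSERVER.*` says the same thing.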