GCP code review #504
Open
GCP code review #504
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![bridgecrew[bot]](https://avatars.githubusercontent.com/in/52968?s=60&v=4){kind=small}
| } | ||
| } | ||
| backup_configuration { | ||
| enabled = false |
There was a problem hiding this comment.
Suggested change
| enabled = false | |
| enabled = true |
Ensure all Cloud SQL database instance have backup configuration enabled
Resource: google_sql_database_instance.master_instance | ID: BC_GCP_GENERAL_6
Description
Cloud SQL is a fully managed relational database service for MySQL, PostgreSQL and SQL Server. It offers data encryption at rest and in transit, Private connectivity with VPC and user-controlled network access with firewall protection. Backups provide a way to restore a Cloud SQL instance to recover lost data or recover from a problem with your instance.We recommend you enable automated backups for instances that contain data of high importance.
Benchmarks
- ISO27001 A.12.3.1
- CIS GCP V1.1 6.7
| @@ -0,0 +1,19 @@ | |||
| resource google_sql_database_instance "master_instance" { | |||
There was a problem hiding this comment.
Ensure all Cloud SQL database instance requires all incoming connections to use SSL
Resource: google_sql_database_instance.master_instance | ID: BC_GCP_GENERAL_5
Description
Cloud SQL is a fully managed relational database service for MySQL, PostgreSQL and SQL Server. It offers data encryption at rest and in transit, Private connectivity with VPC and user-controlled network access with firewall protection. Cloud SQL creates a server certificate automatically when a new instance is created.We recommend you enforce all connections to use SSL/TLS.
Benchmarks
- CIS GCP V1.1 6.4
| @@ -0,0 +1,19 @@ | |||
| resource google_sql_database_instance "master_instance" { | |||
There was a problem hiding this comment.
Ensure that Cloud SQL database Instances are not open to the world
Resource: google_sql_database_instance.master_instance | ID: BC_GCP_NETWORKING_4
How to Fix
resource "google_compute_network" "private_network" {
provider = google-beta
name = "private-network"
}
resource "google_compute_global_address" "private_ip_address" {
provider = google-beta
name = "private-ip-address"
purpose = "VPC_PEERING"
address_type = "INTERNAL"
prefix_length = 16
network = google_compute_network.private_network.id
}Description
Cloud SQL is a fully managed relational database service for MySQL, PostgreSQL, and SQL Server. It offers data encryption at rest and in transit, Private connectivity with VPC and user-controlled network access with firewall protection.It is possible to configure Cloud SQL to have a public IPv4 address. This means your cluster can accept connections from specific IP addresses, or a range of addresses, by adding authorized addresses to your instance. We do not recommend this option.
We recommend you ensure Cloud SQL Database Instances are not publicly accessible, to help secure against attackers scanning the internet in search of public databases.
Benchmarks
- NIST-800-53 CA-3
- CIS GCP V1.1 6.5
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.