rspec/rules/S6403/terraform/rule.adoc

By default, GCP SQL instances offer encryption in transit, with support for TLS, but insecure connections are still accepted. On an unsecured network, such as a public network, the risk of traffic being intercepted is high. When the data isn't encrypted, an attacker can intercept it and read confidential information.

When creating a GCP SQL instance, a public IP address is automatically assigned to it and connections to the SQL instance from public networks can be authorized.

TLS is automatically used when connecting to SQL instances through:

* The https://cloud.google.com/sql/docs/mysql/connect-admin-proxy[Cloud SQL Auth proxy].
* The https://cloud.google.com/sql/docs/mysql/connect-overview#languages[Java Socket Library].
* The built-in mechanisms in the https://cloud.google.com/appengine/docs[App Engine] environments.


== Ask Yourself Whether

Connections are not already automatically encrypted by GCP (eg: SQL Auth proxy) and

* Connections to the SQL instance are performed on untrusted networks.
* The data stored in the SQL instance is confidential.

There is a risk if you answered yes to any of those questions.


== Recommended Secure Coding Practices

It's recommended to encrypt all connections to the SQL instance, whether using public or private IP addresses. However, since private networks can be considered trusted, requiring TLS in this situation is usually a lower priority task.


== Sensitive Code Example

[source,terraform]
----
resource "google_sql_database_instance" "example" { # Sensitive: tls is not required
  name             = "noncompliant-master-instance"
  database_version = "POSTGRES_11"
  region           = "us-central1"

  settings {
    tier = "db-f1-micro"
  }
}
----

== Compliant Solution

[source,terraform]
----
resource "google_sql_database_instance" "example" {
  name             = "compliant-master-instance"
  database_version = "POSTGRES_11"
  region           = "us-central1"

  settings {
    tier = "db-f1-micro"
    ip_configuration {
      require_ssl = true
      ipv4_enabled = true
    }
  }
}
----

== See

* CWE - https://cwe.mitre.org/data/definitions/311[CWE-311 - Missing Encryption of Sensitive Data]
* CWE - https://cwe.mitre.org/data/definitions/79[CWE-319 - Cleartext Transmission of Sensitive Information]
* https://cloud.google.com/sql/docs/mysql/authorize-ssl[GCP Documentation] - Cloud SQL: Authorizing with SSL/TLS certificates


ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

=== Message

Make sure creating a GCP SQL instance without requiring TLS is safe here.

Omitting {parameter} allows unencrypted connections to the database. Make sure it is safe here.


endif::env-github,rspecator-view[]
Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`By default, GCP SQL instances offer encryption in transit, with support for TLS, but insecure connections are still accepted. On an unsecured network, such as a public network, the risk of traffic being intercepted is high. When the data isn't encrypted, an attacker can intercept it and read confidential information.`
Create rule S6403[terraform] Creating GCP SQL instances without requiring TLS is security-sensitive (#712) * Create rule S6403 * init s6403 * fixes after review * Add message for omitted attributes. (#844) * Add message for omitted attributes. * Update rules/S6403/message.adoc Co-authored-by: hendrik-buchwald-sonarsource <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> Co-authored-by: hendrik-buchwald-sonarsource <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> * Add new source tags for code examples Co-authored-by: eric-therond-sonarsource <eric-therond-sonarsource@users.noreply.github.com> Co-authored-by: eric-therond-sonarsource <eric.therond@sonarsource.com> Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com> Co-authored-by: hendrik-buchwald-sonarsource <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> Co-authored-by: Nils Werner <nils.werner@sonarsource.com> 2022-02-22 11:01:40 +00:00
Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`When creating a GCP SQL instance, a public IP address is automatically assigned to it and connections to the SQL instance from public networks can be authorized.`

			`TLS is automatically used when connecting to SQL instances through:`

			`* The https://cloud.google.com/sql/docs/mysql/connect-admin-proxy[Cloud SQL Auth proxy].`
			`* The https://cloud.google.com/sql/docs/mysql/connect-overview#languages[Java Socket Library].`
			`* The built-in mechanisms in the https://cloud.google.com/appengine/docs[App Engine] environments.`


			`== Ask Yourself Whether`

			`Connections are not already automatically encrypted by GCP (eg: SQL Auth proxy) and`

			`* Connections to the SQL instance are performed on untrusted networks.`
			`* The data stored in the SQL instance is confidential.`

			`There is a risk if you answered yes to any of those questions.`


			`== Recommended Secure Coding Practices`

			`It's recommended to encrypt all connections to the SQL instance, whether using public or private IP addresses. However, since private networks can be considered trusted, requiring TLS in this situation is usually a lower priority task.`
Create rule S6403[terraform] Creating GCP SQL instances without requiring TLS is security-sensitive (#712) * Create rule S6403 * init s6403 * fixes after review * Add message for omitted attributes. (#844) * Add message for omitted attributes. * Update rules/S6403/message.adoc Co-authored-by: hendrik-buchwald-sonarsource <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> Co-authored-by: hendrik-buchwald-sonarsource <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> * Add new source tags for code examples Co-authored-by: eric-therond-sonarsource <eric-therond-sonarsource@users.noreply.github.com> Co-authored-by: eric-therond-sonarsource <eric.therond@sonarsource.com> Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com> Co-authored-by: hendrik-buchwald-sonarsource <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> Co-authored-by: Nils Werner <nils.werner@sonarsource.com> 2022-02-22 11:01:40 +00:00

			`== Sensitive Code Example`

			`[source,terraform]`
			`----`
			`resource "google_sql_database_instance" "example" { # Sensitive: tls is not required`
			`name = "noncompliant-master-instance"`
			`database_version = "POSTGRES_11"`
			`region = "us-central1"`

			`settings {`
			`tier = "db-f1-micro"`
			`}`
			`}`
			`----`

			`== Compliant Solution`

			`[source,terraform]`
			`----`
			`resource "google_sql_database_instance" "example" {`
			`name = "compliant-master-instance"`
			`database_version = "POSTGRES_11"`
			`region = "us-central1"`

			`settings {`
			`tier = "db-f1-micro"`
			`ip_configuration {`
			`require_ssl = true`
			`ipv4_enabled = true`
			`}`
			`}`
			`}`
			`----`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`== See`

Modify CWE and OWASP Top 10 links to follow standard link format (APPSEC-1134) (#3529) * Fix all CWE references * Fix all OWASP references * Fix missing CWE prefixes 2024-01-15 17:15:56 +01:00			`* CWE - https://cwe.mitre.org/data/definitions/311[CWE-311 - Missing Encryption of Sensitive Data]`
			`* CWE - https://cwe.mitre.org/data/definitions/79[CWE-319 - Cleartext Transmission of Sensitive Information]`
Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`* https://cloud.google.com/sql/docs/mysql/authorize-ssl[GCP Documentation] - Cloud SQL: Authorizing with SSL/TLS certificates`

Create rule S6403[terraform] Creating GCP SQL instances without requiring TLS is security-sensitive (#712) * Create rule S6403 * init s6403 * fixes after review * Add message for omitted attributes. (#844) * Add message for omitted attributes. * Update rules/S6403/message.adoc Co-authored-by: hendrik-buchwald-sonarsource <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> Co-authored-by: hendrik-buchwald-sonarsource <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> * Add new source tags for code examples Co-authored-by: eric-therond-sonarsource <eric-therond-sonarsource@users.noreply.github.com> Co-authored-by: eric-therond-sonarsource <eric.therond@sonarsource.com> Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com> Co-authored-by: hendrik-buchwald-sonarsource <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> Co-authored-by: Nils Werner <nils.werner@sonarsource.com> 2022-02-22 11:01:40 +00:00
			`ifdef::env-github,rspecator-view[]`

			`'''`
			`== Implementation Specification`
			`(visible only on this page)`

Inline adoc when include has no additional value (#1940) Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in. 2023-05-25 14:18:12 +02:00			`=== Message`

			`Make sure creating a GCP SQL instance without requiring TLS is safe here.`

			`Omitting {parameter} allows unencrypted connections to the database. Make sure it is safe here.`

Create rule S6403[terraform] Creating GCP SQL instances without requiring TLS is security-sensitive (#712) * Create rule S6403 * init s6403 * fixes after review * Add message for omitted attributes. (#844) * Add message for omitted attributes. * Update rules/S6403/message.adoc Co-authored-by: hendrik-buchwald-sonarsource <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> Co-authored-by: hendrik-buchwald-sonarsource <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> * Add new source tags for code examples Co-authored-by: eric-therond-sonarsource <eric-therond-sonarsource@users.noreply.github.com> Co-authored-by: eric-therond-sonarsource <eric.therond@sonarsource.com> Co-authored-by: Nils Werner <64034005+nils-werner-sonarsource@users.noreply.github.com> Co-authored-by: hendrik-buchwald-sonarsource <64110887+hendrik-buchwald-sonarsource@users.noreply.github.com> Co-authored-by: Nils Werner <nils.werner@sonarsource.com> 2022-02-22 11:01:40 +00:00
			`endif::env-github,rspecator-view[]`