From 011fc350ede1bff9c9481b44f39091abdfa6d0dc Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Tue, 7 Apr 2026 16:16:41 +0100
Subject: [PATCH 1/5] First commit: udpated query to handle deprecation of 'require_ssl' field, support for all 'ssl_mode' field values, new tests and metadata Url updated
---
 .../metadata.json | 2 +-
 .../query.rego | 31 +++++++++--
 .../test/{negative.tf => negative1.tf} | 2 +-
 .../test/negative2.tf | 33 ++++++++++++
 .../test/{positive.tf => positive1.tf} | 9 ++--
 .../test/positive2.tf | 51 +++++++++++++++++++
 .../test/positive_expected_result.json | 27 ++++++++--
 7 files changed, 143 insertions(+), 12 deletions(-)
 rename assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/{negative.tf => negative1.tf} (79%)
 create mode 100644 assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/negative2.tf
 rename assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/{positive.tf => positive1.tf} (71%)
 create mode 100644 assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/positive2.tf
diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/metadata.json b/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/metadata.json
index 2d7173cf948..263904686f3 100644
--- a/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/metadata.json
+++ b/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/metadata.json
@@ -4,7 +4,7 @@
 "severity": "HIGH",
 "category": "Encryption",
 "descriptionText": "Cloud SQL Database Instance should have SSL enabled",
- "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance#require_ssl",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance#ssl_mode-1",
 "platform": "Terraform",
 "descriptionID": "8983549e",
 "cloudProvider": "gcp",
diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/query.rego b/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/query.rego
index ca8961c9785..0ca71fb282c 100644
--- a/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/query.rego
+++ b/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/query.rego
@@ -3,6 +3,8 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
+allowed_ssl_modes := ["ENCRYPTED_ONLY", "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"]
+
 CxPolicy[result] {
 settings := input.document[i].resource.google_sql_database_instance[name].settings
@@ -26,6 +28,7 @@ CxPolicy[result] {
 settings := input.document[i].resource.google_sql_database_instance[name].settings
 ip_configuration := settings.ip_configuration
+ not common_lib.valid_key(ip_configuration, "ssl_mode")
 not common_lib.valid_key(ip_configuration, "require_ssl")
 result := {
@@ -34,10 +37,10 @@ CxPolicy[result] {
 "resourceName": tf_lib.get_resource_name(input.document[i].resource.google_sql_database_instance[name].settings, name),
 "searchKey": sprintf("google_sql_database_instance[%s].settings.ip_configuration", [name]),
 "issueType": "MissingAttribute",
- "keyExpectedValue": "'settings.ip_configuration.require_ssl' should be defined and not null",
- "keyActualValue": "'settings.ip_configuration.require_ssl' is undefined or null",
+ "keyExpectedValue": "'settings.ip_configuration.ssl_mode' should be defined and not null",
+ "keyActualValue": "'settings.ip_configuration.ssl_mode' is undefined or null",
 "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name],["settings", "ip_configuration"]),
- "remediation": "require_ssl = true",
+ "remediation": "ssl_mode = TRUSTED_CLIENT_CERTIFICATE_REQUIRED",
 "remediationType": "addition",
 }
 }
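Review bot: The new `"remediation": "ssl_mode = TRUSTED_CLIENT_CERTIFICATE_REQUIRED",` in the third hunk drops the quotes an HCL string attribute needs; if the addition remediation is spliced into the file verbatim, as the `require_ssl = true` it replaces and the `ip_configuration {…}` snippet in the first rule suggest, Terraform would read the bare word as a reference rather than the string value. Write it as `"remediation": "ssl_mode = \"TRUSTED_CLIENT_CERTIFICATE_REQUIRED\"",` (the `sprintf`-built variants added later in this series need the same `\"%s\"` quoting). The `allowed_ssl_modes` list in the first hunk would also benefit from a one-line comment stating its intent, e.g. `# ssl_mode values that reject cleartext connections; any other value is reported`. The rule bodies in the second and third hunks begin and end outside these hunks.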
@@ -45,6 +48,28 @@ CxPolicy[result] {
 CxPolicy[result] {
 settings := input.document[i].resource.google_sql_database_instance[name].settings
+ not common_lib.inArray(allowed_ssl_modes, settings.ip_configuration.ssl_mode)
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "google_sql_database_instance",
+ "resourceName": tf_lib.get_resource_name(input.document[i].resource.google_sql_database_instance[name].settings, name),
+ "searchKey": sprintf("google_sql_database_instance[%s].settings.ip_configuration.ssl_mode", [name]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": "'settings.ip_configuration.ssl_mode' should be set to 'ENCRYPTED_ONLY' or 'TRUSTED_CLIENT_CERTIFICATE_REQUIRED'",
+ "keyActualValue": sprintf("'settings.ip_configuration.ssl_mode' is set to '%s'", [settings.ip_configuration.ssl_mode]),
+ "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name],["settings", "ip_configuration", "ssl_mode"]),
+ "remediation": json.marshal({
+ "before": settings.ip_configuration.ssl_mode,
+ "after": "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
+ }),
+ "remediationType": "replacement",
+ }
+}
+
+CxPolicy[result] { # legacy support (terraform version < 6.0.1)
+ settings := input.document[i].resource.google_sql_database_instance[name].settings
+
 settings.ip_configuration.require_ssl == false
 result := {
diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/negative.tf b/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/negative1.tf
similarity index 79%
rename from assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/negative.tf
rename to assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/negative1.tf
index 5d30e0e42d8..cf7c7abd506 100644
--- a/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/negative.tf
+++ b/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/negative1.tf
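Review bot: The comment on the new legacy rule, `# legacy support (terraform version < 6.0.1)`, names the wrong component: `require_ssl` is an attribute of the hashicorp/google provider and Terraform core versions are 1.x, so it should read `# legacy support (hashicorp/google provider < 6.0.1)` here and on the matching fixture headers in negative1.tf and positive1.tf. The `IncorrectValue` rule added above it has no comment relating it to the `MissingAttribute` rule; a line such as `# ssl_mode is present but still admits cleartext connections (an undefined ssl_mode is handled by the MissingAttribute rule above)` above the `not common_lib.inArray(...)` line would make the split explicit. The legacy rule's body continues past the end of this hunk.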
@@ -1,4 +1,4 @@ -resource "google_sql_database_instance" "negative1" { +resource "google_sql_database_instance" "negative1" { # legacy support (terraform version < 6.0.1) provider = google-beta name = "private-instance-${random_id.db_name_suffix.hex}" diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/negative2.tf b/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/negative2.tf new file mode 100644 index 00000000000..ea28c5cc789 --- /dev/null +++ b/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/negative2.tf @@ -0,0 +1,33 @@ +resource "google_sql_database_instance" "negative1" { + name = "private-instance-encrypted" + region = "us-central1" + + depends_on = [google_service_networking_connection.private_vpc_connection] + + settings { + tier = "db-f1-micro" + + ip_configuration { + ipv4_enabled = false + private_network = google_compute_network.private_network.id + ssl_mode = "ENCRYPTED_ONLY" # Only allows connections encrypted with SSL/TLS + } + } +} + +resource "google_sql_database_instance" "negative2" { + name = "private-instance-trusted-cert" + region = "us-central1" + + depends_on = [google_service_networking_connection.private_vpc_connection] + + settings { + tier = "db-f1-micro" + + ip_configuration { + ipv4_enabled = false + private_network = google_compute_network.private_network.id + ssl_mode = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED" # Only allow connections encrypted with SSL/TLS and with valid client certificates + } + } +} \ No newline at end of file diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/positive.tf b/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/positive1.tf similarity index 71% rename from assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/positive.tf rename to assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/positive1.tf index bc68849dc09..e59b5e68320 100644 
--- a/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/positive.tf +++ b/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/positive1.tf @@ -1,4 +1,4 @@ -resource "google_sql_database_instance" "positive1" { +resource "google_sql_database_instance" "positive1" { # legacy support (terraform version < 6.0.1) provider = google-beta name = "private-instance-${random_id.db_name_suffix.hex}" @@ -7,11 +7,11 @@ resource "google_sql_database_instance" "positive1" { depends_on = [google_service_networking_connection.private_vpc_connection] settings { - tier = "db-f1-micro" + tier = "db-f1-micro" # Missing "ip_configuration" } } -resource "google_sql_database_instance" "positive2" { +resource "google_sql_database_instance" "positive2" { # legacy support (terraform version < 6.0.1) provider = google-beta name = "private-instance-${random_id.db_name_suffix.hex}" @@ -24,11 +24,12 @@ resource "google_sql_database_instance" "positive2" { ip_configuration { ipv4_enabled = false private_network = google_compute_network.private_network.id + # Missing "require_ssl" } } } -resource "google_sql_database_instance" "positive3" { +resource "google_sql_database_instance" "positive3" { # legacy support (terraform version < 6.0.1) provider = google-beta name = "private-instance-${random_id.db_name_suffix.hex}" diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/positive2.tf b/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/positive2.tf new file mode 100644 index 00000000000..3dad0a84970 --- /dev/null +++ b/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/positive2.tf 
@@ -0,0 +1,51 @@ + +resource "google_sql_database_instance" "positive1" { + name = "private-instance-no-ssl-mode" + region = "us-central1" + + depends_on = [google_service_networking_connection.private_vpc_connection] + + settings { + tier = "db-f1-micro" + + ip_configuration { + ipv4_enabled = false + private_network = google_compute_network.private_network.id + # Undefined "ssl_mode" + } + } +} + +resource "google_sql_database_instance" "positive2" { + name = "private-instance-unspecified" + region = "us-central1" + + depends_on = [google_service_networking_connection.private_vpc_connection] + + settings { + tier = "db-f1-micro" + + ip_configuration { + ipv4_enabled = false + private_network = google_compute_network.private_network.id + ssl_mode = "SSL_MODE_UNSPECIFIED" # Unexpected value + } + } +} + +resource "google_sql_database_instance" "positive3" { + name = "private-instance-unencrypted" + region = "us-central1" + + depends_on = [google_service_networking_connection.private_vpc_connection] + + settings { + tier = "db-f1-micro" + + ip_configuration { + ipv4_enabled = false + private_network = google_compute_network.private_network.id + ssl_mode = "ALLOW_UNENCRYPTED_AND_ENCRYPTED" # Allows unencrypted (non-SSL/non-TLS) connections + } + } +} \ No newline at end of file diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/positive_expected_result.json index 842962c52cb..eac03bffcbb 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/positive_expected_result.json 
@@ -2,16 +2,37 @@ { "queryName": "SQL DB Instance With SSL Disabled", "severity": "HIGH", - "line": 9 + "line": 9, + "fileName": "positive1.tf" }, { "queryName": "SQL DB Instance With SSL Disabled", "severity": "HIGH", - "line": 24 + "line": 24, + "fileName": "positive1.tf" }, { "queryName": "SQL DB Instance With SSL Disabled", "severity": "HIGH", - "line": 44 + "line": 45, + "fileName": "positive1.tf" + }, + { + "queryName": "SQL DB Instance With SSL Disabled", + "severity": "HIGH", + "line": 11, + "fileName": "positive2.tf" + }, + { + "queryName": "SQL DB Instance With SSL Disabled", + "severity": "HIGH", + "line": 31, + "fileName": "positive2.tf" + }, + { + "queryName": "SQL DB Instance With SSL Disabled", + "severity": "HIGH", + "line": 48, + "fileName": "positive2.tf" } ] From d04ce1dd61fcea6325ccc041d33669fc9bb5c31d Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Tue, 7 Apr 2026 16:58:03 +0100 Subject: [PATCH 2/5] Small change to comments for consistency sake --- .../gcp/sql_db_instance_with_ssl_disabled/test/positive1.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/positive1.tf b/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/positive1.tf index e59b5e68320..ee66560e610 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/positive1.tf +++ b/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/positive1.tf @@ -7,7 +7,7 @@ resource "google_sql_database_instance" "positive1" { # legacy support (terraf depends_on = [google_service_networking_connection.private_vpc_connection] settings { - tier = "db-f1-micro" # Missing "ip_configuration" + tier = "db-f1-micro" # Undefined "ip_configuration" } } 
@@ -24,7 +24,7 @@ resource "google_sql_database_instance" "positive2" { # legacy support (terraf ip_configuration { ipv4_enabled = false private_network = google_compute_network.private_network.id - # Missing "require_ssl" + # Undefined "require_ssl" } } } From 013435bd98d4a18b46a777da02adcafd134f5b98 Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Wed, 8 Apr 2026 11:24:09 +0100 Subject: [PATCH 3/5] New samples and auxiliary functions to properly handle SQLSERVER databases (do not support 'TRUSTED_CLIENT_CERTIFICATE_REQUIRED' value --- .../query.rego | 25 +++++-- .../test/negative1.tf | 3 +- .../test/negative2.tf | 6 +- .../test/negative3.tf | 17 +++++ .../test/positive1.tf | 9 ++- .../test/positive2.tf | 9 ++- .../test/positive3.tf | 71 +++++++++++++++++++ 7 files changed, 125 insertions(+), 15 deletions(-) create mode 100644 assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/negative3.tf create mode 100644 assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/positive3.tf diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/query.rego b/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/query.rego index 0ca71fb282c..828ec2fa16a 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/query.rego +++ b/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/query.rego 
@@ -19,7 +19,7 @@ CxPolicy[result] {
 "keyExpectedValue": "'settings.ip_configuration' should be defined and not null",
 "keyActualValue": "'settings.ip_configuration' is undefined or null",
 "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name],["settings"]),
- "remediation": "ip_configuration {\n\t\trequire_ssl = true\n\t}\n",
+ "remediation": sprintf("ip_configuration {\n\t\tssl_mode = %s\n\t}\n", [get_remediation(input.document[i].resource.google_sql_database_instance[name].database_version)]),
 "remediationType": "addition",
 }
 }
@@ -40,15 +40,17 @@ CxPolicy[result] {
 "keyExpectedValue": "'settings.ip_configuration.ssl_mode' should be defined and not null",
 "keyActualValue": "'settings.ip_configuration.ssl_mode' is undefined or null",
 "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name],["settings", "ip_configuration"]),
- "remediation": "ssl_mode = TRUSTED_CLIENT_CERTIFICATE_REQUIRED",
+ "remediation": sprintf("ssl_mode = %s", [get_remediation(input.document[i].resource.google_sql_database_instance[name].database_version)]),
 "remediationType": "addition",
 }
 }
 CxPolicy[result] {
- settings := input.document[i].resource.google_sql_database_instance[name].settings
+ resource := input.document[i].resource.google_sql_database_instance[name]
+ settings := resource.settings
- not common_lib.inArray(allowed_ssl_modes, settings.ip_configuration.ssl_mode)
+ database_version := input.document[i].resource.google_sql_database_instance[name].database_version
+ kev := get_expected_key(database_version, settings.ip_configuration.ssl_mode)
 result := {
 "documentId": input.document[i].id,
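Review bot: `get_remediation(input.document[i].resource.google_sql_database_instance[name].database_version)` in the first two hunks, and `database_version := …` in the third, make the entire rule undefined when a resource carries no `database_version` (or when KICS holds it as something other than a string, which `contains` cannot take), so an instance with a missing `ip_configuration` or a missing `ssl_mode` would then produce no finding at all instead of a finding with a generic remediation. The provider requires the attribute, but the pre-existing samples omitted it and every fixture in this commit gains `database_version = "POSTGRES_15"`, which is why the tests cannot show the regression. Read it with a default so only the remediation text degrades: `database_version := object.get(resource, "database_version", "")` in the third hunk, and `[get_remediation(object.get(input.document[i].resource.google_sql_database_instance[name], "database_version", ""))]` in the first two. The third hunk also binds `resource` and then re-walks the full path for `database_version`; the `object.get` form above removes that duplication. All three rule bodies start or end outside these hunks.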
@@ -56,12 +58,12 @@ CxPolicy[result] {
 "resourceName": tf_lib.get_resource_name(input.document[i].resource.google_sql_database_instance[name].settings, name),
 "searchKey": sprintf("google_sql_database_instance[%s].settings.ip_configuration.ssl_mode", [name]),
 "issueType": "IncorrectValue",
- "keyExpectedValue": "'settings.ip_configuration.ssl_mode' should be set to 'ENCRYPTED_ONLY' or 'TRUSTED_CLIENT_CERTIFICATE_REQUIRED'",
+ "keyExpectedValue": sprintf("'settings.ip_configuration.ssl_mode' should be set to %s", [kev]),
 "keyActualValue": sprintf("'settings.ip_configuration.ssl_mode' is set to '%s'", [settings.ip_configuration.ssl_mode]),
 "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name],["settings", "ip_configuration", "ssl_mode"]),
 "remediation": json.marshal({
 "before": settings.ip_configuration.ssl_mode,
- "after": "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
+ "after": get_remediation(database_version)
 }),
 "remediationType": "replacement",
 }
@@ -88,3 +90,14 @@ CxPolicy[result] { # legacy support (terraform version < 6.0.1
 "remediationType": "replacement",
 }
 }
+
+get_expected_key(database_version, ssl_mode) = "'ENCRYPTED_ONLY'" {
+ contains(database_version, "SQLSERVER")
+ ssl_mode == "ENCRYPTED_ONLY"
+} else = "'ENCRYPTED_ONLY' or 'TRUSTED_CLIENT_CERTIFICATE_REQUIRED'" {
+ not common_lib.inArray(allowed_ssl_modes, ssl_mode)
+}
+
+get_remediation(database_version) = "ENCRYPTED_ONLY" {
+ contains(database_version, "SQLSERVER")
+} else = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/negative1.tf b/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/negative1.tf
index cf7c7abd506..66bc7bb0cfe 100644
--- a/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/negative1.tf
+++ b/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/negative1.tf
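Review bot: `get_expected_key` and `get_remediation` in the second hunk carry no comment, and the first does double duty: it yields the text for `keyExpectedValue`, and because the `IncorrectValue` rule binds `kev := get_expected_key(...)`, its being undefined is what makes a compliant instance produce no finding. That contract is easy to break when editing either branch, so document it above the function, e.g. `# Expected-value text for the IncorrectValue rule. Undefined when ssl_mode is acceptable for the engine, which suppresses the finding; for SQL Server engines only ENCRYPTED_ONLY is accepted (TRUSTED_CLIENT_CERTIFICATE_REQUIRED is unsupported there, per the commit message).`, and above the second `# ssl_mode value the remediation proposes for the given database_version.` The name `get_expected_key` is also misleading since it returns a value string rather than a key; `expected_ssl_mode_text` would read better. Both helpers detect the engine with `contains(database_version, "SQLSERVER")`, a substring test, which fits the `SQLSERVER_2017_STANDARD` fixture but is worth stating in the comment.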
@@ -1,7 +1,8 @@ -resource "google_sql_database_instance" "negative1" { # legacy support (terraform version < 6.0.1) +resource "google_sql_database_instance" "negative1_1" { # legacy support (terraform version < 6.0.1) provider = google-beta name = "private-instance-${random_id.db_name_suffix.hex}" + database_version = "POSTGRES_15" region = "us-central1" depends_on = [google_service_networking_connection.private_vpc_connection] diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/negative2.tf b/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/negative2.tf index ea28c5cc789..3a5ee4f8061 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/negative2.tf +++ b/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/negative2.tf @@ -1,5 +1,6 @@ -resource "google_sql_database_instance" "negative1" { +resource "google_sql_database_instance" "negative2_1" { name = "private-instance-encrypted" + database_version = "POSTGRES_15" region = "us-central1" depends_on = [google_service_networking_connection.private_vpc_connection] @@ -15,8 +16,9 @@ resource "google_sql_database_instance" "negative1" { } } -resource "google_sql_database_instance" "negative2" { +resource "google_sql_database_instance" "negative2_2" { name = "private-instance-trusted-cert" + database_version = "POSTGRES_15" region = "us-central1" depends_on = [google_service_networking_connection.private_vpc_connection] diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/negative3.tf b/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/negative3.tf new file mode 100644 index 00000000000..ed69f09e2e4 --- /dev/null +++ b/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/negative3.tf 
@@ -0,0 +1,17 @@ +resource "google_sql_database_instance" "negative3_1" { + name = "private-instance-encrypted" + database_version = "SQLSERVER_2017_STANDARD" + region = "us-central1" + + depends_on = [google_service_networking_connection.private_vpc_connection] + + settings { + tier = "db-f1-micro" + + ip_configuration { + ipv4_enabled = false + private_network = google_compute_network.private_network.id + ssl_mode = "ENCRYPTED_ONLY" # Only allows connections encrypted with SSL/TLS + } + } +} \ No newline at end of file diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/positive1.tf b/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/positive1.tf index ee66560e610..c02af49d0b7 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/positive1.tf +++ b/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/positive1.tf @@ -1,7 +1,8 @@ -resource "google_sql_database_instance" "positive1" { # legacy support (terraform version < 6.0.1) +resource "google_sql_database_instance" "positive1_1" { # legacy support (terraform version < 6.0.1) provider = google-beta name = "private-instance-${random_id.db_name_suffix.hex}" + database_version = "POSTGRES_15" region = "us-central1" depends_on = [google_service_networking_connection.private_vpc_connection] @@ -11,10 +12,11 @@ resource "google_sql_database_instance" "positive1" { # legacy support (terraf } } -resource "google_sql_database_instance" "positive2" { # legacy support (terraform version < 6.0.1) +resource "google_sql_database_instance" "positive1_2" { # legacy support (terraform version < 6.0.1) provider = google-beta name = "private-instance-${random_id.db_name_suffix.hex}" + database_version = "POSTGRES_15" region = "us-central1" depends_on = [google_service_networking_connection.private_vpc_connection] 
@@ -29,10 +31,11 @@ resource "google_sql_database_instance" "positive2" { # legacy support (terraf } } -resource "google_sql_database_instance" "positive3" { # legacy support (terraform version < 6.0.1) +resource "google_sql_database_instance" "positive1_3" { # legacy support (terraform version < 6.0.1) provider = google-beta name = "private-instance-${random_id.db_name_suffix.hex}" + database_version = "POSTGRES_15" region = "us-central1" depends_on = [google_service_networking_connection.private_vpc_connection] diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/positive2.tf b/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/positive2.tf index 3dad0a84970..e64fc2cd479 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/positive2.tf +++ b/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/positive2.tf @@ -1,6 +1,7 @@ -resource "google_sql_database_instance" "positive1" { +resource "google_sql_database_instance" "positive2_1" { name = "private-instance-no-ssl-mode" + database_version = "POSTGRES_15" region = "us-central1" depends_on = [google_service_networking_connection.private_vpc_connection] @@ -16,8 +17,9 @@ resource "google_sql_database_instance" "positive1" { } } -resource "google_sql_database_instance" "positive2" { +resource "google_sql_database_instance" "positive2_2" { name = "private-instance-unspecified" + database_version = "POSTGRES_15" region = "us-central1" depends_on = [google_service_networking_connection.private_vpc_connection] @@ -33,8 +35,9 @@ resource "google_sql_database_instance" "positive2" { } } -resource "google_sql_database_instance" "positive3" { +resource "google_sql_database_instance" "positive2_3" { name = "private-instance-unencrypted" + database_version = "POSTGRES_15" region = "us-central1" depends_on = [google_service_networking_connection.private_vpc_connection] 
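Review bot: Every fixture in this file (and in positive1.tf, negative1.tf and negative2.tf above) now declares `database_version`, so no sample exercises a resource that omits it, even though the query now reads that attribute in every rule that builds a remediation. Add one positive resource without `database_version` and without `ssl_mode`, plus its entry in positive_expected_result.json; with the query as written in this commit that resource yields no finding, so the sample doubles as the regression test for that case.
```terraform
resource "google_sql_database_instance" "positive2_4" {
  name   = "private-instance-no-database-version"
  region = "us-central1"

  settings {
    tier = "db-f1-micro"

    ip_configuration {
      ipv4_enabled    = false
      private_network = google_compute_network.private_network.id
      # Undefined "ssl_mode" and undefined "database_version"
    }
  }
}
```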
diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/positive3.tf b/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/positive3.tf new file mode 100644 index 00000000000..1883b5fb34c --- /dev/null +++ b/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/positive3.tf 
@@ -0,0 +1,71 @@ +resource "google_sql_database_instance" "positive3_1" { + name = "private-instance-no-ssl-mode" + database_version = "SQLSERVER_2017_STANDARD" + region = "us-central1" + + depends_on = [google_service_networking_connection.private_vpc_connection] + + settings { + tier = "db-f1-micro" + + ip_configuration { + ipv4_enabled = false + private_network = google_compute_network.private_network.id + # Undefined "ssl_mode" + } + } +} + +resource "google_sql_database_instance" "positive3_2" { + name = "private-instance-unspecified" + database_version = "SQLSERVER_2017_STANDARD" + region = "us-central1" + + depends_on = [google_service_networking_connection.private_vpc_connection] + + settings { + tier = "db-f1-micro" + + ip_configuration { + ipv4_enabled = false + private_network = google_compute_network.private_network.id + ssl_mode = "SSL_MODE_UNSPECIFIED" # Unexpected value + } + } +} + +resource "google_sql_database_instance" "positive3_3" { + name = "private-instance-unencrypted" + database_version = "SQLSERVER_2017_STANDARD" + region = "us-central1" + + depends_on = [google_service_networking_connection.private_vpc_connection] + + settings { + tier = "db-f1-micro" + + ip_configuration { + ipv4_enabled = false + private_network = google_compute_network.private_network.id + ssl_mode = "ALLOW_UNENCRYPTED_AND_ENCRYPTED" # Allows unencrypted (non-SSL/non-TLS) connections + } + } +} + +resource "google_sql_database_instance" "positive3_4" { + name = "private-instance-unspecified" + database_version = "SQLSERVER_2017_STANDARD" + region = "us-central1" + + depends_on = [google_service_networking_connection.private_vpc_connection] + + settings { + tier = "db-f1-micro" + + ip_configuration { + ipv4_enabled = false + private_network = google_compute_network.private_network.id + ssl_mode = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED" # Value Unsupported by SQLSERVER databases + } + } +} \ No newline at end of file 
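Review bot: `positive3_4` reuses `name = "private-instance-unspecified"` from `positive3_2` although it exercises `TRUSTED_CLIENT_CERTIFICATE_REQUIRED` on a SQL Server engine; a distinct `name = "private-instance-trusted-cert-sqlserver"` keeps the fixture self-describing and avoids two instances with the same name in one file. The trailing comment `# Value Unsupported by SQLSERVER databases` would read more consistently with the other fixtures as `# Unsupported by SQL Server engines; only ENCRYPTED_ONLY is accepted for them`.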
From c5686d229586678282f14bb0dda887cba4f2386f Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Wed, 8 Apr 2026 11:37:12 +0100
Subject: [PATCH 4/5] Expected values and some test changes
---
 .../query.rego | 2 +-
 .../test/negative1.tf | 2 +-
 .../test/positive3.tf | 20 ++++++++--
 .../test/positive_expected_result.json | 40 ++++++++++++++++---
 4 files changed, 54 insertions(+), 10 deletions(-)
diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/query.rego b/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/query.rego
index 828ec2fa16a..af1fd89f26f 100644
--- a/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/query.rego
+++ b/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/query.rego
@@ -93,7 +93,7 @@ CxPolicy[result] { # legacy support (terraform version < 6.0.1
 get_expected_key(database_version, ssl_mode) = "'ENCRYPTED_ONLY'" {
 contains(database_version, "SQLSERVER")
- ssl_mode == "ENCRYPTED_ONLY"
+ ssl_mode != "ENCRYPTED_ONLY"
 } else = "'ENCRYPTED_ONLY' or 'TRUSTED_CLIENT_CERTIFICATE_REQUIRED'" {
 not common_lib.inArray(allowed_ssl_modes, ssl_mode)
 }
diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/negative1.tf b/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/negative1.tf
index 66bc7bb0cfe..895502bf918 100644
--- a/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/negative1.tf
+++ b/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/negative1.tf
@@ -12,7 +12,7 @@ resource "google_sql_database_instance" "negative1_1" { # legacy support (terr
 ip_configuration {
 ipv4_enabled = false
 private_network = google_compute_network.private_network.id
- require_ssl = true
+ require_ssl = true
 }
 }
 }
\ No newline at end of file
diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/positive3.tf b/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/positive3.tf index 1883b5fb34c..590db8fec80 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/positive3.tf +++ b/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/positive3.tf @@ -1,4 +1,18 @@ resource "google_sql_database_instance" "positive3_1" { + provider = google-beta + + name = "private-instance-${random_id.db_name_suffix.hex}" + database_version = "POSTGRES_15" + region = "us-central1" + + depends_on = [google_service_networking_connection.private_vpc_connection] + + settings { + tier = "db-f1-micro" # Undefined "ip_configuration" + } +} + +resource "google_sql_database_instance" "positive3_2" { name = "private-instance-no-ssl-mode" database_version = "SQLSERVER_2017_STANDARD" region = "us-central1" @@ -16,7 +30,7 @@ resource "google_sql_database_instance" "positive3_1" { } } -resource "google_sql_database_instance" "positive3_2" { +resource "google_sql_database_instance" "positive3_3" { name = "private-instance-unspecified" database_version = "SQLSERVER_2017_STANDARD" region = "us-central1" @@ -34,7 +48,7 @@ resource "google_sql_database_instance" "positive3_2" { } } -resource "google_sql_database_instance" "positive3_3" { +resource "google_sql_database_instance" "positive3_4" { name = "private-instance-unencrypted" database_version = "SQLSERVER_2017_STANDARD" region = "us-central1" @@ -52,7 +66,7 @@ resource "google_sql_database_instance" "positive3_3" { } } -resource "google_sql_database_instance" "positive3_4" { +resource "google_sql_database_instance" "positive3_5" { name = "private-instance-unspecified" database_version = "SQLSERVER_2017_STANDARD" region = "us-central1" 
diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/positive_expected_result.json index eac03bffcbb..a50463bf92b 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/positive_expected_result.json @@ -8,31 +8,61 @@ { "queryName": "SQL DB Instance With SSL Disabled", "severity": "HIGH", - "line": 24, + "line": 26, "fileName": "positive1.tf" }, { "queryName": "SQL DB Instance With SSL Disabled", "severity": "HIGH", - "line": 45, + "line": 48, "fileName": "positive1.tf" }, { "queryName": "SQL DB Instance With SSL Disabled", "severity": "HIGH", - "line": 11, + "line": 12, "fileName": "positive2.tf" }, { "queryName": "SQL DB Instance With SSL Disabled", "severity": "HIGH", - "line": 31, + "line": 33, "fileName": "positive2.tf" }, { "queryName": "SQL DB Instance With SSL Disabled", "severity": "HIGH", - "line": 48, + "line": 51, "fileName": "positive2.tf" + }, + { + "queryName": "SQL DB Instance With SSL Disabled", + "severity": "HIGH", + "line": 10, + "fileName": "positive3.tf" + }, + { + "queryName": "SQL DB Instance With SSL Disabled", + "severity": "HIGH", + "line": 25, + "fileName": "positive3.tf" + }, + { + "queryName": "SQL DB Instance With SSL Disabled", + "severity": "HIGH", + "line": 46, + "fileName": "positive3.tf" + }, + { + "queryName": "SQL DB Instance With SSL Disabled", + "severity": "HIGH", + "line": 64, + "fileName": "positive3.tf" + }, + { + "queryName": "SQL DB Instance With SSL Disabled", + "severity": "HIGH", + "line": 82, + "fileName": "positive3.tf" } ] From d22ab9c7779e25621229b49e67e66203c7157700 Mon Sep 17 00:00:00 2001 
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Wed, 8 Apr 2026 12:06:37 +0100
Subject: [PATCH 5/5] Fix expected results again
---
 .../test/positive_expected_result.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/positive_expected_result.json
index a50463bf92b..37b62fa2980 100644
--- a/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/positive_expected_result.json
@@ -2,7 +2,7 @@
 {
 "queryName": "SQL DB Instance With SSL Disabled",
 "severity": "HIGH",
- "line": 9,
+ "line": 10,
 "fileName": "positive1.tf"
 },
 {