
gcp-sql-public-access

Ensure that Cloud SQL database Instances are not open to the world

A Cloud SQL instance with a public IP and an authorized network of `0.0.0.0/0` is reachable from every host on the Internet, so the only thing standing between an attacker and the data is the database credentials. Do not expose the instance this way. If a public IP is genuinely required, restrict `authorized_networks` to the specific, trusted CIDR ranges that need access; where possible, prefer a private IP (no public address at all), which removes the exposure entirely.

Examples

Insecure Example

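# Insecure: a public IPv4 address combined with an authorized network of
# 0.0.0.0/0 makes the database listener reachable from the whole Internet.
resource "google_sql_database_instance" "main-db" {
  name             = "main-db"
  database_version = "MYSQL_5_7" # illustrative only; choose a currently supported version

  # `settings` is a nested block. Its type must be a bare identifier: the
  # original `"settings" {` (quoted block type) is HCL1 syntax and is rejected
  # by Terraform 0.12+ / HCL2.
  settings {
    tier            = "db-n1-standard-1"
    disk_autoresize = true

    ip_configuration {
      ipv4_enabled = true # assigns a public IP to the instance
      authorized_networks {
        name  = "all"
        value = "0.0.0.0/0" # every IPv4 address -- this is what the check flags
      }
    }
    backup_configuration {
      binary_log_enabled = true
      enabled            = true
      start_time         = "03:00"
    }
  }
}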

Secure Example

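# Secure (minimal fix): the instance still has a public IP, but only the
# listed trusted range may reach it. Restricting `authorized_networks` is the
# smallest change that satisfies this check; a stronger posture is to set
# `ipv4_enabled = false` and attach a `private_network` so the instance has
# no Internet-facing address at all.
resource "google_sql_database_instance" "main-db" {
  name             = "main-db"
  database_version = "MYSQL_5_7" # illustrative only; choose a currently supported version

  # `settings` is a nested block. Its type must be a bare identifier: the
  # original `"settings" {` (quoted block type) is HCL1 syntax and is rejected
  # by Terraform 0.12+ / HCL2.
  settings {
    tier            = "db-n1-standard-1"
    disk_autoresize = true

    ip_configuration {
      ipv4_enabled = true # public IP is retained; see note above on going private
      authorized_networks {
        name  = "trusted-admin"
        value = "7.1.2.0/24" # placeholder -- replace with your real trusted CIDR, as narrow as possible
      }
    }
    backup_configuration {
      binary_log_enabled = true
      enabled            = true
      start_time         = "03:00"
    }
  }
}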

More information