gcp-sql-public-access
Ensure that Cloud SQL database instances are not open to the world
It is strongly recommended not to expose a Cloud SQL database instance to the Internet. If public connectivity is genuinely required, restrict `authorized_networks` to specific trusted CIDR ranges — an entry of `0.0.0.0/0` admits every host on the Internet, and that is what this check flags. Where possible, prefer a private IP (`ipv4_enabled = false` together with `private_network`) or the Cloud SQL Auth Proxy over a publicly routable address, so that the database listener is never directly reachable from untrusted networks.
Examples
Insecure Example
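# Insecure: the instance is given a public IPv4 address and the authorized
# network list admits the entire Internet (0.0.0.0/0), so any host can reach
# the database listener and attempt to authenticate.
# (The original listing wrote the block type as "settings" in quotes, which is
# not valid HCL syntax; block types are bare identifiers.)
resource "google_sql_database_instance" "main-db" {
  name             = "main-db"
  database_version = "MYSQL_5_7"

  settings {
    tier            = "db-n1-standard-1"
    disk_autoresize = true

    ip_configuration {
      # Allocates a publicly routable IPv4 address for the instance.
      ipv4_enabled = true

      # 0.0.0.0/0 matches every IPv4 address — this entry is the finding
      # reported by gcp-sql-public-access.
      authorized_networks {
        name  = "all"
        value = "0.0.0.0/0"
      }
    }

    backup_configuration {
      binary_log_enabled = true
      enabled            = true
      start_time         = "03:00"
    }
  }
}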
Secure Example
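# Secure (with respect to this check): the authorized network list is limited
# to a single trusted CIDR range instead of 0.0.0.0/0.
# NOTE(review): ipv4_enabled = true still assigns a public IP address to the
# instance; only the listed range may connect to it. If public reachability is
# not actually needed, a private IP (ipv4_enabled = false with private_network)
# or the Cloud SQL Auth Proxy is the stronger posture.
# (The original listing wrote the block type as "settings" in quotes, which is
# not valid HCL syntax; block types are bare identifiers.)
resource "google_sql_database_instance" "main-db" {
  name             = "main-db"
  database_version = "MYSQL_5_7"

  settings {
    tier            = "db-n1-standard-1"
    disk_autoresize = true

    ip_configuration {
      ipv4_enabled = true

      # Only this range may reach the public address. Replace the placeholder
      # below with the real CIDR of the trusted administrative network; keep
      # the prefix as narrow as possible and never widen it to 0.0.0.0/0.
      authorized_networks {
        name  = "trusted-admin"
        value = "7.1.2.0/24" # Example of trusted network
      }
    }

    backup_configuration {
      binary_log_enabled = true
      enabled            = true
      start_time         = "03:00"
    }
  }
}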