
gcp-sql-public-ip

Ensure SQL databases do not have a public IP

It is highly recommended not to give a Cloud SQL instance an external public IP address routable over the Internet. If you have to, limit access to trusted networks using the authorized_networks attribute, and never use 0.0.0.0/0, which permits connection attempts from any address on the Internet and leaves the database credentials as the only line of defence.

Generally, only your production compute instances should have direct access to the database, over the VPC's internal (private) IP addressing.
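The check this rule performs can also be run in CI against the JSON output of `terraform show -json tfplan`. The following script is an added example and not part of tfsec or the Google provider; it walks the plan (root module and child modules), finds every google_sql_database_instance, and reports those that would get a public address, distinguishing the case where an authorized network is 0.0.0.0/0. It treats an omitted ipv4_enabled as true, because that is the provider's default. The plan document embedded in SAMPLE_PLAN is constructed for the example, as are the instance names and the module address.

```python
import ipaddress
import json

# Constructed sample of `terraform show -json tfplan` output (not a real plan):
# one instance open to the whole Internet, one with a public IP limited to a
# single office range (ipv4_enabled omitted, so the provider default of true
# applies), and one private-only instance inside a child module.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.0",
    "planned_values": {
        "root_module": {
            "resources": [
                {
                    "address": "google_sql_database_instance.main-db",
                    "type": "google_sql_database_instance",
                    "name": "main-db",
                    "values": {
                        "name": "main-db",
                        "settings": [{"ip_configuration": [{
                            "ipv4_enabled": True,
                            "authorized_networks": [
                                {"name": "all", "value": "0.0.0.0/0"}
                            ],
                        }]}],
                    },
                },
                {
                    "address": "google_sql_database_instance.reporting-db",
                    "type": "google_sql_database_instance",
                    "name": "reporting-db",
                    "values": {
                        "name": "reporting-db",
                        "settings": [{"ip_configuration": [{
                            "authorized_networks": [
                                {"name": "office", "value": "203.0.113.0/24"}
                            ],
                        }]}],
                    },
                },
            ],
            "child_modules": [{
                "address": "module.analytics",
                "resources": [{
                    "address": "module.analytics.google_sql_database_instance.analytics-db",
                    "type": "google_sql_database_instance",
                    "name": "analytics-db",
                    "values": {
                        "name": "analytics-db",
                        "settings": [{"ip_configuration": [{
                            "ipv4_enabled": False,
                            "private_network": "projects/example/global/networks/main",
                        }]}],
                    },
                }],
            }],
        }
    },
})


def iter_resources(module):
    """Yield every resource in a plan module, descending into child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def ip_configuration(values):
    """Nested blocks appear as lists in plan JSON; return the single ip_configuration."""
    settings = values.get("settings") or [{}]
    configs = settings[0].get("ip_configuration") or [{}]
    return configs[0]


def is_world_open(cidr):
    """True when the CIDR has a zero-length prefix, i.e. it matches every address."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def check_plan(plan_json):
    """Return (address, finding) pairs for Cloud SQL instances that get a public IP."""
    plan = json.loads(plan_json)
    findings = []
    for res in iter_resources(plan["planned_values"]["root_module"]):
        if res.get("type") != "google_sql_database_instance":
            continue
        cfg = ip_configuration(res.get("values", {}))
        # The google provider defaults ipv4_enabled to true, so an omitted
        # attribute still produces a public address.
        if not cfg.get("ipv4_enabled", True):
            continue
        networks = [n.get("value", "") for n in cfg.get("authorized_networks", [])]
        if any(is_world_open(n) for n in networks):
            findings.append((res["address"], "public IP open to the whole Internet"))
        else:
            findings.append((res["address"], "public IP assigned"))
    return findings


if __name__ == "__main__":
    for address, finding in check_plan(SAMPLE_PLAN):
        print(f"{address}: {finding}")
```

In a pipeline, replace SAMPLE_PLAN with the file produced by `terraform show -json tfplan` and fail the build when check_plan returns anything; the 0.0.0.0/0 case is worth a separate, higher severity because the only remaining control is the database password.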

Examples

Insecure Example

resource "google_sql_database_instance" "main-db" {
  name             = "main-db"
  database_version = "MYSQL_5_7"

  settings {
    tier            = "db-n1-standard-1"
    disk_autoresize = true

    ip_configuration {
      # Assigns the instance a public IPv4 address routable from the Internet
      ipv4_enabled = true
      # 0.0.0.0/0 authorises every source address, so the database
      # credentials are the only thing between the Internet and the data
      authorized_networks {
        name  = "all"
        value = "0.0.0.0/0"
      }
    }
    backup_configuration {
      binary_log_enabled = true
      enabled            = true
      start_time         = "03:00"
    }
  }
}

Secure Example

resource "google_sql_database_instance" "main-db" {
  name             = "main-db"
  database_version = "MYSQL_5_7"

  settings {
    tier            = "db-n1-standard-1"
    disk_autoresize = true

    ip_configuration {
      # No public address. The provider defaults ipv4_enabled to true, so it
      # must be set to false explicitly; the instance is then reachable only
      # from inside the VPC over its private IP.
      ipv4_enabled = false
      # An instance without a public address must have a private one, so it
      # is attached to a VPC here. google_compute_network.main is assumed to
      # be declared elsewhere in the configuration, with private services
      # access already set up for it.
      private_network = google_compute_network.main.id
    }
    backup_configuration {
      binary_log_enabled = true
      enabled            = true
      start_time         = "03:00"
    }
  }
}

More information