New samples and auxiliary functions to properly handle SQLSERVER databases (do not support 'TRUSTED_CLIENT_CERTIFICATE_REQUIRED' value

Author: cx-andre-pereira

assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/query.rego

@@ -19,7 +19,7 @@ CxPolicy[result] {
 		"keyExpectedValue": "'settings.ip_configuration' should be defined and not null",
 		"keyActualValue": "'settings.ip_configuration' is undefined or null",
 		"searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name],["settings"]),
-		"remediation": "ip_configuration {\n\t\trequire_ssl = true\n\t}\n",
+		"remediation": sprintf("ip_configuration {\n\t\tssl_mode = %s\n\t}\n", [get_remediation(input.document[i].resource.google_sql_database_instance[name].database_version)]),
 		"remediationType": "addition",
 	}
 }
@@ -40,28 +40,30 @@ CxPolicy[result] {
 		"keyExpectedValue": "'settings.ip_configuration.ssl_mode' should be defined and not null",
 		"keyActualValue": "'settings.ip_configuration.ssl_mode' is undefined or null",
 		"searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name],["settings", "ip_configuration"]),
-		"remediation": "ssl_mode = TRUSTED_CLIENT_CERTIFICATE_REQUIRED",
+		"remediation": sprintf("ssl_mode = %s", [get_remediation(input.document[i].resource.google_sql_database_instance[name].database_version)]),
 		"remediationType": "addition",
 	}
 }
 
 CxPolicy[result] {
-	settings := input.document[i].resource.google_sql_database_instance[name].settings
+	resource := input.document[i].resource.google_sql_database_instance[name]
+	settings := resource.settings
 
-	not common_lib.inArray(allowed_ssl_modes, settings.ip_configuration.ssl_mode)
+	database_version := input.document[i].resource.google_sql_database_instance[name].database_version
+	kev := get_expected_key(database_version, settings.ip_configuration.ssl_mode)
 
 	result := {
 		"documentId": input.document[i].id,
 		"resourceType": "google_sql_database_instance",
 		"resourceName": tf_lib.get_resource_name(input.document[i].resource.google_sql_database_instance[name].settings, name),
 		"searchKey": sprintf("google_sql_database_instance[%s].settings.ip_configuration.ssl_mode", [name]),
 		"issueType": "IncorrectValue",
-		"keyExpectedValue": "'settings.ip_configuration.ssl_mode' should be set to 'ENCRYPTED_ONLY' or 'TRUSTED_CLIENT_CERTIFICATE_REQUIRED'",
+		"keyExpectedValue": sprintf("'settings.ip_configuration.ssl_mode' should be set to %s", [kev]),
 		"keyActualValue": sprintf("'settings.ip_configuration.ssl_mode' is set to '%s'", [settings.ip_configuration.ssl_mode]),
 		"searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name],["settings", "ip_configuration", "ssl_mode"]),
 		"remediation": json.marshal({
 			"before": settings.ip_configuration.ssl_mode,
-			"after": "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
+			"after": get_remediation(database_version)
 		}),
 		"remediationType": "replacement",
 	}
@@ -88,3 +90,14 @@ CxPolicy[result] {																			# legacy support (terraform version < 6.0.1
 		"remediationType": "replacement",
 	}
 }
+
+get_expected_key(database_version, ssl_mode) = "'ENCRYPTED_ONLY'" {
+	contains(database_version, "SQLSERVER")
+	ssl_mode == "ENCRYPTED_ONLY"
+} else = "'ENCRYPTED_ONLY' or 'TRUSTED_CLIENT_CERTIFICATE_REQUIRED'" {
+	not common_lib.inArray(allowed_ssl_modes, ssl_mode)
+}
+
+get_remediation(database_version) = "ENCRYPTED_ONLY" {
+	contains(database_version, "SQLSERVER")
+} else = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"

assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/negative1.tf

@@ -1,7 +1,8 @@
-resource "google_sql_database_instance" "negative1" {   # legacy support (terraform version < 6.0.1)
+resource "google_sql_database_instance" "negative1_1" {   # legacy support (terraform version < 6.0.1)
   provider = google-beta
 
   name   = "private-instance-${random_id.db_name_suffix.hex}"
+  database_version = "POSTGRES_15"
   region = "us-central1"
 
   depends_on = [google_service_networking_connection.private_vpc_connection]

assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/negative2.tf

@@ -1,5 +1,6 @@
-resource "google_sql_database_instance" "negative1" {
+resource "google_sql_database_instance" "negative2_1" {
   name   = "private-instance-encrypted"
+  database_version = "POSTGRES_15"
   region = "us-central1"
 
   depends_on = [google_service_networking_connection.private_vpc_connection]
@@ -15,8 +16,9 @@ resource "google_sql_database_instance" "negative1" {
   }
 }
 
-resource "google_sql_database_instance" "negative2" {
+resource "google_sql_database_instance" "negative2_2" {
   name   = "private-instance-trusted-cert"
+  database_version = "POSTGRES_15"
   region = "us-central1"
 
   depends_on = [google_service_networking_connection.private_vpc_connection]

assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/negative3.tf

@@ -0,0 +1,17 @@
+resource "google_sql_database_instance" "negative3_1" {
+  name   = "private-instance-encrypted"
+  database_version = "SQLSERVER_2017_STANDARD"
+  region = "us-central1"
+
+  depends_on = [google_service_networking_connection.private_vpc_connection]
+
+  settings {
+    tier = "db-f1-micro"
+
+    ip_configuration {
+      ipv4_enabled    = false
+      private_network = google_compute_network.private_network.id
+      ssl_mode        = "ENCRYPTED_ONLY"  # Only allows connections encrypted with SSL/TLS
+    }
+  }
+}

assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/positive1.tf

@@ -1,7 +1,8 @@
-resource "google_sql_database_instance" "positive1" {   # legacy support (terraform version < 6.0.1)
+resource "google_sql_database_instance" "positive1_1" {   # legacy support (terraform version < 6.0.1)
   provider = google-beta
 
   name   = "private-instance-${random_id.db_name_suffix.hex}"
+  database_version = "POSTGRES_15"
   region = "us-central1"
 
   depends_on = [google_service_networking_connection.private_vpc_connection]
@@ -11,10 +12,11 @@ resource "google_sql_database_instance" "positive1" {   # legacy support (terraf
   }
 }
 
-resource "google_sql_database_instance" "positive2" {   # legacy support (terraform version < 6.0.1)
+resource "google_sql_database_instance" "positive1_2" {   # legacy support (terraform version < 6.0.1)
   provider = google-beta
 
   name   = "private-instance-${random_id.db_name_suffix.hex}"
+  database_version = "POSTGRES_15"
   region = "us-central1"
 
   depends_on = [google_service_networking_connection.private_vpc_connection]
@@ -29,10 +31,11 @@ resource "google_sql_database_instance" "positive2" {   # legacy support (terraf
   }
 }
 
-resource "google_sql_database_instance" "positive3" {   # legacy support (terraform version < 6.0.1)
+resource "google_sql_database_instance" "positive1_3" {   # legacy support (terraform version < 6.0.1)
   provider = google-beta
 
   name   = "private-instance-${random_id.db_name_suffix.hex}"
+  database_version = "POSTGRES_15"
   region = "us-central1"
 
   depends_on = [google_service_networking_connection.private_vpc_connection]

assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/positive2.tf

@@ -1,6 +1,7 @@
 
-resource "google_sql_database_instance" "positive1" {
+resource "google_sql_database_instance" "positive2_1" {
   name   = "private-instance-no-ssl-mode"
+  database_version = "POSTGRES_15"
   region = "us-central1"
 
   depends_on = [google_service_networking_connection.private_vpc_connection]
@@ -16,8 +17,9 @@ resource "google_sql_database_instance" "positive1" {
   }
 }
 
-resource "google_sql_database_instance" "positive2" {
+resource "google_sql_database_instance" "positive2_2" {
   name   = "private-instance-unspecified"
+  database_version = "POSTGRES_15"
   region = "us-central1"
 
   depends_on = [google_service_networking_connection.private_vpc_connection]
@@ -33,8 +35,9 @@ resource "google_sql_database_instance" "positive2" {
   }
 }
 
-resource "google_sql_database_instance" "positive3" {
+resource "google_sql_database_instance" "positive2_3" {
   name   = "private-instance-unencrypted"
+  database_version = "POSTGRES_15"
   region = "us-central1"
 
   depends_on = [google_service_networking_connection.private_vpc_connection]

assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/positive3.tf

@@ -0,0 +1,71 @@
+resource "google_sql_database_instance" "positive3_1" {
+  name   = "private-instance-no-ssl-mode"
+  database_version = "SQLSERVER_2017_STANDARD"
+  region = "us-central1"
+
+  depends_on = [google_service_networking_connection.private_vpc_connection]
+
+  settings {
+    tier = "db-f1-micro"
+
+    ip_configuration {
+      ipv4_enabled    = false
+      private_network = google_compute_network.private_network.id
+      # Undefined "ssl_mode"
+    }
+  }
+}
+
+resource "google_sql_database_instance" "positive3_2" {
+  name   = "private-instance-unspecified"
+  database_version = "SQLSERVER_2017_STANDARD"
+  region = "us-central1"
+
+  depends_on = [google_service_networking_connection.private_vpc_connection]
+
+  settings {
+    tier = "db-f1-micro"
+
+    ip_configuration {
+      ipv4_enabled    = false
+      private_network = google_compute_network.private_network.id
+      ssl_mode        = "SSL_MODE_UNSPECIFIED"  # Unexpected value
+    }
+  }
+}
+
+resource "google_sql_database_instance" "positive3_3" {
+  name   = "private-instance-unencrypted"
+  database_version = "SQLSERVER_2017_STANDARD"
+  region = "us-central1"
+
+  depends_on = [google_service_networking_connection.private_vpc_connection]
+
+  settings {
+    tier = "db-f1-micro"
+
+    ip_configuration {
+      ipv4_enabled    = false
+      private_network = google_compute_network.private_network.id
+      ssl_mode        = "ALLOW_UNENCRYPTED_AND_ENCRYPTED"  # Allows unencrypted (non-SSL/non-TLS) connections
+    }
+  }
+}
+
+resource "google_sql_database_instance" "positive3_4" {
+  name   = "private-instance-unspecified"
+  database_version = "SQLSERVER_2017_STANDARD"
+  region = "us-central1"
+
+  depends_on = [google_service_networking_connection.private_vpc_connection]
+
+  settings {
+    tier = "db-f1-micro"
+
+    ip_configuration {
+      ipv4_enabled    = false
+      private_network = google_compute_network.private_network.id
+      ssl_mode        = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"  # Value Unsupported by SQLSERVER databases
+    }
+  }
+}