fix(query): updated "SQL DB Instance With SSL Disabled" Terraform query to handle 'require_ssl' field deprecation #8029
Open
cx-andre-pereira wants to merge 7 commits into Checkmarx:master from
…eld, support for all 'ssl_mode' field values, new tests and metadata Url updated
cx-artur-ribeiro (Contributor) previously approved these changes on Apr 7, 2026 and left a comment:
LGTM, good job André.
…bases (do not support 'TRUSTED_CLIENT_CERTIFICATE_REQUIRED' value
…sabled--Terraform
Closes #7263
Reason for Proposed Changes
ssl_mode, and instead checks for the deprecated require_ssl field. (deprecation notice)
Proposed Changes
Updated the query to handle the newer field and added relevant samples where all possible values for ssl_mode are tested.
For google_sql_database_instance resources with a SQLSERVER based database_version field, the only supported value is ENCRYPTED_ONLY as per Google's documentation - "Only applicable to MySQL and PostgreSQL. Not applicable to SQL Server."
Note that for the existing remediations I took the liberty of recommending the most restrictive mode available "TRUSTED_CLIENT_CERTIFICATE_REQUIRED" (with the exception of the SQLSERVER based resources). The value could just as easily be set to ENCRYPTED_ONLY, but I assumed maximum security would be best for a fix recommendation.
I submit this contribution under the Apache-2.0 license.
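The check this PR description outlines, as an added Python example that is neither the KICS Rego query nor code from this pull request: it evaluates ssl_mode on a parsed google_sql_database_instance and returns the remediation value the description recommends for each engine. The nested-dict input shape, the names check_instance, scan and SAMPLES, the sample resources, and the choice to report a bare require_ssl regardless of its value are assumptions.

```python
# Added example, not the KICS Rego query. Input shape and names are assumptions.
SECURE_MODES = {"ENCRYPTED_ONLY", "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"}
MYSQL_PG_ONLY = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"  # not applicable to SQL Server


def check_instance(resource):
    """Return (finding, recommended ssl_mode); finding is None when compliant."""
    version = str(resource.get("database_version", "")).upper()
    is_sqlserver = version.startswith("SQLSERVER")
    strictest = "ENCRYPTED_ONLY" if is_sqlserver else MYSQL_PG_ONLY
    ip_cfg = (resource.get("settings") or {}).get("ip_configuration") or {}
    mode = ip_cfg.get("ssl_mode")
    if mode is None:
        if "require_ssl" in ip_cfg:
            # Assumption: the deprecated flag alone is reported, whatever its value.
            return ("deprecated require_ssl set without ssl_mode", strictest)
        return ("ssl_mode is not defined", strictest)
    if mode == "ALLOW_UNENCRYPTED_AND_ENCRYPTED":
        return ("ssl_mode permits unencrypted connections", strictest)
    if mode not in SECURE_MODES:
        return (f"unrecognized ssl_mode {mode!r}", strictest)
    if is_sqlserver and mode == MYSQL_PG_ONLY:
        return ("ssl_mode value is not applicable to SQL Server", strictest)
    return (None, mode)


def _instance(version, **ip_cfg):
    # Constructed sample resource, shaped like a parsed Terraform block.
    return {"database_version": version, "settings": {"ip_configuration": ip_cfg}}


SAMPLES = {  # constructed inputs, not the PR's test fixtures
    "pg_strict": _instance("POSTGRES_15", ssl_mode=MYSQL_PG_ONLY),
    "mysql_mixed": _instance("MYSQL_8_0", ssl_mode="ALLOW_UNENCRYPTED_AND_ENCRYPTED"),
    "pg_legacy": _instance("POSTGRES_15", require_ssl=True),
    "mssql_ok": _instance("SQLSERVER_2019_STANDARD", ssl_mode="ENCRYPTED_ONLY"),
    "mssql_cert": _instance("SQLSERVER_2019_STANDARD", ssl_mode=MYSQL_PG_ONLY),
    "no_ip_cfg": {"database_version": "MYSQL_8_0", "settings": {}},
}


def scan(samples):
    return {name: check_instance(res) for name, res in samples.items()}


if __name__ == "__main__":
    for name, (finding, fix) in scan(SAMPLES).items():
        print(f"{name}: {finding or 'ok'} (ssl_mode = {fix})")
```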