feat(misconf): ssl_mode support for GCP SQL DB instance (#7564)
Signed-off-by: nikpivkin <[email protected]>
nikpivkin authored Oct 17, 2024
1 parent bcfc37b commit 2eaa17e
Showing 4 changed files with 11 additions and 8 deletions.
12 changes: 4 additions & 8 deletions pkg/iac/adapters/terraform/google/sql/adapt.go
Expand Up @@ -52,6 +52,7 @@ func adaptInstance(resource *terraform.Block) sql.DatabaseInstance {
IPConfiguration: sql.IPConfiguration{
Metadata: resource.GetMetadata(),
RequireTLS: iacTypes.BoolDefault(false, resource.GetMetadata()),
SSLMode: iacTypes.String("", resource.GetMetadata()),
EnableIPv4: iacTypes.BoolDefault(true, resource.GetMetadata()),
AuthorizedNetworks: nil,
},
Expand Down Expand Up @@ -125,12 +126,6 @@ func adaptIPConfig(resource *terraform.Block) sql.IPConfiguration {
CIDR iacTypes.StringValue
}

tlsRequiredAttr := resource.GetAttribute("require_ssl")
tlsRequiredVal := tlsRequiredAttr.AsBoolValueOrDefault(false, resource)

ipv4enabledAttr := resource.GetAttribute("ipv4_enabled")
ipv4enabledVal := ipv4enabledAttr.AsBoolValueOrDefault(true, resource)

authNetworksBlocks := resource.GetBlocks("authorized_networks")
for _, authBlock := range authNetworksBlocks {
nameVal := authBlock.GetAttribute("name").AsStringValueOrDefault("", authBlock)
Expand All @@ -147,8 +142,9 @@ func adaptIPConfig(resource *terraform.Block) sql.IPConfiguration {

return sql.IPConfiguration{
Metadata: resource.GetMetadata(),
RequireTLS: tlsRequiredVal,
EnableIPv4: ipv4enabledVal,
RequireTLS: resource.GetAttribute("require_ssl").AsBoolValueOrDefault(false, resource),
SSLMode: resource.GetAttribute("ssl_mode").AsStringValueOrDefault("", resource),
EnableIPv4: resource.GetAttribute("ipv4_enabled").AsBoolValueOrDefault(true, resource),
AuthorizedNetworks: authorizedNetworks,
}
}
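Review bot: The new `SSLMode` adaptation in adaptIPConfig (and the empty default in adaptInstance's fallback in the first hunk) stores the raw attribute string, so an instance whose only transport-encryption setting is `ssl_mode = "ENCRYPTED_ONLY"` still carries `RequireTLS = false`, and a check that keys solely on `requiretls` will misjudge it; if `require_ssl` is indeed deprecated upstream in favour of `ssl_mode`, that combination is the common one going forward. The check that consumes these fields is not part of this commit, so it is worth confirming it treats the TLS-enforcing `sslmode` values as satisfying the requirement and never reads an empty string as "enforced". A one-line comment at the adaptInstance default, `SSLMode: iacTypes.String("", resource.GetMetadata()), // unset: must not be read as TLS-enforced`, and the same on the `ssl_mode` line here, would make that contract visible to the policy author. adaptIPConfig's opening and adaptInstance's body lie outside these hunks.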
2 changes: 2 additions & 0 deletions pkg/iac/adapters/terraform/google/sql/adapt_test.go
Expand Up @@ -34,6 +34,7 @@ func Test_Adapt(t *testing.T) {
name = "internal"
}
require_ssl = true
ssl_mode = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
}
}
}
Expand Down Expand Up @@ -67,6 +68,7 @@ func Test_Adapt(t *testing.T) {
Metadata: iacTypes.NewTestMetadata(),
RequireTLS: iacTypes.Bool(true, iacTypes.NewTestMetadata()),
EnableIPv4: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
SSLMode: iacTypes.StringTest("TRUSTED_CLIENT_CERTIFICATE_REQUIRED"),
AuthorizedNetworks: []struct {
Name iacTypes.StringValue
CIDR iacTypes.StringValue
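Review bot: Test_Adapt only covers the case where `ssl_mode` is set; the default path — `ip_configuration` present without `ssl_mode`, and no `ip_configuration` block at all (adaptInstance's fallback) — is not pinned, so the empty-string default could change silently. A second fixture omitting `ssl_mode`, with the expected `SSLMode` built from the package's defaulted-string constructor, would lock that in. The expected struct also lists `SSLMode` after `EnableIPv4` while the type declares it before; ordering them alike keeps the fixture easy to compare against the struct. The test function starts and ends outside these hunks.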
1 change: 1 addition & 0 deletions pkg/iac/providers/google/sql/sql.go
Expand Up @@ -66,6 +66,7 @@ type Backups struct {
type IPConfiguration struct {
Metadata iacTypes.Metadata
RequireTLS iacTypes.BoolValue
SSLMode iacTypes.StringValue
EnableIPv4 iacTypes.BoolValue
AuthorizedNetworks []struct {
Name iacTypes.StringValue
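Review bot: The new `SSLMode` field gives no indication of what an empty value means, and this is the type that policy code reads; a short comment, `// SSLMode holds ip_configuration.ssl_mode verbatim; empty means the attribute was not set, not that TLS is enforced.`, would stop a check from treating the zero value as a secure configuration. The IPConfiguration struct continues past the hunk.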
4 changes: 4 additions & 0 deletions pkg/iac/rego/schemas/cloud.json
Expand Up @@ -6991,6 +6991,10 @@
"requiretls": {
"type": "object",
"$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.BoolValue"
},
"sslmode": {
"type": "object",
"$ref": "#/definitions/github.com.aquasecurity.trivy.pkg.iac.types.StringValue"
}
}
},
