Ensure that Cloud SQL Database Instances are not publicly exposed

Explanation

Database instances should not be reachable from the public internet; they should be exposed only to the internal compute resources that need to access them.

Possible Impact

Public exposure of sensitive data

Suggested Resolution

Remove public access from database instances

Insecure Example

The following example will fail the google-sql-no-public-access check.

resource "google_sql_database_instance" "postgres" {
	name             = "postgres-instance-a"
	database_version = "POSTGRES_11"

	settings {
		tier = "db-f1-micro"

		ip_configuration {
			ipv4_enabled = false
			authorized_networks {
				value           = "108.12.12.0/24"
				name            = "internal"
			}

			authorized_networks {
				value           = "0.0.0.0/0"
				name            = "internet"
			}
		}
	}
}

Secure Example

The following example will pass the google-sql-no-public-access check.

resource "google_sql_database_instance" "postgres" {
	name             = "postgres-instance-a"
	database_version = "POSTGRES_11"

	settings {
		tier = "db-f1-micro"

		ip_configuration {
			ipv4_enabled = false
			authorized_networks {
				value           = "108.12.12.0/24"
				name            = "internal"
			}
		}
	}
}
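As an added example (not part of this check's documentation and not the tfsec/trivy code base), the following Python script applies the same policy to the JSON that `terraform show -json plan.out` produces: it walks every `google_sql_database_instance` in `resource_changes` and reports an authorized network that spans the whole address space (`0.0.0.0/0` or `::/0`) as a finding. It also treats `ipv4_enabled = true` (a public IPv4 address on the instance) as a finding; that is this example's own policy choice, not something the page states. The plan fragments it builds are constructed to mirror the insecure and secure examples above, so it runs offline.

```python
"""Flag publicly exposed google_sql_database_instance resources in a Terraform plan (JSON form)."""
import ipaddress
import json
import sys

CHECK_ID = "google-sql-no-public-access"


def is_open_to_internet(cidr: str) -> bool:
    """True when the CIDR covers the entire address space (0.0.0.0/0 or ::/0).

    An unparseable value is reported as a finding so that a typo in a
    network block cannot silently pass the check.
    """
    try:
        network = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return True
    return network.prefixlen == 0


def check_settings(address: str, settings: dict) -> list[str]:
    """Evaluate one `settings` block of a Cloud SQL instance and return findings."""
    findings = []
    for ip_config in settings.get("ip_configuration", []):
        # Example's own policy: a public IPv4 address on the instance is exposure.
        if ip_config.get("ipv4_enabled"):
            findings.append(f"{CHECK_ID}: {address} is assigned a public IPv4 address (ipv4_enabled = true)")
        for network in ip_config.get("authorized_networks", []):
            value = network.get("value", "")
            if is_open_to_internet(value):
                label = network.get("name", "<unnamed>")
                findings.append(f"{CHECK_ID}: {address} authorized network '{label}' ({value}) allows access from any address")
    return findings


def check_plan(plan: dict) -> list[str]:
    """Walk `terraform show -json` output and return a finding per exposure."""
    findings = []
    for change in plan.get("resource_changes", []):
        if change.get("type") != "google_sql_database_instance":
            continue
        after = change.get("change", {}).get("after")
        if not after:  # resource is being destroyed; nothing to evaluate
            continue
        # Nested HCL blocks appear as lists of objects in plan JSON.
        for settings in after.get("settings", []):
            findings.extend(check_settings(change.get("address", "?"), settings))
    return findings


def make_plan(authorized_networks: list[dict], ipv4_enabled: bool = False) -> dict:
    """Constructed plan fragment shaped like the page's examples (sample data, not real output)."""
    return {"resource_changes": [{
        "address": "google_sql_database_instance.postgres",
        "type": "google_sql_database_instance",
        "change": {"actions": ["create"], "after": {
            "name": "postgres-instance-a",
            "database_version": "POSTGRES_11",
            "settings": [{"tier": "db-f1-micro", "ip_configuration": [{
                "ipv4_enabled": ipv4_enabled,
                "authorized_networks": authorized_networks,
            }]}],
        }},
    }]}


INTERNAL_NETWORK = {"name": "internal", "value": "108.12.12.0/24"}
INTERNET_NETWORK = {"name": "internet", "value": "0.0.0.0/0"}

# Mirrors the insecure example above: one private-ish range plus 0.0.0.0/0.
INSECURE_PLAN = make_plan([INTERNAL_NETWORK, INTERNET_NETWORK])
# Mirrors the secure example above: only the specific range remains.
SECURE_PLAN = make_plan([INTERNAL_NETWORK])


if __name__ == "__main__":
    # Usage: python check_sql_public.py plan.json   (or no argument to run the built-in samples)
    plans = [json.load(open(sys.argv[1]))] if len(sys.argv) > 1 else [INSECURE_PLAN, SECURE_PLAN]
    exit_code = 0
    for plan in plans:
        for finding in check_plan(plan):
            print(finding)
            exit_code = 1
    sys.exit(exit_code)
```

Run it against a real plan with `terraform plan -out=plan.out && terraform show -json plan.out > plan.json && python check_sql_public.py plan.json`; a non-zero exit lets a CI job fail on the finding. The secure example passes because `108.12.12.0/24` is a specific prefix rather than the whole address space, which matches the behaviour the page describes for the check.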
