google cloud sql instance network restrictions
Danielle committed Dec 29, 2023
1 parent e61a21f commit 2f38528
Showing 3 changed files with 61 additions and 0 deletions.
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -72,6 +72,7 @@ _Access policies have been deprecated. Please [read this](./access/README.md) fo
- [Enforce Instance Type List](./plan/enforce-instance-type-list.rego)
- [Enforce module use policy](./plan/enforce-module-use-policy.rego)
- [Enforce Password Length](./plan/enforce-password-length.rego)
- [Enforce Google Cloud SQL Instance Networks](./plan/enforce-sqlinstance-network.rego)
- [Enforce Tags on Resources](./plan/enforce-tags-on-resources.rego)
- [Enforce Terraform version list](./plan/enforce-terraform-version-list.rego)
- [Ensure resource creation before deletion](./plan/ensure-resource-creation-before-deletion.rego)
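--- a/plan/enforce-sqlinstance-network.rego
+++ b/plan/enforce-sqlinstance-network.rego
@@ -0,0 +1,26 @@
+package spacelift
+
+# Deny changes that expose Cloud SQL instance to 0.0.0.0/0
+deny[msg] {
+change := input.terraform.resource_changes[_]
+change.type == "google_sql_database_instance"
+valid_action(change.change.actions)
+setting := change.change.after.settings[_]
+ip_config := setting.ip_configuration[_]
+auth_network := ip_config.authorized_networks[_]
+auth_network.value == "0.0.0.0/0"
+
+msg := sprintf("Cloud SQL instance '%s' is exposed to 0.0.0.0/0", [change.address])
+}
+
+# Helper rule to check for valid actions
+valid_action(actions) {
+action := actions[_]
+action == "update"
+}
+
+# Helper rule to check for create action
+valid_action(actions) {
+action := actions[_]
+action == "create"
+}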
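Review bot: The check `auth_network.value == "0.0.0.0/0"` in `deny` is an exact string comparison, so only that literal is caught and any other broad authorized network (a /8, for example) passes the policy unchanged. A prefix-length threshold would cover the general case, e.g. `prefix_len := to_number(split(auth_network.value, "/")[1])` followed by `prefix_len < 24` (threshold to be agreed with the team); a bare address with no `/`, which the provider treats as a single host, would leave `split(...)[1]` undefined and skip the check, which is acceptable but deserves a comment. The two `valid_action` definitions differ only in the literal, and the first one's comment says "valid actions" while it matches only `update`; a single rule with the body `allowed := {"create", "update"}` / `allowed[actions[_]]` and a comment stating that only plans writing a new configuration are inspected would read more clearly. The rule bodies are also unindented, so the file is not `opa fmt`-clean, which the repository's Regal check reports.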
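--- a/plan/enforce-sqlinstance-network_test.rego
+++ b/plan/enforce-sqlinstance-network_test.rego
@@ -0,0 +1,34 @@
+package spacelift
+
+# Test allowing a valid Cloud SQL instance configuration
+test_allow_valid_cloud_sql_instance {
+count(deny) == 0 with input as {"terraform": {"resource_changes": [{
+"type": "google_sql_database_instance",
+"change": {
+"actions": ["create"],
+"after": {"settings": [{"ip_configuration": [{"authorized_networks": [{"value": "192.168.1.0/24"}]}]}]},
+},
+}]}}
+}
+
+# Test denying a Cloud SQL instance open to 0.0.0.0/0
+test_deny_cloud_sql_instance_open_to_world {
+deny with input as {"terraform": {"resource_changes": [{
+"type": "google_sql_database_instance",
+"change": {
+"actions": ["create"],
+"after": {"settings": [{"ip_configuration": [{"authorized_networks": [{"value": "0.0.0.0/0"}]}]}]},
+},
+}]}}
+}
+
+# Test non-applicability for a non-Cloud SQL resource
+test_allow_non_cloud_sql_resource {
+count(deny) == 0 with input as {"terraform": {"resource_changes": [{
+"type": "google_compute_instance",
+"change": {
+"actions": ["create"],
+"after": {"settings": [{"ip_configuration": [{"authorized_networks": [{"value": "0.0.0.0/0"}]}]}]},
+},
+}]}}
+}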
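Review bot: The bare `deny with input as {...}` in `test_deny_cloud_sql_instance_open_to_world` does not assert a denial: a partial set rule such as `deny` always evaluates to a set, possibly empty, and a non-boolean test expression only fails when it is undefined, so this test keeps passing even if the policy never fires. Use the same form as the two neighbouring tests, `count(deny) == 1 with input as {...}`, which also pins the number of violations. The suite has no case for the `update` branch of `valid_action` and none for an instance whose `authorized_networks` is empty or absent, both of which the policy is expected to accept silently; one input per case would document that intended coverage.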
