From e9e4bd5670430d3951bd81d4f34cd4758250dee3 Mon Sep 17 00:00:00 2001
From: nikpivkin
Date: Fri, 20 Sep 2024 17:07:57 +0600
Subject: [PATCH] feat(misconf): ssl_mode support for GCP SQL DB instance

Signed-off-by: nikpivkin
---
 pkg/iac/adapters/terraform/google/sql/adapt.go | 12 ++++--------
 pkg/iac/adapters/terraform/google/sql/adapt_test.go | 2 ++
 pkg/iac/providers/google/sql/sql.go | 1 +
 pkg/iac/rego/schemas/cloud.json | 4 ++++
 4 files changed, 11 insertions(+), 8 deletions(-)

diff --git a/pkg/iac/adapters/terraform/google/sql/adapt.go b/pkg/iac/adapters/terraform/google/sql/adapt.go
index 6418942384d4..6d68795bcfac 100644
--- a/pkg/iac/adapters/terraform/google/sql/adapt.go
+++ b/pkg/iac/adapters/terraform/google/sql/adapt.go
@@ -52,6 +52,7 @@ func adaptInstance(resource *terraform.Block) sql.DatabaseInstance {
 IPConfiguration: sql.IPConfiguration{
 Metadata: resource.GetMetadata(),
 RequireTLS: iacTypes.BoolDefault(false, resource.GetMetadata()),
+ SSLMode: iacTypes.String("", resource.GetMetadata()),
 EnableIPv4: iacTypes.BoolDefault(true, resource.GetMetadata()),
 AuthorizedNetworks: nil,
 },
@@ -125,12 +126,6 @@ func adaptIPConfig(resource *terraform.Block) sql.IPConfiguration {
 CIDR iacTypes.StringValue
 }
 
- tlsRequiredAttr := resource.GetAttribute("require_ssl")
- tlsRequiredVal := tlsRequiredAttr.AsBoolValueOrDefault(false, resource)
-
- ipv4enabledAttr := resource.GetAttribute("ipv4_enabled")
- ipv4enabledVal := ipv4enabledAttr.AsBoolValueOrDefault(true, resource)
-
 authNetworksBlocks := resource.GetBlocks("authorized_networks")
 for _, authBlock := range authNetworksBlocks {
 nameVal := authBlock.GetAttribute("name").AsStringValueOrDefault("", authBlock)
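Review bot: The added `SSLMode:` line builds the implied value with `iacTypes.String("", …)` while the neighbouring RequireTLS and EnableIPv4 defaults in the same literal use `iacTypes.BoolDefault(…)`; if the types package offers `iacTypes.StringDefault`, the implied value should use it so that rule output can distinguish an ssl_mode that was never written from one explicitly set to an empty string. The same implicit empty default is produced on the `ssl_mode` line of the @@ -147 hunk through `AsStringValueOrDefault("", resource)`. An unset ssl_mode is not a safe state — as far as I know GCP then applies its own server-side default, which still accepts unencrypted connections — so any check consuming this field must treat "" as "not configured" rather than as passing; a comment on the added line, `// "" means ssl_mode was not set; GCP then applies its own default`, would make that contract visible. adaptInstance's body begins before and continues after this hunk.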
@@ -147,8 +142,9 @@ func adaptIPConfig(resource *terraform.Block) sql.IPConfiguration {
 
 return sql.IPConfiguration{
 Metadata: resource.GetMetadata(),
- RequireTLS: tlsRequiredVal,
- EnableIPv4: ipv4enabledVal,
+ RequireTLS: resource.GetAttribute("require_ssl").AsBoolValueOrDefault(false, resource),
+ SSLMode: resource.GetAttribute("ssl_mode").AsStringValueOrDefault("", resource),
+ EnableIPv4: resource.GetAttribute("ipv4_enabled").AsBoolValueOrDefault(true, resource),
 AuthorizedNetworks: authorizedNetworks,
 }
 }
diff --git a/pkg/iac/adapters/terraform/google/sql/adapt_test.go b/pkg/iac/adapters/terraform/google/sql/adapt_test.go
index 29e89d6282b7..fd3207ed3547 100644
--- a/pkg/iac/adapters/terraform/google/sql/adapt_test.go
+++ b/pkg/iac/adapters/terraform/google/sql/adapt_test.go
@@ -34,6 +34,7 @@ func Test_Adapt(t *testing.T) {
 name = "internal"
 }
 require_ssl = true
+ ssl_mode = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
 }
 }
 }
@@ -67,6 +68,7 @@ func Test_Adapt(t *testing.T) {
 Metadata: iacTypes.NewTestMetadata(),
 RequireTLS: iacTypes.Bool(true, iacTypes.NewTestMetadata()),
 EnableIPv4: iacTypes.Bool(false, iacTypes.NewTestMetadata()),
+ SSLMode: iacTypes.StringTest("TRUSTED_CLIENT_CERTIFICATE_REQUIRED"),
 AuthorizedNetworks: []struct {
 Name iacTypes.StringValue
 CIDR iacTypes.StringValue
diff --git a/pkg/iac/providers/google/sql/sql.go b/pkg/iac/providers/google/sql/sql.go
index 18778dd1daef..672e78a42fbd 100755
--- a/pkg/iac/providers/google/sql/sql.go
+++ b/pkg/iac/providers/google/sql/sql.go
@@ -66,6 +66,7 @@ type Backups struct {
 type IPConfiguration struct {
 Metadata iacTypes.Metadata
 RequireTLS iacTypes.BoolValue
+ SSLMode iacTypes.StringValue
 EnableIPv4 iacTypes.BoolValue
 AuthorizedNetworks []struct {
 Name iacTypes.StringValue
diff --git a/pkg/iac/rego/schemas/cloud.json b/pkg/iac/rego/schemas/cloud.json
index b034f24fa104..1ac27848a4d5 100644
--- a/pkg/iac/rego/schemas/cloud.json
+++ b/pkg/iac/rego/schemas/cloud.json
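Review bot: The expectation added in the @@ -67 hunk only pins ssl_mode when it is set explicitly next to `require_ssl = true`; the empty default that adaptInstance and adaptIPConfig now emit when `ssl_mode` — or the whole ip_configuration block — is absent has no case in this test. That default is what a policy will see for most existing configurations, so a second scenario with no `ssl_mode` asserting an empty SSLMode (and, separately, one with ssl_mode set but require_ssl omitted) would guard the behaviour the adapter actually relies on. Test_Adapt begins before this hunk and its remaining cases are outside it.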
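Review bot: The added exported field `SSLMode` in the sql.go hunk has no doc comment, and nothing records how it relates to the `RequireTLS` field directly above it, although both control the same transport-encryption setting. Suggest `// SSLMode holds ip_configuration.ssl_mode; when set it supersedes RequireTLS (require_ssl), which the Google provider has deprecated in its favour. An empty value means the attribute was not set.` The existing fields of IPConfiguration are undocumented as well, but this is the first place the two overlapping TLS knobs meet, and a rule author needs to know which one wins. The struct continues past the end of the hunk.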
@@ -6987,6 +6987,10 @@
 "requiretls": {
 "type": "object",
 "$ref": "#/definitions/github.aaakk.us.kg.aquasecurity.trivy.pkg.iac.types.BoolValue"
+ },
+ "sslmode": {
+ "type": "object",
+ "$ref": "#/definitions/github.aaakk.us.kg.aquasecurity.trivy.pkg.iac.types.StringValue"
 }
 }
 },