
feat(terraform): add support for the ssl_mode attribute of the google_sql_database_instance resource #6649

Open
2 tasks done
nikpivkin opened this issue May 7, 2024 Discussed in #6646 · 0 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature. scan/misconfiguration Issues relating to misconfiguration scanning

Comments


nikpivkin commented May 7, 2024

We must retain support for the deprecated attribute.

Ref:

Discussed in #6646

Originally posted by desolatorxxl May 7, 2024

### IDs

avd-gcp-0015

### Description

The Google docs recommend using ssl_mode instead of the legacy require_ssl attribute.

See:

https://cloud.google.com/sql/docs/postgres/admin-api/rest/v1beta4/instances#ipconfiguration
https://cloud.google.com/sql/docs/postgres/admin-api/rest/v1beta4/instances#sslmode

### Reproduction Steps

```bash
cat <<EOT > sql.tf
resource "google_sql_database_instance" "foo" {
  name             = "foo"
  database_version = "POSTGRES_13"
  region           = "europe-west1"

  settings {
    disk_autoresize_limit = 250
    disk_autoresize       = true

    ip_configuration {
      ipv4_enabled    = false
      private_network = "default"
    }

    backup_configuration {
      enabled = true
    }

    database_flags {
      name  = "log_lock_waits"
      value = "on"
    }

    database_flags {
      name  = "log_checkpoints"
      value = "on"
    }

    database_flags {
      name  = "log_connections"
      value = "on"
    }

    database_flags {
      name  = "log_disconnections"
      value = "on"
    }

    database_flags {
      name  = "log_temp_files"
      value = "0"
    }
  }
}
EOT

trivy config .
```


### Target

Filesystem

### Scanner

Misconfiguration

### Target OS

Gentoo

### Debug Output

```bash
$ trivy config .
2024-05-07T10:34:16.961+0200	DEBUG	Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-05-07T10:34:16.973+0200	DEBUG	cache dir:  /home/foo/.cache/trivy
2024-05-07T10:34:16.973+0200	INFO	Misconfiguration scanning is enabled
2024-05-07T10:34:16.974+0200	DEBUG	Policies successfully loaded from disk
2024-05-07T10:34:16.974+0200	DEBUG	Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-05-07T10:34:16.975+0200	DEBUG	The nuget packages directory couldn't be found. License search disabled
2024-05-07T10:34:16.982+0200	DEBUG	Walk the file tree rooted at '.' in series
2024-05-07T10:34:16.982+0200	DEBUG	Scanning Terraform files for misconfigurations...
2024-05-07T10:34:16.982+0200	DEBUG	[misconf] 34:16.982306570 terraform.scanner                Scanning [&{%!s(*mapfs.file=&{ [] {. 256 2147484096 {13945000156661059123 327184098 0x555f9b04e1c0} <nil>} {{{0 0} {[] {} 0xc00193a8b0} map[sql.tf:0xc001184bb8] 0}}}) .}] at '.'...
2024-05-07T10:34:16.983+0200	DEBUG	[misconf] 34:16.983432873 terraform.scanner.rego           Overriding filesystem for policies!
2024-05-07T10:34:17.016+0200	DEBUG	[misconf] 34:17.016733440 terraform.scanner.rego           Loaded 194 policies from disk.
2024-05-07T10:34:17.016+0200	DEBUG	[misconf] 34:17.016986495 terraform.scanner.rego           Overriding filesystem for data!
2024-05-07T10:34:17.260+0200	DEBUG	[misconf] 34:17.260609383 terraform.parser.<root>          Setting project/module root to '.'
2024-05-07T10:34:17.260+0200	DEBUG	[misconf] 34:17.260627646 terraform.parser.<root>          Parsing FS from '.'
2024-05-07T10:34:17.260+0200	DEBUG	[misconf] 34:17.260639493 terraform.parser.<root>          Parsing 'sql.tf'...
2024-05-07T10:34:17.260+0200	DEBUG	[misconf] 34:17.260741970 terraform.parser.<root>          Added file sql.tf.
2024-05-07T10:34:17.260+0200	DEBUG	[misconf] 34:17.260842909 terraform.scanner                Scanning root module '.'...
2024-05-07T10:34:17.260+0200	DEBUG	[misconf] 34:17.260845225 terraform.parser.<root>          Setting project/module root to '.'
2024-05-07T10:34:17.260+0200	DEBUG	[misconf] 34:17.260846534 terraform.parser.<root>          Parsing FS from '.'
2024-05-07T10:34:17.260+0200	DEBUG	[misconf] 34:17.260849370 terraform.parser.<root>          Parsing 'sql.tf'...
2024-05-07T10:34:17.260+0200	DEBUG	[misconf] 34:17.260934942 terraform.parser.<root>          Added file sql.tf.
2024-05-07T10:34:17.260+0200	DEBUG	[misconf] 34:17.260937088 terraform.parser.<root>          Evaluating module...
2024-05-07T10:34:17.261+0200	DEBUG	[misconf] 34:17.261006673 terraform.parser.<root>          Read 2 block(s) and 0 ignore(s) for module 'root' (1 file[s])...
2024-05-07T10:34:17.261+0200	DEBUG	[misconf] 34:17.261011956 terraform.parser.<root>          Added 0 variables from tfvars.
2024-05-07T10:34:17.261+0200	DEBUG	[misconf] 34:17.261015334 terraform.parser.<root>          Error loading module metadata: open .terraform/modules/modules.json: file does not exist.
2024-05-07T10:34:17.261+0200	DEBUG	[misconf] 34:17.261020143 terraform.parser.<root>          Working directory for module evaluation is '/tmp/foo'
2024-05-07T10:34:17.261+0200	DEBUG	[misconf] 34:17.261040267 terraform.parser.<root>.evaluator Filesystem key is '95149b582ed3a1d2426c8a44c1fc3979c3f855fa29b2ce7bbf4a91b5109dddce'
2024-05-07T10:34:17.261+0200	DEBUG	[misconf] 34:17.261042035 terraform.parser.<root>.evaluator Starting module evaluation...
2024-05-07T10:34:17.261+0200	DEBUG	[misconf] 34:17.261084279 terraform.parser.<root>.evaluator Starting submodule evaluation...
2024-05-07T10:34:17.261+0200	DEBUG	[misconf] 34:17.261086019 terraform.parser.<root>.evaluator Finished processing 0 submodule(s).
2024-05-07T10:34:17.261+0200	DEBUG	[misconf] 34:17.261087336 terraform.parser.<root>.evaluator Starting post-submodule evaluation...
2024-05-07T10:34:17.261+0200	DEBUG	[misconf] 34:17.261125689 terraform.parser.<root>.evaluator Module evaluation complete.
2024-05-07T10:34:17.261+0200	DEBUG	[misconf] 34:17.261127809 terraform.parser.<root>          Finished parsing module 'root'.
2024-05-07T10:34:17.261+0200	DEBUG	[misconf] 34:17.261130102 terraform.executor               Adapting modules...
2024-05-07T10:34:17.261+0200	DEBUG	[misconf] 34:17.261204626 terraform.executor               Adapted 1 module(s) into defsec state data.
2024-05-07T10:34:17.261+0200	DEBUG	[misconf] 34:17.261207039 terraform.executor               Using max routines of 23
2024-05-07T10:34:17.261+0200	DEBUG	[misconf] 34:17.261208359 terraform.executor               Applying state modifier functions...
2024-05-07T10:34:17.261+0200	DEBUG	[misconf] 34:17.261289946 terraform.executor               Initialized 486 rule(s).
2024-05-07T10:34:17.261+0200	DEBUG	[misconf] 34:17.261291635 terraform.executor               Created pool with 23 worker(s) to apply rules.
2024-05-07T10:34:17.261+0200	DEBUG	[misconf] 34:17.261578549 terraform.scanner.rego           Scanning 1 inputs...
2024-05-07T10:34:17.265+0200	DEBUG	[misconf] 34:17.265095084 terraform.executor               Finished applying rules.
2024-05-07T10:34:17.265+0200	DEBUG	[misconf] 34:17.265101502 terraform.executor               Applying ignores...
2024-05-07T10:34:17.282+0200	DEBUG	OS is not detected.
2024-05-07T10:34:17.282+0200	INFO	Detected config files: 2
2024-05-07T10:34:17.282+0200	DEBUG	Scanned config file: .
2024-05-07T10:34:17.282+0200	DEBUG	Scanned config file: sql.tf

sql.tf (terraform)
==================
Tests: 9 (SUCCESSES: 8, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

HIGH: Database instance does not require TLS for all connections.
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
In-transit data should be encrypted so that if traffic is intercepted data will not be exposed in plaintext to attackers.

See https://avd.aquasec.com/misconfig/avd-gcp-0015
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 sql.tf:16-19
   via sql.tf:10-51 (settings)
    via sql.tf:5-52 (google_sql_database_instance.foo)
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
   5   resource "google_sql_database_instance" "foo" {
   .   
  16 ┌     ip_configuration {
  17 │       ipv4_enabled    = false
  18 │       private_network = "default"
  19 └     }
  ..   
  52   }
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
```

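As an added illustration (not code from the Trivy project or its checks), the decision check avd-gcp-0015 has to make once both attributes exist: the type and function names are hypothetical, `ssl_mode` is assumed to take precedence when it is set, the legacy `require_ssl` is still honoured when it is absent, and an instance with neither attribute (the reproduction above) is reported just as the scan output shows.

```go
package main

import "fmt"

// IPConfiguration holds the two Terraform attributes the check has to read.
// A nil RequireSSL or an empty SSLMode means the attribute is not set in HCL.
type IPConfiguration struct {
	RequireSSL *bool  // legacy require_ssl: deprecated, but must stay supported
	SSLMode    string // ssl_mode: ALLOW_UNENCRYPTED_AND_ENCRYPTED, ENCRYPTED_ONLY, TRUSTED_CLIENT_CERTIFICATE_REQUIRED
}

// RequiresTLS reports whether the instance forces TLS on IP connections.
// Assumption (not stated in the issue): ssl_mode wins when present; otherwise
// the legacy attribute decides; neither set means TLS is not required, which
// is what the failing scan above reports for the "foo" instance.
func RequiresTLS(c IPConfiguration) bool {
	switch c.SSLMode {
	case "ENCRYPTED_ONLY", "TRUSTED_CLIENT_CERTIFICATE_REQUIRED":
		return true
	case "ALLOW_UNENCRYPTED_AND_ENCRYPTED":
		return false
	}
	return c.RequireSSL != nil && *c.RequireSSL
}

// CheckEncryptInTransit returns the finding text a scanner would emit, or ""
// when the instance passes.
func CheckEncryptInTransit(name string, c IPConfiguration) string {
	if RequiresTLS(c) {
		return ""
	}
	return fmt.Sprintf("HIGH: Database instance %q does not require TLS for all connections.", name)
}

func main() {
	on := true
	// Constructed sample configurations covering the legacy and new attributes.
	cases := []struct {
		label string
		cfg   IPConfiguration
	}{
		{"neither attribute (issue repro)", IPConfiguration{}},
		{"require_ssl = true (legacy)", IPConfiguration{RequireSSL: &on}},
		{"ssl_mode = ENCRYPTED_ONLY", IPConfiguration{SSLMode: "ENCRYPTED_ONLY"}},
		{"ssl_mode = ALLOW_UNENCRYPTED_AND_ENCRYPTED", IPConfiguration{SSLMode: "ALLOW_UNENCRYPTED_AND_ENCRYPTED"}},
	}
	for _, c := range cases {
		fmt.Printf("%-45s pass=%v\n", c.label, CheckEncryptInTransit("foo", c.cfg) == "")
	}
}
```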
### Version

```bash
$ trivy --version
Version: 0.50.2
Policy Bundle:
  Digest: sha256:6d0771effa53c6cf8130861fc3ac28f5515c35a028edb4bb1e67261b9218c80e
  DownloadedAt: 2024-05-07 07:54:21.435447743 +0000 UTC
```

### Checklist

@nikpivkin nikpivkin added kind/feature Categorizes issue or PR as related to a new feature. scan/misconfiguration Issues relating to misconfiguration scanning labels May 7, 2024