From 4e679a1fe1503f1d473fa9fc02edb95dbf4a73e6 Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Mon, 20 Oct 2025 12:06:29 +0100 Subject: [PATCH 1/8] initial implementation --- .../metadata.json | 14 ++++ .../query.rego | 72 +++++++++++++++++++ .../test/negative.tf | 23 ++++++ .../test/positive.tf | 39 ++++++++++ .../test/positive_expected_result.json | 17 +++++ 5 files changed, 165 insertions(+) create mode 100644 assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/metadata.json create mode 100644 assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/query.rego create mode 100644 assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/test/negative.tf create mode 100644 assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/test/positive.tf create mode 100644 assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/test/positive_expected_result.json diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/metadata.json b/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/metadata.json new file mode 100644 index 00000000000..b898c5c3cd4 --- /dev/null +++ b/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/metadata.json 
@@ -0,0 +1,14 @@
+{
+ "id": "51a2c34d-dfd0-436f-aa34-e8f796e052fd",
+ "queryName": "Beta - SQL DB Instance With Local Data Loading Enabled",
+ "severity": "MEDIUM",
+ "category": "Insecure Configurations",
+ "descriptionText": "All 'google_sql_database_instance' resources based on 'MYSQL' should disable the 'local_infile' flag to prevent unwanted exposure",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance.html#settings-1",
+ "platform": "Terraform",
+ "descriptionID": "51a2c34d",
+ "cloudProvider": "gcp",
+ "cwe": "732",
+ "riskScore": "3.0",
+ "experimental": "true"
+}
diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/query.rego b/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/query.rego new file mode 100644
index 00000000000..b93cb00b710
--- /dev/null
+++ b/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/query.rego
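Review bot: The descriptionText ends with `to prevent unwanted exposure`, which does not tell the reader what the flag exposes, and this string is what appears in the report. A wording such as `... should set the 'local_infile' flag to 'off', since it allows the server to request files from the client host through LOAD DATA LOCAL` states the risk the query is guarding against. The later category change to 'Insecure Defaults' (patch 8) implies the flag is enabled unless set; if that is confirmed against the Cloud SQL documentation, the description could say so too.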
@@ -0,0 +1,72 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+ resource := input.document[i].resource.google_sql_database_instance[name]
+
+ contains(resource.database_version, "MYSQL")
+ results := get_results(resource, name)
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "google_sql_database_instance",
+ "resourceName": tf_lib.get_resource_name(resource, name),
+ "searchKey": results.searchKey,
+ "issueType": results.issueType,
+ "keyExpectedValue": results.keyExpectedValue,
+ "keyActualValue": results.keyActualValue,
+ "searchLine": results.searchLine
+ }
+}
+
+get_results(resource, name) = results {
+ not common_lib.valid_key(resource, "settings")
+
+ results := {
+ "searchKey": sprintf("google_sql_database_instance[%s]", [name]),
+ "issueType": "MissingAttribute",
+ "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be set 'local_infile' to 'on'", [name]),
+ "keyActualValue": sprintf("'google_sql_database_instance[%s].settings' is undefined or null", [name]),
+ "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name], [])
+
+ }
+} else = results {
+ not common_lib.valid_key(resource.settings, "database_flags")
+
+ results := {
+ "searchKey": sprintf("google_sql_database_instance[%s].settings", [name]),
+ "issueType": "MissingAttribute",
+ "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be set 'local_infile' to 'on'", [name]),
+ "keyActualValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' is undefined or null", [name]),
+ "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings"], [])
+ }
+
+} else = results {
+ not has_flag(resource.settings.database_flags)
+
+ results := {
+ "searchKey": sprintf("google_sql_database_instance[%s].settings.database_flags", [name]),
+ 
"issueType": "MissingAttribute",
+ "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be set 'local_infile' to 'on'", [name]),
+ "keyActualValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' does not set 'local_infile'", [name]),
+ "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings", "database_flags"], [])
+ }
+
+} else = results {
+ resource.settings.database_flags[x].name == "local_infile"
+ resource.settings.database_flags[x].value != "on"
+
+ results := {
+ "searchKey": sprintf("google_sql_database_instance[%s].settings.database_flags[%s]", [name, x]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be set 'local_infile' to 'on'", [name]),
+ "keyActualValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' sets 'local_infile' to '%s'", [name, resource.settings.database_flags[x].value]),
+ "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings", "database_flags", x], [])
+ }
+}
+
+has_flag(database_flags) {
+ database_flags[_].name == "local_infile"
+}
diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/test/negative.tf b/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/test/negative.tf new file mode 100644
index 00000000000..2618aaea5c4
--- /dev/null
+++ b/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/test/negative.tf
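Review bot: Neither get_results nor has_flag carries a comment, so the precedence of the four else branches (missing `settings`, missing `database_flags`, flag absent, flag present with the wrong value) has to be reverse-engineered from the chain. A header such as `# Reports the first failing level of settings.database_flags for a MYSQL instance; each else branch only runs when the earlier checks pass` on get_results and `# True when some entry of database_flags is named local_infile` on has_flag would make that contract explicit. The `contains(resource.database_version, "MYSQL")` guard in CxPolicy also deserves a one-line comment noting that the flag is MySQL-specific and that the match is case-sensitive, since that is what makes the POSTGRES negative case pass. The expected/actual messages here are reworded in the following patches, so the comments should track the final wording.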
@@ -0,0 +1,23 @@
+resource "google_sql_database_instance" "negative_1" {
+ name = "main-instance"
+ database_version = "POSTGRES_15" # Is not a MYSQL instance
+ region = "us-central1"
+
+ settings {
+ tier = "db-f1-micro"
+ }
+}
+
+resource "google_sql_database_instance" "negative_2" {
+ name = "mysql-instance-with-flag"
+ database_version = "MYSQL_8_0"
+ region = "us-central1"
+
+ settings {
+ tier = "db-f1-micro"
+
+ database_flags = [
+ { name = "local_infile", value = "off" }, # Has flag set to "off"
+ ]
+ }
+}
diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/test/positive.tf b/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/test/positive.tf new file mode 100644
index 00000000000..7fe79886d9b
--- /dev/null
+++ b/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/test/positive.tf
@@ -0,0 +1,39 @@
+resource "google_sql_database_instance" "positive_1" {
+ name = "mysql-instance-without-flag"
+ database_version = "MYSQL_8_0"
+ region = "us-central1"
+
+ # Missing 'settings' field
+}
+
+resource "google_sql_database_instance" "positive_2" {
+ name = "mysql-instance-without-flag"
+ database_version = "MYSQL_8_0"
+ region = "us-central1"
+
+ settings {} # Missing 'database_flags' field
+}
+
+resource "google_sql_database_instance" "positive_3" {
+ name = "mysql-instance-without-flag"
+ database_version = "MYSQL_8_0"
+ region = "us-central1"
+
+ settings {
+ database_flags = [
+ # Missing 'local_infile' flag
+ ]
+ }
+}
+
+resource "google_sql_database_instance" "positive_4" {
+ name = "mysql-instance-with-flag"
+ database_version = "MYSQL_8_0"
+ region = "us-central1"
+
+ settings {
+ database_flags = [
+ { name = "skip_show_database", value = "off" } # Flag is not set to "off"
+ ]
+ }
+}
diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/test/positive_expected_result.json new file mode 100644
index 00000000000..96cda78074a
--- /dev/null
+++ b/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/test/positive_expected_result.json
@@ -0,0 +1,17 @@
+[
+ {
+ "queryName": "Beta - SQL DB Instance With Local Data Loading Enabled",
+ "severity": "MEDIUM",
+ "line": 1
+ },
+ {
+ "queryName": "Beta - SQL DB Instance With Local Data Loading Enabled",
+ "severity": "MEDIUM",
+ "line": 14
+ },
+ {
+ "queryName": "Beta - SQL DB Instance With Local Data Loading Enabled",
+ "severity": "MEDIUM",
+ "line": 23
+ }
+]
From b325ea3c4354a48bd3f6a4b384b2826d67b86fe5 Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Mon, 20 Oct 2025 12:12:24 +0100 Subject: [PATCH 2/8] fixes
--- .../query.rego | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/query.rego b/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/query.rego
index b93cb00b710..e6ad197303b 100644
--- a/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/query.rego
+++ b/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/query.rego
@@ -27,7 +27,7 @@ get_results(resource, name) = results { results := { "searchKey": sprintf("google_sql_database_instance[%s]", [name]), "issueType": "MissingAttribute", - "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be set 'local_infile' to 'on'", [name]), + "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be set 'local_infile' to 'off'", [name]), "keyActualValue": sprintf("'google_sql_database_instance[%s].settings' is undefined or null", [name]), "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name], []) @@ -38,7 +38,7 @@ get_results(resource, name) = results { results := { "searchKey": sprintf("google_sql_database_instance[%s].settings", [name]), "issueType": "MissingAttribute", - "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be set 'local_infile' to 'on'", [name]), + "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be set 'local_infile' to 'off'", [name]), "keyActualValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' is undefined or null", [name]), "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings"], []) } 
@@ -49,19 +49,19 @@ get_results(resource, name) = results { results := { "searchKey": sprintf("google_sql_database_instance[%s].settings.database_flags", [name]), "issueType": "MissingAttribute", - "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be set 'local_infile' to 'on'", [name]), + "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be set 'local_infile' to 'off'", [name]), "keyActualValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' does not set 'local_infile'", [name]), "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings", "database_flags"], []) } } else = results { resource.settings.database_flags[x].name == "local_infile" - resource.settings.database_flags[x].value != "on" + resource.settings.database_flags[x].value != "off" results := { "searchKey": sprintf("google_sql_database_instance[%s].settings.database_flags[%s]", [name, x]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be set 'local_infile' to 'on'", [name]), + "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be set 'local_infile' to 'off'", [name]), "keyActualValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' sets 'local_infile' to '%s'", [name, resource.settings.database_flags[x].value]), "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings", "database_flags", x], []) } From 63e50f4fb5a1f271faabf606cbe9fdbe2feabd46 Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Mon, 20 Oct 2025 12:14:38 +0100 Subject: [PATCH 3/8] improvements --- .../query.rego | 8 ++++---- .../test/positive_expected_result.json | 5 +++++ 2 files changed, 9 insertions(+), 4 deletions(-) 
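Review bot: `resource.settings.database_flags[x].value != "off"` is a case-sensitive string comparison, so a flag written as `"OFF"` or `"Off"` would be reported as IncorrectValue even though it disables local loading. If the provider accepts those spellings (not verified here), normalizing with `lower(resource.settings.database_flags[x].value) != "off"` avoids the false positive, and a negative test with an upper-case value would pin that behaviour; the same comparison is introduced for the single-block form in patch 5 and would need the same treatment. get_results continues outside this hunk.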
diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/query.rego b/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/query.rego index e6ad197303b..d2d3e4b398b 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/query.rego +++ b/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/query.rego @@ -27,7 +27,7 @@ get_results(resource, name) = results { results := { "searchKey": sprintf("google_sql_database_instance[%s]", [name]), "issueType": "MissingAttribute", - "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be set 'local_infile' to 'off'", [name]), + "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be defined and set 'local_infile' to 'off'", [name]), "keyActualValue": sprintf("'google_sql_database_instance[%s].settings' is undefined or null", [name]), "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name], []) @@ -38,7 +38,7 @@ get_results(resource, name) = results { results := { "searchKey": sprintf("google_sql_database_instance[%s].settings", [name]), "issueType": "MissingAttribute", - "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be set 'local_infile' to 'off'", [name]), + "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be defined and set 'local_infile' to 'off'", [name]), "keyActualValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' is undefined or null", [name]), "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings"], []) } 
@@ -49,7 +49,7 @@ get_results(resource, name) = results { results := { "searchKey": sprintf("google_sql_database_instance[%s].settings.database_flags", [name]), "issueType": "MissingAttribute", - "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be set 'local_infile' to 'off'", [name]), + "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be defined and set 'local_infile' to 'off'", [name]), "keyActualValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' does not set 'local_infile'", [name]), "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings", "database_flags"], []) } @@ -61,7 +61,7 @@ get_results(resource, name) = results { results := { "searchKey": sprintf("google_sql_database_instance[%s].settings.database_flags[%s]", [name, x]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be set 'local_infile' to 'off'", [name]), + "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be defined and set 'local_infile' to 'off'", [name]), "keyActualValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' sets 'local_infile' to '%s'", [name, resource.settings.database_flags[x].value]), "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings", "database_flags", x], []) } diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/test/positive_expected_result.json index 96cda78074a..0816419bded 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/test/positive_expected_result.json 
+++ b/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/test/positive_expected_result.json @@ -13,5 +13,10 @@ "queryName": "Beta - SQL DB Instance With Local Data Loading Enabled", "severity": "MEDIUM", "line": 23 + }, + { + "queryName": "Beta - SQL DB Instance With Local Data Loading Enabled", + "severity": "MEDIUM", + "line": 35 } ] From 4b5cbcb7dc9c689748f83a4f9fb35d8597129e20 Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Mon, 20 Oct 2025 17:40:06 +0100 Subject: [PATCH 4/8] fixes --- .../query.rego | 4 ++-- .../test/positive.tf | 4 +++- .../test/positive_expected_result.json | 2 +- 3 files changed, 6 insertions(+), 4 deletions(-) diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/query.rego b/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/query.rego index d2d3e4b398b..9ce11a86844 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/query.rego +++ b/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/query.rego 
@@ -59,11 +59,11 @@ get_results(resource, name) = results { resource.settings.database_flags[x].value != "off" results := { - "searchKey": sprintf("google_sql_database_instance[%s].settings.database_flags[%s]", [name, x]), + "searchKey": sprintf("google_sql_database_instance[%s].settings.database_flags[%d].name", [name, x]), "issueType": "IncorrectValue", "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be defined and set 'local_infile' to 'off'", [name]), "keyActualValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' sets 'local_infile' to '%s'", [name, resource.settings.database_flags[x].value]), - "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings", "database_flags", x], []) + "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings", "database_flags", x, "name"], []) } } diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/test/positive.tf b/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/test/positive.tf index 7fe79886d9b..d8863c73096 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/test/positive.tf +++ b/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/test/positive.tf @@ -33,7 +33,9 @@ resource "google_sql_database_instance" "positive_4" { settings { database_flags = [ - { name = "skip_show_database", value = "off" } # Flag is not set to "off" + { name = "sample_flag1", value = "on" }, + { name = "local_infile", value = "on" }, # Flag is not set to "off" + { name = "sample_flag2", value = "on" } ] } } 
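Review bot: searchKey and searchLine now resolve to `database_flags[%d].name`, but the finding is that `value` is wrong, so the report highlights the attribute that is already correct; anchoring on `database_flags[x].value` (and `"value"` in build_search_line) would point the user at the line they have to change. If sibling queries in this repository deliberately anchor on `.name`, keeping that consistency is reasonable, but a short comment stating the choice would stop the next reader from "fixing" it. The single-block branch added in patch 5 makes the same `.name` choice.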
diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/test/positive_expected_result.json index 0816419bded..4789af6ec9d 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/test/positive_expected_result.json @@ -17,6 +17,6 @@ { "queryName": "Beta - SQL DB Instance With Local Data Loading Enabled", "severity": "MEDIUM", - "line": 35 + "line": 37 } ] From 154758c9a31f0f517ba46d88eae76c23221f9eb7 Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Tue, 21 Oct 2025 17:38:12 +0100 Subject: [PATCH 5/8] support for single object --- .../query.rego | 15 ++++++++++++++- .../test/negative.tf | 15 +++++++++++++++ .../test/positive.tf | 13 +++++++++++++ .../test/positive_expected_result.json | 5 +++++ 4 files changed, 47 insertions(+), 1 deletion(-) diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/query.rego b/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/query.rego index 9ce11a86844..91949f66079 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/query.rego +++ b/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/query.rego @@ -54,7 +54,7 @@ get_results(resource, name) = results { "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings", "database_flags"], []) } -} else = results { +} else = results { # array resource.settings.database_flags[x].name == "local_infile" resource.settings.database_flags[x].value != "off" 
@@ -65,8 +65,21 @@ get_results(resource, name) = results { "keyActualValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' sets 'local_infile' to '%s'", [name, resource.settings.database_flags[x].value]), "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings", "database_flags", x, "name"], []) } +} else = results { + resource.settings.database_flags.name == "local_infile" + resource.settings.database_flags.value != "off" + + results := { + "searchKey": sprintf("google_sql_database_instance[%s].settings.database_flags.name", [name]), + "issueType": "IncorrectValue", + "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be defined and set 'local_infile' to 'off'", [name]), + "keyActualValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' sets 'local_infile' to '%s'", [name, resource.settings.database_flags.value]), + "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings", "database_flags", "name"], []) + } } has_flag(database_flags) { database_flags[_].name == "local_infile" +} else { + database_flags.name == "local_infile" } diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/test/negative.tf b/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/test/negative.tf index 2618aaea5c4..57cdb6e879f 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/test/negative.tf +++ b/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/test/negative.tf 
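Review bot: The array branch received a `# array` marker in the previous hunk, but the new single-object branch and the new `else` in has_flag carry no counterpart, so the reason for the near-duplicate branch is only recoverable from the test labelled "Single object support test"; adding `} else = results { # single block` and `} else { # single block` labels the two shapes symmetrically. A one-line comment explaining that a lone `database_flags` block is parsed as an object while repeated blocks form an array, if that is indeed why both shapes are needed, would make the duplication self-explanatory. get_results starts outside this hunk.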
@@ -21,3 +21,18 @@ resource "google_sql_database_instance" "negative_2" { ] } } + +resource "google_sql_database_instance" "negative_3" { # Single object support test + name = "mysql-instance-with-flag" + database_version = "MYSQL_8_0" + region = "us-central1" + + settings { + tier = "db-f1-micro" + + database_flags { + name = "local_infile" + value = "off" + } # Has flag set to "off" + } +} diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/test/positive.tf b/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/test/positive.tf index d8863c73096..6f48c83130d 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/test/positive.tf +++ b/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/test/positive.tf @@ -39,3 +39,16 @@ resource "google_sql_database_instance" "positive_4" { ] } } + +resource "google_sql_database_instance" "positive_5" { # Single object support test + name = "mysql-instance-with-flag" + database_version = "MYSQL_8_0" + region = "us-central1" + + settings { + database_flags { + name = "local_infile" + value = "on" + } # Flag is not set to "off" + } +} diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/test/positive_expected_result.json index 4789af6ec9d..74924999200 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/test/positive_expected_result.json @@ -18,5 +18,10 @@ "queryName": "Beta - SQL DB Instance With Local Data Loading Enabled", "severity": "MEDIUM", "line": 37 + }, + { + "queryName": "Beta - SQL DB Instance With Local Data Loading Enabled", + "severity": "MEDIUM", + "line": 50 } ] 
From a5779d776f58fba038997aefc3bb46a0d9a5e935 Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Mon, 27 Oct 2025 16:31:15 +0000 Subject: [PATCH 6/8] fixed tests --- .../test/negative.tf | 17 +++++++++--- .../test/positive.tf | 26 +++++++++++++------ .../test/positive_expected_result.json | 4 +-- 3 files changed, 34 insertions(+), 13 deletions(-) diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/test/negative.tf b/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/test/negative.tf index 57cdb6e879f..7b61d61a0c8 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/test/negative.tf +++ b/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/test/negative.tf @@ -16,9 +16,20 @@ resource "google_sql_database_instance" "negative_2" { settings { tier = "db-f1-micro" - database_flags = [ - { name = "local_infile", value = "off" }, # Has flag set to "off" - ] + database_flags { + name = "sample_flag1" + value = "off" + } + + database_flags { # Has flag set to "off" + name = "local_infile" + value = "off" + } + + database_flags { + name = "sample_flag2" + value = "off" + } } } diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/test/positive.tf b/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/test/positive.tf index 6f48c83130d..cca046cd67f 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/test/positive.tf +++ b/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/test/positive.tf @@ -20,9 +20,10 @@ resource "google_sql_database_instance" "positive_3" { region = "us-central1" settings { - database_flags = [ - # Missing 'local_infile' flag - ] + database_flags { + name = "sample_flag1" + value = "off" + } # Missing 'local_infile' flag } } 
@@ -32,11 +33,20 @@ resource "google_sql_database_instance" "positive_4" { region = "us-central1" settings { - database_flags = [ - { name = "sample_flag1", value = "on" }, - { name = "local_infile", value = "on" }, # Flag is not set to "off" - { name = "sample_flag2", value = "on" } - ] + database_flags { + name = "sample_flag1" + value = "off" + } + + database_flags { # Flag is not set to "off" + name = "local_infile" + value = "on" + } + + database_flags { + name = "sample_flag2" + value = "off" + } } } diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/test/positive_expected_result.json index 74924999200..162410cf2b9 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/test/positive_expected_result.json @@ -17,11 +17,11 @@ { "queryName": "Beta - SQL DB Instance With Local Data Loading Enabled", "severity": "MEDIUM", - "line": 37 + "line": 42 }, { "queryName": "Beta - SQL DB Instance With Local Data Loading Enabled", "severity": "MEDIUM", - "line": 50 + "line": 60 } ] From efd696a0211c8af8d22b12c021cea5dff471f548 Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Tue, 28 Oct 2025 13:51:04 +0000 Subject: [PATCH 7/8] simId transition update --- assets/similarityID_transition/terraform_gcp.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/assets/similarityID_transition/terraform_gcp.yaml b/assets/similarityID_transition/terraform_gcp.yaml index c3eeee7d298..1f525dbc98f 100644 --- a/assets/similarityID_transition/terraform_gcp.yaml +++ b/assets/similarityID_transition/terraform_gcp.yaml 
@@ -3,3 +3,7 @@ similarityIDChangeList: queryName: Beta - Google DNS Policy Logging Disabled observations: "" change: 2 + - queryId: 51a2c34d-dfd0-436f-aa34-e8f796e052fd + queryName: Beta - SQL DB Instance With Local Data Loading Enabled + observations: "" + change: 2 From 10b79912a3c9ebc7e052f85287525e3358b98fbf Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Tue, 28 Oct 2025 14:20:19 +0000 Subject: [PATCH 8/8] metadata update --- .../metadata.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/metadata.json b/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/metadata.json index b898c5c3cd4..db95a6d6179 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/metadata.json +++ b/assets/queries/terraform/gcp/sql_db_instance_with_local_data_loading_enabled/metadata.json @@ -2,7 +2,7 @@ "id": "51a2c34d-dfd0-436f-aa34-e8f796e052fd", "queryName": "Beta - SQL DB Instance With Local Data Loading Enabled", "severity": "MEDIUM", - "category": "Insecure Configurations", + "category": "Insecure Defaults", "descriptionText": "All 'google_sql_database_instance' resources based on 'MYSQL' should disable the 'local_infile' flag to prevent unwanted exposure", "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance.html#settings-1", "platform": "Terraform",