From 083637b13a13a85b7e4be65b7fc7cb363e9f4959 Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Wed, 22 Oct 2025 15:18:47 +0100
Subject: [PATCH 1/6] initial implementation
---
 .../sql_db_instance_template/metadata.json | 14 ++++
 .../gcp/sql_db_instance_template/query.rego | 50 +++++++++++++
 .../sql_db_instance_template/test/negative.tf | 70 +++++++++++++++++++
 .../sql_db_instance_template/test/positive.tf | 26 +++++++
 .../test/positive_expected_result.json | 12 ++++
 5 files changed, 172 insertions(+)
 create mode 100644 assets/queries/terraform/gcp/sql_db_instance_template/metadata.json
 create mode 100644 assets/queries/terraform/gcp/sql_db_instance_template/query.rego
 create mode 100644 assets/queries/terraform/gcp/sql_db_instance_template/test/negative.tf
 create mode 100644 assets/queries/terraform/gcp/sql_db_instance_template/test/positive.tf
 create mode 100644 assets/queries/terraform/gcp/sql_db_instance_template/test/positive_expected_result.json
diff --git a/assets/queries/terraform/gcp/sql_db_instance_template/metadata.json b/assets/queries/terraform/gcp/sql_db_instance_template/metadata.json
new file mode 100644
index 00000000000..e41fe4ff687
--- /dev/null
+++ b/assets/queries/terraform/gcp/sql_db_instance_template/metadata.json
@@ -0,0 +1,14 @@
+{
+ "id": "5a8c5d26-c592-4c98-afac-9762c54cc868",
+ "queryName": "Beta - SQL DB Instance With Ownership Chaining Enabled",
+ "severity": "MEDIUM",
+ "category": "Insecure Configurations",
+ "descriptionText": "No 'google_sql_database_instance' resource based on SQLSERVER should enable the deprecated 'cross db ownership chaining'",
+ "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance.html#settings-1",
+ "platform": "Terraform",
+ "descriptionID": "5a8c5d26",
+ "cloudProvider": "gcp",
+ "cwe": "732",
+ "riskScore": "3.0",
+ "experimental": "true"
+}
diff --git a/assets/queries/terraform/gcp/sql_db_instance_template/query.rego b/assets/queries/terraform/gcp/sql_db_instance_template/query.rego
new file mode 100644
index 00000000000..ae3f0a31c0b
--- /dev/null
+++ b/assets/queries/terraform/gcp/sql_db_instance_template/query.rego
@@ -0,0 +1,50 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+ resource := input.document[i].resource.google_sql_database_instance[name]
+
+ contains(resource.database_version, "SQLSERVER")
+ results := get_results(resource, name)
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": "google_sql_database_instance",
+ "resourceName": tf_lib.get_resource_name(resource, name),
+ "searchKey": results.searchKey,
+ "issueType": results.issueType,
+ "keyExpectedValue": results.keyExpectedValue,
+ "keyActualValue": results.keyActualValue,
+ "searchLine": results.searchLine
+ }
+}
+
+get_results(resource, name) = results { # array
+ resource.settings.database_flags[x].name == "cross db ownership chaining"
+ resource.settings.database_flags[x].value != "off"
+
+ results := {
+ "searchKey": sprintf("google_sql_database_instance[%s].settings.database_flags[%d].name", [name, x]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be defined and set 'cross db ownership chaining' to 'off'", [name]),
+ "keyActualValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' sets 'cross db ownership chaining' to '%s'", [name, resource.settings.database_flags[x].value]),
+ "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings", "database_flags", x, "name"], [])
+ }
+} else = results { # single object
+ resource.settings.database_flags.name == "cross db ownership chaining"
+ resource.settings.database_flags.value != "off"
+
+ results := {
+ "searchKey": sprintf("google_sql_database_instance[%s].settings.database_flags.name", [name]),
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be defined and set 'cross db ownership chaining' to 'off'", [name]),
+ "keyActualValue": 
sprintf("'google_sql_database_instance[%s].settings.database_flags' sets 'cross db ownership chaining' to '%s'", [name, resource.settings.database_flags.value]),
+ "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings", "database_flags", "name"], [])
+ }
+}
+
+has_flag(database_flags) {
+ database_flags[_].name == "cross db ownership chaining"
+}
diff --git a/assets/queries/terraform/gcp/sql_db_instance_template/test/negative.tf b/assets/queries/terraform/gcp/sql_db_instance_template/test/negative.tf
new file mode 100644
index 00000000000..88635ce3c7f
--- /dev/null
+++ b/assets/queries/terraform/gcp/sql_db_instance_template/test/negative.tf
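Review bot: `get_results` is a complete (single-valued) function whose array branch leaves `x` unbound, so as I read it a `database_flags` list that carries `cross db ownership chaining` twice with a non-`off` value (a later block overriding an earlier one is a realistic shape in scanned IaC) makes the function yield two different results for one input, and OPA then raises an eval conflict error for the whole document instead of reporting a finding. The iteration belongs in `CxPolicy`: bind the index there (`flag := resource.settings.database_flags[x]`, `flag.name == "cross db ownership chaining"`, `flag.value != "off"`) and let a small helper build only `searchKey`/`searchLine` for the array and object shapes, or make `get_results` a partial set rule instead of a function. The same shape is kept by the later hunks on this file in patches 2 and 6, so the point applies there as well. Both branches also repeat the flag name literal and the `!= "off"` test; a package-level `flag_name := "cross db ownership chaining"` reused by the rule bodies and the messages would keep them from drifting apart.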
@@ -0,0 +1,70 @@
+resource "google_sql_database_instance" "negative_1" {
+ name = "main-instance"
+ database_version = "MYSQL_8_0" # Is not a SQLSERVER instance
+ region = "us-central1"
+
+ settings {
+ tier = "db-f1-micro"
+
+ database_flags = [
+ { name = "cross db ownership chaining", value = "on" },
+ ]
+ }
+}
+
+resource "google_sql_database_instance" "negative_2" {
+ name = "mysql-instance-without-flag"
+ database_version = "SQLSERVER_2017_STANDARD"
+ region = "us-central1"
+
+ # Defaults to "off"
+}
+
+resource "google_sql_database_instance" "negative_3" {
+ name = "sqlserver-instance-without-flag"
+ database_version = "SQLSERVER_2017_STANDARD"
+ region = "us-central1"
+
+ settings {} # Defaults to "off"
+}
+
+resource "google_sql_database_instance" "negative_4" {
+ name = "sqlserver-instance-without-flag"
+ database_version = "SQLSERVER_2017_STANDARD"
+ region = "us-central1"
+
+ settings {
+ database_flags = [
+ # Defaults to "off"
+ ]
+ }
+}
+
+resource "google_sql_database_instance" "negative_5" {
+ name = "mysql-instance-with-flag"
+ database_version = "SQLSERVER_2019_STANDARD"
+ region = "us-central1"
+
+ settings {
+ tier = "db-f1-micro"
+
+ database_flags = [
+ { name = "cross db ownership chaining", value = "off" }, # Has flag set to "off"
+ ]
+ }
+}
+
+resource "google_sql_database_instance" "negative_6" { # Single object support test
+ name = "mysql-instance-with-flag"
+ database_version = "SQLSERVER_2019_STANDARD"
+ region = "us-central1"
+
+ settings {
+ tier = "db-f1-micro"
+
+ database_flags {
+ name = "cross db ownership chaining"
+ value = "off"
+ } # Has flag set to "off"
+ }
+}
diff --git a/assets/queries/terraform/gcp/sql_db_instance_template/test/positive.tf b/assets/queries/terraform/gcp/sql_db_instance_template/test/positive.tf
new file mode 100644
index 00000000000..58f80181f74
--- /dev/null
+++ b/assets/queries/terraform/gcp/sql_db_instance_template/test/positive.tf
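Review bot: The fixture names contradict the cases they stand for: `negative_2`, `negative_5` and `negative_6` all set `database_version` to a `SQLSERVER_*` engine yet are named `mysql-instance-without-flag` / `mysql-instance-with-flag`, and `negative_4` reuses `negative_3`'s `sqlserver-instance-without-flag`. The query keys on `database_version`, and a reader uses `name` to tell the MySQL control (`negative_1`) apart from the SQL Server cases, so the label should say what each case is, e.g. `name = "sqlserver-instance-without-flag"` for `negative_2` and `name = "sqlserver-instance-flag-off"` for `negative_5` and `negative_6`. The same names survive the later negative.tf hunks in patch 4.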
@@ -0,0 +1,26 @@
+resource "google_sql_database_instance" "positive_4" {
+ name = "sqlserver-instance-with-flag"
+ database_version = "SQLSERVER_2017_EXPRESS"
+ region = "us-central1"
+
+ settings {
+ database_flags = [
+ { name = "sample_flag1", value = "off" },
+ { name = "cross db ownership chaining", value = "on" }, # Flag is not set to "off"
+ { name = "sample_flag2", value = "off" }
+ ]
+ }
+}
+
+resource "google_sql_database_instance" "positive_5" { # Single object support test
+ name = "sqlserver-instance-with-flag"
+ database_version = "SQLSERVER_2017_EXPRESS"
+ region = "us-central1"
+
+ settings {
+ database_flags {
+ name = "cross db ownership chaining"
+ value = "on"
+ } # Flag is not set to "off"
+ }
+}
diff --git a/assets/queries/terraform/gcp/sql_db_instance_template/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_template/test/positive_expected_result.json
new file mode 100644
index 00000000000..88f430452f9
--- /dev/null
+++ b/assets/queries/terraform/gcp/sql_db_instance_template/test/positive_expected_result.json
@@ -0,0 +1,12 @@
+[
+ {
+ "queryName": "Beta - SQL DB Instance With Ownership Chaining Enabled",
+ "severity": "MEDIUM",
+ "line": 9
+ },
+ {
+ "queryName": "Beta - SQL DB Instance With Ownership Chaining Enabled",
+ "severity": "MEDIUM",
+ "line": 22
+ }
+]
From 2b2c361370b1db840536aa6c71d5e566732e0ac0 Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Wed, 22 Oct 2025 15:23:08 +0100
Subject: [PATCH 2/6] implementation
---
 .../gcp/sql_db_instance_template/query.rego | 22 ++++++------------
 .../sql_db_instance_template/test/positive.tf | 4 ++--
 2 files changed, 9 insertions(+), 17 deletions(-)
diff --git a/assets/queries/terraform/gcp/sql_db_instance_template/query.rego b/assets/queries/terraform/gcp/sql_db_instance_template/query.rego
index ae3f0a31c0b..b3a95e446c3 100644
--- a/assets/queries/terraform/gcp/sql_db_instance_template/query.rego
+++ b/assets/queries/terraform/gcp/sql_db_instance_template/query.rego
@@ -14,9 +14,9 @@ CxPolicy[result] {
 "resourceType": "google_sql_database_instance",
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": results.searchKey,
- "issueType": results.issueType,
- "keyExpectedValue": results.keyExpectedValue,
- "keyActualValue": results.keyActualValue,
+ "issueType": "IncorrectValue",
+ "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be defined and set 'cross db ownership chaining' to 'off'", [name]),
+ "keyActualValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' sets 'cross db ownership chaining' to '%s'", [name, results.value]),
 "searchLine": results.searchLine
 }
 }
@@ -27,10 +27,8 @@ get_results(resource, name) = results { # array
 
 results := {
 "searchKey": sprintf("google_sql_database_instance[%s].settings.database_flags[%d].name", [name, x]),
- "issueType": "IncorrectValue",
- "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be defined and set 'cross db ownership chaining' to 'off'", [name]),
- "keyActualValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' sets 'cross db ownership chaining' to '%s'", [name, resource.settings.database_flags[x].value]),
- "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings", "database_flags", x, "name"], [])
+ "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings", "database_flags", x, "name"], []),
+ "value": resource.settings.database_flags[x].value
 }
 } else = results { # single object
 resource.settings.database_flags.name == "cross db ownership chaining"
@@ -38,13 +36,7 @@ get_results(resource, name) = results { # array
 
 results := {
 "searchKey": sprintf("google_sql_database_instance[%s].settings.database_flags.name", [name]),
- "issueType": "IncorrectValue",
- "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be defined and set 'cross db ownership chaining' to 'off'", [name]),
- "keyActualValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' sets 'cross db ownership chaining' to '%s'", [name, resource.settings.database_flags.value]),
- "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings", "database_flags", "name"], [])
+ "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings", "database_flags", "name"], []),
+ "value": resource.settings.database_flags.value
 }
 }
-
-has_flag(database_flags) {
- database_flags[_].name == "cross db ownership chaining"
-}
diff --git a/assets/queries/terraform/gcp/sql_db_instance_template/test/positive.tf b/assets/queries/terraform/gcp/sql_db_instance_template/test/positive.tf
index 58f80181f74..3af136c8311 100644
--- a/assets/queries/terraform/gcp/sql_db_instance_template/test/positive.tf
+++ b/assets/queries/terraform/gcp/sql_db_instance_template/test/positive.tf
@@ -1,4 +1,4 @@
-resource "google_sql_database_instance" "positive_4" {
+resource "google_sql_database_instance" "positive_1" {
 name = "sqlserver-instance-with-flag"
 database_version = "SQLSERVER_2017_EXPRESS"
 region = "us-central1"
@@ -12,7 +12,7 @@ resource "google_sql_database_instance" "positive_4" {
 }
 }
 
-resource "google_sql_database_instance" "positive_5" { # Single object support test
+resource "google_sql_database_instance" "positive_2" { # Single object support test
 name = "sqlserver-instance-with-flag"
 database_version = "SQLSERVER_2017_EXPRESS"
 region = "us-central1"
From 55e790f231971155979a916029e4f32e3c969696 Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Wed, 22 Oct 2025 15:34:12 +0100
Subject: [PATCH 3/6] renamed query folder
---
 .../metadata.json | 0
 .../query.rego | 0
 .../test/negative.tf | 0
 .../test/positive.tf | 0
 .../test/positive_expected_result.json | 0
 5 files changed, 0 insertions(+), 0 deletions(-)
 rename assets/queries/terraform/gcp/{sql_db_instance_template => sql_db_instance_with_ownership_chaining_enabled}/metadata.json (100%)
 rename assets/queries/terraform/gcp/{sql_db_instance_template => sql_db_instance_with_ownership_chaining_enabled}/query.rego (100%)
 rename assets/queries/terraform/gcp/{sql_db_instance_template => sql_db_instance_with_ownership_chaining_enabled}/test/negative.tf (100%)
 rename assets/queries/terraform/gcp/{sql_db_instance_template => sql_db_instance_with_ownership_chaining_enabled}/test/positive.tf (100%)
 rename assets/queries/terraform/gcp/{sql_db_instance_template => sql_db_instance_with_ownership_chaining_enabled}/test/positive_expected_result.json (100%)
diff --git a/assets/queries/terraform/gcp/sql_db_instance_template/metadata.json b/assets/queries/terraform/gcp/sql_db_instance_with_ownership_chaining_enabled/metadata.json
similarity index 100%
rename from assets/queries/terraform/gcp/sql_db_instance_template/metadata.json
rename to assets/queries/terraform/gcp/sql_db_instance_with_ownership_chaining_enabled/metadata.json
diff --git a/assets/queries/terraform/gcp/sql_db_instance_template/query.rego b/assets/queries/terraform/gcp/sql_db_instance_with_ownership_chaining_enabled/query.rego
similarity index 100%
rename from assets/queries/terraform/gcp/sql_db_instance_template/query.rego
rename to assets/queries/terraform/gcp/sql_db_instance_with_ownership_chaining_enabled/query.rego
diff --git a/assets/queries/terraform/gcp/sql_db_instance_template/test/negative.tf b/assets/queries/terraform/gcp/sql_db_instance_with_ownership_chaining_enabled/test/negative.tf
similarity index 100%
rename from assets/queries/terraform/gcp/sql_db_instance_template/test/negative.tf
rename to assets/queries/terraform/gcp/sql_db_instance_with_ownership_chaining_enabled/test/negative.tf
diff --git a/assets/queries/terraform/gcp/sql_db_instance_template/test/positive.tf b/assets/queries/terraform/gcp/sql_db_instance_with_ownership_chaining_enabled/test/positive.tf
similarity index 100%
rename from assets/queries/terraform/gcp/sql_db_instance_template/test/positive.tf
rename to assets/queries/terraform/gcp/sql_db_instance_with_ownership_chaining_enabled/test/positive.tf
diff --git a/assets/queries/terraform/gcp/sql_db_instance_template/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_ownership_chaining_enabled/test/positive_expected_result.json
similarity index 100%
rename from assets/queries/terraform/gcp/sql_db_instance_template/test/positive_expected_result.json
rename to assets/queries/terraform/gcp/sql_db_instance_with_ownership_chaining_enabled/test/positive_expected_result.json
From 2f61a2e0b2b00a2440ead0d36495178868a91075 Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Mon, 27 Oct 2025 15:56:39 +0000
Subject: [PATCH 4/6] fixed tests
---
 .../test/negative.tf | 30 ++++++++++++++-----
 .../test/positive.tf | 19 ++++++++----
 .../test/positive_expected_result.json | 4 +--
 3 files changed, 38 insertions(+), 15 deletions(-)
diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_ownership_chaining_enabled/test/negative.tf b/assets/queries/terraform/gcp/sql_db_instance_with_ownership_chaining_enabled/test/negative.tf
index 88635ce3c7f..d44935c001a 100644
--- a/assets/queries/terraform/gcp/sql_db_instance_with_ownership_chaining_enabled/test/negative.tf
+++ b/assets/queries/terraform/gcp/sql_db_instance_with_ownership_chaining_enabled/test/negative.tf
@@ -6,9 +6,10 @@ resource "google_sql_database_instance" "negative_1" {
 settings {
 tier = "db-f1-micro"
 
- database_flags = [
- { name = "cross db ownership chaining", value = "on" },
- ]
+ database_flags {
+ name = "cross db ownership chaining"
+ value = "on"
+ }
 }
 }
 
@@ -34,9 +35,11 @@ resource "google_sql_database_instance" "negative_4" {
 region = "us-central1"
 
 settings {
- database_flags = [
+ database_flags {
+ name = "sample_flag1"
+ value = "off"
+ }
 # Defaults to "off"
- ]
 }
 }
 
@@ -48,9 +51,20 @@ resource "google_sql_database_instance" "negative_5" {
 settings {
 tier = "db-f1-micro"
 
- database_flags = [
- { name = "cross db ownership chaining", value = "off" }, # Has flag set to "off"
- ]
+ database_flags {
+ name = "sample_flag1"
+ value = "off"
+ }
+
+ database_flags { # Has flag set to "off"
+ name = "cross db ownership chaining"
+ value = "off"
+ }
+
+ database_flags {
+ name = "sample_flag2"
+ value = "off"
+ }
 }
 }
 
diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_ownership_chaining_enabled/test/positive.tf b/assets/queries/terraform/gcp/sql_db_instance_with_ownership_chaining_enabled/test/positive.tf
index 3af136c8311..7852fe66263 100644
--- a/assets/queries/terraform/gcp/sql_db_instance_with_ownership_chaining_enabled/test/positive.tf
+++ b/assets/queries/terraform/gcp/sql_db_instance_with_ownership_chaining_enabled/test/positive.tf
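Review bot: In the `negative_4` hunk the context line `# Defaults to "off"` is left standing on its own between the closing brace of the new `sample_flag1` block and the closing brace of `settings`, so it no longer annotates anything; before this change it explained the empty list it sat inside. Attach it to the block it is meant to describe, in the style the `negative_5` hunk below already uses: `database_flags { # Not the ownership-chaining flag; that one defaults to "off"`. The converted fixture also no longer contains an empty `database_flags` case; if the parser can still yield one from other input, `negative_3`'s `settings {}` does not cover it and a separate negative case would.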
@@ -4,11 +4,20 @@ resource "google_sql_database_instance" "positive_1" {
 region = "us-central1"
 
 settings {
- database_flags = [
- { name = "sample_flag1", value = "off" },
- { name = "cross db ownership chaining", value = "on" }, # Flag is not set to "off"
- { name = "sample_flag2", value = "off" }
- ]
+ database_flags {
+ name = "sample_flag1"
+ value = "off"
+ }
+
+ database_flags { # Flag is not set to "off"
+ name = "cross db ownership chaining"
+ value = "on"
+ }
+
+ database_flags {
+ name = "sample_flag2"
+ value = "off"
+ }
 }
 }
 
diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_ownership_chaining_enabled/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_ownership_chaining_enabled/test/positive_expected_result.json
index 88f430452f9..794a4aa3bf3 100644
--- a/assets/queries/terraform/gcp/sql_db_instance_with_ownership_chaining_enabled/test/positive_expected_result.json
+++ b/assets/queries/terraform/gcp/sql_db_instance_with_ownership_chaining_enabled/test/positive_expected_result.json
@@ -2,11 +2,11 @@
 {
 "queryName": "Beta - SQL DB Instance With Ownership Chaining Enabled",
 "severity": "MEDIUM",
- "line": 9
+ "line": 13
 },
 {
 "queryName": "Beta - SQL DB Instance With Ownership Chaining Enabled",
 "severity": "MEDIUM",
- "line": 22
+ "line": 31
 }
 ]
From 5c2b80dd727cf01861619c9a8252cde93504bb7b Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Tue, 28 Oct 2025 13:58:57 +0000
Subject: [PATCH 5/6] simId transition update
---
 assets/similarityID_transition/terraform_gcp.yaml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/assets/similarityID_transition/terraform_gcp.yaml b/assets/similarityID_transition/terraform_gcp.yaml
index c3eeee7d298..57482854d8b 100644
--- a/assets/similarityID_transition/terraform_gcp.yaml
+++ b/assets/similarityID_transition/terraform_gcp.yaml
@@ -3,3 +3,7 @@ similarityIDChangeList:
 queryName: Beta - Google DNS Policy Logging Disabled
 observations: ""
 change: 2
+ - queryId: 5a8c5d26-c592-4c98-afac-9762c54cc868
+ queryName: Beta - SQL DB Instance With Ownership Chaining Enabled
+ observations: ""
+ change: 2
From 850c7c4bb584a6ec1558d3679080bc26f7149889 Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Mon, 3 Nov 2025 11:21:14 +0000
Subject: [PATCH 6/6] suggested change
---
 .../sql_db_instance_with_ownership_chaining_enabled/query.rego | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_ownership_chaining_enabled/query.rego b/assets/queries/terraform/gcp/sql_db_instance_with_ownership_chaining_enabled/query.rego
index b3a95e446c3..114213ab141 100644
--- a/assets/queries/terraform/gcp/sql_db_instance_with_ownership_chaining_enabled/query.rego
+++ b/assets/queries/terraform/gcp/sql_db_instance_with_ownership_chaining_enabled/query.rego
@@ -15,7 +15,7 @@ CxPolicy[result] {
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": results.searchKey,
 "issueType": "IncorrectValue",
- "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be defined and set 'cross db ownership chaining' to 'off'", [name]),
+ "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should set 'cross db ownership chaining' to 'off'", [name]),
 "keyActualValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' sets 'cross db ownership chaining' to '%s'", [name, results.value]),
 "searchLine": results.searchLine
 }