Checkmarx · cx-andre-pereira · Nov 6, 2025 · Oct 22, 2025 · Oct 23, 2025 · Oct 26, 2025
@@ -0,0 +1,14 @@
+{
+  "id": "d4436ca8-1caf-427c-8911-8b4d31ff6b40",
+  "queryName": "Beta - SQL DB Instance With Remote Access Enabled",
+  "severity": "HIGH",
+  "category": "Insecure Defaults",
+  "descriptionText": "All 'google_sql_database_instance' resources based on SQLSERVER should set the 'remote access' flag to 'off'",
+  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance.html#settings-1",
+  "platform": "Terraform",
+  "descriptionID": "d4436ca8",
+  "cloudProvider": "gcp",
+  "cwe": "266",
+  "riskScore": "6.0",
+  "experimental": "true"
+}
@@ -0,0 +1,85 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+	resource := input.document[i].resource.google_sql_database_instance[name]
+
+	contains(resource.database_version, "SQLSERVER")
+	results := get_results(resource, name)
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": "google_sql_database_instance",
+		"resourceName": tf_lib.get_resource_name(resource, name),
+		"searchKey": results.searchKey,
+		"issueType": results.issueType,
+		"keyExpectedValue": results.keyExpectedValue,
+		"keyActualValue": results.keyActualValue,
+		"searchLine": results.searchLine
+	}
+}
+
+get_results(resource, name) = results {
+	not common_lib.valid_key(resource, "settings")
+
+	results := {
+		"searchKey": sprintf("google_sql_database_instance[%s]", [name]),
+		"issueType": "MissingAttribute",
+		"keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be defined and set 'remote access' to 'off'", [name]),
+		"keyActualValue": sprintf("'google_sql_database_instance[%s].settings' is undefined or null", [name]),
+		"searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name], [])
+
+	}
+} else = results {
+	not common_lib.valid_key(resource.settings, "database_flags")
+
+	results := {
+		"searchKey": sprintf("google_sql_database_instance[%s].settings", [name]),
+		"issueType": "MissingAttribute",
+		"keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be defined and set 'remote access' to 'off'", [name]),
+		"keyActualValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' is undefined or null", [name]),
+		"searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings"], [])
+	}
+
+} else = results {
+	not has_flag(resource.settings.database_flags)
+
+	results := {
+		"searchKey": sprintf("google_sql_database_instance[%s].settings.database_flags", [name]),
+		"issueType": "MissingAttribute",
+		"keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be defined and set 'remote access' to 'off'", [name]),
+		"keyActualValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' does not set 'remote access'", [name]),
+		"searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings", "database_flags"], [])
+	}
+
+} else = results { # array
+	resource.settings.database_flags[x].name  == "remote access"
+	resource.settings.database_flags[x].value != "off"
+
+	results := {
+		"searchKey": sprintf("google_sql_database_instance[%s].settings.database_flags[%d].name", [name, x]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be defined and set 'remote access' to 'off'", [name]),
+		"keyActualValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' sets 'remote access' to '%s'", [name, resource.settings.database_flags[x].value]),
+		"searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings", "database_flags", x, "name"], [])
+	}
+} else = results { # single object
+	resource.settings.database_flags.name  == "remote access"
+	resource.settings.database_flags.value != "off"
+
+	results := {
+		"searchKey": sprintf("google_sql_database_instance[%s].settings.database_flags.name", [name]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be defined and set 'remote access' to 'off'", [name]),
+		"keyActualValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' sets 'remote access' to '%s'", [name, resource.settings.database_flags.value]),
+		"searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings", "database_flags", "name"], [])
+	}
+}
+
+has_flag(database_flags) {
+	database_flags[_].name == "remote access"
+} else {
+	database_flags.name == "remote access"
+}
@@ -0,0 +1,52 @@
+resource "google_sql_database_instance" "negative_1" {
+  name             = "main-instance"
+  database_version = "MYSQL_8_0"      # Is not a SQLSERVER instance
+  region           = "us-central1"
+
+  settings {
+    database_flags {
+      name = "remote access"
+      value = "on"
+      }
+  }
+}
+
+resource "google_sql_database_instance" "negative_2" {
+  name             = "mysql-instance-with-flag"
+  database_version = "SQLSERVER_2019_STANDARD"
+  region           = "us-central1"
+
+  settings {
+    tier = "db-f1-micro"
+
+    database_flags {
+      name = "sample_flag1"
+      value = "off"
+      }
+
+    database_flags {                                  # Has flag set to "off"
+      name = "remote access"
+      value = "off"
+      }
+
+    database_flags {
+      name = "sample_flag2"
+      value = "off"
+      }
+  }
+}
+
+resource "google_sql_database_instance" "negative_3" { # Single object support test
+  name             = "mysql-instance-with-flag"
+  database_version = "SQLSERVER_2019_STANDARD"
+  region           = "us-central1"
+
+  settings {
+    tier = "db-f1-micro"
+
+    database_flags {
+      name = "remote access"
+      value = "off"
+      }   # Has flag set to "off"
+  }
+}
@@ -0,0 +1,64 @@
+resource "google_sql_database_instance" "positive_1" {
+  name             = "mysql-instance-without-flag"
+  database_version = "SQLSERVER_2017_STANDARD"
+  region           = "us-central1"
+
+  # Missing 'settings' field
+}
+
+resource "google_sql_database_instance" "positive_2" {
+  name             = "sqlserver-instance-without-flag"
+  database_version = "SQLSERVER_2017_STANDARD"
+  region           = "us-central1"
+
+  settings {}  # Missing 'database_flags' field
+}
+
+resource "google_sql_database_instance" "positive_3" {
+  name             = "sqlserver-instance-without-flag"
+  database_version = "SQLSERVER_2017_STANDARD"
+  region           = "us-central1"
+
+  settings {
+    database_flags {
+      name = "sample_flag1"
+      value = "off"
+      } # Missing 'remote access' flag
+  }
+}
+
+resource "google_sql_database_instance" "positive_4" {
+  name             = "sqlserver-instance-with-flag"
+  database_version = "SQLSERVER_2017_EXPRESS"
+  region           = "us-central1"
+
+  settings {
+    database_flags {
+      name = "sample_flag1"
+      value = "off"
+      }
+
+    database_flags {                                  # Flag is not set to "off"
+      name = "remote access"
+      value = "on"
+      }
+
+    database_flags {
+      name = "sample_flag2"
+      value = "off"
+      }
+  }
+}
+
+resource "google_sql_database_instance" "positive_5" { # Single object support test
+  name             = "sqlserver-instance-with-flag"
+  database_version = "SQLSERVER_2017_EXPRESS"
+  region           = "us-central1"
+
+  settings {
+    database_flags {
+      name = "remote access"
+      value = "on"
+      }  # Flag is not set to "off"
+  }
+}
@@ -0,0 +1,27 @@
+[
+  {
+    "queryName": "Beta - SQL DB Instance With Remote Access Enabled",
+    "severity": "HIGH",
+    "line": 1
+  },
+  {
+    "queryName": "Beta - SQL DB Instance With Remote Access Enabled",
+    "severity": "HIGH",
+    "line": 14
+  },
+  {
+    "queryName": "Beta - SQL DB Instance With Remote Access Enabled",
+    "severity": "HIGH",
+    "line": 23
+  },
+  {
+    "queryName": "Beta - SQL DB Instance With Remote Access Enabled",
+    "severity": "HIGH",
+    "line": 42
+  },
+  {
+    "queryName": "Beta - SQL DB Instance With Remote Access Enabled",
+    "severity": "HIGH",
+    "line": 60
+  }
+]
@@ -3,6 +3,10 @@ similarityIDChangeList:
       queryName: Beta - Google DNS Policy Logging Disabled
       observations: ""
       change: 2
+    - queryId: d4436ca8-1caf-427c-8911-8b4d31ff6b40
+      queryName: Beta - SQL DB Instance With Remote Access Enabled
+      observations: ""
+      change: 2
     - queryId: c8e4444e-d9a9-4426-be8e-9f1b8c43133c
       queryName: Beta - SQL DB Instance With Global User Options
       observations: ""