The following code snippets show the configuration settings that are required to successfully deploy Sentinel policies that follow the security recommendations that are provided in the CIS Google Cloud Computing Platform Foundations Benchmark v.1.0.0. We cover policy configuration in more details in the Managing Sentinel Policies section in the Terraform Cloud documentation.
For security, it is recommended to always use SSL encryption when connecting to your instance. This recommendation is applicable for Postgresql, MySql generation 1 and MySql generation 2 Instances.
policy "gcp-cis-6.1-databases-cloud-sql-databases-instance-requires-all-incoming-connections-to-use-ssl" {
source = "https://raw.githubusercontent.com/hashicorp/terraform-foundational-policies-library/master/cis/gcp/databases/gcp-cis-6.1-databases-cloud-sql-databases-instance-requires-all-incoming-connections-to-use-ssl/gcp-cis-6.1-databases-cloud-sql-databases-instance-requires-all-incoming-connections-to-use-ssl.sentinel"
enforcement_level = "advisory"
}To minimize attack surface on a Database server Instance, only trusted/known and required IP(s) should be white-listed to connect to it.
policy "gcp-cis-6.2-databases-cloud-sql-databases-instances-are-not-open-to-the-world" {
source = "https://raw.githubusercontent.com/hashicorp/terraform-foundational-policies-library/master/cis/gcp/databases/gcp-cis-6.2-databases-cloud-sql-databases-instances-are-not-open-to-the-world/gcp-cis-6.2-databases-cloud-sql-databases-instances-are-not-open-to-the-world.sentinel"
enforcement_level = "advisory"
}