Add -pattern not to gcp=sql-datavase-require-ssl to allow new fix int…

…roduced in version 6.0 (#3532)
semgrep · Dec 13, 2024 · 0f5a85c · 0f5a85c
1 parent 576e1bd
commit 0f5a85c
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 2 deletions.
diff --git a/terraform/gcp/security/gcp-sql-database-require-ssl.tf b/terraform/gcp/security/gcp-sql-database-require-ssl.tf
@@ -1,4 +1,3 @@
-# fail
 # ruleid: gcp-sql-database-require-ssl
 resource "google_sql_database_instance" "fail" {
   database_version = "MYSQL_8_0"
@@ -18,4 +17,17 @@ resource "google_sql_database_instance" "success" {
       ipv4_enabled = true
       require_ssl = true
   }
-}
+}
+
+# ok: gcp-sql-database-require-ssl
+resource "google_sql_database_instance" "main" {
+  name      = "some-example-name"
+  database_version  = "POSTGRES_15"
+  region      = "europe-west3"
+  settings {
+    tier = "db-f1-micro"
+    ip_configuration {
+      ssl_mode = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
+    }
+  }
+}
diff --git a/terraform/gcp/security/gcp-sql-database-require-ssl.yaml b/terraform/gcp/security/gcp-sql-database-require-ssl.yaml
@@ -16,6 +16,16 @@ rules:
           }
           ...
       }
+  - pattern-not-inside: |
+      resource "google_sql_database_instance" "..." {
+          ...
+          ip_configuration {
+              ...
+              ssl_mode = ...
+              ...
+          }
+          ...
+      }
   message: >-
     Ensure all Cloud SQL database instance requires all incoming connections to use SSL
   metadata: