Risk Level: Medium
Cloud Entity: GCP CloudSql
CloudGuard Rule ID: D9.GCP.VLN.04
Covered by Spectral: Yes
Category: Database

GSL LOGIC

CloudSql where databaseVersion like 'SQLSERVER%' should have settings.databaseFlags contain [ name like 'contained database authentication' and value like 'off' ]

REMEDIATION

From Portal

Navigate to the instance where the flag needs to be set: https://console.cloud.google.com/sql/instances
Click Edit Configurations
Under flags section, choose add flag, look for 'contained database authentication' and choose value - off.
Save and review your changes

From TF
Set the flag 'contained database authentication' to 'off':

resource 'google_sql_database_instance' 'default' {
	...
	settings {
		database_flags {
			name  = 'contained database authentication'
			value = 'off'
		}
	}
}

From Command Line

First retrieve all existing flags values:

gcloud sql instances describe INSTANCE_NAME

Add all existing flags and their value to the patch request - otherwise they will get set to their default value.

gcloud sql instances patch INSTANCE_NAME --database-flags (ExistingFlag1=Value1,ExistingFlag2=Value2,...),'contained database authentication'=off

References

GCP CloudSql

Cloud SQL is a fully managed database service that makes it easy to set up, maintain, manage, and administer your relational PostgreSQL, MySQL, and SQL Server databases in the cloud.

Compliance Frameworks

CloudGuard GCP All Rules Ruleset
GCP CIS Controls V 8
GCP CIS Foundations v. 1.1.0
GCP CIS Foundations v. 1.2.0
GCP CIS Foundations v. 1.3.0
GCP CIS Foundations v. 2.0
GCP CloudGuard Best Practices
GCP MITRE ATT&CK Framework v12.1
GCP NIST 800-53 Rev 5