From 8adc72ad57e67180e402595252dc1c0849aa0cda Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pedro=20Mart=C3=ADn?= Date: Mon, 5 Aug 2024 18:12:00 +0200 Subject: [PATCH] fix(gcp): check cloudsql sslMode (#4635) --- .../cloudsql_instance_ssl_connections.py | 2 +- .../gcp/services/cloudsql/cloudsql_service.py | 8 ++- tests/providers/gcp/gcp_fixtures.py | 2 + ...loudsql_instance_automated_backups_test.py | 6 +- ...l_instance_mysql_local_infile_flag_test.py | 12 ++-- ...ance_mysql_skip_show_database_flag_test.py | 12 ++-- ...tance_postgres_enable_pgaudit_flag_test.py | 12 ++-- ...ance_postgres_log_connections_flag_test.py | 12 ++-- ...e_postgres_log_disconnections_flag_test.py | 12 ++-- ..._postgres_log_error_verbosity_flag_test.py | 12 ++-- ...es_log_min_duration_statement_flag_test.py | 12 ++-- ...tgres_log_min_error_statement_flag_test.py | 12 ++-- ...nce_postgres_log_min_messages_flag_test.py | 12 ++-- ...stance_postgres_log_statement_flag_test.py | 12 ++-- .../cloudsql_instance_public_access_test.py | 6 +- .../cloudsql_instance_public_ip_test.py | 6 +- ...ained_database_authentication_flag_test.py | 12 ++-- ...r_cross_db_ownership_chaining_flag_test.py | 12 ++-- ...rver_external_scripts_enabled_flag_test.py | 12 ++-- ...tance_sqlserver_remote_access_flag_test.py | 12 ++-- ...dsql_instance_sqlserver_trace_flag_test.py | 12 ++-- ...ce_sqlserver_user_connections_flag_test.py | 12 ++-- ...stance_sqlserver_user_options_flag_test.py | 12 ++-- .../cloudsql_instance_ssl_connections_test.py | 58 +++++++++++++++++-- .../cloudsql/cloudsql_service_test.py | 9 ++- 25 files changed, 218 insertions(+), 83 deletions(-) diff --git a/prowler/providers/gcp/services/cloudsql/cloudsql_instance_ssl_connections/cloudsql_instance_ssl_connections.py b/prowler/providers/gcp/services/cloudsql/cloudsql_instance_ssl_connections/cloudsql_instance_ssl_connections.py index 8f70b3ce28d..0f7ee531042 100644 --- a/prowler/providers/gcp/services/cloudsql/cloudsql_instance_ssl_connections/cloudsql_instance_ssl_connections.py +++ b/prowler/providers/gcp/services/cloudsql/cloudsql_instance_ssl_connections/cloudsql_instance_ssl_connections.py @@ -15,7 +15,7 @@ def execute(self) -> Check_Report_GCP: report.status_extended = ( f"Database Instance {instance.name} requires SSL connections." ) - if not instance.ssl: + if not instance.require_ssl or instance.ssl_mode != "ENCRYPTED_ONLY": report.status = "FAIL" report.status_extended = f"Database Instance {instance.name} does not require SSL connections." findings.append(report) diff --git a/prowler/providers/gcp/services/cloudsql/cloudsql_service.py b/prowler/providers/gcp/services/cloudsql/cloudsql_service.py index 4baf8a3b2b8..df6aee6426e 100644 --- a/prowler/providers/gcp/services/cloudsql/cloudsql_service.py +++ b/prowler/providers/gcp/services/cloudsql/cloudsql_service.py @@ -31,9 +31,12 @@ def __get_instances__(self): region=instance["region"], ip_addresses=instance.get("ipAddresses", []), public_ip=public_ip, - ssl=instance["settings"]["ipConfiguration"].get( + require_ssl=instance["settings"]["ipConfiguration"].get( "requireSsl", False ), + ssl_mode=instance["settings"]["ipConfiguration"].get( + "sslMode", "ALLOW_UNENCRYPTED_AND_ENCRYPTED" + ), automated_backups=instance["settings"][ "backupConfiguration" ]["enabled"], @@ -61,7 +64,8 @@ class Instance(BaseModel): region: str public_ip: bool authorized_networks: list - ssl: bool + require_ssl: bool + ssl_mode: str automated_backups: bool flags: list project_id: str diff --git a/tests/providers/gcp/gcp_fixtures.py b/tests/providers/gcp/gcp_fixtures.py index c0944033ce9..e1c1f6ce892 100644 --- a/tests/providers/gcp/gcp_fixtures.py +++ b/tests/providers/gcp/gcp_fixtures.py @@ -583,6 +583,7 @@ def mock_api_instances_calls(client: MagicMock, service: str): "settings": { "ipConfiguration": { "requireSsl": True, + "sslMode": "ENCRYPTED_ONLY", "authorizedNetworks": [{"value": "test"}], }, "backupConfiguration": {"enabled": True}, @@ -597,6 +598,7 @@ def mock_api_instances_calls(client: MagicMock, service: str): "settings": { "ipConfiguration": { "requireSsl": False, + "sslMode": "ALLOW_UNENCRYPTED_AND_ENCRYPTED", "authorizedNetworks": [{"value": "test"}], }, "backupConfiguration": {"enabled": False}, diff --git a/tests/providers/gcp/services/cloudsql/cloudsql_instance_automated_backups/cloudsql_instance_automated_backups_test.py b/tests/providers/gcp/services/cloudsql/cloudsql_instance_automated_backups/cloudsql_instance_automated_backups_test.py index 47fa7e7796d..73caf250f6a 100644 --- a/tests/providers/gcp/services/cloudsql/cloudsql_instance_automated_backups/cloudsql_instance_automated_backups_test.py +++ b/tests/providers/gcp/services/cloudsql/cloudsql_instance_automated_backups/cloudsql_instance_automated_backups_test.py @@ -52,7 +52,8 @@ def test_cloudsql_instance_with_automated_backups(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[], @@ -97,7 +98,8 @@ def test_cloudsql_instance_without_automated_backups(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=False, authorized_networks=[], flags=[], diff --git a/tests/providers/gcp/services/cloudsql/cloudsql_instance_mysql_local_infile_flag/cloudsql_instance_mysql_local_infile_flag_test.py b/tests/providers/gcp/services/cloudsql/cloudsql_instance_mysql_local_infile_flag/cloudsql_instance_mysql_local_infile_flag_test.py index e1b3a156b84..361f3ff499d 100644 --- a/tests/providers/gcp/services/cloudsql/cloudsql_instance_mysql_local_infile_flag/cloudsql_instance_mysql_local_infile_flag_test.py +++ b/tests/providers/gcp/services/cloudsql/cloudsql_instance_mysql_local_infile_flag/cloudsql_instance_mysql_local_infile_flag_test.py @@ -52,7 +52,8 @@ def test_cloudsql_postgres_instance(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[], @@ -88,7 +89,8 @@ def test_cloudsql_instance_with_no_flags(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[], @@ -133,7 +135,8 @@ def test_cloudsql_instance_with_local_infile_flag_off(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[{"name": "local_infile", "value": "off"}], @@ -178,7 +181,8 @@ def test_cloudsql_instance_with_local_infile_flag_on(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[{"name": "local_infile", "value": "on"}], diff --git a/tests/providers/gcp/services/cloudsql/cloudsql_instance_mysql_skip_show_database_flag/cloudsql_instance_mysql_skip_show_database_flag_test.py b/tests/providers/gcp/services/cloudsql/cloudsql_instance_mysql_skip_show_database_flag/cloudsql_instance_mysql_skip_show_database_flag_test.py index 2615b7380a6..b6bf83ab4f5 100644 --- a/tests/providers/gcp/services/cloudsql/cloudsql_instance_mysql_skip_show_database_flag/cloudsql_instance_mysql_skip_show_database_flag_test.py +++ b/tests/providers/gcp/services/cloudsql/cloudsql_instance_mysql_skip_show_database_flag/cloudsql_instance_mysql_skip_show_database_flag_test.py @@ -52,7 +52,8 @@ def test_cloudsql_postgres_instance(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[], @@ -88,7 +89,8 @@ def test_cloudsql_instance_no_flags(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[], @@ -133,7 +135,8 @@ def test_cloudsql_instance_with_skip_show_databases_off(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[{"name": "skip_show_database", "value": "off"}], @@ -178,7 +181,8 @@ def test_cloudsql_instance_with_skip_show_databases_on(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[{"name": "skip_show_database", "value": "on"}], diff --git a/tests/providers/gcp/services/cloudsql/cloudsql_instance_postgres_enable_pgaudit_flag/cloudsql_instance_postgres_enable_pgaudit_flag_test.py b/tests/providers/gcp/services/cloudsql/cloudsql_instance_postgres_enable_pgaudit_flag/cloudsql_instance_postgres_enable_pgaudit_flag_test.py index 97a9f8aa016..c2c4f13b221 100644 --- a/tests/providers/gcp/services/cloudsql/cloudsql_instance_postgres_enable_pgaudit_flag/cloudsql_instance_postgres_enable_pgaudit_flag_test.py +++ b/tests/providers/gcp/services/cloudsql/cloudsql_instance_postgres_enable_pgaudit_flag/cloudsql_instance_postgres_enable_pgaudit_flag_test.py @@ -52,7 +52,8 @@ def test_cloudsql_mysql_instance(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[], @@ -88,7 +89,8 @@ def test_cloudsql_instance_no_flags(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[], @@ -133,7 +135,8 @@ def test_cloudsql_instance_pgaudit_flag_off(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[{"name": "cloudsql.enable_pgaudit", "value": "off"}], @@ -178,7 +181,8 @@ def test_cloudsql_instance_pgaudit_flag_on(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[{"name": "cloudsql.enable_pgaudit", "value": "on"}], diff --git a/tests/providers/gcp/services/cloudsql/cloudsql_instance_postgres_log_connections_flag/cloudsql_instance_postgres_log_connections_flag_test.py b/tests/providers/gcp/services/cloudsql/cloudsql_instance_postgres_log_connections_flag/cloudsql_instance_postgres_log_connections_flag_test.py index e1dfe603dec..b8b57bd15b1 100644 --- a/tests/providers/gcp/services/cloudsql/cloudsql_instance_postgres_log_connections_flag/cloudsql_instance_postgres_log_connections_flag_test.py +++ b/tests/providers/gcp/services/cloudsql/cloudsql_instance_postgres_log_connections_flag/cloudsql_instance_postgres_log_connections_flag_test.py @@ -52,7 +52,8 @@ def test_cloudsql_mysql_instance(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[], @@ -88,7 +89,8 @@ def test_cloudsql_instance_no_flags(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[], @@ -133,7 +135,8 @@ def test_cloudsql_instance_log_connections_flag_off(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[{"name": "log_connections", "value": "off"}], @@ -178,7 +181,8 @@ def test_cloudsql_instance_log_connections_flag_on(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[{"name": "log_connections", "value": "on"}], diff --git a/tests/providers/gcp/services/cloudsql/cloudsql_instance_postgres_log_disconnections_flag/cloudsql_instance_postgres_log_disconnections_flag_test.py b/tests/providers/gcp/services/cloudsql/cloudsql_instance_postgres_log_disconnections_flag/cloudsql_instance_postgres_log_disconnections_flag_test.py index 57a58a23d1d..fd7f4e1339b 100644 --- a/tests/providers/gcp/services/cloudsql/cloudsql_instance_postgres_log_disconnections_flag/cloudsql_instance_postgres_log_disconnections_flag_test.py +++ b/tests/providers/gcp/services/cloudsql/cloudsql_instance_postgres_log_disconnections_flag/cloudsql_instance_postgres_log_disconnections_flag_test.py @@ -52,7 +52,8 @@ def test_cloudsql_mysql_instance(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[], @@ -88,7 +89,8 @@ def test_cloudsql_instance_no_flags(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[], @@ -133,7 +135,8 @@ def test_cloudsql_instance_log_disconnections_flag_off(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[{"name": "log_disconnections", "value": "off"}], @@ -178,7 +181,8 @@ def test_cloudsql_instance_log_disconnections_flag_on(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[{"name": "log_disconnections", "value": "on"}], diff --git a/tests/providers/gcp/services/cloudsql/cloudsql_instance_postgres_log_error_verbosity_flag/cloudsql_instance_postgres_log_error_verbosity_flag_test.py b/tests/providers/gcp/services/cloudsql/cloudsql_instance_postgres_log_error_verbosity_flag/cloudsql_instance_postgres_log_error_verbosity_flag_test.py index da9e61343a2..e905ebdf88e 100644 --- a/tests/providers/gcp/services/cloudsql/cloudsql_instance_postgres_log_error_verbosity_flag/cloudsql_instance_postgres_log_error_verbosity_flag_test.py +++ b/tests/providers/gcp/services/cloudsql/cloudsql_instance_postgres_log_error_verbosity_flag/cloudsql_instance_postgres_log_error_verbosity_flag_test.py @@ -52,7 +52,8 @@ def test_cloudsql_mysql_instance(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[], @@ -88,7 +89,8 @@ def test_cloudsql_instance_no_flags(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[], @@ -133,7 +135,8 @@ def test_cloudsql_instance_log_error_verbosity_flag_off(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[{"name": "log_error_verbosity", "value": "off"}], @@ -178,7 +181,8 @@ def test_cloudsql_instance_log_error_verbosity_flag_on(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[{"name": "log_error_verbosity", "value": "default"}], diff --git a/tests/providers/gcp/services/cloudsql/cloudsql_instance_postgres_log_min_duration_statement_flag/cloudsql_instance_postgres_log_min_duration_statement_flag_test.py b/tests/providers/gcp/services/cloudsql/cloudsql_instance_postgres_log_min_duration_statement_flag/cloudsql_instance_postgres_log_min_duration_statement_flag_test.py index b009bacde25..6a568e9e43f 100644 --- a/tests/providers/gcp/services/cloudsql/cloudsql_instance_postgres_log_min_duration_statement_flag/cloudsql_instance_postgres_log_min_duration_statement_flag_test.py +++ b/tests/providers/gcp/services/cloudsql/cloudsql_instance_postgres_log_min_duration_statement_flag/cloudsql_instance_postgres_log_min_duration_statement_flag_test.py @@ -52,7 +52,8 @@ def test_cloudsql_mysql_instance(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[], @@ -88,7 +89,8 @@ def test_cloudsql_instance_no_flags(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[], @@ -133,7 +135,8 @@ def test_cloudsql_instance_log_min_duration_statement_flag_off(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[{"name": "log_min_duration_statement", "value": "0"}], @@ -178,7 +181,8 @@ def test_cloudsql_instance_log_min_duration_statement_flag_on(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[{"name": "log_min_duration_statement", "value": "-1"}], diff --git a/tests/providers/gcp/services/cloudsql/cloudsql_instance_postgres_log_min_error_statement_flag/cloudsql_instance_postgres_log_min_error_statement_flag_test.py b/tests/providers/gcp/services/cloudsql/cloudsql_instance_postgres_log_min_error_statement_flag/cloudsql_instance_postgres_log_min_error_statement_flag_test.py index 2abe0ded1a0..28f8a583c6c 100644 --- a/tests/providers/gcp/services/cloudsql/cloudsql_instance_postgres_log_min_error_statement_flag/cloudsql_instance_postgres_log_min_error_statement_flag_test.py +++ b/tests/providers/gcp/services/cloudsql/cloudsql_instance_postgres_log_min_error_statement_flag/cloudsql_instance_postgres_log_min_error_statement_flag_test.py @@ -52,7 +52,8 @@ def test_cloudsql_mysql_instance(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[], @@ -88,7 +89,8 @@ def test_cloudsql_instance_no_flags(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[], @@ -133,7 +135,8 @@ def test_cloudsql_instance_log_min_error_statement_flag_off(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[{"name": "log_min_error_statement", "value": "warning"}], @@ -178,7 +181,8 @@ def test_cloudsql_instance_log_min_error_statement_flag_on(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[{"name": "log_min_error_statement", "value": "error"}], diff --git a/tests/providers/gcp/services/cloudsql/cloudsql_instance_postgres_log_min_messages_flag/cloudsql_instance_postgres_log_min_messages_flag_test.py b/tests/providers/gcp/services/cloudsql/cloudsql_instance_postgres_log_min_messages_flag/cloudsql_instance_postgres_log_min_messages_flag_test.py index 95dd3c0802b..54510ca2023 100644 --- a/tests/providers/gcp/services/cloudsql/cloudsql_instance_postgres_log_min_messages_flag/cloudsql_instance_postgres_log_min_messages_flag_test.py +++ b/tests/providers/gcp/services/cloudsql/cloudsql_instance_postgres_log_min_messages_flag/cloudsql_instance_postgres_log_min_messages_flag_test.py @@ -52,7 +52,8 @@ def test_cloudsql_mysql_instance(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[], @@ -88,7 +89,8 @@ def test_cloudsql_instance_no_flags(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[], @@ -133,7 +135,8 @@ def test_cloudsql_instance_log_min_messages_flag_off(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[{"name": "log_min_messages", "value": "debug"}], @@ -178,7 +181,8 @@ def test_cloudsql_instance_log_min_messages_flag_on(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[{"name": "log_min_messages", "value": "error"}], diff --git a/tests/providers/gcp/services/cloudsql/cloudsql_instance_postgres_log_statement_flag/cloudsql_instance_postgres_log_statement_flag_test.py b/tests/providers/gcp/services/cloudsql/cloudsql_instance_postgres_log_statement_flag/cloudsql_instance_postgres_log_statement_flag_test.py index 67ad6e3a2b7..47df151209a 100644 --- a/tests/providers/gcp/services/cloudsql/cloudsql_instance_postgres_log_statement_flag/cloudsql_instance_postgres_log_statement_flag_test.py +++ b/tests/providers/gcp/services/cloudsql/cloudsql_instance_postgres_log_statement_flag/cloudsql_instance_postgres_log_statement_flag_test.py @@ -52,7 +52,8 @@ def test_cloudsql_mysql_instance(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[], @@ -88,7 +89,8 @@ def test_cloudsql_instance_no_flags(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[], @@ -133,7 +135,8 @@ def test_cloudsql_instance_log_statement_flag_off(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[{"name": "log_statement", "value": "all"}], @@ -178,7 +181,8 @@ def test_cloudsql_instance_log_statement_flag_on(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[{"name": "log_statement", "value": "ddl"}], diff --git a/tests/providers/gcp/services/cloudsql/cloudsql_instance_public_access/cloudsql_instance_public_access_test.py b/tests/providers/gcp/services/cloudsql/cloudsql_instance_public_access/cloudsql_instance_public_access_test.py index 11c9c9ca9b7..5435b8f6de4 100644 --- a/tests/providers/gcp/services/cloudsql/cloudsql_instance_public_access/cloudsql_instance_public_access_test.py +++ b/tests/providers/gcp/services/cloudsql/cloudsql_instance_public_access/cloudsql_instance_public_access_test.py @@ -52,7 +52,8 @@ def test_cloudsql_instance_no_public_access(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[{"value": "192.168.1.1/32"}], project_id=GCP_PROJECT_ID, @@ -97,7 +98,8 @@ def test_cloudsql_instance_public_access(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[{"value": "0.0.0.0/0"}], project_id=GCP_PROJECT_ID, diff --git a/tests/providers/gcp/services/cloudsql/cloudsql_instance_public_ip/cloudsql_instance_public_ip_test.py b/tests/providers/gcp/services/cloudsql/cloudsql_instance_public_ip/cloudsql_instance_public_ip_test.py index 14c1074977f..1e0d3b73f61 100644 --- a/tests/providers/gcp/services/cloudsql/cloudsql_instance_public_ip/cloudsql_instance_public_ip_test.py +++ b/tests/providers/gcp/services/cloudsql/cloudsql_instance_public_ip/cloudsql_instance_public_ip_test.py @@ -52,7 +52,8 @@ def test_cloudsql_instance_no_public_ip(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[], @@ -97,7 +98,8 @@ def test_cloudsql_instance_public_ip(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=True, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[], diff --git a/tests/providers/gcp/services/cloudsql/cloudsql_instance_sqlserver_contained_database_authentication_flag/cloudsql_instance_sqlserver_contained_database_authentication_flag_test.py b/tests/providers/gcp/services/cloudsql/cloudsql_instance_sqlserver_contained_database_authentication_flag/cloudsql_instance_sqlserver_contained_database_authentication_flag_test.py index b8b429a4b9f..7055121b95f 100644 --- a/tests/providers/gcp/services/cloudsql/cloudsql_instance_sqlserver_contained_database_authentication_flag/cloudsql_instance_sqlserver_contained_database_authentication_flag_test.py +++ b/tests/providers/gcp/services/cloudsql/cloudsql_instance_sqlserver_contained_database_authentication_flag/cloudsql_instance_sqlserver_contained_database_authentication_flag_test.py @@ -52,7 +52,8 @@ def test_cloudsql_postgres_instance(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[], @@ -88,7 +89,8 @@ def test_cloudsql_instance_no_flags(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[], @@ -133,7 +135,8 @@ def test_cloudsql_instance_contained_database_authentication_flag_on(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[ @@ -180,7 +183,8 @@ def test_cloudsql_instance_contained_database_authentication_flag_off(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[ diff --git a/tests/providers/gcp/services/cloudsql/cloudsql_instance_sqlserver_cross_db_ownership_chaining_flag/cloudsql_instance_sqlserver_cross_db_ownership_chaining_flag_test.py b/tests/providers/gcp/services/cloudsql/cloudsql_instance_sqlserver_cross_db_ownership_chaining_flag/cloudsql_instance_sqlserver_cross_db_ownership_chaining_flag_test.py index 998933e4a77..8a276eb837a 100644 --- a/tests/providers/gcp/services/cloudsql/cloudsql_instance_sqlserver_cross_db_ownership_chaining_flag/cloudsql_instance_sqlserver_cross_db_ownership_chaining_flag_test.py +++ b/tests/providers/gcp/services/cloudsql/cloudsql_instance_sqlserver_cross_db_ownership_chaining_flag/cloudsql_instance_sqlserver_cross_db_ownership_chaining_flag_test.py @@ -52,7 +52,8 @@ def test_cloudsql_postgres_instance(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[], @@ -88,7 +89,8 @@ def test_cloudsql_instance_no_flags(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[], @@ -133,7 +135,8 @@ def test_cloudsql_instance_cross_db_ownership_flag_on(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[{"name": "cross db ownership chaining", "value": "on"}], @@ -178,7 +181,8 @@ def test_cloudsql_instance_cross_db_ownership_flag_off(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[{"name": "cross db ownership chaining", "value": "off"}], diff --git a/tests/providers/gcp/services/cloudsql/cloudsql_instance_sqlserver_external_scripts_enabled_flag/cloudsql_instance_sqlserver_external_scripts_enabled_flag_test.py b/tests/providers/gcp/services/cloudsql/cloudsql_instance_sqlserver_external_scripts_enabled_flag/cloudsql_instance_sqlserver_external_scripts_enabled_flag_test.py index e7b2035361d..ce42bb6d31b 100644 --- a/tests/providers/gcp/services/cloudsql/cloudsql_instance_sqlserver_external_scripts_enabled_flag/cloudsql_instance_sqlserver_external_scripts_enabled_flag_test.py +++ b/tests/providers/gcp/services/cloudsql/cloudsql_instance_sqlserver_external_scripts_enabled_flag/cloudsql_instance_sqlserver_external_scripts_enabled_flag_test.py @@ -52,7 +52,8 @@ def test_cloudsql_postgres_instance(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[], @@ -88,7 +89,8 @@ def test_cloudsql_sqlserver_instance_no_flags(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[], @@ -133,7 +135,8 @@ def test_cloudsql_sqlserver_instance_external_scripts_enabled_flag_on(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[{"name": "external scripts enabled", "value": "on"}], @@ -178,7 +181,8 @@ def test_cloudsql_sqlserver_instance_external_scripts_enabled_flag_off(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[{"name": "external scripts enabled", "value": "off"}], diff --git a/tests/providers/gcp/services/cloudsql/cloudsql_instance_sqlserver_remote_access_flag/cloudsql_instance_sqlserver_remote_access_flag_test.py b/tests/providers/gcp/services/cloudsql/cloudsql_instance_sqlserver_remote_access_flag/cloudsql_instance_sqlserver_remote_access_flag_test.py index 8f3a9490cba..13f7321a61b 100644 --- a/tests/providers/gcp/services/cloudsql/cloudsql_instance_sqlserver_remote_access_flag/cloudsql_instance_sqlserver_remote_access_flag_test.py +++ b/tests/providers/gcp/services/cloudsql/cloudsql_instance_sqlserver_remote_access_flag/cloudsql_instance_sqlserver_remote_access_flag_test.py @@ -52,7 +52,8 @@ def test_cloudsql_postgres_instance(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[], @@ -88,7 +89,8 @@ def test_cloudsql_instance_no_flags(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[], @@ -133,7 +135,8 @@ def test_cloudsql_instance_remote_access_flag_on(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[{"name": "remote access", "value": "on"}], @@ -178,7 +181,8 @@ def test_cloudsql_instance_remote_access_flag_off(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[{"name": "remote access", "value": "off"}], diff --git a/tests/providers/gcp/services/cloudsql/cloudsql_instance_sqlserver_trace_flag/cloudsql_instance_sqlserver_trace_flag_test.py b/tests/providers/gcp/services/cloudsql/cloudsql_instance_sqlserver_trace_flag/cloudsql_instance_sqlserver_trace_flag_test.py index 3088c8e2ddf..4375509e21c 100644 --- a/tests/providers/gcp/services/cloudsql/cloudsql_instance_sqlserver_trace_flag/cloudsql_instance_sqlserver_trace_flag_test.py +++ b/tests/providers/gcp/services/cloudsql/cloudsql_instance_sqlserver_trace_flag/cloudsql_instance_sqlserver_trace_flag_test.py @@ -52,7 +52,8 @@ def test_cloudsql_postgres_instance(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[], @@ -88,7 +89,8 @@ def test_cloudsql_instance_no_flags(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[], @@ -133,7 +135,8 @@ def test_cloudsql_instance_trace_flag_off(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[{"name": "3625", "value": "off"}], @@ -178,7 +181,8 @@ def test_cloudsql_instance_trace_flag_on(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[{"name": "3625", "value": "on"}], diff --git a/tests/providers/gcp/services/cloudsql/cloudsql_instance_sqlserver_user_connections_flag/cloudsql_instance_sqlserver_user_connections_flag_test.py b/tests/providers/gcp/services/cloudsql/cloudsql_instance_sqlserver_user_connections_flag/cloudsql_instance_sqlserver_user_connections_flag_test.py index 55143a51e1f..cf527241ccc 100644 --- a/tests/providers/gcp/services/cloudsql/cloudsql_instance_sqlserver_user_connections_flag/cloudsql_instance_sqlserver_user_connections_flag_test.py +++ b/tests/providers/gcp/services/cloudsql/cloudsql_instance_sqlserver_user_connections_flag/cloudsql_instance_sqlserver_user_connections_flag_test.py @@ -52,7 +52,8 @@ def test_cloudsql_postgres_instance(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[], @@ -88,7 +89,8 @@ def test_cloudsql_sqlserver_instance_no_flags(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[], @@ -133,7 +135,8 @@ def test_cloudsql_sqlserver_instance_user_connections_flag_off(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[{"name": "user connections", "value": "1"}], @@ -178,7 +181,8 @@ def test_cloudsql_sqlserver_instance_user_connections_flag_on(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[{"name": "user connections", "value": "0"}], diff --git a/tests/providers/gcp/services/cloudsql/cloudsql_instance_sqlserver_user_options_flag/cloudsql_instance_sqlserver_user_options_flag_test.py b/tests/providers/gcp/services/cloudsql/cloudsql_instance_sqlserver_user_options_flag/cloudsql_instance_sqlserver_user_options_flag_test.py index 30769cb357b..0c1bc4ba494 100644 --- a/tests/providers/gcp/services/cloudsql/cloudsql_instance_sqlserver_user_options_flag/cloudsql_instance_sqlserver_user_options_flag_test.py +++ b/tests/providers/gcp/services/cloudsql/cloudsql_instance_sqlserver_user_options_flag/cloudsql_instance_sqlserver_user_options_flag_test.py @@ -52,7 +52,8 @@ def test_cloudsql_postgres_instance(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[], @@ -88,7 +89,8 @@ def test_cloudsql_sqlserver_instance_no_flags(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[], @@ -133,7 +135,8 @@ def test_cloudsql_sqlserver_instance_user_options_flag_empty(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[{"name": "user options", "value": ""}], @@ -178,7 +181,8 @@ def test_cloudsql_sqlserver_instance_user_options_flag_set(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=False, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[{"name": "user options", "value": "0"}], diff --git a/tests/providers/gcp/services/cloudsql/cloudsql_instance_ssl_connections/cloudsql_instance_ssl_connections_test.py b/tests/providers/gcp/services/cloudsql/cloudsql_instance_ssl_connections/cloudsql_instance_ssl_connections_test.py index 46389b29758..70ed073b3e2 100644 --- a/tests/providers/gcp/services/cloudsql/cloudsql_instance_ssl_connections/cloudsql_instance_ssl_connections_test.py +++ b/tests/providers/gcp/services/cloudsql/cloudsql_instance_ssl_connections/cloudsql_instance_ssl_connections_test.py @@ -28,7 +28,7 @@ def test_no_cloudsql_instances(self): result = check.execute() assert len(result) == 0 - def test_cloudsql_instance_ssl_connections_enabled(self): + def test_cloudsql_instance_ssl_connections_enabled_and_ssl_mode_encrypted(self): cloudsql_client = mock.MagicMock with mock.patch( @@ -52,7 +52,8 @@ def test_cloudsql_instance_ssl_connections_enabled(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=True, + require_ssl=True, + ssl_mode="ENCRYPTED_ONLY", automated_backups=True, authorized_networks=[], flags=[], @@ -73,7 +74,7 @@ def test_cloudsql_instance_ssl_connections_enabled(self): assert result[0].location == GCP_EU1_LOCATION assert result[0].project_id == GCP_PROJECT_ID - def test_cloudsql_instance_ssl_connections_disabled(self): + def test_cloudsql_instance_ssl_connections_enabled_and_ssl_mode_not_encrypted(self): cloudsql_client = mock.MagicMock with mock.patch( @@ -97,7 +98,56 @@ def test_cloudsql_instance_ssl_connections_disabled(self): ip_addresses=[], region=GCP_EU1_LOCATION, public_ip=False, - ssl=False, + require_ssl=True, + ssl_mode="ALLOW_UNENCRYPTED_AND_ENCRYPTED", + automated_backups=True, + authorized_networks=[], + flags=[], + project_id=GCP_PROJECT_ID, + ) + ] + + check = cloudsql_instance_ssl_connections() + result = check.execute() + assert len(result) == 1 + assert result[0].status == "FAIL" + assert ( + result[0].status_extended + == "Database Instance instance1 does not require SSL connections." + ) + assert result[0].resource_id == "instance1" + assert result[0].resource_name == "instance1" + assert result[0].location == GCP_EU1_LOCATION + assert result[0].project_id == GCP_PROJECT_ID + + def test_cloudsql_instance_ssl_connections_disabled_and_ssl_mode_not_encrypted( + self, + ): + cloudsql_client = mock.MagicMock + + with mock.patch( + "prowler.providers.common.provider.Provider.get_global_provider", + return_value=set_mocked_gcp_provider(), + ), mock.patch( + "prowler.providers.gcp.services.cloudsql.cloudsql_instance_ssl_connections.cloudsql_instance_ssl_connections.cloudsql_client", + new=cloudsql_client, + ): + from prowler.providers.gcp.services.cloudsql.cloudsql_instance_ssl_connections.cloudsql_instance_ssl_connections import ( + cloudsql_instance_ssl_connections, + ) + from prowler.providers.gcp.services.cloudsql.cloudsql_service import ( + Instance, + ) + + cloudsql_client.instances = [ + Instance( + name="instance1", + version="POSTGRES_15", + ip_addresses=[], + region=GCP_EU1_LOCATION, + public_ip=False, + require_ssl=False, + ssl_mode="ALLOW_UNENCRYPTED_AND_ENCRYPTED", automated_backups=True, authorized_networks=[], flags=[], diff --git a/tests/providers/gcp/services/cloudsql/cloudsql_service_test.py b/tests/providers/gcp/services/cloudsql/cloudsql_service_test.py index 86f67ac6333..d38e1a680d2 100644 --- a/tests/providers/gcp/services/cloudsql/cloudsql_service_test.py +++ b/tests/providers/gcp/services/cloudsql/cloudsql_service_test.py @@ -33,7 +33,8 @@ def test_service(self): {"type": "PRIMARY", "ipAddress": "66.66.66.66"} ] assert cloudsql_client.instances[0].public_ip - assert cloudsql_client.instances[0].ssl + assert cloudsql_client.instances[0].require_ssl + assert cloudsql_client.instances[0].ssl_mode == "ENCRYPTED_ONLY" assert cloudsql_client.instances[0].automated_backups assert cloudsql_client.instances[0].authorized_networks == [ {"value": "test"} @@ -48,7 +49,11 @@ def test_service(self): {"type": "PRIMARY", "ipAddress": "22.22.22.22"} ] assert cloudsql_client.instances[1].public_ip - assert not cloudsql_client.instances[1].ssl + assert not cloudsql_client.instances[1].require_ssl + assert ( + cloudsql_client.instances[1].ssl_mode + == "ALLOW_UNENCRYPTED_AND_ENCRYPTED" + ) assert not cloudsql_client.instances[1].automated_backups assert cloudsql_client.instances[1].authorized_networks == [ {"value": "test"}