Information disclosure from non-TLS connections to Cloud SQL instance in Terraform

High Risk | infrastructure-security
Tags: gcp, cloud-sql, database-security, tls, encryption-in-transit, information-disclosure, terraform

What it is

Google Cloud SQL instances configured without TLS enforcement allow unencrypted database connections, enabling attackers to intercept queries, data, and credentials through man-in-the-middle attacks. This vulnerability exposes sensitive database traffic and authentication information over plaintext connections.

# VULNERABLE: Cloud SQL without TLS enforcement
resource "google_sql_database_instance" "vulnerable_mysql" {
  name             = "vulnerable-mysql-instance"
  database_version = "MYSQL_8_0"
  region           = "us-central1"

  settings {
    tier = "db-f1-micro"
    
    # VULNERABLE: No require_ssl setting (defaults to false)
    ip_configuration {
      ipv4_enabled = true
      authorized_networks {
        name  = "all"
        value = "0.0.0.0/0"
      }
    }
  }
}

# VULNERABLE: Explicitly allowing non-TLS connections
resource "google_sql_database_instance" "postgres_no_tls" {
  name             = "postgres-no-tls"
  database_version = "POSTGRES_14"
  region           = "us-east1"

  settings {
    tier = "db-custom-2-7680"
    
    ip_configuration {
      ipv4_enabled = true
      # VULNERABLE: require_ssl explicitly false
      require_ssl  = false
    }
  }
}

# SECURE: Cloud SQL with TLS enforcement
resource "google_sql_database_instance" "secure_mysql" {
  name             = "secure-mysql-instance"
  database_version = "MYSQL_8_0"
  region           = "us-central1"

  settings {
    tier = "db-f1-micro"
    
    # SECURE: Require TLS for all connections
    ip_configuration {
      ipv4_enabled = true
      require_ssl  = true
      
      authorized_networks {
        name  = "trusted-network"
        value = "10.0.0.0/24"
      }
    }
  }
}

# SECURE: PostgreSQL with TLS and private IP
resource "google_sql_database_instance" "postgres_secure" {
  name             = "postgres-secure"
  database_version = "POSTGRES_14"
  region           = "us-east1"

  settings {
    tier = "db-custom-2-7680"
    
    ip_configuration {
      ipv4_enabled    = false
      private_network = google_compute_network.private.id
      # SECURE: Enforce TLS connections
      require_ssl     = true
    }
  }
}

# SECURE: SQL Server with TLS enforcement
resource "google_sql_database_instance" "sqlserver_secure" {
  name             = "sqlserver-secure"
  database_version = "SQLSERVER_2019_STANDARD"
  region           = "us-west1"

  settings {
    tier = "db-custom-4-16384"
    
    ip_configuration {
      ipv4_enabled = true
      # SECURE: Require TLS
      require_ssl  = true
    }
  }
}

💡 Why This Fix Works

The vulnerable configurations either omit the require_ssl setting (which defaults to false) or set it to false explicitly, so the instance accepts unencrypted connections and exposes queries and credentials to man-in-the-middle attacks. The secure versions set require_ssl = true in the ip_configuration block, which makes the instance reject plaintext connection attempts and protects data in transit.
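A pre-deployment check for this misconfiguration, added here as an example (it is not Sourcery's code or part of the Terraform provider): it walks the JSON from `terraform show -json plan.out` and lists every google_sql_database_instance whose ip_configuration does not enforce TLS. It also recognises the newer provider's ssl_mode attribute, which the page does not mention; the sample plan is constructed.

```python
"""Flag Cloud SQL instances in a Terraform plan that would accept plaintext
connections. Input: JSON from `terraform show -json plan.out`. Added example."""
import json

# ssl_mode values that reject plaintext (newer google provider versions use
# ssl_mode instead of the deprecated require_ssl boolean).
ENFORCING_SSL_MODES = ("ENCRYPTED_ONLY", "TRUSTED_CLIENT_CERTIFICATE_REQUIRED")

# Constructed sample in the shape of `terraform show -json` output; nested
# blocks (settings, ip_configuration) appear there as lists of objects.
SAMPLE_PLAN = json.dumps({
    "planned_values": {"root_module": {
        "resources": [
            {"address": "google_sql_database_instance.vulnerable_mysql",
             "type": "google_sql_database_instance",
             "values": {"settings": [{"ip_configuration": [
                 {"ipv4_enabled": True}]}]}},
            {"address": "google_sql_database_instance.postgres_no_tls",
             "type": "google_sql_database_instance",
             "values": {"settings": [{"ip_configuration": [
                 {"ipv4_enabled": True, "require_ssl": False}]}]}},
            {"address": "google_sql_database_instance.secure_mysql",
             "type": "google_sql_database_instance",
             "values": {"settings": [{"ip_configuration": [
                 {"ipv4_enabled": True, "require_ssl": True}]}]}},
        ],
        # Instances created inside modules live under child_modules.
        "child_modules": [{"address": "module.db", "resources": [
            {"address": "module.db.google_sql_database_instance.pg_ssl_mode",
             "type": "google_sql_database_instance",
             "values": {"settings": [{"ip_configuration": [
                 {"ssl_mode": "ENCRYPTED_ONLY"}]}]}}]}],
    }},
})

def _walk(module):
    # Yield every resource in a module and, recursively, its child modules.
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from _walk(child)

def find_non_tls_instances(plan_json):
    """Return addresses of google_sql_database_instance resources where neither
    require_ssl = true nor an enforcing ssl_mode is set (default allows plaintext)."""
    findings = []
    for res in _walk(json.loads(plan_json)["planned_values"]["root_module"]):
        if res.get("type") != "google_sql_database_instance":
            continue
        settings = res.get("values", {}).get("settings") or [{}]
        cfg = (settings[0].get("ip_configuration") or [{}])[0]
        if cfg.get("require_ssl") is True or cfg.get("ssl_mode") in ENFORCING_SSL_MODES:
            continue
        findings.append(res["address"])
    return findings
```

Run it against a real plan with `find_non_tls_instances(open("plan.json").read())`; a non-empty result is a failing policy check.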

Why it happens

Google Cloud SQL instances are created without the require_ssl setting enabled in ip_configuration, so database clients can connect without TLS encryption and transmit queries and data in plaintext over the network.

Root causes

Missing TLS Enforcement Configuration

The google_sql_database_instance resource is created without require_ssl enabled in its ip_configuration block, so clients can connect without TLS and queries and data cross the network in plaintext.

Insecure Default Configuration

Cloud SQL defaults to allowing both encrypted and unencrypted connections for backward compatibility. Unless explicitly configured to require SSL/TLS, instances accept plaintext connections, exposing sensitive data to interception.

Incomplete Terraform Configuration

Terraform google_sql_database_instance resources lack require_ssl = true in the ip_configuration block. Without this explicit setting, database instances deploy with insecure default connection policies.

Legacy Application Compatibility

Organizations avoid enforcing TLS to maintain compatibility with legacy applications that don't support encrypted database connections. Security is sacrificed for operational continuity without assessing actual client capabilities.

Insufficient Security Awareness

Developers and operators are unaware that TLS enforcement must be explicitly configured for Cloud SQL. They assume encryption is enabled by default or don't understand the risks of unencrypted database connections.

Fixes

1. Enable SSL Requirement in Configuration

Set require_ssl = true within the ip_configuration block of google_sql_database_instance resources in Terraform. This forces all client connections to use TLS/SSL encryption, rejecting any plaintext connection attempts.

2. Enforce TLS Across All Instances

Apply TLS enforcement to all Cloud SQL database instances in your infrastructure. Audit existing instances and update configurations to require SSL, ensuring no database accepts unencrypted connections.

3. Update Client Connection Strings

Modify application connection strings and database client configurations to use SSL/TLS parameters. Ensure all clients connecting to Cloud SQL use sslmode=require or equivalent settings for their database driver.

4. Deploy SSL Certificates

Generate and distribute SSL certificates for Cloud SQL connections using gcloud sql ssl-certs create. Configure clients to use these certificates for mutual TLS authentication, providing additional security beyond basic encryption.

5. Use Cloud SQL Auth Proxy

Deploy the Cloud SQL Auth Proxy for application database connections. The proxy automatically handles TLS encryption, certificate management, and authentication, providing secure connections without manual SSL configuration in applications.
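A client-side check for step 3 of the fixes, added here as an example (not Sourcery's code): it reads the sslmode from PostgreSQL connection strings and flags anything weaker than the sslmode=require the page asks for. It goes one step further than the page by separating require, which encrypts but does not verify the server certificate unless sslrootcert is set, from verify-ca and verify-full; the DSNs are constructed.

```python
"""Check application DSNs for the client-side TLS setting Fix 3 calls for.
Added example; the DSNs below are constructed. Handles libpq-style sslmode
values as used by PostgreSQL clients (psql, psycopg, JDBC) in URIs and
key=value connection strings."""
from urllib.parse import parse_qs, urlsplit

# libpq sslmode values, weakest to strongest. `prefer` is the libpq default
# when sslmode is absent: it silently falls back to plaintext when TLS is
# declined, so it gives no protection against an active attacker.
# `require` encrypts but (without sslrootcert) does not verify the server's
# certificate; verify-ca and verify-full do.
SSLMODE_RANK = {"disable": 0, "allow": 1, "prefer": 2,
                "require": 3, "verify-ca": 4, "verify-full": 5}

def sslmode_of(dsn):
    """Return the sslmode in a postgresql:// URI or key=value DSN, or the
    libpq default 'prefer' when it is not set."""
    if dsn.startswith(("postgresql://", "postgres://")):
        return parse_qs(urlsplit(dsn).query).get("sslmode", ["prefer"])[0]
    for token in dsn.split():
        key, _, value = token.partition("=")
        if key == "sslmode":
            return value
    return "prefer"

def check_dsns(dsns, minimum="require"):
    """Map each DSN name to a verdict: 'weak' (TLS optional or off, below
    `minimum`), 'encrypted-unverified' (require), or 'ok' (verify-ca/full)."""
    verdicts = {}
    for name, dsn in dsns.items():
        mode = sslmode_of(dsn)
        rank = SSLMODE_RANK.get(mode, -1)  # unknown value treated as weakest
        if rank < SSLMODE_RANK[minimum]:
            verdicts[name] = f"weak (sslmode={mode})"
        elif rank < SSLMODE_RANK["verify-ca"]:
            verdicts[name] = f"encrypted-unverified (sslmode={mode})"
        else:
            verdicts[name] = f"ok (sslmode={mode})"
    return verdicts

# Constructed sample DSNs of the kind found in app configs and .env files.
SAMPLE_DSNS = {
    "billing": "postgresql://app@10.0.0.5:5432/billing?sslmode=verify-full",
    "reports": "postgresql://app@10.0.0.5:5432/reports?sslmode=require",
    "legacy": "host=10.0.0.5 dbname=legacy user=app sslmode=disable",
    "batch": "host=10.0.0.5 dbname=batch user=app",
}
```

Once require_ssl is enforced server-side, the "weak" entries are the clients that will start failing to connect, which makes this a useful pre-rollout inventory.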

Detect This Vulnerability in Your Code

Sourcery automatically identifies information disclosure from non-TLS connections to Cloud SQL instances in Terraform, along with many other security issues in your codebase.