Google Compute firewall ingress allows unrestricted MySQL access
Id: d0a1b2c3-d4e5-6789-abcd-ef0123456789
Cloud Provider: GCP
Platform: Terraform
Severity: Medium
Category: Networking and Firewall
Description
Allowing ingress traffic from 0.0.0.0/0 on port 3306, as shown in the Terraform attribute source_ranges = ["0.0.0.0/0"], exposes MySQL databases to the internet, making them susceptible to unauthorized access and potential attacks. This misconfiguration can lead to data breaches, data loss, or system compromise if malicious actors exploit the open MySQL port. Restricting access to trusted IP ranges, for example source_ranges = ["192.168.1.0/24"], significantly reduces this risk by limiting who can attempt to connect to the database.
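The check below is an added example, not part of the original rule page or Datadog's own scanner: it reads the JSON produced by `terraform show -json` and flags any `google_compute_firewall` resource that admits TCP port 3306 from an unrestricted source range. The embedded plan document is constructed for the example (it mirrors the compliant and non-compliant resources on this page plus a port-range variant) and is not real project output. It goes slightly beyond the rule's literal case by also treating `::/0`, a port range such as `3000-4000`, and an `allow` block with no `ports` (all TCP ports) as exposure.

```python
import ipaddress
import json

# Constructed sample in the shape of `terraform show -json tfplan` output,
# trimmed to the fields this check reads. Not output from a real project.
SAMPLE_PLAN_JSON = json.dumps({
    "planned_values": {
        "root_module": {
            "resources": [
                {
                    "address": "google_compute_firewall.bad_example",
                    "type": "google_compute_firewall",
                    "values": {
                        "name": "bad-firewall-mysql",
                        "direction": "INGRESS",
                        "allow": [{"protocol": "tcp", "ports": ["3306"]}],
                        "source_ranges": ["0.0.0.0/0"],
                    },
                },
                {
                    "address": "google_compute_firewall.good_example",
                    "type": "google_compute_firewall",
                    "values": {
                        "name": "good-firewall-mysql",
                        "direction": "INGRESS",
                        "allow": [{"protocol": "tcp", "ports": ["3306"]}],
                        "source_ranges": ["192.168.1.0/24"],
                    },
                },
                {
                    # Hypothetical third resource: a port range that covers 3306.
                    "address": "google_compute_firewall.range_example",
                    "type": "google_compute_firewall",
                    "values": {
                        "name": "range-firewall",
                        "direction": "INGRESS",
                        "allow": [{"protocol": "tcp", "ports": ["3000-4000"]}],
                        "source_ranges": ["0.0.0.0/0"],
                    },
                },
            ]
        }
    }
})

MYSQL_PORT = 3306


def port_spec_covers(spec, port):
    """True if a GCP port spec ("3306" or "3000-4000") includes `port`."""
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-", 1))
        return lo <= port <= hi
    return int(spec) == port


def range_is_unrestricted(cidr):
    """True for the 'anywhere' ranges: 0.0.0.0/0 and its IPv6 twin ::/0."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_exposes_mysql(values):
    """Does this firewall resource admit MySQL from any source?"""
    # GCP firewall rules default to INGRESS when direction is omitted.
    if values.get("direction", "INGRESS") != "INGRESS":
        return False
    if not any(range_is_unrestricted(r) for r in values.get("source_ranges") or []):
        return False
    for allow in values.get("allow") or []:
        proto = allow.get("protocol", "").lower()
        if proto not in ("tcp", "all"):
            continue
        ports = allow.get("ports") or []
        # In GCP an allow block with no ports admits every port of that protocol.
        if not ports or any(port_spec_covers(p, MYSQL_PORT) for p in ports):
            return True
    return False


def iter_resources(module):
    """Walk root_module and nested child_modules of a plan document."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def find_exposed_mysql_rules(plan_json):
    """Return the addresses of firewall resources that expose MySQL."""
    root = json.loads(plan_json)["planned_values"]["root_module"]
    return [r["address"] for r in iter_resources(root)
            if r.get("type") == "google_compute_firewall"
            and rule_exposes_mysql(r["values"])]


if __name__ == "__main__":
    for addr in find_exposed_mysql_rules(SAMPLE_PLAN_JSON):
        print(f"FINDING: {addr} allows MySQL (tcp/{MYSQL_PORT}) from any source")
```

Run against a real plan with `terraform show -json tfplan > plan.json` and pass the file contents to `find_exposed_mysql_rules`; the good example is not reported because its single source range has a non-zero prefix length, while both the literal `3306` rule and the covering range are.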
Compliant Code Examples
resource "google_compute_firewall" "good_example" {
  name    = "good-firewall-mysql"
  network = "default"

  allow {
    protocol = "tcp"
    ports    = ["3306"]
  }

  source_ranges = ["192.168.1.0/24"] # Restricted ingress for MySQL
}
Non-Compliant Code Examples
resource "google_compute_firewall" "bad_example" {
  name    = "bad-firewall-mysql"
  network = "default"

  allow {
    protocol = "tcp"
    ports    = ["3306"]
  }

  source_ranges = ["0.0.0.0/0"] # Unrestricted ingress for MySQL
}