---
title: Cloud SQL instance with cross DB ownership chaining on
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > Cloud SQL instance with cross DB ownership
  chaining on
---

# Cloud SQL instance with cross DB ownership chaining on


## Metadata{% #metadata %}

**Id:** `ansible-gcp-cloud-sql-instance-with-cross-db-ownership-chaining-on`

**Provider:** GCP

**Platform:** Ansible

**Severity:** High

**Category:** Insecure Configurations

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_sql_instance_module.html#parameter-settings/database_flags)

### Description{% #description %}

SQL Server instances must have Cross DB Ownership Chaining disabled to prevent cross-database privilege escalation and lateral access between databases.

For Ansible-managed Google Cloud SQL resources (`google.cloud.gcp_sql_instance` or `gcp_sql_instance`), ensure the `settings.database_flags` entry with name `cross db ownership chaining` is present and its `value` is set to `off`. This check applies only when `database_version` indicates SQL Server. Instances missing the flag or with a value other than `off` are flagged.

Secure Ansible configuration example:

```yaml
- name: Create secure Cloud SQL SQLServer instance
  google.cloud.gcp_sql_instance:
    name: my-sqlserver-instance
    database_version: SQLSERVER_2019_STANDARD
    settings:
      tier: db-custom-1-3840
      database_flags:
        - name: "cross db ownership chaining"
          value: "off"
```
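As an added illustration (not the rule's own implementation), the Python checker below applies the rule above to parsed Ansible tasks: it only considers SQL Server `database_version` values, flags a missing `cross db ownership chaining` entry or any value other than `off`, and maps back the booleans that a YAML 1.1 loader such as PyYAML produces for an unquoted `on`/`off`. Module names and the flag name come from this page; the sample tasks are constructed here to mirror `yaml.safe_load()` output for the page's configuration examples.

```python
SQL_MODULES = {"google.cloud.gcp_sql_instance", "gcp_sql_instance"}
FLAG = "cross db ownership chaining"

def normalize(value):
    # PyYAML (YAML 1.1) loads an unquoted on/off as a bool; map it back.
    if isinstance(value, bool):
        return "on" if value else "off"
    return str(value).strip().lower()

def is_sql_server(version):
    return str(version or "").upper().startswith("SQLSERVER")

def flag_value(settings):
    # Return the flag's raw value, or None when the flag is absent.
    for flag in (settings or {}).get("database_flags") or []:
        if isinstance(flag, dict) and str(flag.get("name", "")).strip().lower() == FLAG:
            return flag.get("value")
    return None

def check_task(task):
    # One finding string per non-compliant task, None when compliant or not applicable.
    args = next((task[m] for m in SQL_MODULES if m in task), None)
    if args is None or not is_sql_server(args.get("database_version")):
        return None  # not a Cloud SQL instance task, or not a SQL Server edition
    value = flag_value(args.get("settings"))
    name = task.get("name", "<unnamed>")
    if value is None:
        return f"{name}: flag '{FLAG}' is missing"
    if normalize(value) != "off":
        return f"{name}: flag '{FLAG}' is {normalize(value)!r}, expected 'off'"
    return None

def check_tasks(tasks):
    return [f for f in map(check_task, tasks) if f]

# Constructed sample, shaped like yaml.safe_load() output for the page's
# examples; note the unquoted `value: on` arrives as the bool True.
SAMPLE_TASKS = [
    {"name": "secure", "google.cloud.gcp_sql_instance": {"database_version": "SQLSERVER_2019_STANDARD",
        "settings": {"database_flags": [{"name": FLAG, "value": "off"}]}}},
    {"name": "chaining-on", "gcp_sql_instance": {"database_version": "SQLSERVER_13_1",
        "settings": {"database_flags": [{"name": FLAG, "value": True}]}}},
    {"name": "flag-missing", "google.cloud.gcp_sql_instance": {"database_version": "SQLSERVER_13_1",
        "settings": {"database_flags": [{"name": "name1", "value": "value1"}]}}},
    {"name": "postgres", "google.cloud.gcp_sql_instance": {"database_version": "POSTGRES_14"}},
]

if __name__ == "__main__":
    for finding in check_tasks(SAMPLE_TASKS):
        print(finding)
```

Because the checker works on loaded YAML rather than text, quoting `"off"` as in the example above is still the safe way to write the flag in the playbook itself.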

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
- name: sql_instance
  google.cloud.gcp_sql_instance:
    auth_kind: serviceaccount
    database_version: SQLSERVER_13_1
    name: '{{ resource_name }}-2'
    project: test_project
    region: us-central1
    service_account_file: /tmp/auth.pem
    settings:
      database_flags:
      - name: name1
        value: value1
      tier: db-n1-standard-1
    state: present
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
- name: sql_instance
  google.cloud.gcp_sql_instance:
    auth_kind: serviceaccount
    database_version: SQLSERVER_13_1
    name: "{{ resource_name }}-2"
    project: test_project
    region: us-central1
    service_account_file: /tmp/auth.pem
    settings:
      database_flags:
      - name: cross db ownership chaining
        value: on
      tier: db-n1-standard-1
    state: present
```
