---
title: SQL DB instance publicly accessible
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > SQL DB instance publicly accessible
---

# SQL DB instance publicly accessible

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `ansible-gcp-sql-db-instance-is-publicly-accessible` 

**Provider:** GCP

**Platform:** Ansible

**Severity:** Critical

**Category:** Insecure Configurations

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_sql_instance_module.html)

### Description{% #description %}

Cloud SQL instances must not be publicly accessible. An authorized network of `0.0.0.0/0`, or a public IPv4 address with no restricted network list, lets any host on the internet reach the database listener, exposing it to credential brute-forcing, exploitation of database-engine vulnerabilities, and data exfiltration.

For Ansible tasks that use the `google.cloud.gcp_sql_instance` module (or its short form `gcp_sql_instance`), the rule inspects `settings.ip_configuration`:

- `authorized_networks` must not contain an entry whose `value` is `0.0.0.0` (or the equivalent `0.0.0.0/0`). Every entry should be an explicit trusted CIDR, such as an office, VPN, or bastion range.
- If `authorized_networks` is empty, `ipv4_enabled` must be explicitly `false`, which leaves the instance reachable only over its private IP (for example through the Cloud SQL Auth Proxy or a peered VPC).
- A task with no `settings.ip_configuration` at all is flagged, because Cloud SQL assigns a public IP address unless it is disabled. Add either a restricted `authorized_networks` list or `ipv4_enabled: false`.

Ansible treats `yes`, `true`, and `on` as boolean true, so `ipv4_enabled: yes` with no authorized networks is flagged exactly like `ipv4_enabled: true`. Authorized networks only filter by source address; they do not replace strong database credentials or TLS, and any CIDR broader than the hosts that actually need access widens the attack surface.

Secure configuration examples:

```yaml
- name: create Cloud SQL instance with restricted authorized networks
  google.cloud.gcp_sql_instance:
    name: my-sql
    settings:
      ip_configuration:
        authorized_networks:
          - name: office
            value: 203.0.113.0/24
        ipv4_enabled: true
```

```yaml
- name: create Cloud SQL instance without public IPv4
  google.cloud.gcp_sql_instance:
    name: my-sql
    settings:
      ip_configuration:
        ipv4_enabled: false
```
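The rule above is easy to mirror in a pre-commit or CI check. The script below is an added example written for this page, not Datadog's scanner and not part of the `google.cloud` collection. It applies the three conditions from the description (world-open authorized network, public IPv4 with no allow list, missing `ip_configuration`) to a list of Ansible tasks, descends into `block`/`rescue`/`always`, and normalises Ansible-style booleans such as `yes`. The `SAMPLE_TASKS` list is constructed for the example and is shaped the way `yaml.safe_load` would return a task file; in real use you would load your playbook with PyYAML and pass the task list to `scan`.

```python
import ipaddress

# Module names this rule applies to (from the rule description).
SQL_MODULES = {"google.cloud.gcp_sql_instance", "gcp_sql_instance"}

# Ansible accepts several spellings for "true"; mirror the common ones.
TRUE_VALUES = {True, "true", "yes", "on", "1"}


def to_bool(value):
    """Normalise Ansible-style booleans ('yes', 'true', True, ...)."""
    if isinstance(value, str):
        value = value.strip().lower()
    return value in TRUE_VALUES


def is_world_open(cidr):
    """True when an authorized_networks value admits any source address.

    The bare literal '0.0.0.0' is what the rule flags; ipaddress would read
    it as a single /32 host, so it is matched explicitly. Any network with
    a zero-length prefix (0.0.0.0/0, ::/0) is treated the same way.
    """
    text = str(cidr).strip()
    if text == "0.0.0.0":
        return True
    try:
        net = ipaddress.ip_network(text, strict=False)
    except ValueError:
        return False  # not a CIDR at all; out of scope for this rule
    return net.prefixlen == 0


def check_task(task):
    """Return a finding string for one task, or None if it is compliant."""
    module = next((m for m in SQL_MODULES if m in task), None)
    if module is None:
        return None  # not a Cloud SQL instance task
    name = task.get("name", "<unnamed>")
    params = task.get(module) or {}
    ip_conf = (params.get("settings") or {}).get("ip_configuration") or {}
    networks = ip_conf.get("authorized_networks") or []

    for entry in networks:
        value = (entry or {}).get("value", "")
        if is_world_open(value):
            return f"{name}: authorized network {value!r} admits any source"
    if networks:
        return None  # explicit allow list with no world-open entry
    if "ipv4_enabled" in ip_conf and not to_bool(ip_conf["ipv4_enabled"]):
        return None  # public IPv4 explicitly disabled
    # Covers ipv4_enabled: true/yes with no allow list AND a missing
    # ip_configuration (Cloud SQL assigns a public IP unless disabled).
    return f"{name}: public IPv4 not disabled and no authorized_networks"


def iter_tasks(tasks):
    """Yield leaf tasks, descending into block/rescue/always sections."""
    for task in tasks or []:
        if not isinstance(task, dict):
            continue
        nested = [k for k in ("block", "rescue", "always") if k in task]
        if nested:
            for key in nested:
                yield from iter_tasks(task[key])
        else:
            yield task


def scan(tasks):
    """Return all findings for a loaded Ansible task list."""
    return [f for f in (check_task(t) for t in iter_tasks(tasks)) if f]


# Constructed sample task list (what yaml.safe_load of a tasks file yields).
SAMPLE_TASKS = [
    {"name": "restricted", "google.cloud.gcp_sql_instance": {"name": "db-a",
        "settings": {"ip_configuration": {
            "authorized_networks": [{"name": "office", "value": "203.0.113.0/24"}],
            "ipv4_enabled": True}}}},
    {"name": "private", "gcp_sql_instance": {"name": "db-b",
        "settings": {"ip_configuration": {"ipv4_enabled": False}}}},
    {"name": "world-open", "google.cloud.gcp_sql_instance": {"name": "db-c",
        "settings": {"ip_configuration": {
            "authorized_networks": [{"name": "anyone", "value": "0.0.0.0"}]}}}},
    {"name": "world-open-cidr", "google.cloud.gcp_sql_instance": {"name": "db-d",
        "settings": {"ip_configuration": {
            "authorized_networks": [{"name": "anyone", "value": "0.0.0.0/0"}]}}}},
    {"name": "public-no-allowlist", "google.cloud.gcp_sql_instance": {"name": "db-e",
        "settings": {"ip_configuration": {"ipv4_enabled": "yes"}}}},
    {"block": [
        {"name": "no-ip-config", "google.cloud.gcp_sql_instance": {"name": "db-f",
            "settings": {"tier": "db-n1-standard-1"}}}]},
    {"name": "unrelated", "debug": {"msg": "not a database task"}},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_TASKS):
        print(finding)
```

Running it reports the four non-compliant tasks (`world-open`, `world-open-cidr`, `public-no-allowlist`, `no-ip-config`) and stays silent on the two secure shapes from the examples above. The `0.0.0.0/0` case goes beyond the literal the rule text names but is the same exposure, so the checker treats both forms alike.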

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
- name: sql_instance
  google.cloud.gcp_sql_instance:
    auth_kind: serviceaccount
    name: '{{ resource_name }}-2'
    project: test_project
    region: us-central1
    service_account_file: /tmp/auth.pem
    settings:
      ip_configuration:
        authorized_networks:
        - name: google dns server
          value: 8.8.8.8/32
      tier: db-n1-standard-1
    state: present
```

The `8.8.8.8/32` entry passes the rule because it is a single explicit host, but it is only a placeholder; in practice list the application, VPN, or bastion CIDRs that actually need to reach the instance.

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
- name: sql_instance
  google.cloud.gcp_sql_instance:
    auth_kind: serviceaccount
    name: "{{ resource_name }}-2"
    project: test_project
    region: us-central1
    service_account_file: /tmp/auth.pem
    settings:
      ip_configuration:
        authorized_networks:
          - name: "google dns server"
            value: "0.0.0.0"
      tier: db-n1-standard-1
    state: present
- name: sql_instance2
  google.cloud.gcp_sql_instance:
    auth_kind: serviceaccount
    name: "{{ resource_name }}-2"
    project: test_project
    region: us-central1
    service_account_file: /tmp/auth.pem
    settings:
      ip_configuration:
        ipv4_enabled: yes
      tier: db-n1-standard-1
    state: present
- name: sql_instance3
  google.cloud.gcp_sql_instance:
    auth_kind: serviceaccount
    name: "{{ resource_name }}-2"
    project: test_project
    region: us-central1
    service_account_file: /tmp/auth.pem
    settings:
      tier: db-n1-standard-1
    state: present
```
