---
title: MySQL SSL connection disabled
description: Datadog, the leading service for cloud-scale monitoring.
---

# MySQL SSL connection disabled

## Metadata{% #metadata %}

**Id:** `2a901825-0f3b-4655-a0fe-e0470e50f8e6`

**Cloud Provider:** Azure

**Platform:** Ansible

**Severity:** Medium

**Category:** Encryption

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_mysqlserver_module.html)

### Description{% #description %}

MySQL servers must enforce SSL/TLS connections to protect data in transit and prevent interception or man-in-the-middle attacks. For Ansible tasks using the `azure.azcollection.azure_rm_mysqlserver` or `azure_rm_mysqlserver` modules, the `enforce_ssl` property must be defined and set to `true` so the server requires TLS for client connections.

Resources missing this property or with `enforce_ssl: false` (the default) are flagged. Use Ansible boolean values such as `true` or `yes` to enable this setting. The rule treats Ansible truthy values as valid.

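```yaml
- name: Create Azure MySQL server with SSL enforced
  azure.azcollection.azure_rm_mysqlserver:
    name: my-mysql-server
    resource_group: my-rg
    location: eastus
    # sku is a dictionary with name and tier, as in the examples below
    sku:
      name: B_Gen5_1
      tier: Basic
    version: "5.7"
    # the module's credential parameters are admin_username and admin_password
    admin_username: adminuser
    admin_password: "{{ mysql_password }}"
    # require TLS for all client connections
    enforce_ssl: true
```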
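
The check described above, written out as an added Python example over already-parsed task dictionaries (it is not Datadog's rule implementation). The truthy set is the one Ansible's boolean conversion accepts, the recursion into `block`/`rescue`/`always` goes beyond what this page states, and all function names and sample tasks are constructed for illustration.

```python
# Added example: re-implements the described check over parsed Ansible tasks.
MYSQL_MODULES = ("azure.azcollection.azure_rm_mysqlserver", "azure_rm_mysqlserver")
# Strings Ansible's boolean conversion accepts as true (compared lower-cased).
TRUTHY_STRINGS = {"y", "yes", "on", "1", "true", "t"}


def is_truthy(value):
    """Return True when Ansible would convert `value` to boolean true."""
    if isinstance(value, bool):
        return value
    if isinstance(value, (int, float)):
        return value == 1
    if isinstance(value, str):
        # Templated values such as "{{ ssl }}" cannot be resolved statically
        # and are therefore reported as not true.
        return value.strip().lower() in TRUTHY_STRINGS
    return False


def find_violations(tasks):
    """Return (task name, reason) pairs for MySQL tasks that do not enforce SSL."""
    findings = []
    for task in tasks:
        # Recurse into nested sections so tasks inside blocks are not skipped.
        for section in ("block", "rescue", "always"):
            findings.extend(find_violations(task.get(section) or []))
        for module in MYSQL_MODULES:
            args = task.get(module)
            if not isinstance(args, dict):
                continue
            name = task.get("name", "<unnamed>")
            if "enforce_ssl" not in args:
                findings.append((name, "enforce_ssl is undefined"))
            elif not is_truthy(args["enforce_ssl"]):
                findings.append((name, "enforce_ssl is not true"))
    return findings


# Constructed sample: tasks in the shape a YAML parser would return them.
SAMPLE_TASKS = [
    {"name": "ok", "azure.azcollection.azure_rm_mysqlserver": {"name": "db1", "enforce_ssl": "yes"}},
    {"name": "missing", "azure_rm_mysqlserver": {"name": "db2"}},
    {"name": "wrapper", "block": [
        {"name": "disabled", "azure.azcollection.azure_rm_mysqlserver": {"name": "db3", "enforce_ssl": False}},
    ]},
]

if __name__ == "__main__":
    for task_name, reason in find_violations(SAMPLE_TASKS):
        print(f"{task_name}: {reason}")
```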

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
- name: Create (or update) MySQL Server
  azure.azcollection.azure_rm_mysqlserver:
    resource_group: myResourceGroup
    name: testserver
    sku:
      name: B_Gen5_1
      tier: Basic
    location: eastus
    storage_mb: 1024
    enforce_ssl: true
    version: 5.6
    admin_username: cloudsa
    admin_password: password
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
---
- name: Create (or update) MySQL Server
  azure.azcollection.azure_rm_mysqlserver:
    resource_group: myResourceGroup
    name: testserver
    sku:
      name: B_Gen5_1
      tier: Basic
    location: eastus
    storage_mb: 1024
    version: 5.6
    admin_username: cloudsa
    admin_password: password
- name: Create (or update) MySQL Server2
  azure.azcollection.azure_rm_mysqlserver:
    resource_group: myResourceGroup
    name: testserver
    sku:
      name: B_Gen5_1
      tier: Basic
    location: eastus
    storage_mb: 1024
    enforce_ssl: false
    version: 5.6
    admin_username: cloudsa
    admin_password: password
```
