Metadata

Id: 0c82eae2-aca0-401f-93e4-fb37a0f9e5e8

Cloud Provider: GCP

Platform: Ansible

Severity: Medium

Category: Backup

Description

Cloud SQL instances must have backups enabled so you can recover from accidental deletion, data corruption, or ransomware. Without backups, data loss can be permanent and service restoration time increases.

For Ansible resources using google.cloud.gcp_sql_instance or gcp_sql_instance, ensure the settings.backup_configuration.enabled property is present and set to true. Resources missing settings, settings.backup_configuration, or settings.backup_configuration.enabled, or where enabled is false, are flagged.

Secure configuration example:

- name: Create Cloud SQL instance with backups enabled
  google.cloud.gcp_sql_instance:
    name: my-instance
    settings:
      tier: db-f1-micro
      backup_configuration:
        enabled: true
        start_time: "03:00"

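The check described above, written out as an added example that is not Datadog's own scanner: it walks a list of Ansible tasks (as PyYAML would load them, so `yes`/`no` already arrive as booleans) and reports the four non-compliant shapes the rule flags. The task list, the function names and the handling of string spellings of booleans are this example's assumptions.

```python
"""Flag Ansible gcp_sql_instance tasks whose backup_configuration.enabled is not true."""
from typing import Any, Dict, List, Optional, Tuple

# Both module spellings named on the page.
SQL_MODULES = {"google.cloud.gcp_sql_instance", "gcp_sql_instance"}


def is_true(value: Any) -> bool:
    """Accept the bool spellings Ansible's bool argument type accepts (assumption: YAML 1.1 style)."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in {"true", "yes", "on", "1"}


def check_task(task: Dict[str, Any]) -> Optional[str]:
    """Return why a Cloud SQL task is non-compliant, or None if compliant / out of scope."""
    module = next((key for key in task if key in SQL_MODULES), None)
    if module is None:
        return None  # not a Cloud SQL instance task
    args = task[module]
    if not isinstance(args, dict):
        return "module arguments are not a mapping"
    settings = args.get("settings")
    if not isinstance(settings, dict):
        return "settings missing"
    backup = settings.get("backup_configuration")
    if not isinstance(backup, dict):
        return "settings.backup_configuration missing"
    if "enabled" not in backup:
        return "settings.backup_configuration.enabled missing"
    if not is_true(backup["enabled"]):
        return "settings.backup_configuration.enabled is not true"
    return None


def audit(tasks: List[Dict[str, Any]]) -> List[Tuple[str, str]]:
    """Collect (task name, reason) for every flagged task."""
    findings = []
    for task in tasks:
        reason = check_task(task)
        if reason:
            findings.append((task.get("name", "<unnamed>"), reason))
    return findings


# Constructed sample mirroring the page's compliant and non-compliant tasks.
SAMPLE_TASKS = [
    {"name": "ok", "google.cloud.gcp_sql_instance": {"name": "a", "settings": {
        "backup_configuration": {"binary_log_enabled": True, "enabled": True}, "tier": "db-n1-standard-1"}}},
    {"name": "no settings", "gcp_sql_instance": {"name": "b", "region": "us-central1"}},
    {"name": "no backup_configuration", "google.cloud.gcp_sql_instance": {"name": "c", "settings": {"tier": "db-n1-standard-1"}}},
    {"name": "enabled missing", "google.cloud.gcp_sql_instance": {"name": "d", "settings": {"backup_configuration": {"binary_log_enabled": True}}}},
    {"name": "enabled no", "google.cloud.gcp_sql_instance": {"name": "e", "settings": {"backup_configuration": {"enabled": "no"}}}},
    {"name": "unrelated", "debug": {"msg": "not a Cloud SQL task"}},
]
```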
Compliant Code Examples

# Compliant: settings.backup_configuration.enabled is present and true.
- name: create an instance
  google.cloud.gcp_sql_instance:
    name: '{{ resource_name }}-2'
    settings:
      backup_configuration:
        binary_log_enabled: yes
        enabled: yes
      tier: db-n1-standard-1
    region: us-central1
    project: test_project
    auth_kind: serviceaccount
    service_account_file: /tmp/auth.pem
    state: present

Non-Compliant Code Examples

---
# Non-compliant: no settings block at all.
- name: create an instance
  google.cloud.gcp_sql_instance:
    name: "{{ resource_name }}-2"
    region: us-central1
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
# Non-compliant: settings present, but no backup_configuration.
- name: create a second instance
  google.cloud.gcp_sql_instance:
    name: "{{ resource_name }}-2"
    settings:
      tier: db-n1-standard-1
    region: us-central1
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
# Non-compliant: backup_configuration present, but enabled is missing.
- name: create a third instance
  google.cloud.gcp_sql_instance:
    name: "{{ resource_name }}-2"
    settings:
      backup_configuration:
        binary_log_enabled: yes
      tier: db-n1-standard-1
    region: us-central1
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
# Non-compliant: enabled is explicitly false.
- name: create a fourth instance
  google.cloud.gcp_sql_instance:
    name: "{{ resource_name }}-2"
    settings:
      backup_configuration:
        binary_log_enabled: yes
        enabled: no
      tier: db-n1-standard-1
    region: us-central1
    project: test_project
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present