sql

Sample rules

A few rules that use objects from this package:

non_car_gcp_sql_database_ssl_required

from typing import List, Dict

from cloudrail.knowledge.context.gcp.gcp_environment_context import GcpEnvironmentContext
from cloudrail.knowledge.rules.base_rule import Issue
from cloudrail.knowledge.rules.gcp.gcp_base_rule import GcpBaseRule
from cloudrail.knowledge.rules.rule_parameters.base_paramerter import ParameterType


class SqlDatabaseSslRequiredRule(GcpBaseRule):
    def get_id(self) -> str:
        return 'non_car_gcp_sql_database_ssl_required'

    def execute(self, env_context: GcpEnvironmentContext, parameters: Dict[ParameterType, any]) -> List[Issue]:
        issues: List[Issue] = []
        for sql_db_instance in env_context.sql_database_instances:
            if sql_db_instance.settings and not sql_db_instance.settings.ip_configuration.require_ssl:
                issues.append(
                    Issue(
                        f"The {sql_db_instance.get_type()} `{sql_db_instance.get_friendly_name()}` is not enforcing SSL connections",
                        sql_db_instance,
                        sql_db_instance))
        return issues

    def should_run_rule(self, environment_context: GcpEnvironmentContext) -> bool:
        return bool(environment_context.sql_database_instances)

non_car_cloud_sql_database_instance_no_public_ip

from typing import List, Dict

from cloudrail.knowledge.context.gcp.gcp_environment_context import GcpEnvironmentContext
from cloudrail.knowledge.rules.base_rule import Issue
from cloudrail.knowledge.rules.gcp.gcp_base_rule import GcpBaseRule
from cloudrail.knowledge.rules.rule_parameters.base_paramerter import ParameterType


class SqlDatabaseNoPublicIpRule(GcpBaseRule):
    def get_id(self) -> str:
        return 'non_car_cloud_sql_database_instance_no_public_ip'

    def execute(self, env_context: GcpEnvironmentContext, parameters: Dict[ParameterType, any]) -> List[Issue]:
        issues: List[Issue] = []
        for sql_db_instance in env_context.sql_database_instances:
            if sql_db_instance.settings and sql_db_instance.settings.ip_configuration.ipv4_enabled:
                issues.append(
                    Issue(
                        f"The Google Cloud database instance `{sql_db_instance.name}` has ipv4_enabled attribute set to true.",
                        sql_db_instance,
                        sql_db_instance))
        return issues

    def should_run_rule(self, environment_context: GcpEnvironmentContext) -> bool:
        return bool(environment_context.sql_database_instances)

`GcpSqlDBInstanceIPConfigAuthNetworks` `dataclass`

Attributes:

Name	Type	Description
`expiration_time`	`Optional[datetime.datetime]`	(Optional) The RFC 3339 formatted date time string indicating when this whitelist expires.
`name`	`Optional[str]`	(Optional) A name for this whitelist entry.
`value`	`str`	(Required) A CIDR notation IPv4 or IPv6 address that is allowed to access this instance. Must be set even if other two attributes are not for the whitelist to become active.

`GcpSqlDBInstanceSettings` `dataclass`

Attributes:

Name	Type	Description
`tier`	`str`	(Required) The machine type to use.
`database_flags`	`Optional[List[cloudrail.knowledge.context.gcp.resources.sql.gcp_sql_database_instance.GcpSqlDBInstanceSettingsDBFlags]]`	(Optional) A sublist to support database flags. A "name" and "value" are required.
`backup_configuration`	`Optional[cloudrail.knowledge.context.gcp.resources.sql.gcp_sql_database_instance.GcpSqlDBInstanceSettingsBackupConfig]`	(Optional) A subblock of backup configuration parameters.
`ip_configuration`	`Optional[cloudrail.knowledge.context.gcp.resources.sql.gcp_sql_database_instance.GcpSqlDBInstanceSettingsIPConfig]`	(Optional) A sublock of IP configuration parameters.

`GcpSqlDBInstanceSettingsBackupConfig` `dataclass`

Attributes:

Name	Type	Description
`binary_log_enabled`	`Optional[bool]`	(Optional) True if binary logging is enabled. Applicable for MySql only.
`enabled`	`Optional[bool]`	(Optional) True if backup configuration is enabled.
`start_time`	`Optional[datetime.datetime]`	(Optional) HH:MM format time indicating when backup configuration starts.
`point_in_time_recovery_enabled`	`Optional[bool]`	(Optional) True if Point-in-time recovery is enabled. Applicable for PostGres only.
`location`	`Optional[str]`	(Optional) The region where the backup will be stored.
`transaction_log_retention_days`	`Optional[int]`	(Optional) The number of days of transaction logs retained for point in time restore, from 1-7.
`backup_retention_settings`	`Optional[cloudrail.knowledge.context.gcp.resources.sql.gcp_sql_database_instance.GcpSqlDBInstanceSettingsBackupRetention]`	(Optional) A subblock of backup retention configuration parameters.

`GcpSqlDBInstanceSettingsBackupRetention` `dataclass`

Attributes:

Name	Type	Description
`retained_backups`	`int`	(Required) Depending on the value of retention_unit, this is used to determine if a backup needs to be deleted.
`retention_unit`	`Optional[str]`	(Optional) The unit that 'retained_backups' represents. Defaults to COUNT.

`GcpSqlDBInstanceSettingsDBFlags` `dataclass`

Attributes:

Name	Type	Description
`name`	`str`	(Required) Name of the flag.
`value`	`str`	(Required) Value of the flag.

`GcpSqlDBInstanceSettingsIPConfig` `dataclass`

Attributes:

Name	Type	Description
`ipv4_enabled`	`Optional[bool]`	(Optional) If the Sql instance should be assigned a public ipv4 address. Either ipv4_enabled must be enabled or a private_network must be configured.
`private_network`	`Optional[str]`	(Optional) The VPC network from which the Cloud SQL instance is accessible for private IP.
`require_ssl`	`Optional[bool]`	(Optional) An indication if this instance requires SSL or not.
`authorized_networks`	`Optional[List[cloudrail.knowledge.context.gcp.resources.sql.gcp_sql_database_instance.GcpSqlDBInstanceIPConfigAuthNetworks]]`	(Optional) A sublist that specifies networks authorized to access the resources.

`GcpSqlDBInstanceType (Enum)`

An enumeration.

`GcpSqlDBInstanceVersion (Enum)`

An enumeration.

`GcpSqlDatabaseInstance (GcpResource)`

Attributes:

Name	Type	Description
`name`	`Optional[str]`	(Optional, Computed) The name of this SQL database instance.
`region`	`Optional[str]`	(Optional) The region where this instance resides.
`settings`	`Optional[GcpSqlDBInstanceSettings]`	(Optional) The settings used for the sql instance.
`database_version`	`Optional[GcpSqlDBInstanceVersion]`	(Optional, Default: MYSQL_5_6) The version of the sql database.

`custom_invalidation(self)` `inherited`

A list of manual reasons why this resource should be invalidated

`exclude_from_invalidation(self)` `inherited`

A list of attributes that should be excluded from the invalidation process

sql

Sample rules

GcpSqlDBInstanceIPConfigAuthNetworks dataclass

GcpSqlDBInstanceSettings dataclass

GcpSqlDBInstanceSettingsBackupConfig dataclass

GcpSqlDBInstanceSettingsBackupRetention dataclass

GcpSqlDBInstanceSettingsDBFlags dataclass

GcpSqlDBInstanceSettingsIPConfig dataclass

GcpSqlDBInstanceType (Enum)

GcpSqlDBInstanceVersion (Enum)

GcpSqlDatabaseInstance (GcpResource)

custom_invalidation(self) inherited

exclude_from_invalidation(self) inherited

`GcpSqlDBInstanceIPConfigAuthNetworks` `dataclass`

`GcpSqlDBInstanceSettings` `dataclass`

`GcpSqlDBInstanceSettingsBackupConfig` `dataclass`

`GcpSqlDBInstanceSettingsBackupRetention` `dataclass`

`GcpSqlDBInstanceSettingsDBFlags` `dataclass`

`GcpSqlDBInstanceSettingsIPConfig` `dataclass`

`GcpSqlDBInstanceType (Enum)`

`GcpSqlDBInstanceVersion (Enum)`

`GcpSqlDatabaseInstance (GcpResource)`

`custom_invalidation(self)` `inherited`

`exclude_from_invalidation(self)` `inherited`