Checkmarx · cx-andre-pereira · Apr 7, 2026 · Apr 7, 2026 · Apr 8, 2026 · Apr 8, 2026
diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/metadata.json b/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/metadata.json
@@ -4,7 +4,7 @@
   "severity": "HIGH",
   "category": "Encryption",
   "descriptionText": "Cloud SQL Database Instance should have SSL enabled",
-  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance#require_ssl",
+  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance#ssl_mode-1",
   "platform": "Terraform",
   "descriptionID": "8983549e",
   "cloudProvider": "gcp",

diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/query.rego b/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/query.rego
@@ -3,6 +3,8 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
 
+allowed_ssl_modes := ["ENCRYPTED_ONLY", "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"]
+
 CxPolicy[result] {
 	settings := input.document[i].resource.google_sql_database_instance[name].settings
 
@@ -26,6 +28,7 @@ CxPolicy[result] {
 	settings := input.document[i].resource.google_sql_database_instance[name].settings
 	ip_configuration := settings.ip_configuration
 
+	not common_lib.valid_key(ip_configuration, "ssl_mode")
 	not common_lib.valid_key(ip_configuration, "require_ssl")
 
 	result := {
@@ -34,17 +37,39 @@ CxPolicy[result] {
 		"resourceName": tf_lib.get_resource_name(input.document[i].resource.google_sql_database_instance[name].settings, name),
 		"searchKey": sprintf("google_sql_database_instance[%s].settings.ip_configuration", [name]),
 		"issueType": "MissingAttribute",
-		"keyExpectedValue": "'settings.ip_configuration.require_ssl' should be defined and not null",
-		"keyActualValue": "'settings.ip_configuration.require_ssl' is undefined or null",
+		"keyExpectedValue": "'settings.ip_configuration.ssl_mode' should be defined and not null",
+		"keyActualValue": "'settings.ip_configuration.ssl_mode' is undefined or null",
 		"searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name],["settings", "ip_configuration"]),
-		"remediation": "require_ssl = true",
+		"remediation": "ssl_mode = TRUSTED_CLIENT_CERTIFICATE_REQUIRED",
 		"remediationType": "addition",
 	}
 }
 
 CxPolicy[result] {
 	settings := input.document[i].resource.google_sql_database_instance[name].settings
 
+	not common_lib.inArray(allowed_ssl_modes, settings.ip_configuration.ssl_mode)
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": "google_sql_database_instance",
+		"resourceName": tf_lib.get_resource_name(input.document[i].resource.google_sql_database_instance[name].settings, name),
+		"searchKey": sprintf("google_sql_database_instance[%s].settings.ip_configuration.ssl_mode", [name]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": "'settings.ip_configuration.ssl_mode' should be set to 'ENCRYPTED_ONLY' or 'TRUSTED_CLIENT_CERTIFICATE_REQUIRED'",
+		"keyActualValue": sprintf("'settings.ip_configuration.ssl_mode' is set to '%s'", [settings.ip_configuration.ssl_mode]),
+		"searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name],["settings", "ip_configuration", "ssl_mode"]),
+		"remediation": json.marshal({
+			"before": settings.ip_configuration.ssl_mode,
+			"after": "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
+		}),
+		"remediationType": "replacement",
+	}
+}
+
+CxPolicy[result] {																			# legacy support (terraform version < 6.0.1)
+	settings := input.document[i].resource.google_sql_database_instance[name].settings
+
 	settings.ip_configuration.require_ssl == false
 
 	result := {

diff --git a/...stance_with_ssl_disabled/test/negative.tf → ...tance_with_ssl_disabled/test/negative1.tf b/...stance_with_ssl_disabled/test/negative.tf → ...tance_with_ssl_disabled/test/negative1.tf
@@ -1,4 +1,4 @@
-resource "google_sql_database_instance" "negative1" {
+resource "google_sql_database_instance" "negative1" {   # legacy support (terraform version < 6.0.1)
   provider = google-beta
 
   name   = "private-instance-${random_id.db_name_suffix.hex}"

diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/negative2.tf b/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/negative2.tf
@@ -0,0 +1,33 @@
+resource "google_sql_database_instance" "negative1" {
+  name   = "private-instance-encrypted"
+  region = "us-central1"
+
+  depends_on = [google_service_networking_connection.private_vpc_connection]
+
+  settings {
+    tier = "db-f1-micro"
+
+    ip_configuration {
+      ipv4_enabled    = false
+      private_network = google_compute_network.private_network.id
+      ssl_mode        = "ENCRYPTED_ONLY"  # Only allows connections encrypted with SSL/TLS
+    }
+  }
+}
+
+resource "google_sql_database_instance" "negative2" {
+  name   = "private-instance-trusted-cert"
+  region = "us-central1"
+
+  depends_on = [google_service_networking_connection.private_vpc_connection]
+
+  settings {
+    tier = "db-f1-micro"
+
+    ip_configuration {
+      ipv4_enabled    = false
+      private_network = google_compute_network.private_network.id
+      ssl_mode        = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"  # Only allow connections encrypted with SSL/TLS and with valid client certificates
+    }
+  }
+}
diff --git a/...stance_with_ssl_disabled/test/positive.tf → ...tance_with_ssl_disabled/test/positive1.tf b/...stance_with_ssl_disabled/test/positive.tf → ...tance_with_ssl_disabled/test/positive1.tf
@@ -1,4 +1,4 @@
-resource "google_sql_database_instance" "positive1" {
+resource "google_sql_database_instance" "positive1" {   # legacy support (terraform version < 6.0.1)
   provider = google-beta
 
   name   = "private-instance-${random_id.db_name_suffix.hex}"
@@ -7,11 +7,11 @@ resource "google_sql_database_instance" "positive1" {
   depends_on = [google_service_networking_connection.private_vpc_connection]
 
   settings {
-    tier = "db-f1-micro"
+    tier = "db-f1-micro"  # Undefined "ip_configuration"
   }
 }
 
-resource "google_sql_database_instance" "positive2" {
+resource "google_sql_database_instance" "positive2" {   # legacy support (terraform version < 6.0.1)
   provider = google-beta
 
   name   = "private-instance-${random_id.db_name_suffix.hex}"
@@ -24,11 +24,12 @@ resource "google_sql_database_instance" "positive2" {
     ip_configuration {
       ipv4_enabled    = false
       private_network = google_compute_network.private_network.id
+      # Undefined "require_ssl"
     }
   }
 }
 
-resource "google_sql_database_instance" "positive3" {
+resource "google_sql_database_instance" "positive3" {   # legacy support (terraform version < 6.0.1)
   provider = google-beta
 
   name   = "private-instance-${random_id.db_name_suffix.hex}"

diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/positive2.tf b/assets/queries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/positive2.tf
@@ -0,0 +1,51 @@
+
+resource "google_sql_database_instance" "positive1" {
+  name   = "private-instance-no-ssl-mode"
+  region = "us-central1"
+
+  depends_on = [google_service_networking_connection.private_vpc_connection]
+
+  settings {
+    tier = "db-f1-micro"
+
+    ip_configuration {
+      ipv4_enabled    = false
+      private_network = google_compute_network.private_network.id
+      # Undefined "ssl_mode"
+    }
+  }
+}
+
+resource "google_sql_database_instance" "positive2" {
+  name   = "private-instance-unspecified"
+  region = "us-central1"
+
+  depends_on = [google_service_networking_connection.private_vpc_connection]
+
+  settings {
+    tier = "db-f1-micro"
+
+    ip_configuration {
+      ipv4_enabled    = false
+      private_network = google_compute_network.private_network.id
+      ssl_mode        = "SSL_MODE_UNSPECIFIED"  # Unexpected value
+    }
+  }
+}
+
+resource "google_sql_database_instance" "positive3" {
+  name   = "private-instance-unencrypted"
+  region = "us-central1"
+
+  depends_on = [google_service_networking_connection.private_vpc_connection]
+
+  settings {
+    tier = "db-f1-micro"
+
+    ip_configuration {
+      ipv4_enabled    = false
+      private_network = google_compute_network.private_network.id
+      ssl_mode        = "ALLOW_UNENCRYPTED_AND_ENCRYPTED"  # Allows unencrypted (non-SSL/non-TLS) connections
+    }
+  }
+}
diff --git a/...ueries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/positive_expected_result.json b/...ueries/terraform/gcp/sql_db_instance_with_ssl_disabled/test/positive_expected_result.json
@@ -2,16 +2,37 @@
   {
     "queryName": "SQL DB Instance With SSL Disabled",
     "severity": "HIGH",
-    "line": 9
+    "line": 9,
+    "fileName": "positive1.tf"
   },
   {
     "queryName": "SQL DB Instance With SSL Disabled",
     "severity": "HIGH",
-    "line": 24
+    "line": 24,
+    "fileName": "positive1.tf"
   },
   {
     "queryName": "SQL DB Instance With SSL Disabled",
     "severity": "HIGH",
-    "line": 44
+    "line": 45,
+    "fileName": "positive1.tf"
+  },
+  {
+    "queryName": "SQL DB Instance With SSL Disabled",
+    "severity": "HIGH",
+    "line": 11,
+    "fileName": "positive2.tf"
+  },
+  {
+    "queryName": "SQL DB Instance With SSL Disabled",
+    "severity": "HIGH",
+    "line": 31,
+    "fileName": "positive2.tf"
+  },
+  {
+    "queryName": "SQL DB Instance With SSL Disabled",
+    "severity": "HIGH",
+    "line": 48,
+    "fileName": "positive2.tf"
   }
 ]