no-contained-db-auth
Default Severity: medium
Explanation
Users with ALTER permissions on users can grant access to a contained database without the knowledge of an administrator
Possible Impact
Access can be granted without knowledge of the database administrator
Suggested Resolution
Disable contained database authentication
Insecure Example
The following example will fail the google-sql-no-contained-db-auth check.
resource "google_sql_database_instance" "db" {
name = "db"
database_version = "SQLSERVER_2017_STANDARD"
region = "us-central1"
}
Secure Example
The following example will pass the google-sql-no-contained-db-auth check.
resource "google_sql_database_instance" "db" {
name = "db"
database_version = "SQLSERVER_2017_STANDARD"
region = "us-central1"
settings {
database_flags {
name = "contained database authentication"
value = "off"
}
}
}