Expected Behavior
A google_sql_database_instance with settings.ip_configuration[].ssl_mode set to "TRUSTED_CLIENT_CERTIFICATE_REQUIRED" or "ENCRYPTED_ONLY" should be a negative. settings.ip_configuration[].require_ssl is deprecated and removed from the provider as of version 6.0.1.
Actual Behavior
KICS is looking for the deprecated attribute settings.ip_configuration[].require_ssl and returning a false positive in its absence.
Steps to Reproduce the Problem
Use the following file
resource "google_sql_database_instance" "psql" {
  name             = "test-psql-database"
  region           = "europe-west1"
  database_version = "POSTGRES_15"
  project          = "my-project"

  settings {
    activation_policy = "ALWAYS"
    availability_type = "REGIONAL"
    disk_autoresize   = true

    ip_configuration {
      ipv4_enabled                                  = false
      private_network                               = var.vpc_id
      enable_private_path_for_google_cloud_services = true
      ssl_mode                                      = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
    }

    backup_configuration {
      binary_log_enabled             = var.binary_log_enabled
      enabled                        = var.backup_enabled
      location                       = var.region
      point_in_time_recovery_enabled = var.point_in_time_recovery_enabled
      start_time                     = var.backup_start_time
      transaction_log_retention_days = var.transaction_log_retention_days

      backup_retention_settings {
        retained_backups = var.retained_backups
      }
    }
  }
}
Run the following command:
docker run -t -v $PWD:/path checkmarx/kics:latest scan -p /path -o "/path/"
Get the following output:
...
Scanning with Keeping Infrastructure as Code Secure v2.1.2
Preparing Scan Assets: Done
Executing queries: [---------------------------------------------------] 100.00%
SQL DB Instance With SSL Disabled, Severity: HIGH, Results: 1
Description: Cloud SQL Database Instance should have SSL enabled
Platform: Terraform
Learn more about this vulnerability: https://docs.kics.io/latest/queries/terraform-queries/gcp/02474449-71aa-40a1-87ae-e14497747b00
[1]: ../../path/cloud_sql.tf:13
012:
013: ip_configuration {
014: ipv4_enabled = false
Results Summary:
CRITICAL: 0
HIGH: 1
MEDIUM: 0
LOW: 0
INFO: 0
TOTAL: 1
Generating Reports: Done
Specifications
N/A
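The following is an added illustration of the evaluation logic the report describes; it is not the KICS Rego query behind the "SQL DB Instance With SSL Disabled" check and not code from the issue author. It places the reported behaviour (only the removed require_ssl flag is consulted) beside a version that also honours ssl_mode, and runs both over constructed Terraform-shaped instances, including a dict mirroring the psql resource from the report. Assumptions: the third ssl_mode value, ALLOW_UNENCRYPTED_AND_ENCRYPTED, is the permissive value of the Cloud SQL Admin API and is not named on this page; when both attributes appear in one block, ssl_mode is treated as authoritative; all resource dicts are constructed sample input.

```python
"""Illustrative re-implementation of a "Cloud SQL instance enforces SSL?" check.

Not KICS code: it only models the logic the issue report complains about, and a
corrected variant, on Terraform-shaped dicts.
"""
from typing import Any, Callable, Dict, List, Mapping

# ssl_mode values accepted by the google provider / Cloud SQL Admin API. The
# issue names the two enforcing modes; ALLOW_UNENCRYPTED_AND_ENCRYPTED is the
# permissive value (assumption: taken from the GCP API, not from the page).
SSL_ENFORCING_MODES = frozenset({
    "ENCRYPTED_ONLY",
    "TRUSTED_CLIENT_CERTIFICATE_REQUIRED",
})
SSL_PERMISSIVE_MODE = "ALLOW_UNENCRYPTED_AND_ENCRYPTED"


def ip_configuration(resource: Mapping[str, Any]) -> Mapping[str, Any]:
    """Return settings.ip_configuration, or an empty block when it is absent
    (an instance with no ip_configuration block has nothing enforcing SSL)."""
    return resource.get("settings", {}).get("ip_configuration", {})


def legacy_ssl_enforced(resource: Mapping[str, Any]) -> bool:
    """Behaviour described in the report: only the deprecated require_ssl flag
    is consulted, so any block written for provider >= 6.x is flagged."""
    return ip_configuration(resource).get("require_ssl") is True


def ssl_enforced(resource: Mapping[str, Any]) -> bool:
    """Corrected logic: an enforcing ssl_mode, or the legacy flag on older
    provider versions, both count as SSL being enforced.

    Assumption: if both attributes are present, ssl_mode wins, since it is the
    attribute the current provider actually sends to the API."""
    cfg = ip_configuration(resource)
    mode = cfg.get("ssl_mode")
    if mode is not None:
        return mode in SSL_ENFORCING_MODES
    return cfg.get("require_ssl") is True


def scan(instances: Mapping[str, Mapping[str, Any]],
         check: Callable[[Mapping[str, Any]], bool]) -> List[str]:
    """Return the (sorted) names of instances the given check would flag."""
    return sorted(name for name, res in instances.items() if not check(res))


# Constructed sample input. "psql" mirrors the resource from the issue report;
# the others cover the permissive mode, a pre-6.0 config and a bare block.
SAMPLE_INSTANCES: Dict[str, Dict[str, Any]] = {
    "psql": {
        "database_version": "POSTGRES_15",
        "settings": {"ip_configuration": {
            "ipv4_enabled": False,
            "enable_private_path_for_google_cloud_services": True,
            "ssl_mode": "TRUSTED_CLIENT_CERTIFICATE_REQUIRED",
        }},
    },
    "psql_open": {
        "settings": {"ip_configuration": {"ssl_mode": SSL_PERMISSIVE_MODE}},
    },
    "mysql_legacy": {  # provider < 6.0 style, still valid for those versions
        "settings": {"ip_configuration": {"require_ssl": True}},
    },
    "mysql_default": {  # neither attribute set: SSL not enforced
        "settings": {"ip_configuration": {"ipv4_enabled": True}},
    },
}


if __name__ == "__main__":
    print("legacy check flags:   ", scan(SAMPLE_INSTANCES, legacy_ssl_enforced))
    print("corrected check flags:", scan(SAMPLE_INSTANCES, ssl_enforced))
```

Running the block shows the false positive directly: the legacy check flags the report's psql instance even though ssl_mode is TRUSTED_CLIENT_CERTIFICATE_REQUIRED, while the corrected check flags only the permissive and unconfigured instances.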