
[Feature] Add support for GCP Cloud SQL

Open kunaals opened this issue 2 weeks ago • 0 comments

Summary

Add support for ingesting GCP Cloud SQL resources into Cartography. Cloud SQL is Google Cloud's fully managed relational database service supporting MySQL, PostgreSQL, and SQL Server. This feature would allow Cartography to track Cloud SQL instances, databases, users, and their network/security configurations.

Motivation

GCP Cloud SQL is a foundational data service used across many organizations and represents a critical target for security analysis. By ingesting Cloud SQL resources, Cartography can surface:

  • Database instances and their configurations
  • Network connectivity (public IPs, private IPs, authorized networks)
  • SSL/TLS enforcement settings
  • Backup configurations and retention
  • Database users and their authentication methods
  • Replica configurations and failover settings

This unlocks graph-based security analysis such as:

  • Identifying databases with public IP addresses
  • Detecting instances without SSL enforcement
  • Finding databases with weak authorized network configurations (0.0.0.0/0)
  • Auditing backup retention compliance
  • Mapping which GCE instances or Cloud Run services can connect to databases
  • Tracking service account access to Cloud SQL

Proposed Solution

Extend the GCP intel module to call the Cloud SQL Admin APIs and model the following resources:

New Nodes:

  • GCPCloudSQLInstance - Database instances
  • GCPCloudSQLDatabase - Individual databases within instances
  • GCPCloudSQLUser - Database users
  • GCPCloudSQLBackup - Backup configurations

New Relationships:

  • (:GCPProject)-[:RESOURCE]->(:GCPCloudSQLInstance)
  • (:GCPCloudSQLInstance)-[:CONTAINS]->(:GCPCloudSQLDatabase)
  • (:GCPCloudSQLInstance)-[:HAS_USER]->(:GCPCloudSQLUser)
  • (:GCPCloudSQLInstance)-[:REPLICA_OF]->(:GCPCloudSQLInstance)
  • (:GCPCloudSQLInstance)-[:IN_NETWORK]->(:GCPVpc) (for private IP)
  • (:GCPCloudSQLInstance)-[:HAS_BACKUP_CONFIG]->(:GCPCloudSQLBackup)

Key Properties to capture on GCPCloudSQLInstance:

  • database_version (MYSQL_8_0, POSTGRES_15, SQLSERVER_2019_STANDARD, etc.)
  • tier (machine type)
  • ip_addresses (public and private)
  • authorized_networks (CIDR ranges allowed to connect)
  • ssl_mode (require SSL or not)
  • backup_enabled
  • availability_type (ZONAL, REGIONAL)
  • maintenance_window

GCP APIs to integrate:

  • sqladmin.googleapis.com - Cloud SQL Admin API
    • sql.instances.list
    • sql.databases.list
    • sql.users.list
    • sql.backupRuns.list
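As an added illustration (not Cartography's code or the issue author's), this flattens one constructed `sql.instances.list` item into the GCPCloudSQLInstance properties listed above and evaluates the instance-level checks from the Motivation section; the nested field names follow the Cloud SQL Admin API, while the flat property keys, the `findings` labels and the sample values are assumptions.

```python
import ipaddress

# Constructed sample item in the shape returned by sql.instances.list (abridged).
SAMPLE_INSTANCE = {
    "name": "orders-db",
    "project": "example-project",
    "databaseVersion": "POSTGRES_15",
    "ipAddresses": [{"type": "PRIMARY", "ipAddress": "203.0.113.10"},   # public
                    {"type": "PRIVATE", "ipAddress": "10.20.0.5"}],
    "settings": {
        "availabilityType": "ZONAL",
        "ipConfiguration": {
            "privateNetwork": "projects/example-project/global/networks/prod-vpc",
            "sslMode": "ALLOW_UNENCRYPTED_AND_ENCRYPTED",
            "authorizedNetworks": [{"name": "anywhere", "value": "0.0.0.0/0"}],
        },
        "backupConfiguration": {"enabled": False},
    },
}

def transform_instance(item: dict) -> dict:
    """Flatten one API item onto the GCPCloudSQLInstance properties proposed above."""
    settings = item.get("settings", {})
    ip_cfg = settings.get("ipConfiguration", {})
    ips = item.get("ipAddresses", [])
    return {
        "id": f"{item['project']}/{item['name']}",
        "database_version": item.get("databaseVersion"),
        "public_ips": [a["ipAddress"] for a in ips if a["type"] == "PRIMARY"],
        "authorized_networks": [n["value"] for n in ip_cfg.get("authorizedNetworks", [])],
        # Older responses carry the boolean requireSsl instead of sslMode; normalise both.
        "ssl_mode": ip_cfg.get("sslMode") or (
            "ENCRYPTED_ONLY" if ip_cfg.get("requireSsl") else "ALLOW_UNENCRYPTED_AND_ENCRYPTED"),
        "backup_enabled": settings.get("backupConfiguration", {}).get("enabled", False),
        "availability_type": settings.get("availabilityType"),
        "replica_of": item.get("masterInstanceName"),  # source of the REPLICA_OF edge
        "vpc": ip_cfg.get("privateNetwork"),           # source of the IN_NETWORK edge
    }

def findings(props: dict) -> list[str]:
    """The instance-level checks from the Motivation section, as simple predicates."""
    open_net = any(ipaddress.ip_network(c, strict=False).prefixlen == 0
                   for c in props["authorized_networks"])  # 0.0.0.0/0 or ::/0
    checks = {
        "public_ip": bool(props["public_ips"]),
        "open_authorized_network": open_net,
        "ssl_not_enforced": props["ssl_mode"] == "ALLOW_UNENCRYPTED_AND_ENCRYPTED",
        "backups_disabled": not props["backup_enabled"],
    }
    return [name for name, hit in checks.items() if hit]
```

Once loaded into the graph, the same predicates become Cypher filters on the node properties, so the per-instance checks here mirror the queries the issue wants to run fleet-wide.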

Alternatives Considered

  • Using Cloud Asset Inventory - CAI provides instance metadata but misses database-level details and user information
  • Focusing only on instances - misses the database and user-level granularity needed for access analysis

Relevant Links

kunaals, Dec 08 '25 19:12