
should not open the database to the whole internet

Open matthewfischer opened this issue 6 years ago • 5 comments

I'd like to remove this bit of code from the external SQL:

```hcl
authorized_networks = [
  {
    name  = "all"
    value = "0.0.0.0/0"
  },
]
```

There are a few ways to do this. First is that we should create NAT instances for externally bound traffic. This implies other changes. Secondly we could wait until Cloud SQL can do internal IPs and fix it then. Opening this for discussion.

matthewfischer avatar Sep 21 '18 19:09 matthewfischer

We have created an issue in Pivotal Tracker to manage this. Unfortunately, the Pivotal Tracker project is private so you may be unable to view the contents of the story.

The labels on this github issue will be updated when the story is started.

cf-gitbot avatar Sep 21 '18 19:09 cf-gitbot

Two things to consider:

  1. Private IP Cloud SQL is in beta
  2. If we do this we should use NAT GWs and not NAT Instances - but I don't believe they are as yet doable with terraform. (Also NAT GWs are also still in beta)

Perhaps by EOY we can re-evaluate both of these conditions. My preference would be to do both, default SQL to Private IP and yet also add optional NAT GWs.

matthewfischer avatar Nov 04 '18 23:11 matthewfischer

CC @cdutra

matthewfischer avatar Nov 04 '18 23:11 matthewfischer

@matthewfischer - can we try working in the private IPs first and then when NAT GWs become a thing introducing those? Seems like at least the Private IPs would be more secure in the short term.

Would you be open to making a PR for this?

zachgersh avatar Feb 08 '19 19:02 zachgersh

Wouldn't a shorter fix be to use the public IP assigned to the opsman instead since terraform knows it?

tybritten avatar Mar 26 '19 13:03 tybritten
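The two alternatives raised in this thread, a private-IP-only instance and a /32 restricted to the Ops Manager address, side by side with the 0.0.0.0/0 setting from the opening post. This is an added example, not code from terraforming-gcp; the resource names `google_compute_network.pcf_network` and `google_compute_address.ops_manager`, `var.region`, the tier and the database version are assumptions to be replaced with the module's own values.

```hcl
# Added example, not terraforming-gcp code. pcf_network, ops_manager,
# var.region, tier and database_version are assumed placeholders.

# Reserve an internal range that the Cloud SQL producer VPC is peered into.
resource "google_compute_global_address" "sql_peering_range" {
  name          = "sql-peering-range"
  purpose       = "VPC_PEERING"
  address_type  = "INTERNAL"
  prefix_length = 16
  network       = google_compute_network.pcf_network.self_link
}

# Private services access: peers our VPC with Google's service network so
# the instance can be given an address inside pcf_network.
resource "google_service_networking_connection" "sql_private_access" {
  network                 = google_compute_network.pcf_network.self_link
  service                 = "servicenetworking.googleapis.com"
  reserved_peering_ranges = [google_compute_global_address.sql_peering_range.name]
}

resource "google_sql_database_instance" "sql" {
  name             = "pcf-sql"
  database_version = "MYSQL_5_7"
  region           = var.region
  depends_on       = [google_service_networking_connection.sql_private_access]

  settings {
    tier = "db-n1-standard-1"

    ip_configuration {
      # Weak setting from the issue, kept only for comparison:
      # authorized_networks { name = "all"  value = "0.0.0.0/0" }

      # Preferred: no public IPv4 address; reachable only from inside the VPC.
      ipv4_enabled    = false
      private_network = google_compute_network.pcf_network.self_link

      # Interim alternative while a public IP is still needed: admit only the
      # Ops Manager address Terraform already manages, as a single /32.
      # ipv4_enabled = true
      # authorized_networks {
      #   name  = "ops-manager"
      #   value = "${google_compute_address.ops_manager.address}/32"
      # }
    }
  }
}
```

Either variant removes the world-reachable listener; the private-IP form also lets a later NAT gateway be added without touching the database configuration again.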