#@ load("/constraints.lib.star", "build_constraint")
#@ constraint = build_constraint("cloudsqlRequireSQLServerDatabaseFlags")
#@ if constraint.to_generate():
#! Custom organization policy constraint for Cloud SQL for SQL Server.
#! Applies to CREATE and UPDATE of sqladmin.googleapis.com/Instance and DENIES the
#! request when databaseVersion starts with 'SQLSERVER' and the database flags do
#! not match the expectations listed below.
name: #@ constraint.constraint_name()
resourceTypes:
- sqladmin.googleapis.com/Instance
methodTypes:
- CREATE
- UPDATE
#! Flags that are denied when explicitly set to the listed value
#! (the condition uses exists(); an absent flag passes these checks):
#! external scripts, set to off by default
#! cross db ownership chaining, set to off by default (deprecated)
#! contained database authentication, set to off by default
#! user connections, default to 0. Any non 0 value should be blocked
#! user options, default to 0. Any non 0 value should be blocked
#! Flags that must be present with the required value (the condition negates
#! exists(), so an instance without a matching flag -- including one with an
#! empty databaseFlags list -- is denied; if the field can be entirely unset,
#! confirm how the evaluator treats that case):
#! remote access, set to on by default
#! trace 3625, unsure if enabled by default, ensure value provided is on
#! NOTE(review): names and values are compared case-sensitively with ==; confirm
#! the API always reports them in exactly this lowercase form.
#! The condition is a folded block scalar: keep comments outside it, since a
#! line inside the scalar would become part of the CEL text.
condition: >-
resource.databaseVersion.startsWith('SQLSERVER') && (
resource.settings.databaseFlags.exists(flag, flag.name == 'external scripts enabled' && flag.value == 'on') ||
resource.settings.databaseFlags.exists(flag, flag.name == 'cross db ownership chaining' && flag.value == 'on') ||
resource.settings.databaseFlags.exists(flag, flag.name == 'contained database authentication' && flag.value == 'on') ||
resource.settings.databaseFlags.exists(flag, flag.name == 'user connections' && flag.value != '0') ||
resource.settings.databaseFlags.exists(flag, flag.name == 'user options' && flag.value != '0') ||
!resource.settings.databaseFlags.exists(flag, flag.name == 'remote access' && flag.value == 'off') ||
!resource.settings.databaseFlags.exists(flag, flag.name == '3625' && flag.value == 'on')
)
#! A true condition denies the request (this constraint lists violations, not allowed states).
actionType: DENY
display_name: Require Cloud SQL for SQLServer instance database flags to be configured correctly (e.g external scripts enabled ...)
description: Ensure Cloud SQL for SQLServer instance database flags are set correctly (e.g external scripts enabled ...)
#@ end