Skip to main content

More Info:

Determine if the SQL instances provisioned in the account are only of the type desired by the organization and nothing else.

Risk Level

Medium

Address

Operational Maturity

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

The following are the step-by-step instructions to remediate the misconfiguration “Determine SQL Instances Provisioned are of Desired Type” for GCP using GCP console:
  1. Open the Google Cloud Console and navigate to the SQL Instances page.
  2. Identify the SQL instances that are not of the desired type.
  3. Click on the name of the SQL instance that needs to be remediated.
  4. In the Instance details page, click on the Edit button at the top of the page.
  5. In the Edit page, scroll down to the Configuration Options section.
  6. In the Configuration Options section, select the desired SQL type from the drop-down menu.
  7. Click on the Save button at the bottom of the page to save the changes.
  8. Repeat the above steps for all the SQL instances that are not of the desired type.
  9. Verify that all the SQL instances are now of the desired type by checking the Instance details page for each SQL instance.
By following the above steps, you can remediate the misconfiguration “Determine SQL Instances Provisioned are of Desired Type” for GCP using GCP console.

The first step in remediating this misconfiguration is to identify all the SQL instances that are currently provisioned in your GCP environment and verify that they are of the desired type. Follow these steps to remediate this issue using the GCP CLI:
  1. Open the Cloud Shell in your GCP account.
  2. Run the following command to list all the SQL instances in your project: 
    gcloud sql instances list
  3. Review the output from the above command to identify the SQL instances that are currently provisioned in your project.
  4. Run the following command to describe a specific SQL instance: 
    gcloud sql instances describe INSTANCE_NAME
    Replace INSTANCE_NAME with the name of the SQL instance that you want to describe.
  5. Review the output from the above command to verify that the SQL instance is of the desired type.
If you find that any SQL instances are not of the desired type, you will need to create a new instance of the desired type and migrate your data to the new instance. Here are the steps to create a new SQL instance:
  1. Run the following command to create a new SQL instance: 
    gcloud sql instances create NEW_INSTANCE_NAME --tier=TIER --region=REGION
    Replace NEW_INSTANCE_NAME with a unique name for the new SQL instance, TIER with the desired tier (e.g. db-n1-standard-2) and REGION with the desired region (e.g. us-central1).
  2. Run the following command to set the root password for the new SQL instance: 
    gcloud sql users set-password root --host % --instance=NEW_INSTANCE_NAME --password=NEW_PASSWORD
    Replace NEW_INSTANCE_NAME with the name of the new SQL instance and NEW_PASSWORD with a strong password for the root user.
  3. Run the following command to create a new database in the new SQL instance: 
    gcloud sql databases create NEW_DATABASE_NAME --instance=NEW_INSTANCE_NAME
    Replace NEW_INSTANCE_NAME with the name of the new SQL instance and NEW_DATABASE_NAME with a unique name for the new database.
  4. Finally, you will need to migrate your data from the old SQL instance to the new SQL instance. You can use the Cloud SQL Admin API or a third-party tool to perform the migration. Once the migration is complete, you can delete the old SQL instance using the following command: 
    gcloud sql instances delete OLD_INSTANCE_NAME
    Replace OLD_INSTANCE_NAME with the name of the old SQL instance.
The misconfiguration “Determine SQL Instances Provisioned are of Desired Type” in GCP can be remediated using the following steps in Python:
  1. Import the necessary libraries:
from google.cloud import bigquery
from google.oauth2 import service_account
  1. Create a service account and authenticate using the JSON key file:
credentials = service_account.Credentials.from_service_account_file('path/to/key.json')
  1. Set the project ID and create a BigQuery client:
project_id = 'your-project-id'
client = bigquery.Client(project=project_id, credentials=credentials)
  1. Define the query to check for SQL instances that are not of the desired type:
query = """
SELECT
  project_id,
  name,
  settings.database_version
FROM
  `your-project-id`.region-us-central1.sqladmin.instances
WHERE
  settings.database_version != 'MYSQL_5_7'
  AND settings.database_version != 'POSTGRES_9_6'
"""
  1. Run the query and check the results:
query_job = client.query(query)

if query_job.result():
  print('There are SQL instances that are not of the desired type.')
  for row in query_job:
    print(f"Project ID: {row.project_id}, Instance Name: {row.name}, Database Version: {row.settings.database_version}")
else:
  print('All SQL instances are of the desired type.')
  1. If there are instances that are not of the desired type, you can update them using the Cloud SQL API:
from googleapiclient.discovery import build
from google.oauth2 import service_account

credentials = service_account.Credentials.from_service_account_file('path/to/key.json')

service = build('sqladmin', 'v1beta4', credentials=credentials)

project_id = 'your-project-id'
instance_name = 'your-instance-name'
instance_type = 'MYSQL_5_7' # or 'POSTGRES_9_6'

request = service.instances().patch(
    project=project_id,
    instance=instance_name,
    body={
        'settings': {
            'databaseVersion': instance_type
        }
    }
)

response = request.execute()
Note: Make sure to replace ‘path/to/key.json’, ‘your-project-id’, ‘your-instance-name’, ‘MYSQL_5_7’, and ‘POSTGRES_9_6’ with the correct values for your environment.