should not open the database to the whole internet

[matthewfischer]

I'd like to remove this bit of code from the external SQL:

authorized_networks = [ { name = "all" value = "0.0.0.0/0" }, ]

There are a few ways to do this. First is that we should create NAT instances for externally bound traffic. This implies other changes. Secondly we could wait until Cloud SQL can do internal IPs and fix it then. Opening this for discussion.

[cf-gitbot]

We have created an issue in Pivotal Tracker to manage this. Unfortunately, the Pivotal Tracker project is private so you may be unable to view the contents of the story.

The labels on this github issue will be updated when the story is started.

[matthewfischer]

Two things to consider:

1. Private IP Cloud SQL is in beta
2. If we do this we should use NAT GWs and not NAT Instances - but I don't believe they are as yet doable with terraform. (Also NAT GWs are also still in beta)

Perhaps by EOY we can re-evaluate both of these conditions. My preference would be do to both, default SQL to Private IP and yet also add optional NAT GWs.

[matthewfischer]

CC @cdutra

[zachgersh]

@matthewfischer - can we try working in the private IPs first and then when NAT GWs become a thing introducing those? Seems like at least the Private IPs would be more secure in the short term.

Would you be open to making a PR for this?

[tybritten]

Wouldn't a shorter fix be to use the public ip assigned to the opsman instead since terraform knows it?