False positive for CKV2_GCP_20 on GCP Cloud SQL (MySQL) replica #6593

Closed
lucaspierru-convelio opened this issue Jul 23, 2024 · 2 comments · Fixed by #6999
Labels
checks Check additions or changes stale


lucaspierru-convelio commented Jul 23, 2024

Describe the issue
Check CKV2_GCP_20: "Ensure MySQL DB instance has point-in-time recovery backup configured" is raising a false positive on a MySQL replica resource. A DB replica can't have any backup configuration, yet this check doesn't discriminate between a regular instance and a replica. A potential solution would be to condition this check on the absence of the master_instance_name attribute in the google_sql_database_instance resource (thus ignoring replica instances).

Examples
Terraform resource with backup configuration:

```hcl
resource "google_sql_database_instance" "replica" {
  name                 = "${google_sql_database_instance.default.name}-replica"
  database_version     = google_sql_database_instance.default.database_version
  region               = google_sql_database_instance.default.region
  project              = google_sql_database_instance.default.project
  master_instance_name = google_sql_database_instance.default.name

  settings {
    tier      = var.cloudsql_replica_machine_type
    disk_size = 40
    ip_configuration {
      ipv4_enabled    = true
      private_network = data.google_compute_network.default.id
    }
    database_flags {
      name  = "innodb_lock_wait_timeout"
      value = "240"
    }
    backup_configuration {
      binary_log_enabled             = true
      enabled                        = true
      location                       = "eu"
      start_time                     = "04:42"
      backup_retention_settings {
        retention_unit   = "COUNT"
        retained_backups = 7
      }
    }
  }
  deletion_protection = true
}
```

This code fails on terraform apply with the following error:

```text
╷
│ Error: Error, failed to update instance settings for : googleapi: Error 400: Invalid request: Invalid flag for instance role: Backups cannot be enabled for read replica instance.., invalid
│ 
│   with module.api_core.google_sql_database_instance.replica,
│   on ../../module/default/cloudsql.tf line 62, in resource "google_sql_database_instance" "replica":
│   62: resource "google_sql_database_instance" "replica" {
│ 
╵
```

When removing the backup_configuration block, terraform apply works, but check CKV2_GCP_20: "Ensure MySQL DB instance has point-in-time recovery backup configured" fails on this resource. This should not be the case, and this check shouldn't be run on replicas.

Version:

  • Dockerized Checkov using latest version (3.2.200 at the time of writing)
  • OpenTofu v1.6.2 with google-beta provider in version 5.31.1
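The fix proposed in the report, a replica-aware evaluation of the point-in-time-recovery check, as an added stand-alone example written for this page (not Checkov's own CKV2_GCP_20 implementation). It assumes the attribute shape Checkov hands to Python resource checks (each value wrapped in a single-element list) and an assumed pass condition of `backup_configuration.enabled` and `binary_log_enabled` both being true; the sample configs are constructed.

```python
from typing import Any, Dict

PASSED, FAILED, UNKNOWN = "PASSED", "FAILED", "UNKNOWN"


def _first(block: Dict[str, Any], key: str, default: Any = None) -> Any:
    """Unwrap Checkov-style single-element list values (assumed shape)."""
    value = block.get(key, default)
    return value[0] if isinstance(value, list) and value else value


def evaluate_pitr_check(conf: Dict[str, Any]) -> str:
    """Evaluate 'MySQL instance has point-in-time recovery backup configured'.

    Assumed pass condition: settings.backup_configuration.enabled and
    binary_log_enabled are both true (binary logging is what enables PITR on
    Cloud SQL for MySQL). Non-MySQL versions and read replicas are skipped.
    """
    # A replica cannot carry a backup configuration (the API rejects it),
    # so the check must not evaluate any resource that sets master_instance_name.
    if _first(conf, "master_instance_name"):
        return UNKNOWN
    version = str(_first(conf, "database_version", ""))
    if not version.upper().startswith("MYSQL"):
        return UNKNOWN
    settings = _first(conf, "settings", {}) or {}
    backup = _first(settings, "backup_configuration", {}) or {}
    if _first(backup, "enabled") is True and _first(backup, "binary_log_enabled") is True:
        return PASSED
    return FAILED


# Constructed sample configs, shaped like Checkov's parsed Terraform attributes.
REPLICA_NO_BACKUP = {
    "name": ["default-replica"],
    "database_version": ["MYSQL_8_0"],
    "master_instance_name": ["default"],
    "settings": [{"tier": ["db-n1-standard-1"]}],
}
PRIMARY_WITH_PITR = {
    "name": ["default"],
    "database_version": ["MYSQL_8_0"],
    "settings": [{"backup_configuration": [{"enabled": [True], "binary_log_enabled": [True]}]}],
}
PRIMARY_WITHOUT_PITR = {
    "name": ["default"],
    "database_version": ["MYSQL_8_0"],
    "settings": [{"backup_configuration": [{"enabled": [True]}]}],
}
```

With this ordering the replica from the report is skipped before any backup attribute is inspected, while a primary without binary logging still fails.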

stale bot commented Jan 25, 2025

Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at codifiedsecurity.slack.com
Thanks!


stale bot commented Feb 8, 2025

Closing issue due to inactivity. If you feel this is in error, please re-open, or reach out to the community via slack: codifiedsecurity.slack.com Thanks!

@stale stale bot closed this as completed Feb 8, 2025