GCP PostgreSQL instance database flag log_min_duration_statement is not set to -1
Description
Logging SQL statements may include sensitive information that should not be recorded in logs. This recommendation is applicable to PostgreSQL database instances. The log_min_duration_statement database flag defines the minimum amount of execution time in milliseconds of a statement where the total duration of the statement is logged. We recommend you ensure the log_min_duration_statement database flag for Cloud SQL PostgreSQL instances is disabled. To achieve this, set the value to -1.
Code Example
resource "google_sql_database_instance" "default" {
name = "master-instance"
database_version = "POSTGRES_11"
region = "us-central1"
settings {
+ database_flags {
+ name = "log_min_duration_statement"
+ value = "-1"
}
}
}Remediation
- GCP Console To change the policy using the GCP Console, follow these steps:*
. Log in to the GCP Console at https://console.cloud.google.com.
. Navigate to https://console.cloud.google.com/sql/instances [Cloud SQL Instances].
. Select the * PostgreSQL instance* where the database flag needs to be enabled.
. Click * Edit*.
. Scroll down to the * Flags* section.
. To set a flag that has not been set on the instance before, click * Add item*.
. Select the flag * og_min_duration_statement* from the drop-down menu, and set its value to * -1*.
. Click * Save*.
. Confirm the changes in the * Flags* section on the * Overview* page.
- CLI Command*
. List all Cloud SQL database instances using the following command: `gcloud sql instances list`
. Configure the `log_min_duration_statement` flag for every Cloud SQL PosgreSQL database instance using the below command: `gcloud sql instances patch INSTANCE_NAME --database-flags log_min_duration_statement=-1` + NOTE: This command will overwrite all database flags previously set. To keep those and add new ones, include the values for all flags to be set on the instance; any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (=).
=== Fix - Buildtime
Terraform
- Resource: google_sql_database_instance
- Arguments: database_version = "POSTGRES_* " settings::database_flags: key:"log_min_duration_statement", value: by default set to -1
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0916 |
| Severity | INFO |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_GCP_57 |