GCP PostgreSQL instance database flag log_duration is not set to on
Description
This policy checks whether the 'log_duration' flag is set to 'on' for a PostgreSQL database instance in Google Cloud Platform (GCP). When turned on, the 'log_duration' flag logs the duration of each completed SQL command run on the PostgreSQL instance.
If this flag is not enabled, you have less visibility when monitoring and diagnosing database performance issues. Troubleshooting and optimization become harder, because the durations of SQL commands are crucial to understanding where slowdowns or bottlenecks lie. Leaving 'log_duration' off therefore limits your ability to manage the database effectively.
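Code Example
```hcl
resource "google_sql_database_instance" "db" {
  name             = "db-instance"
  database_version = "POSTGRES_9_6"
  region           = "us-central1"

  settings {
    # settings.tier is required by the provider; this value is only an example.
    tier = "db-f1-micro"

    # Log the duration of every completed SQL statement.
    database_flags {
      name  = "log_duration"
      value = "on"
    }
  }
}
```
Remediation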
Terraform
- Resource: google_sql_database_instance
- Arguments: settings.database_flags
To fix this issue, you need to ensure that the 'log_duration' flag in the PostgreSQL database is set to 'on'.
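To confirm the flag before applying, the same condition can be evaluated against a Terraform plan. The following is an added example, not Checkov's own implementation and not code from this page: it assumes the plan has been exported with `terraform show -json`, and the sample plan, resource addresses and function names are constructed for illustration.

```python
# Constructed sample shaped like `terraform show -json plan.out` output.
SAMPLE_PLAN = {"planned_values": {"root_module": {
    "resources": [
        {"address": "google_sql_database_instance.ok",
         "type": "google_sql_database_instance",
         "values": {"database_version": "POSTGRES_9_6", "settings": [
             {"database_flags": [{"name": "log_duration", "value": "on"}]}]}},
        {"address": "google_sql_database_instance.off",
         "type": "google_sql_database_instance",
         "values": {"database_version": "POSTGRES_9_6", "settings": [
             {"database_flags": [{"name": "log_duration", "value": "off"}]}]}},
        {"address": "google_sql_database_instance.mysql",
         "type": "google_sql_database_instance",
         "values": {"database_version": "MYSQL_8_0", "settings": [{}]}},
    ],
    "child_modules": [{"resources": [
        {"address": "module.db.google_sql_database_instance.unset",
         "type": "google_sql_database_instance",
         "values": {"database_version": "POSTGRES_9_6",
                    "settings": [{"database_flags": []}]}}]}],
}}}


def iter_resources(module):
    """Yield resources from a module and every nested child module."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def find_missing_log_duration(plan):
    """Return addresses of PostgreSQL instances without log_duration = on."""
    failing = []
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in iter_resources(root):
        if res.get("type") != "google_sql_database_instance":
            continue
        values = res.get("values") or {}
        version = str(values.get("database_version", "")).upper()
        if not version.startswith("POSTGRES"):
            continue  # the flag only applies to PostgreSQL instances
        flags = {}
        for settings in values.get("settings") or []:  # blocks appear as lists
            for flag in settings.get("database_flags") or []:
                flags[flag.get("name")] = str(flag.get("value", "")).lower()
        if flags.get("log_duration") != "on":  # absent counts as not set
            failing.append(res["address"])
    return failing
```

An instance that omits the flag entirely is reported the same way as one that sets it to 'off', and instances declared inside modules are included.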
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0998 |
| Severity | INFO |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV2_GCP_13 |