terraform.gcp.best-practice.gcp-postgresql-log-temp.gcp-postgresql-log-temp


Ensure PostgreSQL database 'log_temp_files' flag is set to '0'


Definition

rules:
  # Reports a google_sql_database_instance whose database_flags blocks never
  # set log_temp_files to "0". (In PostgreSQL a value of 0 logs every
  # temporary file; confirm against the docs for the target version.)
  - id: gcp-postgresql-log-temp
    patterns:
      - pattern: resource
      # Scope: only instances that declare at least one database_flags block.
      # An instance with no database_flags block at all is therefore not
      # reported, even though it also lacks the log_temp_files = "0" setting.
      - pattern-inside: |
          resource "google_sql_database_instance" "..." {
            ...
            database_flags {
              ...
            }
            ...
          }
      # Exclusion: any database_flags block carrying exactly
      # name = "log_temp_files" and value = "0" makes the instance compliant.
      # The comparison is on the literal string "0". Nothing in this rule
      # inspects database_version, so non-PostgreSQL instances that declare
      # database_flags would appear to be reported as well.
      - pattern-not-inside: |
          resource "google_sql_database_instance" "..." {
            ...
            database_flags {
              ...
              name  = "log_temp_files"
              value = "0"
              ...
            }
            ...
          }
    message: Ensure PostgreSQL database 'log_temp_files' flag is set to '0'
    metadata:
      category: best-practice
      technology:
        - terraform
        - gcp
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - hcl
    # WARNING: a logging/audit gap, not an exploitable misconfiguration.
    severity: WARNING

Examples

gcp-postgresql-log-temp.tf

# Negative fixture: log_temp_files is present but not "0", so no
# database_flags block satisfies the rule's exclusion and the resource is
# reported. The ruleid annotation must stay directly above the resource line.
# fail
# ruleid: gcp-postgresql-log-temp
resource "google_sql_database_instance" "fail" {
  database_version = "POSTGRES_12"
  name             = "general-pos121"
  project          = "gcp-bridgecrew-deployment"
  region           = "us-central1"
  settings {
    activation_policy = "ALWAYS"
    availability_type = "ZONAL"
    # The flags below differ from the passing examples but are not inspected
    # by this rule; only the log_temp_files block decides the outcome.
    database_flags {
      name  = "log_checkpoints"
      value = "on"
    }
    database_flags {
      name  = "log_connections"
      value = "on"
    }
    database_flags {
      name  = "log_disconnections"
      value = "off"
    }
    database_flags {
      name  = "log_min_messages"
      value = "debug6"
    }
    database_flags {
      name  = "log_lock_waits"
      value = "off"
    }
    # "30" is not the literal "0" the rule requires -> finding.
    database_flags {
      name  = "log_temp_files"
      value = "30"
    }
    database_flags {
      name  = "log_min_duration_statement"
      value = "1"
    }
    pricing_plan = "PER_USE"

    tier = "db-custom-1-3840"
  }
}

# Positive fixture: a database_flags block sets log_temp_files = "0", which
# matches the rule's pattern-not-inside exclusion, so nothing is reported.
# The ok annotation must stay directly above the resource line.
# ok: gcp-postgresql-log-temp
resource "google_sql_database_instance" "pass" {
  database_version = "POSTGRES_12"
  name             = "general-pos121"
  project          = "gcp-bridgecrew-deployment"
  region           = "us-central1"
  settings {
    activation_policy = "ALWAYS"
    availability_type = "ZONAL"
    # Other flags are not examined by this rule.
    database_flags {
      name  = "log_checkpoints"
      value = "off"
    }
    database_flags {
      name  = "log_connections"
      value = "on"
    }
    database_flags {
      name  = "log_disconnections"
      value = "on"
    }
    database_flags {
      name  = "log_min_messages"
      value = "debug5"
    }
    database_flags {
      name  = "log_lock_waits"
      value = "on"
    }
    # Exactly name = "log_temp_files" / value = "0" -> compliant.
    database_flags {
      name  = "log_temp_files"
      value = "0"
    }
    database_flags {
      name  = "log_min_duration_statement"
      value = "1"
    }
    pricing_plan = "PER_USE"

    tier = "db-custom-1-3840"
  }
}

# Positive fixture on a different engine version (POSTGRES_14): the rule does
# not look at database_version, only at the log_temp_files flag, which is "0"
# here. The ok annotation must stay directly above the resource line.
# ok: gcp-postgresql-log-temp
resource "google_sql_database_instance" "pass2" {
  database_version = "POSTGRES_14"
  name             = "general-pos121"
  project          = "gcp-bridgecrew-deployment"
  region           = "us-central1"
  settings {
    activation_policy = "ALWAYS"
    availability_type = "ZONAL"
    # Other flags are not examined by this rule.
    database_flags {
      name  = "log_checkpoints"
      value = "on"
    }
    database_flags {
      name  = "log_connections"
      value = "off"
    }
    database_flags {
      name  = "log_disconnections"
      value = "on"
    }
    database_flags {
      name  = "log_min_messages"
      value = "debug6"
    }
    database_flags {
      name  = "log_lock_waits"
      value = "on"
    }
    # Exactly name = "log_temp_files" / value = "0" -> compliant.
    database_flags {
      name  = "log_temp_files"
      value = "0"
    }
    database_flags {
      name  = "log_min_duration_statement"
      value = "1"
    }
    pricing_plan = "PER_USE"
    tier         = "db-custom-1-3840"
  }
}