I am getting the 3 Checkov failed tests below:

```text
Check: CKV_GCP_109: "Ensure the GCP PostgreSQL database log levels are set to ERROR or lower"
FAILED for resource: google_sql_database_instance.cloud_sql
File: /cloud_sql.tf:1-74
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/bc-google-cloud-109
Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_GCP_110: "Ensure pgAudit is enabled for your GCP PostgreSQL database"
FAILED for resource: google_sql_database_instance.cloud_sql
File: /cloud_sql.tf:1-74
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/bc-google-cloud-110
Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_GCP_55: "Ensure PostgreSQL database 'log_min_messages' flag is set to a valid value"
FAILED for resource: google_sql_database_instance.cloud_sql
File: /cloud_sql.tf:1-74
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/cloud-sql-policies/bc-gcp-sql-6
```
I followed the Palo Alto links and changed my code accordingly:
```hcl
resource "google_sql_database_instance" "cloud_sql" {
  name             = "cloud-sql"
  database_version = "POSTGRES_15"
  region           = var.region
  project          = var.project_id

  settings {
    tier = "db-f1-micro"

    backup_configuration {
      enabled = true
    }

    ip_configuration {
      ipv4_enabled    = false
      require_ssl     = false
      private_network = "projects/${var.project_id}/global/networks/${var.network}"
    }

    database_flags {
      name  = "log_statement"
      value = "all"
    }
    database_flags {
      name  = "log_lock_waits"
      value = "on"
    }
    database_flags {
      name  = "log_connections"
      value = "on"
    }
    database_flags {
      name  = "log_checkpoints"
      value = "on"
    }
    database_flags {
      name  = "log_disconnections"
      value = "on"
    }
    database_flags {
      name  = "log_hostname"
      value = "on"
    }
    database_flags {
      name  = "log_min_error_statement"
      value = "ERROR"
    }
    database_flags {
      name  = "log_min_messages"
      value = "ERROR"
    }
    # database_flags {
    #   name  = "log_min_messages"
    #   value = "DEBUG5"
    # }
    # database_flags {
    #   name  = "enable_pgaudit"
    #   value = "on"
    # }
    database_flags {
      name  = "pgaudit.log"
      value = "'all'"
    }
    database_flags {
      name  = "log_duration"
      value = "on"
    }
  }

  deletion_protection = false
  depends_on          = [google_service_networking_connection.private_vpc_connection]
}
```
However, the checks are still failing.
I have tried a few different things.
For CKV_GCP_110 I tried adding:

```hcl
database_flags {
  name  = "enable_pgaudit"
  value = "on"
}
```

or removing a single quotation in value:

```hcl
database_flags {
  name  = "pgaudit.log"
  value = "all" // was "'all'"
}
```

For CKV_GCP_109 and CKV_GCP_55 I tried various values like `ERROR` or `DEBUG5`.

I also tried adding:

```hcl
database_flags {
  name  = "log_min_error_statement"
  value = "ERROR"
}
```
The checks are still failing.
So to pass CKV_GCP_109 and CKV_GCP_55 both of the below flags are necessary, with values in lowercase.

```hcl
database_flags {
  name  = "log_min_error_statement"
  value = "error"
}
database_flags {
  name  = "log_min_messages"
  value = "error"
}
```
For CKV_GCP_110 both of the below flags are necessary (pay attention to the quotation marks in the values):

```hcl
database_flags {
  name  = "enable_pgaudit"
  value = "on"
}
database_flags {
  name  = "pgaudit.log"
  value = "'all'"
}
```

References:

- https://github.com/bridgecrewio/checkov/issues/6057
- https://github.com/bridgecrewio/checkov/issues/6058
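As an added example (not part of the question or the answer), a small Python pre-check that pulls the `database_flags` blocks out of HCL text and tests the conditions the answer reports for the three checks, so the mistakes above (uppercase level names, `enable_pgaudit` left commented out) are caught before Checkov runs. The pass conditions are an assumption taken from the answer, not Checkov's own logic, and `PG_LEVELS` is PostgreSQL's documented list of severity names.

```python
import re

# PostgreSQL's documented severity names, accepted by both level flags.
PG_LEVELS = {"debug5", "debug4", "debug3", "debug2", "debug1", "info",
             "notice", "warning", "error", "log", "fatal", "panic"}
FLAG_BLOCK = re.compile(r'database_flags\s*\{\s*name\s*=\s*"([^"]+)"\s*value\s*=\s*"([^"]*)"\s*\}')

def database_flags(hcl):
    """Map flag name -> value for every uncommented database_flags block."""
    active = "\n".join(line for line in hcl.splitlines() if not line.lstrip().startswith("#"))
    return dict(FLAG_BLOCK.findall(active))

def check_flags(hcl):
    """Mirror the three checks using the conditions the answer reports (an assumption)."""
    f = database_flags(hcl)
    # Lowercase level names passed for the answer's author; "ERROR" and "DEBUG5" did not.
    level_ok = lambda v: v is not None and v.islower() and v in PG_LEVELS
    return {
        "CKV_GCP_109": level_ok(f.get("log_min_error_statement")),
        "CKV_GCP_55": level_ok(f.get("log_min_messages")),
        # enable_pgaudit on, and pgaudit.log keeps its inner single quotes.
        "CKV_GCP_110": f.get("enable_pgaudit") == "on" and f.get("pgaudit.log") == "'all'",
    }
# Constructed sample: the answer's working flag blocks.
PASSING_HCL = """database_flags {
  name  = "log_min_error_statement"
  value = "error"
}
database_flags {
  name  = "log_min_messages"
  value = "error"
}
database_flags {
  name  = "enable_pgaudit"
  value = "on"
}
database_flags {
  name  = "pgaudit.log"
  value = "'all'"
}
"""
# Constructed sample: the question's attempt (uppercase level, enable_pgaudit commented out).
FAILING_HCL = """database_flags {
  name  = "log_min_messages"
  value = "ERROR"
}
# database_flags {
#   name  = "enable_pgaudit"
#   value = "on"
# }
"""
```

`check_flags(PASSING_HCL)` reports all three checks as passing, while `check_flags(FAILING_HCL)` reports all three as failing.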