Beta - SQL DB Instance With Unrecommended Error Logging Threshold
- Query id: 13de4e49-d407-4277-ba5a-d7f59283902f
- Query name: Beta - SQL DB Instance With Unrecommended Error Logging Threshold
- Platform: Terraform
- Severity: Low
- Category: Observability
- CWE: 779
- Risk score: 1.0
- URL: Github
Description¶
All 'google_sql_database_instance' resources based on POSTGRES should have the 'log_min_error_statement' flag set to 'ERROR' or a higher severity to prevent excessive logging
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
resource "google_sql_database_instance" "positive_1" {
name = "postgres-instance-with-flag"
database_version = "POSTGRES_14"
region = "us-central1"
settings {
database_flags {
name = "sample_flag1"
value = "off"
}
database_flags {
name = "log_min_error_statement"
value = "NOTICE"
} # Flag is set to "NOTICE"
database_flags {
name = "sample_flag2"
value = "off"
}
}
}
resource "google_sql_database_instance" "positive_2" { # Single object support test 1
name = "postgres-instance-with-flag"
database_version = "POSTGRES_13"
region = "us-central1"
settings {
database_flags {
name = "log_min_error_statement"
value = "DEBUG5" # Flag is set to "DEBUG5"
}
}
}
resource "google_sql_database_instance" "positive_3" { # Single object support test 2
name = "postgres-instance-with-flag"
database_version = "POSTGRES_13"
region = "us-central1"
settings {
database_flags {
name = "log_min_error_statement"
value = "DEBUG4" # Flag is set to "DEBUG4"
}
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
resource "google_sql_database_instance" "negative_1" {
name = "main-instance"
database_version = "MYSQL_8_0" # Is not a POSTGRES instance
region = "us-central1"
settings {
tier = "db-f1-micro"
database_flags {
name = "log_min_error_statement"
value = "DEBUG3"
}
}
}
resource "google_sql_database_instance" "negative_2" {
name = "mysql-instance-without-flag"
database_version = "POSTGRES_17"
region = "us-central1"
# Defaults to "ERROR"
}
resource "google_sql_database_instance" "negative_3" {
name = "postgres-instance-without-flag"
database_version = "POSTGRES_16"
region = "us-central1"
settings {} # Defaults to "ERROR"
}
resource "google_sql_database_instance" "negative_4" {
name = "postgres-instance-without-flag"
database_version = "POSTGRES_15"
region = "us-central1"
settings {
database_flags {
name = "sample_flag1"
value = "off"
}
# Defaults to "ERROR"
}
}
resource "google_sql_database_instance" "negative_5" {
name = "mysql-instance-with-flag"
database_version = "POSTGRES_15"
region = "us-central1"
settings {
tier = "db-f1-micro"
database_flags {
name = "sample_flag1"
value = "off"
}
database_flags {
name = "log_min_error_statement"
value = "ERROR"
} # Has flag set to "ERROR" (minimum)
database_flags {
name = "sample_flag2"
value = "off"
}
}
}
resource "google_sql_database_instance" "negative_6" { # Single object support test 1
name = "mysql-instance-with-flag"
database_version = "POSTGRES_15"
region = "us-central1"
settings {
tier = "db-f1-micro"
database_flags {
name = "log_min_error_statement"
value = "LOG"
} # Has flag set to "LOG"
}
}
resource "google_sql_database_instance" "negative_7" { # Single object support test 1
name = "mysql-instance-with-flag"
database_version = "POSTGRES_15"
region = "us-central1"
settings {
tier = "db-f1-micro"
database_flags {
name = "log_min_error_statement"
value = "FATAL"
} # Has flag set to "FATAL"
}
}
resource "google_sql_database_instance" "negative_8" { # Single object support test 1
name = "mysql-instance-with-flag"
database_version = "POSTGRES_15"
region = "us-central1"
settings {
tier = "db-f1-micro"
database_flags {
name = "log_min_error_statement"
value = "PANIC"
} # Has flag set to "PANIC"
}
}