Metadata

Id: d7a5616f-0a3f-4d43-bc2b-29d1a183e317

Cloud Provider: GCP

Platform: Ansible

Severity: Medium

Category: Observability

Description

PostgreSQL Cloud SQL instances must have the log_connections flag set to on so connection events are recorded for auditing and to help detect suspicious or unauthorized access. For Ansible resources using google.cloud.gcp_sql_instance or gcp_sql_instance, the settings.databaseFlags property must include an entry with name: log_connections and value: on. Resources missing settings or settings.databaseFlags, or where log_connections is absent or set to off, are flagged.

Secure Ansible example:

- name: Create PostgreSQL Cloud SQL instance with connection logging enabled
  google.cloud.gcp_sql_instance:
    name: my-postgres-instance
    database_version: POSTGRES_13
    settings:
      tier: db-custom-1-3840
      databaseFlags:
        - name: log_connections
          value: "on"
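The rule above is a structural check over each Ansible task: locate the `google.cloud.gcp_sql_instance` / `gcp_sql_instance` module, walk into `settings.databaseFlags`, and look for an entry named `log_connections` whose value is `on`. The following Python is an added example of that logic, not Datadog's scanner code. It works on tasks that have already been parsed by a YAML loader (plain dicts and lists), so it runs without PyYAML; the sample tasks are constructed for the example. One choice specific to this example: an unquoted `on` is read as the boolean `true` by YAML 1.1 loaders such as the one Ansible uses, so the checker reports that case separately and asks for the quoted string `"on"` (whether the real rule treats the boolean as compliant is not stated on this page).

```python
"""Added example: flag gcp_sql_instance tasks that do not enable log_connections.

Tasks are the dict/list structure a YAML loader produces for an Ansible play;
the SAMPLE_TASKS below are constructed for this example.
"""
from typing import Any, Dict, List, Optional

# Both module spellings named in the rule description.
MODULE_NAMES = ("google.cloud.gcp_sql_instance", "gcp_sql_instance")


def sql_instance_params(task: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Return the module parameters if the task creates a Cloud SQL instance."""
    for key in MODULE_NAMES:
        if isinstance(task.get(key), dict):
            return task[key]
    return None


def log_connections_finding(task: Dict[str, Any]) -> Optional[str]:
    """Return None when the task is compliant, otherwise a finding message."""
    params = sql_instance_params(task)
    if params is None:
        return None  # not a Cloud SQL instance task; the rule does not apply
    label = task.get("name", "<unnamed task>")

    settings = params.get("settings")
    if not isinstance(settings, dict):
        return f"{label}: 'settings' is missing"

    flags = settings.get("databaseFlags")
    if not isinstance(flags, list):
        return f"{label}: 'settings.databaseFlags' is missing"

    for flag in flags:
        if isinstance(flag, dict) and flag.get("name") == "log_connections":
            value = flag.get("value")
            if isinstance(value, str) and value.lower() == "on":
                return None
            if value is True:
                # Assumption of this example: an unquoted `on` became boolean
                # true during YAML parsing; report it so the author quotes it.
                return (f"{label}: log_connections was parsed as boolean true; "
                        f"write value: \"on\" (quoted)")
            return f"{label}: log_connections is {value!r}, expected \"on\""

    return f"{label}: log_connections is absent from settings.databaseFlags"


def scan(tasks: List[Dict[str, Any]]) -> List[str]:
    """Collect findings for every task in a play, in play order."""
    findings = []
    for task in tasks:
        finding = log_connections_finding(task)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample play: one compliant task, four non-compliant, one unrelated.
SAMPLE_TASKS: List[Dict[str, Any]] = [
    {"name": "compliant instance",
     "google.cloud.gcp_sql_instance": {
         "name": "pg-a", "database_version": "POSTGRES_13",
         "settings": {"tier": "db-custom-1-3840",
                      "databaseFlags": [{"name": "log_connections", "value": "on"}]}}},
    {"name": "flag set to off",
     "gcp_sql_instance": {
         "name": "pg-b",
         "settings": {"tier": "db-n1-standard-1",
                      "databaseFlags": [{"name": "log_connections", "value": "off"}]}}},
    {"name": "no databaseFlags",
     "google.cloud.gcp_sql_instance": {
         "name": "pg-c", "settings": {"tier": "db-n1-standard-1"}}},
    {"name": "no settings",
     "google.cloud.gcp_sql_instance": {"name": "pg-d"}},
    {"name": "unquoted on",
     "google.cloud.gcp_sql_instance": {
         "name": "pg-e",
         "settings": {"databaseFlags": [{"name": "log_connections", "value": True}]}}},
    {"name": "unrelated task", "ansible.builtin.debug": {"msg": "hello"}},
]


if __name__ == "__main__":
    for line in scan(SAMPLE_TASKS):
        print(line)
```

Running the file prints four findings (the `off` value, the missing `databaseFlags`, the missing `settings`, and the boolean `true`); the compliant task and the unrelated `debug` task produce nothing.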

Compliant Code Examples

- name: create an instance
  google.cloud.gcp_sql_instance:
    name: GCP instance
    settings:
      databaseFlags:
      # log_connections is present and enabled; the value is quoted so a YAML
      # 1.1 loader passes the string "on" rather than the boolean true
      - name: log_connections
        value: "on"
      tier: db-n1-standard-1
    region: us-central1
    project: test_project
    database_version: POSTGRES_9_6
    auth_kind: serviceaccount
    service_account_file: /tmp/auth.pem
    state: present

Non-Compliant Code Examples

- name: create instance
  google.cloud.gcp_sql_instance:
    name: GCP instance
    settings:
      databaseFlags:
      # flagged: log_connections is present but explicitly disabled
      - name: log_connections
        value: "off"
      tier: db-n1-standard-1
    region: us-central1
    project: test_project
    database_version: POSTGRES_9_6
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
- name: create another instance
  google.cloud.gcp_sql_instance:
    name: GCP instance 2
    settings:
      # flagged: settings.databaseFlags is missing, so log_connections is never set
      tier: db-n1-standard-1
    region: us-central1
    project: test_project
    database_version: POSTGRES_9_6
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present