---
title: Google Compute subnetwork logging disabled
description: Datadog, the leading service for cloud-scale monitoring.
---

# Google Compute subnetwork logging disabled


## Metadata{% #metadata %}

**Id:** `terraform-gcp-google-compute-subnetwork-logging-disabled` 

**Provider:** GCP

**Platform:** Terraform

**Severity:** Medium

**Category:** Observability

#### Learn More{% #learn-more %}

- [Provider Reference](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/compute_subnetwork)

### Description{% #description %}

This check verifies whether VPC flow logs are enabled for a `google_compute_subnetwork` resource by ensuring a `log_config` block is included in the Terraform configuration. Without flow logs enabled, critical network traffic information is not captured, making it difficult to monitor, detect, or investigate suspicious activity within the network. A subnetwork with flow logs enabled includes a `log_config` block, as shown below:

```terraform
resource "google_compute_subnetwork" "example" {
  // ...subnetwork configuration...

  log_config {
    aggregation_interval = "INTERVAL_10_MIN"
    flow_sampling        = 0.5
    metadata             = "INCLUDE_ALL_METADATA"
  }
}
```

Failure to enable logging can lead to security gaps, reducing visibility into potential breaches and making compliance with auditing requirements more challenging.

## Compliant Code Examples{% #compliant-code-examples %}

```terraform
resource "google_compute_subnetwork" "negative1" {
  name          = "log-test-subnetwork"
  ip_cidr_range = "10.2.0.0/16"
  region        = "us-central1"
  network       = google_compute_network.custom-test.id

  log_config {
    aggregation_interval = "INTERVAL_10_MIN"
    flow_sampling        = 0.5
    metadata             = "INCLUDE_ALL_METADATA"
  }
}
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```terraform
resource "google_compute_subnetwork" "positive1" {
  name          = "log-test-subnetwork"
  ip_cidr_range = "10.2.0.0/16"
  region        = "us-central1"
  network       = google_compute_network.custom-test.id
}
```
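
The same check applied to a rendered plan instead of the source files, as an added example (not Datadog's rule implementation and not code from this page): it walks the JSON produced by `terraform show -json` and reports every `google_compute_subnetwork` that has no `log_config`, including resources inside child modules. The sample plan is constructed, and the function names are hypothetical.

```python
import json

# Constructed sample: trimmed output of `terraform show -json <planfile>`.
SAMPLE_PLAN = json.loads("""
{"planned_values": {"root_module": {
  "resources": [
    {"address": "google_compute_subnetwork.negative1",
     "type": "google_compute_subnetwork",
     "values": {"log_config": [{"aggregation_interval": "INTERVAL_10_MIN",
                                "flow_sampling": 0.5,
                                "metadata": "INCLUDE_ALL_METADATA"}]}},
    {"address": "google_compute_subnetwork.positive1",
     "type": "google_compute_subnetwork",
     "values": {"log_config": []}}],
  "child_modules": [{"address": "module.net", "resources": [
    {"address": "module.net.google_compute_subnetwork.inner",
     "type": "google_compute_subnetwork",
     "values": {"name": "inner"}}]}]
}}}
""")


def iter_resources(module):
    """Yield every resource in a module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def subnetworks_without_flow_logs(plan):
    """Return addresses of google_compute_subnetwork resources with no log_config."""
    root = plan.get("planned_values", {}).get("root_module", {})
    findings = []
    for res in iter_resources(root):
        if res.get("type") != "google_compute_subnetwork":
            continue
        # Nested blocks are rendered as lists; a missing key, null or [] all mean "not set".
        if not (res.get("values") or {}).get("log_config"):
            findings.append(res["address"])
    return findings


if __name__ == "__main__":
    for address in subnetworks_without_flow_logs(SAMPLE_PLAN):
        print(f"VPC flow logs disabled: {address}")
```

Checking the plan also catches subnetworks declared in modules, which a scan limited to the root configuration files would not see.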
