Checkov fails on Terraform database flags for GCP PostgreSQL: `pgAudit` and `log_min_messages`

Question  Votes: 0  Answers: 1

I am getting the following 3 Checkov test failures:

Check: CKV_GCP_109: "Ensure the GCP PostgreSQL database log levels are set to ERROR or lower"
    FAILED for resource: google_sql_database_instance.cloud_sql
    File: /cloud_sql.tf:1-74
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/bc-google-cloud-109

        Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_110: "Ensure pgAudit is enabled for your GCP PostgreSQL database"
    FAILED for resource: google_sql_database_instance.cloud_sql
    File: /cloud_sql.tf:1-74
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/bc-google-cloud-110

        Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_55: "Ensure PostgreSQL database 'log_min_messages' flag is set to a valid value"
    FAILED for resource: google_sql_database_instance.cloud_sql
    File: /cloud_sql.tf:1-74
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/cloud-sql-policies/bc-gcp-sql-6

I followed the Palo Alto links and changed my code accordingly:

resource "google_sql_database_instance" "cloud_sql" {
  name             = "cloud-sql"
  database_version = "POSTGRES_15"
  region           = var.region
  project          = var.project_id

  settings {
    tier = "db-f1-micro"

    backup_configuration {
      enabled = true
    }
    ip_configuration {
      ipv4_enabled    = false
      require_ssl     = false
      private_network = "projects/${var.project_id}/global/networks/${var.network}"
    }
    database_flags {
      name  = "log_statement"
      value = "all"
    }
    database_flags {
      name  = "log_lock_waits"
      value = "on"
    }
    database_flags {
      name  = "log_connections"
      value = "on"
    }
    database_flags {
      name  = "log_checkpoints"
      value = "on"
    }
    database_flags {
      name  = "log_disconnections"
      value = "on"
    }
    database_flags {
      name  = "log_hostname"
      value = "on"
    }
    database_flags {
      name  = "log_min_error_statement"
      value = "ERROR"
    }
    database_flags {
      name  = "log_min_messages"
      value = "ERROR"
    }
#    database_flags {
#      name  = "log_min_messages"
#      value = "DEBUG5"
#    }
#    database_flags {
#      name  = "enable_pgaudit"
#      value = "on"
#    }
    database_flags {
      name  = "pgaudit.log"
      value = "'all'"
    }
    database_flags {
      name  = "log_duration"
      value = "on"
    }
  }
  deletion_protection = false
  depends_on          = [google_service_networking_connection.private_vpc_connection]
}

However, the checks still fail.

I tried a few different things.

For CKV_GCP_110 I tried adding:

    database_flags {
      name  = "enable_pgaudit"
      value = "on"
    }

or removing the single quotes from the value:

    database_flags {
      name  = "pgaudit.log"
      value = "all"  // was "'all'"
    }

For CKV_GCP_109 and CKV_GCP_55 I tried various values, such as ERROR and DEBUG5. I also tried adding:

    database_flags {
      name  = "log_min_error_statement"
      value = "ERROR"
    }

The checks still fail.

postgresql logging terraform google-cloud-sql checkov
1 answer

0 votes

So, to pass CKV_GCP_109 and CKV_GCP_55, both of the following flags are required, and the values must be lowercase.

    database_flags {
      name  = "log_min_error_statement"
      value = "error"
    }
    database_flags {
      name  = "log_min_messages"
      value = "error"
    }

For CKV_GCP_110, both of the following flags are required (note the quotes in the value):

database_flags {
  name  = "enable_pgaudit"
  value = "on"
}
database_flags {
  name  = "pgaudit.log"
  value = "'all'"
}

References:

https://github.com/bridgecrewio/checkov/issues/6057
https://github.com/bridgecrewio/checkov/issues/6058
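To see why the first attempt in the question fails and the answer's flags pass without re-running Checkov, here is a small Python checker that encodes the findings of this thread. It is an added example, not the page's or Checkov's own code: it extracts `database_flags` blocks with a regex rather than a full HCL parser; it assumes CKV_GCP_109 reads `log_min_error_statement` and CKV_GCP_55 reads `log_min_messages` (the answer only says both flags are needed to clear the pair); and the values it accepts beyond lowercase `error` are my reading of "ERROR or lower", not taken from Checkov's source. The two Terraform snippets are constructed from the question and the answer. For the real verdict, run `checkov -d . --check CKV_GCP_109,CKV_GCP_110,CKV_GCP_55` against the directory.

```python
"""Approximate the three Checkov checks from the thread over Terraform database_flags."""
import re

# Constructed from the question: uppercase levels, quoted pgaudit.log, no enable_pgaudit.
BEFORE_FIX = '''
resource "google_sql_database_instance" "cloud_sql" {
  settings {
    database_flags {
      name  = "log_min_error_statement"
      value = "ERROR"
    }
    database_flags {
      name  = "log_min_messages"
      value = "ERROR"
    }
    database_flags {
      name  = "pgaudit.log"
      value = "'all'"
    }
  }
}
'''

# Constructed from the accepted answer: lowercase levels, enable_pgaudit on, quoted pgaudit.log.
AFTER_FIX = '''
resource "google_sql_database_instance" "cloud_sql" {
  settings {
    database_flags {
      name  = "log_min_error_statement"
      value = "error"
    }
    database_flags {
      name  = "log_min_messages"
      value = "error"
    }
    database_flags {
      name  = "enable_pgaudit"
      value = "on"
    }
    database_flags {
      name  = "pgaudit.log"
      value = "'all'"
    }
  }
}
'''

# Matches each `database_flags { name = "..." value = "..." }` block. Deliberately
# simple (assumption: name precedes value, double-quoted literals); not a full HCL parser.
FLAG_RE = re.compile(
    r'database_flags\s*\{\s*name\s*=\s*"([^"]+)"\s*value\s*=\s*"([^"]*)"\s*\}',
    re.S,
)

# Lowercase "error" passing is what the answer reports. Treating log/fatal/panic
# (less verbose than error in PostgreSQL's ordering) as also acceptable is my
# reading of "ERROR or lower", not verified against Checkov's source.
QUIET_LEVELS = {"error", "log", "fatal", "panic"}


def parse_flags(hcl: str) -> dict:
    """Return {flag_name: flag_value} for every database_flags block in the snippet."""
    return dict(FLAG_RE.findall(hcl))


def evaluate(hcl: str) -> dict:
    """Map each check id to True (pass) or False (fail), per the thread's findings."""
    flags = parse_flags(hcl)

    def quiet(name: str) -> bool:
        # Case-sensitive on purpose: the answer reports "ERROR" fails and "error" passes.
        return flags.get(name) in QUIET_LEVELS

    pgaudit_log = flags.get("pgaudit.log", "")
    return {
        # Assumption: which of the two level flags each check reads (see lead-in).
        "CKV_GCP_109": quiet("log_min_error_statement"),
        "CKV_GCP_55": quiet("log_min_messages"),
        # Both flags are needed, and pgaudit.log keeps its inner single quotes.
        "CKV_GCP_110": flags.get("enable_pgaudit") == "on"
        and re.fullmatch(r"'[^']+'", pgaudit_log) is not None,
    }


def failing_checks(hcl: str) -> list:
    """Sorted list of check ids that would fail for the snippet."""
    return sorted(check for check, ok in evaluate(hcl).items() if not ok)


if __name__ == "__main__":
    print("before:", failing_checks(BEFORE_FIX))  # all three checks fail
    print("after: ", failing_checks(AFTER_FIX))   # nothing fails
```

The checker is only as strict as the thread's evidence: it flags the two things the poster actually tripped over, uppercase level names and a missing `enable_pgaudit`, and it does not validate the other `log_*` flags at all.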
