pg-no-min-statement-logging

Explanation

Logging statements that could contain sensitive data is not advised, so this setting should be configured to prevent any statement from being logged.

Possible Impact

Sensitive data could be exposed in the database logs.

Suggested Resolution

Disable minimum duration statement logging completely.

Insecure Example

The following example will fail the google-sql-pg-no-min-statement-logging check.

resource "google_sql_database_instance" "db" {
    name             = "db"
    database_version = "POSTGRES_12"
    region           = "us-central1"
    settings {
        database_flags {
            name  = "log_min_duration_statement"
            value = "99"
        }
    }
}

Secure Example

The following example will pass the google-sql-pg-no-min-statement-logging check.

resource "google_sql_database_instance" "db" {
    name             = "db"
    database_version = "POSTGRES_12"
    region           = "us-central1"
    settings {
        database_flags {
            name  = "log_min_duration_statement"
            value = "-1"
        }
    }
}
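
The same rule applied to a whole Terraform plan, as an added example (not the scanner's own implementation): a Python scan over the `planned_values` structure of `terraform show -json` that reports every PostgreSQL instance whose log_min_duration_statement is anything other than -1, including instances inside child modules. The sample plan, the resource addresses and the function names are constructed for illustration, and an instance that does not set the flag is treated as passing on the assumption that PostgreSQL's default of -1 applies.

```python
FLAG = "log_min_duration_statement"

def instance(address, version, flags):
    """Build one resource entry in the shape `terraform show -json` emits."""
    return {"address": address, "type": "google_sql_database_instance",
            "values": {"database_version": version,
                       "settings": [{"database_flags": flags}]}}

# Constructed sample plan (not real output); addresses are hypothetical.
SAMPLE_PLAN = {"planned_values": {"root_module": {
    "resources": [
        instance("google_sql_database_instance.db", "POSTGRES_12",
                 [{"name": FLAG, "value": "99"}]),
        instance("google_sql_database_instance.ok", "POSTGRES_12",
                 [{"name": FLAG, "value": "-1"}]),
        instance("google_sql_database_instance.unset", "POSTGRES_12", []),
    ],
    "child_modules": [{"resources": [
        instance("module.app.google_sql_database_instance.db", "POSTGRES_12",
                 [{"name": FLAG, "value": "0"}]),
        instance("module.app.google_sql_database_instance.mysql", "MYSQL_8_0",
                 [{"name": "slow_query_log", "value": "on"}]),
    ]}],
}}}

def iter_resources(module):
    """Yield every resource in a module and, recursively, in its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def find_statement_logging(plan):
    """Return (address, value) for each PostgreSQL instance with FLAG set to anything but -1."""
    findings = []
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in iter_resources(root):
        values = res.get("values") or {}
        if res.get("type") != "google_sql_database_instance":
            continue
        if not str(values.get("database_version", "")).startswith("POSTGRES"):
            continue  # the flag is PostgreSQL-specific
        for settings in values.get("settings") or []:
            for flag in settings.get("database_flags") or []:
                if flag.get("name") == FLAG and str(flag.get("value")).strip() != "-1":
                    findings.append((res["address"], flag.get("value")))
    return findings

if __name__ == "__main__":
    for address, value in find_statement_logging(SAMPLE_PLAN):
        print(f"FAIL {address}: {FLAG} = {value!r} (expected -1)")
```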