pg-no-min-statement-logging
Explanation
Statements can contain sensitive data, so logging them is not advised. The log_min_duration_statement flag should therefore be set so that no statements are logged.
Possible Impact
Sensitive data could be exposed in the database logs.
Suggested Resolution
Disable minimum duration statement logging completely by setting log_min_duration_statement to -1.
Insecure Example
The following example will fail the google-sql-pg-no-min-statement-logging check.
resource "google_sql_database_instance" "db" {
  name             = "db"
  database_version = "POSTGRES_12"
  region           = "us-central1"
  settings {
    database_flags {
      name  = "log_min_duration_statement"
      value = "99"
    }
  }
}
Secure Example
The following example will pass the google-sql-pg-no-min-statement-logging check.
resource "google_sql_database_instance" "db" {
  name             = "db"
  database_version = "POSTGRES_12"
  region           = "us-central1"
  settings {
    database_flags {
      name  = "log_min_duration_statement"
      value = "-1"
    }
  }
}