Skip to content

tfsec

postgres-configuration-log-connections

aquasecurity/tfsec

postgres-configuration-log-connections

Explanation

Postgresql can generate logs for successful connections to improve visibility for audit and configuration issue resolution.

Possible Impact

No visibility of successful connections

Suggested Resolution

Enable connection logging

Insecure Example

The following example will fail the azure-database-postgres-configuration-log-connections check.

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_postgresql_server" "example" {
  name                = "example-psqlserver"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  administrator_login          = "psqladminun"
  administrator_login_password = "H@Sh1CoR3!"

  sku_name   = "GP_Gen5_4"
  version    = "9.6"
  storage_mb = 640000
}

Secure Example

The following example will pass the azure-database-postgres-configuration-log-connections check.

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_postgresql_server" "example" {
  name                = "example-psqlserver"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  administrator_login          = "psqladminun"
  administrator_login_password = "H@Sh1CoR3!"

  sku_name   = "GP_Gen5_4"
  version    = "9.6"
  storage_mb = 640000
}

resource "azurerm_postgresql_configuration" "example" {
    name                = "log_connections"
    resource_group_name = azurerm_resource_group.example.name
    server_name         = azurerm_postgresql_server.example.name
    value               = "on"
  }