pg-log-lock-waits

Default Severity: medium

Explanation

Lock waits often indicate poor performance and can also point to a potential denial-of-service vulnerability, so occurrences should be logged for analysis.

Possible Impact

Issues leading to denial of service may not be identified.

Suggested Resolution

Enable lock wait logging.

Insecure Example

The following example will fail the google-sql-pg-log-lock-waits check.

 resource "google_sql_database_instance" "db" {
    name             = "db"
    database_version = "POSTGRES_12"
    region           = "us-central1"
    settings {
        database_flags {
            name  = "log_lock_waits"
            value = "off"
        }
    }
 }

Secure Example

The following example will pass the google-sql-pg-log-lock-waits check.

 resource "google_sql_database_instance" "db" {
    name             = "db"
    database_version = "POSTGRES_12"
    region           = "us-central1"
    settings {
        database_flags {
            name  = "log_lock_waits"
            value = "on"
        }
    }
 }
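
With log_lock_waits on, PostgreSQL writes a log message whenever a session waits longer than deadlock_timeout to acquire a lock. The following is an added example, not part of the original check documentation, that groups those messages by lock target so contended locks stand out; the sample log lines are constructed, and the function name, line prefix and min_waiters threshold are assumptions.

```python
import re
from collections import defaultdict

# Message text PostgreSQL writes when log_lock_waits is on.
WAIT_RE = re.compile(
    r"process (?P<pid>\d+) (?P<event>still waiting for|acquired) "
    r"(?P<mode>\w+) on (?P<target>.+?) after (?P<ms>\d+\.\d+) ms"
)

# Constructed sample lines (not taken from a real instance).
SAMPLE_LOG = """\
2024-05-01 10:00:01 UTC [4101]: LOG:  process 4101 still waiting for ShareLock on transaction 9001 after 1000.112 ms
2024-05-01 10:00:02 UTC [4102]: LOG:  process 4102 still waiting for ShareLock on transaction 9001 after 1000.087 ms
2024-05-01 10:00:03 UTC [4103]: LOG:  process 4103 still waiting for AccessExclusiveLock on relation 16384 of database 16000 after 1000.201 ms
2024-05-01 10:00:09 UTC [4101]: LOG:  process 4101 acquired ShareLock on transaction 9001 after 8120.530 ms
2024-05-01 10:00:10 UTC [4104]: LOG:  connection authorized: user=app database=app
"""


def summarize_lock_waits(log_text, min_waiters=2):
    """Return (per-target stats, sorted targets with >= min_waiters distinct waiting pids)."""
    stats = defaultdict(lambda: {"waiters": set(), "unresolved": set(), "max_ms": 0.0})
    for line in log_text.splitlines():
        m = WAIT_RE.search(line)
        if not m:
            continue  # unrelated log line
        entry = stats[m["target"]]
        pid, ms = int(m["pid"]), float(m["ms"])
        entry["waiters"].add(pid)
        entry["max_ms"] = max(entry["max_ms"], ms)
        if m["event"] == "acquired":
            entry["unresolved"].discard(pid)  # wait ended, lock granted
        else:
            entry["unresolved"].add(pid)  # still blocked at this point in the log
    contended = sorted(t for t, e in stats.items() if len(e["waiters"]) >= min_waiters)
    return dict(stats), contended


if __name__ == "__main__":
    stats, contended = summarize_lock_waits(SAMPLE_LOG)
    for target in contended:
        e = stats[target]
        print(f"{target}: {len(e['waiters'])} waiters, "
              f"{len(e['unresolved'])} unresolved, max wait {e['max_ms']:.0f} ms")
```
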