
Ensure that logging of lock waits is enabled.

Default Severity: medium

Explanation

Lock waits are often an indication of poor performance and of a potential denial of service vulnerability, so occurrences should be logged for analysis.

Possible Impact

Issues leading to denial of service may not be identified.

Suggested Resolution

Enable lock wait logging.

Insecure Example

The following example will fail the google-sql-pg-log-lock-waits check.

 resource "google_sql_database_instance" "db" {
    name             = "db"
    database_version = "POSTGRES_12"
    region           = "us-central1"
    settings {
        database_flags {
            name  = "log_lock_waits"
            value = "off"
        }
    }
 }

Secure Example

The following example will pass the google-sql-pg-log-lock-waits check.

 resource "google_sql_database_instance" "db" {
    name             = "db"
    database_version = "POSTGRES_12"
    region           = "us-central1"
    settings {
        database_flags {
            name  = "log_lock_waits"
            value = "on"
        }
    }
 }
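
The same condition can be audited on a rendered plan as well as on source files. The following is an added example, not tfsec's own code: it walks JSON shaped like the output of `terraform show -json`, including nested modules, and reports PostgreSQL instances where log_lock_waits is not "on". The function names and the sample plan are constructed for illustration, and treating an unset flag as a finding is an assumption of this example (PostgreSQL 12 defaults the setting to off).

```python
# SAMPLE_PLAN is constructed; it mirrors the fields of `terraform show -json <planfile>`.
SAMPLE_PLAN = {"planned_values": {"root_module": {
    "resources": [
        {"address": "google_sql_database_instance.db_off",
         "type": "google_sql_database_instance",
         "values": {"database_version": "POSTGRES_12", "settings": [
             {"database_flags": [{"name": "log_lock_waits", "value": "off"}]}]}},
        {"address": "google_sql_database_instance.db_on",
         "type": "google_sql_database_instance",
         "values": {"database_version": "POSTGRES_12", "settings": [
             {"database_flags": [{"name": "log_lock_waits", "value": "on"}]}]}},
        {"address": "google_sql_database_instance.mysql",
         "type": "google_sql_database_instance",
         "values": {"database_version": "MYSQL_8_0", "settings": [{}]}},
    ],
    "child_modules": [{"resources": [
        {"address": "module.app.google_sql_database_instance.db_unset",
         "type": "google_sql_database_instance",
         "values": {"database_version": "POSTGRES_12", "settings": [{"database_flags": []}]}}]}],
}}}

def iter_resources(module):
    """Yield resources from a module and all nested child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def lock_wait_findings(plan):
    """Return (address, reason) for PostgreSQL instances without log_lock_waits = on."""
    findings = []
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in iter_resources(root):
        values = res.get("values") or {}
        version = str(values.get("database_version", ""))
        if res.get("type") != "google_sql_database_instance" or not version.startswith("POSTGRES"):
            continue  # the flag only applies to PostgreSQL instances
        flags = {f["name"]: f["value"]
                 for s in values.get("settings") or []
                 for f in s.get("database_flags") or []}
        state = flags.get("log_lock_waits")
        if state is None:  # assumption: unset counts as a finding (PostgreSQL 12 default is off)
            findings.append((res["address"], "log_lock_waits not set"))
        elif str(state).lower() != "on":
            findings.append((res["address"], f"log_lock_waits = {state}"))
    return findings

if __name__ == "__main__":
    for address, reason in lock_wait_findings(SAMPLE_PLAN):
        print(f"FAIL {address}: {reason}")
```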