Skip to content

tfsec

Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server

aquasecurity/tfsec

Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server

Default Severity: medium

Explanation

Postgresql can generate logs for checkpoints to improve visibility for audit and configuration issue resolution.

Possible Impact

No error and query logs generated on checkpoint

Suggested Resolution

Enable checkpoint logging

Insecure Example

The following example will fail the azure-database-postgres-configuration-log-checkpoints check.

 resource "azurerm_resource_group" "example" {
   name     = "example-resources"
   location = "West Europe"
 }

 resource "azurerm_postgresql_server" "example" {
   name                = "example-psqlserver"
   location            = azurerm_resource_group.example.location
   resource_group_name = azurerm_resource_group.example.name

   administrator_login          = "psqladminun"
   administrator_login_password = "H@Sh1CoR3!"

   sku_name   = "GP_Gen5_4"
   version    = "9.6"
   storage_mb = 640000
 }

Secure Example

The following example will pass the azure-database-postgres-configuration-log-checkpoints check.

 resource "azurerm_resource_group" "example" {
   name     = "example-resources"
   location = "West Europe"
 }

 resource "azurerm_postgresql_server" "example" {
   name                = "example-psqlserver"
   location            = azurerm_resource_group.example.location
   resource_group_name = azurerm_resource_group.example.name

   administrator_login          = "psqladminun"
   administrator_login_password = "H@Sh1CoR3!"

   sku_name   = "GP_Gen5_4"
   version    = "9.6"
   storage_mb = 640000
 }

 resource "azurerm_postgresql_configuration" "example" {
   name                = "log_checkpoints"
   resource_group_name = azurerm_resource_group.example.name
   server_name         = azurerm_postgresql_server.example.name
   value               = "on"
 }

Links