feat(query): implements "Beta - SQL DB Instance With Unrecommended Logging Threshold" (#7782)

cx-andre-pereira · web-flow · commit b41fea57888f · 2025-11-19T15:41:07.000Z
* implements query to ensure query to ensure that a "google_sql_database_instance" resource has the 'log_min_messages' flag set to a valid severity
diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/metadata.json b/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/metadata.json
@@ -0,0 +1,14 @@
+{
+  "id": "ecbbe763-95dc-47e6-8660-84ff751e5acf",
+  "queryName": "Beta - SQL DB Instance With Unrecommended Logging Threshold",
+  "severity": "LOW",
+  "category": "Observability",
+  "descriptionText": "All 'google_sql_database_instance' resources based on POSTGRES should have the 'log_min_messages' flag set to 'WARNING' or a higher severity to prevent excessive logging",
+  "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance.html#settings-1",
+  "platform": "Terraform",
+  "descriptionID": "ecbbe763",
+  "cloudProvider": "gcp",
+  "cwe": "779",
+  "riskScore": "1.0",
+  "experimental": "true"
+}
diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/query.rego b/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/query.rego
@@ -0,0 +1,42 @@
+package Cx
+
+import data.generic.common as common_lib
+import data.generic.terraform as tf_lib
+
+CxPolicy[result] {
+	resource := input.document[i].resource.google_sql_database_instance[name]
+
+	contains(resource.database_version, "POSTGRES")
+	results := get_results(resource, name)
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": "google_sql_database_instance",
+		"resourceName": tf_lib.get_resource_name(resource, name),
+		"searchKey": results.searchKey,
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should set 'log_min_messages' to 'WARNING' or a higher severity", [name]),
+		"keyActualValue" : sprintf("'google_sql_database_instance[%s].settings.database_flags' sets 'log_min_messages' to '%s'", [name, results.value]),
+		"searchLine": results.searchLine
+	}
+}
+
+get_results(resource, name) = results {  # array
+	resource.settings.database_flags[x].name  == "log_min_messages"
+	not common_lib.inArray(["WARNING", "ERROR", "LOG", "FATAL", "PANIC"], resource.settings.database_flags[x].value)
+
+	results := {
+		"searchKey" : sprintf("google_sql_database_instance[%s].settings.database_flags[%d].name", [name, x]),
+		"searchLine" : common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings", "database_flags", x, "name"], []),
+		"value" : resource.settings.database_flags[x].value
+	}
+} else = results { # single object
+	resource.settings.database_flags.name  == "log_min_messages"
+	not common_lib.inArray(["WARNING", "ERROR", "LOG", "FATAL", "PANIC"], resource.settings.database_flags.value)
+
+	results := {
+		"searchKey" : sprintf("google_sql_database_instance[%s].settings.database_flags.name", [name]),
+		"searchLine" : common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings", "database_flags", "name"], []),
+		"value" : resource.settings.database_flags.value
+	}
+}
diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/test/negative.tf b/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/test/negative.tf
@@ -0,0 +1,129 @@
+resource "google_sql_database_instance" "negative_1" {
+  name             = "main-instance"
+  database_version = "MYSQL_8_0"      # Is not a POSTGRES instance
+  region           = "us-central1"
+
+  settings {
+    tier = "db-f1-micro"
+
+    database_flags {
+      name = "log_min_messages"
+      value = "DEBUG3"
+    }
+  }
+}
+
+resource "google_sql_database_instance" "negative_2" {
+  name             = "mysql-instance-without-flag"
+  database_version = "POSTGRES_17"
+  region           = "us-central1"
+
+  # Defaults to "ERROR"
+}
+
+resource "google_sql_database_instance" "negative_3" {
+  name             = "postgres-instance-without-flag"
+  database_version = "POSTGRES_16"
+  region           = "us-central1"
+
+  settings {}  # Defaults to "ERROR"
+}
+
+resource "google_sql_database_instance" "negative_4" {
+  name             = "postgres-instance-without-flag"
+  database_version = "POSTGRES_15"
+  region           = "us-central1"
+
+  settings {
+    database_flags {
+      name = "sample_flag1"
+      value = "DEBUG3"
+    }
+      # Defaults to "ERROR"
+  }
+}
+
+resource "google_sql_database_instance" "negative_5" {
+  name             = "mysql-instance-with-flag"
+  database_version = "POSTGRES_15"
+  region           = "us-central1"
+
+  settings {
+    tier = "db-f1-micro"
+
+    database_flags {
+       name = "sample_flag1"
+       value = "off"
+      }
+
+    database_flags {
+       name = "log_min_messages"
+       value = "FATAL"
+      }   # Has flag set to "FATAL"
+
+    database_flags {
+       name = "sample_flag2"
+       value = "off"
+      }
+  }
+}
+
+resource "google_sql_database_instance" "negative_6" {
+  name             = "mysql-instance-with-flag"
+  database_version = "POSTGRES_15"
+  region           = "us-central1"
+
+  settings {
+    tier = "db-f1-micro"
+
+    database_flags {
+       name = "log_min_messages"
+       value = "ERROR"
+      }   # Has flag set to "ERROR"
+  }
+}
+
+resource "google_sql_database_instance" "negative_7" {
+  name             = "mysql-instance-with-flag"
+  database_version = "POSTGRES_15"
+  region           = "us-central1"
+
+  settings {
+    tier = "db-f1-micro"
+
+    database_flags {
+       name = "log_min_messages"
+       value = "LOG"
+      }   # Has flag set to "LOG"
+  }
+}
+
+resource "google_sql_database_instance" "negative_8" {
+  name             = "mysql-instance-with-flag"
+  database_version = "POSTGRES_15"
+  region           = "us-central1"
+
+  settings {
+    tier = "db-f1-micro"
+
+    database_flags {
+       name = "log_min_messages"
+       value = "WARNING"
+       }   # Has flag set to "WARNING" (minimum)
+  }
+}
+
+resource "google_sql_database_instance" "negative_9" {
+  name             = "mysql-instance-with-flag"
+  database_version = "POSTGRES_15"
+  region           = "us-central1"
+
+  settings {
+    tier = "db-f1-micro"
+
+    database_flags {
+       name = "log_min_messages"
+       value = "PANIC"
+       }   # Has flag set to "PANIC"
+  }
+}
diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/test/positive.tf b/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/test/positive.tf
@@ -0,0 +1,48 @@
+resource "google_sql_database_instance" "positive_1" {
+  name             = "postgres-instance-with-flag"
+  database_version = "POSTGRES_14"
+  region           = "us-central1"
+
+  settings {
+    database_flags {
+      name = "sample_flag1"
+      value = "off"
+      }
+
+    database_flags {
+      name = "log_min_messages"
+      value = "NOTICE"
+      } # Flag is set to "NOTICE"
+
+    database_flags {
+      name = "sample_flag2"
+      value = "off"
+      }
+  }
+}
+
+resource "google_sql_database_instance" "positive_2" {
+  name             = "postgres-instance-with-flag"
+  database_version = "POSTGRES_13"
+  region           = "us-central1"
+
+  settings {
+    database_flags {
+      name = "log_min_messages"
+      value = "DEBUG5"
+    }  # Flag is set to "DEBUG5"
+  }
+}
+
+resource "google_sql_database_instance" "positive_3" {
+  name             = "postgres-instance-with-flag"
+  database_version = "POSTGRES_13"
+  region           = "us-central1"
+
+  settings {
+    database_flags {
+      name = "log_min_messages"
+      value = "INFO"
+      }  # Flag is set to "INFO"
+  }
+}
diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/test/positive_expected_result.json
@@ -0,0 +1,17 @@
+[
+  {
+    "queryName": "Beta - SQL DB Instance With Unrecommended Logging Threshold",
+    "severity": "LOW",
+    "line": 13
+  },
+  {
+    "queryName": "Beta - SQL DB Instance With Unrecommended Logging Threshold",
+    "severity": "LOW",
+    "line": 31
+  },
+  {
+    "queryName": "Beta - SQL DB Instance With Unrecommended Logging Threshold",
+    "severity": "LOW",
+    "line": 44
+  }
+]
diff --git a/assets/similarityID_transition/terraform_gcp.yaml b/assets/similarityID_transition/terraform_gcp.yaml
@@ -3,6 +3,10 @@ similarityIDChangeList:
       queryName: Beta - Google DNS Policy Logging Disabled
       observations: ""
       change: 2
+    - queryId: ecbbe763-95dc-47e6-8660-84ff751e5acf
+      queryName: Beta - SQL DB Instance With Unrecommended Logging Threshold
+      observations: ""
+      change: 2
     - queryId: c3655703-569b-42ec-8027-ef8835d989c0
       queryName: Beta - SQL DB Instance With Contained Database Authentication
       observations: ""
