From 3e20267ce7a86680e50ea24c6646d0b3c733fe39 Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Tue, 21 Oct 2025 12:08:53 +0100 Subject: [PATCH 01/12] template --- .../sql_db_instance_template/metadata.json | 14 ++++ .../gcp/sql_db_instance_template/query.rego | 72 +++++++++++++++++++ .../sql_db_instance_template/test/negative.tf | 23 ++++++ .../sql_db_instance_template/test/positive.tf | 41 +++++++++++ .../test/positive_expected_result.json | 22 ++++++ 5 files changed, 172 insertions(+) create mode 100644 assets/queries/terraform/gcp/sql_db_instance_template/metadata.json create mode 100644 assets/queries/terraform/gcp/sql_db_instance_template/query.rego create mode 100644 assets/queries/terraform/gcp/sql_db_instance_template/test/negative.tf create mode 100644 assets/queries/terraform/gcp/sql_db_instance_template/test/positive.tf create mode 100644 assets/queries/terraform/gcp/sql_db_instance_template/test/positive_expected_result.json diff --git a/assets/queries/terraform/gcp/sql_db_instance_template/metadata.json b/assets/queries/terraform/gcp/sql_db_instance_template/metadata.json new file mode 100644 index 00000000000..f4e762c8f09 --- /dev/null +++ b/assets/queries/terraform/gcp/sql_db_instance_template/metadata.json @@ -0,0 +1,14 @@ +{ + "id": "", + "queryName": "Beta - SQL DB Instance Without", + "severity": "MEDIUM", + "category": "Observability", + "descriptionText": "All 'google_sql_database_instance' resources based on POSTGRES should enable the 'X' flag to X", + "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance.html#settings-1", + "platform": "Terraform", + "descriptionID": "", + "cloudProvider": "gcp", + "cwe": "778", + "riskScore": "3.0", + "experimental": "true" +} 
diff --git a/assets/queries/terraform/gcp/sql_db_instance_template/query.rego b/assets/queries/terraform/gcp/sql_db_instance_template/query.rego new file mode 100644 index 00000000000..f5fc618debc --- /dev/null +++ b/assets/queries/terraform/gcp/sql_db_instance_template/query.rego 
@@ -0,0 +1,72 @@ +package Cx + +import data.generic.common as common_lib +import data.generic.terraform as tf_lib + +CxPolicy[result] { + resource := input.document[i].resource.google_sql_database_instance[name] + + contains(resource.database_version, "POSTGRES") + results := get_results(resource, name) + + result := { + "documentId": input.document[i].id, + "resourceType": "google_sql_database_instance", + "resourceName": tf_lib.get_resource_name(resource, name), + "searchKey": results.searchKey, + "issueType": results.issueType, + "keyExpectedValue": results.keyExpectedValue, + "keyActualValue": results.keyActualValue, + "searchLine": results.searchLine + } +} + +get_results(resource, name) = results { + not common_lib.valid_key(resource, "settings") + + results := { + "searchKey": sprintf("google_sql_database_instance[%s]", [name]), + "issueType": "MissingAttribute", + "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be defined and set 'log_connections' to 'on'", [name]), + "keyActualValue": sprintf("'google_sql_database_instance[%s].settings' is undefined or null", [name]), + "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name], []) + + } +} else = results { + not common_lib.valid_key(resource.settings, "database_flags") + + results := { + "searchKey": sprintf("google_sql_database_instance[%s].settings", [name]), + "issueType": "MissingAttribute", + "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be defined and set 'log_connections' to 'on'", [name]), + "keyActualValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' is undefined or null", [name]), + "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings"], []) + } + +} else = results { + not has_flag(resource.settings.database_flags) + + results := { + "searchKey": 
sprintf("google_sql_database_instance[%s].settings.database_flags", [name]), + "issueType": "MissingAttribute", + "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be defined and set 'log_connections' to 'on'", [name]), + "keyActualValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' does not set 'log_connections'", [name]), + "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings", "database_flags"], []) + } + +} else = results { + resource.settings.database_flags[x].name == "log_connections" + resource.settings.database_flags[x].value != "on" + + results := { + "searchKey": sprintf("google_sql_database_instance[%s].settings.database_flags[%d].name", [name, x]), + "issueType": "IncorrectValue", + "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be defined and set 'log_connections' to 'on'", [name]), + "keyActualValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' sets 'log_connections' to '%s'", [name, resource.settings.database_flags[x].value]), + "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings", "database_flags", x, "name"], []) + } +} + +has_flag(database_flags) { + database_flags[_].name == "log_connections" +} diff --git a/assets/queries/terraform/gcp/sql_db_instance_template/test/negative.tf b/assets/queries/terraform/gcp/sql_db_instance_template/test/negative.tf new file mode 100644 index 00000000000..11bd6c30c3c --- /dev/null +++ b/assets/queries/terraform/gcp/sql_db_instance_template/test/negative.tf 
@@ -0,0 +1,23 @@ +resource "google_sql_database_instance" "negative_1" { + name = "main-instance" + database_version = "MYSQL_8_0" # Is not a POSTGRES instance + region = "us-central1" + + settings { + tier = "db-f1-micro" + } +} + +resource "google_sql_database_instance" "negative_2" { + name = "mysql-instance-with-flag" + database_version = "POSTGRES_15" + region = "us-central1" + + settings { + tier = "db-f1-micro" + + database_flags = [ + { name = "log_connections", value = "on" }, # Has flag set to "on" + ] + } +} diff --git a/assets/queries/terraform/gcp/sql_db_instance_template/test/positive.tf b/assets/queries/terraform/gcp/sql_db_instance_template/test/positive.tf new file mode 100644 index 00000000000..f0348de48b8 --- /dev/null +++ b/assets/queries/terraform/gcp/sql_db_instance_template/test/positive.tf @@ -0,0 +1,41 @@ +resource "google_sql_database_instance" "positive_1" { + name = "mysql-instance-without-flag" + database_version = "POSTGRES_17" + region = "us-central1" + + # Missing 'settings' field +} + +resource "google_sql_database_instance" "positive_2" { + name = "postgres-instance-without-flag" + database_version = "POSTGRES_16" + region = "us-central1" + + settings {} # Missing 'database_flags' field +} + +resource "google_sql_database_instance" "positive_3" { + name = "postgres-instance-without-flag" + database_version = "POSTGRES_15" + region = "us-central1" + + settings { + database_flags = [ + # Missing 'log_connections' flag + ] + } +} + +resource "google_sql_database_instance" "positive_4" { + name = "postgres-instance-with-flag" + database_version = "POSTGRES_14" + region = "us-central1" + + settings { + database_flags = [ + { name = "sample_flag1", value = "off" }, + { name = "log_connections", value = "off" }, # Flag is not set to "on" + { name = "sample_flag2", value = "off" } + ] + } +} 
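Review bot: The fixture names contradict the engines they exercise: `positive_1` is a `POSTGRES_17` instance named `"mysql-instance-without-flag"`, and `negative_2` is a `POSTGRES_15` instance named `"mysql-instance-with-flag"`, which is confusing in tests whose first filter is the POSTGRES engine check. Renaming them `"postgres-instance-without-flag"` / `"postgres-instance-with-flag"` (the form `positive_2` already uses) keeps the fixtures self-describing. The same `mysql-instance-*` names are carried into the rewritten negative.tf in PATCH 02 and the renumbered one in PATCH 05, so they should be fixed there as well.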
diff --git a/assets/queries/terraform/gcp/sql_db_instance_template/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_template/test/positive_expected_result.json new file mode 100644 index 00000000000..dd0c9f7dfe8 --- /dev/null +++ b/assets/queries/terraform/gcp/sql_db_instance_template/test/positive_expected_result.json @@ -0,0 +1,22 @@ +[ + { + "queryName": "Beta - SQL DB Instance Without Connections Logging", + "severity": "MEDIUM", + "line": 1 + }, + { + "queryName": "Beta - SQL DB Instance Without Connections Logging", + "severity": "MEDIUM", + "line": 14 + }, + { + "queryName": "Beta - SQL DB Instance Without Connections Logging", + "severity": "MEDIUM", + "line": 23 + }, + { + "queryName": "Beta - SQL DB Instance Without Connections Logging", + "severity": "MEDIUM", + "line": 37 + } +] From 88acaa1378204f1916a486bf35d443843da8c0d0 Mon Sep 17 00:00:00 2001 
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Tue, 21 Oct 2025 12:31:47 +0100 Subject: [PATCH 02/12] implementation --- .../sql_db_instance_template/test/negative.tf | 23 ------ .../metadata.json | 12 +-- .../query.rego | 18 ++--- .../test/negative.tf | 79 +++++++++++++++++++ .../test/positive.tf | 16 +++- .../test/positive_expected_result.json | 13 ++- 6 files changed, 117 insertions(+), 44 deletions(-) delete mode 100644 assets/queries/terraform/gcp/sql_db_instance_template/test/negative.tf rename assets/queries/terraform/gcp/{sql_db_instance_template => sql_db_instance_with_unrecommended_logging_treshold}/metadata.json (52%) rename assets/queries/terraform/gcp/{sql_db_instance_template => sql_db_instance_with_unrecommended_logging_treshold}/query.rego (74%) create mode 100644 assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_treshold/test/negative.tf rename assets/queries/terraform/gcp/{sql_db_instance_template => sql_db_instance_with_unrecommended_logging_treshold}/test/positive.tf (69%) rename assets/queries/terraform/gcp/{sql_db_instance_template => sql_db_instance_with_unrecommended_logging_treshold}/test/positive_expected_result.json (64%) diff --git a/assets/queries/terraform/gcp/sql_db_instance_template/test/negative.tf b/assets/queries/terraform/gcp/sql_db_instance_template/test/negative.tf deleted file mode 100644 index 11bd6c30c3c..00000000000 --- a/assets/queries/terraform/gcp/sql_db_instance_template/test/negative.tf +++ /dev/null 
@@ -1,23 +0,0 @@ -resource "google_sql_database_instance" "negative_1" { - name = "main-instance" - database_version = "MYSQL_8_0" # Is not a POSTGRES instance - region = "us-central1" - - settings { - tier = "db-f1-micro" - } -} - -resource "google_sql_database_instance" "negative_2" { - name = "mysql-instance-with-flag" - database_version = "POSTGRES_15" - region = "us-central1" - - settings { - tier = "db-f1-micro" - - database_flags = [ - { name = "log_connections", value = "on" }, # Has flag set to "on" - ] - } -} diff --git a/assets/queries/terraform/gcp/sql_db_instance_template/metadata.json b/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_treshold/metadata.json similarity index 52% rename from assets/queries/terraform/gcp/sql_db_instance_template/metadata.json rename to assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_treshold/metadata.json index f4e762c8f09..881b2c3d9c6 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_template/metadata.json +++ b/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_treshold/metadata.json 
@@ -1,14 +1,14 @@
 {
- "id": "",
- "queryName": "Beta - SQL DB Instance Without",
- "severity": "MEDIUM",
+ "id": "ecbbe763-95dc-47e6-8660-84ff751e5acf",
+ "queryName": "Beta - SQL DB Instance With Unrecommended Logging Treshold",
+ "severity": "LOW",
 "category": "Observability",
- "descriptionText": "All 'google_sql_database_instance' resources based on POSTGRES should enable the 'X' flag to X",
+ "descriptionText": "All 'google_sql_database_instance' resources based on POSTGRES should have the 'log_min_messages' flag set to 'WARNING' or a higher severity",
 "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance.html#settings-1",
 "platform": "Terraform",
- "descriptionID": "",
+ "descriptionID": "ecbbe763",
 "cloudProvider": "gcp",
 "cwe": "778",
- "riskScore": "3.0",
+ "riskScore": "1.0",
 "experimental": "true"
 }
diff --git a/assets/queries/terraform/gcp/sql_db_instance_template/query.rego b/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_treshold/query.rego
similarity index 74%
rename from assets/queries/terraform/gcp/sql_db_instance_template/query.rego
rename to assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_treshold/query.rego
index f5fc618debc..73f22e3a29e 100644
--- a/assets/queries/terraform/gcp/sql_db_instance_template/query.rego
+++ b/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_treshold/query.rego
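Review bot: `queryName` introduces the misspelling `Treshold` (should be `Threshold`), and the same misspelling is baked into the new directory name `sql_db_instance_with_unrecommended_logging_treshold` and, from PATCH 03 onward, into every entry of positive_expected_result.json. Because the directory and query name are what users see and search for, correcting it now is far cheaper than after the query ships: `"queryName": "Beta - SQL DB Instance With Unrecommended Logging Threshold"`, with the directory renamed to match.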
@@ -27,7 +27,7 @@ get_results(resource, name) = results { results := { "searchKey": sprintf("google_sql_database_instance[%s]", [name]), "issueType": "MissingAttribute", - "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be defined and set 'log_connections' to 'on'", [name]), + "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be defined and set 'log_min_messages' to 'WARNING' or a higher severity", [name]), "keyActualValue": sprintf("'google_sql_database_instance[%s].settings' is undefined or null", [name]), "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name], []) @@ -38,7 +38,7 @@ get_results(resource, name) = results { results := { "searchKey": sprintf("google_sql_database_instance[%s].settings", [name]), "issueType": "MissingAttribute", - "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be defined and set 'log_connections' to 'on'", [name]), + "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be defined and set 'log_min_messages' to 'WARNING' or a higher severity", [name]), "keyActualValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' is undefined or null", [name]), "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings"], []) } 
@@ -49,24 +49,24 @@ get_results(resource, name) = results { results := { "searchKey": sprintf("google_sql_database_instance[%s].settings.database_flags", [name]), "issueType": "MissingAttribute", - "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be defined and set 'log_connections' to 'on'", [name]), - "keyActualValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' does not set 'log_connections'", [name]), + "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be defined and set 'log_min_messages' to 'WARNING' or a higher severity", [name]), + "keyActualValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' does not set 'log_min_messages'", [name]), "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings", "database_flags"], []) } } else = results { - resource.settings.database_flags[x].name == "log_connections" - resource.settings.database_flags[x].value != "on" + resource.settings.database_flags[x].name == "log_min_messages" + not common_lib.inArray(["WARNING", "ERROR", "LOG", "FATAL", "PANIC"], resource.settings.database_flags[x].value) results := { "searchKey": sprintf("google_sql_database_instance[%s].settings.database_flags[%d].name", [name, x]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be defined and set 'log_connections' to 'on'", [name]), - "keyActualValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' sets 'log_connections' to '%s'", [name, resource.settings.database_flags[x].value]), + "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be defined and set 'log_min_messages' to 'WARNING' or a higher severity", [name]), + "keyActualValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' sets 'log_min_messages' 
to '%s'", [name, resource.settings.database_flags[x].value]), "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings", "database_flags", x, "name"], []) } } has_flag(database_flags) { - database_flags[_].name == "log_connections" + database_flags[_].name == "log_min_messages" } diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_treshold/test/negative.tf b/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_treshold/test/negative.tf new file mode 100644 index 00000000000..9e184e164e8 --- /dev/null +++ b/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_treshold/test/negative.tf 
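Review bot: The new `inArray` check is case-sensitive, but PostgreSQL accepts `log_min_messages` levels case-insensitively, so a configuration with `value = "warning"` or `value = "error"` is compliant in practice yet would be reported as IncorrectValue here. Normalise before comparing: `not common_lib.inArray(["WARNING", "ERROR", "LOG", "FATAL", "PANIC"], upper(resource.settings.database_flags[x].value))`, and add a lowercase entry to negative.tf so the fixture pins the behaviour. The same comparison is reintroduced unchanged in the PATCH 05 rewrite of `CxPolicy`, so it needs the same treatment there.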
@@ -0,0 +1,79 @@ +resource "google_sql_database_instance" "negative_1" { + name = "main-instance" + database_version = "MYSQL_8_0" # Is not a POSTGRES instance + region = "us-central1" + + settings { + tier = "db-f1-micro" + } +} + +resource "google_sql_database_instance" "negative_2" { + name = "mysql-instance-with-flag" + database_version = "POSTGRES_15" + region = "us-central1" + + settings { + tier = "db-f1-micro" + + database_flags = [ + { name = "log_min_messages", value = "WARNING" }, # Has flag set to "WARNING" + ] + } +} + +resource "google_sql_database_instance" "negative_3" { + name = "mysql-instance-with-flag" + database_version = "POSTGRES_15" + region = "us-central1" + + settings { + tier = "db-f1-micro" + + database_flags = [ + { name = "log_min_messages", value = "ERROR" }, # Has flag set to "ERROR" + ] + } +} + +resource "google_sql_database_instance" "negative_4" { + name = "mysql-instance-with-flag" + database_version = "POSTGRES_15" + region = "us-central1" + + settings { + tier = "db-f1-micro" + + database_flags = [ + { name = "log_min_messages", value = "LOG" }, # Has flag set to "LOG" + ] + } +} + +resource "google_sql_database_instance" "negative_5" { + name = "mysql-instance-with-flag" + database_version = "POSTGRES_15" + region = "us-central1" + + settings { + tier = "db-f1-micro" + + database_flags = [ + { name = "log_min_messages", value = "FATAL" }, # Has flag set to "FATAL" + ] + } +} + +resource "google_sql_database_instance" "negative_6" { + name = "mysql-instance-with-flag" + database_version = "POSTGRES_15" + region = "us-central1" + + settings { + tier = "db-f1-micro" + + database_flags = [ + { name = "log_min_messages", value = "PANIC" }, # Has flag set to "PANIC" + ] + } +} 
diff --git a/assets/queries/terraform/gcp/sql_db_instance_template/test/positive.tf b/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_treshold/test/positive.tf similarity index 69% rename from assets/queries/terraform/gcp/sql_db_instance_template/test/positive.tf rename to assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_treshold/test/positive.tf index f0348de48b8..8a13ae5781d 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_template/test/positive.tf +++ b/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_treshold/test/positive.tf @@ -21,7 +21,7 @@ resource "google_sql_database_instance" "positive_3" { settings { database_flags = [ - # Missing 'log_connections' flag + # Missing 'log_min_messages' flag ] } } @@ -34,8 +34,20 @@ resource "google_sql_database_instance" "positive_4" { settings { database_flags = [ { name = "sample_flag1", value = "off" }, - { name = "log_connections", value = "off" }, # Flag is not set to "on" + { name = "log_min_messages", value = "NOTICE" }, # Flag is set to "NOTICE" { name = "sample_flag2", value = "off" } ] } } + +resource "google_sql_database_instance" "positive_5" { + name = "postgres-instance-with-flag" + database_version = "POSTGRES_13" + region = "us-central1" + + settings { + database_flags = [ + { name = "log_min_messages", value = "DEBUG5" }, # Flag is set to "DEBUG5" + ] + } +} diff --git a/assets/queries/terraform/gcp/sql_db_instance_template/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_treshold/test/positive_expected_result.json similarity index 64% rename from assets/queries/terraform/gcp/sql_db_instance_template/test/positive_expected_result.json rename to assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_treshold/test/positive_expected_result.json index dd0c9f7dfe8..e027e7864fd 100644 
--- a/assets/queries/terraform/gcp/sql_db_instance_template/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_treshold/test/positive_expected_result.json @@ -1,22 +1,27 @@ [ { "queryName": "Beta - SQL DB Instance Without Connections Logging", - "severity": "MEDIUM", + "severity": "LOW", "line": 1 }, { "queryName": "Beta - SQL DB Instance Without Connections Logging", - "severity": "MEDIUM", + "severity": "LOW", "line": 14 }, { "queryName": "Beta - SQL DB Instance Without Connections Logging", - "severity": "MEDIUM", + "severity": "LOW", "line": 23 }, { "queryName": "Beta - SQL DB Instance Without Connections Logging", - "severity": "MEDIUM", + "severity": "LOW", "line": 37 + }, + { + "queryName": "Beta - SQL DB Instance Without Connections Logging", + "severity": "LOW", + "line": 50 } ] From a4604dac341a9050a9ee849bbb3f8cb857e5d44f Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Tue, 21 Oct 2025 12:47:53 +0100 Subject: [PATCH 03/12] query name fix and cwe updated --- .../test/positive_expected_result.json | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_treshold/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_treshold/test/positive_expected_result.json index e027e7864fd..94b4f44535c 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_treshold/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_treshold/test/positive_expected_result.json 
@@ -1,26 +1,26 @@ [ { - "queryName": "Beta - SQL DB Instance Without Connections Logging", + "queryName": "Beta - SQL DB Instance With Unrecommended Logging Treshold", "severity": "LOW", "line": 1 }, { - "queryName": "Beta - SQL DB Instance Without Connections Logging", + "queryName": "Beta - SQL DB Instance With Unrecommended Logging Treshold", "severity": "LOW", "line": 14 }, { - "queryName": "Beta - SQL DB Instance Without Connections Logging", + "queryName": "Beta - SQL DB Instance With Unrecommended Logging Treshold", "severity": "LOW", "line": 23 }, { - "queryName": "Beta - SQL DB Instance Without Connections Logging", + "queryName": "Beta - SQL DB Instance With Unrecommended Logging Treshold", "severity": "LOW", "line": 37 }, { - "queryName": "Beta - SQL DB Instance Without Connections Logging", + "queryName": "Beta - SQL DB Instance With Unrecommended Logging Treshold", "severity": "LOW", "line": 50 } From 21e877ab197d58a4b7bc27afa8c2df3a5d2ee8dc Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Tue, 21 Oct 2025 13:30:31 +0100 Subject: [PATCH 04/12] minor metadata change --- .../metadata.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_treshold/metadata.json b/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_treshold/metadata.json index 881b2c3d9c6..5a390c5d7e1 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_treshold/metadata.json +++ b/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_treshold/metadata.json 
@@ -3,12 +3,12 @@ "queryName": "Beta - SQL DB Instance With Unrecommended Logging Treshold", "severity": "LOW", "category": "Observability", - "descriptionText": "All 'google_sql_database_instance' resources based on POSTGRES should have the 'log_min_messages' flag set to 'WARNING' or a higher severity", + "descriptionText": "All 'google_sql_database_instance' resources based on POSTGRES should have the 'log_min_messages' flag set to 'WARNING' or a higher severity to prevent excessively logging", "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance.html#settings-1", "platform": "Terraform", "descriptionID": "ecbbe763", "cloudProvider": "gcp", - "cwe": "778", + "cwe": "779", "riskScore": "1.0", "experimental": "true" } From fbbc385f24cc55881dd8c984c6376a19d27b7deb Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Tue, 21 Oct 2025 15:15:06 +0100 Subject: [PATCH 05/12] adjusted tests and logic for default value of ERROR --- .../query.rego | 51 ++----------------- .../test/negative.tf | 36 +++++++++++-- .../test/positive.tf | 28 ---------- .../test/positive_expected_result.json | 19 +------ 4 files changed, 37 insertions(+), 97 deletions(-) diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_treshold/query.rego b/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_treshold/query.rego index 73f22e3a29e..843aad22f59 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_treshold/query.rego +++ b/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_treshold/query.rego 
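Review bot: The appended clause reads `to prevent excessively logging`; the adverb should be an adjective: `"... set to 'WARNING' or a higher severity to prevent excessive logging"`. Switching `cwe` to 779 fits that reframing (the finding is about an over-verbose threshold rather than missing logging), so the two edits are consistent with each other.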
@@ -7,61 +7,16 @@ CxPolicy[result] { resource := input.document[i].resource.google_sql_database_instance[name] contains(resource.database_version, "POSTGRES") - results := get_results(resource, name) + resource.settings.database_flags[x].name == "log_min_messages" + not common_lib.inArray(["WARNING", "ERROR", "LOG", "FATAL", "PANIC"], resource.settings.database_flags[x].value) result := { "documentId": input.document[i].id, "resourceType": "google_sql_database_instance", "resourceName": tf_lib.get_resource_name(resource, name), - "searchKey": results.searchKey, - "issueType": results.issueType, - "keyExpectedValue": results.keyExpectedValue, - "keyActualValue": results.keyActualValue, - "searchLine": results.searchLine - } -} - -get_results(resource, name) = results { - not common_lib.valid_key(resource, "settings") - - results := { - "searchKey": sprintf("google_sql_database_instance[%s]", [name]), - "issueType": "MissingAttribute", - "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be defined and set 'log_min_messages' to 'WARNING' or a higher severity", [name]), - "keyActualValue": sprintf("'google_sql_database_instance[%s].settings' is undefined or null", [name]), - "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name], []) - - } -} else = results { - not common_lib.valid_key(resource.settings, "database_flags") - - results := { - "searchKey": sprintf("google_sql_database_instance[%s].settings", [name]), - "issueType": "MissingAttribute", - "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be defined and set 'log_min_messages' to 'WARNING' or a higher severity", [name]), - "keyActualValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' is undefined or null", [name]), - "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings"], []) - } - -} else = results { - not 
has_flag(resource.settings.database_flags) - - results := { - "searchKey": sprintf("google_sql_database_instance[%s].settings.database_flags", [name]), - "issueType": "MissingAttribute", - "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be defined and set 'log_min_messages' to 'WARNING' or a higher severity", [name]), - "keyActualValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' does not set 'log_min_messages'", [name]), - "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings", "database_flags"], []) - } - -} else = results { - resource.settings.database_flags[x].name == "log_min_messages" - not common_lib.inArray(["WARNING", "ERROR", "LOG", "FATAL", "PANIC"], resource.settings.database_flags[x].value) - - results := { "searchKey": sprintf("google_sql_database_instance[%s].settings.database_flags[%d].name", [name, x]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should be defined and set 'log_min_messages' to 'WARNING' or a higher severity", [name]), + "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should set 'log_min_messages' to 'WARNING' or a higher severity", [name]), "keyActualValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' sets 'log_min_messages' to '%s'", [name, resource.settings.database_flags[x].value]), "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings", "database_flags", x, "name"], []) } diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_treshold/test/negative.tf b/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_treshold/test/negative.tf index 9e184e164e8..0ef30a8ef2b 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_treshold/test/negative.tf 
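Review bot: With `get_results` deleted, nothing in the remaining code appears to reference `has_flag`; the helper sits just below this hunk and is not shown, so if it still exists it is dead code and should be removed in this same commit rather than left behind. The rewrite also narrows the policy's scope — an instance with no `settings`, no `database_flags`, or no `log_min_messages` entry is now accepted — and the only record of why lives in the commit subject and fixture comments. A one-line comment above the two new conditions would keep that decision with the code, e.g. `# an absent flag is accepted: the provider default (ERROR, per the fixtures) already satisfies the WARNING-or-stricter requirement`. The enclosing `CxPolicy` rule starts before this hunk.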
+++ b/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_treshold/test/negative.tf @@ -9,6 +9,34 @@ resource "google_sql_database_instance" "negative_1" { } resource "google_sql_database_instance" "negative_2" { + name = "mysql-instance-without-flag" + database_version = "POSTGRES_17" + region = "us-central1" + + # Defaults to "ERROR" +} + +resource "google_sql_database_instance" "negative_3" { + name = "postgres-instance-without-flag" + database_version = "POSTGRES_16" + region = "us-central1" + + settings {} # Defaults to "ERROR" +} + +resource "google_sql_database_instance" "negative_4" { + name = "postgres-instance-without-flag" + database_version = "POSTGRES_15" + region = "us-central1" + + settings { + database_flags = [ + # Defaults to "ERROR" + ] + } +} + +resource "google_sql_database_instance" "negative_5" { name = "mysql-instance-with-flag" database_version = "POSTGRES_15" region = "us-central1" @@ -22,7 +50,7 @@ resource "google_sql_database_instance" "negative_2" { } } -resource "google_sql_database_instance" "negative_3" { +resource "google_sql_database_instance" "negative_6" { name = "mysql-instance-with-flag" database_version = "POSTGRES_15" region = "us-central1" @@ -36,7 +64,7 @@ resource "google_sql_database_instance" "negative_3" { } } -resource "google_sql_database_instance" "negative_4" { +resource "google_sql_database_instance" "negative_7" { name = "mysql-instance-with-flag" database_version = "POSTGRES_15" region = "us-central1" @@ -50,7 +78,7 @@ resource "google_sql_database_instance" "negative_4" { } } -resource "google_sql_database_instance" "negative_5" { +resource "google_sql_database_instance" "negative_8" { name = "mysql-instance-with-flag" database_version = "POSTGRES_15" region = "us-central1" 
@@ -64,7 +92,7 @@ resource "google_sql_database_instance" "negative_5" { } } -resource "google_sql_database_instance" "negative_6" { +resource "google_sql_database_instance" "negative_9" { name = "mysql-instance-with-flag" database_version = "POSTGRES_15" region = "us-central1" diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_treshold/test/positive.tf b/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_treshold/test/positive.tf index 8a13ae5781d..fdc3c307aeb 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_treshold/test/positive.tf +++ b/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_treshold/test/positive.tf @@ -1,31 +1,3 @@ -resource "google_sql_database_instance" "positive_1" { - name = "mysql-instance-without-flag" - database_version = "POSTGRES_17" - region = "us-central1" - - # Missing 'settings' field -} - -resource "google_sql_database_instance" "positive_2" { - name = "postgres-instance-without-flag" - database_version = "POSTGRES_16" - region = "us-central1" - - settings {} # Missing 'database_flags' field -} - -resource "google_sql_database_instance" "positive_3" { - name = "postgres-instance-without-flag" - database_version = "POSTGRES_15" - region = "us-central1" - - settings { - database_flags = [ - # Missing 'log_min_messages' flag - ] - } -} - resource "google_sql_database_instance" "positive_4" { name = "postgres-instance-with-flag" database_version = "POSTGRES_14" diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_treshold/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_treshold/test/positive_expected_result.json index 94b4f44535c..cb82f51d1bf 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_treshold/test/positive_expected_result.json 
+++ b/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_treshold/test/positive_expected_result.json @@ -2,26 +2,11 @@ { "queryName": "Beta - SQL DB Instance With Unrecommended Logging Treshold", "severity": "LOW", - "line": 1 + "line": 9 }, { "queryName": "Beta - SQL DB Instance With Unrecommended Logging Treshold", "severity": "LOW", - "line": 14 - }, - { - "queryName": "Beta - SQL DB Instance With Unrecommended Logging Treshold", - "severity": "LOW", - "line": 23 - }, - { - "queryName": "Beta - SQL DB Instance With Unrecommended Logging Treshold", - "severity": "LOW", - "line": 37 - }, - { - "queryName": "Beta - SQL DB Instance With Unrecommended Logging Treshold", - "severity": "LOW", - "line": 50 + "line": 22 } ] From 4da793a7d6de0361adebb7a9653d73ee0ab4837e Mon Sep 17 00:00:00 2001 
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Wed, 22 Oct 2025 11:17:46 +0100 Subject: [PATCH 06/12] added single object support and typo fix --- .../metadata.json | 2 +- .../query.rego | 42 +++++++++++++++ .../test/negative.tf | 52 ++++++------------- .../test/positive.tf | 17 +++++- .../test/positive_expected_result.json | 5 ++ .../query.rego | 27 ---------- 6 files changed, 78 insertions(+), 67 deletions(-) rename assets/queries/terraform/gcp/{sql_db_instance_with_unrecommended_logging_treshold => sql_db_instance_with_unrecommended_logging_threshold}/metadata.json (97%) create mode 100644 assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/query.rego rename assets/queries/terraform/gcp/{sql_db_instance_with_unrecommended_logging_treshold => sql_db_instance_with_unrecommended_logging_threshold}/test/negative.tf (60%) rename assets/queries/terraform/gcp/{sql_db_instance_with_unrecommended_logging_treshold => sql_db_instance_with_unrecommended_logging_threshold}/test/positive.tf (57%) rename assets/queries/terraform/gcp/{sql_db_instance_with_unrecommended_logging_treshold => sql_db_instance_with_unrecommended_logging_threshold}/test/positive_expected_result.json (66%) delete mode 100644 assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_treshold/query.rego diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_treshold/metadata.json b/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/metadata.json similarity index 97% rename from assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_treshold/metadata.json rename to assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/metadata.json index 5a390c5d7e1..8d8de651273 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_treshold/metadata.json 
+++ b/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/metadata.json @@ -1,6 +1,6 @@ { "id": "ecbbe763-95dc-47e6-8660-84ff751e5acf", - "queryName": "Beta - SQL DB Instance With Unrecommended Logging Treshold", + "queryName": "Beta - SQL DB Instance With Unrecommended Logging Threshold", "severity": "LOW", "category": "Observability", "descriptionText": "All 'google_sql_database_instance' resources based on POSTGRES should have the 'log_min_messages' flag set to 'WARNING' or a higher severity to prevent excessively logging", diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/query.rego b/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/query.rego new file mode 100644 index 00000000000..f736a426683 --- /dev/null +++ b/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/query.rego 
@@ -0,0 +1,42 @@ +package Cx + +import data.generic.common as common_lib +import data.generic.terraform as tf_lib + +CxPolicy[result] { + resource := input.document[i].resource.google_sql_database_instance[name] + + contains(resource.database_version, "POSTGRES") + results := get_results(resource, name) + + result := { + "documentId": input.document[i].id, + "resourceType": "google_sql_database_instance", + "resourceName": tf_lib.get_resource_name(resource, name), + "searchKey": results.searchKey, + "issueType": "IncorrectValue", + "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should set 'log_min_messages' to 'WARNING' or a higher severity", [name]), + "keyActualValue": results.keyActualValue, + "searchLine": results.searchLine + } +} + +get_results(resource, name) = results { # array + resource.settings.database_flags[x].name == "log_min_messages" + not common_lib.inArray(["WARNING", "ERROR", "LOG", "FATAL", "PANIC"], resource.settings.database_flags[x].value) + + results := { + "searchKey" : sprintf("google_sql_database_instance[%s].settings.database_flags[%d].name", [name, x]), + "keyActualValue" : sprintf("'google_sql_database_instance[%s].settings.database_flags' sets 'log_min_messages' to '%s'", [name, resource.settings.database_flags[x].value]), + "searchLine" : common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings", "database_flags", x, "name"], []) + } +} else = results { # single object + resource.settings.database_flags.name == "log_min_messages" + not common_lib.inArray(["WARNING", "ERROR", "LOG", "FATAL", "PANIC"], resource.settings.database_flags.value) + + results := { + "searchKey" : sprintf("google_sql_database_instance[%s].settings.database_flags.name", [name]), + "keyActualValue" : sprintf("'google_sql_database_instance[%s].settings.database_flags' sets 'log_min_messages' to '%s'", [name, resource.settings.database_flags.value]), + "searchLine" : 
common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings", "database_flags", "name"], []) + } +} diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_treshold/test/negative.tf b/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/test/negative.tf similarity index 60% rename from assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_treshold/test/negative.tf rename to assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/test/negative.tf index 0ef30a8ef2b..01962868c38 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_treshold/test/negative.tf +++ b/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/test/negative.tf @@ -45,12 +45,16 @@ resource "google_sql_database_instance" "negative_5" { tier = "db-f1-micro" database_flags = [ - { name = "log_min_messages", value = "WARNING" }, # Has flag set to "WARNING" + { name = "log_min_messages", value = "WARNING" }, # Has flag set to "WARNING" (minimum) + { name = "log_min_messages", value = "ERROR" }, # Has flag set to "ERROR" + { name = "log_min_messages", value = "LOG" }, # Has flag set to "LOG" + { name = "log_min_messages", value = "FATAL" }, # Has flag set to "FATAL" + { name = "log_min_messages", value = "PANIC" }, # Has flag set to "PANIC" ] } } -resource "google_sql_database_instance" "negative_6" { +resource "google_sql_database_instance" "negative_6" { # Single object support test 1 name = "mysql-instance-with-flag" database_version = "POSTGRES_15" region = "us-central1" 
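Review bot: `get_results` binds the iteration variable `x` inside a function body, so an instance that carries two or more `log_min_messages` entries which both fail the `inArray` check makes the function yield two different outputs for the same arguments, and OPA aborts evaluation with a conflict error instead of reporting both findings, whereas the deleted rule iterated in `CxPolicy` itself and produced one result per offending flag. The fixtures only ever hold one non-compliant entry per instance, so the tests will not surface this. Building the array branch's result as a comprehension (one entry per offending flag) and iterating over it in `CxPolicy` with `results := get_results(resource, name)[_]`, with the single-object branch returning a one-element array, restores one finding per flag; the later "logic simplification" patch keeps the same per-`x` structure, so the same change applies there. Separately, `inArray` compares case-sensitively, so a value such as `"warning"` would be reported as non-compliant if the provider accepts lower-case severities; normalising with `upper(flag.value)` before the comparison avoids that false positive.
```rego
CxPolicy[result] {
    resource := input.document[i].resource.google_sql_database_instance[name]

    contains(resource.database_version, "POSTGRES")
    # get_results always yields an array: one finding per offending flag
    results := get_results(resource, name)[_]

    # … unchanged: result object …
}

get_results(resource, name) = results { # array: collect every offending entry
    results := [r |
        flag := resource.settings.database_flags[x]
        flag.name == "log_min_messages"
        not common_lib.inArray(["WARNING", "ERROR", "LOG", "FATAL", "PANIC"], flag.value)
        r := {
            "searchKey" : sprintf("google_sql_database_instance[%s].settings.database_flags[%d].name", [name, x]),
            "keyActualValue" : sprintf("'google_sql_database_instance[%s].settings.database_flags' sets 'log_min_messages' to '%s'", [name, flag.value]),
            "searchLine" : common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings", "database_flags", x, "name"], [])
        }
    ]
    count(results) > 0
} else = results { # single object
    # … unchanged: name / value checks …
    results := [{
        # … unchanged: searchKey / keyActualValue / searchLine …
    }]
}
```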
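Review bot: negative_5 now declares `log_min_messages` five times inside one `database_flags` list, which is unlikely to be accepted as a real instance configuration (a flag is set once per instance; I have not verified the provider's behaviour), so the fixture stops resembling genuine input, and because every value is compliant it cannot show how the query behaves when compliant and offending duplicates are mixed. Keeping one `log_min_messages` entry per resource, as the pre-change negative_5 through negative_9 did, with negative_5 holding `{ name = "log_min_messages", value = "WARNING" }` as the boundary case, keeps the fixture realistic; the later "fixed tests and typo" patch repeats the same multi-entry pattern with three `database_flags` blocks and drops the WARNING boundary from the list form.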
@@ -58,27 +62,14 @@ resource "google_sql_database_instance" "negative_6" { settings { tier = "db-f1-micro" - database_flags = [ - { name = "log_min_messages", value = "ERROR" }, # Has flag set to "ERROR" - ] - } -} - -resource "google_sql_database_instance" "negative_7" { - name = "mysql-instance-with-flag" - database_version = "POSTGRES_15" - region = "us-central1" - - settings { - tier = "db-f1-micro" - - database_flags = [ - { name = "log_min_messages", value = "LOG" }, # Has flag set to "LOG" - ] + database_flags { + name = "log_min_messages" + value = "WARNING" + } # Has flag set to "WARNING" (minimum) } } -resource "google_sql_database_instance" "negative_8" { +resource "google_sql_database_instance" "negative_7" { # Single object support test 2 name = "mysql-instance-with-flag" database_version = "POSTGRES_15" region = "us-central1" @@ -86,22 +77,9 @@ resource "google_sql_database_instance" "negative_8" { settings { tier = "db-f1-micro" - database_flags = [ - { name = "log_min_messages", value = "FATAL" }, # Has flag set to "FATAL" - ] - } -} - -resource "google_sql_database_instance" "negative_9" { - name = "mysql-instance-with-flag" - database_version = "POSTGRES_15" - region = "us-central1" - - settings { - tier = "db-f1-micro" - - database_flags = [ - { name = "log_min_messages", value = "PANIC" }, # Has flag set to "PANIC" - ] + database_flags { + name = "log_min_messages" + value = "PANIC" + } # Has flag set to "PANIC" } } diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_treshold/test/positive.tf b/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/test/positive.tf similarity index 57% rename from assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_treshold/test/positive.tf rename to assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/test/positive.tf index fdc3c307aeb..c4a79ce5894 100644 
--- a/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_treshold/test/positive.tf +++ b/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/test/positive.tf @@ -1,4 +1,4 @@ -resource "google_sql_database_instance" "positive_4" { +resource "google_sql_database_instance" "positive_1" { name = "postgres-instance-with-flag" database_version = "POSTGRES_14" region = "us-central1" @@ -12,7 +12,7 @@ resource "google_sql_database_instance" "positive_4" { } } -resource "google_sql_database_instance" "positive_5" { +resource "google_sql_database_instance" "positive_2" { name = "postgres-instance-with-flag" database_version = "POSTGRES_13" region = "us-central1" @@ -23,3 +23,16 @@ resource "google_sql_database_instance" "positive_5" { ] } } + +resource "google_sql_database_instance" "positive_3" { # Single object support test + name = "postgres-instance-with-flag" + database_version = "POSTGRES_13" + region = "us-central1" + + settings { + database_flags { + name = "log_min_messages" + value = "INFO" + } # Flag is set to "INFO" + } +} diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_treshold/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/test/positive_expected_result.json similarity index 66% rename from assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_treshold/test/positive_expected_result.json rename to assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/test/positive_expected_result.json index cb82f51d1bf..96af1af645b 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_treshold/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/test/positive_expected_result.json 
@@ -8,5 +8,10 @@ "queryName": "Beta - SQL DB Instance With Unrecommended Logging Treshold", "severity": "LOW", "line": 22 + }, + { + "queryName": "Beta - SQL DB Instance With Unrecommended Logging Treshold", + "severity": "LOW", + "line": 34 } ] diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_treshold/query.rego b/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_treshold/query.rego deleted file mode 100644 index 843aad22f59..00000000000 --- a/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_treshold/query.rego +++ /dev/null @@ -1,27 +0,0 @@ -package Cx - -import data.generic.common as common_lib -import data.generic.terraform as tf_lib - -CxPolicy[result] { - resource := input.document[i].resource.google_sql_database_instance[name] - - contains(resource.database_version, "POSTGRES") - resource.settings.database_flags[x].name == "log_min_messages" - not common_lib.inArray(["WARNING", "ERROR", "LOG", "FATAL", "PANIC"], resource.settings.database_flags[x].value) - - result := { - "documentId": input.document[i].id, - "resourceType": "google_sql_database_instance", - "resourceName": tf_lib.get_resource_name(resource, name), - "searchKey": sprintf("google_sql_database_instance[%s].settings.database_flags[%d].name", [name, x]), - "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should set 'log_min_messages' to 'WARNING' or a higher severity", [name]), - "keyActualValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' sets 'log_min_messages' to '%s'", [name, resource.settings.database_flags[x].value]), - "searchLine": common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings", "database_flags", x, "name"], []) - } -} - -has_flag(database_flags) { - database_flags[_].name == "log_min_messages" -} From 621ec9184c19b0e81716e3fd9bb86b638a908c19 Mon Sep 17 00:00:00 2001 
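Review bot: The added entry, like the two existing ones in this file, expects `"queryName": "Beta - SQL DB Instance With Unrecommended Logging Treshold"`, while this same patch renames the query to `Beta - SQL DB Instance With Unrecommended Logging Threshold` in metadata.json, so the expected-results comparison fails at this commit. Updating all three entries to `"queryName": "Beta - SQL DB Instance With Unrecommended Logging Threshold"` in the same patch keeps every step of the series passing.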
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Wed, 22 Oct 2025 11:25:48 +0100 Subject: [PATCH 07/12] logic simplification --- .../query.rego | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/query.rego b/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/query.rego index f736a426683..f08602da7fb 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/query.rego +++ b/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/query.rego @@ -16,7 +16,7 @@ CxPolicy[result] { "searchKey": results.searchKey, "issueType": "IncorrectValue", "keyExpectedValue": sprintf("'google_sql_database_instance[%s].settings.database_flags' should set 'log_min_messages' to 'WARNING' or a higher severity", [name]), - "keyActualValue": results.keyActualValue, + "keyActualValue" : sprintf("'google_sql_database_instance[%s].settings.database_flags' sets 'log_min_messages' to '%s'", [name, results.value]), "searchLine": results.searchLine } } @@ -27,8 +27,8 @@ get_results(resource, name) = results { # array results := { "searchKey" : sprintf("google_sql_database_instance[%s].settings.database_flags[%d].name", [name, x]), - "keyActualValue" : sprintf("'google_sql_database_instance[%s].settings.database_flags' sets 'log_min_messages' to '%s'", [name, resource.settings.database_flags[x].value]), - "searchLine" : common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings", "database_flags", x, "name"], []) + "searchLine" : common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings", "database_flags", x, "name"], []), + "value" : resource.settings.database_flags[x].value } } else = results { # single object resource.settings.database_flags.name == "log_min_messages" 
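Review bot: The replaced line writes the key as `"keyActualValue" : sprintf(...)` with a space before the colon, while every sibling key in this `result` object uses the `"key": value` form, so the object now mixes two spacings. Writing `"keyActualValue": sprintf(...)` keeps the object uniform; the `get_results` bodies below use the spaced form throughout, so normalising one file to a single style would avoid the mix.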
@@ -36,7 +36,7 @@ get_results(resource, name) = results { # array results := { "searchKey" : sprintf("google_sql_database_instance[%s].settings.database_flags.name", [name]), - "keyActualValue" : sprintf("'google_sql_database_instance[%s].settings.database_flags' sets 'log_min_messages' to '%s'", [name, resource.settings.database_flags.value]), - "searchLine" : common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings", "database_flags", "name"], []) + "searchLine" : common_lib.build_search_line(["resource", "google_sql_database_instance", name, "settings", "database_flags", "name"], []), + "value" : resource.settings.database_flags.value } } From 3dfd204836a7f031e6d335231d2bc906656b95a4 Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Wed, 22 Oct 2025 11:40:43 +0100 Subject: [PATCH 08/12] typo fix in expected results --- .../test/positive_expected_result.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/test/positive_expected_result.json index 96af1af645b..f95c0ef328e 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/test/positive_expected_result.json 
@@ -1,16 +1,16 @@ [ { - "queryName": "Beta - SQL DB Instance With Unrecommended Logging Treshold", + "queryName": "Beta - SQL DB Instance With Unrecommended Logging Threshold", "severity": "LOW", "line": 9 }, { - "queryName": "Beta - SQL DB Instance With Unrecommended Logging Treshold", + "queryName": "Beta - SQL DB Instance With Unrecommended Logging Threshold", "severity": "LOW", "line": 22 }, { - "queryName": "Beta - SQL DB Instance With Unrecommended Logging Treshold", + "queryName": "Beta - SQL DB Instance With Unrecommended Logging Threshold", "severity": "LOW", "line": 34 } From 87bc64a8b262051c9bb21120270bcf529440d92b Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Wed, 22 Oct 2025 14:44:36 +0100 Subject: [PATCH 09/12] small negative test improvement --- .../test/negative.tf | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/test/negative.tf b/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/test/negative.tf index 01962868c38..bcbeb90489c 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/test/negative.tf +++ b/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/test/negative.tf @@ -5,6 +5,10 @@ resource "google_sql_database_instance" "negative_1" { settings { tier = "db-f1-micro" + + database_flags = [ + { name = "log_min_messages", value = "DEBUG3" } + ] } } From 6c2e2fc0be3ff9e451148af04f7a38c5a301ab12 Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Mon, 27 Oct 2025 16:20:20 +0000 Subject: [PATCH 10/12] fixed tests and typo --- .../metadata.json | 2 +- .../test/negative.tf | 34 ++++++++++++------- .../test/positive.tf | 30 ++++++++++------ .../test/positive_expected_result.json | 6 ++-- 4 files changed, 46 insertions(+), 26 deletions(-) 
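Review bot: The `DEBUG3` value added to negative_1 is below the WARNING threshold, so it is a negative case only because something outside this hunk exempts the resource — presumably negative_1's `database_version` is not a POSTGRES one, which I cannot confirm from here — and nothing in the added lines says so. A comment on the new block, `# Below threshold but not flagged: the query only evaluates POSTGRES instances` (adjusted to the actual reason), keeps the fixture self-explanatory. The enclosing resource block starts outside the hunk.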
diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/metadata.json b/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/metadata.json index 8d8de651273..295cde8c5a3 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/metadata.json +++ b/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/metadata.json @@ -3,7 +3,7 @@ "queryName": "Beta - SQL DB Instance With Unrecommended Logging Threshold", "severity": "LOW", "category": "Observability", - "descriptionText": "All 'google_sql_database_instance' resources based on POSTGRES should have the 'log_min_messages' flag set to 'WARNING' or a higher severity to prevent excessively logging", + "descriptionText": "All 'google_sql_database_instance' resources based on POSTGRES should have the 'log_min_messages' flag set to 'WARNING' or a higher severity to prevent excessive logging", "descriptionUrl": "https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance.html#settings-1", "platform": "Terraform", "descriptionID": "ecbbe763", diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/test/negative.tf b/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/test/negative.tf index bcbeb90489c..8bbb638d36c 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/test/negative.tf +++ b/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/test/negative.tf @@ -6,9 +6,10 @@ resource "google_sql_database_instance" "negative_1" { settings { tier = "db-f1-micro" - database_flags = [ - { name = "log_min_messages", value = "DEBUG3" } - ] + database_flags { + name = "log_min_messages" + value = "DEBUG3" + } } } 
@@ -34,9 +35,11 @@ resource "google_sql_database_instance" "negative_4" { region = "us-central1" settings { - database_flags = [ + database_flags { + name = "sample_flag1" + value = "DEBUG3" + } # Defaults to "ERROR" - ] } } @@ -48,13 +51,20 @@ resource "google_sql_database_instance" "negative_5" { settings { tier = "db-f1-micro" - database_flags = [ - { name = "log_min_messages", value = "WARNING" }, # Has flag set to "WARNING" (minimum) - { name = "log_min_messages", value = "ERROR" }, # Has flag set to "ERROR" - { name = "log_min_messages", value = "LOG" }, # Has flag set to "LOG" - { name = "log_min_messages", value = "FATAL" }, # Has flag set to "FATAL" - { name = "log_min_messages", value = "PANIC" }, # Has flag set to "PANIC" - ] + database_flags { + name = "log_min_messages" + value = "ERROR" + } # Has flag set to "ERROR" + + database_flags { + name = "log_min_messages" + value = "FATAL" + } # Has flag set to "FATAL" + + database_flags { + name = "log_min_messages" + value = "LOG" + } # Has flag set to "LOG" } } diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/test/positive.tf b/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/test/positive.tf index c4a79ce5894..d3f89892cbd 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/test/positive.tf +++ b/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/test/positive.tf 
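Review bot: In negative_4 the comment `# Defaults to "ERROR"` now stands on its own after the `sample_flag1` block, where it reads as if it described that flag rather than the absent `log_min_messages`. Attaching it to the block's closing brace with its subject named, `} # 'log_min_messages' is absent: server default is "ERROR"`, keeps the reason for this being a negative case next to the code it explains.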
@@ -4,27 +4,37 @@ resource "google_sql_database_instance" "positive_1" { region = "us-central1" settings { - database_flags = [ - { name = "sample_flag1", value = "off" }, - { name = "log_min_messages", value = "NOTICE" }, # Flag is set to "NOTICE" - { name = "sample_flag2", value = "off" } - ] + database_flags { + name = "sample_flag1" + value = "off" + } + + database_flags { # Flag is set to "NOTICE" + name = "log_min_messages" + value = "NOTICE" + } + + database_flags { + name = "sample_flag2" + value = "off" + } } } -resource "google_sql_database_instance" "positive_2" { +resource "google_sql_database_instance" "positive_2" { # Single object support test 1 name = "postgres-instance-with-flag" database_version = "POSTGRES_13" region = "us-central1" settings { - database_flags = [ - { name = "log_min_messages", value = "DEBUG5" }, # Flag is set to "DEBUG5" - ] + database_flags { + name = "log_min_messages" + value = "DEBUG5" + } # Flag is set to "DEBUG5" } } -resource "google_sql_database_instance" "positive_3" { # Single object support test +resource "google_sql_database_instance" "positive_3" { # Single object support test 2 name = "postgres-instance-with-flag" database_version = "POSTGRES_13" region = "us-central1" diff --git a/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/test/positive_expected_result.json b/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/test/positive_expected_result.json index f95c0ef328e..970ae9b2077 100644 --- a/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/test/positive_expected_result.json +++ b/assets/queries/terraform/gcp/sql_db_instance_with_unrecommended_logging_threshold/test/positive_expected_result.json 
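Review bot: positive_1 places its explanatory comment on the block opener, `database_flags { # Flag is set to "NOTICE"`, while positive_2 and positive_3 in the same file put the equivalent comment after the closing brace, `} # Flag is set to "DEBUG5"`, so the three fixtures document the same thing in two layouts. Moving the positive_1 comment to the closing brace, `} # Flag is set to "NOTICE"`, keeps the file consistent.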
@@ -2,16 +2,16 @@ { "queryName": "Beta - SQL DB Instance With Unrecommended Logging Threshold", "severity": "LOW", - "line": 9 + "line": 13 }, { "queryName": "Beta - SQL DB Instance With Unrecommended Logging Threshold", "severity": "LOW", - "line": 22 + "line": 31 }, { "queryName": "Beta - SQL DB Instance With Unrecommended Logging Threshold", "severity": "LOW", - "line": 34 + "line": 44 } ] From 183289ea060245030151800796e0f8b2ec84d21f Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Tue, 28 Oct 2025 13:54:01 +0000 Subject: [PATCH 11/12] simId transition update --- assets/similarityID_transition/terraform_gcp.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/assets/similarityID_transition/terraform_gcp.yaml b/assets/similarityID_transition/terraform_gcp.yaml index c3eeee7d298..97903a6a5c0 100644 --- a/assets/similarityID_transition/terraform_gcp.yaml +++ b/assets/similarityID_transition/terraform_gcp.yaml @@ -3,3 +3,7 @@ similarityIDChangeList: queryName: Beta - Google DNS Policy Logging Disabled observations: "" change: 2 + - queryId: ecbbe763-95dc-47e6-8660-84ff751e5acf + queryName: Beta - SQL DB Instance With Unrecommended Logging Threshold + observations: "" + change: 2 From 3cf60776a3e8c4c58d7497fd96f5a15f492e8c28 Mon Sep 17 00:00:00 2001 From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com> Date: Wed, 5 Nov 2025 12:09:22 +0000 Subject: [PATCH 12/12] fix simId file --- assets/similarityID_transition/terraform_gcp.yaml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/assets/similarityID_transition/terraform_gcp.yaml b/assets/similarityID_transition/terraform_gcp.yaml index 2d13c903fd0..56b430accd7 100644 --- a/assets/similarityID_transition/terraform_gcp.yaml +++ b/assets/similarityID_transition/terraform_gcp.yaml 
@@ -3,16 +3,15 @@ similarityIDChangeList: queryName: Beta - Google DNS Policy Logging Disabled observations: "" change: 2 -<<<<<<< HEAD - queryId: ecbbe763-95dc-47e6-8660-84ff751e5acf queryName: Beta - SQL DB Instance With Unrecommended Logging Threshold -======= + observations: "" + change: 2 - queryId: 51a2c34d-dfd0-436f-aa34-e8f796e052fd queryName: Beta - SQL DB Instance With Local Data Loading Enabled observations: "" change: 2 - queryId: b5b70198-2a34-4792-b0d9-ce99abe485bb queryName: Beta - SQL DB Instance With Exposed Show Privileges ->>>>>>> 67c75db65aa3c1c204b37ea6325eb211aed3159d observations: "" change: 2