
CKV_GCP_109, CKV_GCP_55 tests still fail after recommended changes for PostgreSQL's database_flag for log levels (Terraform and GCP) #6057

Closed
marcin-kulik opened this issue Feb 29, 2024 · 2 comments
Labels
checks Check additions or changes

Comments

marcin-kulik commented Feb 29, 2024

Tests still fail after recommended changes

My Terraform code fails on the above 2 tests:

Check: CKV_GCP_109: "Ensure the GCP PostgreSQL database log levels are set to ERROR or lower"
    FAILED for resource: google_sql_database_instance.cloud_sql
    File: /cloud_sql.tf:1-74
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/logging-policies-1/bc-google-cloud-109
        Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_GCP_55: "Ensure PostgreSQL database 'log_min_messages' flag is set to a valid value"
    FAILED for resource: google_sql_database_instance.cloud_sql
    File: /cloud_sql.tf:1-74
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/cloud-sql-policies/bc-gcp-sql-6

My code was changed according to the advice.
I tried both ERROR and DEBUG5 with no success.

resource "google_sql_database_instance" "cloud_sql" {
  name             = "cloud-sql"
  database_version = "POSTGRES_15"
  region           = var.region
  project          = var.project_id

  settings {
    tier = "db-f1-micro"

    backup_configuration {
      enabled = true
    }
    ip_configuration {
      ipv4_enabled    = false
      require_ssl     = false
      private_network = "projects/${var.project_id}/global/networks/${var.network}"
    }
    database_flags {
      name  = "log_statement"
      value = "all"
    }
    database_flags {
      name  = "log_lock_waits"
      value = "on"
    }
    database_flags {
      name  = "log_connections"
      value = "on"
    }
    database_flags {
      name  = "log_checkpoints"
      value = "on"
    }
    database_flags {
      name  = "log_disconnections"
      value = "on"
    }
    database_flags {
      name  = "log_hostname"
      value = "on"
    }
    database_flags {
      name  = "log_min_error_statement"
      value = "ERROR"
    }
    database_flags {
      name  = "log_min_messages"
      value = "ERROR"
    }
#    database_flags {
#      name  = "log_min_messages"
#      value = "DEBUG5"
#    }
#    database_flags {
#      name  = "enable_pgaudit"
#      value = "on"
#    }
    database_flags {
      name  = "pgaudit.log"
      value = "'all'"
    }
    database_flags {
      name  = "log_duration"
      value = "on"
    }
  }
  deletion_protection = false
  depends_on          = [google_service_networking_connection.private_vpc_connection]
}

Version:
Checkov 3.2.25

Additional context
I am running checkov from the Azure DevOps pipeline on Ubuntu 20.04.
Most of the checks behave normally.

Here are Azure DevOps tasks:

          - task: Bash@3
            displayName: 'Install checkov 3.2.25'
            inputs:
              targetType: 'inline'
              script: |
                pip3 install checkov==3.2.25

          - task: Bash@3
            displayName: 'Run checkov'
            inputs:
              targetType: 'filePath'
              filePath: ${{ parameters.rootDirectory }}/pipeline-templates/gcp/scripts/run_checkov.sh
              arguments: >
                ${{ parameters.rootDirectory }}/${{ parameters.repositoryName }}/${{ parameters.terraformFolder }}
                ${{ parameters.checkovSkipCheck }}

Here is my bash script to run checkov:

#!/bin/bash

terraform_working_directory="$1"
skip_check="$2"

echo "Terraform Working Directory: $1"
echo "Skip Check: $2"

python3 -m venv .venv
source .venv/bin/activate
pip3 install --upgrade pip
pip3 install --upgrade checkov

echo "Executing Checkov with skip checks"
echo "checkov -d \"$terraform_working_directory\" --download-external-modules true --skip-check \"$skip_check\" --output cli"
echo "Skip checks to be passed to Checkov: \"$skip_check\""

checkov -d "$terraform_working_directory" --download-external-modules true --skip-check $skip_check --output cli
checkov_exit_code=$?

if [ $checkov_exit_code -ne 0 ]; then
  echo "Checkov identified issues."
  exit $checkov_exit_code
else
  echo "Checkov completed successfully with no issues."
fi
@marcin-kulik marcin-kulik added the checks Check additions or changes label Feb 29, 2024
@marcin-kulik marcin-kulik changed the title CKV_GCP_109, CKV_GCP_55 tests still fail after recomended changes (Terraform and GCP) CKV_GCP_109, CKV_GCP_55 tests still fail after recomended changes for PostrgeSQL's database_flag for log levels (Terraform and GCP) Feb 29, 2024
Contributor

gruebel commented Feb 29, 2024

Hey @marcin-kulik, thanks for reaching out.

The reason your resource fails to comply is quite simple: we are checking for lower-case values, not upper case, as it is written in the official GCP docs https://cloud.google.com/sql/docs/postgres/flags#postgres-l

enumeration
debug5 | debug4 | debug3 | debug2 | debug1 | info | notice | warning | error | log | fatal | panic

If it is valid to set the values in upper case, then the check can be extended accordingly.
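To make the case-sensitivity point concrete, here is an added example (not Checkov's own code, and not from either participant) that models the two checks over the flag blocks from the posted resource. The regex extractor, the `check_*` functions and the reading of "ERROR or lower" as "`error` or a less verbose level for `log_min_error_statement`" are my assumptions; only the enumeration of valid values comes from the thread. The commented-out `DEBUG5` block is handled as the edge case it is: a `#`-commented block is not a configured flag.

```python
import re

# Valid values for the Cloud SQL for PostgreSQL log-level flags, copied from the
# enumeration quoted in the thread; GCP documents them in lower case, ordered
# from most verbose (debug5) to least verbose (panic).
LOG_LEVELS = [
    "debug5", "debug4", "debug3", "debug2", "debug1", "info", "notice",
    "warning", "error", "log", "fatal", "panic",
]

# Matches one `database_flags { name = "..." value = "..." }` block in HCL text.
# Assumption: a deliberately small extractor, not a real HCL parser.
FLAG_BLOCK_RE = re.compile(
    r'database_flags\s*\{\s*name\s*=\s*"([^"]+)"\s*value\s*=\s*"([^"]+)"\s*\}'
)


def parse_database_flags(hcl_text):
    """Return {flag_name: value} for every active database_flags block.

    Lines starting with `#` are dropped first, so commented-out blocks (like the
    DEBUG5 one in the issue) do not count as configured flags.
    """
    active = "\n".join(
        line for line in hcl_text.splitlines() if not line.lstrip().startswith("#")
    )
    return dict(FLAG_BLOCK_RE.findall(active))


def check_log_min_messages(flags, case_sensitive=True):
    """Model of CKV_GCP_55: log_min_messages must be one of the enumerated values.

    case_sensitive=True is the exact comparison the maintainer describes, so
    "ERROR" fails and "error" passes. case_sensitive=False models the extension
    suggested in the thread (accepting upper case as well).
    """
    value = flags.get("log_min_messages")
    if value is None:
        return False
    if not case_sensitive:
        value = value.lower()
    return value in LOG_LEVELS


def check_log_min_error_statement(flags):
    """Model of CKV_GCP_109 (assumption: "ERROR or lower" read as log_min_error_statement
    set to `error` or a less verbose level, i.e. error/log/fatal/panic).

    A missing flag fails, which matches the observation in the thread that both
    flags had to be set before the scan passed.
    """
    value = flags.get("log_min_error_statement")
    return value in LOG_LEVELS and LOG_LEVELS.index(value) >= LOG_LEVELS.index("error")


def evaluate(hcl_text):
    """Run both modelled checks over a resource and report PASSED/FAILED per check."""
    flags = parse_database_flags(hcl_text)
    return {
        "CKV_GCP_55": "PASSED" if check_log_min_messages(flags) else "FAILED",
        "CKV_GCP_109": "PASSED" if check_log_min_error_statement(flags) else "FAILED",
    }


# Constructed sample input: the relevant flag blocks from the resource posted in the
# issue, with the upper-case values and the commented-out DEBUG5 block.
ORIGINAL_RESOURCE = '''
resource "google_sql_database_instance" "cloud_sql" {
  settings {
    database_flags {
      name  = "log_min_error_statement"
      value = "ERROR"
    }
    database_flags {
      name  = "log_min_messages"
      value = "ERROR"
    }
#    database_flags {
#      name  = "log_min_messages"
#      value = "DEBUG5"
#    }
    database_flags {
      name  = "pgaudit.log"
      value = "'all'"
    }
  }
}
'''

# Constructed sample input: the lower-case values from the final, passing configuration.
FIXED_RESOURCE = ORIGINAL_RESOURCE.replace('"ERROR"', '"error"')

# Constructed sample input: the intermediate attempt described later in the thread,
# lower-case log_min_messages but no log_min_error_statement flag at all.
PARTIAL_RESOURCE = '''
resource "google_sql_database_instance" "cloud_sql" {
  settings {
    database_flags {
      name  = "log_min_messages"
      value = "error"
    }
  }
}
'''

if __name__ == "__main__":
    for label, hcl in (("original", ORIGINAL_RESOURCE),
                       ("partial", PARTIAL_RESOURCE),
                       ("fixed", FIXED_RESOURCE)):
        print(label, evaluate(hcl))
```

Running it reproduces the three states seen in the thread: the original resource fails both checks because `"ERROR"` is not in the lower-case enumeration, the intermediate attempt passes CKV_GCP_55 but still fails CKV_GCP_109 because `log_min_error_statement` is absent, and the final lower-case configuration passes both.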

@marcin-kulik
Author

I tried it before with the lowercase but without the log_min_error_statement flag. Looks like both of them are necessary for that to work.

    database_flags {
      name  = "log_min_error_statement"
      value = "error"
    }
    database_flags {
      name  = "log_min_messages"
      value = "error"
    }

It is passing now, thank you so much for your help!
