Ensure Azure PostgreSQL database server with log connections parameter is enabled

Error: Azure PostgreSQL database server with log connections parameter is disabled

Bridgecrew Policy ID: BC_AZR_NETWORKING_12
Checkov Check ID: CKV_AZURE_31 (https://github.com/bridgecrewio/checkov/tree/master/checkov/terraform/checks/resource/azure/PostgreSQLServerLogConnectionsEnabled.py)
Severity: MEDIUM

Description

Enabling log_connections makes a PostgreSQL database server log each attempted connection to the server, in addition to logging the successful completion of client authentication. Log data can be used to identify, troubleshoot, and repair configuration errors, and to identify sub-optimal performance.

We recommend you set log_connections to On for PostgreSQL Server Databases.
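
A build-time check for this recommendation, as an added example that is not Checkov's or Bridgecrew's own code: it reads the JSON produced by `terraform show -json` and reports, for each planned PostgreSQL server, whether a log_connections configuration is on, is set to something else, or is not declared in the plan. The plan data, the server names and the pass/fail/unset labels are constructed for illustration.

```python
import json

# Constructed sample: trimmed `terraform show -json <planfile>` output (not from the page).
SAMPLE_PLAN = json.loads("""
{"planned_values": {"root_module": {
  "resources": [
    {"address": "azurerm_postgresql_server.app", "type": "azurerm_postgresql_server",
     "values": {"name": "pg-app"}},
    {"address": "azurerm_postgresql_server.legacy", "type": "azurerm_postgresql_server",
     "values": {"name": "pg-legacy"}},
    {"address": "azurerm_postgresql_configuration.app_log",
     "type": "azurerm_postgresql_configuration",
     "values": {"name": "log_connections", "server_name": "pg-app", "value": "off"}}
  ],
  "child_modules": [{"resources": [
    {"address": "module.db.azurerm_postgresql_server.reports",
     "type": "azurerm_postgresql_server", "values": {"name": "pg-reports"}},
    {"address": "module.db.azurerm_postgresql_configuration.log",
     "type": "azurerm_postgresql_configuration",
     "values": {"name": "log_connections", "server_name": "pg-reports", "value": "on"}}
  ]}]
}}}
""")


def walk(module):
    """Yield every resource in a module and, recursively, in its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from walk(child)


def audit_log_connections(plan):
    """Map each planned server name to 'pass', 'fail' or 'unset' (not declared in the plan)."""
    resources = list(walk(plan.get("planned_values", {}).get("root_module", {})))
    # Key on the address when the name is not known until apply.
    status = {r.get("values", {}).get("name") or r["address"]: "unset"
              for r in resources if r["type"] == "azurerm_postgresql_server"}
    for r in resources:
        v = r.get("values", {})
        if r["type"] == "azurerm_postgresql_configuration" and v.get("name") == "log_connections":
            # Case-insensitive match on "on" is a choice made for this example.
            ok = str(v.get("value", "")).lower() == "on"
            # The target server may live outside this plan; it is still reported.
            status[v.get("server_name") or r["address"]] = "pass" if ok else "fail"
    return status


if __name__ == "__main__":
    for server, result in sorted(audit_log_connections(SAMPLE_PLAN).items()):
        print(f"{result:5}  {server}")
```
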

Fix - Runtime

Azure Portal

To change the policy using the Azure Portal, follow these steps:

  1. Log in to the Azure Portal at https://portal.azure.com.
  2. Navigate to Azure Database for PostgreSQL server.
  3. For each database:
    a) Click Server parameters.
    b) Navigate to log_connections.
    c) Click On.
    d) Click Save.

CLI Command

To update the log_connections configuration, use the following command:

az postgres server configuration set \
  --resource-group <resourceGroupName> \
  --server-name <serverName> \
  --name log_connections \
  --value on

Fix - Buildtime

Terraform

  • Resource: azurerm_postgresql_configuration
  • Argument: name + value
- resource "azurerm_postgresql_configuration" "example" {
-    name                = "log_connections"
-    resource_group_name = data.azurerm_resource_group.example.name
-    server_name         = azurerm_postgresql_server.example.name
-    value               = "off"
}
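
Review bot: the resource block is marked as removed down to `value = "off"` and no `+` line follows, so the Buildtime fix never shows the compliant setting; add `+    value               = "on"` to match the recommendation in the Description. The name, resource_group_name and server_name lines do not differ between the two states, so they read better as unmarked context, like the closing brace, leaving `value` as the only marked line.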