Ensure GCP PostgreSQL instance database flag log_disconnections is enabled

Error: GCP PostgreSQL instance database flag log_disconnections is disabled

Bridgecrew Policy ID: BC_GCP_SQL_4
Checkov Check ID: CKV_GCP_53
Severity: LOW

GCP PostgreSQL instance database flag log_disconnections is disabled

Description

Enabling the log_disconnections database flag logs the end of each session, including the session duration. By default, PostgreSQL does not log when a session ends or how long it lasted. Enabling the log_disconnections database flag creates a log entry at the end of each session, which is useful when troubleshooting issues and for spotting unusual activity across a time period.

The log_disconnections and log_connections flags work hand in hand, and the pair would usually be enabled or disabled together.

We recommend you set the log_disconnections flag for a PostgreSQL instance to On.

Fix - Runtime

GCP Console

To change the policy using the GCP Console, follow these steps:

  1. Log in to the GCP Console at https://console.cloud.google.com.
  2. Navigate to Cloud SQL Instances.
  3. Select the PostgreSQL instance where the database flag needs to be enabled.
  4. Click Edit.
  5. Scroll down to the Flags section.
  6. To set a flag that has not been set on the instance before, click Add item.
  7. Select the flag log_disconnections from the drop-down menu, and set its value to On.
  8. Click Save.
  9. Confirm the changes in the Flags section on the Overview page.

CLI Command

  1. List all Cloud SQL database Instances using the following command:
    gcloud sql instances list
  2. Configure the log_disconnections database flag for every Cloud SQL PostgreSQL database instance using the following command:
    gcloud sql instances patch INSTANCE_NAME --database-flags log_disconnections=on

Note

This command will overwrite all previously set database flags. To keep those flags and add new ones, include the values for all flags to be set on the instance. Any flag not specifically included is set to its default value. For flags that do not take a value, specify the flag name followed by an equals sign (=).
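As an added example (not from the original page), a POSIX shell helper that applies the fix while honouring this note: it reads the flags already set on the instance, merges log_disconnections=on into that list, and patches with the full list so nothing is reset to its default. The gcloud output layout it parses (the flattened format printing one key: value line per field) is an assumption.

```shell
#!/bin/sh
# Added example: enable log_disconnections without clobbering the flags an
# instance already has. gcloud's --database-flags replaces the whole flag set,
# so the current flags are read first and merged with the new one.

# merge_flags CURRENT NAME VALUE
# CURRENT is "name=value,name=value" (the --database-flags syntax). Returns
# the same list with NAME set to VALUE: replaced if present, appended if not.
merge_flags() {
  current="$1"; new_name="$2"; new_value="$3"
  out=""; found=0
  old_ifs="$IFS"; IFS=','
  for kv in $current; do
    [ -n "$kv" ] || continue
    if [ "${kv%%=*}" = "$new_name" ]; then
      kv="$new_name=$new_value"; found=1
    fi
    out="${out:+$out,}$kv"
  done
  IFS="$old_ifs"
  if [ "$found" -eq 0 ]; then
    out="${out:+$out,}$new_name=$new_value"
  fi
  printf '%s' "$out"
}

# current_flags INSTANCE
# Reads the flags set on the instance. Assumes gcloud's flattened format
# prints "settings.databaseFlags[N].name: ..." and ".value: ..." lines, one
# field per line (an assumption about output layout, not from the page).
current_flags() {
  gcloud sql instances describe "$1" --format='flattened(settings.databaseFlags)' |
    awk '/\.name:/ { n = $2 } /\.value:/ { printf "%s%s=%s", sep, n, $2; sep = "," }'
}

# enable_log_disconnections INSTANCE
# Patches the instance with the merged flag list; with DRY_RUN=1 it only
# prints the gcloud command so the merged list can be reviewed first.
enable_log_disconnections() {
  merged=$(merge_flags "$(current_flags "$1")" log_disconnections on)
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf 'gcloud sql instances patch %s --database-flags %s\n' "$1" "$merged"
  else
    gcloud sql instances patch "$1" --database-flags "$merged"
  fi
}
```

Source the file and run `DRY_RUN=1 enable_log_disconnections INSTANCE_NAME` to see the exact patch command before applying it.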

Fix - Buildtime

Terraform

  • Resource: google_sql_database_instance
  • Arguments:
    database_version = "POSTGRES_*"
    settings::database_flags: name = "log_disconnections", value = "on" (the flag defaults to "off" when not set)

resource "google_sql_database_instance" "default" {
  name             = "master-instance"
  database_version = "POSTGRES_11"
  region           = "us-central1"

  settings {
    tier = "db-f1-micro" # required by the provider; placeholder value, use your own

    # Add this block: log_disconnections stays "off" unless set explicitly.
    database_flags {
      name  = "log_disconnections"
      value = "on"
    }
  }
}