feat: support pgAudit for PgSQL (#19)

* feat: support pgAudit for PgSQL

* fix: update go dependencies

.github/workflows/terratest.yaml

@@ -18,17 +18,17 @@ env:
 jobs:
   terratest:
     name: terratest
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-20.04
     steps:
       - name: Check out code into the Go module directory
         uses: actions/checkout@v3
         with:
           submodules: true
 
-      - name: Set up Go (1.17)
+      - name: Set up Go (1.18)
         uses: actions/setup-go@v3
         with:
-          go-version: 1.17
+          go-version: 1.18
         id: go
 
       - id: "google-cloud-auth"
@@ -50,7 +50,7 @@ jobs:
         run: |
           cd test
           go clean -testcache
-          go test -v -timeout 60m
+          go test -v -timeout 90m
       - name: Release
         if: github.event_name == 'push'
         uses: cycjimmy/semantic-release-action@v2

.pre-commit-config.yaml

@@ -13,7 +13,7 @@ repos:
       - id: check-yaml
       - id: check-added-large-files
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.74.1 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
+    rev: v1.75.0 # Get the latest from: https://github.com/antonbabenko/pre-commit-terraform/releases
     hooks:
       - id: terraform_fmt
       - id: terraform_docs

examples/create_mysql_instance_with_private_ip/README.md

@@ -7,7 +7,7 @@ No requirements.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_random"></a> [random](#provider\_random) | 3.3.2 |
+| <a name="provider_random"></a> [random](#provider\_random) | 3.4.3 |
 
 ## Modules
 

examples/create_mysql_instance_with_public_ip/README.md

@@ -7,7 +7,7 @@ No requirements.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_random"></a> [random](#provider\_random) | 3.3.2 |
+| <a name="provider_random"></a> [random](#provider\_random) | 3.4.3 |
 
 ## Modules
 

examples/mysql_instance_with_read_replica/README.md

@@ -7,7 +7,7 @@ No requirements.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_random"></a> [random](#provider\_random) | 3.3.2 |
+| <a name="provider_random"></a> [random](#provider\_random) | 3.4.3 |
 
 ## Modules
 

examples/postgres_instance_with_read_replica/README.md

@@ -7,7 +7,7 @@ No requirements.
 
 | Name | Version |
 |------|---------|
-| <a name="provider_random"></a> [random](#provider\_random) | 3.3.2 |
+| <a name="provider_random"></a> [random](#provider\_random) | 3.4.3 |
 
 ## Modules
 

modules/google_sql_database_instance/main.tf

@@ -16,6 +16,11 @@ locals {
   }
 
   postgres_database_flags = {
+    "cloudsql.enable_pgaudit" = "on"
+    "pgaudit.log"             = "all"
+    "pgaudit.log_client"      = "on"
+    "pgaudit.log_level"       = "notice"
+    log_hostname              = "on"
     # google-sql-enable-pg-temp-file-logging
     log_temp_files = "0"
     # google-sql-pg-log-connections
@@ -43,6 +48,10 @@ resource "google_sql_database_instance" "instance" {
   #checkov:skip=CKV_GCP_52:Ensure PostgreSQL database 'log_connections' flag is set to 'on'
   #checkov:skip=CKV_GCP_53:Ensure PostgreSQL database 'log_disconnections' flag is set to 'on'
   #checkov:skip=CKV_GCP_54:Ensure PostgreSQL database 'log_lock_waits' flag is set to 'on'
+  #checkov:skip=CKV_GCP_108:Ensure hostnames are logged for GCP PostgreSQL databases 'log_hostname' flag is set to 'on'
+  #checkov:skip=CKV_GCP_109:Ensure the GCP PostgreSQL database log levels are set to ERROR or lower 'pgaudit.log_level' flag is set to 'notice'
+  #checkov:skip=CKV_GCP_110:Ensure pgAudit is enabled for your GCP PostgreSQL database 'cloudsql.enable_pgaudit' flag is set to 'on'
+  #checkov:skip=CKV_GCP_111:Ensure GCP PostgreSQL logs SQL statements 'pgaudit.log' flag is set to 'all'
 
   database_version = var.database_version
 
@@ -121,6 +130,10 @@ resource "google_sql_database_instance" "read_replica" {
   #checkov:skip=CKV_GCP_52:Ensure PostgreSQL database 'log_connections' flag is set to 'on'
   #checkov:skip=CKV_GCP_53:Ensure PostgreSQL database 'log_disconnections' flag is set to 'on'
   #checkov:skip=CKV_GCP_54:Ensure PostgreSQL database 'log_lock_waits' flag is set to 'on'
+  #checkov:skip=CKV_GCP_108:Ensure hostnames are logged for GCP PostgreSQL databases 'log_hostname' flag is set to 'on'
+  #checkov:skip=CKV_GCP_109:Ensure the GCP PostgreSQL database log levels are set to ERROR or lower 'pgaudit.log_level' flag is set to 'notice'
+  #checkov:skip=CKV_GCP_110:Ensure pgAudit is enabled for your GCP PostgreSQL database 'cloudsql.enable_pgaudit' flag is set to 'on'
+  #checkov:skip=CKV_GCP_111:Ensure GCP PostgreSQL logs SQL statements 'pgaudit.log' flag is set to 'all'
 
   depends_on = [
     google_sql_database_instance.instance

test/go.mod

@@ -1,10 +1,10 @@
 module github.com/honestbank/terraform-gcp-sql
 
-go 1.17
+go 1.18
 
 require (
-	github.com/gruntwork-io/terratest v0.40.17
-	github.com/stretchr/testify v1.7.5
+	github.com/gruntwork-io/terratest v0.40.22
+	github.com/stretchr/testify v1.8.0
 )
 
 require (
@@ -50,7 +50,6 @@ require (
 	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.1 // indirect
-	github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/pquerna/otp v1.2.0 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
@@ -76,7 +75,6 @@ require (
 	google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c // indirect
 	google.golang.org/grpc v1.38.0 // indirect
 	google.golang.org/protobuf v1.26.0 // indirect
-	gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect