Force CIS related PostgreSQL database flags (#19)

osinfra-io · Jan 20, 2024 · e4bb460 · e4bb460
1 parent fe75bee
commit e4bb460
Show file tree

Hide file tree

Showing 9 changed files with 66 additions and 37 deletions.
diff --git a/.coderabbit.yaml b/.coderabbit.yaml
@@ -0,0 +1,12 @@
+# CodeRabbit Configuration File
+# yaml-language-server: $schema=https://coderabbit.ai/integrations/coderabbit-overrides.v2.json
+# https://coderabbit.ai/docs/get-started/customize-coderabbit
+
+early_access: true
+reviews:
+  request_changes_workflow: true
+  auto_review:
+    enabled: true
+  poem: false
+chat:
+  auto_reply: true
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -21,7 +21,7 @@ repos:
         verbose: false
 
   - repo: https://github.com/antonbabenko/pre-commit-terraform
-    rev: v1.83.6
+    rev: v1.86.0
     hooks:
       - id: terraform_fmt
 

diff --git a/regional/README.md b/regional/README.md
@@ -34,7 +34,6 @@ No modules.
 | <a name="input_backup_start_time"></a> [backup\_start\_time](#input\_backup\_start\_time) | Time indicating when backup configuration starts | `string` | `"04:00"` | no |
 | <a name="input_client_certs"></a> [client\_certs](#input\_client\_certs) | A set of client cert names, note: 10 max per instance | `set(string)` | `[]` | no |
 | <a name="input_cost_center"></a> [cost\_center](#input\_cost\_center) | The cost center to use for resource labels | `string` | n/a | yes |
-| <a name="input_database_flags"></a> [database\_flags](#input\_database\_flags) | The database flags for Cloud SQL. See [PostgreSQL Flags](https://cloud.google.com/sql/docs/postgres/flags) | <pre>list(object({<br>    name  = string<br>    value = string<br>  }))</pre> | `[]` | no |
 | <a name="input_database_version"></a> [database\_version](#input\_database\_version) | The MySQL, PostgreSQL or SQL Server version to use. | `string` | `"POSTGRES_15"` | no |
 | <a name="input_deletion_protection"></a> [deletion\_protection](#input\_deletion\_protection) | Whether or not to allow Terraform to destroy the instance | `bool` | `true` | no |
 | <a name="input_host_project_id"></a> [host\_project\_id](#input\_host\_project\_id) | Host project ID for the shared VPC | `string` | `""` | no |
@@ -45,6 +44,7 @@ No modules.
 | <a name="input_mw_hour"></a> [mw\_hour](#input\_mw\_hour) | Maintenance window hour | `number` | `17` | no |
 | <a name="input_network"></a> [network](#input\_network) | The VPC network from which the Cloud SQL instance is accessible for private IP | `string` | n/a | yes |
 | <a name="input_point_in_time_recovery_enabled"></a> [point\_in\_time\_recovery\_enabled](#input\_point\_in\_time\_recovery\_enabled) | True if Point-in-time recovery is enabled. Will restart database if enabled after instance creation. Valid only for PostgreSQL instances | `bool` | `false` | no |
+| <a name="input_postgres_database_flags"></a> [postgres\_database\_flags](#input\_postgres\_database\_flags) | The database flags for Cloud SQL. See [PostgreSQL Flags](https://cloud.google.com/sql/docs/postgres/flags) | <pre>list(object({<br>    name  = string<br>    value = string<br>  }))</pre> | `[]` | no |
 | <a name="input_project_id"></a> [project\_id](#input\_project\_id) | The ID of the project in which the resource belongs | `string` | n/a | yes |
 | <a name="input_query_insights_enabled"></a> [query\_insights\_enabled](#input\_query\_insights\_enabled) | True if Query Insights feature is enabled | `bool` | `true` | no |
 | <a name="input_query_plans_per_minute"></a> [query\_plans\_per\_minute](#input\_query\_plans\_per\_minute) | Number of query execution plans captured by Insights per minute for all queries combined. Between 0 and 20 | `number` | `5` | no |

diff --git a/regional/locals.tf b/regional/locals.tf
@@ -10,4 +10,45 @@ locals {
   )
 
   network = "projects/${var.host_project_id}/global/networks/${var.network}"
+
+  # These flags are required for CIS GCP v1.3.0 compliance
+
+  postgres_database_flags = concat([
+    {
+      name  = "cloudsql.enable_pgaudit"
+      value = "on"
+    },
+    {
+      name  = "log_checkpoints"
+      value = "on"
+    },
+    {
+      name  = "log_connections"
+      value = "on"
+    },
+    {
+      name  = "log_disconnections"
+      value = "on"
+    },
+    {
+      name  = "log_hostname"
+      value = "on"
+    },
+    {
+      name  = "log_lock_waits"
+      value = "on"
+    },
+    {
+      name  = "log_min_duration_statement"
+      value = "-1"
+    },
+    {
+      name  = "log_min_messages"
+      value = "error"
+    },
+    {
+      name  = "log_statement"
+      value = "ddl"
+    }
+  ], var.postgres_database_flags)
 }
diff --git a/regional/main.tf b/regional/main.tf
@@ -19,7 +19,7 @@ resource "google_sql_database_instance" "this" {
     }
 
     dynamic "database_flags" {
-      for_each = var.database_flags
+      for_each = startswith(var.database_version, "POSTGRES_") ? local.postgres_database_flags : []
       content {
         name  = database_flags.value.name
         value = database_flags.value.value

diff --git a/regional/outputs.tf b/regional/outputs.tf
@@ -3,11 +3,13 @@ output "client_cert" {
   value = {
     for cert in var.client_certs : cert => google_sql_ssl_cert.this[cert].cert
   }
+  sensitive = true
 }
 
 output "instance_server_ca_cert" {
   description = "The SQL instance server CA certificate"
   value       = google_sql_database_instance.this.server_ca_cert[0].cert
+  sensitive   = true
 }
 
 output "private_key" {

diff --git a/regional/variables.tf b/regional/variables.tf
@@ -21,7 +21,7 @@ variable "cost_center" {
   type        = string
 }
 
-variable "database_flags" {
+variable "postgres_database_flags" {
   description = "The database flags for Cloud SQL. See [PostgreSQL Flags](https://cloud.google.com/sql/docs/postgres/flags)"
   type = list(object({
     name  = string

diff --git a/test/fixtures/default_cloud_sql/main.tf b/test/fixtures/default_cloud_sql/main.tf
@@ -4,42 +4,14 @@ module "test" {
   client_certs = var.client_certs
   cost_center  = "x000"
 
-  database_flags = [
+  postgres_database_flags = [
     {
-      name  = "cloudsql.enable_pgaudit"
+      name  = "autovacuum"
       value = "on"
     },
     {
-      name  = "log_checkpoints"
-      value = "on"
-    },
-    {
-      name  = "log_connections"
-      value = "on"
-    },
-    {
-      name  = "log_disconnections"
-      value = "on"
-    },
-    {
-      name  = "log_hostname"
-      value = "on"
-    },
-    {
-      name  = "log_lock_waits"
-      value = "on"
-    },
-    {
-      name  = "log_min_duration_statement"
-      value = "-1"
-    },
-    {
-      name  = "log_min_messages"
-      value = "error"
-    },
-    {
-      name  = "log_statement"
-      value = "ddl"
+      name  = "deadlock_timeout"
+      value = 2000
     }
   ]
 

diff --git a/test/fixtures/shared/outputs.tf b/test/fixtures/shared/outputs.tf
@@ -2,10 +2,12 @@ output "client_cert" {
   value = {
     for cert in var.client_certs : cert => module.test.client_cert[cert]
   }
+  sensitive = true
 }
 
 output "instance_server_ca_cert" {
-  value = module.test.instance_server_ca_cert
+  value     = module.test.instance_server_ca_cert
+  sensitive = true
 }
 
 output "private_key" {