diff --git a/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogCheckpoints.py b/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogCheckpoints.py
index 41673173477..c24d26adbfa 100644
--- a/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogCheckpoints.py
+++ b/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogCheckpoints.py
@@ -34,13 +34,13 @@ def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult:
 else: # treating use cases of the following database_flags parsing (list of dictionaries with arrays): 'database_flags': [{'name': [''], 'value': ['']},{'name': [''], 'value': ['']}]
 flags = [{key: flag[key][0] for key in flag} for flag in flags]
 for flag in flags:
- if (flag['name'] == 'log_checkpoints') and (flag['value'] == 'off'):
+ if (flag['name'] == 'log_checkpoints') and (flag['value'] == 'on'): # Must be explicitly set for check to pass
 self.evaluated_keys = ['database_version/[0]/POSTGRES', f'{evaluated_keys_prefix}/[{flags.index(flag)}]/name', f'{evaluated_keys_prefix}/[{flags.index(flag)}]/value']
- return CheckResult.FAILED
+ return CheckResult.PASSED
 self.evaluated_keys = ['database_version/[0]/POSTGRES', 'settings/[0]/database_flags']
- return CheckResult.PASSED
+ return CheckResult.FAILED
 return CheckResult.UNKNOWN
diff --git a/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogConnection.py b/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogConnection.py
index e7cb4afb3e1..b60ba3b4a52 100644
--- a/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogConnection.py
+++ b/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogConnection.py
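Review bot: With the new condition on the `if` line, an explicit `value = "off"` for `log_checkpoints` no longer returns from inside the loop, so it falls through to the generic `self.evaluated_keys = ['database_version/[0]/POSTGRES', 'settings/[0]/database_flags']` before `return CheckResult.FAILED`, and the finding loses the per-flag name/value paths that the old FAILED branch reported. The same applies to the log_connections, log_disconnections and log_lock_waits hunks of this commit. Keying one branch on the flag name and deciding PASSED/FAILED on its value keeps the precise evaluated keys in both outcomes; if a flag name may legitimately repeat and a later `on` should still pass, record the index instead of returning early. The condition is also an exact string match, so spellings such as `"ON"` or `"true"` that PostgreSQL itself accepts are now reported as FAILED rather than PASSED — fine if Cloud SQL only takes `on`/`off`, but worth stating on the line, e.g. `# exact-match on 'on'; any other spelling counts as not enabled`. scan_resource_conf starts outside the hunk.
```python
            for idx, flag in enumerate(flags):
                if flag['name'] == 'log_checkpoints':
                    # Point the finding at this flag block whether it passes or fails;
                    # exact-match on 'on', any other spelling counts as not enabled.
                    self.evaluated_keys = ['database_version/[0]/POSTGRES',
                                           f'{evaluated_keys_prefix}/[{idx}]/name',
                                           f'{evaluated_keys_prefix}/[{idx}]/value']
                    return CheckResult.PASSED if flag['value'] == 'on' else CheckResult.FAILED
            # … unchanged: generic evaluated_keys and FAILED return when the flag is absent …
```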
@@ -30,14 +30,14 @@ def scan_resource_conf(self, conf):
 else: # treating use cases of the following database_flags parsing (list of dictionaries with arrays): 'database_flags': [{'name': [''], 'value': ['']},{'name': [''], 'value': ['']}]
 flags = [{key: flag[key][0] for key in flag} for flag in flags]
 for flag in flags:
- if (flag['name'] == 'log_connections') and (flag['value'] == 'off'):
+ if (flag['name'] == 'log_connections') and (flag['value'] == 'on'): # Must be explicitly set for check to pass
 self.evaluated_keys = ['database_version/[0]/POSTGRES', f'{evaluated_keys_prefix}/[{flags.index(flag)}]/name', f'{evaluated_keys_prefix}/[{flags.index(flag)}]/value']
- return CheckResult.FAILED
+ return CheckResult.PASSED
 self.evaluated_keys = ['database_version/[0]/POSTGRES', 'settings/[0]/database_flags']
- return CheckResult.PASSED
+ return CheckResult.FAILED
 return CheckResult.UNKNOWN
diff --git a/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogDisconnection.py b/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogDisconnection.py
index f4c1c69340c..fb00f8f0428 100644
--- a/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogDisconnection.py
+++ b/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogDisconnection.py
@@ -36,14 +36,14 @@ def scan_resource_conf(self, conf):
 # [{'name': [''], 'value': ['']},{'name': [''], 'value': ['']}]
 flags = [{key: flag[key][0] for key in flag} for flag in flags]
 for flag in flags:
- if (flag['name'] == 'log_disconnections') and (flag['value'] == 'off'):
+ if (flag['name'] == 'log_disconnections') and (flag['value'] == 'on'): # Must be explicitly set for check to pass
 self.evaluated_keys = ['database_version/[0]/POSTGRES', f'{evaluated_keys_prefix}/[{flags.index(flag)}]/name', f'{evaluated_keys_prefix}/[{flags.index(flag)}]/value']
- return CheckResult.FAILED
+ return CheckResult.PASSED
 self.evaluated_keys = ['database_version/[0]/POSTGRES', 'settings/[0]/database_flags']
- return CheckResult.PASSED
+ return CheckResult.FAILED
 return CheckResult.UNKNOWN
diff --git a/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogLockWaits.py b/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogLockWaits.py
index 2ac74938eed..8f1887d2c60 100644
--- a/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogLockWaits.py
+++ b/checkov/terraform/checks/resource/gcp/GoogleCloudPostgreSqlLogLockWaits.py
@@ -36,14 +36,14 @@ def scan_resource_conf(self, conf):
 # [{'name': [''], 'value': ['']},{'name': [''], 'value': ['']}]
 flags = [{key: flag[key][0] for key in flag} for flag in flags]
 for flag in flags:
- if (flag['name'] == 'log_lock_waits') and (flag['value'] == 'off'):
+ if (flag['name'] == 'log_lock_waits') and (flag['value'] == 'on'): # Must be explicitly set for check to pass
 self.evaluated_keys = ['database_version/[0]/POSTGRES', f'{evaluated_keys_prefix}/[{flags.index(flag)}]/name', f'{evaluated_keys_prefix}/[{flags.index(flag)}]/value']
- return CheckResult.FAILED
+ return CheckResult.PASSED
 self.evaluated_keys = ['database_version/[0]/POSTGRES', 'settings/[0]/database_flags']
- return CheckResult.PASSED
+ return CheckResult.FAILED
 return CheckResult.UNKNOWN
diff --git a/tests/terraform/checks/resource/gcp/example_CloudPostgreSQLLogDisconnection/main.tf b/tests/terraform/checks/resource/gcp/example_CloudPostgreSQLLogDisconnection/main.tf
index 4cc60249e98..a5d15c4a7e0 100644
--- a/tests/terraform/checks/resource/gcp/example_CloudPostgreSQLLogDisconnection/main.tf
+++ b/tests/terraform/checks/resource/gcp/example_CloudPostgreSQLLogDisconnection/main.tf
@@ -41,49 +41,7 @@ resource "google_sql_database_instance" "fail" {
 }
 }
-resource "google_sql_database_instance" "pass3" {
- database_version = "POSTGRES_12"
- name = "general-pos121"
- project = "gcp-bridgecrew-deployment"
- region = "us-central1"
- settings {
- activation_policy = "ALWAYS"
- availability_type = "ZONAL"
- database_flags {
- name = "log_checkpoints"
- value = "off"
- }
- database_flags {
- name = "log_connections"
- value = "on"
- }
- database_flags {
- name = "log_disconnections"
- value = "on"
- }
- database_flags {
- name = "log_min_messages"
- value = "debug6"
- }
- database_flags {
- name = "log_lock_waits"
- value = "on"
- }
- database_flags {
- name = "log_temp_files"
- value = "10"
- }
- database_flags {
- name = "log_min_duration_statement"
- value = "1"
- }
- pricing_plan = "PER_USE"
-
- tier = "db-custom-1-3840"
- }
-}
-
-resource "google_sql_database_instance" "pass2" {
+resource "google_sql_database_instance" "fail2" {
 database_version = "POSTGRES_14"
 name = "general-pos121"
 project = "gcp-bridgecrew-deployment"
@@ -99,10 +57,6 @@ resource "google_sql_database_instance" "pass2" {
 name = "log_connections"
 value = "off"
 }
- database_flags {
- name = "log_disconnections"
- value = "on"
- }
 database_flags {
 name = "log_min_messages"
 value = "debug6"
@@ -134,6 +88,10 @@ resource "google_sql_database_instance" "pass" {
 settings {
 activation_policy = "ALWAYS"
 availability_type = "ZONAL"
+ database_flags {
+ name = "log_disconnections"
+ value = "on"
+ }
 database_flags {
 name = "log_min_messages"
 value = "debug6"
diff --git a/tests/terraform/checks/resource/gcp/example_CloudPostgreSqlLogLockWaits/main.tf b/tests/terraform/checks/resource/gcp/example_CloudPostgreSqlLogLockWaits/main.tf
index a4da2240854..efbdb7d262b 100644
--- a/tests/terraform/checks/resource/gcp/example_CloudPostgreSqlLogLockWaits/main.tf
+++ b/tests/terraform/checks/resource/gcp/example_CloudPostgreSqlLogLockWaits/main.tf
@@ -41,7 +41,7 @@ resource "google_sql_database_instance" "fail" {
 }
 }
-resource "google_sql_database_instance" "pass2" {
+resource "google_sql_database_instance" "fail2" {
 database_version = "POSTGRES_12"
 name = "general-pos121"
 project = "gcp-bridgecrew-deployment"
@@ -65,10 +65,6 @@ resource "google_sql_database_instance" "pass2" {
 name = "log_min_messages"
 value = "debug6"
 }
- database_flags {
- name = "log_lock_waits"
- value = "on"
- }
 database_flags {
 name = "log_temp_files"
 value = "10"
@@ -91,6 +87,10 @@ resource "google_sql_database_instance" "pass" {
 settings {
 activation_policy = "ALWAYS"
 availability_type = "ZONAL"
+ database_flags {
+ name = "log_lock_waits"
+ value = "on"
+ }
 database_flags {
 name = "log_min_messages"
 value = "debug6"
diff --git a/tests/terraform/checks/resource/gcp/example_GoogleCloudPostgreSqlLogCheckpoints/main.tf b/tests/terraform/checks/resource/gcp/example_GoogleCloudPostgreSqlLogCheckpoints/main.tf
index 34ece8ce4e0..3840b9b1277 100644
--- a/tests/terraform/checks/resource/gcp/example_GoogleCloudPostgreSqlLogCheckpoints/main.tf
+++ b/tests/terraform/checks/resource/gcp/example_GoogleCloudPostgreSqlLogCheckpoints/main.tf
@@ -43,7 +43,7 @@ resource "google_sql_database_instance" "fail" {
 }
-resource "google_sql_database_instance" "pass2" {
+resource "google_sql_database_instance" "fail2" {
 database_version = "POSTGRES_12"
 name = "general-pos121"
 project = "gcp-bridgecrew-deployment"
@@ -51,10 +51,6 @@ resource "google_sql_database_instance" "pass2" {
 settings {
 activation_policy = "ALWAYS"
 availability_type = "ZONAL"
- database_flags {
- name = "log_checkpoints"
- value = "on"
- }
 database_flags {
 name = "log_connections"
 value = "on"
@@ -92,6 +88,10 @@ resource "google_sql_database_instance" "pass" {
 settings {
 activation_policy = "ALWAYS"
 availability_type = "ZONAL"
+ database_flags {
+ name = "log_checkpoints"
+ value = "on"
+ }
 database_flags {
 name = "log_disconnections"
 value = "on"
diff --git a/tests/terraform/checks/resource/gcp/example_GoogleCloudPostgreSqlLogConnection/main.tf b/tests/terraform/checks/resource/gcp/example_GoogleCloudPostgreSqlLogConnection/main.tf
index 841878265e7..6c2cbc65041 100644
--- a/tests/terraform/checks/resource/gcp/example_GoogleCloudPostgreSqlLogConnection/main.tf
+++ b/tests/terraform/checks/resource/gcp/example_GoogleCloudPostgreSqlLogConnection/main.tf
@@ -43,7 +43,7 @@ resource "google_sql_database_instance" "fail" {
 }
-resource "google_sql_database_instance" "pass2" {
+resource "google_sql_database_instance" "fail2" {
 database_version = "POSTGRES_12"
 name = "general-pos121"
 project = "gcp-bridgecrew-deployment"
@@ -55,10 +55,6 @@ resource "google_sql_database_instance" "pass2" {
 name = "log_checkpoints"
 value = "off"
 }
- database_flags {
- name = "log_connections"
- value = "on"
- }
 database_flags {
 name = "log_disconnections"
 value = "on"
@@ -92,6 +88,10 @@ resource "google_sql_database_instance" "pass" {
 settings {
 activation_policy = "ALWAYS"
 availability_type = "ZONAL"
+ database_flags {
+ name = "log_connections"
+ value = "on"
+ }
 database_flags {
 name = "log_disconnections"
 value = "on"
diff --git a/tests/terraform/checks/resource/gcp/test_GoogleCloudPostgreSqlLogCheckpoints.py b/tests/terraform/checks/resource/gcp/test_GoogleCloudPostgreSqlLogCheckpoints.py
index 3e3f8e8a34f..8ca8943ccad 100644
--- a/tests/terraform/checks/resource/gcp/test_GoogleCloudPostgreSqlLogCheckpoints.py
+++ b/tests/terraform/checks/resource/gcp/test_GoogleCloudPostgreSqlLogCheckpoints.py
@@ -19,18 +19,18 @@ def test(self):
 passing_resources = {
 "google_sql_database_instance.pass",
- "google_sql_database_instance.pass2",
 }
 failing_resources = {
 "google_sql_database_instance.fail",
+ "google_sql_database_instance.fail2",
 }
 passed_check_resources = {c.resource for c in report.passed_checks}
 failed_check_resources = {c.resource for c in report.failed_checks}
- self.assertEqual(summary["passed"], 2)
- self.assertEqual(summary["failed"], 1)
+ self.assertEqual(summary["passed"], 1)
+ self.assertEqual(summary["failed"], 2)
 self.assertEqual(summary["skipped"], 0)
 self.assertEqual(summary["parsing_errors"], 0)
diff --git a/tests/terraform/checks/resource/gcp/test_GoogleCloudPostgreSqlLogConnection.py b/tests/terraform/checks/resource/gcp/test_GoogleCloudPostgreSqlLogConnection.py
index 81175ca0fac..0b50dfe7bd0 100644
--- a/tests/terraform/checks/resource/gcp/test_GoogleCloudPostgreSqlLogConnection.py
+++ b/tests/terraform/checks/resource/gcp/test_GoogleCloudPostgreSqlLogConnection.py
@@ -19,18 +19,18 @@ def test(self):
 passing_resources = {
 "google_sql_database_instance.pass",
- "google_sql_database_instance.pass2",
 }
 failing_resources = {
 "google_sql_database_instance.fail",
+ "google_sql_database_instance.fail2",
 }
 passed_check_resources = {c.resource for c in report.passed_checks}
 failed_check_resources = {c.resource for c in report.failed_checks}
- self.assertEqual(summary["passed"], 2)
- self.assertEqual(summary["failed"], 1)
+ self.assertEqual(summary["passed"], 1)
+ self.assertEqual(summary["failed"], 2)
 self.assertEqual(summary["skipped"], 0)
 self.assertEqual(summary["parsing_errors"], 0)
diff --git a/tests/terraform/checks/resource/gcp/test_GoogleCloudPostgreSqlLogDisconnection.py b/tests/terraform/checks/resource/gcp/test_GoogleCloudPostgreSqlLogDisconnection.py
index 8d5bbcaddf1..d36da7b8fdf 100644
--- a/tests/terraform/checks/resource/gcp/test_GoogleCloudPostgreSqlLogDisconnection.py
+++ b/tests/terraform/checks/resource/gcp/test_GoogleCloudPostgreSqlLogDisconnection.py
@@ -20,19 +20,18 @@ def test(self):
 passing_resources = {
 "google_sql_database_instance.pass",
- "google_sql_database_instance.pass2",
- "google_sql_database_instance.pass3",
 }
 failing_resources = {
 "google_sql_database_instance.fail",
+ "google_sql_database_instance.fail2",
 }
 passed_check_resources = {c.resource for c in report.passed_checks}
 failed_check_resources = {c.resource for c in report.failed_checks}
- self.assertEqual(summary["passed"], 3)
- self.assertEqual(summary["failed"], 1)
+ self.assertEqual(summary["passed"], 1)
+ self.assertEqual(summary["failed"], 2)
 self.assertEqual(summary["skipped"], 0)
 self.assertEqual(summary["parsing_errors"], 0)
diff --git a/tests/terraform/checks/resource/gcp/test_GoogleCloudPostgreSqlLogLockWaits.py b/tests/terraform/checks/resource/gcp/test_GoogleCloudPostgreSqlLogLockWaits.py
index 73b85390479..b9efdc44055 100644
--- a/tests/terraform/checks/resource/gcp/test_GoogleCloudPostgreSqlLogLockWaits.py
+++ b/tests/terraform/checks/resource/gcp/test_GoogleCloudPostgreSqlLogLockWaits.py
@@ -20,18 +20,18 @@ def test(self):
 passing_resources = {
 "google_sql_database_instance.pass",
- "google_sql_database_instance.pass2",
 }
 failing_resources = {
 "google_sql_database_instance.fail",
+ "google_sql_database_instance.fail2",
 }
 passed_check_resources = {c.resource for c in report.passed_checks}
 failed_check_resources = {c.resource for c in report.failed_checks}
- self.assertEqual(summary["passed"], 2)
- self.assertEqual(summary["failed"], 1)
+ self.assertEqual(summary["passed"], 1)
+ self.assertEqual(summary["failed"], 2)
 self.assertEqual(summary["skipped"], 0)
 self.assertEqual(summary["parsing_errors"], 0)