fix: checkov security error

padok-team · Nov 19, 2024 · 75c672a · 75c672a
1 parent aa340fa
commit 75c672a
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 12 deletions.
diff --git a/modules/mysql/sql.tf b/modules/mysql/sql.tf
@@ -3,13 +3,29 @@ resource "random_id" "this" {
   byte_length = 4
 }
 
+resource "google_storage_bucket" "logging_bucket" {
+  name          = "bucket-access-logs"
+  location      = "europe-west3"
+  project       = var.project_id
+  force_destroy = true
+}
+
 resource "google_storage_bucket" "script" {
-  count                    = var.init_custom_sql_script != "" ? 1 : 0
-  name                     = "sql-script-${random_id.this[0].hex}"
-  location                 = "europe-west3"
-  force_destroy            = true
-  project                  = var.project_id
-  public_access_prevention = "enforced"
+  count                       = var.init_custom_sql_script != "" ? 1 : 0
+  name                        = "sql-script-${random_id.this[0].hex}"
+  location                    = "europe-west3"
+  force_destroy               = true
+  project                     = var.project_id
+  public_access_prevention    = "enforced"
+  uniform_bucket_level_access = true
+  versioning {
+    enabled = true
+  }
+
+  logging {
+    log_bucket        = google_storage_bucket.logging_bucket.name
+    log_object_prefix = "access_logs/"
+  }
 }
 
 resource "google_storage_bucket_object" "sql_script" {

diff --git a/modules/postgresql/sql.tf b/modules/postgresql/sql.tf
@@ -3,13 +3,29 @@ resource "random_id" "this" {
   byte_length = 4
 }
 
+resource "google_storage_bucket" "logging_bucket" {
+  name          = "bucket-access-logs"
+  location      = "europe-west3"
+  project       = var.project_id
+  force_destroy = true
+}
+
 resource "google_storage_bucket" "script" {
-  count                    = var.init_custom_sql_script != "" ? 1 : 0
-  name                     = "sql-script-${random_id.this[0].hex}"
-  location                 = "europe-west3"
-  force_destroy            = true
-  project                  = var.project_id
-  public_access_prevention = "enforced"
+  count                       = var.init_custom_sql_script != "" ? 1 : 0
+  name                        = "sql-script-${random_id.this[0].hex}"
+  location                    = "europe-west3"
+  force_destroy               = true
+  project                     = var.project_id
+  public_access_prevention    = "enforced"
+  uniform_bucket_level_access = true
+  versioning {
+    enabled = true
+  }
+
+  logging {
+    log_bucket        = google_storage_bucket.logging_bucket.name
+    log_object_prefix = "access_logs/"
+  }
 }
 
 resource "google_storage_bucket_object" "sql_script" {