For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/ansible-azure-postgresql-log-checkpoints-disabled.md. A documentation index is available at /llms.txt.

PostgreSQL log checkpoints disabled

This product is not supported for your selected Datadog site. ().

Metadata

Id: ansible-azure-postgresql-log-checkpoints-disabled

Provider: Azure

Platform: Ansible

Severity: Medium

Category: Observability

Learn More

Description

PostgreSQL’s log_checkpoints should be enabled to record checkpoint activity. This improves visibility into I/O behavior and aids detection and troubleshooting of performance or recovery issues.

In Ansible Azure PostgreSQL configuration resources (azure.azcollection.azure_rm_postgresqlconfiguration or azure_rm_postgresqlconfiguration), when the name property is log_checkpoints, the value property must be set to ON (case-insensitive). Resources missing this setting or with value not equal to ON are flagged as misconfigured.

Secure configuration example:

- name: Ensure log_checkpoints is enabled
  azure.azcollection.azure_rm_postgresqlconfiguration:
    resource_group: my-rg
    server_name: my-pg-server
    name: log_checkpoints
    value: "ON"
    state: present

Compliant Code Examples

- name: Update PostgreSQL Server setting
  azure.azcollection.azure_rm_postgresqlconfiguration:
    resource_group: myResourceGroup
    server_name: myServer
    name: log_checkpoints
    value: on
- name: Update PostgreSQL Server setting2
  azure.azcollection.azure_rm_postgresqlconfiguration:
    resource_group: myResourceGroup
    server_name: myServer
    name: log_checkpoints
    value: On
- name: Update PostgreSQL Server setting3
  azure.azcollection.azure_rm_postgresqlconfiguration:
    resource_group: myResourceGroup
    server_name: myServer
    name: log_checkpoints
    value: ON
- name: Update PostgreSQL Server setting4
  azure.azcollection.azure_rm_postgresqlconfiguration:
    resource_group: myResourceGroup
    server_name: myServer
    name: log_checkpoints
    value: on
- name: Update PostgreSQL Server setting5
  azure.azcollection.azure_rm_postgresqlconfiguration:
    resource_group: myResourceGroup
    server_name: myServer
    name: log_checkpoints
    value: On
- name: Update PostgreSQL Server setting6
  azure.azcollection.azure_rm_postgresqlconfiguration:
    resource_group: myResourceGroup
    server_name: myServer
    name: log_checkpoints
    value: ON

Non-Compliant Code Examples

---
- name: Update PostgreSQL Server setting
  azure.azcollection.azure_rm_postgresqlconfiguration:
    resource_group: myResourceGroup
    server_name: myServer
    name: log_checkpoints
    value: off
- name: Update PostgreSQL Server setting2
  azure.azcollection.azure_rm_postgresqlconfiguration:
    resource_group: myResourceGroup
    server_name: myServer
    name: log_checkpoints
    value: Off
- name: Update PostgreSQL Server setting3
  azure.azcollection.azure_rm_postgresqlconfiguration:
    resource_group: myResourceGroup
    server_name: myServer
    name: log_checkpoints
    value: OFF
- name: Update PostgreSQL Server setting4
  azure.azcollection.azure_rm_postgresqlconfiguration:
    resource_group: myResourceGroup
    server_name: myServer
    name: log_checkpoints
    value: "off"
- name: Update PostgreSQL Server setting5
  azure.azcollection.azure_rm_postgresqlconfiguration:
    resource_group: myResourceGroup
    server_name: myServer
    name: log_checkpoints
    value: "Off"
- name: Update PostgreSQL Server setting6
  azure.azcollection.azure_rm_postgresqlconfiguration:
    resource_group: myResourceGroup
    server_name: myServer
    name: log_checkpoints
    value: "OFF"