---
title: PostgreSQL log_checkpoints flag not set to on
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > Code Security > Infrastructure as Code (IaC)
  Security > IaC Security Rules > PostgreSQL log_checkpoints flag not set to on
---

# PostgreSQL log_checkpoints flag not set to on

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `ansible-gcp-postgresql-log-checkpoints-flag-not-set-to-on`

**Provider:** GCP

**Platform:** Ansible

**Severity:** Medium

**Category:** Observability

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_sql_instance_module.html#parameter-settings/database_flags)

### Description{% #description %}

PostgreSQL Cloud SQL instances must have the `log_checkpoints` flag enabled so checkpoint events are recorded. Without these logs, crash recovery and forensic analysis are hindered, making it harder to detect or investigate anomalous or destructive activity.

For Ansible tasks using `google.cloud.gcp_sql_instance` or `gcp_sql_instance`, the `settings.databaseFlags` list must include an entry with `name: log_checkpoints` and `value: on`. Tasks that omit the `settings` block, omit `databaseFlags`, or have `log_checkpoints` set to any value other than `on` are flagged.

Secure example configuration in an Ansible task:

```yaml
- name: Create Cloud SQL PostgreSQL instance with checkpoint logging
  google.cloud.gcp_sql_instance:
    name: my-postgres-instance
    database_version: POSTGRES_13
    settings:
      databaseFlags:
        - name: log_checkpoints
          value: on
```
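The check described above can be reproduced offline against already-parsed tasks. The following is an added example, not Datadog's scanner or code from the `google.cloud` collection: it walks a list of task dictionaries (the shape a YAML loader produces for a playbook), finds `gcp_sql_instance` tasks, and reports the three failure modes the rule names (no `settings`, no `databaseFlags`, or `log_checkpoints` not `on`). One caveat it handles explicitly: Ansible loads playbooks with a YAML 1.1 parser, so an unquoted `value: on` arrives as the boolean `True` and `value: off` as `False`, not as strings, and the checker accepts both spellings. Two assumptions are labelled in the code: it also accepts the `database_flags` key documented for the module (see the Learn More link), and it skips instances whose `database_version` is not PostgreSQL. The sample tasks are constructed here to mirror the examples on this page.

```python
"""Offline checker for the log_checkpoints rule over parsed Ansible tasks."""
from typing import Any, Dict, List, Optional, Tuple

# Module names the rule applies to, as listed in the rule description.
SQL_INSTANCE_MODULES = ("google.cloud.gcp_sql_instance", "gcp_sql_instance")
# The rule text uses `databaseFlags`; `database_flags` is the key documented for the
# module parameter (assumption: accept both so neither spelling slips past the check).
FLAG_KEYS = ("databaseFlags", "database_flags")


def _flag_is_on(value: Any) -> bool:
    """True when the flag value means `on`, whether loaded as a string or a YAML 1.1 bool."""
    if value is True:  # unquoted `on` in a playbook is loaded as boolean True
        return True
    return isinstance(value, str) and value.strip().lower() == "on"


def check_task(task: Dict[str, Any]) -> Optional[str]:
    """Return a violation reason for one task, or None if compliant or not applicable."""
    module = next((m for m in SQL_INSTANCE_MODULES if m in task), None)
    if module is None:
        return None  # not a Cloud SQL instance task
    args = task[module]
    if not isinstance(args, dict):
        return None  # free-form args; nothing structured to inspect
    # Assumption: the rule is PostgreSQL-specific, so MySQL/SQL Server instances are skipped.
    # A task without database_version is still checked (conservative default).
    version = str(args.get("database_version", "POSTGRES"))
    if not version.upper().startswith("POSTGRES"):
        return None
    settings = args.get("settings")
    if not isinstance(settings, dict):
        return "settings block missing"
    flags = next((settings[k] for k in FLAG_KEYS if k in settings), None)
    if not isinstance(flags, list):
        return "databaseFlags missing"
    for flag in flags:
        if isinstance(flag, dict) and flag.get("name") == "log_checkpoints":
            if _flag_is_on(flag.get("value")):
                return None
            return f"log_checkpoints is {flag.get('value')!r}, expected on"
    return "log_checkpoints flag not present in databaseFlags"


def find_violations(tasks: List[Dict[str, Any]]) -> List[Tuple[str, str]]:
    """Collect (task name, reason) for every task that fails the rule."""
    findings = []
    for task in tasks:
        reason = check_task(task)
        if reason:
            findings.append((task.get("name", "<unnamed>"), reason))
    return findings


# Constructed sample tasks, written as a YAML 1.1 loader would hand them to the checker.
SAMPLE_TASKS: List[Dict[str, Any]] = [
    {  # compliant: unquoted `on` has already become boolean True
        "name": "create an instance",
        "google.cloud.gcp_sql_instance": {
            "name": "my-postgres-instance",
            "database_version": "POSTGRES_9_6",
            "settings": {"databaseFlags": [{"name": "log_checkpoints", "value": True}],
                         "tier": "db-n1-standard-1"},
        },
    },
    {  # compliant: quoted "on" survives as a string; short module name and documented key
        "name": "create quoted instance",
        "gcp_sql_instance": {
            "name": "pg-2",
            "database_version": "POSTGRES_13",
            "settings": {"database_flags": [{"name": "log_checkpoints", "value": "on"}]},
        },
    },
    {  # non-compliant: flag set to off (loaded as False)
        "name": "create instance",
        "google.cloud.gcp_sql_instance": {
            "name": "my-postgres-instance",
            "database_version": "POSTGRES_9_6",
            "settings": {"databaseFlags": [{"name": "log_checkpoints", "value": False}]},
        },
    },
    {  # non-compliant: databaseFlags omitted entirely
        "name": "create another instance",
        "google.cloud.gcp_sql_instance": {
            "name": "my-postgres-instance-2",
            "database_version": "POSTGRES_9_6",
            "settings": {"tier": "db-n1-standard-1"},
        },
    },
    {  # not applicable: MySQL instance
        "name": "create mysql",
        "google.cloud.gcp_sql_instance": {"name": "my-mysql", "database_version": "MYSQL_8_0"},
    },
    {"name": "ping", "ansible.builtin.ping": {}},  # not applicable: unrelated module
]

if __name__ == "__main__":
    for name, reason in find_violations(SAMPLE_TASKS):
        print(f"{name}: {reason}")
```

Because the checker normalises the boolean form, it reports the same result whether a playbook writes `value: on` or `value: "on"`; a check that compared only against the string `"on"` would wrongly flag the unquoted form after Ansible has loaded it.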

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
- name: create an instance
  google.cloud.gcp_sql_instance:
    name: my-postgres-instance
    settings:
      databaseFlags:
      - name: log_checkpoints
        value: on
      tier: db-n1-standard-1
    region: us-central1
    project: test_project
    database_version: POSTGRES_9_6
    auth_kind: serviceaccount
    service_account_file: /tmp/auth.pem
    state: present
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
- name: create instance
  google.cloud.gcp_sql_instance:
    name: my-postgres-instance
    settings:
      databaseFlags:
      - name: log_checkpoints
        value: off
      tier: db-n1-standard-1
    region: us-central1
    project: test_project
    database_version: POSTGRES_9_6
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
- name: create another instance
  google.cloud.gcp_sql_instance:
    name: my-postgres-instance-2
    settings:
      tier: db-n1-standard-1
    region: us-central1
    project: test_project
    database_version: POSTGRES_9_6
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present
```
