---
title: PostgreSQL logging of temporary files disabled
description: Datadog, the leading service for cloud-scale monitoring.
---

# PostgreSQL logging of temporary files disabled

{% callout %}
# Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com

{% alert level="danger" %}
This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md).
{% /alert %}

{% /callout %}

## Metadata{% #metadata %}

**Id:** `ansible-gcp-postgresql-logging-of-temporary-files-disabled` 

**Provider:** GCP

**Platform:** Ansible

**Severity:** Low

**Category:** Observability

#### Learn More{% #learn-more %}

- [Provider Reference](https://docs.ansible.com/ansible/latest/collections/google/cloud/gcp_sql_instance_module.html#parameter-settings/database_flags)

### Description{% #description %}

The PostgreSQL `log_temp_files` flag should be set to `0` so that all temporary file creation is logged. This provides visibility into queries that spill to disk and helps detect potential data exposure or performance issues.

This rule checks Ansible Cloud SQL instance resources defined with the `google.cloud.gcp_sql_instance` or `gcp_sql_instance` modules. The `settings.database_flags` entry with `name: log_temp_files` must have `value: "0"`. Resources that are missing this flag, or that set it to a different value, are flagged. In Ansible, `database_flags` is a list of name/value pairs, so specify the flag explicitly as shown below.

```yaml
- name: Create Cloud SQL instance
  google.cloud.gcp_sql_instance:
    name: my-postgres
    database_version: POSTGRES_13
    settings:
      database_flags:
        - name: log_temp_files
          value: "0"
```
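The check described above can be reproduced locally before a playbook reaches the scanner. The following Python sketch is an added example, not Datadog's rule implementation; the function names and `SAMPLE_TASKS` are hypothetical, and tasks are assumed to be already parsed from YAML into dicts and lists.

```python
# Added example: a local re-implementation of the check described above,
# not Datadog's rule code. Tasks are parsed YAML, i.e. plain dicts and lists.
MODULES = ("google.cloud.gcp_sql_instance", "gcp_sql_instance")
FLAG = "log_temp_files"


def check_task(task):
    """Return findings for one Ansible task; an empty list means compliant."""
    findings = []
    label = task.get("name", "<unnamed task>")
    for module in MODULES:
        args = task.get(module)
        if not isinstance(args, dict):
            continue  # task does not use this module
        settings = args.get("settings")
        flags = settings.get("database_flags") if isinstance(settings, dict) else None
        if not isinstance(flags, list):
            flags = []  # absent or malformed: treated as "flag not set"
        # database_flags is a list of name/value pairs; check every entry for our flag.
        values = [f.get("value") for f in flags
                  if isinstance(f, dict) and f.get("name") == FLAG]
        if not values:
            findings.append(f"{label}: {FLAG} is not set")
        for value in values:
            # An unquoted 0 is parsed as an int, so compare the string form.
            if str(value).strip() != "0":
                findings.append(f"{label}: {FLAG} is {value!r}, expected '0'")
    return findings


def check_playbook(tasks):
    return [finding for task in tasks for finding in check_task(task)]


def _instance(flags=None):
    args = {"name": "my-postgres", "database_version": "POSTGRES_13"}
    if flags is not None:
        args["settings"] = {"database_flags": flags}
    return args


# Constructed sample tasks (what yaml.safe_load would return for a task list).
SAMPLE_TASKS = [
    {"name": "quoted zero", "google.cloud.gcp_sql_instance": _instance([{"name": FLAG, "value": "0"}])},
    {"name": "int zero", "gcp_sql_instance": _instance([{"name": FLAG, "value": 0}])},
    {"name": "value one", "gcp_sql_instance": _instance([{"name": FLAG, "value": "1"}])},
    {"name": "flag missing", "google.cloud.gcp_sql_instance": _instance()},
    {"name": "unrelated", "ansible.builtin.debug": {"msg": "hi"}},
]
```

Calling `check_playbook(SAMPLE_TASKS)` returns one finding for the task that sets the flag to `1` and one for the task that omits it.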

## Compliant Code Examples{% #compliant-code-examples %}

```yaml
- name: sql_instance
  google.cloud.gcp_sql_instance:
    auth_kind: serviceaccount
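    # log_temp_files is a PostgreSQL flag, so the instance is PostgreSQL
    database_version: POSTGRES_13
    name: '{{ resource_name }}-2'
    project: test_project
    region: us-central1
    service_account_file: /tmp/auth.pem
    settings:
      database_flags:
      # Compliant: 0 logs every temporary file
      - name: log_temp_files
        value: 0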
      tier: db-n1-standard-1
    state: present
```

## Non-Compliant Code Examples{% #non-compliant-code-examples %}

```yaml
- name: sql_instance
  google.cloud.gcp_sql_instance:
    auth_kind: serviceaccount
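    # log_temp_files is a PostgreSQL flag, so the instance is PostgreSQL
    database_version: POSTGRES_13
    name: "{{ resource_name }}-2"
    project: test_project
    region: us-central1
    service_account_file: /tmp/auth.pem
    settings:
      database_flags:
      # Non-compliant: the flag is set, but to a value other than 0
      - name: log_temp_files
        value: 1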
      tier: db-n1-standard-1
    state: present
```
