PostgreSQL log_checkpoints flag not set to on
Id: 89afe3f0-4681-4ce3-89ed-896cebd4277c
Cloud Provider: GCP
Platform: Ansible
Severity: Medium
Category: Observability
Description
PostgreSQL Cloud SQL instances must have the log_checkpoints flag enabled so checkpoint events are recorded. Without these logs, crash recovery and forensic analysis are hindered, making it harder to detect or investigate anomalous or destructive activity.
For Ansible tasks using google.cloud.gcp_sql_instance or gcp_sql_instance, the settings.databaseFlags list must include an entry with name: log_checkpoints and value: on. Tasks that omit the settings block, omit databaseFlags, or have log_checkpoints set to any value other than on are flagged.
Secure example configuration in an Ansible task:
- name: Create Cloud SQL PostgreSQL instance with checkpoint logging
  google.cloud.gcp_sql_instance:
    name: my-postgres-instance
    database_version: POSTGRES_13
    settings:
      databaseFlags:
        - name: log_checkpoints
          value: on
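The rule above is a static check over the parsed task structure. The following Python is an added example, not Datadog's rule implementation or any google.cloud collection code, of how that check can be applied to a playbook once it has been loaded into Python objects (for instance with yaml.safe_load). It assumes tasks are plain dicts keyed by module name, accepts both module spellings from the description, and accepts the snake_case database_flags key beside databaseFlags as an assumption, since either spelling may appear in real playbooks. The sample tasks are constructed to mirror the compliant and non-compliant examples on this page plus the "no settings block" case.

```python
"""Check Ansible Cloud SQL tasks for the PostgreSQL log_checkpoints flag.

Added example: walks already-parsed playbook tasks and reports every
google.cloud.gcp_sql_instance / gcp_sql_instance task whose
settings.databaseFlags does not carry log_checkpoints = on.
"""

MODULE_NAMES = ("google.cloud.gcp_sql_instance", "gcp_sql_instance")
# The page spells the key databaseFlags; assumption: also accept the
# module's snake_case database_flags so either spelling is checked.
FLAG_KEYS = ("databaseFlags", "database_flags")


def _flag_value(flags):
    """Return the value of the log_checkpoints entry, or None if absent."""
    for entry in flags or []:
        if isinstance(entry, dict) and entry.get("name") == "log_checkpoints":
            return entry.get("value")
    return None


def _is_on(value):
    # PyYAML follows YAML 1.1 and loads an unquoted `on` as boolean True, so a
    # playbook written exactly like the page's example arrives here as True,
    # not the string "on". Assumption: treat both as compliant. Quoting the
    # value ("on") in the playbook removes the ambiguity for the API call too.
    if value is True:
        return True
    return isinstance(value, str) and value.strip().lower() == "on"


def check_task(task):
    """Return None if the task is compliant or out of scope, else a reason."""
    module_args = None
    for name in MODULE_NAMES:
        if name in task:
            module_args = task[name] or {}
            break
    if module_args is None:
        return None  # not a Cloud SQL instance task, nothing to check
    settings = module_args.get("settings")
    if not isinstance(settings, dict):
        return "settings block missing"
    flags = None
    for key in FLAG_KEYS:
        if key in settings:
            flags = settings[key]
            break
    if flags is None:
        return "databaseFlags missing"
    value = _flag_value(flags)
    if value is None:
        return "log_checkpoints flag not set"
    if not _is_on(value):
        return f"log_checkpoints is {value!r}, expected on"
    return None


def scan_tasks(tasks):
    """Return [(task name, reason)] for every non-compliant task."""
    findings = []
    for task in tasks:
        reason = check_task(task)
        if reason is not None:
            findings.append((task.get("name", "<unnamed>"), reason))
    return findings


# Constructed sample tasks, shaped like yaml.safe_load output for the page's
# compliant and non-compliant playbooks plus two extra cases.
SAMPLE_TASKS = [
    {"name": "create a instance", "google.cloud.gcp_sql_instance": {
        "name": "GCP instance", "database_version": "POSTGRES_9_6",
        "settings": {"databaseFlags": [{"name": "log_checkpoints", "value": "on"}],
                     "tier": "db-n1-standard-1"}, "state": "present"}},
    {"name": "create instance", "google.cloud.gcp_sql_instance": {
        "name": "GCP instance", "database_version": "POSTGRES_9_6",
        "settings": {"databaseFlags": [{"name": "log_checkpoints", "value": "off"}],
                     "tier": "db-n1-standard-1"}, "state": "present"}},
    {"name": "create another instance", "gcp_sql_instance": {
        "name": "GCP instance 2", "settings": {"tier": "db-n1-standard-1"}}},
    {"name": "no settings at all", "google.cloud.gcp_sql_instance": {"name": "x"}},
    {"name": "unrelated task", "debug": {"msg": "hello"}},
]

if __name__ == "__main__":
    for task_name, reason in scan_tasks(SAMPLE_TASKS):
        print(f"FAIL {task_name}: {reason}")
```

Run as-is it reports the three failing constructed tasks; in a CI job the same scan_tasks call would be fed the tasks list of each play loaded from the repository's playbooks.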
Compliant Code Examples
- name: create a instance
  google.cloud.gcp_sql_instance:
    name: GCP instance
    settings:
      databaseFlags:
        - name: log_checkpoints
          value: on
      tier: db-n1-standard-1
    region: us-central1
    project: test_project
    database_version: POSTGRES_9_6
    auth_kind: serviceaccount
    service_account_file: /tmp/auth.pem
    state: present
Non-Compliant Code Examples
- name: create instance
  google.cloud.gcp_sql_instance:
    name: GCP instance
    settings:
      databaseFlags:
        - name: log_checkpoints
          value: off
      tier: db-n1-standard-1
    region: us-central1
    project: test_project
    database_version: POSTGRES_9_6
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present

- name: create another instance
  google.cloud.gcp_sql_instance:
    name: GCP instance 2
    settings:
      tier: db-n1-standard-1
    region: us-central1
    project: test_project
    database_version: POSTGRES_9_6
    auth_kind: serviceaccount
    service_account_file: "/tmp/auth.pem"
    state: present