PostgreSQL logging of temporary files disabled
Id: d6fae5b6-ada9-46c0-8b36-3108a2a2f77b
Cloud Provider: GCP
Platform: Ansible
Severity: Low
Category: Observability
Description
The PostgreSQL log_temp_files flag should be set to 0 so that all temporary file creation is logged. This provides visibility into queries that spill to disk and helps detect potential data exposure or performance issues.
Check Ansible Cloud SQL instance resources using the google.cloud.gcp_sql_instance or gcp_sql_instance modules. The settings.database_flags entry with name: log_temp_files must have value: "0". Resources missing this flag or with a different value are flagged. In Ansible, database_flags is a list of name/value pairs, so specify the flag explicitly as shown below.
```yaml
- name: Create Cloud SQL instance
  google.cloud.gcp_sql_instance:
    name: my-postgres
    database_version: POSTGRES_13
    settings:
      database_flags:
        - name: log_temp_files
          value: "0"
```
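The check described above can be reproduced locally, for example in a pre-merge hook. This is an added example, not Datadog's rule implementation; it assumes the playbook tasks are already parsed into Python dicts (as `yaml.safe_load` would return them), and `check_task`, `scan` and the sample tasks are hypothetical names constructed here. It applies no `database_version` filter, since the rule text describes none.

```python
# Added example: simplified re-implementation of the check, not the scanner's rule.
# Assumes tasks are already parsed into dicts, as yaml.safe_load would return them.
MODULES = ("google.cloud.gcp_sql_instance", "gcp_sql_instance")
FLAG = "log_temp_files"


def check_task(task):
    """Return a finding for one Ansible task, or None if compliant or unrelated."""
    module = next((m for m in MODULES if m in task), None)
    if module is None:
        return None  # not a Cloud SQL instance task
    name = task.get("name", "<unnamed>")
    settings = (task[module] or {}).get("settings") or {}
    for flag in settings.get("database_flags") or []:
        if isinstance(flag, dict) and flag.get("name") == FLAG:
            # YAML yields int 0 for `value: 0` and str for `value: "0"`; accept both.
            if str(flag.get("value")).strip() == "0":
                return None
            return f"{name}: {FLAG} is {flag.get('value')!r}, expected 0"
    return f"{name}: {FLAG} missing from settings.database_flags"


def scan(tasks):
    """Collect findings for every task in a parsed playbook task list."""
    return [f for f in map(check_task, tasks) if f]


def _task(name, module, settings):
    return {"name": name, module: {"settings": settings}}


# Constructed sample tasks (not from a real playbook).
SAMPLE_TASKS = [
    _task("ok-string", MODULES[0], {"database_flags": [{"name": FLAG, "value": "0"}]}),
    _task("ok-int", MODULES[1], {"database_flags": [{"name": FLAG, "value": 0}]}),
    _task("bad-value", MODULES[0], {"database_flags": [{"name": FLAG, "value": 1}]}),
    _task("no-flag", MODULES[0], {"tier": "db-n1-standard-1"}),
    {"name": "unrelated", "debug": {"msg": "hello"}},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_TASKS):
        print(finding)
```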
Compliant Code Examples
```yaml
- name: sql_instance
  google.cloud.gcp_sql_instance:
    auth_kind: serviceaccount
    database_version: SQLSERVER_13_1
    name: '{{ resource_name }}-2'
    project: test_project
    region: us-central1
    service_account_file: /tmp/auth.pem
    settings:
      database_flags:
      - name: log_temp_files
        value: 0
      tier: db-n1-standard-1
    state: present
```
Non-Compliant Code Examples
```yaml
- name: sql_instance
  google.cloud.gcp_sql_instance:
    auth_kind: serviceaccount
    database_version: SQLSERVER_13_1
    name: "{{ resource_name }}-2"
    project: test_project
    region: us-central1
    service_account_file: /tmp/auth.pem
    settings:
      database_flags:
      - name: log_temp_files
        value: 1
      tier: db-n1-standard-1
    state: present
```