Ensure GCP PostgreSQL instance database flag log_temp_files is set to 0

Error: GCP PostgreSQL instance database flag log_temp_files is not set to 0

Bridgecrew Policy ID: BC_GCP_SQL_7
Checkov Check ID: CKV_GCP_56
Severity: LOW

GCP PostgreSQL instance database flag log_temp_files is not set to 0

Description

PostgreSQL creates temporary files for operations such as sorting, hashing and holding intermediate query results when those operations exceed work_mem. The log_temp_files flag controls whether the name and size of each temporary file is logged when the file is deleted. Setting log_temp_files to zero (0) logs every temporary file, while a positive value logs only files whose size is greater than or equal to that number of kilobytes. A value of -1 disables temporary file logging.

We recommend setting the log_temp_files database flag to zero (0) on Cloud SQL PostgreSQL instances. If temporary files are not logged, it may be difficult to identify potential performance issues caused either by poor application code or by deliberate resource-starvation attempts.

Fix - Runtime

GCP Console

To change the policy using the GCP Console, follow these steps:

  1. Log in to the GCP Console at https://console.cloud.google.com.
  2. Navigate to Cloud SQL Instances.
  3. Select the PostgreSQL instance where the database flag needs to be enabled.
  4. Click Edit.
  5. Scroll down to the Flags section.
  6. To set a flag that has not been set on the instance before, click Add item.
  7. Select the flag log_temp_files from the drop-down menu, and set its value to 0.
  8. Click Save.
  9. Confirm the changes in the Flags section on the Overview page.

CLI Command

  1. List all Cloud SQL database instances using the following command:
    gcloud sql instances list
  2. Configure the log_temp_files database flag for every Cloud SQL PostgreSQL database instance using the following command:
    gcloud sql instances patch INSTANCE_NAME --database-flags log_temp_files=0
    Note: This command overwrites all database flags previously set on the instance. To keep them and add new ones, include every flag that should be set on the instance; any flag not included is reset to its default value. For flags that take no value, specify the flag name followed by an equals sign ("=").
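Because the patch command above replaces the instance's entire flag set, a practitioner will usually want to merge log_temp_files=0 into the flags already present and then verify the result. The following is an added example, not code from this page or from Google; it assumes an authenticated gcloud CLI, and the instance name and SAMPLE_FLAGS are constructed placeholders.

```python
# Added example, not code from the Bridgecrew/Checkov page or from Google.
# `gcloud sql instances patch --database-flags` replaces the whole flag set,
# so this reads the current flags, sets log_temp_files=0 on top of them and
# re-checks the instance. Assumes an authenticated gcloud CLI; the instance
# name and SAMPLE_FLAGS are constructed placeholders.
import json
import subprocess

# Constructed sample of what `gcloud ... describe --format=json` reports under
# settings.databaseFlags for an instance that already has another flag set.
SAMPLE_FLAGS = [
    {"name": "log_connections", "value": "on"},
    {"name": "log_temp_files", "value": "-1"},
]

def as_dict(existing):
    """Turn gcloud's list of {name, value} entries into a {flag: value} dict."""
    return {f["name"]: f.get("value", "") for f in existing}

def merge_flags(existing, name="log_temp_files", value="0"):
    """Return the flag dict with `name` set to `value`; other flags are kept."""
    merged = as_dict(existing)
    merged[name] = value
    return merged

def flags_arg(flags):
    """Comma-separated list in the form --database-flags expects; a flag that
    takes no value is rendered as 'name=' as the gcloud note requires."""
    return ",".join(f"{k}={v}" for k, v in sorted(flags.items()))

def is_compliant(flags):
    """CKV_GCP_56 passes only when log_temp_files is exactly "0"."""
    return flags.get("log_temp_files") == "0"

def current_flags(instance):
    out = subprocess.check_output(
        ["gcloud", "sql", "instances", "describe", instance, "--format=json"])
    return json.loads(out).get("settings", {}).get("databaseFlags", [])

def remediate(instance):
    """Patch the instance, then re-read it to confirm the flag took effect."""
    target = merge_flags(current_flags(instance))
    subprocess.check_call(["gcloud", "sql", "instances", "patch", instance,
                           "--database-flags", flags_arg(target), "--quiet"])
    return is_compliant(as_dict(current_flags(instance)))

if __name__ == "__main__":
    # Offline demo on the constructed sample: the other flag survives the merge.
    print(flags_arg(merge_flags(SAMPLE_FLAGS)))  # log_connections=on,log_temp_files=0
```

Run `remediate("INSTANCE_NAME")` against a real instance; it returns True only if the re-read flags show log_temp_files set to 0.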

Fix - Buildtime

Terraform

  • Resource: google_sql_database_instance
  • Arguments:
    database_version = "POSTGRES_*"
    settings.database_flags: name = "log_temp_files", value = "0" (if the flag is not set, PostgreSQL's default is "-1")
resource "google_sql_database_instance" "default" {
  name             = "master-instance"
  database_version = "POSTGRES_11"
  region           = "us-central1"

  settings {
    # Fix: log every temporary file (the default of -1 disables this logging)
    database_flags {
      name  = "log_temp_files"
      value = "0"
    }
  }
}