terraform.aws.best-practice.aws-elasticache-automatic-backup-not-enabled.aws-elasticache-automatic-backup-not-enabled

semgrep

Author

unknown

Download Count*

LGPL Commons Clause

License

Ensure that Amazon ElastiCache clusters have automatic backup turned on. To fix this, set a snapshot_retention_limit.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit Rule View Source

Open in Playground

rules:
  - id: aws-elasticache-automatic-backup-not-enabled
    patterns:
      - pattern-either:
          - patterns:
              - pattern: |
                  resource "aws_elasticache_cluster" $ANYTHING {
                    ...
                  }
              - pattern-not-inside: |
                  resource "aws_elasticache_cluster" $ANYTHING {
                    ...
                    engine = "memcached"
                    ...
                  }
              - pattern-not-inside: |
                  resource "aws_elasticache_cluster" $ANYTHING {
                    ...
                    snapshot_retention_limit = ...
                    ...
                  }
          - patterns:
              - pattern: |
                  resource "aws_elasticache_cluster" $ANYTHING {
                    ...
                    snapshot_retention_limit = $LIMIT
                    ...
                  }
              - metavariable-comparison:
                  metavariable: $LIMIT
                  comparison: $LIMIT == 0
    message: Ensure that Amazon ElastiCache clusters have automatic backup turned
      on. To fix this, set a `snapshot_retention_limit`.
    metadata:
      category: best-practice
      technology:
        - terraform
        - aws
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    languages:
      - hcl
    severity: WARNING

Examples

aws-elasticache-automatic-backup-not-enabled.tf

# pass

resource "aws_elasticache_cluster" "enabled" {
  cluster_id           = "cluster"
  engine               = "redis"
  node_type            = "cache.m5.large"
  num_cache_nodes      = 1
  parameter_group_name = "default.redis6.x"

  snapshot_retention_limit = 5
}

# failure
# ruleid: aws-elasticache-automatic-backup-not-enabled
resource "aws_elasticache_cluster" "default" {
  cluster_id           = "cluster"
  engine               = "redis"
  node_type            = "cache.m5.large"
  num_cache_nodes      = 1
  parameter_group_name = "default.redis6.x"
}
# ruleid: aws-elasticache-automatic-backup-not-enabled
resource "aws_elasticache_cluster" "disabled" {
  cluster_id           = "cluster"
  engine               = "redis"
  node_type            = "cache.m5.large"
  num_cache_nodes      = 1
  parameter_group_name = "default.redis6.x"

  snapshot_retention_limit = 0
}

# unknown

resource "aws_elasticache_cluster" "memcached" {
  cluster_id           = "cluster"
  engine               = "memcached"
  node_type            = "cache.m5.large"
  num_cache_nodes      = 1
  parameter_group_name = "default.memcached1.6 "
}

Short Link: https://sg.run/x4Dz