terraform.aws.best-practice.missing-autoscaling-group-tags.missing-autoscaling-group-tags

Author: unknown

There are missing tags for an AWS Auto Scaling group. Tags help track costs, allow for filtering for Auto Scaling groups, help with access control, and aid in organizing AWS resources. Add:

tag {
  key                 = "key"
  value               = "value"
  propagate_at_launch = boolean
}

See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group for more details.

Definition

rules:
  - id: missing-autoscaling-group-tags
    patterns:
      - patterns:
          - patterns:
              - pattern: resource "aws_autoscaling_group" $ANYTHING {...}
              - pattern-not-inside: |
                  resource "aws_autoscaling_group" $ANYTHING {
                    ...
                    tag {...}
                    ...
                  }
          - patterns:
              - pattern: resource "aws_autoscaling_group" $ANYTHING {...}
              - pattern-not-inside: |
                  resource "aws_autoscaling_group" $ANYTHING {
                    ...
                    tags = concat(...)
                    ...
                  }
    message: >-
      There are missing tags for an AWS Auto Scaling group. Tags help track
      costs, allow for filtering for Auto Scaling groups, help with access
      control, and aid in organizing AWS resources. Add: `tag {
        key = "key"
        value = "value"
        propagate_at_launch = boolean
      }` See https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/autoscaling_group for more details.
    languages:
      - hcl
    severity: WARNING
    metadata:
      technology:
        - aws
        - terraform
      category: best-practice
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]

Examples

missing-autoscaling-group-tags.tf

#failure
# ruleid: missing-autoscaling-group-tags
resource "aws_autoscaling_group" "fail" {
  name                 = "foobar3-terraform-test"
  max_size             = 5
  min_size             = 2
  launch_configuration = aws_launch_configuration.foobar.name
  vpc_zone_identifier  = [aws_subnet.example1.id, aws_subnet.example2.id]
}

#pass
# ok: missing-autoscaling-group-tags
resource "aws_autoscaling_group" "passtag" {
  name                      = "foobar3-terraform-test"
  max_size                  = 5
  min_size                  = 2
  health_check_grace_period = 300
  health_check_type         = "ELB"
  desired_capacity          = 4
  force_delete              = true
  placement_group           = aws_placement_group.test.id
  launch_configuration      = aws_launch_configuration.foobar.name
  vpc_zone_identifier       = [aws_subnet.example1.id, aws_subnet.example2.id]

  tag {
    key                 = "foo"
    value               = "bar"
    propagate_at_launch = true
  }

  tag {
    key                 = "lorem"
    value               = "ipsum"
    propagate_at_launch = false
  }
}

# ok: missing-autoscaling-group-tags
resource "aws_autoscaling_group" "passtags" {
  name                 = "foobar3-terraform-test"
  max_size             = 5
  min_size             = 2
  launch_configuration = aws_launch_configuration.foobar.name
  vpc_zone_identifier  = [aws_subnet.example1.id, aws_subnet.example2.id]

  tags = concat(
    [
      {
        "key"                 = "interpolation1"
        "value"               = "value3"
        "propagate_at_launch" = true
      },
      {
        "key"                 = "interpolation2"
        "value"               = "value4"
        "propagate_at_launch" = true
      },
    ],
    var.extra_tags,
  )
}
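To make the rule's logic concrete, the following is an added example (not part of the Semgrep registry page or the rule itself) that re-implements the check in plain Python: it finds every aws_autoscaling_group resource in a piece of HCL text and reports those with neither a nested tag {} block nor a tags = concat(...) attribute at the top level of the body, which is exactly the AND of the two pattern-not-inside clauses in the definition above. The sample HCL is constructed here and mirrors the page's test file, plus one extra resource (literal_list) that declares tags as a literal list; as the rule is written, only concat(...) satisfies the second clause, so that literal list is still flagged. The semgrep_strict parameter is an assumption of this example used to show that difference; it is not an option of the rule. The brace/bracket counting is deliberately simple and does not handle braces inside string literals.

```python
import re

# Constructed sample HCL for this example: the page's fail/passtag/passtags cases,
# plus a literal-list case and an unrelated resource type.
SAMPLE_TF = '''
resource "aws_autoscaling_group" "fail" {
  name     = "foobar3-terraform-test"
  max_size = 5
  min_size = 2
}

resource "aws_autoscaling_group" "passtag" {
  name = "foobar3-terraform-test"
  tag {
    key                 = "foo"
    value               = "bar"
    propagate_at_launch = true
  }
}

resource "aws_autoscaling_group" "passtags" {
  name = "foobar3-terraform-test"
  tags = concat(
    [
      { "key" = "interpolation1", "value" = "value3", "propagate_at_launch" = true },
    ],
    var.extra_tags,
  )
}

resource "aws_autoscaling_group" "literal_list" {
  name = "foobar3-terraform-test"
  tags = [
    { "key" = "a", "value" = "b", "propagate_at_launch" = true },
  ]
}

resource "aws_instance" "unrelated" {
  ami = "ami-PLACEHOLDER"
}
'''

# Matches the resource header up to and including its opening brace.
RESOURCE_RE = re.compile(r'resource\s+"aws_autoscaling_group"\s+"([^"]+)"\s*\{')
TAG_BLOCK_RE = re.compile(r'^tag\s*\{')
TAGS_CONCAT_RE = re.compile(r'^tags\s*=\s*concat\s*\(')
TAGS_ANY_RE = re.compile(r'^tags\s*=')


def _block_body(text, start):
    """Return the text between the brace at text[start] and its matching close brace."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == '{':
            depth += 1
        elif text[i] == '}':
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced braces in resource block")


def _top_level_lines(body):
    """Yield stripped lines of the body that sit at nesting depth 0.

    Lines inside nested blocks, lists or function calls are skipped, so a
    `tag {` inside some other nested block would not count (simplified; does
    not account for braces inside string literals).
    """
    depth = 0
    for line in body.splitlines():
        if depth == 0:
            yield line.strip()
        depth += line.count('{') + line.count('[') + line.count('(')
        depth -= line.count('}') + line.count(']') + line.count(')')


def has_accepted_tags(body, semgrep_strict=True):
    """True if the body carries tags in a form the check accepts.

    semgrep_strict=True mirrors the registry rule: only a nested `tag {}` block
    or `tags = concat(...)` passes. semgrep_strict=False (an assumption of this
    example, not a rule option) additionally accepts any `tags = ...` attribute.
    """
    for line in _top_level_lines(body):
        if TAG_BLOCK_RE.match(line) or TAGS_CONCAT_RE.match(line):
            return True
        if not semgrep_strict and TAGS_ANY_RE.match(line):
            return True
    return False


def find_untagged_asgs(hcl, semgrep_strict=True):
    """Return the names of aws_autoscaling_group resources the check would flag."""
    flagged = []
    for m in RESOURCE_RE.finditer(hcl):
        body = _block_body(hcl, m.end() - 1)  # m.end()-1 is the index of the '{'
        if not has_accepted_tags(body, semgrep_strict):
            flagged.append(m.group(1))
    return flagged


if __name__ == "__main__":
    print("rule as written flags:", find_untagged_asgs(SAMPLE_TF))
    print("accepting literal lists flags:", find_untagged_asgs(SAMPLE_TF, semgrep_strict=False))
```

Running the script reports fail and literal_list under the rule's own logic, and only fail when a literal tags list is also accepted; if a code base declares Auto Scaling group tags as literal lists, expect the registry rule to report those resources even though they are tagged.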