terraform.aws.best-practice.missing-aws-cross-zone-lb.missing-aws-cross-zone-lb


AWS cross-zone load balancing is not enabled on this load balancer.


Definition

---
# Reports Terraform-managed AWS load balancers that declare a non-application
# `load_balancer_type` without opting in to cross-zone load balancing.
# Cross-zone load balancing spreads traffic across registered targets in every
# enabled Availability Zone instead of only within each zone, which keeps a
# zone with fewer targets from being overloaded.
rules:
  - id: missing-aws-cross-zone-lb
    message: The AWS cross zone load balancing is not enabled.
    severity: WARNING
    languages:
      - hcl
    metadata:
      category: best-practice
      technology:
        - terraform
        - aws
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
    patterns:
      # Candidates: either provider resource name for the same API object
      # (`aws_alb` is the legacy alias of `aws_lb`), but only when the type is
      # set explicitly. A resource that omits `load_balancer_type` never
      # matches; the provider default for an omitted type is "application",
      # which the exclusion below treats as out of scope anyway.
      - pattern-either:
          - pattern: |
              resource "aws_alb" $ANYTHING {
                ...
                load_balancer_type = ...
                ...
              }
          - pattern: |
              resource "aws_lb" $ANYTHING {
                ...
                load_balancer_type = ...
                ...
              }
      # Application Load Balancers are excluded: AWS keeps cross-zone
      # balancing on for that type, so the attribute is not meaningful there.
      - pattern-not-inside: |
          resource $ANYLB $ANYTHING {
            ...
            load_balancer_type = "application"
            ...
          }
      # Only a literal `= true` clears the finding. An absent attribute and an
      # explicit `= false` are both reported, since for the remaining types
      # the feature is off unless enabled.
      - pattern-not-inside: |
          resource $ANYLB $ANYTHING {
            ...
            enable_cross_zone_load_balancing = true
            ...
          }

Examples

missing-aws-cross-zone-lb.tf

# pass
# An explicit `enable_cross_zone_load_balancing = true` clears the finding for
# both resource names the provider accepts (`aws_lb` and `aws_alb`) and for
# both non-application types used below ("network" and "gateway").

resource "aws_lb" "enabled" {
  internal           = false
  load_balancer_type = "network"
  name               = "nlb"
  subnets            = var.public_subnet_ids

  enable_cross_zone_load_balancing = true
}

resource "aws_alb" "enabled" {
  load_balancer_type = "gateway"
  name               = "glb"

  enable_cross_zone_load_balancing = true

  subnet_mapping {
    subnet_id = var.subnet_id
  }
}

# failure
# Each `# ruleid:` line marks the resource that follows it as an expected
# finding. An absent attribute and an explicit `= false` are both reported:
# the rule only accepts a literal `= true` as an opt-in.
# ruleid: missing-aws-cross-zone-lb
resource "aws_lb" "default" {
  internal           = false
  load_balancer_type = "network"
  name               = "nlb"
  subnets            = var.public_subnet_ids
}
# ruleid: missing-aws-cross-zone-lb
resource "aws_alb" "default" {
  load_balancer_type = "gateway"
  name               = "glb"

  subnet_mapping {
    subnet_id = var.subnet_id
  }
}
# ruleid: missing-aws-cross-zone-lb
resource "aws_lb" "disabled" {
  internal           = false
  load_balancer_type = "network"
  name               = "nlb"
  subnets            = var.public_subnet_ids

  enable_cross_zone_load_balancing = false
}
# ruleid: missing-aws-cross-zone-lb
resource "aws_alb" "disabled" {
  load_balancer_type = "gateway"
  name               = "glb"

  enable_cross_zone_load_balancing = false

  subnet_mapping {
    subnet_id = var.subnet_id
  }
}

# unknown
# Not annotated, so the rule must stay silent here. The explicit
# "application" type is excluded by the rule, and a resource with no
# `load_balancer_type` at all never matches the candidate pattern (the
# provider default for an omitted type is "application").

resource "aws_lb" "application" {
  internal           = false
  load_balancer_type = "application"
  name               = "alb"
  subnets            = var.public_subnet_ids
}

resource "aws_lb" "default_type" {
  internal           = false
  name               = "alb"
  subnets            = var.public_subnet_ids
}