terraform.aws.best-practice.missing-aws-lb-deletion-protection.missing-aws-lb-deletion-protection


The AWS LoadBalancer deletion protection is not enabled.


Definition

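rules:
  - id: missing-aws-lb-deletion-protection
    # Reports `aws_lb` / `aws_alb` resources that do not set
    # `enable_deletion_protection = true`. Without the flag, a single
    # DeleteLoadBalancer request (console, CLI, an unintended
    # `terraform destroy`, or a misused credential) removes the load
    # balancer and takes the service behind it offline. The flag makes the
    # AWS API refuse the deletion until it is cleared again.
    patterns:
      - pattern-either:
          - pattern-inside: |
              resource "aws_alb" "..." {
              ...
              }
          - pattern-inside: |
              resource "aws_lb" "..." {
              ...
              }
      # Only the literal `true` suppresses the finding. A resource that sets
      # `enable_deletion_protection = var.protect` (or any other expression)
      # is still reported, so such findings need manual triage; the rule does
      # not evaluate variables.
      - pattern-not-inside: |
          resource $ANYLB $ANYTHING {
            ...
            enable_deletion_protection = true
            ...
          }
    # The message names the fix, not just the problem, so a finding can be
    # acted on without opening the rule.
    message: >-
      The AWS LoadBalancer deletion protection is not enabled. Set
      `enable_deletion_protection = true` on the `aws_lb`/`aws_alb` resource
      so the load balancer cannot be deleted through the AWS API until the
      flag is cleared.
    languages:
      - hcl
    severity: WARNING
    metadata:
      category: best-practice
      references:
        - https://aws.amazon.com/what-is/load-balancing/#seo-faq-pairs#benefits-lb
        - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lb
      technology:
        - terraform
        - aws
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]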

Examples

missing-aws-lb-deletion-protection.tf

# pass

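# ok: missing-aws-lb-deletion-protection
resource "aws_lb" "enabled" {
  internal           = false
  load_balancer_type = "application"
  name               = "alb"
  subnets            = var.public_subnet_ids

  # The literal `true` is what the rule's pattern-not-inside looks for;
  # an expression here would not suppress the finding.
  enable_deletion_protection = true
}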

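# ok: missing-aws-lb-deletion-protection
resource "aws_alb" "enabled" {
  internal           = false
  load_balancer_type = "application"
  name               = "alb"
  subnets            = var.public_subnet_ids

  # The literal `true` is what the rule's pattern-not-inside looks for;
  # an expression here would not suppress the finding.
  enable_deletion_protection = true
}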

# failure
# ruleid: missing-aws-lb-deletion-protection
resource "aws_lb" "default" {
  name               = "alb"
  load_balancer_type = "application"
  internal           = false
  subnets            = var.public_subnet_ids

  # `enable_deletion_protection` is omitted entirely, so the provider
  # default applies and the rule reports this resource.
}
# ruleid: missing-aws-lb-deletion-protection
resource "aws_alb" "default" {
  name               = "alb"
  load_balancer_type = "application"
  internal           = false
  subnets            = var.public_subnet_ids

  # `enable_deletion_protection` is omitted entirely, so the provider
  # default applies and the rule reports this resource.
}
# ruleid: missing-aws-lb-deletion-protection
resource "aws_lb" "disabled" {
  name               = "alb"
  load_balancer_type = "application"
  internal           = false
  subnets            = var.public_subnet_ids

  # Explicitly disabled: the attribute is present but not the literal
  # `true`, so the rule still reports this resource.
  enable_deletion_protection = false
}
# ruleid: missing-aws-lb-deletion-protection
resource "aws_alb" "disabled" {
  name               = "alb"
  load_balancer_type = "application"
  internal           = false
  subnets            = var.public_subnet_ids

  # Explicitly disabled: the attribute is present but not the literal
  # `true`, so the rule still reports this resource.
  enable_deletion_protection = false
}