terraform.aws.best-practice.missing-cloudwatch-log-group-retention.missing-cloudwatch-log-group-retention

Author: semgrep
The AWS CloudWatch Log group is missing log retention time. By default, logs are retained indefinitely. Add retention_in_days = <integer> to your resource block.

Definition

rules:
  - id: missing-cloudwatch-log-group-retention
    patterns:
      - patterns:
          - pattern: resource "aws_cloudwatch_log_group" $ANYTHING {...}
          - pattern-not-inside: |
              resource "aws_cloudwatch_log_group" $ANYTHING {
                ...
                retention_in_days = ...
                ...
              }
    message: The AWS CloudWatch Log group is missing log retention time. By default,
      logs are retained indefinitely. Add `retention_in_days = <integer>` to
      your resource block.
    languages:
      - hcl
    severity: WARNING
    metadata:
      technology:
        - aws
        - terraform
      category: best-practice
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]

Examples

missing-cloudwatch-log-group-retention.tf

# ruleid: missing-cloudwatch-log-group-retention
resource "aws_cloudwatch_log_group" "fail" {}

# ok: missing-cloudwatch-log-group-retention
resource "aws_cloudwatch_log_group" "pass" {
  retention_in_days = 3
}
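As an added example (not semgrep's rule or code), a small Python checker that reports the same gap as the rule above plus two cases the pattern treats as ok: `retention_in_days = 0`, which the AWS provider documents as "never expire", and values outside the set CloudWatch accepts. The accepted-value set is taken from the AWS provider documentation and stated here as an assumption; the resource names and the sample `.tf` are constructed.

```python
import re
# retention_in_days values CloudWatch accepts (AWS provider docs, an assumption); 0 = never expire
ALLOWED_RETENTION_DAYS = {
    0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731,
    1096, 1827, 2192, 2557, 2922, 3288, 3653,
}
HEADER_RE = re.compile(r'resource\s+"aws_cloudwatch_log_group"\s+"(?P<name>[^"]+)"\s*\{')
RETENTION_RE = re.compile(r"^\s*retention_in_days\s*=\s*(?P<val>\S+)", re.MULTILINE)

# Constructed sample input (not from the page): one block per outcome the checker distinguishes.
SAMPLE_TF = """resource "aws_cloudwatch_log_group" "fail" {}
resource "aws_cloudwatch_log_group" "forever" {
  retention_in_days = 0
}
resource "aws_cloudwatch_log_group" "bad_value" {
  retention_in_days = 10
  tags = { team = "sec" }
}
resource "aws_cloudwatch_log_group" "pass" {
  tags              = { team = "sec" }
  retention_in_days = 30
}
"""

def _block_body(hcl: str, start: int) -> str:
    """Text inside a block's braces; tolerates nested {...} such as a tags map (not braces in strings)."""
    depth, i = 1, start
    while i < len(hcl) and depth:
        depth += {"{": 1, "}": -1}.get(hcl[i], 0)
        i += 1
    return hcl[start:i - 1]

def check_log_groups(hcl: str) -> list[tuple[str, str]]:
    """(resource name, finding) for each log group that keeps logs forever or sets a rejected value."""
    findings = []
    for m in HEADER_RE.finditer(hcl):
        name, body = m.group("name"), _block_body(hcl, m.end())
        r = RETENTION_RE.search(body)
        val = r.group("val") if r else None
        if val is None:
            findings.append((name, "retention_in_days missing: logs retained indefinitely"))
        elif not val.isdigit():  # e.g. var.days: cannot be evaluated statically
            findings.append((name, f"retention_in_days = {val}: not a literal, review"))
        elif int(val) == 0:
            findings.append((name, "retention_in_days = 0: never expires, same as missing"))
        elif int(val) not in ALLOWED_RETENTION_DAYS:
            findings.append((name, f"retention_in_days = {val}: not a value CloudWatch accepts"))
    return findings
```

Running `check_log_groups(SAMPLE_TF)` flags `fail`, `forever` and `bad_value`; only `pass` is silent.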