Ensure auto scaling groups associated with a load balancer use elastic load balancing health checks

Error: Auto scaling groups associated with a load balancer do not use elastic load balancing health checks

Bridgecrew Policy ID: BC_AWS_NETWORKING_46
Checkov Check ID: CKV2_AWS_15
Severity: LOW

Description

To maintain the availability of the compute resources in the event of a failure and provide an evenly distributed application load, ensure that your Amazon Auto Scaling Groups (ASGs) have associated Elastic Load Balancers in order.

Fix - Buildtime

Terraform

  • Resource: aws_autoscaling_group, aws_autoscaling_attachment, aws_elb
  • Argument: autoscaling_group_name and elb of aws_autoscaling_attachment

resource "aws_autoscaling_group" "autoscalling_ok" {
  max_size                  = 5
  min_size                  = 2
  health_check_grace_period = 300
  # The setting this check evaluates: use the load balancer's health check for the group
  health_check_type         = "ELB"
  desired_capacity          = 4
  force_delete              = true

  lifecycle {
    ignore_changes = [load_balancers, target_group_arns]
  }
}

resource "aws_autoscaling_attachment" "test_ok_attachment" {
  autoscaling_group_name = aws_autoscaling_group.autoscalling_ok.id
  elb                    = aws_elb.test_ok.id
}

resource "aws_elb" "test_ok" {
  name               = "foobar-terraform-elb"
  availability_zones = ["us-west-2a", "us-west-2b", "us-west-2c"]

  access_logs {
    bucket        = "foo"
    bucket_prefix = "bar"
    interval      = 60
  }

  listener {
    instance_port     = 8000
    instance_protocol = "http"
    lb_port           = 80
    lb_protocol       = "http"
  }

  listener {
    instance_port      = 8000
    instance_protocol  = "http"
    lb_port            = 443
    lb_protocol        = "https"
    ssl_certificate_id = "arn:aws:iam::123456789012:server-certificate/certName"
  }

  health_check {
    healthy_threshold   = 2
    unhealthy_threshold = 2
    timeout             = 3
    target              = "HTTP:8000/"
    interval            = 30
  }

  instances                   = [aws_instance.foo.id]
  cross_zone_load_balancing   = true
  idle_timeout                = 400
  connection_draining         = true
  connection_draining_timeout = 400

  tags = {
    Name = "foobar-terraform-elb"
  }
}
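
The same relationship can be checked in CI against the JSON form of a plan. The script below is an added example, not Checkov's implementation and not part of the original page: it follows each aws_autoscaling_attachment that points at an aws_elb back to its aws_autoscaling_group and reports groups whose health_check_type is not the literal "ELB". It assumes the "configuration" layout produced by `terraform show -json`, looks only at the root module, and uses hypothetical resource names in a constructed sample.

```python
# Constructed sample: the "configuration" part of `terraform show -json <planfile>`,
# trimmed to the fields this check reads. All resource names are hypothetical.
def _res(rtype, name, **expr):
    return {"address": f"{rtype}.{name}", "type": rtype, "expressions": expr}

def _ref(addr, attr="id"):
    return {"references": [f"{addr}.{attr}", addr]}

SAMPLE_PLAN = {"configuration": {"root_module": {"resources": [
    _res("aws_elb", "front"),
    _res("aws_autoscaling_group", "web_ok", health_check_type={"constant_value": "ELB"}),
    _res("aws_autoscaling_group", "web_bad"),  # health_check_type unset: defaults to EC2
    _res("aws_autoscaling_group", "batch", health_check_type={"constant_value": "EC2"}),
    _res("aws_autoscaling_attachment", "ok", elb=_ref("aws_elb.front"),
         autoscaling_group_name=_ref("aws_autoscaling_group.web_ok")),
    _res("aws_autoscaling_attachment", "bad", elb=_ref("aws_elb.front"),
         autoscaling_group_name=_ref("aws_autoscaling_group.web_bad")),
]}}}

def asgs_missing_elb_health_check(plan):
    """Return addresses of ASGs attached to a classic ELB without health_check_type = "ELB"."""
    resources = plan["configuration"]["root_module"]["resources"]  # root module only
    by_addr = {r["address"]: r for r in resources}
    failing = set()
    for att in resources:
        if att["type"] != "aws_autoscaling_attachment":
            continue
        expr = att.get("expressions", {})
        targets = [by_addr.get(a, {}) for a in expr.get("elb", {}).get("references", [])]
        if not any(t.get("type") == "aws_elb" for t in targets):
            continue  # attachment does not point at a classic ELB in this module
        for addr in expr.get("autoscaling_group_name", {}).get("references", []):
            asg = by_addr.get(addr)
            if asg is None or asg["type"] != "aws_autoscaling_group":
                continue
            hc = asg.get("expressions", {}).get("health_check_type", {}).get("constant_value")
            if hc != "ELB":  # unset, "EC2", or a non-literal expression
                failing.add(addr)
    return sorted(failing)

if __name__ == "__main__":
    print(asgs_missing_elb_health_check(SAMPLE_PLAN))
```

The "batch" group is not reported because no attachment links it to a load balancer, which matches the scope of the policy: only groups associated with a load balancer are evaluated.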