bridgecrewio / checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
https://www.checkov.io/
Apache License 2.0

Terraform CKV_AWS_315 does not take into account launch_template configuration inside mixed_instances_policy #6069

Open bozzaj opened 8 months ago

bozzaj commented 8 months ago

Describe the issue

The documentation for CKV_AWS_315 - EC2 Auto Scaling groups are not utilizing EC2 launch templates - states to use launch templates over launch configurations. However, auto scaling groups can use launch templates via a LaunchTemplate block, or within a MixedInstancesPolicy. The Terraform check at AutoScalingLaunchTemplate.py only checks for launch_template. When using a mixed_instances_policy, the launch_template definition is within that block. An AutoScaling Group that wants to use different instance types (for instance Graviton and Intel), along with Spot/OnDemand, will use a Mixed Instances Policy and possibly attach multiple Launch Templates. This check should allow for that type of configuration.

Examples

Example of a launch template being used with specific instance types as choices.

resource "aws_autoscaling_group" "example" {
  mixed_instances_policy {
    instances_distribution {
      on_demand_base_capacity                  = 0
      on_demand_percentage_above_base_capacity = 25
      spot_allocation_strategy                 = "capacity-optimized"
    }

    launch_template {
      launch_template_specification {
        launch_template_id = aws_launch_template.example.id
      }

      override {
        instance_type     = "c4.large"
        weighted_capacity = "3"
      }

      override {
        instance_type     = "c3.large"
        weighted_capacity = "2"
      }
    }
  }
}

Example of multiple launch templates being used to leverage both Intel(AMD) and Graviton instance types.

resource "aws_autoscaling_group" "example" {
  mixed_instances_policy {
    instances_distribution {
      on_demand_base_capacity                  = 0
      on_demand_percentage_above_base_capacity = 25
      spot_allocation_strategy                 = "capacity-optimized"
    }

    launch_template {
      launch_template_specification {
        launch_template_id = aws_launch_template.x86_64.id
      }

      override {
        instance_type     = "c6g.large"
        launch_template_specification {
          launch_template_id = aws_launch_template.arm64.id
        }
      }

      override {
        instance_type     = "c5.large"
      }

      override {
        instance_type     = "c5a.large"
      }
    }
  }
}

In both of the above cases, launch templates (and not launch configurations) are being used, which should be allowed.

Version (please complete the following information):

Additional context

While launch templates should always form the basis for autoscaling group configuration, advanced configurations that leverage multiple instance types, different weighted capacities, different architecture, and other advanced configurations need to be done at the autoscaling group layer with the launch template within a deeper block.
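To make the requested behaviour concrete, here is an added, stand-alone example (not Checkov's own AutoScalingLaunchTemplate.py, and not written by the issue author) of check logic that treats a launch template as present whether it is declared directly in launch_template or inside mixed_instances_policy.launch_template, including per-override launch_template_specification blocks as in the second HCL example above. The dictionary shape of the inputs (attribute values as lists, nested blocks as lists of dicts, references rendered as "${...}") is an assumption modelled on Checkov's parsed Terraform configuration; the sample configurations are constructed here to mirror the issue's two examples plus a launch_configuration-only group, and the plain function scan_autoscaling_group stands in for a check class's scan_resource_conf method.

```python
from enum import Enum


class CheckResult(Enum):
    """Minimal stand-in for Checkov's CheckResult enum (assumption)."""
    PASSED = "PASSED"
    FAILED = "FAILED"


# Constructed sample inputs, mimicking Checkov's parsed HCL layout (assumption).
DIRECT_LAUNCH_TEMPLATE_CONF = {
    "launch_template": [{"id": ["${aws_launch_template.example.id}"], "version": ["$Latest"]}],
}

MIXED_POLICY_CONF = {  # mirrors the issue's first example
    "mixed_instances_policy": [{
        "instances_distribution": [{
            "on_demand_base_capacity": [0],
            "on_demand_percentage_above_base_capacity": [25],
            "spot_allocation_strategy": ["capacity-optimized"],
        }],
        "launch_template": [{
            "launch_template_specification": [{"launch_template_id": ["${aws_launch_template.example.id}"]}],
            "override": [
                {"instance_type": ["c4.large"], "weighted_capacity": ["3"]},
                {"instance_type": ["c3.large"], "weighted_capacity": ["2"]},
            ],
        }],
    }],
}

MULTI_TEMPLATE_CONF = {  # mirrors the issue's second example: x86_64 default, arm64 override
    "mixed_instances_policy": [{
        "launch_template": [{
            "launch_template_specification": [{"launch_template_id": ["${aws_launch_template.x86_64.id}"]}],
            "override": [
                {"instance_type": ["c6g.large"],
                 "launch_template_specification": [{"launch_template_id": ["${aws_launch_template.arm64.id}"]}]},
                {"instance_type": ["c5.large"]},
                {"instance_type": ["c5a.large"]},
            ],
        }],
    }],
}

LAUNCH_CONFIGURATION_CONF = {  # legacy style the check is meant to flag
    "launch_configuration": ["${aws_launch_configuration.legacy.name}"],
}


def _blocks(conf, name):
    """Return the nested blocks called `name` as a list of dicts (tolerates a bare dict)."""
    value = conf.get(name)
    if value is None:
        return []
    if isinstance(value, dict):
        return [value]
    return [v for v in value if isinstance(v, dict)]


def _values(block, key):
    """Return an attribute's values as a list (tolerates a bare scalar)."""
    value = block.get(key)
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def launch_template_references(conf):
    """Collect every launch template reference an aws_autoscaling_group declares.

    Looks at the top-level launch_template block and, for mixed_instances_policy,
    at both the policy-level launch_template_specification and any override-level
    launch_template_specification (the multi-architecture pattern from the issue).
    """
    refs = []
    for lt in _blocks(conf, "launch_template"):
        for key in ("id", "name"):
            refs.extend(str(v) for v in _values(lt, key))
    for policy in _blocks(conf, "mixed_instances_policy"):
        for lt in _blocks(policy, "launch_template"):
            specs = _blocks(lt, "launch_template_specification")
            for override in _blocks(lt, "override"):
                specs.extend(_blocks(override, "launch_template_specification"))
            for spec in specs:
                for key in ("launch_template_id", "launch_template_name"):
                    refs.extend(str(v) for v in _values(spec, key))
    return refs


def scan_autoscaling_group(conf):
    """PASSED when at least one launch template is referenced by either path, else FAILED."""
    return CheckResult.PASSED if launch_template_references(conf) else CheckResult.FAILED


if __name__ == "__main__":
    for name, conf in [("direct", DIRECT_LAUNCH_TEMPLATE_CONF), ("mixed", MIXED_POLICY_CONF),
                       ("multi", MULTI_TEMPLATE_CONF), ("launch_configuration", LAUNCH_CONFIGURATION_CONF)]:
        print(f"{name}: {scan_autoscaling_group(conf).value} {launch_template_references(conf)}")
```

Collecting the references rather than returning a bare boolean also lets the check report which templates it found, which is useful when reviewing a mixed-architecture group that attaches several of them.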

timothyclarke commented 7 months ago

In addition to this, you cannot specify both a launch_template AND a mixed_instance_policy.launch_template. Doing so generates AWS errors.

rafaljanicki commented 2 months ago

Just wanted to say that the issue still exists.