AWS CloudFormation Linter

Unencrypted storage bucket foundTF-GCP002 Legacy `ABAC` permissions are enabledTF-GCP005 Potentially sensitive data stored in block attributeTF-GEN003 Invalid AWS S3 bucket regionTF-L0052 Invalid AWS DB instance typeTF-L0006 Ensure all Cloud SQL database instance requires all incoming connections to use SSLTF-S2006 Ensure that Cloud SQL database instances are not open to the worldTF-S2011 Azure instance is using basic authenticationTF-S1001 Azure AKS is not using RBACTF-S1005 Ensure no HTTPS or SSL proxy load balancers permit SSL policies with weak cipher suitesTF-S2004 Kubernetes Engine Cluster authentication missing client certificateTF-S2013 Kubernetes Engine Cluster missing Network PolicyTF-S2012 Ensure Google compute firewall ingress does not allow unrestricted ssh accessTF-S2002 Ensure Google compute firewall ingress does not allow unrestricted RDP accessTF-S2003 Ensure Legacy Authorization is set to Disabled on Kubernetes Engine ClustersTF-S2007 Exposed BigQuery datasetsTF-S2015 Found usage of RSASHA1 for the zone-signing and key-signing keys in Cloud DNS DNSSECTF-S2017 Detected password authentication instead of `SSH` keysTF-AZU005 Unencrypted data lake store foundTF-AZU004 Potentially sensitive data stored in `default` value of variableTF-GEN001 Potentially sensitive data stored in local valueTF-GEN002 Deprecated interpolationTF-L0037 Use of default AWS DB parameter groupTF-L0034 Use of an old generation AWS elasticache cluster node typeTF-L0035 Use of default AWS elasticache parameter groupTF-L0036 Legacy dot index syntaxTF-L0038 Unused declarationTF-L0039 Missing routing target in `aws_route` resourceTF-L0030 Use of previous generation AWS instance typeTF-L0032 Cloud DNS has DNSSEC disabledTF-S2016 Ensure 'Automatic node repair' is enabled for Kubernetes ClustersTF-S2009 AKS API server does not define authorized IP rangesTF-S1006 Unencrypted Azure managed disk foundTF-S1002 `supportsHttpsTrafficOnly` is not set to `true`TF-S1003 AKS logging is not configured with Azure MonitoringTF-S1004 Cloud SQL database found with backup configuration disabledTF-S2014 An inbound firewall rule allows traffic from `/0`TF-GCP003 Invalid AWS MQ broker engine typeTF-L0050 Load balancer is exposed to the internetTF-AWS005 An outdated SSL policy is in use by a load balancerTF-AWS010 A resource is marked as publicly accessibleTF-AWS011 Unencrypted SQS queueTF-AWS015 Use of plain `HTTP`TF-AWS004 Unencrypted managed disk detectedTF-AZU003 AWS instance with invalid AMI IDTF-L0015 AWS launch configuration with invalid AMI IDTF-L0021 Invalid `excess_capacity_termination_policy`TF-L0053 Unrestricted RDP accessTF-S1009 Invalid AWS Load Banancer subnet IDTF-L0002 Invalid AWS DB subnet group nameTF-L0003 Invalid ACL value for AWS S3 bucketTF-L0051 Module doesn't comply with Terraform Standard Module StructureTF-L0048 Invalid AWS Application Load Balancer security groupTF-L0001 Invalid `ParameterGroupName` for AWS DB instanceTF-L0005 Route definition has multiple routing targetsTF-L0031 Unrestricted access to Kubernetes dashboardTF-S1008 Unrestricted SSH accessTF-S1010 SQL Databases allows ingress from `0.0.0.0/0`TF-S1011 Unprotected AKS cluster detectedTF-S1007 Standard pricing tier is not selectedTF-S1019 App Service Authentication is not enabled on Azure App ServiceTF-S1013 Register with Azure Active Directory is not enabled on Azure App ServiceTF-S1016 Security contact phone number not setTF-S1020 Send email notification for high severity alerts is disabledTF-S1021 Incoming client certificates are disabledTF-S1017 HTTP version being used is outdatedTF-S1018 Web application does not redirect all HTTP traffic to HTTPS in Azure App ServiceTF-S1014 Web application is not using TLS 1.2 on Azure App ServiceTF-S1015 Send email notification for high severity alerts to administrator is disabledTF-S1022 'Auditing' is not 'Enabled' for SQL serversTF-S1023 An ingress security group rule allows traffic from `/0`TF-AWS006 An egress security group rule allows traffic to `/0`TF-AWS007 An inline ingress security group rule allows traffic from `/0`TF-AWS008 An inline egress security group rule allows traffic to `/0`TF-AWS009 Task definition defines sensitive environment variable(s)TF-AWS013 Launch configuration with unencrypted block deviceTF-AWS014 Unencrypted SNS topicTF-AWS016 Unencrypted S3 bucketTF-AWS017 Missing description for security group/security group ruleTF-AWS018 An inbound network security rule allows traffic from `/0`TF-AZU001 S3 Bucket does not have logging enabledTF-AWS002 AWS Classic resource usageTF-AWS003 Unencrypted compute disk foundTF-GCP001 An outbound firewall rule allows traffic to `/0`TF-GCP004 An outbound network security rule allows traffic from /0TF-AZU002 S3 Bucket has an ACL defined which allows public accessTF-AWS001 Elasticsearch domain endpoint is using outdated TLS policyTF-AWS034 EKS should have the encryption of secrets enabledTF-AWS066 S3 Access block should block public ACLTF-AWS074 AWS IAM policy document has wildcard action statementTF-AWS046 A resource has a public IP addressTF-AWS012 A KMS key is not configured to auto-rotateTF-AWS019 ECR repository has image scans disabledTF-AWS023 API Gateway domain name uses outdated SSL/TLS protocolsTF-AWS025 Elasticsearch domain isn't encrypted at restTF-AWS031 Elasticsearch doesn't enforce HTTPS trafficTF-AWS033 Unencrypted Elasticache Replication GroupTF-AWS035 IAM Password policy should have requirement for at least one lowercase characterTF-AWS042 AWS SQS policy document has wildcard action statementTF-AWS047 RDS encryption has not been enabled at a database Instance levelTF-AWS052 Encryption for RDS Performance Insights should be enabledTF-AWS053 ElasticSearch nodes should communicate with node to node encryption enabledTF-AWS055 Ensure that lambda function permission has a source arn specifiedTF-AWS058 API Gateway stages for V1 and V2 should have access logging enabledTF-AWS061 User data for EC2 instances must not contain sensitive AWS keysTF-AWS062 CloudTrail should be encrypted at rest to secure access to sensitive trail dataTF-AWS065 `aws_instance` resource should activate session tokens for Instance Metadata ServiceTF-AWS079 EKS Clusters should have cluster control plane logging turned onTF-AWS067 Viewer Protocol Policy in CloudFront Distribution Cache should always be set to HTTPSTF-AWS072 S3 Access block should block public policyTF-AWS076 CodeBuild Project artifacts encryption should not be disabledTF-AWS080 Amazon DynamoDB Accelerator Cluster should always encrypt data at restTF-AWS081 Use of previous generation AWS database instanceTF-L0033 Detected a git or mercurial repository as a module source without pinning to a versionTF-L0044 Audit: `terraform.workspace` used with a `remote` backend with remote executionTF-L0049 There is no encryption specified or encryption is disabled on the RDS ClusterTF-AWS051 Athena databases and workgroup configurations are created unencrypted at rest by default, they should be encryptedTF-AWS059 IAM Password policy should prevent password reuseTF-AWS037 IAM Password policy should have expiry less than or equal to 90 daysTF-AWS038 IAM Password policy should have requirement for at least one symbol in the passwordTF-AWS040 IAM Password policy should have requirement for at least one number in the passwordTF-AWS041 An ingress Network ACL rule allows specific ports from `/0`TF-AWS049 ElasticSearch domains should enforce HTTPSTF-AWS054 Domain logging should be enabled for ElasticSearch domainsTF-AWS057 Athena workgroups should enforce configuration to prevent client disabling encryptionTF-AWS060 CloudTrail should be enabled in all regions, regardless of where your AWS resources are generally locatedTF-AWS063 EKS Clusters should have the public access disabledTF-AWS069 AWS ElasticSearch Domain should have logging enabledTF-AWS070 CloudFront distribution should have Access Logging configuredTF-AWS071 S3 Access Block should Ignore Public ACLTF-AWS073 S3 Access block should restrict public bucket to limit accessTF-AWS075 S3 Data should be versionedTF-AWS077 ECR images tags shouldn't be mutableTF-AWS078 Invalid AWS DB `OptionGroupName`TF-L0004 Invalid AWS VPC Security GroupTF-L0007 `terraform` declarations without `require_version`TF-L0046 Provider doesn't have version constraintTF-L0047 CloudFront distribution allows unencrypted (HTTP) communicationsTF-AWS020 CloudFront distribution uses outdated SSL/TLS protocolsTF-AWS021 A MSK cluster allows unencrypted data in transitTF-AWS022 Ensure Stackdriver Logging is set to Enabled on Kubernetes Engine ClustersTF-S2001 Ensure 'Automatic node upgrade' is enabled for Kubernetes ClustersTF-S2010 Kinesis stream is unencryptedTF-AWS024 CloudFront distribution does not have a WAF in frontTF-AWS045 EFS Encryption has not been enabledTF-AWS048 CloudTrail log validation should be enabled to prevent tampering of log dataTF-AWS064 EKS cluster should not have open CIDR range for public accessTF-AWS068 Ensure Stackdriver Monitoring is set to Enabled on Kubernetes Engine ClustersTF-S2008 Elasticsearch domain uses plaintext traffic for node to node communicationTF-AWS032 AWS provider has access credentials specifiedTF-AWS044 Elasticache Replication Group uses unencrypted trafficTF-AWS036 IAM Password policy should have minimum password length of 14 or more charactersTF-AWS039 IAM Password policy should have requirement for at least one uppercase characterTF-AWS043 An ingress Network ACL rule allows ALL ports from `/0`TF-AWS050 Master authorized networks are not enabled in GKE clustersTF-S2019 GCP Kubernetes engine clusters have basic authentication enabledTF-S2018 Consider using `#` for commentsTF-L0040 Output declaration without descriptionTF-L0041 `variable` declaration without descriptionTF-L0042 `variable` declaration without typeTF-L0043

Terraform

Static Analysis, SAST, Code Coverage, Code Complexity

Sample Configuration

.deepsource.toml

version = 1

[[analyzers]]
name = "terraform"

Explore the docs for all configuration options.