Products
In-IDE
IDE extension that lets you fix coding issues before they exist!
Discover SonarLint
SaaS
Setup is effortless and analysis is automatic for most languages
Discover SonarCloud
Self-Hosted
Fast, accurate analysis; enterprise scalability
Discover SonarQube

Secrets
ABAP
Apex
C
C++
CloudFormation
COBOL
C#
CSS
Docker
Flex
Go
HTML
Java
JavaScript
Kotlin
Kubernetes
Objective C
PHP
PL/I
PL/SQL
Python
RPG
Ruby
Scala
Swift
Terraform
Text
TypeScript
T-SQL
VB.NET
VB6
XML

Terraform static code analysis

Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your TERRAFORM code

Tags

Creating public APIs is security-sensitive
Security Hotspot
Allowing public network access to cloud resources is security-sensitive
Security Hotspot
Policies granting access to all resources of an account are security-sensitive
Security Hotspot
Policies granting all privileges are security-sensitive
Security Hotspot
Policies authorizing public access to resources are security-sensitive
Security Hotspot
Granting access to S3 buckets to all or authenticated users is security-sensitive
Security Hotspot
AWS IAM policies should not allow privilege escalation
Vulnerability
Weak SSL/TLS protocols should not be used
Vulnerability
Allowing public ACLs or policies on a S3 bucket is security-sensitive
Security Hotspot
Authorizing HTTP communications with S3 buckets is security-sensitive
Security Hotspot
Using clear-text protocols is security-sensitive
Security Hotspot
Google Cloud load balancers SSL policies should not offer weak cipher suites
Vulnerability
Azure custom roles should not grant subscription Owner capabilities
Vulnerability
Excluding users or groups activities from audit logs is security-sensitive
Security Hotspot
Defining a short log retention duration is security-sensitive
Security Hotspot
Enabling Attribute-Based Access Control for Kubernetes is security-sensitive
Security Hotspot
Creating custom roles allowing privilege escalation is security-sensitive
Security Hotspot
Creating App Engine handlers without requiring TLS is security-sensitive
Security Hotspot
Excessive granting of GCP IAM permissions is security-sensitive
Security Hotspot
Enabling project-wide SSH keys to access VM instances is security-sensitive
Security Hotspot
Granting public access to GCP resources is security-sensitive
Security Hotspot
Creating GCP SQL instances without requiring TLS is security-sensitive
Security Hotspot
Creating DNS zones without DNSSEC enabled is security-sensitive
Security Hotspot
Creating keys without a rotation period is security-sensitive
Security Hotspot
Granting highly privileged GCP resource rights is security-sensitive
Security Hotspot
Using unencrypted cloud storages is security-sensitive
Security Hotspot
Azure role assignments that grant access to all resources of a subscription are security-sensitive
Security Hotspot
Disabling Role-Based Access Control on Azure resources is security-sensitive
Security Hotspot
Disabling certificate-based authentication is security-sensitive
Security Hotspot
Assigning high privileges Azure Resource Manager built-in roles is security-sensitive
Security Hotspot
Authorizing anonymous access to Azure resources is security-sensitive
Security Hotspot
Enabling Azure resource-specific admin accounts is security-sensitive
Security Hotspot
Disabling Managed Identities for Azure resources is security-sensitive
Security Hotspot
Assigning high privileges Azure Active Directory built-in roles is security-sensitive
Security Hotspot
Defining a short backup retention duration is security-sensitive
Security Hotspot
Using unencrypted EFS file systems is security-sensitive
Security Hotspot
Using unencrypted SQS queues is security-sensitive
Security Hotspot
Using unencrypted SNS topics is security-sensitive
Security Hotspot
Using unencrypted SageMaker notebook instances is security-sensitive
Security Hotspot
Using unencrypted Elasticsearch domains is security-sensitive
Security Hotspot
Using unencrypted RDS DB resources is security-sensitive
Security Hotspot
Using unencrypted EBS volumes is security-sensitive
Security Hotspot
Disabling logging is security-sensitive
Security Hotspot
Administration services access should be restricted to specific IP addresses
Vulnerability
Unversioned Google Cloud Storage buckets are security-sensitive
Security Hotspot
Disabling S3 bucket MFA delete is security-sensitive
Security Hotspot
Disabling versioning of S3 buckets is security-sensitive
Security Hotspot
Disabling server-side encryption of S3 buckets is security-sensitive
Security Hotspot
AWS tag keys should comply with a naming convention
Code Smell
Track uses of "TODO" tags
Code Smell
Terraform parsing failure
Code Smell

AWS tag keys should comply with a naming convention

Code Smell

MinorSonarSource default severity
click to learn more

aws
convention

Why is this an issue?

Shared conventions allow teams to collaborate effectively. This rule allows to check that all tag keys match a provided regular expression.

Noncompliant code example

With default provided regular expression ^([A-Z]:)([A-Z][A-Za-z]*)$:

resource "aws_s3_bucket" "mynoncompliantbucket" {
  bucket = "mybucketname"

  tags = {
    "anycompany:cost-center" = "Accounting" # Noncompliant
  }
}

Compliant solution

resource "aws_s3_bucket" "mycompliantbucket" {
  bucket = "mybucketname"

  tags = {
    "AnyCompany:CostCenter" = "Accounting"
  }
}

Resources

AWS Documentation: Adopt a Standardized Approach for Tag Names

Available In:

Catch issues on the fly,
in your IDE

Detect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories

Analyze code in your
on-premise CI

© 2008-2023 SonarSource S.A., Switzerland. All content is copyright protected. SONAR, SONARSOURCE, SONARLINT, SONARQUBE, and SONARCLOUD are trademarks of SonarSource S.A. All other trademarks and copyrights are the property of their respective owners. All rights are expressly reserved.
Privacy Policy

In-IDE

SaaS

Self-Hosted