Merge pull request #41734 from hashicorp/security-terraform.aws.secur…

…ity.aws-cloudwatch-log-group-no-retention.aws-cloudwatch-log-group-no-retention Fix `terraform.aws.security.aws-cloudwatch-log-group-no-retention.aws-cloudwatch-log-group-no-retention` security findings
hashicorp · Mar 7, 2025 · e713509 · e713509
2 parents 1dcc5d7 + 00492e9
commit e713509
Show file tree

Hide file tree

Showing 10 changed files with 22 additions and 2 deletions.
diff --git a/examples/ecs-alb/main.tf b/examples/ecs-alb/main.tf
@@ -289,9 +289,11 @@ resource "aws_alb_listener" "front_end" {
 ## CloudWatch Logs
 
 resource "aws_cloudwatch_log_group" "ecs" {
-  name = "tf-ecs-group/ecs-agent"
+  name              = "tf-ecs-group/ecs-agent"
+  retention_in_days = 1
 }
 
 resource "aws_cloudwatch_log_group" "app" {
-  name = "tf-ecs-group/app-ghost"
+  name              = "tf-ecs-group/app-ghost"
+  retention_in_days = 1
 }
diff --git a/internal/service/logs/testdata/LogGroup/data.tags/main_gen.tf b/internal/service/logs/testdata/LogGroup/data.tags/main_gen.tf
@@ -9,6 +9,8 @@ data "aws_cloudwatch_log_group" "test" {
 resource "aws_cloudwatch_log_group" "test" {
   name = var.rName
 
+  retention_in_days = 1
+
   tags = var.resource_tags
 }
 

diff --git a/internal/service/logs/testdata/LogGroup/data.tags_defaults/main_gen.tf b/internal/service/logs/testdata/LogGroup/data.tags_defaults/main_gen.tf
@@ -15,6 +15,8 @@ data "aws_cloudwatch_log_group" "test" {
 resource "aws_cloudwatch_log_group" "test" {
   name = var.rName
 
+  retention_in_days = 1
+
   tags = var.resource_tags
 }
 

diff --git a/internal/service/logs/testdata/LogGroup/data.tags_ignore/main_gen.tf b/internal/service/logs/testdata/LogGroup/data.tags_ignore/main_gen.tf
@@ -18,6 +18,8 @@ data "aws_cloudwatch_log_group" "test" {
 resource "aws_cloudwatch_log_group" "test" {
   name = var.rName
 
+  retention_in_days = 1
+
   tags = var.resource_tags
 }
 

diff --git a/internal/service/logs/testdata/LogGroup/tags/main_gen.tf b/internal/service/logs/testdata/LogGroup/tags/main_gen.tf
@@ -4,6 +4,8 @@
 resource "aws_cloudwatch_log_group" "test" {
   name = var.rName
 
+  retention_in_days = 1
+
   tags = var.resource_tags
 }
 

diff --git a/internal/service/logs/testdata/LogGroup/tagsComputed1/main_gen.tf b/internal/service/logs/testdata/LogGroup/tagsComputed1/main_gen.tf
@@ -6,6 +6,8 @@ provider "null" {}
 resource "aws_cloudwatch_log_group" "test" {
   name = var.rName
 
+  retention_in_days = 1
+
   tags = {
     (var.unknownTagKey) = null_resource.test.id
   }

diff --git a/internal/service/logs/testdata/LogGroup/tagsComputed2/main_gen.tf b/internal/service/logs/testdata/LogGroup/tagsComputed2/main_gen.tf
@@ -6,6 +6,8 @@ provider "null" {}
 resource "aws_cloudwatch_log_group" "test" {
   name = var.rName
 
+  retention_in_days = 1
+
   tags = {
     (var.unknownTagKey) = null_resource.test.id
     (var.knownTagKey)   = var.knownTagValue

diff --git a/internal/service/logs/testdata/LogGroup/tags_defaults/main_gen.tf b/internal/service/logs/testdata/LogGroup/tags_defaults/main_gen.tf
@@ -10,6 +10,8 @@ provider "aws" {
 resource "aws_cloudwatch_log_group" "test" {
   name = var.rName
 
+  retention_in_days = 1
+
   tags = var.resource_tags
 }
 

diff --git a/internal/service/logs/testdata/LogGroup/tags_ignore/main_gen.tf b/internal/service/logs/testdata/LogGroup/tags_ignore/main_gen.tf
@@ -13,6 +13,8 @@ provider "aws" {
 resource "aws_cloudwatch_log_group" "test" {
   name = var.rName
 
+  retention_in_days = 1
+
   tags = var.resource_tags
 }
 

diff --git a/internal/service/logs/testdata/tmpl/group_tags.gtpl b/internal/service/logs/testdata/tmpl/group_tags.gtpl
@@ -1,5 +1,7 @@
 resource "aws_cloudwatch_log_group" "test" {
   name = var.rName
 
+  retention_in_days = 1
+
 {{- template "tags" . }}
 }