diff --git a/.github/workflows/manual-trigger.yml b/.github/workflows/manual-trigger.yml
new file mode 100644
index 0000000..92724c0
--- /dev/null
+++ b/.github/workflows/manual-trigger.yml
@@ -0,0 +1,44 @@
+name: Regula testgen Workflow
+on:
+ workflow_dispatch:
+ inputs:
+ input_file_path:
+ description: 'Path to the input file'
+ required: true
+ type: string
+ output_file_path:
+ description: 'Path to the output file'
+ required: true
+ type: string
+ pipeline_token:
+ description: 'Pipeline token'
+ required: true
+ type: string
+ anthropic_api_key:
+ description: 'Cluade API key'
+ required: true
+ type: string
+ openai_api_key:
+ description: 'OpenAI API key'
+ required: true
+ type: string
+
+jobs:
+ run-testgen:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v3
+
+ - name: Run Non-functional Test Agent
+ uses: docker://docker.io/pranayc/codegen:github-action
+ env:
+ INPUT_FILE_PATH: ${{ inputs.input_file_path }}
+ OUTPUT_FILE_PATH: ${{ inputs.output_file_path }}
+ PIPELINE_TOKEN: ${{ inputs.pipeline_token }}
+ ANTHROPIC_API_KEY: ${{ inputs.anthropic_api_key }}
+ OPENAI_API_KEY: ${{ inputs.openai_api_key }}
+ FORCE_COLOR: 1
+ MODEL: "sonnet"
+ NODE_OPTIONS: --no-warnings
+ OUTPUTDIR: ${{ inputs.output_file_path }}
diff --git a/.github/workflows/pr-review.yml b/.github/workflows/pr-review.yml
new file mode 100644
index 0000000..28bd552
--- /dev/null
+++ b/.github/workflows/pr-review.yml
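Review bot: `pipeline_token`, `anthropic_api_key` and `openai_api_key` are declared as plain `workflow_dispatch` string inputs and passed straight into the container env, so they are not handled as secrets: dispatch inputs are recorded in the run's event payload, readable by anyone with read access to the repository's Actions history, and are not masked in logs. The sibling pr-review.yml in this same commit already reads these values from `secrets.*`; this workflow should do the same, `PIPELINE_TOKEN: ${{ secrets.PIPELINE_TOKEN }}`, `ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}`, `OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}`, and drop the three inputs. While here, the description `'Cluade API key'` has a typo (`'Claude API key'`), and both `actions/checkout@v3` and the `docker://docker.io/pranayc/codegen:github-action` tag are mutable references; pinning the action to a commit SHA and the image to a digest would make what this job executes reproducible and reviewable. A top-level `permissions:` block with `contents: read` would also keep the default `GITHUB_TOKEN` at least privilege, since the job only needs to read the checkout.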
@@ -0,0 +1,30 @@
+name: PR Review Mode
+
+on:
+ issue_comment:
+ types: [created]
+
+jobs:
+ process-pr-comment:
+ if: github.event.issue.pull_request && contains(github.event.comment.body, '/review')
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout PR
+ uses: actions/checkout@v3
+ with:
+ ref: ${{ github.event.pull_request.head.ref }}
+ repository: ${{ github.event.pull_request.head.repo.full_name }}
+
+ - name: Run Non-functional Test Agent
+ uses: docker://docker.io/pranayc/codegen:github-action
+ env:
+ INPUT_FILE_PATH: ${{ github.workspace }}
+ OUTPUT_FILE_PATH: ${{ github.workspace }}/review-output
+ PIPELINE_TOKEN: ${{ secrets.PIPELINE_TOKEN }}
+ ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
+ OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
+ FORCE_COLOR: 1
+ MODEL: "sonnet"
+ NODE_OPTIONS: --no-warnings
+ PR_WORKFLOW: "true"
diff --git a/output/1731344141643_checkpoint.json b/output/1731344141643_checkpoint.json
new file mode 100644
index 0000000..c0eb1e1
--- /dev/null
+++ b/output/1731344141643_checkpoint.json
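Review bot: The `Checkout PR` step's `ref: ${{ github.event.pull_request.head.ref }}` and `repository: ${{ github.event.pull_request.head.repo.full_name }}` never resolve on an `issue_comment` event, whose payload carries `github.event.issue` (with an `issue.pull_request` link object) but no top-level `pull_request`; both expressions expand to empty strings and checkout silently falls back to the default branch, so the agent reviews the base branch rather than the PR. Resolving the PR head from the base repository as `ref: refs/pull/${{ github.event.issue.number }}/head` avoids that and works for fork PRs too. Independently, the job is gated only on `contains(github.event.comment.body, '/review')`, which any commenter (on a public repository, anyone) can satisfy, and it then runs third-party container code over the checked-out tree with `PIPELINE_TOKEN`, `ANTHROPIC_API_KEY` and `OPENAI_API_KEY` in its environment; given the intent to check out fork heads, those secrets would be available to whoever opened the PR and commented. Restricting the trigger to trusted commenters via `github.event.comment.author_association` and declaring a least-privilege `permissions:` block narrows this substantially; a digest-pinned image and a SHA-pinned `actions/checkout` are also in order here, as in manual-trigger.yml.

```yaml
jobs:
  process-pr-comment:
    if: >-
      github.event.issue.pull_request &&
      contains(github.event.comment.body, '/review') &&
      contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.comment.author_association)
    runs-on: ubuntu-latest
    permissions:
      contents: read

    steps:
      - name: Checkout PR
        uses: actions/checkout@v3
        with:
          ref: refs/pull/${{ github.event.issue.number }}/head
      # … unchanged: Run Non-functional Test Agent step …
```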
@@ -0,0 +1 @@ +{"checkpoint":{"v":1,"id":"1efa04df-c389-6fb0-8008-df969fb9bf18","ts":"2024-11-11T16:57:07.627Z","channel_values":{"messages":[{"lc":1,"type":"constructor","id":["langchain_core","messages","HumanMessage"],"kwargs":{"content":" [Autoscaling.5] Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses https://docs.aws.amazon.com/securityhub/latest/userguide/autoscaling-controls.html#autoscaling-5 TODO ","additional_kwargs":{},"response_metadata":{}}},{"lc":1,"type":"constructor","id":["langchain_core","messages","AIMessage"],"kwargs":{"content":[{"type":"text","text":"Let me fetch the content from the provided URL and create a summary."},{"type":"tool_use","id":"toolu_01WPbN1BXH7ARRUBBcLgmPEv","name":"staticWebScraperTool","input":{"url":"https://docs.aws.amazon.com/securityhub/latest/userguide/autoscaling-controls.html#autoscaling-5"}}],"additional_kwargs":{"id":"msg_01YASUocJGphxxpYFZGP9GLX","type":"message","role":"assistant","model":"claude-3-5-sonnet-20241022","stop_reason":"tool_use","stop_sequence":null,"usage":{"input_tokens":676,"output_tokens":105}},"tool_calls":[{"name":"staticWebScraperTool","args":{"url":"https://docs.aws.amazon.com/securityhub/latest/userguide/autoscaling-controls.html#autoscaling-5"},"id":"toolu_01WPbN1BXH7ARRUBBcLgmPEv","type":"tool_call"}],"usage_metadata":{"input_tokens":676,"output_tokens":105,"total_tokens":781},"response_metadata":{"id":"msg_01YASUocJGphxxpYFZGP9GLX","model":"claude-3-5-sonnet-20241022","stop_reason":"tool_use","stop_sequence":null,"usage":{"input_tokens":676,"output_tokens":105},"type":"message","role":"assistant"},"id":"msg_01YASUocJGphxxpYFZGP9GLX","invalid_tool_calls":[]}},{"lc":1,"type":"constructor","id":["langchain_core","messages","ToolMessage"],"kwargs":{"content":"{\"fullContent\":\"Security Hub controls for Auto Scaling - AWS Security HubAWSDocumentationAWS Security HubUser Guide[AutoScaling.1] Auto Scaling groups associated with a 
load balancer should use ELB health checks[AutoScaling.2] Amazon EC2 Auto Scaling group should cover multiple Availability Zones[AutoScaling.3] Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)[AutoScaling.4] Auto Scaling group launch configuration should not have a metadata response hop limit greater than 1[Autoscaling.5] Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses[AutoScaling.6] Auto Scaling groups should use multiple instance types in multiple Availability Zones[AutoScaling.9] Amazon EC2 Auto Scaling groups should use Amazon EC2 launch templates[AutoScaling.10] EC2 Auto Scaling groups should be taggedSecurity Hub controls for Auto ScalingThese Security Hub controls evaluate the Amazon EC2 Auto Scaling service and resources.These controls may not be available in all AWS Regions. For more information, see Availability of controls by Region. [AutoScaling.1] Auto Scaling groups associated with a load balancer should use ELB health checks Related requirements: PCI DSS v3.2.1/2.2, NIST.800-53.r5 CA-7, NIST.800-53.r5 CP-2(2), NIST.800-53.r5 SI-2 Category: Identify > Inventory Severity: Low Resource type: AWS::AutoScaling::AutoScalingGroup AWS Config rule: autoscaling-group-elb-healthcheck-required Schedule type: Change triggered Parameters: None This control checks whether an Amazon EC2 Auto Scaling group that is associated with a load balancer uses Elastic Load Balancing (ELB) health checks. The control fails if the Auto Scaling group doesn't use ELB health checks. ELB health checks help ensure that an Auto Scaling group can determine an instance's health based on additional tests provided by the load balancer. Using Elastic Load Balancing health checks also helps support the availability of applications that use EC2 Auto Scaling groups. 
Remediation To add Elastic Load Balancing health checks, see Add Elastic Load Balancing health checks in the Amazon EC2 Auto Scaling User Guide. [AutoScaling.2] Amazon EC2 Auto Scaling group should cover multiple Availability Zones Related requirements: NIST.800-53.r5 CP-10, NIST.800-53.r5 CP-2(2), NIST.800-53.r5 CP-6(2), NIST.800-53.r5 SC-36, NIST.800-53.r5 SC-5(2), NIST.800-53.r5 SI-13(5) Category: Recover > Resilience > High availability Severity: Medium Resource type: AWS::AutoScaling::AutoScalingGroup AWS Config rule: autoscaling-multiple-az Schedule type: Change triggered Parameters: Parameter Description Type Allowed custom values Security Hub default value minAvailabilityZones Minimum number of Availability Zones Enum 2, 3, 4, 5, 6 2 This control checks whether an Amazon EC2 Auto Scaling group spans at least the specified number of Availability Zones (AZs). The control fails if an Auto Scaling group doesn't span at least the specified number of AZs. Unless you provide a custom parameter value for the minimum number of AZs, Security Hub uses a default value of two AZs. An Auto Scaling group that doesn't span multiple AZs can't launch instances in another AZ to compensate if the configured single AZ becomes unavailable. However, an Auto Scaling group with a single Availability Zone may be preferred in some use cases, such as batch jobs or when inter-AZ transfer costs need to be kept to a minimum. In such cases, you can disable this control or suppress its findings. Remediation To add AZs to an existing Auto Scaling group, see Add and remove Availability Zones in the Amazon EC2 Auto Scaling User Guide. 
[AutoScaling.3] Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2) Related requirements: NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(15), NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-6, NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2 Category: Protect > Secure network configuration Severity: High Resource type: AWS::AutoScaling::LaunchConfiguration AWS Config rule: autoscaling-launchconfig-requires-imdsv2 Schedule type: Change triggered Parameters: None This control checks whether IMDSv2 is enabled on all instances launched by Amazon EC2 Auto Scaling groups. The control fails if the Instance Metadata Service (IMDS) version isn't included in the launch configuration or is configured as token optional, which is a setting that allows either IMDSv1 or IMDSv2. IMDS provides data about your instance that you can use to configure or manage the running instance. Version 2 of the IMDS adds new protections that weren't available in IMDSv1 to further safeguard your EC2 instances. Remediation An Auto Scaling group is associated with one launch configuration at a time. You cannot modify a launch configuration after you create it. To change the launch configuration for an Auto Scaling group, use an existing launch configuration as the basis for a new launch configuration with IMDSv2 enabled. For more information, see Configure instance metadata options for new instances in the Amazon EC2 User Guide. [AutoScaling.4] Auto Scaling group launch configuration should not have a metadata response hop limit greater than 1 ImportantSecurity Hub retired this control in April 2024. For more information, see Change log for Security Hub controls. 
Related requirements: NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2, NIST.800-53.r5 CM-2(2) Category: Protect > Secure network configuration Severity: High Resource type: AWS::AutoScaling::LaunchConfiguration AWS Config rule: autoscaling-launch-config-hop-limit Schedule type: Change triggered Parameters: None This control checks the number of network hops that a metadata token can travel. The control fails if the metadata response hop limit is greater than 1. The Instance Metadata Service (IMDS) provides metadata information about an Amazon EC2 instance and is useful for application configuration. Restricting the HTTP PUT response for the metadata service to only the EC2 instance protects the IMDS from unauthorized use. The Time To Live (TTL) field in the IP packet is reduced by one on every hop. This reduction can be used to ensure that the packet does not travel outside EC2. IMDSv2 protects EC2 instances that may have been misconfigured as open routers, layer 3 firewalls, VPNs, tunnels, or NAT devices, which prevents unauthorized users from retrieving metadata. With IMDSv2, the PUT response that contains the secret token cannot travel outside the instance because the default metadata response hop limit is set to 1. However, if this value is greater than 1, the token can leave the EC2 instance. Remediation To modify the metadata response hop limit for an existing launch configuration, see Modify instance metadata options for existing instances in the Amazon EC2 User Guide. 
[Autoscaling.5] Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses Related requirements: NIST.800-53.r5 AC-21, NIST.800-53.r5 AC-3, NIST.800-53.r5 AC-3(7), NIST.800-53.r5 AC-4, NIST.800-53.r5 AC-4(21), NIST.800-53.r5 AC-6, NIST.800-53.r5 SC-7, NIST.800-53.r5 SC-7(11), NIST.800-53.r5 SC-7(16), NIST.800-53.r5 SC-7(20), NIST.800-53.r5 SC-7(21), NIST.800-53.r5 SC-7(3), NIST.800-53.r5 SC-7(4), NIST.800-53.r5 SC-7(9) Category: Protect > Secure network configuration > Resources not publicly accessible Severity: High Resource type: AWS::AutoScaling::LaunchConfiguration AWS Config rule: autoscaling-launch-config-public-ip-disabled Schedule type: Change triggered Parameters: None This control checks whether an Auto Scaling group's associated launch configuration assigns a public IP address to the group's instances. The control fails if the associated launch configuration assigns a public IP address. Amazon EC2 instances in an Auto Scaling group launch configuration should not have an associated public IP address, except for in limited edge cases. Amazon EC2 instances should only be accessible from behind a load balancer instead of being directly exposed to the internet. Remediation An Auto Scaling group is associated with one launch configuration at a time. You cannot modify a launch configuration after you create it. To change the launch configuration for an Auto Scaling group, use an existing launch configuration as the basis for a new launch configuration. Then, update the Auto Scaling group to use the new launch configuration. For step-by-step instructions, see Change the launch configuration for an Auto Scaling group in the Amazon EC2 Auto Scaling User Guide. When creating the new launch configuration, under Additional configuration, for Advanced details, IP address type, choose Do not assign a public IP address to any instances. 
After you change the launch configuration, Auto Scaling launches new instances with the new configuration options. Existing instances aren't affected. To update an existing instance, we recommend that you refresh your instance, or allow automatic scaling to gradually replace older instances with newer instances based on your termination policies. For more information about updating Auto Scaling instances, see Update Auto Scaling instances in the Amazon EC2 Auto Scaling User Guide. [AutoScaling.6] Auto Scaling groups should use multiple instance types in multiple Availability Zones Related requirements: NIST.800-53.r5 CP-10, NIST.800-53.r5 CP-2(2), NIST.800-53.r5 CP-6(2), NIST.800-53.r5 SC-36, NIST.800-53.r5 SC-5(2), NIST.800-53.r5 SI-13(5) Category: Recover > Resilience > High availability Severity: Medium Resource type: AWS::AutoScaling::AutoScalingGroup AWS Config rule: autoscaling-multiple-instance-types Schedule type: Change triggered Parameters: None This control checks whether an Amazon EC2 Auto Scaling group uses multiple instance types. The control fails if the Auto Scaling group has only one instance type defined. You can enhance availability by deploying your application across multiple instance types running in multiple Availability Zones. Security Hub recommends using multiple instance types so that the Auto Scaling group can launch another instance type if there is insufficient instance capacity in your chosen Availability Zones. Remediation To create an Auto Scaling group with multiple instance types, see Auto Scaling groups with multiple instance types and purchase options in the Amazon EC2 Auto Scaling User Guide. 
[AutoScaling.9] Amazon EC2 Auto Scaling groups should use Amazon EC2 launch templates Related requirements: NIST.800-53.r5 CA-9(1), NIST.800-53.r5 CM-2, NIST.800-53.r5 CM-2(2) Category: Identify > Resource Configuration Severity: Medium Resource type: AWS::AutoScaling::AutoScalingGroup AWS Config rule: autoscaling-launch-template Schedule type: Change triggered Parameters: None This control checks whether an Amazon EC2 Auto Scaling group is created from an EC2 launch template. This control fails if an Amazon EC2 Auto Scaling group is not created with a launch template or if a launch template is not specified in a mixed instances policy. An EC2 Auto Scaling group can be created from either an EC2 launch template or a launch configuration. However, using a launch template to create an Auto Scaling group ensures that you have access to the latest features and improvements. Remediation To create an Auto Scaling group with an EC2 launch template, see Create an Auto Scaling group using a launch template in the Amazon EC2 Auto Scaling User Guide. For information about how to replace a launch configuration with a launch template, see Replace a launch configuration with a launch template in the Amazon EC2 User Guide. [AutoScaling.10] EC2 Auto Scaling groups should be tagged Category: Identify > Inventory > Tagging Severity: Low Resource type: AWS::AutoScaling::AutoScalingGroup AWS Config rule: tagged-autoscaling-autoscalinggroup (custom Security Hub rule) Schedule type: Change triggered Parameters: Parameter Description Type Allowed custom values Security Hub default value requiredTagKeys List of non-system tag keys that the evaluated resource must contain. Tag keys are case sensitive. StringList List of tags that meet AWS requirements No default value This control checks whether an Amazon EC2 Auto Scaling group has tags with the specific keys defined in the parameter requiredTagKeys. 
The control fails if the Auto Scaling group doesn’t have any tag keys or if it doesn’t have all the keys specified in the parameter requiredTagKeys. If the parameter requiredTagKeys isn't provided, the control only checks for the existence of a tag key and fails if the Auto Scaling group isn't tagged with any key. System tags, which are automatically applied and begin with aws:, are ignored. A tag is a label that you assign to an AWS resource, and it consists of a key and an optional value. You can create tags to categorize resources by purpose, owner, environment, or other criteria. Tags can help you identify, organize, search for, and filter resources. Tagging also helps you track accountable resource owners for actions and notifications. When you use tagging, you can implement attribute-based access control (ABAC) as an authorization strategy, which defines permissions based on tags. You can attach tags to IAM entities (users or roles) and to AWS resources. You can create a single ABAC policy or a separate set of policies for your IAM principals. You can design these ABAC policies to allow operations when the principal's tag matches the resource tag. For more information, see What is ABAC for AWS? in the IAM User Guide. NoteDon’t add personally identifiable information (PII) or other confidential or sensitive information in tags. Tags are accessible to many AWS services, including AWS Billing. For more tagging best practices, see Tagging your AWS resources in the AWS General Reference. Remediation To add tags to an Auto Scaling group, see Tag Auto Scaling groups and instances in the Amazon EC2 Auto Scaling User Guide.

\\\"Warning\\\" Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document ConventionsAmazon EC2 controlsAmazon ECR controlsDid this page help you? - YesThanks for letting us know we're doing a good job!If you've got a moment, please tell us what we did right so we can do more of it.Did this page help you? - NoThanks for letting us know this page needs work. We're sorry we let you down.If you've got a moment, please tell us how we can make the documentation better.\",\"relevantLinks\":[{\"text\":\"\",\"href\":\"/pdfs/securityhub/latest/userguide/securityhub.pdf#autoscaling-controls\"},{\"text\":\"AWS\",\"href\":\"https://aws.amazon.com\"},{\"text\":\"Documentation\",\"href\":\"/index.html\"},{\"text\":\"AWS Security Hub\",\"href\":\"/securityhub/index.html\"},{\"text\":\"User Guide\",\"href\":\"what-is-securityhub.html\"},{\"text\":\"[AutoScaling.1] Auto Scaling groups associated with a load balancer should use ELB health checks\",\"href\":\"#autoscaling-1\"},{\"text\":\"[AutoScaling.2] Amazon EC2 Auto Scaling group should cover multiple Availability Zones\",\"href\":\"#autoscaling-2\"},{\"text\":\"[AutoScaling.3] Auto Scaling group launch configurations should configure EC2 instances to require Instance Metadata Service Version 2 (IMDSv2)\",\"href\":\"#autoscaling-3\"},{\"text\":\"[AutoScaling.4] Auto Scaling group launch configuration should not have a metadata response hop limit greater than 1\",\"href\":\"#autoscaling-4\"},{\"text\":\"[Autoscaling.5] Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses\",\"href\":\"#autoscaling-5\"},{\"text\":\"[AutoScaling.6] Auto Scaling groups should use multiple instance types in multiple Availability Zones\",\"href\":\"#autoscaling-6\"},{\"text\":\"[AutoScaling.9] Amazon EC2 Auto Scaling groups should use Amazon EC2 launch templates\",\"href\":\"#autoscaling-9\"},{\"text\":\"[AutoScaling.10] EC2 Auto Scaling groups should be tagged\",\"href\":\"#autoscaling-10\"},{\"text\":\"Availability of controls by\\n 
Region\",\"href\":\"./securityhub-regions.html#securityhub-regions-control-support\"},{\"text\":\"autoscaling-group-elb-healthcheck-required\",\"href\":\"https://docs.aws.amazon.com/config/latest/developerguide/autoscaling-group-elb-healthcheck-required.html\"},{\"text\":\"Add Elastic Load Balancing health checks\",\"href\":\"https://docs.aws.amazon.com/autoscaling/ec2/userguide/as-add-elb-healthcheck.html#as-add-elb-healthcheck-console\"},{\"text\":\"autoscaling-multiple-az\",\"href\":\"https://docs.aws.amazon.com/config/latest/developerguide/autoscaling-multiple-az.html\"},{\"text\":\"Add and remove Availability Zones\",\"href\":\"https://docs.aws.amazon.com/autoscaling/ec2/userguide/as-add-availability-zone.html\"},{\"text\":\"autoscaling-launchconfig-requires-imdsv2\",\"href\":\"https://docs.aws.amazon.com/config/latest/developerguide/autoscaling-launchconfig-requires-imdsv2.html\"},{\"text\":\"Configure instance metadata options for new instances\",\"href\":\"https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-IMDS-new-instances.html\"},{\"text\":\"Change log for Security Hub controls\",\"href\":\"./controls-change-log.html\"},{\"text\":\"autoscaling-launch-config-hop-limit\",\"href\":\"https://docs.aws.amazon.com/config/latest/developerguide/autoscaling-launch-config-hop-limit.html\"},{\"text\":\"Modify instance metadata options for existing instances\",\"href\":\"https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-options.html#configuring-IMDS-existing-instances\"},{\"text\":\"autoscaling-launch-config-public-ip-disabled\",\"href\":\"https://docs.aws.amazon.com/config/latest/developerguide/autoscaling-launch-config-public-ip-disabled.html\"},{\"text\":\"public IP address\",\"href\":\"https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-instance-addressing.html#public-ip-addresses\"},{\"text\":\"Change the launch configuration for an Auto Scaling 
group\",\"href\":\"https://docs.aws.amazon.com/autoscaling/ec2/userguide/change-launch-config.html\"},{\"text\":\"Update Auto Scaling instances\",\"href\":\"https://docs.aws.amazon.com/autoscaling/ec2/userguide/update-auto-scaling-group.html#update-auto-scaling-instances\"},{\"text\":\"autoscaling-multiple-instance-types\",\"href\":\"https://docs.aws.amazon.com/config/latest/developerguide/autoscaling-multiple-instance-types.html\"},{\"text\":\"Auto Scaling groups with multiple instance types and purchase options\",\"href\":\"https://docs.aws.amazon.com/autoscaling/ec2/userguide/ec2-auto-scaling-mixed-instances-groups.html\"},{\"text\":\"autoscaling-launch-template\",\"href\":\"https://docs.aws.amazon.com/config/latest/developerguide/autoscaling-launch-template.html\"},{\"text\":\"Create an Auto Scaling group using a launch template\",\"href\":\"https://docs.aws.amazon.com/autoscaling/ec2/userguide/create-asg-launch-template.html\"},{\"text\":\"Replace a launch configuration with a launch template\",\"href\":\"https://docs.aws.amazon.com/autoscaling/ec2/userguide/replace-launch-config.html\"},{\"text\":\"AWS requirements\",\"href\":\"https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-conventions\"},{\"text\":\"What is ABAC for AWS?\",\"href\":\"https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_attribute-based-access-control.html\"},{\"text\":\"Tagging your AWS resources\",\"href\":\"https://docs.aws.amazon.com/tag-editor/latest/userguide/tagging.html#tag-best-practices\"},{\"text\":\"Tag Auto Scaling groups and instances\",\"href\":\"https://docs.aws.amazon.com/autoscaling/ec2/userguide/ec2-auto-scaling-tagging.html\"},{\"text\":\"Document 
Conventions\",\"href\":\"/general/latest/gr/docconventions.html\"}]}","tool_call_id":"toolu_01WPbN1BXH7ARRUBBcLgmPEv","name":"staticWebScraperTool","additional_kwargs":{},"response_metadata":{}}},{"lc":1,"type":"constructor","id":["langchain_core","messages","HumanMessage"],"kwargs":{"lc_serializable":true,"lc_kwargs":{"lc_serializable":true,"lc_kwargs":{"content":"TASK: Write regula rule for below content\n\nONE SENTENCE SUMMARY:\nAuto Scaling group launch configurations must not assign public IP addresses to EC2 instances for enhanced security.\n\nMAIN POINTS:\n1. Control checks if Auto Scaling group's launch configuration assigns public IP addresses to instances\n2. Fails if launch configuration assigns public IP addresses to instances\n3. Severity level is rated as High\n4. EC2 instances should only be accessible through load balancers\n5. Instances should not be directly exposed to the internet\n6. AWS Config rule: autoscaling-launch-config-public-ip-disabled is used for monitoring\n7. Launch configurations cannot be modified after creation\n8. New launch configuration needed to change IP address settings\n9. Existing instances aren't automatically affected by configuration changes\n10. 
Complies with multiple NIST security requirements including AC-3, SC-7","additional_kwargs":{"id":"msg_01Uo5LXFhWvgPt1cR8CTHVGQ","type":"message","role":"assistant","model":"claude-3-5-sonnet-20241022","stop_reason":"end_turn","stop_sequence":null,"usage":{"input_tokens":6044,"output_tokens":201}},"usage_metadata":{"input_tokens":6044,"output_tokens":201,"total_tokens":6245},"response_metadata":{"id":"msg_01Uo5LXFhWvgPt1cR8CTHVGQ","type":"message","role":"assistant","model":"claude-3-5-sonnet-20241022","stop_reason":"end_turn","stop_sequence":null,"usage":{"input_tokens":6044,"output_tokens":201}},"id":"msg_01Uo5LXFhWvgPt1cR8CTHVGQ","tool_calls":[],"invalid_tool_calls":[]},"lc_namespace":["langchain_core","messages"],"content":"TASK: Write regula rule for below content\n\nONE SENTENCE SUMMARY:\nAuto Scaling group launch configurations must not assign public IP addresses to EC2 instances for enhanced security.\n\nMAIN POINTS:\n1. Control checks if Auto Scaling group's launch configuration assigns public IP addresses to instances\n2. Fails if launch configuration assigns public IP addresses to instances\n3. Severity level is rated as High\n4. EC2 instances should only be accessible through load balancers\n5. Instances should not be directly exposed to the internet\n6. AWS Config rule: autoscaling-launch-config-public-ip-disabled is used for monitoring\n7. Launch configurations cannot be modified after creation\n8. New launch configuration needed to change IP address settings\n9. Existing instances aren't automatically affected by configuration changes\n10. 
Complies with multiple NIST security requirements including AC-3, SC-7","name":"RuleSummariser","additional_kwargs":{"id":"msg_01Uo5LXFhWvgPt1cR8CTHVGQ","type":"message","role":"assistant","model":"claude-3-5-sonnet-20241022","stop_reason":"end_turn","stop_sequence":null,"usage":{"input_tokens":6044,"output_tokens":201}},"response_metadata":{"id":"msg_01Uo5LXFhWvgPt1cR8CTHVGQ","model":"claude-3-5-sonnet-20241022","stop_reason":"end_turn","stop_sequence":null,"usage":{"input_tokens":6044,"output_tokens":201},"type":"message","role":"assistant"},"id":"msg_01Uo5LXFhWvgPt1cR8CTHVGQ","tool_calls":[],"invalid_tool_calls":[],"usage_metadata":{"input_tokens":6044,"output_tokens":201,"total_tokens":6245}},"lc_namespace":["langchain_core","messages"],"content":"TASK: Write regula rule for below content\n\nONE SENTENCE SUMMARY:\nAuto Scaling group launch configurations must not assign public IP addresses to EC2 instances for enhanced security.\n\nMAIN POINTS:\n1. Control checks if Auto Scaling group's launch configuration assigns public IP addresses to instances\n2. Fails if launch configuration assigns public IP addresses to instances\n3. Severity level is rated as High\n4. EC2 instances should only be accessible through load balancers\n5. Instances should not be directly exposed to the internet\n6. AWS Config rule: autoscaling-launch-config-public-ip-disabled is used for monitoring\n7. Launch configurations cannot be modified after creation\n8. New launch configuration needed to change IP address settings\n9. Existing instances aren't automatically affected by configuration changes\n10. 
Complies with multiple NIST security requirements including AC-3, SC-7","name":"RuleSummariser","additional_kwargs":{"id":"msg_01Uo5LXFhWvgPt1cR8CTHVGQ","type":"message","role":"assistant","model":"claude-3-5-sonnet-20241022","stop_reason":"end_turn","stop_sequence":null,"usage":{"input_tokens":6044,"output_tokens":201}},"response_metadata":{"id":"msg_01Uo5LXFhWvgPt1cR8CTHVGQ","model":"claude-3-5-sonnet-20241022","stop_reason":"end_turn","stop_sequence":null,"usage":{"input_tokens":6044,"output_tokens":201},"type":"message","role":"assistant"},"id":"msg_01Uo5LXFhWvgPt1cR8CTHVGQ","tool_calls":[],"invalid_tool_calls":[],"usage_metadata":{"input_tokens":6044,"output_tokens":201,"total_tokens":6245}}},{"lc":1,"type":"constructor","id":["langchain_core","messages","HumanMessage"],"kwargs":{"lc_serializable":true,"lc_kwargs":{"lc_serializable":true,"lc_kwargs":{"content":"{\n \"rego_code\": \"package rules.autoscaling_launch_config_public_ip\\n\\nimport data.fugue\\n\\n__rego__metadoc__ := {\\n \\\"id\\\": \\\"Autoscaling.5\\\",\\n \\\"title\\\": \\\"Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses\\\",\\n \\\"description\\\": \\\"Auto Scaling group launch configurations must not assign public IP addresses to EC2 instances for enhanced security. 
Instances should only be accessible through load balancers and not directly exposed to the internet.\\\",\\n \\\"custom\\\": {\\n \\\"controls\\\": {\\\"AWS-Foundational-Security-Best-Practices_v1.0.0\\\": [\\\"AWS-Foundational-Security-Best-Practices_v1.0.0_Autoscaling.5\\\"]},\\n \\\"severity\\\": \\\"High\\\"\\n }\\n}\\n\\nresource_type := \\\"MULTIPLE\\\"\\n\\n# Get all launch configurations\\nlaunch_configs = fugue.resources(\\\"aws_launch_configuration\\\")\\n\\n# Helper function to check if public IP is disabled\\nis_public_ip_disabled(config) {\\n config.associate_public_ip_address == false\\n}\\n\\nis_public_ip_disabled(config) {\\n not config.associate_public_ip_address\\n}\\n\\n# Allow configurations with public IP disabled\\npolicy[p] {\\n config := launch_configs[_]\\n is_public_ip_disabled(config)\\n p = fugue.allow_resource(config)\\n}\\n\\n# Deny configurations with public IP enabled\\npolicy[p] {\\n config := launch_configs[_]\\n not is_public_ip_disabled(config)\\n p = fugue.deny_resource_with_message(\\n config,\\n \\\"Launch configuration should not assign public IP addresses to EC2 instances\\\"\\n )\\n}\\n\",\n \"fail_tf_code\": \"provider \\\"aws\\\" {\\n alias = \\\"fail_aws\\\"\\n region = \\\"us-west-2\\\"\\n}\\n\\n# Create a non-compliant launch configuration with public IP enabled\\nresource \\\"aws_launch_configuration\\\" \\\"fail_config\\\" {\\n provider = aws.fail_aws\\n name_prefix = \\\"fail-launch-config\\\"\\n image_id = \\\"ami-0c55b159cbfafe1f0\\\"\\n instance_type = \\\"t2.micro\\\"\\n \\n # Non-compliant: Explicitly enabling public IP\\n associate_public_ip_address = true\\n \\n security_groups = [\\\"sg-12345678\\\"]\\n \\n root_block_device {\\n volume_size = 8\\n volume_type = \\\"gp2\\\"\\n }\\n \\n lifecycle {\\n create_before_destroy = true\\n }\\n}\\n\\n# Create autoscaling group using the non-compliant launch configuration\\nresource \\\"aws_autoscaling_group\\\" \\\"fail_asg\\\" {\\n provider = aws.fail_aws\\n name = 
\\\"fail-asg\\\"\\n max_size = 3\\n min_size = 1\\n desired_capacity = 1\\n launch_configuration = aws_launch_configuration.fail_config.name\\n vpc_zone_identifier = [\\\"subnet-12345678\\\"]\\n}\\n\",\n \"pass_tf_code\": \"provider \\\"aws\\\" {\\n alias = \\\"pass_aws\\\"\\n region = \\\"us-west-2\\\"\\n}\\n\\n# Create a compliant launch configuration with public IP disabled\\nresource \\\"aws_launch_configuration\\\" \\\"pass_config\\\" {\\n provider = aws.pass_aws\\n name_prefix = \\\"pass-launch-config\\\"\\n image_id = \\\"ami-0c55b159cbfafe1f0\\\"\\n instance_type = \\\"t2.micro\\\"\\n \\n # Compliant: Explicitly disabling public IP\\n associate_public_ip_address = false\\n \\n security_groups = [\\\"sg-12345678\\\"]\\n \\n root_block_device {\\n volume_size = 8\\n volume_type = \\\"gp2\\\"\\n encrypted = true\\n }\\n \\n lifecycle {\\n create_before_destroy = true\\n }\\n}\\n\\n# Create autoscaling group using the compliant launch configuration\\nresource \\\"aws_autoscaling_group\\\" \\\"pass_asg\\\" {\\n provider = aws.pass_aws\\n name = \\\"pass-asg\\\"\\n max_size = 3\\n min_size = 1\\n desired_capacity = 1\\n launch_configuration = aws_launch_configuration.pass_config.name\\n vpc_zone_identifier = [\\\"subnet-12345678\\\"]\\n \\n tag {\\n key = \\\"Environment\\\"\\n value = \\\"Production\\\"\\n propagate_at_launch = true\\n 
}\\n}\\n\"\n}","additional_kwargs":{"id":"msg_01RzJ73Tf27aAhPXNLQ1H2ao","type":"message","role":"assistant","model":"claude-3-5-sonnet-20241022","stop_reason":"end_turn","stop_sequence":null,"usage":{"input_tokens":5639,"output_tokens":1265}},"usage_metadata":{"input_tokens":5639,"output_tokens":1265,"total_tokens":6904},"response_metadata":{"id":"msg_01RzJ73Tf27aAhPXNLQ1H2ao","type":"message","role":"assistant","model":"claude-3-5-sonnet-20241022","stop_reason":"end_turn","stop_sequence":null,"usage":{"input_tokens":5639,"output_tokens":1265}},"id":"msg_01RzJ73Tf27aAhPXNLQ1H2ao","tool_calls":[],"invalid_tool_calls":[]},"lc_namespace":["langchain_core","messages"],"content":"{\n \"rego_code\": \"package rules.autoscaling_launch_config_public_ip\\n\\nimport data.fugue\\n\\n__rego__metadoc__ := {\\n \\\"id\\\": \\\"Autoscaling.5\\\",\\n \\\"title\\\": \\\"Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses\\\",\\n \\\"description\\\": \\\"Auto Scaling group launch configurations must not assign public IP addresses to EC2 instances for enhanced security. 
Instances should only be accessible through load balancers and not directly exposed to the internet.\\\",\\n \\\"custom\\\": {\\n \\\"controls\\\": {\\\"AWS-Foundational-Security-Best-Practices_v1.0.0\\\": [\\\"AWS-Foundational-Security-Best-Practices_v1.0.0_Autoscaling.5\\\"]},\\n \\\"severity\\\": \\\"High\\\"\\n }\\n}\\n\\nresource_type := \\\"MULTIPLE\\\"\\n\\n# Get all launch configurations\\nlaunch_configs = fugue.resources(\\\"aws_launch_configuration\\\")\\n\\n# Helper function to check if public IP is disabled\\nis_public_ip_disabled(config) {\\n config.associate_public_ip_address == false\\n}\\n\\nis_public_ip_disabled(config) {\\n not config.associate_public_ip_address\\n}\\n\\n# Allow configurations with public IP disabled\\npolicy[p] {\\n config := launch_configs[_]\\n is_public_ip_disabled(config)\\n p = fugue.allow_resource(config)\\n}\\n\\n# Deny configurations with public IP enabled\\npolicy[p] {\\n config := launch_configs[_]\\n not is_public_ip_disabled(config)\\n p = fugue.deny_resource_with_message(\\n config,\\n \\\"Launch configuration should not assign public IP addresses to EC2 instances\\\"\\n )\\n}\\n\",\n \"fail_tf_code\": \"provider \\\"aws\\\" {\\n alias = \\\"fail_aws\\\"\\n region = \\\"us-west-2\\\"\\n}\\n\\n# Create a non-compliant launch configuration with public IP enabled\\nresource \\\"aws_launch_configuration\\\" \\\"fail_config\\\" {\\n provider = aws.fail_aws\\n name_prefix = \\\"fail-launch-config\\\"\\n image_id = \\\"ami-0c55b159cbfafe1f0\\\"\\n instance_type = \\\"t2.micro\\\"\\n \\n # Non-compliant: Explicitly enabling public IP\\n associate_public_ip_address = true\\n \\n security_groups = [\\\"sg-12345678\\\"]\\n \\n root_block_device {\\n volume_size = 8\\n volume_type = \\\"gp2\\\"\\n }\\n \\n lifecycle {\\n create_before_destroy = true\\n }\\n}\\n\\n# Create autoscaling group using the non-compliant launch configuration\\nresource \\\"aws_autoscaling_group\\\" \\\"fail_asg\\\" {\\n provider = aws.fail_aws\\n name = 
\\\"fail-asg\\\"\\n max_size = 3\\n min_size = 1\\n desired_capacity = 1\\n launch_configuration = aws_launch_configuration.fail_config.name\\n vpc_zone_identifier = [\\\"subnet-12345678\\\"]\\n}\\n\",\n \"pass_tf_code\": \"provider \\\"aws\\\" {\\n alias = \\\"pass_aws\\\"\\n region = \\\"us-west-2\\\"\\n}\\n\\n# Create a compliant launch configuration with public IP disabled\\nresource \\\"aws_launch_configuration\\\" \\\"pass_config\\\" {\\n provider = aws.pass_aws\\n name_prefix = \\\"pass-launch-config\\\"\\n image_id = \\\"ami-0c55b159cbfafe1f0\\\"\\n instance_type = \\\"t2.micro\\\"\\n \\n # Compliant: Explicitly disabling public IP\\n associate_public_ip_address = false\\n \\n security_groups = [\\\"sg-12345678\\\"]\\n \\n root_block_device {\\n volume_size = 8\\n volume_type = \\\"gp2\\\"\\n encrypted = true\\n }\\n \\n lifecycle {\\n create_before_destroy = true\\n }\\n}\\n\\n# Create autoscaling group using the compliant launch configuration\\nresource \\\"aws_autoscaling_group\\\" \\\"pass_asg\\\" {\\n provider = aws.pass_aws\\n name = \\\"pass-asg\\\"\\n max_size = 3\\n min_size = 1\\n desired_capacity = 1\\n launch_configuration = aws_launch_configuration.pass_config.name\\n vpc_zone_identifier = [\\\"subnet-12345678\\\"]\\n \\n tag {\\n key = \\\"Environment\\\"\\n value = \\\"Production\\\"\\n propagate_at_launch = true\\n 
}\\n}\\n\"\n}","name":"RegoWriter","additional_kwargs":{"id":"msg_01RzJ73Tf27aAhPXNLQ1H2ao","type":"message","role":"assistant","model":"claude-3-5-sonnet-20241022","stop_reason":"end_turn","stop_sequence":null,"usage":{"input_tokens":5639,"output_tokens":1265}},"response_metadata":{"id":"msg_01RzJ73Tf27aAhPXNLQ1H2ao","model":"claude-3-5-sonnet-20241022","stop_reason":"end_turn","stop_sequence":null,"usage":{"input_tokens":5639,"output_tokens":1265},"type":"message","role":"assistant"},"id":"msg_01RzJ73Tf27aAhPXNLQ1H2ao","tool_calls":[],"invalid_tool_calls":[],"usage_metadata":{"input_tokens":5639,"output_tokens":1265,"total_tokens":6904}},"lc_namespace":["langchain_core","messages"],"content":"{\n \"rego_code\": \"package rules.autoscaling_launch_config_public_ip\\n\\nimport data.fugue\\n\\n__rego__metadoc__ := {\\n \\\"id\\\": \\\"Autoscaling.5\\\",\\n \\\"title\\\": \\\"Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses\\\",\\n \\\"description\\\": \\\"Auto Scaling group launch configurations must not assign public IP addresses to EC2 instances for enhanced security. 
Instances should only be accessible through load balancers and not directly exposed to the internet.\\\",\\n \\\"custom\\\": {\\n \\\"controls\\\": {\\\"AWS-Foundational-Security-Best-Practices_v1.0.0\\\": [\\\"AWS-Foundational-Security-Best-Practices_v1.0.0_Autoscaling.5\\\"]},\\n \\\"severity\\\": \\\"High\\\"\\n }\\n}\\n\\nresource_type := \\\"MULTIPLE\\\"\\n\\n# Get all launch configurations\\nlaunch_configs = fugue.resources(\\\"aws_launch_configuration\\\")\\n\\n# Helper function to check if public IP is disabled\\nis_public_ip_disabled(config) {\\n config.associate_public_ip_address == false\\n}\\n\\nis_public_ip_disabled(config) {\\n not config.associate_public_ip_address\\n}\\n\\n# Allow configurations with public IP disabled\\npolicy[p] {\\n config := launch_configs[_]\\n is_public_ip_disabled(config)\\n p = fugue.allow_resource(config)\\n}\\n\\n# Deny configurations with public IP enabled\\npolicy[p] {\\n config := launch_configs[_]\\n not is_public_ip_disabled(config)\\n p = fugue.deny_resource_with_message(\\n config,\\n \\\"Launch configuration should not assign public IP addresses to EC2 instances\\\"\\n )\\n}\\n\",\n \"fail_tf_code\": \"provider \\\"aws\\\" {\\n alias = \\\"fail_aws\\\"\\n region = \\\"us-west-2\\\"\\n}\\n\\n# Create a non-compliant launch configuration with public IP enabled\\nresource \\\"aws_launch_configuration\\\" \\\"fail_config\\\" {\\n provider = aws.fail_aws\\n name_prefix = \\\"fail-launch-config\\\"\\n image_id = \\\"ami-0c55b159cbfafe1f0\\\"\\n instance_type = \\\"t2.micro\\\"\\n \\n # Non-compliant: Explicitly enabling public IP\\n associate_public_ip_address = true\\n \\n security_groups = [\\\"sg-12345678\\\"]\\n \\n root_block_device {\\n volume_size = 8\\n volume_type = \\\"gp2\\\"\\n }\\n \\n lifecycle {\\n create_before_destroy = true\\n }\\n}\\n\\n# Create autoscaling group using the non-compliant launch configuration\\nresource \\\"aws_autoscaling_group\\\" \\\"fail_asg\\\" {\\n provider = aws.fail_aws\\n name = 
\\\"fail-asg\\\"\\n max_size = 3\\n min_size = 1\\n desired_capacity = 1\\n launch_configuration = aws_launch_configuration.fail_config.name\\n vpc_zone_identifier = [\\\"subnet-12345678\\\"]\\n}\\n\",\n \"pass_tf_code\": \"provider \\\"aws\\\" {\\n alias = \\\"pass_aws\\\"\\n region = \\\"us-west-2\\\"\\n}\\n\\n# Create a compliant launch configuration with public IP disabled\\nresource \\\"aws_launch_configuration\\\" \\\"pass_config\\\" {\\n provider = aws.pass_aws\\n name_prefix = \\\"pass-launch-config\\\"\\n image_id = \\\"ami-0c55b159cbfafe1f0\\\"\\n instance_type = \\\"t2.micro\\\"\\n \\n # Compliant: Explicitly disabling public IP\\n associate_public_ip_address = false\\n \\n security_groups = [\\\"sg-12345678\\\"]\\n \\n root_block_device {\\n volume_size = 8\\n volume_type = \\\"gp2\\\"\\n encrypted = true\\n }\\n \\n lifecycle {\\n create_before_destroy = true\\n }\\n}\\n\\n# Create autoscaling group using the compliant launch configuration\\nresource \\\"aws_autoscaling_group\\\" \\\"pass_asg\\\" {\\n provider = aws.pass_aws\\n name = \\\"pass-asg\\\"\\n max_size = 3\\n min_size = 1\\n desired_capacity = 1\\n launch_configuration = aws_launch_configuration.pass_config.name\\n vpc_zone_identifier = [\\\"subnet-12345678\\\"]\\n \\n tag {\\n key = \\\"Environment\\\"\\n value = \\\"Production\\\"\\n propagate_at_launch = true\\n 
}\\n}\\n\"\n}","name":"RegoWriter","additional_kwargs":{"id":"msg_01RzJ73Tf27aAhPXNLQ1H2ao","type":"message","role":"assistant","model":"claude-3-5-sonnet-20241022","stop_reason":"end_turn","stop_sequence":null,"usage":{"input_tokens":5639,"output_tokens":1265}},"response_metadata":{"id":"msg_01RzJ73Tf27aAhPXNLQ1H2ao","model":"claude-3-5-sonnet-20241022","stop_reason":"end_turn","stop_sequence":null,"usage":{"input_tokens":5639,"output_tokens":1265},"type":"message","role":"assistant"},"id":"msg_01RzJ73Tf27aAhPXNLQ1H2ao","tool_calls":[],"invalid_tool_calls":[],"usage_metadata":{"input_tokens":5639,"output_tokens":1265,"total_tokens":6904}}},{"lc":1,"type":"constructor","id":["langchain_core","messages","AIMessage"],"kwargs":{"content":[{"type":"text","text":"I'll help you test the Regula rule using the regoRunTool."},{"type":"tool_use","id":"toolu_01CcNykpnMNMbcVFzGrAmk5G","name":"regoRunTool","input":{"rego_code":"package rules.autoscaling_launch_config_public_ip\n\nimport data.fugue\n\n__rego__metadoc__ := {\n \"id\": \"Autoscaling.5\",\n \"title\": \"Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses\",\n \"description\": \"Auto Scaling group launch configurations must not assign public IP addresses to EC2 instances for enhanced security. 
Instances should only be accessible through load balancers and not directly exposed to the internet.\",\n \"custom\": {\n \"controls\": {\"AWS-Foundational-Security-Best-Practices_v1.0.0\": [\"AWS-Foundational-Security-Best-Practices_v1.0.0_Autoscaling.5\"]},\n \"severity\": \"High\"\n }\n}\n\nresource_type := \"MULTIPLE\"\n\n# Get all launch configurations\nlaunch_configs = fugue.resources(\"aws_launch_configuration\")\n\n# Helper function to check if public IP is disabled\nis_public_ip_disabled(config) {\n config.associate_public_ip_address == false\n}\n\nis_public_ip_disabled(config) {\n not config.associate_public_ip_address\n}\n\n# Allow configurations with public IP disabled\npolicy[p] {\n config := launch_configs[_]\n is_public_ip_disabled(config)\n p = fugue.allow_resource(config)\n}\n\n# Deny configurations with public IP enabled\npolicy[p] {\n config := launch_configs[_]\n not is_public_ip_disabled(config)\n p = fugue.deny_resource_with_message(\n config,\n \"Launch configuration should not assign public IP addresses to EC2 instances\"\n )\n}","fail_tf_code":"provider \"aws\" {\n alias = \"fail_aws\"\n region = \"us-west-2\"\n}\n\n# Create a non-compliant launch configuration with public IP enabled\nresource \"aws_launch_configuration\" \"fail_config\" {\n provider = aws.fail_aws\n name_prefix = \"fail-launch-config\"\n image_id = \"ami-0c55b159cbfafe1f0\"\n instance_type = \"t2.micro\"\n \n # Non-compliant: Explicitly enabling public IP\n associate_public_ip_address = true\n \n security_groups = [\"sg-12345678\"]\n \n root_block_device {\n volume_size = 8\n volume_type = \"gp2\"\n }\n \n lifecycle {\n create_before_destroy = true\n }\n}\n\n# Create autoscaling group using the non-compliant launch configuration\nresource \"aws_autoscaling_group\" \"fail_asg\" {\n provider = aws.fail_aws\n name = \"fail-asg\"\n max_size = 3\n min_size = 1\n desired_capacity = 1\n launch_configuration = aws_launch_configuration.fail_config.name\n vpc_zone_identifier = 
[\"subnet-12345678\"]\n}","pass_tf_code":"provider \"aws\" {\n alias = \"pass_aws\"\n region = \"us-west-2\"\n}\n\n# Create a compliant launch configuration with public IP disabled\nresource \"aws_launch_configuration\" \"pass_config\" {\n provider = aws.pass_aws\n name_prefix = \"pass-launch-config\"\n image_id = \"ami-0c55b159cbfafe1f0\"\n instance_type = \"t2.micro\"\n \n # Compliant: Explicitly disabling public IP\n associate_public_ip_address = false\n \n security_groups = [\"sg-12345678\"]\n \n root_block_device {\n volume_size = 8\n volume_type = \"gp2\"\n encrypted = true\n }\n \n lifecycle {\n create_before_destroy = true\n }\n}\n\n# Create autoscaling group using the compliant launch configuration\nresource \"aws_autoscaling_group\" \"pass_asg\" {\n provider = aws.pass_aws\n name = \"pass-asg\"\n max_size = 3\n min_size = 1\n desired_capacity = 1\n launch_configuration = aws_launch_configuration.pass_config.name\n vpc_zone_identifier = [\"subnet-12345678\"]\n \n tag {\n key = \"Environment\"\n value = \"Production\"\n propagate_at_launch = true\n }\n}"}}],"additional_kwargs":{"id":"msg_01P6F2fbEqCjVPZo9GZwEevc","type":"message","role":"assistant","model":"claude-3-5-sonnet-20241022","stop_reason":"tool_use","stop_sequence":null,"usage":{"input_tokens":7719,"output_tokens":1193}},"tool_calls":[{"name":"regoRunTool","args":{"rego_code":"package rules.autoscaling_launch_config_public_ip\n\nimport data.fugue\n\n__rego__metadoc__ := {\n \"id\": \"Autoscaling.5\",\n \"title\": \"Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses\",\n \"description\": \"Auto Scaling group launch configurations must not assign public IP addresses to EC2 instances for enhanced security. 
Instances should only be accessible through load balancers and not directly exposed to the internet.\",\n \"custom\": {\n \"controls\": {\"AWS-Foundational-Security-Best-Practices_v1.0.0\": [\"AWS-Foundational-Security-Best-Practices_v1.0.0_Autoscaling.5\"]},\n \"severity\": \"High\"\n }\n}\n\nresource_type := \"MULTIPLE\"\n\n# Get all launch configurations\nlaunch_configs = fugue.resources(\"aws_launch_configuration\")\n\n# Helper function to check if public IP is disabled\nis_public_ip_disabled(config) {\n config.associate_public_ip_address == false\n}\n\nis_public_ip_disabled(config) {\n not config.associate_public_ip_address\n}\n\n# Allow configurations with public IP disabled\npolicy[p] {\n config := launch_configs[_]\n is_public_ip_disabled(config)\n p = fugue.allow_resource(config)\n}\n\n# Deny configurations with public IP enabled\npolicy[p] {\n config := launch_configs[_]\n not is_public_ip_disabled(config)\n p = fugue.deny_resource_with_message(\n config,\n \"Launch configuration should not assign public IP addresses to EC2 instances\"\n )\n}","fail_tf_code":"provider \"aws\" {\n alias = \"fail_aws\"\n region = \"us-west-2\"\n}\n\n# Create a non-compliant launch configuration with public IP enabled\nresource \"aws_launch_configuration\" \"fail_config\" {\n provider = aws.fail_aws\n name_prefix = \"fail-launch-config\"\n image_id = \"ami-0c55b159cbfafe1f0\"\n instance_type = \"t2.micro\"\n \n # Non-compliant: Explicitly enabling public IP\n associate_public_ip_address = true\n \n security_groups = [\"sg-12345678\"]\n \n root_block_device {\n volume_size = 8\n volume_type = \"gp2\"\n }\n \n lifecycle {\n create_before_destroy = true\n }\n}\n\n# Create autoscaling group using the non-compliant launch configuration\nresource \"aws_autoscaling_group\" \"fail_asg\" {\n provider = aws.fail_aws\n name = \"fail-asg\"\n max_size = 3\n min_size = 1\n desired_capacity = 1\n launch_configuration = aws_launch_configuration.fail_config.name\n vpc_zone_identifier = 
[\"subnet-12345678\"]\n}","pass_tf_code":"provider \"aws\" {\n alias = \"pass_aws\"\n region = \"us-west-2\"\n}\n\n# Create a compliant launch configuration with public IP disabled\nresource \"aws_launch_configuration\" \"pass_config\" {\n provider = aws.pass_aws\n name_prefix = \"pass-launch-config\"\n image_id = \"ami-0c55b159cbfafe1f0\"\n instance_type = \"t2.micro\"\n \n # Compliant: Explicitly disabling public IP\n associate_public_ip_address = false\n \n security_groups = [\"sg-12345678\"]\n \n root_block_device {\n volume_size = 8\n volume_type = \"gp2\"\n encrypted = true\n }\n \n lifecycle {\n create_before_destroy = true\n }\n}\n\n# Create autoscaling group using the compliant launch configuration\nresource \"aws_autoscaling_group\" \"pass_asg\" {\n provider = aws.pass_aws\n name = \"pass-asg\"\n max_size = 3\n min_size = 1\n desired_capacity = 1\n launch_configuration = aws_launch_configuration.pass_config.name\n vpc_zone_identifier = [\"subnet-12345678\"]\n \n tag {\n key = \"Environment\"\n value = \"Production\"\n propagate_at_launch = true\n }\n}"},"id":"toolu_01CcNykpnMNMbcVFzGrAmk5G","type":"tool_call"}],"usage_metadata":{"input_tokens":7719,"output_tokens":1193,"total_tokens":8912},"response_metadata":{"id":"msg_01P6F2fbEqCjVPZo9GZwEevc","model":"claude-3-5-sonnet-20241022","stop_reason":"tool_use","stop_sequence":null,"usage":{"input_tokens":7719,"output_tokens":1193},"type":"message","role":"assistant"},"id":"msg_01P6F2fbEqCjVPZo9GZwEevc","invalid_tool_calls":[]}},{"lc":1,"type":"constructor","id":["langchain_core","messages","ToolMessage"],"kwargs":{"content":"\"{\\n \\\"rule_results\\\": [\\n {\\n \\\"controls\\\": [\\n \\\"AWS-Foundational-Security-Best-Practices_v1.0.0_Autoscaling.5\\\"\\n ],\\n \\\"families\\\": [\\n \\\"AWS-Foundational-Security-Best-Practices_v1.0.0\\\"\\n ],\\n \\\"filepath\\\": \\\"LZOYUC/fail_tf_main.tf\\\",\\n \\\"input_type\\\": \\\"tf\\\",\\n \\\"provider\\\": \\\"aws.fail_aws\\\",\\n \\\"resource_id\\\": 
\\\"aws_launch_configuration.fail_config\\\",\\n \\\"resource_type\\\": \\\"aws_launch_configuration\\\",\\n \\\"resource_tags\\\": {},\\n \\\"rule_description\\\": \\\"Auto Scaling group launch configurations must not assign public IP addresses to EC2 instances for enhanced security. Instances should only be accessible through load balancers and not directly exposed to the internet.\\\",\\n \\\"rule_id\\\": \\\"Autoscaling.5\\\",\\n \\\"rule_message\\\": \\\"Launch configuration should not assign public IP addresses to EC2 instances\\\",\\n \\\"rule_name\\\": \\\"autoscaling_launch_config_public_ip\\\",\\n \\\"rule_raw_result\\\": false,\\n \\\"rule_result\\\": \\\"FAIL\\\",\\n \\\"rule_severity\\\": \\\"High\\\",\\n \\\"rule_summary\\\": \\\"Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses\\\",\\n \\\"source_location\\\": [\\n {\\n \\\"path\\\": \\\"LZOYUC/fail_tf_main.tf\\\",\\n \\\"line\\\": 7,\\n \\\"column\\\": 1\\n }\\n ]\\n },\\n {\\n \\\"controls\\\": [\\n \\\"AWS-Foundational-Security-Best-Practices_v1.0.0_Autoscaling.5\\\"\\n ],\\n \\\"families\\\": [\\n \\\"AWS-Foundational-Security-Best-Practices_v1.0.0\\\"\\n ],\\n \\\"filepath\\\": \\\"LZOYUC/pass_tf_main.tf\\\",\\n \\\"input_type\\\": \\\"tf\\\",\\n \\\"provider\\\": \\\"aws.pass_aws\\\",\\n \\\"resource_id\\\": \\\"aws_launch_configuration.pass_config\\\",\\n \\\"resource_type\\\": \\\"aws_launch_configuration\\\",\\n \\\"resource_tags\\\": {},\\n \\\"rule_description\\\": \\\"Auto Scaling group launch configurations must not assign public IP addresses to EC2 instances for enhanced security. 
Instances should only be accessible through load balancers and not directly exposed to the internet.\\\",\\n \\\"rule_id\\\": \\\"Autoscaling.5\\\",\\n \\\"rule_message\\\": \\\"\\\",\\n \\\"rule_name\\\": \\\"autoscaling_launch_config_public_ip\\\",\\n \\\"rule_raw_result\\\": true,\\n \\\"rule_result\\\": \\\"PASS\\\",\\n \\\"rule_severity\\\": \\\"High\\\",\\n \\\"rule_summary\\\": \\\"Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses\\\",\\n \\\"source_location\\\": [\\n {\\n \\\"path\\\": \\\"LZOYUC/pass_tf_main.tf\\\",\\n \\\"line\\\": 7,\\n \\\"column\\\": 1\\n }\\n ]\\n }\\n ],\\n \\\"summary\\\": {\\n \\\"filepaths\\\": [\\n \\\"LZOYUC/fail_tf_main.tf\\\",\\n \\\"LZOYUC/pass_tf_main.tf\\\"\\n ],\\n \\\"rule_results\\\": {\\n \\\"FAIL\\\": 1,\\n \\\"PASS\\\": 1,\\n \\\"WAIVED\\\": 0\\n },\\n \\\"severities\\\": {\\n \\\"Critical\\\": 0,\\n \\\"High\\\": 1,\\n \\\"Informational\\\": 0,\\n \\\"Low\\\": 0,\\n \\\"Medium\\\": 0,\\n \\\"Unknown\\\": 0\\n }\\n }\\n}\"","tool_call_id":"toolu_01CcNykpnMNMbcVFzGrAmk5G","name":"regoRunTool","additional_kwargs":{},"response_metadata":{}}},{"lc":1,"type":"constructor","id":["langchain_core","messages","HumanMessage"],"kwargs":{"lc_serializable":true,"lc_kwargs":{"lc_serializable":true,"lc_kwargs":{"content":"Based on the test results, I'll provide the analysis in JSON format:\n\n{\n \"feedback\": \"TO_REVIEWER\",\n \"analysis\": {\n \"rule_results\": {\n \"PASS\": 1,\n \"FAIL\": 1,\n \"WAIVED\": 0\n },\n \"test_summary\": {\n \"pass_case\": \"Launch configuration with associate_public_ip_address = false passed as expected\",\n \"fail_case\": \"Launch configuration with associate_public_ip_address = true failed as expected\",\n \"rule_effectiveness\": \"The rule successfully identifies and flags launch configurations that assign public IP addresses to EC2 instances\"\n }\n }\n}\n\nThe Regula rule is working as expected because:\n1. 
It correctly passed the compliant configuration where public IP is disabled\n2. It correctly failed the non-compliant configuration where public IP is enabled\n3. The rule results show exactly 1 PASS and 1 FAIL as required\n4. The rule properly implements the security requirement to prevent public IP assignment in Auto Scaling group launch configurations","additional_kwargs":{"id":"msg_012iGZdP3GSNdfRWayL6eBg4","type":"message","role":"assistant","model":"claude-3-5-sonnet-20241022","stop_reason":"end_turn","stop_sequence":null,"usage":{"input_tokens":9987,"output_tokens":254}},"usage_metadata":{"input_tokens":9987,"output_tokens":254,"total_tokens":10241},"response_metadata":{"id":"msg_012iGZdP3GSNdfRWayL6eBg4","type":"message","role":"assistant","model":"claude-3-5-sonnet-20241022","stop_reason":"end_turn","stop_sequence":null,"usage":{"input_tokens":9987,"output_tokens":254}},"id":"msg_012iGZdP3GSNdfRWayL6eBg4","tool_calls":[],"invalid_tool_calls":[]},"lc_namespace":["langchain_core","messages"],"content":"Based on the test results, I'll provide the analysis in JSON format:\n\n{\n \"feedback\": \"TO_REVIEWER\",\n \"analysis\": {\n \"rule_results\": {\n \"PASS\": 1,\n \"FAIL\": 1,\n \"WAIVED\": 0\n },\n \"test_summary\": {\n \"pass_case\": \"Launch configuration with associate_public_ip_address = false passed as expected\",\n \"fail_case\": \"Launch configuration with associate_public_ip_address = true failed as expected\",\n \"rule_effectiveness\": \"The rule successfully identifies and flags launch configurations that assign public IP addresses to EC2 instances\"\n }\n }\n}\n\nThe Regula rule is working as expected because:\n1. It correctly passed the compliant configuration where public IP is disabled\n2. It correctly failed the non-compliant configuration where public IP is enabled\n3. The rule results show exactly 1 PASS and 1 FAIL as required\n4. 
The rule properly implements the security requirement to prevent public IP assignment in Auto Scaling group launch configurations","name":"RegoRunner","additional_kwargs":{"id":"msg_012iGZdP3GSNdfRWayL6eBg4","type":"message","role":"assistant","model":"claude-3-5-sonnet-20241022","stop_reason":"end_turn","stop_sequence":null,"usage":{"input_tokens":9987,"output_tokens":254}},"response_metadata":{"id":"msg_012iGZdP3GSNdfRWayL6eBg4","model":"claude-3-5-sonnet-20241022","stop_reason":"end_turn","stop_sequence":null,"usage":{"input_tokens":9987,"output_tokens":254},"type":"message","role":"assistant"},"id":"msg_012iGZdP3GSNdfRWayL6eBg4","tool_calls":[],"invalid_tool_calls":[],"usage_metadata":{"input_tokens":9987,"output_tokens":254,"total_tokens":10241}},"lc_namespace":["langchain_core","messages"],"content":"Based on the test results, I'll provide the analysis in JSON format:\n\n{\n \"feedback\": \"TO_REVIEWER\",\n \"analysis\": {\n \"rule_results\": {\n \"PASS\": 1,\n \"FAIL\": 1,\n \"WAIVED\": 0\n },\n \"test_summary\": {\n \"pass_case\": \"Launch configuration with associate_public_ip_address = false passed as expected\",\n \"fail_case\": \"Launch configuration with associate_public_ip_address = true failed as expected\",\n \"rule_effectiveness\": \"The rule successfully identifies and flags launch configurations that assign public IP addresses to EC2 instances\"\n }\n }\n}\n\nThe Regula rule is working as expected because:\n1. It correctly passed the compliant configuration where public IP is disabled\n2. It correctly failed the non-compliant configuration where public IP is enabled\n3. The rule results show exactly 1 PASS and 1 FAIL as required\n4. 
The rule properly implements the security requirement to prevent public IP assignment in Auto Scaling group launch configurations","name":"RegoRunner","additional_kwargs":{"id":"msg_012iGZdP3GSNdfRWayL6eBg4","type":"message","role":"assistant","model":"claude-3-5-sonnet-20241022","stop_reason":"end_turn","stop_sequence":null,"usage":{"input_tokens":9987,"output_tokens":254}},"response_metadata":{"id":"msg_012iGZdP3GSNdfRWayL6eBg4","model":"claude-3-5-sonnet-20241022","stop_reason":"end_turn","stop_sequence":null,"usage":{"input_tokens":9987,"output_tokens":254},"type":"message","role":"assistant"},"id":"msg_012iGZdP3GSNdfRWayL6eBg4","tool_calls":[],"invalid_tool_calls":[],"usage_metadata":{"input_tokens":9987,"output_tokens":254,"total_tokens":10241}}},{"lc":1,"type":"constructor","id":["langchain_core","messages","AIMessage"],"kwargs":{"content":[{"type":"text","text":"Let me help verify the Terraform resources and provide structured feedback."},{"type":"tool_use","id":"toolu_017SXM39YYPSWck3AvU7mAAM","name":"terraformDocsFetchTool","input":{"resources":["aws_launch_configuration","aws_autoscaling_group"]}}],"additional_kwargs":{"id":"msg_01BNL5SAaz8UEWLm3Pop1FiZ","type":"message","role":"assistant","model":"claude-3-5-sonnet-20241022","stop_reason":"tool_use","stop_sequence":null,"usage":{"input_tokens":10194,"output_tokens":86}},"tool_calls":[{"name":"terraformDocsFetchTool","args":{"resources":["aws_launch_configuration","aws_autoscaling_group"]},"id":"toolu_017SXM39YYPSWck3AvU7mAAM","type":"tool_call"}],"usage_metadata":{"input_tokens":10194,"output_tokens":86,"total_tokens":10280},"response_metadata":{"id":"msg_01BNL5SAaz8UEWLm3Pop1FiZ","model":"claude-3-5-sonnet-20241022","stop_reason":"tool_use","stop_sequence":null,"usage":{"input_tokens":10194,"output_tokens":86},"type":"message","role":"assistant"},"id":"msg_01BNL5SAaz8UEWLm3Pop1FiZ","invalid_tool_calls":[]}},{"lc":1,"type":"constructor","id":["langchain_core","messages","ToolMessage"],"kwargs":{"content"
:"{\"aws_launch_configuration\":{\"description\":\"## Example Usage\\n\\n```terraform\\ndata \\\"aws_ami\\\" \\\"ubuntu\\\" {\\n most_recent = true\\n\\n filter {\\n name = \\\"name\\\"\\n values = [\\\"ubuntu/images/hvm-ssd/ubuntu-trusty-14.04-amd64-server-*\\\"]\\n }\\n\\n filter {\\n name = \\\"virtualization-type\\\"\\n values = [\\\"hvm\\\"]\\n }\\n\\n owners = [\\\"099720109477\\\"] # Canonical\\n}\\n\\nresource \\\"aws_launch_configuration\\\" \\\"as_conf\\\" {\\n name = \\\"web_config\\\"\\n image_id = data.aws_ami.ubuntu.id\\n instance_type = \\\"t2.micro\\\"\\n}\\n```\\n\\n## Using with AutoScaling Groups\\n\\nLaunch Configurations cannot be updated after creation with the Amazon\\nWeb Service API. In order to update a Launch Configuration, Terraform will\\ndestroy the existing resource and create a replacement. In order to effectively\\nuse a Launch Configuration resource with an [AutoScaling Group resource][1],\\nit's recommended to specify `create_before_destroy` in a [lifecycle][2] block.\\nEither omit the Launch Configuration `name` attribute, or specify a partial name\\nwith `name_prefix`. 
Example:\\n\\n```terraform\\ndata \\\"aws_ami\\\" \\\"ubuntu\\\" {\\n most_recent = true\\n\\n filter {\\n name = \\\"name\\\"\\n values = [\\\"ubuntu/images/hvm-ssd/ubuntu-trusty-14.04-amd64-server-*\\\"]\\n }\\n\\n filter {\\n name = \\\"virtualization-type\\\"\\n values = [\\\"hvm\\\"]\\n }\\n\\n owners = [\\\"099720109477\\\"] # Canonical\\n}\\n\\nresource \\\"aws_launch_configuration\\\" \\\"as_conf\\\" {\\n name_prefix = \\\"terraform-lc-example-\\\"\\n image_id = data.aws_ami.ubuntu.id\\n instance_type = \\\"t2.micro\\\"\\n\\n lifecycle {\\n create_before_destroy = true\\n }\\n}\\n\\nresource \\\"aws_autoscaling_group\\\" \\\"bar\\\" {\\n name = \\\"terraform-asg-example\\\"\\n launch_configuration = aws_launch_configuration.as_conf.name\\n min_size = 1\\n max_size = 2\\n\\n lifecycle {\\n create_before_destroy = true\\n }\\n}\\n```\\n\\nWith this setup Terraform generates a unique name for your Launch\\nConfiguration and can then update the AutoScaling Group without conflict before\\ndestroying the previous Launch Configuration.\\n\\n## Using with Spot Instances\\n\\nLaunch configurations can set the spot instance pricing to be used for the\\nAuto Scaling Group to reserve instances. Simply specifying the `spot_price`\\nparameter will set the price on the Launch Configuration which will attempt to\\nreserve your instances at this price. 
See the [AWS Spot Instance\\ndocumentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-spot-instances.html)\\nfor more information or how to launch [Spot Instances][3] with Terraform.\\n\\n```terraform\\ndata \\\"aws_ami\\\" \\\"ubuntu\\\" {\\n most_recent = true\\n\\n filter {\\n name = \\\"name\\\"\\n values = [\\\"ubuntu/images/hvm-ssd/ubuntu-trusty-14.04-amd64-server-*\\\"]\\n }\\n\\n filter {\\n name = \\\"virtualization-type\\\"\\n values = [\\\"hvm\\\"]\\n }\\n\\n owners = [\\\"099720109477\\\"] # Canonical\\n}\\n\\nresource \\\"aws_launch_configuration\\\" \\\"as_conf\\\" {\\n image_id = data.aws_ami.ubuntu.id\\n instance_type = \\\"m4.large\\\"\\n spot_price = \\\"0.001\\\"\\n\\n lifecycle {\\n create_before_destroy = true\\n }\\n}\\n\\nresource \\\"aws_autoscaling_group\\\" \\\"bar\\\" {\\n name = \\\"terraform-asg-example\\\"\\n launch_configuration = aws_launch_configuration.as_conf.name\\n}\\n```\",\"argumentReference\":\"## Argument Reference\\n\\nThe following arguments are required:\\n\\n* `image_id` - (Required) The EC2 image ID to launch.\\n* `instance_type` - (Required) The size of instance to launch.\\n\\nThe following arguments are optional:\\n\\n* `associate_public_ip_address` - (Optional) Associate a public ip address with an instance in a VPC.\\n* `ebs_block_device` - (Optional) Additional EBS block devices to attach to the instance. See [Block Devices](#block-devices) below for details.\\n* `ebs_optimized` - (Optional) If true, the launched EC2 instance will be EBS-optimized.\\n* `enable_monitoring` - (Optional) Enables/disables detailed monitoring. This is enabled by default.\\n* `ephemeral_block_device` - (Optional) Customize Ephemeral (also known as \\\"Instance Store\\\") volumes on the instance. 
See [Block Devices](#block-devices) below for details.\\n* `iam_instance_profile` - (Optional) The name attribute of the IAM instance profile to associate with launched instances.\\n* `key_name` - (Optional) The key name that should be used for the instance.\\n* `metadata_options` - The metadata options for the instance.\\n * `http_endpoint` - The state of the metadata service: `enabled`, `disabled`.\\n * `http_tokens` - If session tokens are required: `optional`, `required`.\\n * `http_put_response_hop_limit` - The desired HTTP PUT response hop limit for instance metadata requests.\\n* `name` - (Optional) The name of the launch configuration. If you leave this blank, Terraform will auto-generate a unique name. Conflicts with `name_prefix`.\\n* `name_prefix` - (Optional) Creates a unique name beginning with the specified prefix. Conflicts with `name`.\\n* `security_groups` - (Optional) A list of associated security group IDS.\\n* `placement_tenancy` - (Optional) The tenancy of the instance. Valid values are `default` or `dedicated`, see [AWS's Create Launch Configuration](http://docs.aws.amazon.com/AutoScaling/latest/APIReference/API_CreateLaunchConfiguration.html) for more details.\\n* `root_block_device` - (Optional) Customize details about the root block device of the instance. See [Block Devices](#block-devices) below for details.\\n* `spot_price` - (Optional; Default: On-demand price) The maximum price to use for reserving spot instances.\\n* `user_data` - (Optional) The user data to provide when launching the instance. Do not pass gzip-compressed data via this argument; see `user_data_base64` instead.\\n* `user_data_base64` - (Optional) Can be used instead of `user_data` to pass base64-encoded binary data directly. Use this instead of `user_data` whenever the value is not a valid UTF-8 string. 
For example, gzip-encoded user data must be base64-encoded and passed via this argument to avoid corruption.\\n\\n## Block devices\\n\\nEach of the `*_block_device` attributes controls a portion of the AWS\\nLaunch Configuration's \\\"Block Device Mapping\\\". It's a good idea to familiarize yourself with [AWS's Block Device\\nMapping docs](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/block-device-mapping-concepts.html)\\nto understand the implications of using these attributes.\\n\\nEach AWS Instance type has a different set of Instance Store block devices\\navailable for attachment. AWS [publishes a\\nlist](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/InstanceStorage.html#StorageOnInstanceTypes)\\nof which ephemeral devices are available on each type. The devices are always\\nidentified by the `virtual_name` in the format `ephemeral{0..N}`.\\n\\n~> **NOTE:** Changes to `*_block_device` configuration of _existing_ resources\\ncannot currently be detected by Terraform. After updating to block device\\nconfiguration, resource recreation can be manually triggered by using the\\n[`taint` command](https://www.terraform.io/docs/commands/taint.html).\\n \\n### ebs_block_device\\n\\nModifying any of the `ebs_block_device` settings requires resource replacement.\\n\\n* `device_name` - (Required) The name of the device to mount.\\n* `snapshot_id` - (Optional) The Snapshot ID to mount.\\n* `volume_type` - (Optional) The type of volume. 
Can be `standard`, `gp2`, `gp3`, `st1`, `sc1` or `io1`.\\n* `volume_size` - (Optional) The size of the volume in gigabytes.\\n* `iops` - (Optional) The amount of provisioned\\n [IOPS](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-io-characteristics.html).\\n This must be set with a `volume_type` of `\\\"io1\\\"`.\\n* `throughput` - (Optional) The throughput (MiBps) to provision for a `gp3` volume.\\n* `delete_on_termination` - (Optional) Whether the volume should be destroyed\\n on instance termination (Default: `true`).\\n* `encrypted` - (Optional) Whether the volume should be encrypted or not. Defaults to `false`.\\n* `no_device` - (Optional) Whether the device in the block device mapping of the AMI is suppressed.\\n\\n### ephemeral_block_device\\n\\n* `device_name` - (Required) The name of the block device to mount on the instance.\\n* `no_device` - (Optional) Whether the device in the block device mapping of the AMI is suppressed.\\n* `virtual_name` - (Optional) The [Instance Store Device Name](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/InstanceStorage.html#InstanceStoreDeviceNames).\\n\\n### root_block_device\\n\\n-> Modifying any of the `root_block_device` settings requires resource replacement.\\n\\n* `delete_on_termination` - (Optional) Whether the volume should be destroyed on instance termination. Defaults to `true`.\\n* `encrypted` - (Optional) Whether the volume should be encrypted or not. Defaults to `false`.\\n* `iops` - (Optional) The amount of provisioned [IOPS](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-io-characteristics.html). This must be set with a `volume_type` of `io1`.\\n* `throughput` - (Optional) The throughput (MiBps) to provision for a `gp3` volume.\\n* `volume_size` - (Optional) The size of the volume in gigabytes.\\n* `volume_type` - (Optional) The type of volume. 
Can be `standard`, `gp2`, `gp3`, `st1`, `sc1` or `io1`.\",\"attributeReference\":\"## Attribute Reference\\n\\nThis resource exports the following attributes in addition to the arguments above:\\n\\n* `id` - The ID of the launch configuration.\\n* `arn` - The Amazon Resource Name of the launch configuration.\\n* `name` - The name of the launch configuration.\\n\\n[1]: /docs/providers/aws/r/autoscaling_group.html\\n[2]: https://www.terraform.io/docs/configuration/meta-arguments/lifecycle.html\\n[3]: /docs/providers/aws/r/spot_instance_request.html\",\"import\":\"## Import\\n\\nIn Terraform v1.5.0 and later, use an [`import` block](https://developer.hashicorp.com/terraform/language/import) to import launch configurations using the `name`. For example:\\n\\n```terraform\\nimport {\\n to = aws_launch_configuration.as_conf\\n id = \\\"terraform-lg-123456\\\"\\n}\\n```\\n\\nUsing `terraform import`, import launch configurations using the `name`. For example:\\n\\n```console\\n% terraform import aws_launch_configuration.as_conf terraform-lg-123456\\n```\"},\"aws_autoscaling_group\":{\"description\":\"## Example Usage\\n\\n```terraform\\nresource \\\"aws_placement_group\\\" \\\"test\\\" {\\n name = \\\"test\\\"\\n strategy = \\\"cluster\\\"\\n}\\n\\nresource \\\"aws_autoscaling_group\\\" \\\"bar\\\" {\\n name = \\\"foobar3-terraform-test\\\"\\n max_size = 5\\n min_size = 2\\n health_check_grace_period = 300\\n health_check_type = \\\"ELB\\\"\\n desired_capacity = 4\\n force_delete = true\\n placement_group = aws_placement_group.test.id\\n launch_configuration = aws_launch_configuration.foobar.name\\n vpc_zone_identifier = [aws_subnet.example1.id, aws_subnet.example2.id]\\n\\n instance_maintenance_policy {\\n min_healthy_percentage = 90\\n max_healthy_percentage = 120\\n }\\n\\n initial_lifecycle_hook {\\n name = \\\"foobar\\\"\\n default_result = \\\"CONTINUE\\\"\\n heartbeat_timeout = 2000\\n lifecycle_transition = \\\"autoscaling:EC2_INSTANCE_LAUNCHING\\\"\\n\\n 
notification_metadata = jsonencode({\\n foo = \\\"bar\\\"\\n })\\n\\n notification_target_arn = \\\"arn:aws:sqs:us-east-1:444455556666:queue1*\\\"\\n role_arn = \\\"arn:aws:iam::123456789012:role/S3Access\\\"\\n }\\n\\n tag {\\n key = \\\"foo\\\"\\n value = \\\"bar\\\"\\n propagate_at_launch = true\\n }\\n\\n timeouts {\\n delete = \\\"15m\\\"\\n }\\n\\n tag {\\n key = \\\"lorem\\\"\\n value = \\\"ipsum\\\"\\n propagate_at_launch = false\\n }\\n}\\n```\\n\\n### With Latest Version Of Launch Template\\n\\n```terraform\\nresource \\\"aws_launch_template\\\" \\\"foobar\\\" {\\n name_prefix = \\\"foobar\\\"\\n image_id = \\\"ami-1a2b3c\\\"\\n instance_type = \\\"t2.micro\\\"\\n}\\n\\nresource \\\"aws_autoscaling_group\\\" \\\"bar\\\" {\\n availability_zones = [\\\"us-east-1a\\\"]\\n desired_capacity = 1\\n max_size = 1\\n min_size = 1\\n\\n launch_template {\\n id = aws_launch_template.foobar.id\\n version = \\\"$Latest\\\"\\n }\\n}\\n```\\n\\n### Mixed Instances Policy\\n\\n```terraform\\nresource \\\"aws_launch_template\\\" \\\"example\\\" {\\n name_prefix = \\\"example\\\"\\n image_id = data.aws_ami.example.id\\n instance_type = \\\"c5.large\\\"\\n}\\n\\nresource \\\"aws_autoscaling_group\\\" \\\"example\\\" {\\n availability_zones = [\\\"us-east-1a\\\"]\\n desired_capacity = 1\\n max_size = 1\\n min_size = 1\\n\\n mixed_instances_policy {\\n launch_template {\\n launch_template_specification {\\n launch_template_id = aws_launch_template.example.id\\n }\\n\\n override {\\n instance_type = \\\"c4.large\\\"\\n weighted_capacity = \\\"3\\\"\\n }\\n\\n override {\\n instance_type = \\\"c3.large\\\"\\n weighted_capacity = \\\"2\\\"\\n }\\n }\\n }\\n}\\n```\\n\\n### Mixed Instances Policy with Spot Instances and Capacity Rebalance\\n\\n```terraform\\nresource \\\"aws_launch_template\\\" \\\"example\\\" {\\n name_prefix = \\\"example\\\"\\n image_id = data.aws_ami.example.id\\n instance_type = \\\"c5.large\\\"\\n}\\n\\nresource \\\"aws_autoscaling_group\\\" \\\"example\\\" 
{\\n capacity_rebalance = true\\n desired_capacity = 12\\n max_size = 15\\n min_size = 12\\n vpc_zone_identifier = [aws_subnet.example1.id, aws_subnet.example2.id]\\n\\n mixed_instances_policy {\\n instances_distribution {\\n on_demand_base_capacity = 0\\n on_demand_percentage_above_base_capacity = 25\\n spot_allocation_strategy = \\\"capacity-optimized\\\"\\n }\\n\\n launch_template {\\n launch_template_specification {\\n launch_template_id = aws_launch_template.example.id\\n }\\n\\n override {\\n instance_type = \\\"c4.large\\\"\\n weighted_capacity = \\\"3\\\"\\n }\\n\\n override {\\n instance_type = \\\"c3.large\\\"\\n weighted_capacity = \\\"2\\\"\\n }\\n }\\n }\\n}\\n```\\n\\n### Mixed Instances Policy with Instance level LaunchTemplateSpecification Overrides\\n\\nWhen using a diverse instance set, some instance types might require a launch template with configuration values unique to that instance type such as a different AMI (Graviton2), architecture specific user data script, different EBS configuration, or different networking configuration.\\n\\n```terraform\\nresource \\\"aws_launch_template\\\" \\\"example\\\" {\\n name_prefix = \\\"example\\\"\\n image_id = data.aws_ami.example.id\\n instance_type = \\\"c5.large\\\"\\n}\\n\\nresource \\\"aws_launch_template\\\" \\\"example2\\\" {\\n name_prefix = \\\"example2\\\"\\n image_id = data.aws_ami.example2.id\\n}\\n\\nresource \\\"aws_autoscaling_group\\\" \\\"example\\\" {\\n availability_zones = [\\\"us-east-1a\\\"]\\n desired_capacity = 1\\n max_size = 1\\n min_size = 1\\n\\n mixed_instances_policy {\\n launch_template {\\n launch_template_specification {\\n launch_template_id = aws_launch_template.example.id\\n }\\n\\n override {\\n instance_type = \\\"c4.large\\\"\\n weighted_capacity = \\\"3\\\"\\n }\\n\\n override {\\n instance_type = \\\"c6g.large\\\"\\n launch_template_specification {\\n launch_template_id = aws_launch_template.example2.id\\n }\\n weighted_capacity = \\\"2\\\"\\n }\\n }\\n 
}\\n}\\n```\\n\\n### Mixed Instances Policy with Attribute-based Instance Type Selection\\n\\nAs an alternative to manually choosing instance types when creating a mixed instances group, you can specify a set of instance attributes that describe your compute requirements.\\n\\n```terraform\\nresource \\\"aws_launch_template\\\" \\\"example\\\" {\\n name_prefix = \\\"example\\\"\\n image_id = data.aws_ami.example.id\\n instance_type = \\\"c5.large\\\"\\n}\\n\\nresource \\\"aws_autoscaling_group\\\" \\\"example\\\" {\\n availability_zones = [\\\"us-east-1a\\\"]\\n desired_capacity = 1\\n max_size = 1\\n min_size = 1\\n\\n mixed_instances_policy {\\n launch_template {\\n launch_template_specification {\\n launch_template_id = aws_launch_template.example.id\\n }\\n\\n override {\\n instance_requirements {\\n memory_mib {\\n min = 1000\\n }\\n\\n vcpu_count {\\n min = 4\\n }\\n }\\n }\\n }\\n }\\n}\\n```\\n\\n### Dynamic tagging\\n\\n```terraform\\nvariable \\\"extra_tags\\\" {\\n default = [\\n {\\n key = \\\"Foo\\\"\\n value = \\\"Bar\\\"\\n propagate_at_launch = true\\n },\\n {\\n key = \\\"Baz\\\"\\n value = \\\"Bam\\\"\\n propagate_at_launch = true\\n },\\n ]\\n}\\n\\nresource \\\"aws_autoscaling_group\\\" \\\"test\\\" {\\n name = \\\"foobar3-terraform-test\\\"\\n max_size = 5\\n min_size = 2\\n launch_configuration = aws_launch_configuration.foobar.name\\n vpc_zone_identifier = [aws_subnet.example1.id, aws_subnet.example2.id]\\n\\n tag {\\n key = \\\"explicit1\\\"\\n value = \\\"value1\\\"\\n propagate_at_launch = true\\n }\\n tag {\\n key = \\\"explicit2\\\"\\n value = \\\"value2\\\"\\n propagate_at_launch = true\\n }\\n\\n dynamic \\\"tag\\\" {\\n for_each = var.extra_tags\\n content {\\n key = tag.value.key\\n propagate_at_launch = tag.value.propagate_at_launch\\n value = tag.value.value\\n }\\n }\\n}\\n```\\n\\n### Automatically refresh all instances after the group is updated\\n\\n```terraform\\nresource \\\"aws_autoscaling_group\\\" \\\"example\\\" {\\n 
availability_zones = [\\\"us-east-1a\\\"]\\n desired_capacity = 1\\n max_size = 2\\n min_size = 1\\n\\n launch_template {\\n id = aws_launch_template.example.id\\n version = aws_launch_template.example.latest_version\\n }\\n\\n tag {\\n key = \\\"Key\\\"\\n value = \\\"Value\\\"\\n propagate_at_launch = true\\n }\\n\\n instance_refresh {\\n strategy = \\\"Rolling\\\"\\n preferences {\\n min_healthy_percentage = 50\\n }\\n triggers = [\\\"tag\\\"]\\n }\\n}\\n\\ndata \\\"aws_ami\\\" \\\"example\\\" {\\n most_recent = true\\n owners = [\\\"amazon\\\"]\\n\\n filter {\\n name = \\\"name\\\"\\n values = [\\\"amzn-ami-hvm-*-x86_64-gp2\\\"]\\n }\\n}\\n\\nresource \\\"aws_launch_template\\\" \\\"example\\\" {\\n image_id = data.aws_ami.example.id\\n instance_type = \\\"t3.nano\\\"\\n}\\n```\\n\\n### Auto Scaling group with Warm Pool\\n\\n```terraform\\nresource \\\"aws_launch_template\\\" \\\"example\\\" {\\n name_prefix = \\\"example\\\"\\n image_id = data.aws_ami.example.id\\n instance_type = \\\"c5.large\\\"\\n}\\n\\nresource \\\"aws_autoscaling_group\\\" \\\"example\\\" {\\n availability_zones = [\\\"us-east-1a\\\"]\\n desired_capacity = 1\\n max_size = 5\\n min_size = 1\\n\\n warm_pool {\\n pool_state = \\\"Hibernated\\\"\\n min_size = 1\\n max_group_prepared_capacity = 10\\n\\n instance_reuse_policy {\\n reuse_on_scale_in = true\\n }\\n }\\n}\\n```\\n\\n### Auto Scaling group with Traffic Sources\\n\\n```terraform\\nresource \\\"aws_autoscaling_group\\\" \\\"test\\\" {\\n vpc_zone_identifier = aws_subnet.test.id\\n max_size = 1\\n min_size = 1\\n\\n force_delete = true\\n dynamic \\\"traffic_source\\\" {\\n for_each = aws_vpclattice_target_group.test[*]\\n content {\\n identifier = traffic_source.value.arn\\n type = \\\"vpc-lattice\\\"\\n }\\n }\\n\\n}\\n```\",\"argumentReference\":\"## Argument Reference\\n\\nThis resource supports the following arguments:\\n\\n- `name` - (Optional) Name of the Auto Scaling Group. By default generated by Terraform. 
Conflicts with `name_prefix`.\\n- `name_prefix` - (Optional) Creates a unique name beginning with the specified\\n prefix. Conflicts with `name`.\\n- `max_size` - (Required) Maximum size of the Auto Scaling Group.\\n- `min_size` - (Required) Minimum size of the Auto Scaling Group.\\n (See also [Waiting for Capacity](#waiting-for-capacity) below.)\\n- `availability_zones` - (Optional) A list of Availability Zones where instances in the Auto Scaling group can be created. Used for launching into the default VPC subnet in each Availability Zone when not using the `vpc_zone_identifier` attribute, or for attaching a network interface when an existing network interface ID is specified in a launch template. Conflicts with `vpc_zone_identifier`.\\n- `capacity_rebalance` - (Optional) Whether capacity rebalance is enabled. Otherwise, capacity rebalance is disabled.\\n- `context` - (Optional) Reserved.\\n- `default_cooldown` - (Optional) Amount of time, in seconds, after a scaling activity completes before another scaling activity can start.\\n- `default_instance_warmup` - (Optional) Amount of time, in seconds, until a newly launched instance can contribute to the Amazon CloudWatch metrics. This delay lets an instance finish initializing before Amazon EC2 Auto Scaling aggregates instance metrics, resulting in more reliable usage data. Set this value equal to the amount of time that it takes for resource consumption to become stable after an instance reaches the InService state. (See [Set the default instance warmup for an Auto Scaling group](https://docs.aws.amazon.com/autoscaling/ec2/userguide/ec2-auto-scaling-default-instance-warmup.html))\\n- `launch_configuration` - (Optional) Name of the launch configuration to use.\\n- `launch_template` - (Optional) Nested argument with Launch template specification to use to launch instances. 
See [Launch Template](#launch_template) below for more details.\\n- `mixed_instances_policy` - (Optional) Configuration block containing settings to define launch targets for Auto Scaling groups. See [Mixed Instances Policy](#mixed_instances_policy) below for more details.\\n- `ignore_failed_scaling_activities` - (Optional) Whether to ignore failed [Auto Scaling scaling activities](https://docs.aws.amazon.com/autoscaling/ec2/userguide/as-verify-scaling-activity.html) while [waiting for capacity](#waiting-for-capacity). The default is `false` -- failed scaling activities cause errors to be returned.\\n- `initial_lifecycle_hook` - (Optional) One or more\\n [Lifecycle Hooks](http://docs.aws.amazon.com/autoscaling/latest/userguide/lifecycle-hooks.html)\\n to attach to the Auto Scaling Group **before** instances are launched. The\\n syntax is exactly the same as the separate\\n [`aws_autoscaling_lifecycle_hook`](/docs/providers/aws/r/autoscaling_lifecycle_hook.html)\\n resource, without the `autoscaling_group_name` attribute. Please note that this will only work when creating\\n a new Auto Scaling Group. For all other use-cases, please use `aws_autoscaling_lifecycle_hook` resource.\\n- `health_check_grace_period` - (Optional, Default: 300) Time (in seconds) after instance comes into service before checking health.\\n- `health_check_type` - (Optional) \\\"EC2\\\" or \\\"ELB\\\". Controls how health checking is done.\\n- `instance_maintenance_policy` - (Optional) If this block is configured, add a instance maintenance policy to the specified Auto Scaling group. Defined [below](#instance_maintenance_policy).\\n- `desired_capacity` - (Optional) Number of Amazon EC2 instances that\\n should be running in the group. (See also [Waiting for\\n Capacity](#waiting-for-capacity) below.)\\n- `desired_capacity_type` - (Optional) The unit of measurement for the value specified for `desired_capacity`. Supported for attribute-based instance type selection only. 
Valid values: `\\\"units\\\"`, `\\\"vcpu\\\"`, `\\\"memory-mib\\\"`.\\n- `force_delete` - (Optional) Allows deleting the Auto Scaling Group without waiting\\n for all instances in the pool to terminate. You can force an Auto Scaling Group to delete\\n even if it's in the process of scaling a resource. Normally, Terraform\\n drains all the instances before deleting the group. This bypasses that\\n behavior and potentially leaves resources dangling.\\n- `load_balancers` - (Optional) List of elastic load balancer names to add to the autoscaling\\n group names. Only valid for classic load balancers. For ALBs, use `target_group_arns` instead. To remove all load balancer attachments an empty list should be specified.\\n- `traffic_source` - (Optional) Attaches one or more traffic sources to the specified Auto Scaling group.\\n- `vpc_zone_identifier` - (Optional) List of subnet IDs to launch resources in. Subnets automatically determine which availability zones the group will reside. Conflicts with `availability_zones`.\\n- `target_group_arns` - (Optional) Set of `aws_alb_target_group` ARNs, for use with Application or Network Load Balancing. To remove all target group attachments an empty list should be specified.\\n- `termination_policies` - (Optional) List of policies to decide how the instances in the Auto Scaling Group should be terminated. The allowed values are `OldestInstance`, `NewestInstance`, `OldestLaunchConfiguration`, `ClosestToNextInstanceHour`, `OldestLaunchTemplate`, `AllocationStrategy`, `Default`. Additionally, the ARN of a Lambda function can be specified for custom termination policies.\\n- `suspended_processes` - (Optional) List of processes to suspend for the Auto Scaling Group. 
The allowed values are `Launch`, `Terminate`, `HealthCheck`, `ReplaceUnhealthy`, `AZRebalance`, `AlarmNotification`, `ScheduledActions`, `AddToLoadBalancer`, `InstanceRefresh`.\\n Note that if you suspend either the `Launch` or `Terminate` process types, it can prevent your Auto Scaling Group from functioning properly.\\n- `tag` - (Optional) Configuration block(s) containing resource tags. See [Tag](#tag) below for more details.\\n- `placement_group` - (Optional) Name of the placement group into which you'll launch your instances, if any.\\n- `metrics_granularity` - (Optional) Granularity to associate with the metrics to collect. The only valid value is `1Minute`. Default is `1Minute`.\\n- `enabled_metrics` - (Optional) List of metrics to collect. The allowed values are defined by the [underlying AWS API](https://docs.aws.amazon.com/autoscaling/ec2/APIReference/API_EnableMetricsCollection.html).\\n- `wait_for_capacity_timeout` - (Optional, Default: \\\"10m\\\") Maximum\\n [duration](https://golang.org/pkg/time/#ParseDuration) that Terraform should\\n wait for ASG instances to be healthy before timing out. (See also [Waiting\\n for Capacity](#waiting-for-capacity) below.) Setting this to \\\"0\\\" causes\\n Terraform to skip all Capacity Waiting behavior.\\n- `min_elb_capacity` - (Optional) Setting this causes Terraform to wait for\\n this number of instances from this Auto Scaling Group to show up healthy in the\\n ELB only on creation. Updates will not wait on ELB instance number changes.\\n (See also [Waiting for Capacity](#waiting-for-capacity) below.)\\n- `wait_for_elb_capacity` - (Optional) Setting this will cause Terraform to wait\\n for exactly this number of healthy instances from this Auto Scaling Group in\\n all attached load balancers on both create and update operations. 
(Takes\\n precedence over `min_elb_capacity` behavior.)\\n (See also [Waiting for Capacity](#waiting-for-capacity) below.)\\n- `protect_from_scale_in` - (Optional) Whether newly launched instances\\n are automatically protected from termination by Amazon EC2 Auto Scaling when\\n scaling in. For more information about preventing instances from terminating\\n on scale in, see [Using instance scale-in protection](https://docs.aws.amazon.com/autoscaling/ec2/userguide/ec2-auto-scaling-instance-protection.html)\\n in the Amazon EC2 Auto Scaling User Guide.\\n- `service_linked_role_arn` - (Optional) ARN of the service-linked role that the ASG will use to call other AWS services\\n- `max_instance_lifetime` - (Optional) Maximum amount of time, in seconds, that an instance can be in service, values must be either equal to 0 or between 86400 and 31536000 seconds.\\n- `instance_refresh` - (Optional) If this block is configured, start an\\n [Instance Refresh](https://docs.aws.amazon.com/autoscaling/ec2/userguide/asg-instance-refresh.html)\\n when this Auto Scaling Group is updated. Defined [below](#instance_refresh).\\n- `warm_pool` - (Optional) If this block is configured, add a [Warm Pool](https://docs.aws.amazon.com/autoscaling/ec2/userguide/ec2-auto-scaling-warm-pools.html)\\n to the specified Auto Scaling group. Defined [below](#warm_pool)\\n- `force_delete_warm_pool` - (Optional) Allows deleting the Auto Scaling Group without waiting for all instances in the warm pool to terminate.\\n\\n### launch_template\\n\\n~> **NOTE:** Either `id` or `name` must be specified.\\n\\nThe top-level `launch_template` block supports the following:\\n\\n- `id` - (Optional) ID of the launch template. Conflicts with `name`.\\n- `name` - (Optional) Name of the launch template. Conflicts with `id`.\\n- `version` - (Optional) Template version. Can be version number, `$Latest`, or `$Default`. 
(Default: `$Default`).\\n\\n### mixed_instances_policy\\n\\n- `instances_distribution` - (Optional) Nested argument containing settings on how to mix on-demand and Spot instances in the Auto Scaling group. Defined below.\\n- `launch_template` - (Required) Nested argument containing launch template settings along with the overrides to specify multiple instance types and weights. Defined below.\\n\\n#### mixed_instances_policy instances_distribution\\n\\nThis configuration block supports the following:\\n\\n- `on_demand_allocation_strategy` - (Optional) Strategy to use when launching on-demand instances. Valid values: `prioritized`, `lowest-price`. Default: `prioritized`.\\n- `on_demand_base_capacity` - (Optional) Absolute minimum amount of desired capacity that must be fulfilled by on-demand instances. Default: `0`.\\n- `on_demand_percentage_above_base_capacity` - (Optional) Percentage split between on-demand and Spot instances above the base on-demand capacity. Default: `100`.\\n- `spot_allocation_strategy` - (Optional) How to allocate capacity across the Spot pools. Valid values: `lowest-price`, `capacity-optimized`, `capacity-optimized-prioritized`, and `price-capacity-optimized`. Default: `lowest-price`.\\n- `spot_instance_pools` - (Optional) Number of Spot pools per availability zone to allocate capacity. EC2 Auto Scaling selects the cheapest Spot pools and evenly allocates Spot capacity across the number of Spot pools that you specify. Only available with `spot_allocation_strategy` set to `lowest-price`. Otherwise it must be set to `0`, if it has been defined before. Default: `2`.\\n- `spot_max_price` - (Optional) Maximum price per unit hour that the user is willing to pay for the Spot instances. Default: an empty string which means the on-demand price.\\n\\n#### mixed_instances_policy launch_template\\n\\nThis configuration block supports the following:\\n\\n- `launch_template_specification` - (Required) Nested argument defines the Launch Template. 
Defined below.\\n- `override` - (Optional) List of nested arguments provides the ability to specify multiple instance types. This will override the same parameter in the launch template. For on-demand instances, Auto Scaling considers the order of preference of instance types to launch based on the order specified in the overrides list. Defined below.\\n\\n##### mixed_instances_policy launch_template launch_template_specification\\n\\n~> **NOTE:** Either `launch_template_id` or `launch_template_name` must be specified.\\n\\nThis configuration block supports the following:\\n\\n- `launch_template_id` - (Optional) ID of the launch template. Conflicts with `launch_template_name`.\\n- `launch_template_name` - (Optional) Name of the launch template. Conflicts with `launch_template_id`.\\n- `version` - (Optional) Template version. Can be version number, `$Latest`, or `$Default`. (Default: `$Default`).\\n\\n##### mixed_instances_policy launch_template override\\n\\nThis configuration block supports the following:\\n\\n- `instance_type` - (Optional) Override the instance type in the Launch Template.\\n- `instance_requirements` - (Optional) Override the instance type in the Launch Template with instance types that satisfy the requirements.\\n- `launch_template_specification` - (Optional) Override the instance launch template specification in the Launch Template.\\n- `weighted_capacity` - (Optional) Number of capacity units, which gives the instance type a proportional weight to other instance types.\\n\\n###### mixed_instances_policy launch_template override instance_requirements\\n\\nThis configuration block supports the following:\\n\\n~> **NOTE:** Both `memory_mib.min` and `vcpu_count.min` must be specified.\\n\\n- `accelerator_count` - (Optional) Block describing the minimum and maximum number of accelerators (GPUs, FPGAs, or AWS Inferentia chips). Default is no minimum or maximum.\\n - `min` - (Optional) Minimum.\\n - `max` - (Optional) Maximum. 
Set to `0` to exclude instance types with accelerators.\\n- `accelerator_manufacturers` - (Optional) List of accelerator manufacturer names. Default is any manufacturer.\\n\\n ```\\n Valid names:\\n * amazon-web-services\\n * amd\\n * nvidia\\n * xilinx\\n ```\\n\\n- `accelerator_names` - (Optional) List of accelerator names. Default is any acclerator.\\n\\n ```\\n Valid names:\\n * a100 - NVIDIA A100 GPUs\\n * v100 - NVIDIA V100 GPUs\\n * k80 - NVIDIA K80 GPUs\\n * t4 - NVIDIA T4 GPUs\\n * m60 - NVIDIA M60 GPUs\\n * radeon-pro-v520 - AMD Radeon Pro V520 GPUs\\n * vu9p - Xilinx VU9P FPGAs\\n ```\\n\\n- `accelerator_total_memory_mib` - (Optional) Block describing the minimum and maximum total memory of the accelerators. Default is no minimum or maximum.\\n\\n - `min` - (Optional) Minimum.\\n - `max` - (Optional) Maximum.\\n\\n- `accelerator_types` - (Optional) List of accelerator types. Default is any accelerator type.\\n\\n ```\\n Valid types:\\n * fpga\\n * gpu\\n * inference\\n ```\\n\\n- `allowed_instance_types` - (Optional) List of instance types to apply your specified attributes against. All other instance types are ignored, even if they match your specified attributes. You can use strings with one or more wild cards, represented by an asterisk (\\\\*), to allow an instance type, size, or generation. The following are examples: `m5.8xlarge`, `c5*.*`, `m5a.*`, `r*`, `*3*`. For example, if you specify `c5*`, you are allowing the entire C5 instance family, which includes all C5a and C5n instance types. If you specify `m5a.*`, you are allowing all the M5a instance types, but not the M5n instance types. Maximum of 400 entries in the list; each entry is limited to 30 characters. Default is all instance types.\\n\\n ~> **NOTE:** If you specify `allowed_instance_types`, you can't specify `excluded_instance_types`.\\n\\n- `bare_metal` - (Optional) Indicate whether bare metal instace types should be `included`, `excluded`, or `required`. 
Default is `excluded`.\\n- `baseline_ebs_bandwidth_mbps` - (Optional) Block describing the minimum and maximum baseline EBS bandwidth, in Mbps. Default is no minimum or maximum.\\n - `min` - (Optional) Minimum.\\n - `max` - (Optional) Maximum.\\n- `burstable_performance` - (Optional) Indicate whether burstable performance instance types should be `included`, `excluded`, or `required`. Default is `excluded`.\\n- `cpu_manufacturers` (Optional) List of CPU manufacturer names. Default is any manufacturer.\\n\\n ~> **NOTE:** Don't confuse the CPU hardware manufacturer with the CPU hardware architecture. Instances will be launched with a compatible CPU architecture based on the Amazon Machine Image (AMI) that you specify in your launch template.\\n\\n ```\\n Valid names:\\n * amazon-web-services\\n * amd\\n * intel\\n ```\\n\\n- `excluded_instance_types` - (Optional) List of instance types to exclude. You can use strings with one or more wild cards, represented by an asterisk (\\\\*), to exclude an instance type, size, or generation. The following are examples: `m5.8xlarge`, `c5*.*`, `m5a.*`, `r*`, `*3*`. For example, if you specify `c5*`, you are excluding the entire C5 instance family, which includes all C5a and C5n instance types. If you specify `m5a.*`, you are excluding all the M5a instance types, but not the M5n instance types. Maximum of 400 entries in the list; each entry is limited to 30 characters. Default is no excluded instance types.\\n\\n ~> **NOTE:** If you specify `excluded_instance_types`, you can't specify `allowed_instance_types`.\\n\\n- `instance_generations` - (Optional) List of instance generation names. Default is any generation.\\n\\n ```\\n Valid names:\\n * current - Recommended for best performance.\\n * previous - For existing applications optimized for older instance types.\\n ```\\n\\n- `local_storage` - (Optional) Indicate whether instance types with local storage volumes are `included`, `excluded`, or `required`. 
Default is `included`.\\n- `local_storage_types` - (Optional) List of local storage type names. Default any storage type.\\n\\n ```\\n Value names:\\n * hdd - hard disk drive\\n * ssd - solid state drive\\n ```\\n\\n- `max_spot_price_as_percentage_of_optimal_on_demand_price` - (Optional) The price protection threshold for Spot Instances. This is the maximum you’ll pay for a Spot Instance, expressed as a percentage higher than the cheapest M, C, or R instance type with your specified attributes. When Amazon EC2 Auto Scaling selects instance types with your attributes, we will exclude instance types whose price is higher than your threshold. The parameter accepts an integer, which Amazon EC2 Auto Scaling interprets as a percentage. To turn off price protection, specify a high value, such as 999999. Conflicts with `spot_max_price_percentage_over_lowest_price`\\n- `memory_gib_per_vcpu` - (Optional) Block describing the minimum and maximum amount of memory (GiB) per vCPU. Default is no minimum or maximum.\\n - `min` - (Optional) Minimum. May be a decimal number, e.g. `0.5`.\\n - `max` - (Optional) Maximum. May be a decimal number, e.g. `0.5`.\\n- `memory_mib` - (Required) Block describing the minimum and maximum amount of memory (MiB). Default is no maximum.\\n - `min` - (Required) Minimum.\\n - `max` - (Optional) Maximum.\\n- `network_bandwidth_gbps` - (Optional) Block describing the minimum and maximum amount of network bandwidth, in gigabits per second (Gbps). Default is no minimum or maximum.\\n - `min` - (Optional) Minimum.\\n - `max` - (Optional) Maximum.\\n- `network_interface_count` - (Optional) Block describing the minimum and maximum number of network interfaces. Default is no minimum or maximum.\\n - `min` - (Optional) Minimum.\\n - `max` - (Optional) Maximum.\\n- `on_demand_max_price_percentage_over_lowest_price` - (Optional) Price protection threshold for On-Demand Instances. 
This is the maximum you’ll pay for an On-Demand Instance, expressed as a percentage higher than the cheapest M, C, or R instance type with your specified attributes. When Amazon EC2 Auto Scaling selects instance types with your attributes, we will exclude instance types whose price is higher than your threshold. The parameter accepts an integer, which Amazon EC2 Auto Scaling interprets as a percentage. To turn off price protection, specify a high value, such as 999999. Default is 20.\\n\\n If you set DesiredCapacityType to vcpu or memory-mib, the price protection threshold is applied based on the per vCPU or per memory price instead of the per instance price.\\n\\n- `require_hibernate_support` - (Optional) Indicate whether instance types must support On-Demand Instance Hibernation, either `true` or `false`. Default is `false`.\\n- `spot_max_price_percentage_over_lowest_price` - (Optional) Price protection threshold for Spot Instances. This is the maximum you’ll pay for a Spot Instance, expressed as a percentage higher than the cheapest M, C, or R instance type with your specified attributes. When Amazon EC2 Auto Scaling selects instance types with your attributes, we will exclude instance types whose price is higher than your threshold. The parameter accepts an integer, which Amazon EC2 Auto Scaling interprets as a percentage. To turn off price protection, specify a high value, such as 999999. Default is 100. Conflicts with `max_spot_price_as_percentage_of_optimal_on_demand_price`\\n\\n If you set DesiredCapacityType to vcpu or memory-mib, the price protection threshold is applied based on the per vCPU or per memory price instead of the per instance price.\\n\\n- `total_local_storage_gb` - (Optional) Block describing the minimum and maximum total local storage (GB). Default is no minimum or maximum.\\n - `min` - (Optional) Minimum. May be a decimal number, e.g. `0.5`.\\n - `max` - (Optional) Maximum. May be a decimal number, e.g. 
`0.5`.\\n- `vcpu_count` - (Required) Block describing the minimum and maximum number of vCPUs. Default is no maximum.\\n - `min` - (Required) Minimum.\\n - `max` - (Optional) Maximum.\\n\\n### tag\\n\\nThe `tag` attribute accepts exactly one tag declaration with the following fields:\\n\\n- `key` - (Required) Key\\n- `value` - (Required) Value\\n- `propagate_at_launch` - (Required) Enables propagation of the tag to\\n Amazon EC2 instances launched via this ASG\\n\\nTo declare multiple tags, additional `tag` blocks can be specified.\\n\\n~> **NOTE:** Other AWS APIs may automatically add special tags to their associated Auto Scaling Group for management purposes, such as ECS Capacity Providers adding the `AmazonECSManaged` tag. These generally should be included in the configuration so Terraform does not attempt to remove them and so if the `min_size` was greater than zero on creation, that these tag(s) are applied to any initial EC2 Instances in the Auto Scaling Group. If these tag(s) were missing in the Auto Scaling Group configuration on creation, affected EC2 Instances missing the tags may require manual intervention of adding the tags to ensure they work properly with the other AWS service.\\n\\n### instance_refresh\\n\\nThis configuration block supports the following:\\n\\n- `strategy` - (Required) Strategy to use for instance refresh. The only allowed value is `Rolling`. See [StartInstanceRefresh Action](https://docs.aws.amazon.com/autoscaling/ec2/APIReference/API_StartInstanceRefresh.html#API_StartInstanceRefresh_RequestParameters) for more information.\\n- `preferences` - (Optional) Override default parameters for Instance Refresh.\\n - `checkpoint_delay` - (Optional) Number of seconds to wait after a checkpoint. Defaults to `3600`.\\n - `checkpoint_percentages` - (Optional) List of percentages for each checkpoint. Values must be unique and in ascending order. 
To replace all instances, the final number must be `100`.\\n - `instance_warmup` - (Optional) Number of seconds until a newly launched instance is configured and ready to use. Default behavior is to use the Auto Scaling Group's health check grace period.\\n - `max_healthy_percentage` - (Optional) Amount of capacity in the Auto Scaling group that can be in service and healthy, or pending, to support your workload when an instance refresh is in place, as a percentage of the desired capacity of the Auto Scaling group. Values must be between `100` and `200`, defaults to `100`.\\n - `min_healthy_percentage` - (Optional) Amount of capacity in the Auto Scaling group that must remain healthy during an instance refresh to allow the operation to continue, as a percentage of the desired capacity of the Auto Scaling group. Defaults to `90`.\\n - `skip_matching` - (Optional) Replace instances that already have your desired configuration. Defaults to `false`.\\n - `auto_rollback` - (Optional) Automatically rollback if instance refresh fails. Defaults to `false`. This option may only be set to `true` when specifying a `launch_template` or `mixed_instances_policy`.\\n - `alarm_specification` - (Optional) Alarm Specification for Instance Refresh.\\n - `alarms` - (Required) List of Cloudwatch alarms. If any of these alarms goes into ALARM state, Instance Refresh is failed.\\n - `scale_in_protected_instances` - (Optional) Behavior when encountering instances protected from scale in are found. Available behaviors are `Refresh`, `Ignore`, and `Wait`. Default is `Ignore`.\\n - `standby_instances` - (Optional) Behavior when encountering instances in the `Standby` state in are found. Available behaviors are `Terminate`, `Ignore`, and `Wait`. Default is `Ignore`.\\n- `triggers` - (Optional) Set of additional property names that will trigger an Instance Refresh. 
A refresh will always be triggered by a change in any of `launch_configuration`, `launch_template`, or `mixed_instances_policy`.\\n\\n~> **NOTE:** A refresh is started when any of the following Auto Scaling Group properties change: `launch_configuration`, `launch_template`, `mixed_instances_policy`. Additional properties can be specified in the `triggers` property of `instance_refresh`.\\n\\n~> **NOTE:** A refresh will not start when `version = \\\"$Latest\\\"` is configured in the `launch_template` block. To trigger the instance refresh when a launch template is changed, configure `version` to use the `latest_version` attribute of the `aws_launch_template` resource.\\n\\n~> **NOTE:** Auto Scaling Groups support up to one active instance refresh at a time. When this resource is updated, any existing refresh is cancelled.\\n\\n~> **NOTE:** Depending on health check settings and group size, an instance refresh may take a long time or fail. This resource does not wait for the instance refresh to complete.\\n\\n### warm_pool\\n\\nThis configuration block supports the following:\\n\\n- `instance_reuse_policy` - (Optional) Whether instances in the Auto Scaling group can be returned to the warm pool on scale in. The default is to terminate instances in the Auto Scaling group when the group scales in.\\n- `max_group_prepared_capacity` - (Optional) Total maximum number of instances that are allowed to be in the warm pool or in any state except Terminated for the Auto Scaling group.\\n- `min_size` - (Optional) Minimum number of instances to maintain in the warm pool. This helps you to ensure that there is always a certain number of warmed instances available to handle traffic spikes. Defaults to 0 if not specified.\\n- `pool_state` - (Optional) Sets the instance state to transition to after the lifecycle hooks finish. 
Valid values are: Stopped (default), Running or Hibernated.\\n\\n### instance_maintenance_policy\\n\\nThis configuration block supports the following:\\n\\n- `min_healthy_percentage` - (Required) Specifies the lower limit on the number of instances that must be in the InService state with a healthy status during an instance replacement activity.\\n- `max_healthy_percentage` - (Required) Specifies the upper limit on the number of instances that are in the InService or Pending state with a healthy status during an instance replacement activity.\\n\\n### traffic_source\\n\\n- `identifier` - Identifies the traffic source. For Application Load Balancers, Gateway Load Balancers, Network Load Balancers, and VPC Lattice, this will be the Amazon Resource Name (ARN) for a target group in this account and Region. For Classic Load Balancers, this will be the name of the Classic Load Balancer in this account and Region.\\n- `type` - Provides additional context for the value of Identifier.\\n The following lists the valid values:\\n `elb` if `identifier` is the name of a Classic Load Balancer.\\n `elbv2` if `identifier` is the ARN of an Application Load Balancer, Gateway Load Balancer, or Network Load Balancer target group.\\n `vpc-lattice` if `identifier` is the ARN of a VPC Lattice target group.\\n\\n##### instance_reuse_policy\\n\\nThis configuration block supports the following:\\n\\n- `reuse_on_scale_in` - (Optional) Whether instances in the Auto Scaling group can be returned to the warm pool on scale in.\",\"attributeReference\":\"## Attribute Reference\\n\\nThis resource exports the following attributes in addition to the arguments above:\\n\\n- `id` - Auto Scaling Group id.\\n- `arn` - ARN for this Auto Scaling Group\\n- `availability_zones` - Availability zones of the Auto Scaling Group.\\n- `min_size` - Minimum size of the Auto Scaling Group\\n- `max_size` - Maximum size of the Auto Scaling Group\\n- `default_cooldown` - Time between a scaling activity and the 
succeeding scaling activity.\\n- `default_instance_warmup` - The duration of the default instance warmup, in seconds.\\n- `name` - Name of the Auto Scaling Group\\n- `health_check_grace_period` - Time after instance comes into service before checking health.\\n- `health_check_type` - \\\"EC2\\\" or \\\"ELB\\\". Controls how health checking is done.\\n- `desired_capacity` -The number of Amazon EC2 instances that should be running in the group.\\n- `launch_configuration` - The launch configuration of the Auto Scaling Group\\n- `predicted_capacity` - Predicted capacity of the group.\\n- `vpc_zone_identifier` (Optional) - The VPC zone identifier\\n- `warm_pool_size` - Current size of the warm pool.\\n\\n~> **NOTE:** When using `ELB` as the `health_check_type`, `health_check_grace_period` is required.\\n\\n~> **NOTE:** Terraform has two types of ways you can add lifecycle hooks - via\\nthe `initial_lifecycle_hook` attribute from this resource, or via the separate\\n[`aws_autoscaling_lifecycle_hook`](/docs/providers/aws/r/autoscaling_lifecycle_hook.html)\\nresource. `initial_lifecycle_hook` exists here because any lifecycle hooks\\nadded with `aws_autoscaling_lifecycle_hook` will not be added until the\\nAuto Scaling Group has been created, and depending on your\\n[capacity](#waiting-for-capacity) settings, after the initial instances have\\nbeen launched, creating unintended behavior. If you need hooks to run on all\\ninstances, add them with `initial_lifecycle_hook` here, but take\\ncare to not duplicate these hooks in `aws_autoscaling_lifecycle_hook`.\\n\\n## Timeouts\\n\\n[Configuration options](https://developer.hashicorp.com/terraform/language/resources/syntax#operation-timeouts):\\n\\n- `delete` - (Default `10m`)\\n\\n## Waiting for Capacity\\n\\nA newly-created ASG is initially empty and begins to scale to `min_size` (or\\n`desired_capacity`, if specified) by launching instances using the provided\\nLaunch Configuration. 
These instances take time to launch and boot.\\n\\nOn ASG Update, changes to these values also take time to result in the target\\nnumber of instances providing service.\\n\\nTerraform provides two mechanisms to help consistently manage ASG scale up\\ntime across dependent resources.\\n\\n#### Waiting for ASG Capacity\\n\\nThe first is default behavior. Terraform waits after ASG creation for\\n`min_size` (or `desired_capacity`, if specified) healthy instances to show up\\nin the ASG before continuing.\\n\\nIf `min_size` or `desired_capacity` are changed in a subsequent update,\\nTerraform will also wait for the correct number of healthy instances before\\ncontinuing.\\n\\nTerraform considers an instance \\\"healthy\\\" when the ASG reports `HealthStatus:\\n\\\"Healthy\\\"` and `LifecycleState: \\\"InService\\\"`. See the [AWS AutoScaling\\nDocs](https://docs.aws.amazon.com/AutoScaling/latest/DeveloperGuide/AutoScalingGroupLifecycle.html)\\nfor more information on an ASG's lifecycle.\\n\\nTerraform will wait for healthy instances for up to\\n`wait_for_capacity_timeout`. If ASG creation is taking more than a few minutes,\\nit's worth investigating for scaling activity errors, which can be caused by\\nproblems with the selected Launch Configuration.\\n\\nSetting `wait_for_capacity_timeout` to `\\\"0\\\"` disables ASG Capacity waiting.\\n\\n#### Waiting for ELB Capacity\\n\\nThe second mechanism is optional, and affects ASGs with attached ELBs specified\\nvia the `load_balancers` attribute or with ALBs specified with `target_group_arns`.\\n\\nThe `min_elb_capacity` parameter causes Terraform to wait for at least the\\nrequested number of instances to show up `\\\"InService\\\"` in all attached ELBs\\nduring ASG creation. 
It has no effect on ASG updates.\\n\\nIf `wait_for_elb_capacity` is set, Terraform will wait for exactly that number\\nof Instances to be `\\\"InService\\\"` in all attached ELBs on both creation and\\nupdates.\\n\\nThese parameters can be used to ensure that service is being provided before\\nTerraform moves on. If new instances don't pass the ELB's health checks for any\\nreason, the Terraform apply will time out, and the ASG will be marked as\\ntainted (i.e., marked to be destroyed in a follow up run).\\n\\nAs with ASG Capacity, Terraform will wait for up to `wait_for_capacity_timeout`\\nfor the proper number of instances to be healthy.\\n\\n#### Troubleshooting Capacity Waiting Timeouts\\n\\nIf ASG creation takes more than a few minutes, this could indicate one of a\\nnumber of configuration problems. See the [AWS Docs on Load Balancer\\nTroubleshooting](https://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-troubleshooting.html)\\nfor more information.\",\"import\":\"## Import\\n\\nIn Terraform v1.5.0 and later, use an [`import` block](https://developer.hashicorp.com/terraform/language/import) to import Auto Scaling Groups using the `name`. For example:\\n\\n```terraform\\nimport {\\n to = aws_autoscaling_group.web\\n id = \\\"web-asg\\\"\\n}\\n```\\n\\nUsing `terraform import`, import Auto Scaling Groups using the `name`. For example:\\n\\n```console\\n% terraform import aws_autoscaling_group.web web-asg\\n```\"}}","tool_call_id":"toolu_017SXM39YYPSWck3AvU7mAAM","name":"terraformDocsFetchTool","additional_kwargs":{},"response_metadata":{}}},{"lc":1,"type":"constructor","id":["langchain_core","messages","HumanMessage"],"kwargs":{"lc_serializable":true,"lc_kwargs":{"lc_serializable":true,"lc_kwargs":{"content":"Based on the documentation and test results, I'll provide a structured analysis:\n\n{\n \"feedback\": \"TO_HUMAN_FEEDBACK\",\n \"suggestion\": \"The Regula rule and Terraform configurations are correctly implemented. 
The rule successfully validates that Auto Scaling group launch configurations do not assign public IP addresses to EC2 instances. The test cases demonstrate proper handling of both compliant and non-compliant configurations. The Terraform code uses documented attributes correctly according to the AWS provider specifications.\",\n \"analysis\": {\n \"terraform_validation\": {\n \"launch_configuration\": {\n \"required_fields_present\": true,\n \"attribute_correctness\": true,\n \"documentation_compliance\": true\n },\n \"autoscaling_group\": {\n \"required_fields_present\": true,\n \"attribute_correctness\": true,\n \"documentation_compliance\": true\n }\n },\n \"regula_rule\": {\n \"effectiveness\": \"The rule correctly identifies and flags launch configurations that assign public IP addresses\",\n \"completeness\": \"The rule covers all necessary checks for public IP assignment in launch configurations\",\n \"accuracy\": \"Test results show accurate detection of both compliant and non-compliant configurations\"\n }\n }\n}\n\nThe implementation is correct and follows best practices because:\n1. The Terraform configurations use documented attributes correctly\n2. The Regula rule properly implements the security requirement\n3. Test cases demonstrate proper validation of the security control\n4. 
No modifications are needed to the existing code","additional_kwargs":{"id":"msg_01VwEM7n4CpejBBwPKd3DnSG","type":"message","role":"assistant","model":"claude-3-5-sonnet-20241022","stop_reason":"end_turn","stop_sequence":null,"usage":{"input_tokens":25612,"output_tokens":346}},"usage_metadata":{"input_tokens":25612,"output_tokens":346,"total_tokens":25958},"response_metadata":{"id":"msg_01VwEM7n4CpejBBwPKd3DnSG","type":"message","role":"assistant","model":"claude-3-5-sonnet-20241022","stop_reason":"end_turn","stop_sequence":null,"usage":{"input_tokens":25612,"output_tokens":346}},"id":"msg_01VwEM7n4CpejBBwPKd3DnSG","tool_calls":[],"invalid_tool_calls":[]},"lc_namespace":["langchain_core","messages"],"content":"Based on the documentation and test results, I'll provide a structured analysis:\n\n{\n \"feedback\": \"TO_HUMAN_FEEDBACK\",\n \"suggestion\": \"The Regula rule and Terraform configurations are correctly implemented. The rule successfully validates that Auto Scaling group launch configurations do not assign public IP addresses to EC2 instances. The test cases demonstrate proper handling of both compliant and non-compliant configurations. 
The Terraform code uses documented attributes correctly according to the AWS provider specifications.\",\n \"analysis\": {\n \"terraform_validation\": {\n \"launch_configuration\": {\n \"required_fields_present\": true,\n \"attribute_correctness\": true,\n \"documentation_compliance\": true\n },\n \"autoscaling_group\": {\n \"required_fields_present\": true,\n \"attribute_correctness\": true,\n \"documentation_compliance\": true\n }\n },\n \"regula_rule\": {\n \"effectiveness\": \"The rule correctly identifies and flags launch configurations that assign public IP addresses\",\n \"completeness\": \"The rule covers all necessary checks for public IP assignment in launch configurations\",\n \"accuracy\": \"Test results show accurate detection of both compliant and non-compliant configurations\"\n }\n }\n}\n\nThe implementation is correct and follows best practices because:\n1. The Terraform configurations use documented attributes correctly\n2. The Regula rule properly implements the security requirement\n3. Test cases demonstrate proper validation of the security control\n4. 
No modifications are needed to the existing code","name":"RegoReviewer","additional_kwargs":{"id":"msg_01VwEM7n4CpejBBwPKd3DnSG","type":"message","role":"assistant","model":"claude-3-5-sonnet-20241022","stop_reason":"end_turn","stop_sequence":null,"usage":{"input_tokens":25612,"output_tokens":346}},"response_metadata":{"id":"msg_01VwEM7n4CpejBBwPKd3DnSG","model":"claude-3-5-sonnet-20241022","stop_reason":"end_turn","stop_sequence":null,"usage":{"input_tokens":25612,"output_tokens":346},"type":"message","role":"assistant"},"id":"msg_01VwEM7n4CpejBBwPKd3DnSG","tool_calls":[],"invalid_tool_calls":[],"usage_metadata":{"input_tokens":25612,"output_tokens":346,"total_tokens":25958}},"lc_namespace":["langchain_core","messages"],"content":"Based on the documentation and test results, I'll provide a structured analysis:\n\n{\n \"feedback\": \"TO_HUMAN_FEEDBACK\",\n \"suggestion\": \"The Regula rule and Terraform configurations are correctly implemented. The rule successfully validates that Auto Scaling group launch configurations do not assign public IP addresses to EC2 instances. The test cases demonstrate proper handling of both compliant and non-compliant configurations. 
The Terraform code uses documented attributes correctly according to the AWS provider specifications.\",\n \"analysis\": {\n \"terraform_validation\": {\n \"launch_configuration\": {\n \"required_fields_present\": true,\n \"attribute_correctness\": true,\n \"documentation_compliance\": true\n },\n \"autoscaling_group\": {\n \"required_fields_present\": true,\n \"attribute_correctness\": true,\n \"documentation_compliance\": true\n }\n },\n \"regula_rule\": {\n \"effectiveness\": \"The rule correctly identifies and flags launch configurations that assign public IP addresses\",\n \"completeness\": \"The rule covers all necessary checks for public IP assignment in launch configurations\",\n \"accuracy\": \"Test results show accurate detection of both compliant and non-compliant configurations\"\n }\n }\n}\n\nThe implementation is correct and follows best practices because:\n1. The Terraform configurations use documented attributes correctly\n2. The Regula rule properly implements the security requirement\n3. Test cases demonstrate proper validation of the security control\n4. 
No modifications are needed to the existing code","name":"RegoReviewer","additional_kwargs":{"id":"msg_01VwEM7n4CpejBBwPKd3DnSG","type":"message","role":"assistant","model":"claude-3-5-sonnet-20241022","stop_reason":"end_turn","stop_sequence":null,"usage":{"input_tokens":25612,"output_tokens":346}},"response_metadata":{"id":"msg_01VwEM7n4CpejBBwPKd3DnSG","model":"claude-3-5-sonnet-20241022","stop_reason":"end_turn","stop_sequence":null,"usage":{"input_tokens":25612,"output_tokens":346},"type":"message","role":"assistant"},"id":"msg_01VwEM7n4CpejBBwPKd3DnSG","tool_calls":[],"invalid_tool_calls":[],"usage_metadata":{"input_tokens":25612,"output_tokens":346,"total_tokens":25958}}}],"sender":"RegoReviewer","outputFilePaths":["/output/aws_autoscaling_launch_config_public_ip.rego","/output/aws_autoscaling_launch_config_public_ip_allow.tf","/output/aws_autoscaling_launch_config_public_ip_deny.tf"],"RegoSaver":"RegoSaver"},"channel_versions":{"__start__":2,"messages":9,"sender":9,"outputFilePaths":10,"__start__:RegoWriter":3,"RegoWriter":4,"RegoRunner":7,"branch:RegoRunner:regoRunnerRouter:tools":5,"tools":6,"branch:RegoRunner:regoRunnerRouter:RegoReviewer":7,"RegoReviewer":10,"branch:RegoReviewer:regoReviewerRouter:terraformDocsTool":8,"terraformDocsTool":9,"branch:RegoReviewer:regoReviewerRouter:RegoSaver":10,"RegoSaver":10},"versions_seen":{"__input__":{},"__start__":{"__start__":1},"RegoWriter":{"__start__:RegoWriter":2},"RegoRunner":{"RegoWriter":3,"tools":5},"tools":{"branch:RegoRunner:regoRunnerRouter:tools":4},"RegoReviewer":{"branch:RegoRunner:regoRunnerRouter:RegoReviewer":6,"terraformDocsTool":8},"terraformDocsTool":{"branch:RegoReviewer:regoReviewerRouter:terraformDocsTool":7},"RegoSaver":{"branch:RegoReviewer:regoReviewerRouter:RegoSaver":9}}},"metadata":{"source":"loop","writes":{"RegoSaver":{"outputFilePaths":["/output/aws_autoscaling_launch_config_public_ip.rego","/output/aws_autoscaling_launch_config_public_ip_allow.tf","/output/aws_autoscaling_launch_confi
g_public_ip_deny.tf"]}},"step":8,"parents":{"":"1efa04dc-8f91-6df0-fffe-7535b2ef9d92"}},"checkpointId":"1efa04df-c389-6fb0-8008-df969fb9bf18"} \ No newline at end of file
diff --git a/output/aws_autoscaling_launch_config_public_ip.rego b/output/aws_autoscaling_launch_config_public_ip.rego
new file mode 100644
index 0000000..8eaa0cd
--- /dev/null
+++ b/output/aws_autoscaling_launch_config_public_ip.rego
@@ -0,0 +1,44 @@
+package rules.autoscaling_launch_config_public_ip
+
+import data.fugue
+
+__rego__metadoc__ := {
+ "id": "Autoscaling.5",
+ "title": "Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses",
+ "description": "Auto Scaling group launch configurations must not assign public IP addresses to EC2 instances for enhanced security. Instances should only be accessible through load balancers and not directly exposed to the internet.",
+ "custom": {
+ "controls": {"AWS-Foundational-Security-Best-Practices_v1.0.0": ["AWS-Foundational-Security-Best-Practices_v1.0.0_Autoscaling.5"]},
+ "severity": "High"
+ }
+}
+
+resource_type := "MULTIPLE"
+
+# Get all launch configurations
+launch_configs = fugue.resources("aws_launch_configuration")
+
+# Helper function to check if public IP is disabled
+is_public_ip_disabled(config) {
+ config.associate_public_ip_address == false
+}
+
+is_public_ip_disabled(config) {
+ not config.associate_public_ip_address
+}
+
+# Allow configurations with public IP disabled
+policy[p] {
+ config := launch_configs[_]
+ is_public_ip_disabled(config)
+ p = fugue.allow_resource(config)
+}
+
+# Deny configurations with public IP enabled
+policy[p] {
+ config := launch_configs[_]
+ not is_public_ip_disabled(config)
+ p = fugue.deny_resource_with_message(
+ config,
+ "Launch configuration should not assign public IP addresses to EC2 instances"
+ )
+}
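Review bot: `is_public_ip_disabled` treats a launch configuration that omits `associate_public_ip_address` as compliant, because the second clause `not config.associate_public_ip_address` succeeds for an undefined attribute, and that makes the first clause `config.associate_public_ip_address == false` redundant since `not` already covers an explicit false. If the goal is to mirror Security Hub Autoscaling.5, which as far as I recall only fails an explicit `true`, that is the intended behaviour, but an omitted attribute leaves the decision to the subnet's auto-assign setting, which this rule cannot see, so the intent should be written down: collapse the two bodies into one, `not config.associate_public_ip_address`, preceded by `# Absent attribute passes: only an explicit true is flagged; subnet-level auto-assign is out of scope for this rule`. A smaller style point: `launch_configs = fugue.resources(...)` mixes `=` with the `:=` used for `resource_type` and `__rego__metadoc__`; `launch_configs := fugue.resources("aws_launch_configuration")` keeps the file consistent.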
diff --git a/output/aws_autoscaling_launch_config_public_ip_allow.tf b/output/aws_autoscaling_launch_config_public_ip_allow.tf
new file mode 100644
index 0000000..c7a770b
--- /dev/null
+++ b/output/aws_autoscaling_launch_config_public_ip_allow.tf
@@ -0,0 +1,44 @@
+provider "aws" {
+ alias = "pass_aws"
+ region = "us-west-2"
+}
+
+# Create a compliant launch configuration with public IP disabled
+resource "aws_launch_configuration" "pass_config" {
+ provider = aws.pass_aws
+ name_prefix = "pass-launch-config"
+ image_id = "ami-0c55b159cbfafe1f0"
+ instance_type = "t2.micro"
+
+ # Compliant: Explicitly disabling public IP
+ associate_public_ip_address = false
+
+ security_groups = ["sg-12345678"]
+
+ root_block_device {
+ volume_size = 8
+ volume_type = "gp2"
+ encrypted = true
+ }
+
+ lifecycle {
+ create_before_destroy = true
+ }
+}
+
+# Create autoscaling group using the compliant launch configuration
+resource "aws_autoscaling_group" "pass_asg" {
+ provider = aws.pass_aws
+ name = "pass-asg"
+ max_size = 3
+ min_size = 1
+ desired_capacity = 1
+ launch_configuration = aws_launch_configuration.pass_config.name
+ vpc_zone_identifier = ["subnet-12345678"]
+
+ tag {
+ key = "Environment"
+ value = "Production"
+ propagate_at_launch = true
+ }
+}
diff --git a/output/aws_autoscaling_launch_config_public_ip_deny.tf b/output/aws_autoscaling_launch_config_public_ip_deny.tf
new file mode 100644
index 0000000..86bd1b4
--- /dev/null
+++ b/output/aws_autoscaling_launch_config_public_ip_deny.tf
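Review bot: The pass fixture differs from the fail fixture in the next hunk (`aws_autoscaling_launch_config_public_ip_deny.tf`) in more than the attribute under test: `encrypted = true` inside `root_block_device` and the whole `tag` block exist only here. A pass/fail pair that differs only in `associate_public_ip_address` is what isolates the rule, so either drop `encrypted = true` and the `tag` block from this file or add both to the fail fixture; otherwise a passing test could be explained by some other difference between the two configurations. If the harness also evaluates other rules against these fixtures and the encryption flag is deliberate, a one-line comment such as `# encrypted is unrelated to Autoscaling.5; kept so other rules pass` would settle the question.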
@@ -0,0 +1,37 @@
+provider "aws" {
+ alias = "fail_aws"
+ region = "us-west-2"
+}
+
+# Create a non-compliant launch configuration with public IP enabled
+resource "aws_launch_configuration" "fail_config" {
+ provider = aws.fail_aws
+ name_prefix = "fail-launch-config"
+ image_id = "ami-0c55b159cbfafe1f0"
+ instance_type = "t2.micro"
+
+ # Non-compliant: Explicitly enabling public IP
+ associate_public_ip_address = true
+
+ security_groups = ["sg-12345678"]
+
+ root_block_device {
+ volume_size = 8
+ volume_type = "gp2"
+ }
+
+ lifecycle {
+ create_before_destroy = true
+ }
+}
+
+# Create autoscaling group using the non-compliant launch configuration
+resource "aws_autoscaling_group" "fail_asg" {
+ provider = aws.fail_aws
+ name = "fail-asg"
+ max_size = 3
+ min_size = 1
+ desired_capacity = 1
+ launch_configuration = aws_launch_configuration.fail_config.name
+ vpc_zone_identifier = ["subnet-12345678"]
+}
diff --git a/test-data/data.csv b/test-data/data.csv
new file mode 100644
index 0000000..5839f73
--- /dev/null
+++ b/test-data/data.csv
@@ -0,0 +1,2 @@
+"title","urls","description","status"
+[Autoscaling.5] Amazon EC2 instances launched using Auto Scaling group launch configurations should not have Public IP addresses,https://docs.aws.amazon.com/securityhub/latest/userguide/autoscaling-controls.html#autoscaling-5,TODO
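Review bot: The data row carries three fields under a four-column header, so `TODO` is read as the `description` and `status` comes out empty, which a consumer keying on `status` will silently miss. If `TODO` is meant as the status, the row needs an explicit empty description field, i.e. end it with `...autoscaling-controls.html#autoscaling-5,,TODO`; if it is the description, the status field is missing instead. Quoting the title like the header row is quoted would also keep the file uniform should a future title contain a comma.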