For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/ansible/aws/auto_scaling_group_with_no_associated_elb.md. A documentation index is available at /llms.txt.

Auto Scaling Group with no associated ELB

This product is not supported for your selected Datadog site. ().

Metadata

Id: ansible-aws-auto-scaling-group-with-no-associated-elb

Cloud Provider: AWS

Platform: Ansible

Severity: Medium

Category: Availability

Learn More

Description

Auto Scaling Groups must be associated with a load balancer so new instances receive traffic and health checks can detect and replace unhealthy instances. Without a load balancer, instances may not serve requests, and application availability and scaling behavior can be impacted.

For Ansible autoscaling_group tasks (modules amazon.aws.autoscaling_group and autoscaling_group), the load_balancers property must be defined and set to a non-empty list of Classic ELB names. Tasks missing the load_balancers property or with load_balancers: [] are flagged. If you use Application Load Balancers with target groups instead of Classic ELBs, configure target_group_arns accordingly—this rule only validates the load_balancers attribute.

Secure example:

- name: Create Auto Scaling Group with ELB
  amazon.aws.autoscaling_group:
    name: my-asg
    launch_template: my-launch-template
    min_size: 2
    max_size: 5
    load_balancers:
      - my-classic-elb

Compliant Code Examples

- name: elb12
  amazon.aws.autoscaling_group:
    name: special
    load_balancers: [ 'lb1', 'lb2' ]
    availability_zones: [ 'eu-west-1a', 'eu-west-1b' ]
    launch_config_name: 'lc-1'
    min_size: 1
    max_size: 10
    desired_capacity: 5
    vpc_zone_identifier: [ 'subnet-abcd1234', 'subnet-1a2b3c4d' ]
    tags:
      - environment: production
        propagate_at_launch: no

- name: elb22
  amazon.aws.autoscaling_group:
    name: special
    load_balancers: [ 'lb1', 'lb2' ]
    availability_zones: [ 'eu-west-1a', 'eu-west-1b' ]
    launch_config_name: 'lc-1'
    min_size: 1
    max_size: 10
    desired_capacity: 5
    vpc_zone_identifier: [ 'subnet-abcd1234', 'subnet-1a2b3c4d' ]
    tags:
      - environment: production
        propagate_at_launch: no

Non-Compliant Code Examples

- name: elb2
  amazon.aws.autoscaling_group:
    name: special
    availability_zones: [ 'eu-west-1a', 'eu-west-1b' ]
    launch_config_name: 'lc-1'
    min_size: 1
    max_size: 10
    desired_capacity: 5
    vpc_zone_identifier: [ 'subnet-abcd1234', 'subnet-1a2b3c4d' ]
    tags:
      - environment: production
        propagate_at_launch: no

- name: elb1
  amazon.aws.autoscaling_group:
    name: special
    load_balancers: []
    availability_zones: [ 'eu-west-1a', 'eu-west-1b' ]
    launch_config_name: 'lc-1'
    min_size: 1
    max_size: 10
    desired_capacity: 5
    vpc_zone_identifier: [ 'subnet-abcd1234', 'subnet-1a2b3c4d' ]
    tags:
      - environment: production
        propagate_at_launch: no