Control: ELB application and classic load balancer logging should be enabled
Description
Elastic Load Balancing activity is a central point of communication within an environment. Ensure that logging is enabled to track the activities of the load balancer.
Usage
Run the control in your terminal:
powerpipe control run terraform_aws_compliance.control.elb_application_classic_network_lb_logging_enabled
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run terraform_aws_compliance.control.elb_application_classic_network_lb_logging_enabled --share
SQL
This control uses a named query:
(
  select
    address as resource,
    case
      -- The Gateway Load Balancer does not generate access logs since it is a transparent layer 3 load balancer that does not terminate flows.
      -- Boolean to enable / disable access_logs. Defaults to false, even when bucket is specified.
      when (attributes_std ->> 'load_balancer_type') = 'gateway' then 'skip'
      when (attributes_std -> 'access_logs') is null then 'alarm'
      when (attributes_std -> 'access_logs' -> 'enabled')::bool then 'ok'
      else 'alarm'
    end status,
    split_part(address, '.', 2) || case
      when (attributes_std ->> 'load_balancer_type') = 'gateway' then ' load balancer is of ' || (attributes_std ->> 'load_balancer_type') || ' type'
      when (attributes_std -> 'access_logs') is null then ' logging disabled'
      when (attributes_std -> 'access_logs' -> 'enabled')::bool then ' logging enabled'
      else ' logging disabled'
    end || '.' as reason,
    path || ':' || start_line
  from
    terraform_resource
  where
    type in ('aws_lb', 'aws_alb')
)
union
(
  select
    address as resource,
    case
      when (attributes_std -> 'access_logs') is null then 'alarm'
      when (attributes_std -> 'access_logs' -> 'enabled')::bool then 'ok'
      else 'alarm'
    end status,
    split_part(address, '.', 2) || case
      when (attributes_std -> 'access_logs') is null then ' logging disabled'
      when (attributes_std -> 'access_logs' -> 'enabled')::bool then ' logging enabled'
      else ' logging disabled'
    end || '.' reason,
    path || ':' || start_line
  from
    terraform_resource
  where
    type = 'aws_elb'
);
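The Terraform below is an added example, not part of the terraform_aws_compliance mod, showing one resource for each status the query above can return (alarm, ok, skip) for both the aws_lb and aws_elb resource types, so you can see which configuration shapes pass and which fail. Bucket name, subnet ids and availability zone are placeholders.

```terraform
# Added example (not part of the terraform_aws_compliance mod).
# Subnet ids, the availability zone and the bucket name are placeholders.

# Status: alarm. No access_logs block, so (attributes_std -> 'access_logs') is null.
resource "aws_lb" "no_logging" {
  name               = "app-no-logging"
  load_balancer_type = "application"
  subnets            = ["subnet-placeholder-a", "subnet-placeholder-b"]
}

# Status: alarm. The block exists but "enabled" defaults to false,
# even though a bucket is specified; the cast of a missing key falls to the else branch.
resource "aws_lb" "logging_block_but_disabled" {
  name               = "app-logging-disabled"
  load_balancer_type = "application"
  subnets            = ["subnet-placeholder-a", "subnet-placeholder-b"]

  access_logs {
    bucket = aws_s3_bucket.lb_logs.id
  }
}

# Status: ok. access_logs.enabled is explicitly true.
resource "aws_lb" "logging_enabled" {
  name               = "app-logging-enabled"
  load_balancer_type = "application"
  subnets            = ["subnet-placeholder-a", "subnet-placeholder-b"]

  access_logs {
    bucket  = aws_s3_bucket.lb_logs.id
    prefix  = "alb"
    enabled = true
  }
}

# Status: skip. A gateway load balancer does not produce access logs,
# so the control does not evaluate it.
resource "aws_lb" "gateway" {
  name               = "gwlb"
  load_balancer_type = "gateway"
  subnets            = ["subnet-placeholder-a"]
}

# Classic ELB, status: ok. aws_elb uses its own access_logs block
# (bucket, bucket_prefix, interval, enabled) and is matched by the second half of the union.
resource "aws_elb" "classic_logging_enabled" {
  name               = "classic-logging-enabled"
  availability_zones = ["us-east-1a"]

  listener {
    instance_port     = 80
    instance_protocol = "http"
    lb_port           = 80
    lb_protocol       = "http"
  }

  access_logs {
    bucket        = aws_s3_bucket.lb_logs.id
    bucket_prefix = "classic"
    interval      = 60
    enabled       = true
  }
}

# Destination bucket for the access logs (placeholder name).
resource "aws_s3_bucket" "lb_logs" {
  bucket = "lb-access-logs-placeholder"
}
```

Running the control against a directory containing this file reports two alarms, two ok results and one skip. Note that the control only inspects the Terraform attributes; at apply time the S3 bucket additionally needs a bucket policy that allows the Elastic Load Balancing service to write objects into it, otherwise enabling access_logs fails with an access-denied error from AWS.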