diff --git a/checkov/terraform/checks/graph_checks/aws/EIPAllocatedToVPCAttachedEC2.yaml b/checkov/terraform/checks/graph_checks/aws/EIPAllocatedToVPCAttachedEC2.yaml
index b0cf814dcd..7ca73bbab8 100644
--- a/checkov/terraform/checks/graph_checks/aws/EIPAllocatedToVPCAttachedEC2.yaml
+++ b/checkov/terraform/checks/graph_checks/aws/EIPAllocatedToVPCAttachedEC2.yaml
@@ -54,6 +54,13 @@ definition:
           - aws_transfer_server
         operator: exists
         cond_type: connection
+      - resource_types:
+          - aws_eip
+        connected_resource_types:
+          - aws_lb
+          - aws_alb
+        operator: exists
+        cond_type: connection
       - cond_type: attribute
         resource_types:
           - aws_eip
diff --git a/tests/terraform/graph/checks/resources/EIPAllocatedToVPCAttachedEC2/expected.yaml b/tests/terraform/graph/checks/resources/EIPAllocatedToVPCAttachedEC2/expected.yaml
index 56f7ea2d53..cbfe52d854 100644
--- a/tests/terraform/graph/checks/resources/EIPAllocatedToVPCAttachedEC2/expected.yaml
+++ b/tests/terraform/graph/checks/resources/EIPAllocatedToVPCAttachedEC2/expected.yaml
@@ -5,5 +5,6 @@ pass:
   - "aws_eip.eip_ok_transer_server"
   - "aws_eip.ok_eip_domain"
   - "aws_eip.ok_eip_domain_assoc"
+  - "aws_eip.ok_eip_nlb"
 fail:
   - "aws_eip.not_ok_eip"
diff --git a/tests/terraform/graph/checks/resources/EIPAllocatedToVPCAttachedEC2/main.tf b/tests/terraform/graph/checks/resources/EIPAllocatedToVPCAttachedEC2/main.tf
index d19b82ad0d..1db6b8c1be 100644
--- a/tests/terraform/graph/checks/resources/EIPAllocatedToVPCAttachedEC2/main.tf
+++ b/tests/terraform/graph/checks/resources/EIPAllocatedToVPCAttachedEC2/main.tf
@@ -112,3 +112,20 @@ resource "aws_eip" "ok_eip_data" {
   instance = data.aws_instance.id
   vpc = true
 }
+
+# via aws_lb (Network Load Balancer with subnet_mapping)
+
+resource "aws_eip" "ok_eip_nlb" {
+  domain = "vpc"
+}
+
+resource "aws_lb" "nlb" {
+  name = "my-nlb"
+  internal = false
+  load_balancer_type = "network"
+
+  subnet_mapping {
+    subnet_id = "subnet-12345"
+    allocation_id = aws_eip.ok_eip_nlb.id
+  }
+}
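Review bot: The new `connection` clause with `operator: exists` passes the EIP on any graph edge between `aws_eip` and `aws_lb`/`aws_alb`, not specifically on a `subnet_mapping.allocation_id` attachment. If the graph builds that edge from any attribute reference (I cannot confirm the edge semantics from this hunk), an `aws_lb` that merely reads `aws_eip.x.public_ip` into a tag or name would make an otherwise unattached EIP pass, which weakens the check's intent; the existing `aws_instance`/`aws_nat_gateway` clauses share the same shape, so this is consistent with them, but it is worth confirming or narrowing before relying on it. The two type names also deserve a one-line note so the duplication is not "cleaned up" later: `# aws_alb is the provider's legacy alias of aws_lb; both type names occur in the wild`. The enclosing `definition:` list starts and ends outside this hunk.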
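Review bot: The fixture exercises only the `aws_lb` branch of the new clause; `aws_alb` is added to `connected_resource_types` in the check but no resource of that type exists in `main.tf`, so a regression that drops the alias would go unnoticed. I would add a second passing EIP attached through an `aws_alb` resource (below) and list `aws_eip.ok_eip_alb_alias` under `pass:` in `expected.yaml`. The comment `# via aws_lb (Network Load Balancer with subnet_mapping)` could also state why this counts as attached, e.g. `# NLB subnet_mapping.allocation_id binds the EIP, so it is not dangling`.
```hcl
# via aws_alb (legacy alias of aws_lb) — covers the second type name in the check

resource "aws_eip" "ok_eip_alb_alias" {
  domain = "vpc"
}

resource "aws_alb" "nlb_alias" {
  name               = "my-nlb-alias"
  internal           = false
  load_balancer_type = "network"

  subnet_mapping {
    subnet_id     = "subnet-12345"
    allocation_id = aws_eip.ok_eip_alb_alias.id
  }
}
```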