fix(query): terraform alb_is_not_integrated_with_waf

Checkmarx · Aug 11, 2023 · b4bd5a7 · b4bd5a7
1 parent 45deb5d
commit b4bd5a7
Show file tree

Hide file tree

Showing 6 changed files with 39 additions and 3 deletions.
diff --git a/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/query.rego b/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/query.rego
@@ -2,11 +2,16 @@ package Cx
 
 import data.generic.terraform as tf_lib
 
+waf := {
+    "aws_wafv2_web_acl_association",
+    "aws_wafregional_web_acl_association",
+}
+
 CxPolicy[result] {
 	lb := {"aws_alb", "aws_lb"}
 	resource := input.document[i].resource[lb[idx]][name]
 	not is_internal_alb(resource)
-	not associated_waf(name)
+	count({x | x := associated_waf(name); x == false}) == 2
 
 	result := {
 		"documentId": input.document[i].id,
@@ -24,7 +29,7 @@ is_internal_alb(resource) {
 }
 
 associated_waf(name) {
-	waf := input.document[_].resource.aws_wafregional_web_acl_association[waf_name]
+	waf := input.document[_].resource.waf[_][waf_name]
 	attribute := waf.resource_arn
 	attribute_split := split(attribute, ".")
 	options := {"${aws_alb", "${aws_lb"}

diff --git a/..._not_integrated_with_waf/test/negative.tf → ...not_integrated_with_waf/test/negative1.tf b/..._not_integrated_with_waf/test/negative.tf → ...not_integrated_with_waf/test/negative1.tf
diff --git a/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/negative2.tf b/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/negative2.tf
@@ -0,0 +1,12 @@
+resource "aws_lb" "alb" {
+  name               = "test-lb-tf"
+  internal           = false
+  load_balancer_type = "application"
+  security_groups    = [aws_security_group.lb_sg.id]
+  subnets            = [for subnet in aws_subnet.public : subnet.id]
+}
+
+resource "aws_wafv2_web_acl_association" "alb_waf_association" {
+  resource_arn = aws_lb.alb.arn
+  web_acl_arn  = aws_wafv2_web_acl.example.arn
+}
diff --git a/..._not_integrated_with_waf/test/positive.tf → ...not_integrated_with_waf/test/positive1.tf b/..._not_integrated_with_waf/test/positive.tf → ...not_integrated_with_waf/test/positive1.tf
diff --git a/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/positive2.tf b/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/positive2.tf
@@ -0,0 +1,12 @@
+resource "aws_lb" "alb" {
+  name               = "test-lb-tf"
+  internal           = false
+  load_balancer_type = "application"
+  security_groups    = [aws_security_group.lb_sg.id]
+  subnets            = [for subnet in aws_subnet.public : subnet.id]
+}
+
+resource "aws_wafv2_web_acl_association" "alb_waf_association" {
+  resource_arn = aws_lb.alba.arn
+  web_acl_arn  = aws_wafv2_web_acl.example.arn
+}
diff --git a/...s/queries/terraform/aws/alb_is_not_integrated_with_waf/test/positive_expected_result.json b/...s/queries/terraform/aws/alb_is_not_integrated_with_waf/test/positive_expected_result.json
@@ -2,6 +2,13 @@
   {
     "queryName": "ALB Is Not Integrated With WAF",
     "severity": "MEDIUM",
-    "line": 1
+    "line": 1,
+    "filename": "positive1.tf"
+  },
+  {
+    "queryName": "ALB Is Not Integrated With WAF",
+    "severity": "MEDIUM",
+    "line": 1,
+    "filename": "positive2.tf"
   }
 ]