From b4bd5a7efc318aea55d00dc6bbcac03a6095a661 Mon Sep 17 00:00:00 2001
From: cx-henriqueAlvelos
Date: Fri, 11 Aug 2023 17:05:50 +0100
Subject: [PATCH] fix(query): terraform alb_is_not_integrated_with_waf

---
 .../aws/alb_is_not_integrated_with_waf/query.rego | 9 +++++++--
 .../test/{negative.tf => negative1.tf} | 0
 .../alb_is_not_integrated_with_waf/test/negative2.tf | 12 ++++++++++++
 .../test/{positive.tf => positive1.tf} | 0
 .../alb_is_not_integrated_with_waf/test/positive2.tf | 12 ++++++++++++
 .../test/positive_expected_result.json | 9 ++++++++-
 6 files changed, 39 insertions(+), 3 deletions(-)
 rename assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/{negative.tf => negative1.tf} (100%)
 create mode 100644 assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/negative2.tf
 rename assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/{positive.tf => positive1.tf} (100%)
 create mode 100644 assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/positive2.tf

diff --git a/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/query.rego b/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/query.rego
index 3f0098d019d..5775781d861 100644
--- a/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/query.rego
+++ b/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/query.rego
@@ -2,11 +2,16 @@ package Cx
 import data.generic.terraform as tf_lib
+waf := {
+ "aws_wafv2_web_acl_association",
+ "aws_wafregional_web_acl_association",
+}
+
 CxPolicy[result] {
 lb := {"aws_alb", "aws_lb"}
 resource := input.document[i].resource[lb[idx]][name]
 not is_internal_alb(resource)
- not associated_waf(name)
+ count({x | x := associated_waf(name); x == false}) == 2
 result := {
 "documentId": input.document[i].id,
@@ -24,7 +29,7 @@ is_internal_alb(resource) {
 }
 associated_waf(name) {
- waf := input.document[_].resource.aws_wafregional_web_acl_association[waf_name]
+ waf := input.document[_].resource.waf[_][waf_name]
 attribute := waf.resource_arn
 attribute_split := split(attribute, ".")
 options := {"${aws_alb", "${aws_lb"}
diff --git a/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/negative.tf b/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/negative1.tf
similarity index 100%
rename from assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/negative.tf
rename to assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/negative1.tf
diff --git a/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/negative2.tf b/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/negative2.tf
new file mode 100644
index 00000000000..363bcdeada9
--- /dev/null
+++ b/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/negative2.tf
@@ -0,0 +1,12 @@
+resource "aws_lb" "alb" {
+ name = "test-lb-tf"
+ internal = false
+ load_balancer_type = "application"
+ security_groups = [aws_security_group.lb_sg.id]
+ subnets = [for subnet in aws_subnet.public : subnet.id]
+}
+
+resource "aws_wafv2_web_acl_association" "alb_waf_association" {
+ resource_arn = aws_lb.alb.arn
+ web_acl_arn = aws_wafv2_web_acl.example.arn
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/positive.tf b/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/positive1.tf
similarity index 100%
rename from assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/positive.tf
rename to assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/positive1.tf
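Review bot: The added `waf := input.document[_].resource.waf[_][waf_name]` reads a literal `"waf"` key on the resource map rather than iterating the `waf` set declared at the top of the file, so neither `aws_wafv2_web_acl_association` nor `aws_wafregional_web_acl_association` is matched and the check silently stops recognising any WAF association; it should be `assoc := input.document[_].resource[waf[_]][waf_name]` followed by `attribute := assoc.resource_arn` (the rename also stops the local from shadowing the package-level set). The caller's `count({x | x := associated_waf(name); x == false}) == 2` in the previous hunk is suspect for the same rule: as far as I can tell a body-only Rego function evaluates to `true` or is undefined, never `false`, so that comprehension is empty for every input and the original `not associated_waf(name)` expresses the intent directly. Given both points, it is worth confirming that positive_expected_result.json was produced by running the query against the new fixtures rather than written by hand. `associated_waf`'s body continues past the end of the hunk.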
diff --git a/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/positive2.tf b/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/positive2.tf
new file mode 100644
index 00000000000..60f8ea2fc87
--- /dev/null
+++ b/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/positive2.tf
@@ -0,0 +1,12 @@
+resource "aws_lb" "alb" {
+ name = "test-lb-tf"
+ internal = false
+ load_balancer_type = "application"
+ security_groups = [aws_security_group.lb_sg.id]
+ subnets = [for subnet in aws_subnet.public : subnet.id]
+}
+
+resource "aws_wafv2_web_acl_association" "alb_waf_association" {
+ resource_arn = aws_lb.alba.arn
+ web_acl_arn = aws_wafv2_web_acl.example.arn
+}
\ No newline at end of file
diff --git a/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/positive_expected_result.json b/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/positive_expected_result.json
index c447e1598d4..412dc085a1f 100644
--- a/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/positive_expected_result.json
@@ -2,6 +2,13 @@
 {
 "queryName": "ALB Is Not Integrated With WAF",
 "severity": "MEDIUM",
- "line": 1
+ "line": 1,
+ "filename": "positive1.tf"
+ },
+ {
+ "queryName": "ALB Is Not Integrated With WAF",
+ "severity": "MEDIUM",
+ "line": 1,
+ "filename": "positive2.tf"
 }
 ]