fix(query): resolve false positive on ALB WAF integration with WAFv2 #7405

Author: cx-prathmesh-borle

assets/queries/cloudFormation/aws/alb_is_not_integrated_with_waf/query.rego

@@ -26,14 +26,28 @@ internal_alb(resource) {
 	scheme == "internal"
 }
 
+waf_association_types := {"AWS::WAFRegional::WebACLAssociation", "AWS::WAFv2::WebACLAssociation"}
+
 associated_waf(target_alb) {
 	resource := input.document[_].Resources[_]
-	resource.Type == "AWS::WAFRegional::WebACLAssociation"
+	waf_association_types[resource.Type]
 	resource.Properties.ResourceArn.Ref == target_alb
 }
 
 associated_waf(target_alb) {
 	resource := input.document[_].Resources[_]
-	resource.Type == "AWS::WAFRegional::WebACLAssociation"
+	waf_association_types[resource.Type]
 	resource.Properties.ResourceArn == target_alb
 }
+
+associated_waf(target_alb) {
+	resource := input.document[_].Resources[_]
+	waf_association_types[resource.Type]
+	resource.Properties.ResourceArn["Fn::GetAtt"][0] == target_alb
+}
+
+associated_waf(target_alb) {
+	resource := input.document[_].Resources[_]
+	waf_association_types[resource.Type]
+	startswith(resource.Properties.ResourceArn, sprintf("%s.", [target_alb]))
+}

assets/queries/cloudFormation/aws/alb_is_not_integrated_with_waf/test/negative3.yaml

@@ -0,0 +1,12 @@
+AWSTemplateFormatVersion: 2010-09-09
+Resources:
+  MyLoadBalancerV2:
+    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
+    Properties:
+      Name: myloadbalancerv2
+      Scheme: internet-facing
+  MyWebACLAssociation:
+    Type: "AWS::WAFv2::WebACLAssociation"
+    Properties:
+      ResourceArn: !GetAtt MyLoadBalancerV2.LoadBalancerArn
+      WebACLArn: !Ref MyWebACL

assets/queries/cloudFormation/aws/alb_is_not_integrated_with_waf/test/negative4.json

@@ -0,0 +1,23 @@
+{
+  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
+  "Resources": {
+    "MyLoadBalancerV2": {
+      "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
+      "Properties": {
+        "Name": "myloadbalancerv2",
+        "Scheme": "internet-facing"
+      }
+    },
+    "MyWebACLAssociation": {
+      "Type": "AWS::WAFv2::WebACLAssociation",
+      "Properties": {
+        "ResourceArn": {
+          "Ref": "MyLoadBalancerV2"
+        },
+        "WebACLArn": {
+          "Ref": "MyWebACL"
+        }
+      }
+    }
+  }
+}

assets/queries/cloudFormation/aws/alb_is_not_integrated_with_waf/test/negative5.yaml

@@ -0,0 +1,12 @@
+AWSTemplateFormatVersion: 2010-09-09
+Resources:
+  MyLoadBalancerV2b:
+    Type: AWS::ElasticLoadBalancingV2::LoadBalancer
+    Properties:
+      Name: myloadbalancerv2b
+      Scheme: internet-facing
+  MyWebACLAssociation:
+    Type: "AWS::WAFv2::WebACLAssociation"
+    Properties:
+      ResourceArn: !Ref MyLoadBalancerV2b
+      WebACLArn: !Ref MyWebACL

assets/queries/cloudFormation/aws/alb_is_not_integrated_with_waf/test/negative6.json

@@ -0,0 +1,23 @@
+{
+  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
+  "Resources": {
+    "MyLoadBalancerV2c": {
+      "Type": "AWS::ElasticLoadBalancingV2::LoadBalancer",
+      "Properties": {
+        "Name": "myloadbalancerv2c",
+        "Scheme": "internet-facing"
+      }
+    },
+    "MyWebACLAssociation": {
+      "Type": "AWS::WAFv2::WebACLAssociation",
+      "Properties": {
+        "ResourceArn": {
+          "Fn::GetAtt": ["MyLoadBalancerV2c", "LoadBalancerArn"]
+        },
+        "WebACLArn": {
+          "Ref": "MyWebACL"
+        }
+      }
+    }
+  }
+}