diff --git a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/query.rego b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/query.rego index 3596a1b00eb..a0421a9a34f 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/query.rego +++ b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/query.rego @@ -114,8 +114,8 @@ CxPolicy[result] { resource.Type == "AWS::ApiGateway::Stage" properties := resource.Properties - methodSettings := properties.MethodSettings - not common_lib.valid_key(methodSettings, "LoggingLevel") + methodSetting := properties.MethodSettings[j] + not common_lib.valid_key(methodSetting, "LoggingLevel") result := { "documentId": input.document[i].id, @@ -123,9 +123,9 @@ CxPolicy[result] { "resourceName": cf_lib.get_resource_name(resource, name), "searchKey": sprintf("Resources.%s.Properties.MethodSettings", [name]), "issueType": "MissingAttribute", - "keyExpectedValue": sprintf("Resources.%s.Properties.MethodSettings.LoggingLevel should be defined and not null", [name]), - "keyActualValue": sprintf("Resources.%s.Properties.MethodSettings.LoggingLevel are undefined or null", [name]), - "searchLine": common_lib.build_search_line(["Resources", name, "Properties", "MethodSettings"], []), + "keyExpectedValue": sprintf("Resources.%s.Properties.MethodSettings[%d].LoggingLevel should be defined and not null", [name, j]), + "keyActualValue": sprintf("Resources.%s.Properties.MethodSettings[%d].LoggingLevel is undefined or null", [name, j]), + "searchLine": common_lib.build_search_line(["Resources", name, "Properties", "MethodSettings", j], []), } } 
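Review bot: The `searchKey` of this rule stays `Resources.%s.Properties.MethodSettings` while `keyExpectedValue`, `keyActualValue` and `searchLine` now carry the index `j`, so two entries of one stage that both lack `LoggingLevel` yield findings with the same search key; if results are de-duplicated or located by that key, one of them may be lost, which is worth confirming. The rules for `""` and `OFF` in the following hunks index theirs, and the same would fit here: `"searchKey": sprintf("Resources.%s.Properties.MethodSettings[%d]", [name, j]),`. The Pulumi rule this commit adds for a missing `methodSettings[j].loggingLevel` has the same unindexed key. The rule head and the `resource` binding are outside the hunk, so `name` and `i` are assumed to be bound there.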
@@ -135,18 +135,18 @@ CxPolicy[result] { resource.Type == "AWS::ApiGateway::Stage" properties := resource.Properties - loggingLevel := properties.MethodSettings.LoggingLevel + loggingLevel := properties.MethodSettings[j].LoggingLevel loggingLevel == "" result := { "documentId": input.document[i].id, "resourceType": resource.Type, "resourceName": cf_lib.get_resource_name(resource, name), - "searchKey": sprintf("Resources.%s.Properties.MethodSettings.LoggingLevel", [name]), + "searchKey": sprintf("Resources.%s.Properties.MethodSettings[%d].LoggingLevel", [name, j]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("Resources.%s.Properties.MethodSettings.LoggingLevel should be not be empty", [name]), - "keyActualValue": sprintf("Resources.%s.Properties.MethodSettings.LoggingLevel is empty", [name]), - "searchLine": common_lib.build_search_line(["Resources", name, "Properties", "MethodSettings", "LoggingLevel"], []), + "keyExpectedValue": sprintf("Resources.%s.Properties.MethodSettings[%d].LoggingLevel should not be empty", [name, j]), + "keyActualValue": sprintf("Resources.%s.Properties.MethodSettings[%d].LoggingLevel is empty", [name, j]), + "searchLine": common_lib.build_search_line(["Resources", name, "Properties", "MethodSettings", j, "LoggingLevel"], []), } } 
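Review bot: `loggingLevel == ""` here and `loggingLevel == "OFF"` in the next hunk form a denylist, so any other string counts as logging enabled; the fixtures this commit rewrites show the effect, since negative4.yaml used to pass with `LoggingLevel: "ON"`, which is not one of API Gateway's levels (OFF, ERROR, INFO). Testing against the accepted levels would close that gap: declare `enabled_levels := {"ERROR", "INFO"}` once and use `not enabled_levels[loggingLevel]` in place of the two comparisons. A value supplied through an intrinsic function such as `Ref` would then be flagged too, so that case needs a decision before switching. The same pair of comparisons is repeated in the Pulumi rules added later in this commit.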
@@ -156,18 +156,18 @@ CxPolicy[result] { resource.Type == "AWS::ApiGateway::Stage" properties := resource.Properties - loggingLevel := properties.MethodSettings.LoggingLevel + loggingLevel := properties.MethodSettings[j].LoggingLevel loggingLevel == "OFF" result := { "documentId": input.document[i].id, "resourceType": resource.Type, "resourceName": cf_lib.get_resource_name(resource, name), - "searchKey": sprintf("Resources.%s.Properties.MethodSettings.LoggingLevel", [name]), + "searchKey": sprintf("Resources.%s.Properties.MethodSettings[%d].LoggingLevel", [name, j]), "issueType": "IncorrectValue", - "keyExpectedValue": sprintf("Resources.%s.Properties.MethodSettings.LoggingLevel should not be set to OFF", [name]), - "keyActualValue": sprintf("Resources.%s.Properties.MethodSettings.LoggingLevel is OFF", [name]), - "searchLine": common_lib.build_search_line(["Resources", name, "Properties", "MethodSettings", "LoggingLevel"], []), + "keyExpectedValue": sprintf("Resources.%s.Properties.MethodSettings[%d].LoggingLevel should not be set to OFF", [name, j]), + "keyActualValue": sprintf("Resources.%s.Properties.MethodSettings[%d].LoggingLevel is OFF", [name, j]), + "searchLine": common_lib.build_search_line(["Resources", name, "Properties", "MethodSettings", j, "LoggingLevel"], []), } } diff --git a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/negative3.json b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/negative3.json index 9d769ca6ee0..b4a43668a20 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/negative3.json +++ b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/negative3.json 
@@ -13,13 +13,22 @@ "DeploymentId": { "Ref": "MyDeployment" }, - "MethodSettings": { - "DetailedMetricsEnabled": true, - "LoggingLevel": "INFO", - "DataTraceEnabled": false, - "ThrottlingBurstLimit": 10, - "ThrottlingRateLimit": 10 - }, + "MethodSettings": [ + { + "DetailedMetricsEnabled": true, + "LoggingLevel": "INFO", + "DataTraceEnabled": false, + "ThrottlingBurstLimit": 10, + "ThrottlingRateLimit": 10 + }, + { + "DetailedMetricsEnabled": true, + "LoggingLevel": "ERROR", + "DataTraceEnabled": false, + "ThrottlingBurstLimit": 10, + "ThrottlingRateLimit": 10 + } + ], "RestApiId": { "Ref": "CFNWebSocket" } diff --git a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/negative4.yaml b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/negative4.yaml index 1785d620fae..ffde6a7d86d 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/negative4.yaml +++ b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/negative4.yaml @@ -8,7 +8,10 @@ Resources: DeploymentId: !Ref TestDeployment DocumentationVersion: "" MethodSettings: - LoggingLevel: "ON" + - LoggingLevel: "INFO" + DataTraceEnabled: False + - DataTraceEnabled: False + LoggingLevel: "ERROR" AccessLogSetting: DestinationArn: "dest" Format: "format" \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive1.yaml b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive1.yaml index 4942cc4d81a..bfefb8a3dd6 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive1.yaml +++ b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive1.yaml 
@@ -18,7 +18,8 @@ Resources: HttpMethod: GET MetricsEnabled: false DataTraceEnabled: false - - ResourcePath: /stack + - LoggingLevel: "OFF" + ResourcePath: /stack HttpMethod: POST MetricsEnabled: false DataTraceEnabled: false @@ -26,3 +27,4 @@ Resources: HttpMethod: GET MetricsEnabled: true DataTraceEnabled: false + LoggingLevel: "INFO" diff --git a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive10.json b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive10.json index 8dd532335a1..c00f49747f1 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive10.json +++ b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive10.json @@ -16,8 +16,16 @@ "RestApiId": { "Ref": "CFNWebSocket" }, - "MethodSettings": { - } + "MethodSettings": [ + {}, + { + "DetailedMetricsEnabled": true, + "LoggingLevel": "INFO", + "DataTraceEnabled": false, + "ThrottlingBurstLimit": 10, + "ThrottlingRateLimit": 10 + } + ] } } } diff --git a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive12.json b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive12.json index 3bbd4b22c77..5aec1ee59fe 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive12.json +++ b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive12.json 
@@ -16,13 +16,29 @@ "RestApiId": { "Ref": "CFNWebSocket" }, - "MethodSettings": { - "DetailedMetricsEnabled": true, - "LoggingLevel": "OFF", - "DataTraceEnabled": false, - "ThrottlingBurstLimit": 10, - "ThrottlingRateLimit": 10 - } + "MethodSettings": [ + { + "DetailedMetricsEnabled": true, + "LoggingLevel": "OFF", + "DataTraceEnabled": false, + "ThrottlingBurstLimit": 10, + "ThrottlingRateLimit": 10 + }, + { + "DetailedMetricsEnabled": true, + "LoggingLevel": "", + "DataTraceEnabled": false, + "ThrottlingBurstLimit": 10, + "ThrottlingRateLimit": 10 + }, + { + "DetailedMetricsEnabled": true, + "LoggingLevel": "INFO", + "DataTraceEnabled": false, + "ThrottlingBurstLimit": 10, + "ThrottlingRateLimit": 10 + } + ] } } } diff --git a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive14.yaml b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive14.yaml index 91e68e12d8f..c9b45ef5533 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive14.yaml +++ b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive14.yaml @@ -11,4 +11,7 @@ Resources: DeploymentId: !Ref TestDeployment DocumentationVersion: "" MethodSettings: - LoggingLevel: "OFF" \ No newline at end of file + - LoggingLevel: "OFF" + DataTraceEnabled: False + - DataTraceEnabled: False + LoggingLevel: "INFO" \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive16.yaml b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive16.yaml index 11ebeedb967..1344328c997 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive16.yaml +++ b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive16.yaml 
@@ -8,4 +8,7 @@ Resources: DeploymentId: !Ref TestDeployment DocumentationVersion: "" MethodSettings: - LoggingLevel: "ON" \ No newline at end of file + - LoggingLevel: "INFO" + DataTraceEnabled: False + - DataTraceEnabled: False + LoggingLevel: "ERROR" \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive18.json b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive18.json new file mode 100644 index 00000000000..0e6985fd957 --- /dev/null +++ b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive18.json @@ -0,0 +1,44 @@ +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "MyStage": { + "Type": "AWS::ApiGateway::Stage", + "Properties": { + "StageName": "Prod", + "Description": "Prod Stage", + "AccessLogSetting": { + "DestinationArn": "dest", + "Format": "format" + }, + "DeploymentId": { + "Ref": "MyDeployment" + }, + "RestApiId": { + "Ref": "CFNWebSocket" + }, + "MethodSettings": [ + { + "DetailedMetricsEnabled": true, + "LoggingLevel": "OFF", + "DataTraceEnabled": false, + "ThrottlingBurstLimit": 10, + "ThrottlingRateLimit": 10 + }, + { + "DetailedMetricsEnabled": true, + "LoggingLevel": "INFO", + "DataTraceEnabled": false, + "ThrottlingBurstLimit": 10, + "ThrottlingRateLimit": 10 + }, + { + "DetailedMetricsEnabled": true, + "DataTraceEnabled": false, + "ThrottlingBurstLimit": 10, + "ThrottlingRateLimit": 10 + } + ] + } + } + } +} diff --git a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive19.yaml b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive19.yaml new file mode 100644 index 00000000000..db94648f31e --- /dev/null +++ b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive19.yaml 
@@ -0,0 +1,19 @@ +Resources: + Prod: + Type: AWS::ApiGateway::Stage + Properties: + StageName: Prod + Description: Prod Stage + AccessLogSetting: + DestinationArn: "dest" + Format: "format" + RestApiId: !Ref MyRestApi + DeploymentId: !Ref TestDeployment + DocumentationVersion: "" + MethodSettings: + - DataTraceEnabled: False + LoggingLevel: "OFF" + - DataTraceEnabled: False + LoggingLevel: "" + - LoggingLevel: "INFO" + DataTraceEnabled: False diff --git a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive6.json b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive6.json index 2133df7f76a..832f2d52e92 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive6.json +++ b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive6.json @@ -9,13 +9,22 @@ "DeploymentId": { "Ref": "MyDeployment" }, - "MethodSettings": { - "DetailedMetricsEnabled": true, - "LoggingLevel": "INFO", - "DataTraceEnabled": false, - "ThrottlingBurstLimit": 10, - "ThrottlingRateLimit": 10 - }, + "MethodSettings": [ + { + "DetailedMetricsEnabled": true, + "LoggingLevel": "INFO", + "DataTraceEnabled": false, + "ThrottlingBurstLimit": 10, + "ThrottlingRateLimit": 10 + }, + { + "DetailedMetricsEnabled": true, + "LoggingLevel": "ERROR", + "DataTraceEnabled": false, + "ThrottlingBurstLimit": 10, + "ThrottlingRateLimit": 10 + } + ], "RestApiId": { "Ref": "CFNWebSocket" } diff --git a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json index 4038d0f764d..6373a0259a9 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json 
@@ -2,7 +2,13 @@ { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", "severity": "MEDIUM", - "line": 16, + "line": 17, + "fileName": "positive1.yaml" + }, + { + "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", + "severity": "MEDIUM", + "line": 21, "fileName": "positive1.yaml" }, { @@ -56,7 +62,7 @@ { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", "severity": "MEDIUM", - "line": 19, + "line": 22, "fileName": "positive10.json" }, { @@ -68,13 +74,13 @@ { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", "severity": "MEDIUM", - "line": 13, - "fileName": "positive11.yaml" + "line": 22, + "fileName": "positive12.json" }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", "severity": "MEDIUM", - "line": 21, + "line": 29, "fileName": "positive12.json" }, { @@ -112,5 +118,29 @@ "severity": "MEDIUM", "line": 4, "fileName": "positive17.yaml" + }, + { + "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", + "severity": "MEDIUM", + "line": 22, + "fileName": "positive18.json" + }, + { + "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", + "severity": "MEDIUM", + "line": 35, + "fileName": "positive18.json" + }, + { + "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", + "severity": "MEDIUM", + "line": 15, + "fileName": "positive19.yaml" + }, + { + "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", + "severity": "MEDIUM", + "line": 17, + "fileName": "positive19.yaml" } ] diff --git a/assets/queries/pulumi/aws/api_gateway_access_logging_disabled/query.rego b/assets/queries/pulumi/aws/api_gateway_access_logging_disabled/query.rego index 95fe06edad4..469622b1abe 100644 --- a/assets/queries/pulumi/aws/api_gateway_access_logging_disabled/query.rego +++ b/assets/queries/pulumi/aws/api_gateway_access_logging_disabled/query.rego 
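Review bot: The updated expectation for positive10.json pins line 22, which by the numbering of that file's hunk is `"DetailedMetricsEnabled": true` inside the second `MethodSettings` entry, the one that sets `LoggingLevel` to `INFO`; the entry that lacks the key is the `{}` on line 20. If that reading is right, the finding for an empty entry is reported on a compliant one, which sends whoever triages it to the wrong element. I would confirm how `build_search_line` resolves a list element with no keys, and if it cannot be fixed there, give the offending fixture entry at least one key so the expected line lands on it.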
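Review bot: The expectation for positive11.yaml at line 13 is removed in this hunk and a positive12.json entry takes its place, yet positive11.yaml is not modified in the part of the commit shown. It is worth confirming that the fixture still produces an expected finding (another entry for it may sit outside this hunk). If its `MethodSettings` is still written as a single mapping, the drop would mean that shape is no longer flagged now that the rules bind `MethodSettings[j]`, and that should be an explicit decision rather than a side effect.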
@@ -3,7 +3,7 @@ package Cx import data.generic.common as common_lib import data.generic.pulumi as plm_lib -valid_types := ["aws:apigateway:Stage","aws:apigatewayv2:Stage"] +valid_types := ["aws:apigateway:Stage", "aws:apigatewayv2:Stage"] CxPolicy[result] { resource := input.document[i].resources[name] 
@@ -22,3 +22,155 @@ CxPolicy[result] { "searchLine": common_lib.build_search_line(["resources", name, "properties"], []), } } + +CxPolicy[result] { + resource := input.document[i].resources[name] + resource.type == "aws:apigatewayv2:Stage" + + not common_lib.valid_key(resource.properties, "defaultRouteSettings") + + result := { + "documentId": input.document[i].id, + "resourceType": resource.type, + "resourceName": plm_lib.getResourceName(resource, name), + "searchKey": sprintf("resources[%s].properties", [name]), + "searchValue": "defaultRouteSettings", + "issueType": "MissingAttribute", + "keyExpectedValue": "Attribute 'defaultRouteSettings' should be defined", + "keyActualValue": "Attribute 'defaultRouteSettings' is not defined", + "searchLine": common_lib.build_search_line(["resources", name, "properties"], []), + } +} + +CxPolicy[result] { + resource := input.document[i].resources[name] + resource.type == "aws:apigatewayv2:Stage" + + defaultRouteSettings := resource.properties.defaultRouteSettings + not common_lib.valid_key(defaultRouteSettings, "loggingLevel") + + result := { + "documentId": input.document[i].id, + "resourceType": resource.type, + "resourceName": plm_lib.getResourceName(resource, name), + "searchKey": sprintf("resources[%s].properties.defaultRouteSettings", [name]), + "issueType": "MissingAttribute", + "keyExpectedValue": "Attribute 'defaultRouteSettings.loggingLevel' should be defined", + "keyActualValue": "Attribute 'defaultRouteSettings.loggingLevel' is not defined", + "searchLine": common_lib.build_search_line(["resources", name, "properties", "defaultRouteSettings"], []), + } +} + +CxPolicy[result] { + resource := input.document[i].resources[name] + resource.type == "aws:apigatewayv2:Stage" + + loggingLevel := resource.properties.defaultRouteSettings.loggingLevel + loggingLevel == "" + + result := { + "documentId": input.document[i].id, + "resourceType": resource.type, + "resourceName": plm_lib.getResourceName(resource, name), + 
"searchKey": sprintf("resources[%s].properties.defaultRouteSettings.loggingLevel", [name]), + "issueType": "IncorrectValue", + "keyExpectedValue": "Attribute 'defaultRouteSettings.loggingLevel' should not be empty", + "keyActualValue": "Attribute 'defaultRouteSettings.loggingLevel' is empty", + "searchLine": common_lib.build_search_line(["resources", name, "properties", "defaultRouteSettings", "loggingLevel"], []), + } +} + +CxPolicy[result] { + resource := input.document[i].resources[name] + resource.type == "aws:apigatewayv2:Stage" + + loggingLevel := resource.properties.defaultRouteSettings.loggingLevel + loggingLevel == "OFF" + + result := { + "documentId": input.document[i].id, + "resourceType": resource.type, + "resourceName": plm_lib.getResourceName(resource, name), + "searchKey": sprintf("resources[%s].properties.defaultRouteSettings.loggingLevel", [name]), + "issueType": "IncorrectValue", + "keyExpectedValue": "Attribute 'defaultRouteSettings.loggingLevel' should not be set to OFF", + "keyActualValue": "Attribute 'defaultRouteSettings.loggingLevel' is set to OFF", + "searchLine": common_lib.build_search_line(["resources", name, "properties", "defaultRouteSettings", "loggingLevel"], []), + } +} + +CxPolicy[result] { + resource := input.document[i].resources[name] + resource.type == "aws:apigateway:Stage" + + not common_lib.valid_key(resource.properties, "methodSettings") + + result := { + "documentId": input.document[i].id, + "resourceType": resource.type, + "resourceName": plm_lib.getResourceName(resource, name), + "searchKey": sprintf("resources[%s].properties", [name]), + "searchValue": "methodSettings", + "issueType": "MissingAttribute", + "keyExpectedValue": "Attribute 'methodSettings' should be defined", + "keyActualValue": "Attribute 'methodSettings' is not defined", + "searchLine": common_lib.build_search_line(["resources", name, "properties"], []), + } +} + +CxPolicy[result] { + resource := input.document[i].resources[name] + resource.type == 
"aws:apigateway:Stage" + + methodSetting := resource.properties.methodSettings[j] + not common_lib.valid_key(methodSetting, "loggingLevel") + + result := { + "documentId": input.document[i].id, + "resourceType": resource.type, + "resourceName": plm_lib.getResourceName(resource, name), + "searchKey": sprintf("resources[%s].properties.methodSettings", [name]), + "issueType": "MissingAttribute", + "keyExpectedValue": sprintf("Attribute 'methodSettings[%d].loggingLevel' should be defined", [j]), + "keyActualValue": sprintf("Attribute 'methodSettings[%d].loggingLevel' is not defined", [j]), + "searchLine": common_lib.build_search_line(["resources", name, "properties", "methodSettings", j], []), + } +} + +CxPolicy[result] { + resource := input.document[i].resources[name] + resource.type == "aws:apigateway:Stage" + + loggingLevel := resource.properties.methodSettings[j].loggingLevel + loggingLevel == "" + + result := { + "documentId": input.document[i].id, + "resourceType": resource.type, + "resourceName": plm_lib.getResourceName(resource, name), + "searchKey": sprintf("resources[%s].properties.methodSettings[%d].loggingLevel", [name, j]), + "issueType": "IncorrectValue", + "keyExpectedValue": sprintf("Attribute 'methodSettings[%d].loggingLevel' should not be empty", [j]), + "keyActualValue": sprintf("Attribute 'methodSettings[%d].loggingLevel' is empty", [j]), + "searchLine": common_lib.build_search_line(["resources", name, "properties", "methodSettings", j, "loggingLevel"], []), + } +} + +CxPolicy[result] { + resource := input.document[i].resources[name] + resource.type == "aws:apigateway:Stage" + + loggingLevel := resource.properties.methodSettings[j].loggingLevel + loggingLevel == "OFF" + + result := { + "documentId": input.document[i].id, + "resourceType": resource.type, + "resourceName": plm_lib.getResourceName(resource, name), + "searchKey": sprintf("resources[%s].properties.methodSettings[%d].loggingLevel", [name, j]), + "issueType": "IncorrectValue", + 
"keyExpectedValue": sprintf("Attribute 'methodSettings[%d].loggingLevel' should not be set to OFF", [j]), + "keyActualValue": sprintf("Attribute 'methodSettings[%d].loggingLevel' is set to OFF", [j]), + "searchLine": common_lib.build_search_line(["resources", name, "properties", "methodSettings", j, "loggingLevel"], []), + } +} diff --git a/assets/queries/pulumi/aws/api_gateway_access_logging_disabled/test/negative.yaml b/assets/queries/pulumi/aws/api_gateway_access_logging_disabled/test/negative.yaml index da286dbd1e7..ac143d541b5 100644 --- a/assets/queries/pulumi/aws/api_gateway_access_logging_disabled/test/negative.yaml +++ b/assets/queries/pulumi/aws/api_gateway_access_logging_disabled/test/negative.yaml @@ -2,10 +2,24 @@ name: aws-eks runtime: yaml description: An EKS cluster resources: - example: + exampleV2: type: aws:apigatewayv2:Stage properties: apiId: ${aws_apigatewayv2_api.example.id} accessLogSettings: destinationArn: sampleArn format: CLF + defaultRouteSettings: + loggingLevel: INFO + exampleV1: + type: aws:apigateway:Stage + properties: + restApiId: ${aws_api_gateway_rest_api.example.id} + stageName: prod + accessLogSettings: + destinationArn: sampleArn + methodSettings: + - loggingLevel: INFO + dataTraceEnabled: false + - dataTraceEnabled: false + loggingLevel: ERROR diff --git a/assets/queries/pulumi/aws/api_gateway_access_logging_disabled/test/positive2.yaml b/assets/queries/pulumi/aws/api_gateway_access_logging_disabled/test/positive2.yaml new file mode 100644 index 00000000000..1ac6aa879eb --- /dev/null +++ b/assets/queries/pulumi/aws/api_gateway_access_logging_disabled/test/positive2.yaml 
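Review bot: An `aws:apigateway:Stage` declared with `methodSettings: []` appears to pass every rule added in this hunk: the key exists, so the missing-attribute rule does not fire (assuming `valid_key` accepts an empty list), and the three rules that bind `methodSettings[j]` have nothing to iterate. Such a stage sets no logging level for any method, so I would add a rule for the empty case, sketched below. The CloudFormation rules changed in this commit iterate the same way and may need the same guard, and none of the fixtures shown exercises an empty list.

```rego
CxPolicy[result] {
	resource := input.document[i].resources[name]
	resource.type == "aws:apigateway:Stage"

	# An empty list defines the key but configures no logging level for any method.
	count(resource.properties.methodSettings) == 0

	result := {
		"documentId": input.document[i].id,
		"resourceType": resource.type,
		"resourceName": plm_lib.getResourceName(resource, name),
		"searchKey": sprintf("resources[%s].properties.methodSettings", [name]),
		"issueType": "IncorrectValue",
		"keyExpectedValue": "Attribute 'methodSettings' should have at least one entry with 'loggingLevel' defined",
		"keyActualValue": "Attribute 'methodSettings' is empty",
		"searchLine": common_lib.build_search_line(["resources", name, "properties", "methodSettings"], []),
	}
}
```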
@@ -0,0 +1,20 @@ +name: aws-eks +runtime: yaml +description: An EKS cluster +resources: + exampleV2: + type: aws:apigatewayv2:Stage + properties: + apiId: ${aws_apigatewayv2_api.example.id} + accessLogSettings: + destinationArn: sampleArn + format: CLF + defaultRouteSettings: + loggingLevel: "OFF" + exampleV1: + type: aws:apigateway:Stage + properties: + restApiId: ${aws_api_gateway_rest_api.example.id} + stageName: prod + accessLogSettings: + destinationArn: sampleArn diff --git a/assets/queries/pulumi/aws/api_gateway_access_logging_disabled/test/positive3.yaml b/assets/queries/pulumi/aws/api_gateway_access_logging_disabled/test/positive3.yaml new file mode 100644 index 00000000000..ad945b1c40f --- /dev/null +++ b/assets/queries/pulumi/aws/api_gateway_access_logging_disabled/test/positive3.yaml @@ -0,0 +1,16 @@ +name: aws-eks +runtime: yaml +description: An EKS cluster +resources: + example: + type: aws:apigateway:Stage + properties: + restApiId: ${aws_api_gateway_rest_api.example.id} + stageName: prod + accessLogSettings: + destinationArn: sampleArn + methodSettings: + - loggingLevel: "OFF" + dataTraceEnabled: false + - dataTraceEnabled: false + loggingLevel: "INFO" diff --git a/assets/queries/pulumi/aws/api_gateway_access_logging_disabled/test/positive4.yaml b/assets/queries/pulumi/aws/api_gateway_access_logging_disabled/test/positive4.yaml new file mode 100644 index 00000000000..2a4f06c52d2 --- /dev/null +++ b/assets/queries/pulumi/aws/api_gateway_access_logging_disabled/test/positive4.yaml 
@@ -0,0 +1,33 @@ +name: aws-eks +runtime: yaml +description: An EKS cluster +resources: + exampleV2NoLevel: + type: aws:apigatewayv2:Stage + properties: + apiId: ${aws_apigatewayv2_api.example.id} + accessLogSettings: + destinationArn: sampleArn + format: CLF + defaultRouteSettings: + dataTraceEnabled: false + exampleV2EmptyLevel: + type: aws:apigatewayv2:Stage + properties: + apiId: ${aws_apigatewayv2_api.example.id} + accessLogSettings: + destinationArn: sampleArn + format: CLF + defaultRouteSettings: + loggingLevel: "" + exampleV1: + type: aws:apigateway:Stage + properties: + restApiId: ${aws_api_gateway_rest_api.example.id} + stageName: prod + accessLogSettings: + destinationArn: sampleArn + methodSettings: + - dataTraceEnabled: false + - loggingLevel: "" + dataTraceEnabled: false diff --git a/assets/queries/pulumi/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json b/assets/queries/pulumi/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json index d93f28a1060..e086e25f301 100644 --- a/assets/queries/pulumi/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/pulumi/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json 
@@ -4,5 +4,53 @@ "severity": "MEDIUM", "line": 7, "fileName": "positive.yaml" + }, + { + "queryName": "API Gateway Access Logging Disabled", + "severity": "MEDIUM", + "line": 7, + "fileName": "positive.yaml" + }, + { + "queryName": "API Gateway Access Logging Disabled", + "severity": "MEDIUM", + "line": 13, + "fileName": "positive2.yaml" + }, + { + "queryName": "API Gateway Access Logging Disabled", + "severity": "MEDIUM", + "line": 16, + "fileName": "positive2.yaml" + }, + { + "queryName": "API Gateway Access Logging Disabled", + "severity": "MEDIUM", + "line": 13, + "fileName": "positive3.yaml" + }, + { + "queryName": "API Gateway Access Logging Disabled", + "severity": "MEDIUM", + "line": 12, + "fileName": "positive4.yaml" + }, + { + "queryName": "API Gateway Access Logging Disabled", + "severity": "MEDIUM", + "line": 22, + "fileName": "positive4.yaml" + }, + { + "queryName": "API Gateway Access Logging Disabled", + "severity": "MEDIUM", + "line": 31, + "fileName": "positive4.yaml" + }, + { + "queryName": "API Gateway Access Logging Disabled", + "severity": "MEDIUM", + "line": 32, + "fileName": "positive4.yaml" } ]