From e904de9841a2de07da89e2e77feb9314cc950323 Mon Sep 17 00:00:00 2001 
From: Artur Ribeiro Date: Mon, 17 Jun 2024 10:08:20 +0100 Subject: [PATCH 1/2] fix(cloudformation): false positives on query API Gateway V2 Stage Access Logging Settings Not Defined --- .../query.rego | 136 ++++++++++-------- .../test/negative5.yaml | 21 +++ .../test/negative6.yaml | 18 +++ .../test/negative7.json | 19 +++ .../test/{positive15.yaml => negative8.yaml} | 4 +- .../test/{positive4.json => negative9.json} | 7 +- .../test/positive10.json | 24 ---- .../test/positive10.yaml | 15 ++ .../test/positive11.yaml | 24 ++-- .../test/positive12.json | 29 ---- .../test/positive12.yaml | 21 +++ .../test/positive13.yaml | 28 ++-- .../test/positive2.json | 40 +++--- .../test/positive3.json | 24 +--- .../test/{positive17.yaml => positive4.yaml} | 10 +- .../test/positive5.json | 15 +- .../test/positive6.json | 25 ---- .../test/{positive16.yaml => positive6.yaml} | 6 +- .../test/positive7.json | 18 ++- .../test/positive8.yaml | 4 +- .../test/positive9.yaml | 8 +- .../test/positive_expected_result.json | 72 ++++------ 22 files changed, 298 insertions(+), 270 deletions(-) create mode 100644 assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/negative5.yaml create mode 100644 assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/negative6.yaml create mode 100644 assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/negative7.json rename assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/{positive15.yaml => negative8.yaml} (80%) rename assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/{positive4.json => negative9.json} (83%) delete mode 100644 assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive10.json create mode 100644 assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive10.yaml delete mode 100644 assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive12.json create mode 
100644 assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive12.yaml rename assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/{positive17.yaml => positive4.yaml} (52%) delete mode 100644 assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive6.json rename assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/{positive16.yaml => positive6.yaml} (68%) diff --git a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/query.rego b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/query.rego index 6212b3fdcb2..757a1acd720 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/query.rego +++ b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/query.rego 
@@ -3,18 +3,64 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.cloudformation as cf_lib
+# Checks if Properties.AccessLogSettings exists for "AWS::ApiGatewayV2::Stage"
 CxPolicy[result] {
- document := input.document
- resource = document[i].Resources[name]
+ doc := input.document[i]
+ resource := doc.Resources[stage]
 resource.Type == "AWS::ApiGatewayV2::Stage"
+
+ properties := resource.Properties
+ not properties.DefaultRouteSettings
+ not properties.AccessLogSettings
+
+ result := {
+ "documentId": doc.id,
+ "issueType": "MissingAttribute",
+ "keyExpectedValue": "'AccessLogSettings' should be defined",
+ "keyActualValue": "'AccessLogSettings' is not defined",
+ "resourceType": resource.Type,
+ "resourceName": cf_lib.get_resource_name(resource, stage),
+ "searchKey": sprintf("Resources.%s.Properties", [stage]),
+ }
+}
+# Checks if Properties.AccessLogSettings exists for "AWS::ApiGateway::Stage"
+CxPolicy[result] {
+ doc := input.document[i]
+ resource := doc.Resources[stage]
+ resource.Type == "AWS::ApiGateway::Stage"
 properties := resource.Properties
- searchKeyValid := common_lib.valid_non_empty_key(properties, "DefaultRouteSettings")
+
+ not properties.AccessLogSetting
 result := {
- "documentId": input.document[i].id,
+ "documentId": doc.id,
+ "issueType": "MissingAttribute",
+ "keyExpectedValue": "'AccessLogSetting' should be defined",
+ "keyActualValue": "'AccessLogSetting' is not defined",
 "resourceType": resource.Type,
- "resourceName": cf_lib.get_resource_name(resource, name),
+ "resourceName": cf_lib.get_resource_name(resource, stage),
+ "searchKey": sprintf("Resources.%s.Properties", [stage]),
+ }
+}
+
+# Checks if ProtocolType == WEBSOCKET for AWS::ApiGatewayV2::Api & Properties.DefaultRouteSettings Key exists for "AWS::ApiGatewayV2::Stage"
+CxPolicy[result] {
+ document := input.document
+ api_resource := document[i].Resources[_]
+ api_resource.Type == "AWS::ApiGatewayV2::Api"
+ api_resource.Properties.ProtocolType == "WEBSOCKET"
+
+ stage_resource := document[i].Resources[name]
+ stage_resource.Type == "AWS::ApiGatewayV2::Stage"
+ properties := stage_resource.Properties
+ not properties.AccessLogSettings
+ searchKeyValid := common_lib.valid_non_empty_key(properties, "DefaultRouteSettings")
+
+ result := {
+ "documentId": input.document[i].id,
+ "resourceType": stage_resource.Type,
+ "resourceName": cf_lib.get_resource_name(stage_resource, name),
 "searchKey": sprintf("Resources.%s.Properties%s", [name, searchKeyValid]),
 "issueType": "MissingAttribute",
 "keyExpectedValue": sprintf("Resources.%s.Properties.DefaultRouteSettings should be defined and not null", [name]),
@@ -22,19 +68,23 @@ CxPolicy[result] {
 }
 }
+# Checks if ProtocolType == WEBSOCKET for AWS::ApiGatewayV2::Api & Properties.DefaultRouteSettings.LoggingLevel Key exists for "AWS::ApiGatewayV2::Stage"
 CxPolicy[result] {
 document := input.document
- resource = document[i].Resources[name]
- resource.Type == "AWS::ApiGatewayV2::Stage"
-
- properties := resource.Properties
+ api_resource := document[i].Resources[_]
+ api_resource.Type == "AWS::ApiGatewayV2::Api"
+ api_resource.Properties.ProtocolType == "WEBSOCKET"
+
+ stage_resource := document[i].Resources[name]
+ stage_resource.Type == "AWS::ApiGatewayV2::Stage"
+ properties := stage_resource.Properties
 defaultRouteSettings := properties.DefaultRouteSettings
 searchKeyValid := common_lib.valid_non_empty_key(defaultRouteSettings, "LoggingLevel")
 result := {
 "documentId": input.document[i].id,
- "resourceType": resource.Type,
- "resourceName": cf_lib.get_resource_name(resource, name),
+ "resourceType": stage_resource.Type,
+ "resourceName": cf_lib.get_resource_name(stage_resource, name),
 "searchKey": sprintf("Resources.%s.Properties.DefaultRouteSettings%s", [name, searchKeyValid]),
 "issueType": "MissingAttribute",
 "keyExpectedValue": sprintf("Resources.%s.Properties.DefaultRouteSettings.LoggingLevel should be defined and not null", [name]),
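Review bot: The WEBSOCKET rule introduced at the end of this hunk binds `api_resource := document[i].Resources[_]` without tying it to the stage, so a single `AWS::ApiGatewayV2::Api` with `ProtocolType: WEBSOCKET` anywhere in the template subjects every V2 stage in that template to the DefaultRouteSettings checks, including stages whose `ApiId` points at an HTTP API; the stage's `ApiId` reference should be resolved to the API's logical name and compared before the check fires (the same unbound lookup is repeated in the two following hunks). The rewritten first rule only reports a missing `AccessLogSettings` when `DefaultRouteSettings` is absent too, so an HTTP-protocol stage that sets `DefaultRouteSettings` for throttling and has no `AccessLogSettings` is flagged by no rule at all, even though, per the CloudFormation documentation, `LoggingLevel` under `DefaultRouteSettings` is supported only for WebSocket APIs; the `not properties.DefaultRouteSettings` guard should apply only when the linked API is WEBSOCKET. The first and third rules also both fire on a WEBSOCKET stage that has neither key, which is why positive10.yaml now appears twice at line 11 in positive_expected_result.json. The comment on the first rule should state the extra condition it enforces, e.g. `# Reports an AWS::ApiGatewayV2::Stage that defines neither AccessLogSettings nor DefaultRouteSettings`.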
@@ -42,26 +92,32 @@ CxPolicy[result] {
 }
 }
+# Checks if ProtocolType == WEBSOCKET for AWS::ApiGatewayV2::Api & properties.DefaultRouteSettings.LoggingLevel == OFF for "AWS::ApiGatewayV2::Stage"
 CxPolicy[result] {
 document := input.document
- resource = document[i].Resources[name]
- resource.Type == "AWS::ApiGatewayV2::Stage"
-
- properties := resource.Properties
- loggingLevel := properties.DefaultRouteSettings.LoggingLevel
- loggingLevel == "OFF"
+
+ api_resource := document[i].Resources[_]
+ api_resource.Type == "AWS::ApiGatewayV2::Api"
+ api_resource.Properties.ProtocolType == "WEBSOCKET"
+
+ stage_resource := document[i].Resources[name]
+ stage_resource.Type == "AWS::ApiGatewayV2::Stage"
+ stage_properties := stage_resource.Properties
+ stage_properties.DefaultRouteSettings.LoggingLevel == "OFF"
+ not stage_properties.AccessLogSettings
 result := {
 "documentId": input.document[i].id,
- "resourceType": resource.Type,
- "resourceName": cf_lib.get_resource_name(resource, name),
+ "resourceType": stage_resource.Type,
+ "resourceName": cf_lib.get_resource_name(stage_resource, name),
 "searchKey": sprintf("Resources.%s.Properties.DefaultRouteSettings.LoggingLevel", [name]),
 "issueType": "IncorrectValue",
- "keyExpectedValue": sprintf("Resources.%s.Properties.DefaultRouteSettings.LoggingLevel should not be set to OFF", [name]),
+ "keyExpectedValue": sprintf("Resources.%s.Properties.DefaultRouteSettings.LoggingLevel should be defined and not null", [name]),
 "keyActualValue": sprintf("Resources.%s.Properties.DefaultRouteSettings.LoggingLevel is OFF", [name]),
 }
 }
+# Checks if properties.MethodSettings Key exists for "AWS::ApiGateway::Stage"
 CxPolicy[result] {
 document := input.document
 resource = document[i].Resources[name]
@@ -81,6 +137,7 @@ CxPolicy[result] {
 }
 }
+# Checks if properties.MethodSettings.LoggingLevel Key exists for "AWS::ApiGateway::Stage"
 CxPolicy[result] {
 document := input.document
 resource = document[i].Resources[name]
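Review bot: The LoggingLevel-missing rule rewritten in the `@@ -22,19 +68,23 @@` hunk has no `not properties.AccessLogSettings` guard, unlike the sibling WEBSOCKET rules before and after it, so a WEBSOCKET stage that defines `AccessLogSettings` but omits `LoggingLevel` under `DefaultRouteSettings` is still reported, which is the kind of false positive this commit sets out to remove. Adding `not properties.AccessLogSettings` directly after `properties := stage_resource.Properties` makes the three WEBSOCKET rules consistent. The tail of that rule continues past the hunk.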
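Review bot: The `keyExpectedValue` of the LoggingLevel == OFF rule was changed to "should be defined and not null", which no longer describes the violation: the key is defined and set to OFF, as the unchanged `keyActualValue` on the next line says. The previous text should be kept, `"keyExpectedValue": sprintf("Resources.%s.Properties.DefaultRouteSettings.LoggingLevel should not be set to OFF", [name]),`. The unbound `api_resource` lookup noted on the first hunk applies to this rule as well.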
@@ -101,6 +158,7 @@ CxPolicy[result] {
 }
 }
+# Checks if properties.MethodSettings.LoggingLevel == OFF for "AWS::ApiGateway::Stage"
 CxPolicy[result] {
 document := input.document
 resource = document[i].Resources[name]
@@ -120,41 +178,3 @@ CxPolicy[result] {
 "keyActualValue": sprintf("Resources.%s.Properties.MethodSettings.LoggingLevel is OFF", [name]),
 }
 }
-
-CxPolicy[result] {
- doc := input.document[i]
- resource := doc.Resources[stage]
- resource.Type == "AWS::ApiGatewayV2::Stage"
- properties := resource.Properties
-
- not properties.AccessLogSettings
-
- result := {
- "documentId": doc.id,
- "issueType": "MissingAttribute",
- "keyExpectedValue": "'AccessLogSettings' should be defined",
- "keyActualValue": "'AccessLogSettings' is not defined",
- "resourceType": resource.Type,
- "resourceName": cf_lib.get_resource_name(resource, stage),
- "searchKey": sprintf("Resources.%s.Properties", [stage]),
- }
-}
-
-CxPolicy[result] {
- doc := input.document[i]
- resource := doc.Resources[stage]
- resource.Type == "AWS::ApiGateway::Stage"
- properties := resource.Properties
-
- not properties.AccessLogSetting
-
- result := {
- "documentId": doc.id,
- "issueType": "MissingAttribute",
- "keyExpectedValue": "'AccessLogSetting' should be defined",
- "keyActualValue": "'AccessLogSetting' is not defined",
- "resourceType": resource.Type,
- "resourceName": cf_lib.get_resource_name(resource, stage),
- "searchKey": sprintf("Resources.%s.Properties", [stage]),
- }
-}
diff --git a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/negative5.yaml b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/negative5.yaml
new file mode 100644
index 00000000000..2ccdcecde5b
--- /dev/null
+++ b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/negative5.yaml
@@ -0,0 +1,21 @@ +AWSTemplateFormatVersion: "2010-09-09" +# line 8, defines API of WEBSOCKET protocol but there's DefaultRouteSettings in Stage (line 11) already defined +Resources: + ApiGatewayRestApi: + Type: AWS::ApiGatewayV2::Api + Properties: + ProtocolType: WEBSOCKET + Description: Test websocket API + ApiGatewayStage: + Type: AWS::ApiGatewayV2::Stage + Properties: + DeploymentId: !Ref ApiGatewayDeployment + Description: Lambda API Stage v0 + ApiId: !Ref ApiGatewayRestApi + StageName: "v0" + DefaultRouteSettings: + DetailedMetricsEnabled: true + LoggingLevel: INFO + DataTraceEnabled: false + ThrottlingBurstLimit: 10 + ThrottlingRateLimit: 10 \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/negative6.yaml b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/negative6.yaml new file mode 100644 index 00000000000..b6d2d90a700 --- /dev/null +++ b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/negative6.yaml @@ -0,0 +1,18 @@ +AWSTemplateFormatVersion: "2010-09-09" +# line 8, defines API of WEBSOCKET protocol but there's AccessLogSettings in Stage (line 11) already defined +Resources: + ApiGatewayRestApi: + Type: AWS::ApiGatewayV2::Api + Properties: + ProtocolType: WEBSOCKET + Description: Test websocket API + ApiGatewayStage: + Type: AWS::ApiGatewayV2::Stage + Properties: + DeploymentId: !Ref ApiGatewayDeployment + Description: Lambda API Stage v0 + ApiId: !Ref ApiGatewayRestApi + StageName: "v0" + AccessLogSettings: + DestinationArn: "dest" + Format: "format" \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/negative7.json b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/negative7.json new file mode 100644 index 00000000000..1798ea0f8e8 --- /dev/null +++ b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/negative7.json 
@@ -0,0 +1,19 @@ +{ + "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Router53", + "Resources": { + "MyStage": { + "Type": "AWS::ApiGatewayV2::Stage", + "Properties": { + "Description": "Prod Stage", + "AccessLogSettings": { + "DestinationArn": "dest", + "Format": "format" + }, + "DeploymentId": "MyDeployment", + "ApiId": "CFNWebSocket", + "StageName": "Prod" + } + } + } +} diff --git a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive15.yaml b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/negative8.yaml similarity index 80% rename from assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive15.yaml rename to assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/negative8.yaml index c5de550b2a9..cde2ef542eb 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive15.yaml +++ b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/negative8.yaml @@ -10,6 +10,4 @@ Resources: RestApiId: !Ref MyRestApi DeploymentId: !Ref TestDeployment DocumentationVersion: "" - ApiId: "teste" - DefaultRouteSettings: - LoggingLevel: "OFF" \ No newline at end of file + ApiId: "teste" \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive4.json b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/negative9.json similarity index 83% rename from assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive4.json rename to assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/negative9.json index 0b8f2b89c0c..0b3f72e21f8 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive4.json +++ b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/negative9.json 
@@ -6,10 +6,6 @@ "Properties": { "StageName": "Prod", "Description": "Prod Stage", - "AccessLogSettings": { - "DestinationArn": "dest", - "Format": "format" - }, "DeploymentId": { "Ref": "MyDeployment" }, @@ -18,6 +14,7 @@ }, "DefaultRouteSettings": { "DetailedMetricsEnabled": true, + "LoggingLevel": "INFO", "DataTraceEnabled": false, "ThrottlingBurstLimit": 10, "ThrottlingRateLimit": 10 @@ -25,4 +22,4 @@ } } } -} +} \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive10.json b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive10.json deleted file mode 100644 index 8dd532335a1..00000000000 --- a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive10.json +++ /dev/null @@ -1,24 +0,0 @@ -{ - "AWSTemplateFormatVersion": "2010-09-09", - "Resources": { - "MyStage": { - "Type": "AWS::ApiGateway::Stage", - "Properties": { - "StageName": "Prod", - "Description": "Prod Stage", - "AccessLogSetting": { - "DestinationArn": "dest", - "Format": "format" - }, - "DeploymentId": { - "Ref": "MyDeployment" - }, - "RestApiId": { - "Ref": "CFNWebSocket" - }, - "MethodSettings": { - } - } - } - } -} \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive10.yaml b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive10.yaml new file mode 100644 index 00000000000..59e732a6550 --- /dev/null +++ b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive10.yaml 
@@ -0,0 +1,15 @@ +AWSTemplateFormatVersion: "2010-09-09" +# line 8, defines API of Websocket protocol and there's no AccessLogSettings nor DefaultRouteSettings.LoggingLevel in Stage (line 11) +Resources: + ApiGatewayRestApi: + Type: AWS::ApiGatewayV2::Api + Properties: + ProtocolType: WEBSOCKET + Description: Test websocket API + ApiGatewayStage: + Type: AWS::ApiGatewayV2::Stage + Properties: + DeploymentId: !Ref ApiGatewayDeployment + Description: Lambda API Stage v0 + ApiId: !Ref ApiGatewayRestApi + StageName: "v0" \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive11.yaml b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive11.yaml index 4adf05d2a6c..8f3646c71fc 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive11.yaml +++ b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive11.yaml @@ -1,13 +1,15 @@ +AWSTemplateFormatVersion: "2010-09-09" +# line 8, defines API of HTTP protocol and there's no AccessLogSettings in Stage (line 11) Resources: - Prod: - Type: AWS::ApiGateway::Stage + ApiGatewayRestApi: + Type: AWS::ApiGatewayV2::Api Properties: - StageName: Prod - Description: Prod Stage - AccessLogSetting: - DestinationArn: "dest" - Format: "format" - RestApiId: !Ref MyRestApi - DeploymentId: !Ref TestDeployment - DocumentationVersion: "" - MethodSettings: \ No newline at end of file + ProtocolType: HTTP + Description: Test websocket API + ApiGatewayStage: + Type: AWS::ApiGatewayV2::Stage + Properties: + DeploymentId: !Ref ApiGatewayDeployment + Description: Lambda API Stage v0 + ApiId: !Ref ApiGatewayRestApi + StageName: "v0" \ No newline at end of file 
diff --git a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive12.json b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive12.json deleted file mode 100644 index 3bbd4b22c77..00000000000 --- a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive12.json +++ /dev/null @@ -1,29 +0,0 @@ -{ - "AWSTemplateFormatVersion": "2010-09-09", - "Resources": { - "MyStage": { - "Type": "AWS::ApiGateway::Stage", - "Properties": { - "StageName": "Prod", - "Description": "Prod Stage", - "AccessLogSetting": { - "DestinationArn": "dest", - "Format": "format" - }, - "DeploymentId": { - "Ref": "MyDeployment" - }, - "RestApiId": { - "Ref": "CFNWebSocket" - }, - "MethodSettings": { - "DetailedMetricsEnabled": true, - "LoggingLevel": "OFF", - "DataTraceEnabled": false, - "ThrottlingBurstLimit": 10, - "ThrottlingRateLimit": 10 - } - } - } - } -} \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive12.yaml b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive12.yaml new file mode 100644 index 00000000000..ddc291a73c2 --- /dev/null +++ b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive12.yaml @@ -0,0 +1,21 @@ +AWSTemplateFormatVersion: "2010-09-09" +# line 8, defines API of HTTP protocol and there's no AccessLogSettings in Stage (line 11) +Resources: + ApiGatewayRestApi: + Type: AWS::ApiGatewayV2::Api + Properties: + ProtocolType: WEBSOCKET + Description: Test websocket API + ApiGatewayStage: + Type: AWS::ApiGatewayV2::Stage + Properties: + DeploymentId: !Ref ApiGatewayDeployment + Description: Lambda API Stage v0 + ApiId: !Ref ApiGatewayRestApi + StageName: "v0" + DefaultRouteSettings: + DetailedMetricsEnabled: true + LoggingLevel: "OFF" + DataTraceEnabled: false + ThrottlingBurstLimit: 10 + ThrottlingRateLimit: 10 \ No newline at end of file 
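Review bot: The header comment in the new positive12.yaml says the API is of `HTTP` protocol, but the fixture declares `ProtocolType: WEBSOCKET`, and it is that protocol the `LoggingLevel: "OFF"` expectation depends on; positive13.yaml carries the same mismatched comment, and negative10.yaml in the second patch says WEBSOCKET while declaring `HTTP`. Since the query logic now branches on the protocol, these comments are what a maintainer will read to understand which rule each fixture exercises; suggested wording here: `# line 8, defines API of WEBSOCKET protocol and Stage (line 11) sets DefaultRouteSettings.LoggingLevel to OFF with no AccessLogSettings`.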
diff --git a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive13.yaml b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive13.yaml index 860851c6626..96eb5dd90e9 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive13.yaml +++ b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive13.yaml @@ -1,14 +1,20 @@ +AWSTemplateFormatVersion: "2010-09-09" +# line 8, defines API of HTTP protocol and there's no AccessLogSettings in Stage (line 11) Resources: - Prod: + ApiGatewayRestApi: + Type: AWS::ApiGatewayV2::Api + Properties: + ProtocolType: WEBSOCKET + Description: Test websocket API + ApiGatewayStage: Type: AWS::ApiGatewayV2::Stage Properties: - StageName: Prod - Description: Prod Stage - AccessLogSettings: - DestinationArn: "dest" - Format: "format" - RestApiId: !Ref MyRestApi - DeploymentId: !Ref TestDeployment - DocumentationVersion: "" - ApiId: "teste" - DefaultRouteSettings: \ No newline at end of file + DeploymentId: !Ref ApiGatewayDeployment + Description: Lambda API Stage v0 + ApiId: !Ref ApiGatewayRestApi + StageName: "v0" + DefaultRouteSettings: + DetailedMetricsEnabled: true + DataTraceEnabled: false + ThrottlingBurstLimit: 10 + ThrottlingRateLimit: 10 \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive2.json b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive2.json index 1798ea0f8e8..2133df7f76a 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive2.json +++ b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive2.json 
@@ -1,19 +1,25 @@ { - "AWSTemplateFormatVersion": "2010-09-09", - "Description": "Router53", - "Resources": { - "MyStage": { - "Type": "AWS::ApiGatewayV2::Stage", - "Properties": { - "Description": "Prod Stage", - "AccessLogSettings": { - "DestinationArn": "dest", - "Format": "format" - }, - "DeploymentId": "MyDeployment", - "ApiId": "CFNWebSocket", - "StageName": "Prod" - } + "AWSTemplateFormatVersion": "2010-09-09", + "Resources": { + "MyStage": { + "Type": "AWS::ApiGateway::Stage", + "Properties": { + "StageName": "Prod", + "Description": "Prod Stage", + "DeploymentId": { + "Ref": "MyDeployment" + }, + "MethodSettings": { + "DetailedMetricsEnabled": true, + "LoggingLevel": "INFO", + "DataTraceEnabled": false, + "ThrottlingBurstLimit": 10, + "ThrottlingRateLimit": 10 + }, + "RestApiId": { + "Ref": "CFNWebSocket" + } + } + } } - } -} +} \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive3.json b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive3.json index dcc63234775..1d2171c4ac8 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive3.json +++ b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive3.json 
@@ -1,29 +1,19 @@ { "AWSTemplateFormatVersion": "2010-09-09", + "Description": "Router53", "Resources": { "MyStage": { - "Type": "AWS::ApiGatewayV2::Stage", + "Type": "AWS::ApiGateway::Stage", "Properties": { - "StageName": "Prod", "Description": "Prod Stage", - "AccessLogSettings": { + "AccessLogSetting": { "DestinationArn": "dest", "Format": "format" }, - "DeploymentId": { - "Ref": "MyDeployment" - }, - "ApiId": { - "Ref": "CFNWebSocket" - }, - "DefaultRouteSettings": { - "DetailedMetricsEnabled": true, - "LoggingLevel": "OFF", - "DataTraceEnabled": false, - "ThrottlingBurstLimit": 10, - "ThrottlingRateLimit": 10 - } + "DeploymentId": "MyDeployment", + "RestApiId": "CFNWebSocket", + "StageName": "Prod" } } } -} +} \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive17.yaml b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive4.yaml similarity index 52% rename from assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive17.yaml rename to assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive4.yaml index e75aeb6159b..ff2587b2c87 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive17.yaml +++ b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive4.yaml @@ -1,12 +1,12 @@ Resources: Prod: - Type: AWS::ApiGatewayV2::Stage + Type: AWS::ApiGateway::Stage Properties: StageName: Prod Description: Prod Stage + AccessLogSetting: + DestinationArn: "dest" + Format: "format" RestApiId: !Ref MyRestApi DeploymentId: !Ref TestDeployment - DocumentationVersion: "" - ApiId: "teste" - DefaultRouteSettings: - LoggingLevel: "ON" \ No newline at end of file + DocumentationVersion: "" \ No newline at end of file 
diff --git a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive5.json b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive5.json index 0b3f72e21f8..8dd532335a1 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive5.json +++ b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive5.json @@ -2,22 +2,21 @@ "AWSTemplateFormatVersion": "2010-09-09", "Resources": { "MyStage": { - "Type": "AWS::ApiGatewayV2::Stage", + "Type": "AWS::ApiGateway::Stage", "Properties": { "StageName": "Prod", "Description": "Prod Stage", + "AccessLogSetting": { + "DestinationArn": "dest", + "Format": "format" + }, "DeploymentId": { "Ref": "MyDeployment" }, - "ApiId": { + "RestApiId": { "Ref": "CFNWebSocket" }, - "DefaultRouteSettings": { - "DetailedMetricsEnabled": true, - "LoggingLevel": "INFO", - "DataTraceEnabled": false, - "ThrottlingBurstLimit": 10, - "ThrottlingRateLimit": 10 + "MethodSettings": { } } } diff --git a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive6.json b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive6.json deleted file mode 100644 index 2133df7f76a..00000000000 --- a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive6.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "AWSTemplateFormatVersion": "2010-09-09", - "Resources": { - "MyStage": { - "Type": "AWS::ApiGateway::Stage", - "Properties": { - "StageName": "Prod", - "Description": "Prod Stage", - "DeploymentId": { - "Ref": "MyDeployment" - }, - "MethodSettings": { - "DetailedMetricsEnabled": true, - "LoggingLevel": "INFO", - "DataTraceEnabled": false, - "ThrottlingBurstLimit": 10, - "ThrottlingRateLimit": 10 - }, - "RestApiId": { - "Ref": "CFNWebSocket" - } - } - } - } -} \ No newline at end of file 
diff --git a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive16.yaml b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive6.yaml similarity index 68% rename from assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive16.yaml rename to assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive6.yaml index 11ebeedb967..4adf05d2a6c 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive16.yaml +++ b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive6.yaml @@ -4,8 +4,10 @@ Resources: Properties: StageName: Prod Description: Prod Stage + AccessLogSetting: + DestinationArn: "dest" + Format: "format" RestApiId: !Ref MyRestApi DeploymentId: !Ref TestDeployment DocumentationVersion: "" - MethodSettings: - LoggingLevel: "ON" \ No newline at end of file + MethodSettings: \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive7.json b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive7.json index 1d2171c4ac8..3bbd4b22c77 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive7.json +++ b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive7.json 
@@ -1,18 +1,28 @@ { "AWSTemplateFormatVersion": "2010-09-09", - "Description": "Router53", "Resources": { "MyStage": { "Type": "AWS::ApiGateway::Stage", "Properties": { + "StageName": "Prod", "Description": "Prod Stage", "AccessLogSetting": { "DestinationArn": "dest", "Format": "format" }, - "DeploymentId": "MyDeployment", - "RestApiId": "CFNWebSocket", - "StageName": "Prod" + "DeploymentId": { + "Ref": "MyDeployment" + }, + "RestApiId": { + "Ref": "CFNWebSocket" + }, + "MethodSettings": { + "DetailedMetricsEnabled": true, + "LoggingLevel": "OFF", + "DataTraceEnabled": false, + "ThrottlingBurstLimit": 10, + "ThrottlingRateLimit": 10 + } } } } diff --git a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive8.yaml b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive8.yaml index ff2587b2c87..91e68e12d8f 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive8.yaml +++ b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive8.yaml @@ -9,4 +9,6 @@ Resources: Format: "format" RestApiId: !Ref MyRestApi DeploymentId: !Ref TestDeployment - DocumentationVersion: "" \ No newline at end of file + DocumentationVersion: "" + MethodSettings: + LoggingLevel: "OFF" \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive9.yaml b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive9.yaml index cde2ef542eb..11ebeedb967 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive9.yaml +++ b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive9.yaml 
@@ -1,13 +1,11 @@ Resources: Prod: - Type: AWS::ApiGatewayV2::Stage + Type: AWS::ApiGateway::Stage Properties: StageName: Prod Description: Prod Stage - AccessLogSettings: - DestinationArn: "dest" - Format: "format" RestApiId: !Ref MyRestApi DeploymentId: !Ref TestDeployment DocumentationVersion: "" - ApiId: "teste" \ No newline at end of file + MethodSettings: + LoggingLevel: "ON" \ No newline at end of file diff --git a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json index 9d8ccfea665..0b6a0645294 100644 --- a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json +++ b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json 
@@ -8,91 +8,91 @@ { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", "severity": "MEDIUM", - "line": 7, - "fileName": "positive2.json" + "line": 6, + "fileName": "positive2.json" }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", "severity": "MEDIUM", - "line": 21, + "line": 7, "fileName": "positive3.json" }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", "severity": "MEDIUM", - "line": 19, - "fileName": "positive4.json" + "line": 4, + "fileName": "positive4.yaml" }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", "severity": "MEDIUM", - "line": 6, + "line": 19, "fileName": "positive5.json" }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", "severity": "MEDIUM", - "line": 6, - "fileName": "positive6.json" + "line": 19, + "fileName": "positive5.json" }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", "severity": "MEDIUM", - "line": 7, - "fileName": "positive7.json" + "line": 4, + "fileName": "positive6.yaml" }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", "severity": "MEDIUM", - "line": 4, - "fileName": "positive8.yaml" + "line": 13, + "fileName": "positive6.yaml" }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", "severity": "MEDIUM", - "line": 4, - "fileName": "positive9.yaml" + "line": 21, + "fileName": "positive7.json" }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", "severity": "MEDIUM", - "line": 19, - "fileName": "positive10.json" + "line": 14, + "fileName": "positive8.yaml" }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", "severity": "MEDIUM", - "line": 19, - "fileName": "positive10.json" + "line": 4, + "fileName": "positive9.yaml" }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", "severity": "MEDIUM", - "line": 4, - "fileName": "positive11.yaml" + "line": 11, 
+ "fileName": "positive10.yaml" }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", "severity": "MEDIUM", - "line": 13, - "fileName": "positive11.yaml" + "line": 11, + "fileName": "positive10.yaml" }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", "severity": "MEDIUM", - "line": 21, - "fileName": "positive12.json" + "line": 11, + "fileName": "positive11.yaml" }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", "severity": "MEDIUM", - "line": 4, - "fileName": "positive13.yaml" + "line": 18, + "fileName": "positive12.yaml" }, { "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", "severity": "MEDIUM", - "line": 14, + "line": 16, "fileName": "positive13.yaml" }, { @@ -100,23 +100,5 @@ "severity": "MEDIUM", "line": 14, "fileName": "positive14.yaml" - }, - { - "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", - "severity": "MEDIUM", - "line": 15, - "fileName": "positive15.yaml" - }, - { - "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", - "severity": "MEDIUM", - "line": 4, - "fileName": "positive16.yaml" - }, - { - "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined", - "severity": "MEDIUM", - "line": 4, - "fileName": "positive17.yaml" } ] From 8c4bc47920e35a38644a120b29cdee7e2b7619ec Mon Sep 17 00:00:00 2001 From: Artur Ribeiro Date: Mon, 17 Jun 2024 11:28:48 +0100 Subject: [PATCH 2/2] add negative unit test for protocolType HTTP --- .../test/negative10.yaml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/negative10.yaml diff --git a/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/negative10.yaml b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/negative10.yaml new file mode 100644 index 00000000000..86200ed61b9 --- /dev/null 
+++ b/assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/negative10.yaml @@ -0,0 +1,18 @@ +AWSTemplateFormatVersion: "2010-09-09" +# line 8, defines API of WEBSOCKET protocol but there's AccessLogSettings in Stage (line 11) already defined +Resources: + ApiGatewayRestApi: + Type: AWS::ApiGatewayV2::Api + Properties: + ProtocolType: HTTP + Description: Test websocket API + ApiGatewayStage: + Type: AWS::ApiGatewayV2::Stage + Properties: + DeploymentId: !Ref ApiGatewayDeployment + Description: Lambda API Stage v0 + ApiId: !Ref ApiGatewayRestApi + StageName: "v0" + AccessLogSettings: + DestinationArn: "dest" + Format: "format" \ No newline at end of file