fix(cloudformation): query API Gateway V2 Stage Access Logging Settings Not Defined with FP

assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/query.rego

@@ -3,65 +3,121 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.cloudformation as cf_lib
 
+# Checks if Properties.AccessLogSettings exists for "AWS::ApiGatewayV2::Stage"
 CxPolicy[result] {
-	document := input.document
-	resource = document[i].Resources[name]
+	doc := input.document[i]
+	resource := doc.Resources[stage]
 	resource.Type == "AWS::ApiGatewayV2::Stage"
+
+	properties := resource.Properties
+	not properties.DefaultRouteSettings
+	not properties.AccessLogSettings
+
+	result := {
+		"documentId": doc.id,
+		"issueType": "MissingAttribute",
+		"keyExpectedValue": "'AccessLogSettings' should be defined",
+		"keyActualValue": "'AccessLogSettings' is not defined",
+		"resourceType": resource.Type,
+		"resourceName": cf_lib.get_resource_name(resource, stage),
+		"searchKey": sprintf("Resources.%s.Properties", [stage]),
+	}
+}
 
+# Checks if Properties.AccessLogSettings exists for "AWS::ApiGateway::Stage"
+CxPolicy[result] {
+	doc := input.document[i]
+	resource := doc.Resources[stage]
+	resource.Type == "AWS::ApiGateway::Stage"
 	properties := resource.Properties
-	searchKeyValid := common_lib.valid_non_empty_key(properties, "DefaultRouteSettings")
+
+	not properties.AccessLogSetting
 
 	result := {
-		"documentId": input.document[i].id,
+		"documentId": doc.id,
+		"issueType": "MissingAttribute",
+		"keyExpectedValue": "'AccessLogSetting' should be defined",
+		"keyActualValue": "'AccessLogSetting' is not defined",
 		"resourceType": resource.Type,
-		"resourceName": cf_lib.get_resource_name(resource, name),
+		"resourceName": cf_lib.get_resource_name(resource, stage),
+		"searchKey": sprintf("Resources.%s.Properties", [stage]),
+	}
+}
+
+# Checks if ProtocolType == WEBSOCKET for AWS::ApiGatewayV2::Api & Properties.DefaultRouteSettings Key exists for "AWS::ApiGatewayV2::Stage"
+CxPolicy[result] {
+	document := input.document
+	api_resource := document[i].Resources[_]
+	api_resource.Type == "AWS::ApiGatewayV2::Api"
+	api_resource.Properties.ProtocolType == "WEBSOCKET"
+
+	stage_resource := document[i].Resources[name]
+	stage_resource.Type == "AWS::ApiGatewayV2::Stage"
+	properties := stage_resource.Properties
+	not properties.AccessLogSettings
+	searchKeyValid := common_lib.valid_non_empty_key(properties, "DefaultRouteSettings")
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": stage_resource.Type,
+		"resourceName": cf_lib.get_resource_name(stage_resource, name),
 		"searchKey": sprintf("Resources.%s.Properties%s", [name, searchKeyValid]),
 		"issueType": "MissingAttribute",
 		"keyExpectedValue": sprintf("Resources.%s.Properties.DefaultRouteSettings should be defined and not null", [name]),
 		"keyActualValue": sprintf("Resources.%s.Properties.DefaultRouteSettings are undefined or null", [name]),
 	}
 }
 
+# Checks if ProtocolType == WEBSOCKET for AWS::ApiGatewayV2::Api & Properties.DefaultRouteSettings.LoggingLevel Key exists for "AWS::ApiGatewayV2::Stage"
 CxPolicy[result] {
 	document := input.document
-	resource = document[i].Resources[name]
-	resource.Type == "AWS::ApiGatewayV2::Stage"
-
-	properties := resource.Properties
+	api_resource := document[i].Resources[_]
+	api_resource.Type == "AWS::ApiGatewayV2::Api"
+	api_resource.Properties.ProtocolType == "WEBSOCKET"
+
+	stage_resource := document[i].Resources[name]
+	stage_resource.Type == "AWS::ApiGatewayV2::Stage"
+	properties := stage_resource.Properties
 	defaultRouteSettings := properties.DefaultRouteSettings
 	searchKeyValid := common_lib.valid_non_empty_key(defaultRouteSettings, "LoggingLevel")
 
 	result := {
 		"documentId": input.document[i].id,
-		"resourceType": resource.Type,
-		"resourceName": cf_lib.get_resource_name(resource, name),
+		"resourceType": stage_resource.Type,
+		"resourceName": cf_lib.get_resource_name(stage_resource, name),
 		"searchKey": sprintf("Resources.%s.Properties.DefaultRouteSettings%s", [name, searchKeyValid]),
 		"issueType": "MissingAttribute",
 		"keyExpectedValue": sprintf("Resources.%s.Properties.DefaultRouteSettings.LoggingLevel should be defined and not null", [name]),
 		"keyActualValue": sprintf("Resources.%s.Properties.DefaultRouteSettings.LoggingLevel are undefined or null", [name]),
 	}
 }
 
+# Checks if ProtocolType == WEBSOCKET for AWS::ApiGatewayV2::Api & properties.DefaultRouteSettings.LoggingLevel == OFF for "AWS::ApiGatewayV2::Stage"
 CxPolicy[result] {
 	document := input.document
-	resource = document[i].Resources[name]
-	resource.Type == "AWS::ApiGatewayV2::Stage"
-
-	properties := resource.Properties
-	loggingLevel := properties.DefaultRouteSettings.LoggingLevel
-	loggingLevel == "OFF"
+
+	api_resource := document[i].Resources[_]
+	api_resource.Type == "AWS::ApiGatewayV2::Api"
+	api_resource.Properties.ProtocolType == "WEBSOCKET"
+
+	stage_resource := document[i].Resources[name]
+	stage_resource.Type == "AWS::ApiGatewayV2::Stage"
+    stage_properties := stage_resource.Properties
+	stage_properties.DefaultRouteSettings.LoggingLevel == "OFF"
+    not stage_properties.AccessLogSettings
 
 	result := {
 		"documentId": input.document[i].id,
-		"resourceType": resource.Type,
-		"resourceName": cf_lib.get_resource_name(resource, name),
+		"resourceType": stage_resource.Type,
+		"resourceName": cf_lib.get_resource_name(stage_resource, name),
 		"searchKey": sprintf("Resources.%s.Properties.DefaultRouteSettings.LoggingLevel", [name]),
 		"issueType": "IncorrectValue",
-		"keyExpectedValue": sprintf("Resources.%s.Properties.DefaultRouteSettings.LoggingLevel should not be set to OFF", [name]),
+		"keyExpectedValue": sprintf("Resources.%s.Properties.DefaultRouteSettings.LoggingLevel should be defined and not null", [name]),
 		"keyActualValue": sprintf("Resources.%s.Properties.DefaultRouteSettings.LoggingLevel is OFF", [name]),
 	}
 }
 
+# Checks if properties.MethodSettings Key exists for "AWS::ApiGateway::Stage"
 CxPolicy[result] {
 	document := input.document
 	resource = document[i].Resources[name]
@@ -81,6 +137,7 @@ CxPolicy[result] {
 	}
 }
 
+# Checks if properties.MethodSettings.LoggingLevel Key exists for "AWS::ApiGateway::Stage"
 CxPolicy[result] {
 	document := input.document
 	resource = document[i].Resources[name]
@@ -101,6 +158,7 @@ CxPolicy[result] {
 	}
 }
 
+# Checks if properties.MethodSettings.LoggingLevel == OFF for "AWS::ApiGateway::Stage"
 CxPolicy[result] {
 	document := input.document
 	resource = document[i].Resources[name]
@@ -120,41 +178,3 @@ CxPolicy[result] {
 		"keyActualValue": sprintf("Resources.%s.Properties.MethodSettings.LoggingLevel is OFF", [name]),
 	}
 }
-
-CxPolicy[result] {
-	doc := input.document[i]
-	resource := doc.Resources[stage]
-	resource.Type == "AWS::ApiGatewayV2::Stage"
-	properties := resource.Properties
-
-	not properties.AccessLogSettings
-
-	result := {
-		"documentId": doc.id,
-		"issueType": "MissingAttribute",
-		"keyExpectedValue": "'AccessLogSettings' should be defined",
-		"keyActualValue": "'AccessLogSettings' is not defined",
-		"resourceType": resource.Type,
-		"resourceName": cf_lib.get_resource_name(resource, stage),
-		"searchKey": sprintf("Resources.%s.Properties", [stage]),
-	}
-}
-
-CxPolicy[result] {
-	doc := input.document[i]
-	resource := doc.Resources[stage]
-	resource.Type == "AWS::ApiGateway::Stage"
-	properties := resource.Properties
-
-	not properties.AccessLogSetting
-
-	result := {
-		"documentId": doc.id,
-		"issueType": "MissingAttribute",
-		"keyExpectedValue": "'AccessLogSetting' should be defined",
-		"keyActualValue": "'AccessLogSetting' is not defined",
-		"resourceType": resource.Type,
-		"resourceName": cf_lib.get_resource_name(resource, stage),
-		"searchKey": sprintf("Resources.%s.Properties", [stage]),
-	}
-}

assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/negative10.yaml

@@ -0,0 +1,18 @@
+AWSTemplateFormatVersion: "2010-09-09"
+# line 8, defines API of WEBSOCKET protocol but there's AccessLogSettings in Stage (line 11) already defined
+Resources:
+  ApiGatewayRestApi:
+    Type: AWS::ApiGatewayV2::Api
+    Properties:
+      ProtocolType: HTTP
+      Description: Test websocket API
+  ApiGatewayStage:
+    Type: AWS::ApiGatewayV2::Stage
+    Properties:
+      DeploymentId: !Ref ApiGatewayDeployment
+      Description: Lambda API Stage v0
+      ApiId: !Ref ApiGatewayRestApi
+      StageName: "v0"
+      AccessLogSettings: 
+        DestinationArn: "dest"
+        Format: "format"

assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/negative5.yaml

@@ -0,0 +1,21 @@
+AWSTemplateFormatVersion: "2010-09-09"
+# line 8, defines API of WEBSOCKET protocol but there's DefaultRouteSettings in Stage (line 11) already defined
+Resources:
+  ApiGatewayRestApi:
+    Type: AWS::ApiGatewayV2::Api
+    Properties:
+      ProtocolType: WEBSOCKET
+      Description: Test websocket API
+  ApiGatewayStage:
+    Type: AWS::ApiGatewayV2::Stage
+    Properties:
+      DeploymentId: !Ref ApiGatewayDeployment
+      Description: Lambda API Stage v0
+      ApiId: !Ref ApiGatewayRestApi
+      StageName: "v0" 
+      DefaultRouteSettings:
+        DetailedMetricsEnabled: true
+        LoggingLevel: INFO
+        DataTraceEnabled: false
+        ThrottlingBurstLimit: 10
+        ThrottlingRateLimit: 10

assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/negative6.yaml

@@ -0,0 +1,18 @@
+AWSTemplateFormatVersion: "2010-09-09"
+# line 8, defines API of WEBSOCKET protocol but there's AccessLogSettings in Stage (line 11) already defined
+Resources:
+  ApiGatewayRestApi:
+    Type: AWS::ApiGatewayV2::Api
+    Properties:
+      ProtocolType: WEBSOCKET
+      Description: Test websocket API
+  ApiGatewayStage:
+    Type: AWS::ApiGatewayV2::Stage
+    Properties:
+      DeploymentId: !Ref ApiGatewayDeployment
+      Description: Lambda API Stage v0
+      ApiId: !Ref ApiGatewayRestApi
+      StageName: "v0"
+      AccessLogSettings: 
+        DestinationArn: "dest"
+        Format: "format"

assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/negative7.json

@@ -0,0 +1,19 @@
+{
+  "AWSTemplateFormatVersion": "2010-09-09",
+  "Description": "Router53",
+  "Resources": {
+    "MyStage": {
+      "Type": "AWS::ApiGatewayV2::Stage",
+      "Properties": {
+        "Description": "Prod Stage",
+        "AccessLogSettings": {
+            "DestinationArn": "dest",
+            "Format": "format"
+        },
+        "DeploymentId": "MyDeployment",
+        "ApiId": "CFNWebSocket",
+        "StageName": "Prod"
+      }
+    }
+  }
+}

assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive15.yaml → assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/negative8.yaml

@@ -10,6 +10,4 @@ Resources:
       RestApiId: !Ref MyRestApi
       DeploymentId: !Ref TestDeployment
       DocumentationVersion: ""
-      ApiId: "teste"
-      DefaultRouteSettings:
-        LoggingLevel: "OFF"
+      ApiId: "teste"

assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive4.json → assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/negative9.json

@@ -6,10 +6,6 @@
       "Properties": {
         "StageName": "Prod",
         "Description": "Prod Stage",
-        "AccessLogSettings": {
-            "DestinationArn": "dest",
-            "Format": "format"
-        },
         "DeploymentId": {
           "Ref": "MyDeployment"
         },
@@ -18,11 +14,12 @@
         },
         "DefaultRouteSettings": {
           "DetailedMetricsEnabled": true,
+          "LoggingLevel": "INFO",
           "DataTraceEnabled": false,
           "ThrottlingBurstLimit": 10,
           "ThrottlingRateLimit": 10
         }
       }
     }
   }
-}
+}

assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive10.yaml

@@ -0,0 +1,15 @@
+AWSTemplateFormatVersion: "2010-09-09"
+# line 8, defines API of Websocket protocol and there's no AccessLogSettings nor DefaultRouteSettings.LoggingLevel in Stage (line 11)
+Resources:
+  ApiGatewayRestApi:
+    Type: AWS::ApiGatewayV2::Api
+    Properties:
+      ProtocolType: WEBSOCKET
+      Description: Test websocket API
+  ApiGatewayStage:
+    Type: AWS::ApiGatewayV2::Stage
+    Properties:
+      DeploymentId: !Ref ApiGatewayDeployment
+      Description: Lambda API Stage v0
+      ApiId: !Ref ApiGatewayRestApi
+      StageName: "v0"

assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive11.yaml

@@ -1,13 +1,15 @@
+AWSTemplateFormatVersion: "2010-09-09"
+# line 8, defines API of HTTP protocol and there's no AccessLogSettings in Stage (line 11)
 Resources:
-  Prod:
-    Type: AWS::ApiGateway::Stage
+  ApiGatewayRestApi:
+    Type: AWS::ApiGatewayV2::Api
     Properties:
-      StageName: Prod
-      Description: Prod Stage
-      AccessLogSetting: 
-        DestinationArn: "dest"
-        Format: "format"
-      RestApiId: !Ref MyRestApi
-      DeploymentId: !Ref TestDeployment
-      DocumentationVersion: ""
-      MethodSettings:
+      ProtocolType: HTTP
+      Description: Test websocket API
+  ApiGatewayStage:
+    Type: AWS::ApiGatewayV2::Stage
+    Properties:
+      DeploymentId: !Ref ApiGatewayDeployment
+      Description: Lambda API Stage v0
+      ApiId: !Ref ApiGatewayRestApi
+      StageName: "v0"