From 9a99818268104af101e4fb0892adc733443c3f7b Mon Sep 17 00:00:00 2001
From: g0dfl3sh
Date: Fri, 13 Feb 2026 21:11:19 +0200
Subject: [PATCH 1/2] add conditional for query

---
 .../aws/alb_is_not_integrated_with_waf/query.rego | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/query.rego b/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/query.rego
index bca984dcf86..d3fe45f03c7 100644
--- a/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/query.rego
+++ b/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/query.rego
@@ -10,6 +10,7 @@ waf_resources := [
 CxPolicy[result] {
 lb := {"aws_alb", "aws_lb"}
 resource := input.document[i].resource[lb[idx]][name]
+ is_application_load_balancer(lb[idx], resource)
 not is_internal_alb(resource)
 count({x | x := associated_waf(name)}) == 0
 
@@ -24,6 +25,16 @@ CxPolicy[result] {
 }
 }
 
+is_application_load_balancer(lb_type, resource) {
+ # Both aws_alb and aws_lb with load_balancer_type "application" or not specified (defaults to application)
+ not resource.load_balancer_type
+}
+
+is_application_load_balancer(lb_type, resource) {
+ # Both aws_alb and aws_lb with load_balancer_type explicitly set to "application"
+ resource.load_balancer_type == "application"
+}
+
 is_internal_alb(resource) {
 resource.internal == true
 }

From 54def232b4b3c206fff9f5130dbf6f0d09193f48 Mon Sep 17 00:00:00 2001
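Review bot: The first argument on the added call, `lb[idx]`, is never read by either `is_application_load_balancer` body, so the call site passes dead data and a reader is led to believe the check differs between `aws_alb` and `aws_lb` when it does not. Dropping it to `is_application_load_balancer(resource)` (with the matching one-parameter definitions) makes the intent clear and avoids a future unused-argument lint. The `CxPolicy[result]` rule body continues past the end of this hunk.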
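Review bot: The two new bodies only match when `load_balancer_type` is absent or is the literal `"application"`; any other value makes the function undefined and the resource is silently dropped from the WAF check, which is fail-open for a security query. That presumably includes a value KICS could not resolve (a `${var.…}`-style string, if the parser leaves it that way — worth confirming) and a typo such as `"aplication"`, neither of which is a network or gateway load balancer. Inverting the logic so that only the known non-application types (`"network"`, `"gateway"`) are skipped keeps every other resource under review; the two comment lines are also inaccurate as written, since nothing in these bodies distinguishes `aws_alb` from `aws_lb`, so a comment like `# Skip only known non-application types; anything else (absent, unresolved, or unexpected) is still checked` states the actual contract.

```rego
# Treat the resource as an ALB unless its load_balancer_type is a known
# non-application literal; absent, unresolved or unexpected values are still checked.
is_application_load_balancer(lb_type, resource) {
	not is_non_application_lb(resource)
}

is_non_application_lb(resource) {
	resource.load_balancer_type == "network"
}

is_non_application_lb(resource) {
	resource.load_balancer_type == "gateway"
}
```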
From: g0dfl3sh
Date: Fri, 13 Feb 2026 21:13:44 +0200
Subject: [PATCH 2/2] add tests

---
 .../aws/alb_is_not_integrated_with_waf/test/negative3.tf | 6 ++++++
 .../aws/alb_is_not_integrated_with_waf/test/negative4.tf | 6 ++++++
 .../aws/alb_is_not_integrated_with_waf/test/positive3.tf | 5 +++++
 .../test/positive_expected_result.json | 6 ++++++
 4 files changed, 23 insertions(+)
 create mode 100644 assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/negative3.tf
 create mode 100644 assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/negative4.tf
 create mode 100644 assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/positive3.tf

diff --git a/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/negative3.tf b/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/negative3.tf
new file mode 100644
index 00000000000..93b4548fc31
--- /dev/null
+++ b/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/negative3.tf
@@ -0,0 +1,6 @@
+resource "aws_lb" "nlb" {
+ name = "test-nlb-tf"
+ internal = false
+ load_balancer_type = "network"
+ subnets = [aws_subnet.public1.id, aws_subnet.public2.id]
+}
diff --git a/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/negative4.tf b/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/negative4.tf
new file mode 100644
index 00000000000..c51bc5c7ddc
--- /dev/null
+++ b/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/negative4.tf
@@ -0,0 +1,6 @@
+resource "aws_alb" "nlb" {
+ name = "test-nlb-tf"
+ internal = false
+ load_balancer_type = "network"
+ subnets = [aws_subnet.public1.id, aws_subnet.public2.id]
+}
diff --git a/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/positive3.tf b/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/positive3.tf
new file mode 100644
index 00000000000..94754fc46d8
--- /dev/null
+++ b/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/positive3.tf
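Review bot: Both new negative fixtures exercise only `load_balancer_type = "network"`, so the other non-application type the guard in query.rego is meant to skip, `"gateway"`, is not pinned by any test. A third fixture that copies negative3.tf with `load_balancer_type = "gateway"` would lock that case in and catch a regression if the skip logic is ever tightened to a single literal. The two files otherwise differ only in the resource type, which is exactly what the `aws_alb` / `aws_lb` alias coverage needs.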
@@ -0,0 +1,5 @@
+resource "aws_lb" "alb" {
+ name = "test-lb-tf"
+ internal = false
+ subnets = [aws_subnet.public1.id, aws_subnet.public2.id]
+}
diff --git a/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/positive_expected_result.json b/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/positive_expected_result.json
index 412dc085a1f..1455e9ae090 100644
--- a/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/positive_expected_result.json
+++ b/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/positive_expected_result.json
@@ -10,5 +10,11 @@
 "severity": "MEDIUM",
 "line": 1,
 "filename": "positive2.tf"
+ },
+ {
+ "queryName": "ALB Is Not Integrated With WAF",
+ "severity": "MEDIUM",
+ "line": 1,
+ "filename": "positive3.tf"
 }
 ]
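Review bot: positive3.tf covers the branch where `load_balancer_type` is omitted, but nothing in this patch covers the other new branch, `load_balancer_type == "application"`, unless positive1.tf or positive2.tf (not shown here) already set it explicitly. A positive4.tf identical to this file plus `load_balancer_type = "application"`, with a matching entry in positive_expected_result.json, would make sure an explicitly typed public ALB without a WAF association still fails the query.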