From d1efb9c218687bb4badf032d16a32f8ca420e666 Mon Sep 17 00:00:00 2001
From: Ori Bendet
Date: Sat, 28 Feb 2026 17:50:16 -0500
Subject: [PATCH] fix(terraform): exclude NLBs and GWLBs from ALB WAF integration check

Network Load Balancers (load_balancer_type = "network") and Gateway Load Balancers (load_balancer_type = "gateway") do not support WAF integration, so the "ALB Is Not Integrated With WAF" rule should only apply to Application Load Balancers. Add is_nlb() helper (mirroring is_internal_alb()) and exclude non-ALB resources from the CxPolicy condition. Add a negative test case for an NLB without WAF to cover this scenario.

Fixes #7964

Co-Authored-By: Claude Sonnet 4.6
---
 .../terraform/aws/alb_is_not_integrated_with_waf/query.rego | 6 ++++++
 .../aws/alb_is_not_integrated_with_waf/test/negative3.tf | 6 ++++++
 2 files changed, 12 insertions(+)
 create mode 100644 assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/negative3.tf

diff --git a/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/query.rego b/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/query.rego
index bca984dcf86..15514a775e2 100644
--- a/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/query.rego
+++ b/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/query.rego
@@ -11,6 +11,7 @@ CxPolicy[result] {
 lb := {"aws_alb", "aws_lb"}
 resource := input.document[i].resource[lb[idx]][name]
 not is_internal_alb(resource)
+ not is_nlb(resource)
 count({x | x := associated_waf(name)}) == 0
 
 result := {
@@ -28,6 +29,11 @@ is_internal_alb(resource) {
 resource.internal == true
 }
 
+is_nlb(resource) {
+ non_alb_types := {"network", "gateway"}
+ non_alb_types[resource.load_balancer_type]
+}
+
 associated_waf(name) {
 waf := input.document[_].resource[waf_resources[_]][_]
 attribute := waf.resource_arn
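Review bot: `is_nlb` is a misleading name for the helper added in the second hunk, whose `non_alb_types` set also matches `"gateway"`; at the call site in the first hunk, `not is_nlb(resource)` reads as if only Network Load Balancers were excluded. Renaming it `is_non_alb(resource)` in both hunks would keep the call site self-describing, and a one-line comment on the helper would record the fail-closed behaviour the set lookup gives for free: `# undefined when load_balancer_type is absent (the provider default is "application") or holds an unrecognised value, so such resources stay in scope of the WAF check`. The `CxPolicy[result]` body shown in the first hunk continues outside the hunk.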
diff --git a/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/negative3.tf b/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/negative3.tf
new file mode 100644
index 00000000000..012f9bc96ff
--- /dev/null
+++ b/assets/queries/terraform/aws/alb_is_not_integrated_with_waf/test/negative3.tf
@@ -0,0 +1,6 @@
+resource "aws_lb" "nlb" {
+ name = "test-nlb-tf"
+ internal = false
+ load_balancer_type = "network"
+ subnets = [for subnet in aws_subnet.public : subnet.id]
+}
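Review bot: This fixture only exercises `load_balancer_type = "network"`, so the `"gateway"` value that the commit message says is also excluded has no negative test; a sibling `negative4.tf` identical to this one except for `load_balancer_type = "gateway"` (and a distinct `name`) would cover the second member of the query's set. Keeping `internal = false` explicit, as done here, is the right choice, since it ensures the resource is excluded by the new load-balancer-type check rather than by the pre-existing `is_internal_alb` condition.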