
fix(query): handle list-form access_logs in ELBv2 LB Access Log Disabled#8068

Open
arpitjain099 wants to merge 1 commit into Checkmarx:master from arpitjain099:fix/elbv2-access-log-enabled-fp

Conversation

@arpitjain099


Description

The Terraform query aws/elb_v2_lb_access_log_disabled (ELBv2 LB Access Log Disabled) reports a false positive when access_logs is written as a list of objects rather than a single nested block.

The query read resource.access_logs.enabled directly, assuming access_logs is always parsed as an object. When the config uses the list form:

resource "aws_lb" "test" {
  name = "test-lb-tf"

  access_logs = [{
    bucket  = aws_s3_bucket.lb_logs.id
    enabled = true
  }]
}

the parser stores access_logs as an array, so resource.access_logs.enabled is undefined. The second CxPolicy block (not valid_key(resource.access_logs, "enabled")) then fires and the load balancer is flagged as having access logging disabled even though enabled = true.

Fix

Normalize access_logs to a list of blocks before the enabled check, mirroring the object-or-array handling already used by other queries (for example aws/efs_volume_with_disabled_transit_encryption). The enabled check then works for both the single-block and list shapes, and the search key / search line are indexed only in the list case so the single-block results are unchanged.

True positives are preserved: access_logs absent, enabled missing, or enabled not set to true are still reported, including when access_logs is a list.

Tests

  • test/negative3.tf: list-form access_logs with enabled = true (the reported false positive) - must not be flagged.
  • test/positive7.tf: list-form access_logs with enabled = false - must still be flagged.
  • test/positive_expected_result.json updated for positive7.tf.

Verified locally:

  • go test ./test/ -run 'TestQueries$/terraform/aws/elb_v2_lb_access_log_disabled' passes.
  • TestQueriesContent and TestQueriesMetadata for the query pass.
  • Reverting only query.rego while keeping the new fixtures makes the test fail (the original query flags negative3.tf and reports positive7.tf on the wrong line), confirming the fix is what resolves the false positive.

Closes #8036
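The object-or-array normalization described in the Fix section, modelled in Python as an added example (this is not the query's Rego and not KICS code): the original single-object check is placed beside the normalized one and both are run over constructed resource dicts shaped like the fixtures named above. The function names and the dict/list shapes of the parsed `access_logs` attribute are assumptions.

```python
# Added example: models a parsed aws_lb resource as a dict. The parser yields
# access_logs either as a dict (single nested block) or as a list of dicts
# (list form, as in negative3.tf / positive7.tf).

def as_blocks(value):
    """Normalize an object-or-array attribute to a list of blocks."""
    if isinstance(value, list):
        return [b for b in value if isinstance(b, dict)]
    if isinstance(value, dict):
        return [value]
    return []


def naive_access_log_disabled(resource):
    """Original logic: reads access_logs.enabled as if it were always an object.
    A list-form access_logs has no 'enabled' key at the top level, so it is
    flagged even when the block inside says enabled = true (the false positive)."""
    logs = resource.get("access_logs")
    if not isinstance(logs, dict) or "enabled" not in logs:
        return True
    return logs["enabled"] is not True


def access_log_findings(resource):
    """Fixed logic: normalize first, then check each block.
    Returns (block_index, reason) per finding; block_index is None for the
    single-block shape (results unchanged) and the list position otherwise."""
    raw = resource.get("access_logs")
    if raw is None:
        return [(None, "access_logs undefined")]
    is_list = isinstance(raw, list)
    findings = []
    for i, block in enumerate(as_blocks(raw)):
        idx = i if is_list else None
        if "enabled" not in block:
            findings.append((idx, "access_logs.enabled undefined"))
        elif block["enabled"] is not True:
            findings.append((idx, "access_logs.enabled not true"))
    return findings


# Constructed inputs mirroring the cases discussed in the PR.
SINGLE_BLOCK_ENABLED = {"name": "lb", "access_logs": {"bucket": "logs", "enabled": True}}
LIST_ENABLED = {"name": "lb", "access_logs": [{"bucket": "logs", "enabled": True}]}
LIST_DISABLED = {"name": "lb", "access_logs": [{"bucket": "logs", "enabled": False}]}
NO_ACCESS_LOGS = {"name": "lb"}
ENABLED_MISSING = {"name": "lb", "access_logs": {"bucket": "logs"}}

if __name__ == "__main__":
    for name, res in [("negative3", LIST_ENABLED), ("positive7", LIST_DISABLED)]:
        print(name, "naive:", naive_access_log_disabled(res), "fixed:", access_log_findings(res))
```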

The Terraform query aws/elb_v2_lb_access_log_disabled assumed access_logs was
always parsed as a single object and read resource.access_logs.enabled directly.
When access_logs is written as a list (access_logs = [{ ... enabled = true }]),
the parser stores it as an array, so that path is undefined and the load
balancer is flagged even though access logging is enabled.

Normalize access_logs to a list of blocks (mirroring the object-or-array
handling used by other queries such as efs_volume_with_disabled_transit_encryption)
so the enabled check works for both the single-block and list shapes. The
true-positive cases (access_logs absent, enabled missing, or enabled = false)
are still reported, including when access_logs is a list.

Adds negative3.tf (list form with enabled = true, must not flag) and
positive7.tf (list form with enabled = false, must still flag).

Closes Checkmarx#8036

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
Development

Successfully merging this pull request may close these issues.

bug(terraform): ELBv2 LB Access Log Disabled - false positives