Bug in aws_waf_web_acl resource - waf resource does not exist
jeraldsm opened this issue
InSpec resource aws_waf_web_acl fails to detect resources even though they actually exist.
InSpec and Platform Version
InSpec client version: 5.18.14
inspec-aws version: 1.83.43
Replication Case
We are trying to check whether the WAF resources exist in the AWS account using the InSpec resource aws_waf_web_acl, but unfortunately the InSpec execution fails because it does not detect the resource in AWS, even though the AWS WAF resource actually exists in the EU (Frankfurt) region.
× WebACLExists: WAF Web ACL Exists Tests (3 failed)
× Web ACL ID: d88828c3-6c85-xxxx is expected to exist
expected Web ACL ID: d88828c3-6c85-xxxx to exist
× Web ACL ID: a9a5cb86-e31e-xxxx is expected to exist
expected Web ACL ID: a9a5cb86-e31e-xxxx to exist
× Web ACL ID: a9793633-fd6a-xxxx is expected to exist
expected Web ACL ID: a9793633-fd6a-xxxx to exist
Following is the Ruby code for checking whether the WAF exists:
require "json"

# Input variables: read the Terraform-style attributes file bundled with the profile
content = inspec.profile.file("attributes.json")
params = JSON.parse(content)

# Get JSON values: the list of Web ACL IDs under the "web_acl_id" output
aws_waf_web_acl_id = params['web_acl_id']['value']

# Controls
control "WebACLExists" do
  impact 1.0
  title "WAF Web ACL Exists Tests"
  desc "Checking if the AWS WAF web ACLs have been successfully created"

  # One describe block per Web ACL ID
  aws_waf_web_acl_id.each do |element|
    describe aws_waf_web_acl(web_acl_id: element) do
      it { should exist }
    end
  end
end
Here's the JSON file from which the WAF IDs are parsed:
"web_acl_id": {
  "sensitive": false,
  "type": [
    "tuple",
    [
      "string",
      "string",
      "string"
    ]
  ],
  "value": [
    "d88828c3-6c85-xxxx",
    "a9a5cb86-e31e-xxxx",
    "a9793633-fd6a-xxxx"
  ]
}
Screenshot of AWS WAF resources:
Logs with debug
jeraldmanakkunnel@JERALDS-MACBOOK-PRO-NEW tests % inspec exec profile --chef-license accept-silent --input -t aws:// --log-level=debug
[2022-09-13T17:32:01+02:00] DEBUG: Option backend_cache is enabled
[2022-09-13T17:32:01+02:00] DEBUG: Resolve profile into cache /Users/jeraldmanakkunnel/.inspec/cache
[2022-09-13T17:32:01+02:00] DEBUG: Dependency does not exist in the cache profile
[2022-09-13T17:32:01+02:00] DEBUG: Starting run with targets: ["Inspec::Profile<InSpecTests>"]
[2022-09-13T17:32:01+02:00] DEBUG: Using existing lockfile profile/inspec.lock
[2022-09-13T17:32:01+02:00] DEBUG: Using cached dependency for {:url=>"https://github.com/inspec/inspec-aws/archive/refs/tags/v1.83.43.tar.gz", :sha256=>"06a775df12ea2371df1ca630a520ff032ddfa9f3e5c820ef3c9788cbe6017907", :backend=>Inspec::Backend::Class @transport=TrainPlugins::Aws::Connection, :inputs=>nil}
[2022-09-13T17:32:02+02:00] DEBUG: Loading libraries/aws_waf_web_acl.rb into #<Inspec::ProfileContext:0x00007f8c9b9977d8>
[2022-09-13T17:32:02+02:00] DEBUG: Loading libraries/aws_waf_web_acls.rb into #<Inspec::ProfileContext:0x00007f8c9b9977d8>
[2022-09-13T17:32:02+02:00] DEBUG: Loading libraries/aws_waf_xss_match_set.rb into #<Inspec::ProfileContext:0x00007f8c9b9977d8>
[2022-09-13T17:32:02+02:00] DEBUG: Loading libraries/aws_waf_xss_match_sets.rb into #<Inspec::ProfileContext:0x00007f8c9b9977d8>
[2022-09-13T17:32:02+02:00] DEBUG: Loading profile/controls/waf.rb into #<Inspec::ProfileContext:0x00007f8ccc9ca3a0>
[2022-09-13T17:32:03+02:00] WARN: AWS Service Error encountered running a control with Resource aws_waf_web_acl. Error message: The referenced item does not exist.. You should address this error to ensure your controls are behaving as expected.
[2022-09-13T17:32:04+02:00] WARN: AWS Service Error encountered running a control with Resource aws_waf_web_acl. Error message: The referenced item does not exist.. You should address this error to ensure your controls are behaving as expected.
[2022-09-13T17:32:04+02:00] WARN: AWS Service Error encountered running a control with Resource aws_waf_web_acl. Error message: The referenced item does not exist.. You should address this error to ensure your controls are behaving as expected.
[2022-09-13T17:32:04+02:00] DEBUG: Registering rule WebACLExists
Profile: InSpec Infrastructure Tests (InSpecTests)
Version: 1.0.0
Target: aws://eu-central-1
Target ID: 49c24f45-5eb1-5209-8546-5abd870ab9b7
× WebACLExists: WAF Web ACL Exists Tests (3 failed)
× Web ACL ID: d88828c3-6c85-xxxx is expected to exist
expected Web ACL ID: d88828c3-6c85-xxxx to exist
× Web ACL ID: a9a5cb86-e31e-xxxx is expected to exist
expected Web ACL ID: a9a5cb86-e31e-xxxx to exist
× Web ACL ID: a9793633-fd6a-xxxx is expected to exist
expected Web ACL ID: a9793633-fd6a-xxxx to exist
Profile: Amazon Web Services Resource Pack (inspec-aws)
Version: 1.83.43
Target: aws://eu-central-1
Target ID: 49c24f45-5eb1-5209-8546-5abd870ab9b7
No tests executed.
Profile Summary: 0 successful controls, 1 control failure, 0 controls skipped
Test Summary: 0 successful, 3 failures, 0 skipped
Is there something I can do to fix this? Any help will be appreciated.
This is happening because the v2 SDK is not supported yet.
For example, for load balancing, v2 has
https://github.com/inspec/inspec-aws/blob/main/libraries/aws_backend.rb
require "aws-sdk-elasticloadbalancing"
require "aws-sdk-elasticloadbalancingv2"
WAF only has 1.0 support:
require "aws-sdk-waf"
...
def waf_client
  aws_client(Aws::WAF::Client)
end
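As an added example (not the issue author's code and not part of inspec-aws), the Ruby below puts the two halves of this thread side by side: loading the Web ACL IDs from a Terraform-output-style attributes.json with a shape check, and an existence check written against the WAFv2 API, whose GetWebACL takes name, scope and id, whereas the WAF Classic client behind aws_waf_web_acl takes only web_acl_id, which is why a v2 ACL ID comes back as "The referenced item does not exist". Wafv2WebAclCheck, load_web_acl_ids, check_all, FakeWafv2Client and the sample attributes, names and ARN are all constructed for this example; the client object is injectable so the block runs offline, and when none is given it loads the aws-sdk-wafv2 gem and uses Aws::WAFV2::Client.

```ruby
require "json"

# Load the IDs from a Terraform-output-style attributes.json and validate the
# "tuple" shape before any AWS call is made (a malformed file fails here, not
# inside the control).
def load_web_acl_ids(json_text)
  out = JSON.parse(json_text).fetch("web_acl_id")
  kind, member_types = out.fetch("type")
  values = out.fetch("value")
  raise ArgumentError, "expected a tuple output, got #{kind.inspect}" unless kind == "tuple"
  member_types = Array(member_types)
  unless values.is_a?(Array) && values.size == member_types.size
    raise ArgumentError, "tuple declares #{member_types.size} members, value has #{values.size}"
  end
  values.each do |v|
    raise ArgumentError, "empty or non-string web ACL id: #{v.inspect}" unless v.is_a?(String) && !v.empty?
  end
  values
end

# Existence check against the WAFv2 API (hypothetical helper, not an inspec-aws resource).
class Wafv2WebAclCheck
  # client: any object answering get_web_acl(name:, scope:, id:); without one the
  # real Aws::WAFV2::Client is used, with the gem loaded lazily.
  def initialize(name:, scope:, id:, client: nil)
    raise ArgumentError, "scope must be REGIONAL or CLOUDFRONT" unless %w[REGIONAL CLOUDFRONT].include?(scope)
    @name, @scope, @id = name, scope, id
    @client = client || begin
      require "aws-sdk-wafv2"
      Aws::WAFV2::Client.new
    end
  end

  def exists?
    resp = @client.get_web_acl(name: @name, scope: @scope, id: @id)
    !resp.web_acl.nil?
  rescue StandardError => e
    # The SDK raises Aws::WAFV2::Errors::WAFNonexistentItemException when the ACL
    # is absent; matching on the class name keeps the fake client SDK-free.
    raise unless e.class.name.end_with?("WAFNonexistentItemException")
    false
  end
end

# Constructed in-memory stand-in for Aws::WAFV2::Client (sample data, not real AWS).
class WAFNonexistentItemException < StandardError; end

class FakeWafv2Client
  Acl  = Struct.new(:name, :id, :arn)
  Resp = Struct.new(:web_acl, :lock_token)

  def initialize(acls)
    @acls = acls # { [name, scope, id] => Acl }
  end

  def get_web_acl(name:, scope:, id:)
    acl = @acls[[name, scope, id]]
    raise WAFNonexistentItemException, "The referenced item does not exist." unless acl
    Resp.new(acl, "constructed-lock-token")
  end
end

# Constructed sample input in the same shape as the attributes.json from the issue.
SAMPLE_ATTRIBUTES = <<~EOS
  {"web_acl_id": {"sensitive": false,
   "type": ["tuple", ["string", "string"]],
   "value": ["d88828c3-6c85-xxxx", "a9a5cb86-e31e-xxxx"]}}
EOS

# Only the first sample ID exists as a REGIONAL WAFv2 ACL in the fake account.
SAMPLE_CLIENT = FakeWafv2Client.new({
  ["app-acl", "REGIONAL", "d88828c3-6c85-xxxx"] => FakeWafv2Client::Acl.new(
    "app-acl", "d88828c3-6c85-xxxx",
    "arn:aws:wafv2:eu-central-1:000000000000:regional/webacl/app-acl/d88828c3-6c85-xxxx"
  )
})

# Check every ID from the attributes file; returns { id => true/false }.
def check_all(json_text, names_by_id, scope, client)
  load_web_acl_ids(json_text).to_h do |id|
    check = Wafv2WebAclCheck.new(name: names_by_id.fetch(id, ""), scope: scope, id: id, client: client)
    [id, check.exists?]
  end
end

if __FILE__ == $PROGRAM_NAME
  puts check_all(SAMPLE_ATTRIBUTES, { "d88828c3-6c85-xxxx" => "app-acl" }, "REGIONAL", SAMPLE_CLIENT).inspect
end
```

The name-and-scope requirement is the practical difference: a WAFv2 control needs those values alongside the ID (for example as further Terraform outputs), so a profile that only carries the bare UUIDs cannot locate a v2 ACL through either client.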