Merged API Gateway Stage Access Logging Settings Not Defined into API…

… Gateway Access Logging Disabled and corresponding unit tests

assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/metadata.json

@@ -1,12 +1,12 @@
 {
-    "id": "999ecb35-10df-4d73-8f17-3f4b8c3beec5",
-    "queryName": "API Gateway Access Logging Disabled",
-    "severity": "MEDIUM",
-    "category": "Observability",
-    "descriptionText": "API Gateway should have Access Log Settings defined",
-    "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-stage.html#cfn-apigateway-stage-accesslogsetting",
-    "platform": "CloudFormation",
-    "descriptionID": "d7151524",
-    "cloudProvider": "aws",
-    "cwe": ""
-  }
+  "id": "80d45af4-4920-4236-a56e-b7ef419d1941",
+  "queryName": "API Gateway Access Logging Disabled",
+  "severity": "MEDIUM",
+  "category": "Observability",
+  "descriptionText": "API Gateway Stage should have Access Logging Settings defined",
+  "descriptionUrl": "https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-apigatewayv2-stage.html#cfn-apigatewayv2-stage-accesslogsettings",
+  "platform": "CloudFormation",
+  "descriptionID": "2a69fc63",
+  "cloudProvider": "aws",
+  "cwe": ""
+}

assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/query.rego

@@ -1,12 +1,131 @@
 package Cx
 
+import data.generic.common as common_lib
 import data.generic.cloudformation as cf_lib
 
+CxPolicy[result] {
+	document := input.document
+	resource = document[i].Resources[name]
+	resource.Type == "AWS::ApiGatewayV2::Stage"
+
+	properties := resource.Properties
+	not common_lib.valid_key(properties, "DefaultRouteSettings")
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": resource.Type,
+		"resourceName": cf_lib.get_resource_name(resource, name),
+		"searchKey": sprintf("Resources.%s.Properties", [name]),
+		"issueType": "MissingAttribute",
+		"keyExpectedValue": sprintf("Resources.%s.Properties.DefaultRouteSettings should be defined and not null", [name]),
+		"keyActualValue": sprintf("Resources.%s.Properties.DefaultRouteSettings are undefined or null", [name]),
+	}
+}
+
+CxPolicy[result] {
+	document := input.document
+	resource = document[i].Resources[name]
+	resource.Type == "AWS::ApiGatewayV2::Stage"
+
+	properties := resource.Properties
+	defaultRouteSettings := properties.DefaultRouteSettings
+	not common_lib.valid_key(defaultRouteSettings, "LoggingLevel")
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": resource.Type,
+		"resourceName": cf_lib.get_resource_name(resource, name),
+		"searchKey": sprintf("Resources.%s.Properties.DefaultRouteSettings", [name]),
+		"issueType": "MissingAttribute",
+		"keyExpectedValue": sprintf("Resources.%s.Properties.DefaultRouteSettings.LoggingLevel should be defined and not null", [name]),
+		"keyActualValue": sprintf("Resources.%s.Properties.DefaultRouteSettings.LoggingLevel are undefined or null", [name]),
+	}
+}
+
+CxPolicy[result] {
+	document := input.document
+	resource = document[i].Resources[name]
+	resource.Type == "AWS::ApiGatewayV2::Stage"
+
+	properties := resource.Properties
+	loggingLevel := properties.DefaultRouteSettings.LoggingLevel
+	loggingLevel == "OFF"
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": resource.Type,
+		"resourceName": cf_lib.get_resource_name(resource, name),
+		"searchKey": sprintf("Resources.%s.Properties.DefaultRouteSettings.LoggingLevel", [name]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": sprintf("Resources.%s.Properties.DefaultRouteSettings.LoggingLevel should not be set to OFF", [name]),
+		"keyActualValue": sprintf("Resources.%s.Properties.DefaultRouteSettings.LoggingLevel is OFF", [name]),
+	}
+}
+
+CxPolicy[result] {
+	document := input.document
+	resource = document[i].Resources[name]
+	resource.Type == "AWS::ApiGateway::Stage"
+
+	properties := resource.Properties
+	not common_lib.valid_key(properties, "MethodSettings")
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": resource.Type,
+		"resourceName": cf_lib.get_resource_name(resource, name),
+		"searchKey": sprintf("Resources.%s.Properties", [name]),
+		"issueType": "MissingAttribute",
+		"keyExpectedValue": sprintf("Resources.%s.Properties.MethodSettings should be defined and not null", [name]),
+		"keyActualValue": sprintf("Resources.%s.Properties.MethodSettings are undefined or null", [name]),
+	}
+}
+
+CxPolicy[result] {
+	document := input.document
+	resource = document[i].Resources[name]
+	resource.Type == "AWS::ApiGateway::Stage"
+
+	properties := resource.Properties
+	methodSettings := properties.MethodSettings
+	not common_lib.valid_key(methodSettings, "LoggingLevel")
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": resource.Type,
+		"resourceName": cf_lib.get_resource_name(resource, name),
+		"searchKey": sprintf("Resources.%s.Properties.MethodSettings", [name]),
+		"issueType": "MissingAttribute",
+		"keyExpectedValue": sprintf("Resources.%s.Properties.MethodSettings.LoggingLevel should be defined and not null", [name]),
+		"keyActualValue": sprintf("Resources.%s.Properties.MethodSettings.LoggingLevel are undefined or null", [name]),
+	}
+}
+
+CxPolicy[result] {
+	document := input.document
+	resource = document[i].Resources[name]
+	resource.Type == "AWS::ApiGateway::Stage"
+
+	properties := resource.Properties
+	loggingLevel := properties.MethodSettings.LoggingLevel
+	loggingLevel == "OFF"
+
+	result := {
+		"documentId": input.document[i].id,
+		"resourceType": resource.Type,
+		"resourceName": cf_lib.get_resource_name(resource, name),
+		"searchKey": sprintf("Resources.%s.Properties.MethodSettings.LoggingLevel", [name]),
+		"issueType": "IncorrectValue",
+		"keyExpectedValue": sprintf("Resources.%s.Properties.MethodSettings.LoggingLevel should not be set to OFF", [name]),
+		"keyActualValue": sprintf("Resources.%s.Properties.MethodSettings.LoggingLevel is OFF", [name]),
+	}
+}
+
 CxPolicy[result] {
 	doc := input.document[i]
-	res := doc.Resources[stage]
-	properties := res.Properties
-	res.Type == "AWS::ApiGatewayV2::Stage"
+	resource := doc.Resources[stage]
+	properties := resource.Properties
+	resource.Type == "AWS::ApiGatewayV2::Stage"
 
 	not properties.AccessLogSettings
 
@@ -15,17 +134,17 @@ CxPolicy[result] {
 		"issueType": "MissingAttribute",
 		"keyExpectedValue": "'AccessLogSettings' should be defined",
 		"keyActualValue": "'AccessLogSettings' is not defined",
-		"resourceType": res.Type,
-		"resourceName": cf_lib.get_resource_name(res, stage),
+		"resourceType": resource.Type,
+		"resourceName": cf_lib.get_resource_name(resource, stage),
 		"searchKey": sprintf("Resources.%s.Properties", [stage]),
 	}
 }
 
 CxPolicy[result] {
 	doc := input.document[i]
-	res := doc.Resources[stage]
-	properties := res.Properties
-	res.Type == "AWS::ApiGateway::Stage"
+	resource := doc.Resources[stage]
+	properties := resource.Properties
+	resource.Type == "AWS::ApiGateway::Stage"
 
 	not properties.AccessLogSetting
 
@@ -34,8 +153,8 @@ CxPolicy[result] {
 		"issueType": "MissingAttribute",
 		"keyExpectedValue": "'AccessLogSetting' should be defined",
 		"keyActualValue": "'AccessLogSetting' is not defined",
-		"resourceType": res.Type,
-		"resourceName": cf_lib.get_resource_name(res, stage),
+		"resourceType": resource.Type,
+		"resourceName": cf_lib.get_resource_name(resource, stage),
 		"searchKey": sprintf("Resources.%s.Properties", [stage]),
 	}
-}
+}

assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/negative2.json

@@ -1,23 +1,26 @@
 {
-  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
   "Resources": {
-    "NewAmpApp-1": {
-      "Type": "AWS::Amplify::App",
+    "MyStage": {
+      "Type": "AWS::ApiGatewayV2::Stage",
       "Properties": {
-        "OauthToken": "String",
-        "Repository": "String",
-        "BasicAuthConfig": {
-          "Username": "admin",
-          "EnableBasicAuth": true,
-          "Password": "@skdsjdk0234!AB"
+        "StageName": "Prod",
+        "Description": "Prod Stage",
+        "DeploymentId": "MyDeployment",
+        "ApiId": "CFNWebSocket",
+        "DefaultRouteSettings": {
+          "DetailedMetricsEnabled": true,
+          "LoggingLevel": "INFO",
+          "DataTraceEnabled": false,
+          "ThrottlingBurstLimit": 10,
+          "ThrottlingRateLimit": 10
         },
-        "CustomHeaders": "String",
-        "Description": "String",
-        "Name": "NewAmpApp",
-        "BuildSpec": "String",
-        "EnableBranchAutoDeletion": true,
-        "IAMServiceRole": "String"
+        "AccessLogSettings": {
+          "DestinationArn": "arn:aws:logs:us-east-1:123456789:log-group:my-log-group",
+          "Format": "{\"requestId\":\"$context.requestId\", \"ip\": \"$context.identity.sourceIp\", \"caller\":\"$context.identity.caller\", \"user\":\"$context.identity.user\",\"requestTime\":\"$context.requestTime\", \"eventType\":\"$context.eventType\",\"routeKey\":\"$context.routeKey\", \"status\":\"$context.status\",\"connectionId\":\"$context.connectionId\"}"
+        }
       }
     }
-  }
+  },
+  "AWSTemplateFormatVersion": "2010-09-09",
+  "Description": "Router53"
 }

assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/negative3.json

@@ -1,22 +1,26 @@
 {
-    "AWSTemplateFormatVersion": "2010-09-09",
-    "Resources": {
-        "MyStage": {
-            "Type": "AWS::ApiGateway::Stage",
-            "Properties": {
-                "StageName": "Prod",
-                "Description": "Prod Stage",
-                "AccessLogSetting": {
-                    "DestinationArn": "dest",
-                    "Format": "format"
-                },
-                "DeploymentId": {
-                    "Ref": "MyDeployment"
-                },
-                "RestApiId": {
-                    "Ref": "CFNWebSocket"
-                }
-            }
-        }
+  "AWSTemplateFormatVersion": "2010-09-09",
+  "Description": "Router53",
+  "Resources": {
+    "MyStage": {
+      "Type": "AWS::ApiGatewayV2::Stage",
+      "Properties": {
+        "Description": "Prod Stage",
+        "AccessLogSettings": {
+            "DestinationArn": "dest",
+            "Format": "format"
+        },
+        "DeploymentId": "MyDeployment",
+        "ApiId": "CFNWebSocket",
+        "DefaultRouteSettings": {
+          "ThrottlingBurstLimit": 10,
+          "ThrottlingRateLimit": 10,
+          "DetailedMetricsEnabled": true,
+          "LoggingLevel": "INFO",
+          "DataTraceEnabled": false
+        },
+        "StageName": "Prod"
+      }
     }
-}
+  }
+}

assets/queries/cloudFormation/aws/api_gateway_stage_access_logging_settings_not_defined/test/negative4.json → assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/negative4.json

@@ -6,6 +6,10 @@
       "Properties": {
         "StageName": "Prod",
         "Description": "Prod Stage",
+        "AccessLogSettings": {
+            "DestinationArn": "dest",
+            "Format": "format"
+        },
         "DeploymentId": {
           "Ref": "MyDeployment"
         },

assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/negative6.json

@@ -0,0 +1,23 @@
+{
+  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
+  "Resources": {
+    "NewAmpApp-1": {
+      "Type": "AWS::Amplify::App",
+      "Properties": {
+        "OauthToken": "String",
+        "Repository": "String",
+        "BasicAuthConfig": {
+          "Username": "admin",
+          "EnableBasicAuth": true,
+          "Password": "String"
+        },
+        "CustomHeaders": "String",
+        "Description": "String",
+        "Name": "NewAmpApp",
+        "BuildSpec": "String",
+        "EnableBranchAutoDeletion": true,
+        "IAMServiceRole": "String"
+      }
+    }
+  }
+}

assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/negative7.json

@@ -0,0 +1,29 @@
+{
+    "AWSTemplateFormatVersion": "2010-09-09",
+    "Resources": {
+        "MyStage": {
+            "Type": "AWS::ApiGateway::Stage",
+            "Properties": {
+                "StageName": "Prod",
+                "Description": "Prod Stage",
+                "AccessLogSetting": {
+                    "DestinationArn": "dest",
+                    "Format": "format"
+                },
+                "DeploymentId": {
+                    "Ref": "MyDeployment"
+                },
+                "MethodSettings": {
+                  "DetailedMetricsEnabled": true,
+                  "LoggingLevel": "INFO",
+                  "DataTraceEnabled": false,
+                  "ThrottlingBurstLimit": 10,
+                  "ThrottlingRateLimit": 10
+                },
+                "RestApiId": {
+                    "Ref": "CFNWebSocket"
+                }
+            }
+        }
+    }
+}

assets/queries/cloudFormation/aws/api_gateway_stage_access_logging_settings_not_defined/test/positive1.yaml → assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive1.yaml

@@ -4,6 +4,9 @@ Resources:
     Properties:
       StageName: Prod
       Description: Prod Stage
+      AccessLogSetting: 
+        DestinationArn: "dest"
+        Format: "format"
       RestApiId: !Ref MyRestApi
       DeploymentId: !Ref TestDeployment
       DocumentationVersion: ""