inspec / inspec-aws

InSpec AWS Resource Pack https://www.inspec.io/

Bug in aws_waf_web_acl resource - waf resource does not exist #949

Open jeraldsm opened 1 year ago

jeraldsm commented 1 year ago

🎛 InSpec resource aws_waf_web_acl fails to detect resources even though they actually exist.

🌍 InSpec and Platform Version

InSpec client Version: 5.18.14, inspec-aws Version: 1.83.43

🤔 Replication Case

We are trying to check whether the WAF resources exist in the AWS account using the InSpec resource aws_waf_web_acl, but unfortunately the InSpec execution fails because it does not detect the resources in AWS, even though the AWS WAF resources actually exist in the EU-Frankfurt region.

  ×  WebACLExists: WAF Web ACL Exists Tests (3 failed)
     ×  Web ACL ID: d88828c3-6c85-xxxx is expected to exist
     expected Web ACL ID: d88828c3-6c85-xxxx to exist
     ×  Web ACL ID: a9a5cb86-e31e-xxxx expected to exist
     expected Web ACL ID: a9a5cb86-e31e-xxxx to exist
     ×  Web ACL ID: a9793633-fd6a-xxxxis expected to exist
     expected Web ACL ID: a9793633-fd6a-xxxx to exist

Following is the Ruby code for checking whether the WAF web ACLs exist:

# Input variables
require 'json'

content = inspec.profile.file("attributes.json")
params  = JSON.parse(content)

# Get JSON values: the list of web ACL ids to check
aws_waf_web_acl_id = params['web_acl_id']['value']

# Controls
control "WebACLExists" do
  impact 1.0
  title "WAF Web ACL Exists Tests"
  desc "Checking if the AWS WAF web ACLs have been successfully created"
  # One describe block per web ACL id read from attributes.json
  aws_waf_web_acl_id.each do |element|
    describe aws_waf_web_acl(web_acl_id: element) do
      it { should exist }
    end
  end
end

Here's the JSON file from which the WAF ids are parsed.

{
  "web_acl_id": {
    "sensitive": false,
    "type": [
      "tuple",
      [
        "string",
        "string",
        "string"
      ]
    ],
    "value": [
      "d88828c3-6c85-xxxx",
      "a9a5cb86-e31e-xxxx",
      "a9793633-fd6a-xxxx"
    ]
  }
}

Screenshot of AWS WAF resources: [image not included]

💻 Logs with debug

jeraldmanakkunnel@JERALDS-MACBOOK-PRO-NEW tests % inspec exec profile --chef-license accept-silent --input -t aws:// --log-level=debug
[2022-09-13T17:32:01+02:00] DEBUG: Option backend_cache is enabled
[2022-09-13T17:32:01+02:00] DEBUG: Resolve profile into cache /Users/jeraldmanakkunnel/.inspec/cache
[2022-09-13T17:32:01+02:00] DEBUG: Dependency does not exist in the cache profile
[2022-09-13T17:32:01+02:00] DEBUG: Starting run with targets: ["Inspec::Profile<InSpecTests>"]
[2022-09-13T17:32:01+02:00] DEBUG: Using existing lockfile profile/inspec.lock
[2022-09-13T17:32:01+02:00] DEBUG: Using cached dependency for {:url=>"https://github.com/inspec/inspec-aws/archive/refs/tags/v1.83.43.tar.gz", :sha256=>"06a775df12ea2371df1ca630a520ff032ddfa9f3e5c820ef3c9788cbe6017907", :backend=>Inspec::Backend::Class @transport=TrainPlugins::Aws::Connection, :inputs=>nil}
[2022-09-13T17:32:02+02:00] DEBUG: Loading libraries/aws_waf_web_acl.rb into #<Inspec::ProfileContext:0x00007f8c9b9977d8>
[2022-09-13T17:32:02+02:00] DEBUG: Loading libraries/aws_waf_web_acls.rb into #<Inspec::ProfileContext:0x00007f8c9b9977d8>
[2022-09-13T17:32:02+02:00] DEBUG: Loading libraries/aws_waf_xss_match_set.rb into #<Inspec::ProfileContext:0x00007f8c9b9977d8>
[2022-09-13T17:32:02+02:00] DEBUG: Loading libraries/aws_waf_xss_match_sets.rb into #<Inspec::ProfileContext:0x00007f8c9b9977d8>
[2022-09-13T17:32:02+02:00] DEBUG: Loading profile/controls/waf.rb into #<Inspec::ProfileContext:0x00007f8ccc9ca3a0>
[2022-09-13T17:32:03+02:00] WARN: AWS Service Error encountered running a control with Resource aws_waf_web_acl. Error message: The referenced item does not exist.. You should address this error to ensure your controls are behaving as expected.
[2022-09-13T17:32:04+02:00] WARN: AWS Service Error encountered running a control with Resource aws_waf_web_acl. Error message: The referenced item does not exist.. You should address this error to ensure your controls are behaving as expected.
[2022-09-13T17:32:04+02:00] WARN: AWS Service Error encountered running a control with Resource aws_waf_web_acl. Error message: The referenced item does not exist.. You should address this error to ensure your controls are behaving as expected.
[2022-09-13T17:32:04+02:00] DEBUG: Registering rule WebACLExists

Profile:   InSpec Infrastructure Tests (InSpecTests)
Version:   1.0.0
Target:    aws://eu-central-1
Target ID: 49c24f45-5eb1-5209-8546-5abd870ab9b7

  ×  WebACLExists: WAF Web ACL Exists Tests (3 failed)
     ×  Web ACL ID: d88828c3-6c85-xxxx is expected to exist
     expected Web ACL ID: d88828c3-6c85-xxxx to exist
     ×  Web ACL ID: a9a5cb86-e31e-xxxx expected to exist
     expected Web ACL ID: a9a5cb86-e31e-xxxx to exist
     ×  Web ACL ID: a9793633-fd6a-xxxxis expected to exist
     expected Web ACL ID: a9793633-fd6a-xxxx to exist

Profile:   Amazon Web Services  Resource Pack (inspec-aws)
Version:   1.83.43
Target:    aws://eu-central-1
Target ID: 49c24f45-5eb1-5209-8546-5abd870ab9b7

     No tests executed.

Profile Summary: 0 successful controls, 1 control failure, 0 controls skipped
Test Summary: 0 successful, 3 failures, 0 skipped

Is there something I can do to fix this? Any help will be appreciated.

robertdeheer commented 9 months ago

This is happening because the v2 SDK is not supported yet.

For example, for load balancing, v2 has

https://github.com/inspec/inspec-aws/blob/main/libraries/aws_backend.rb

require "aws-sdk-elasticloadbalancing"
require "aws-sdk-elasticloadbalancingv2"

WAF only has 1.0 support

require "aws-sdk-waf"

...
def waf_client
  aws_client(Aws::WAF::Client)
end
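An added diagnostic for the cause described in this thread (example code, not from the issue or the inspec-aws project): because aws_waf_web_acl only calls the classic WAF API, web ACLs created with WAFv2 are invisible to it, and the ids from attributes.json have to be checked against the WAFv2 ListWebACLs API in the right scope (REGIONAL for eu-central-1). The client is injected and a constructed stub stands in for Aws::WAFV2::Client, so the script runs offline; the ids and the two-page response are constructed sample data.

```ruby
require 'json'

# Reports whether each expected web ACL id is present in a WAFv2 scope by
# paginating list_web_acls. `client` is anything that answers
# list_web_acls(params) the way Aws::WAFV2::Client does (injected, so the
# function also runs offline against the stub below). Assumption: the ids
# in attributes.json are WAFv2 ids, which the classic WAF API cannot see.
def wafv2_web_acl_status(expected_ids, client:, scope: 'REGIONAL')
  seen = {}
  params = { scope: scope, limit: 100 }
  loop do
    resp = client.list_web_acls(params)
    resp.web_acls.each { |acl| seen[acl.id] = acl.name }
    break unless resp.next_marker            # nil marker means last page
    params = params.merge(next_marker: resp.next_marker)
  end
  expected_ids.each_with_object({}) do |id, status|
    status[id] = { present: seen.key?(id), name: seen[id] }
  end
end

# Pulls the id list out of the Terraform-style attributes.json from the issue.
def expected_ids_from_attributes(json_text)
  JSON.parse(json_text).fetch('web_acl_id').fetch('value')
end

# Constructed stub standing in for Aws::WAFV2::Client: two pages of results,
# with the second id from the issue deliberately absent.
Page = Struct.new(:web_acls, :next_marker)
Acl  = Struct.new(:id, :name)
class StubWafv2Client
  def list_web_acls(params)
    raise ArgumentError, 'scope is required' unless params[:scope]
    return Page.new([Acl.new('d88828c3-6c85-xxxx', 'acl-one')], 'page-2') if params[:next_marker].nil?
    Page.new([Acl.new('a9793633-fd6a-xxxx', 'acl-three')], nil)
  end
end

# Constructed input mirroring the web_acl_id block of the issue's attributes.json.
SAMPLE_ATTRIBUTES = '{"web_acl_id":{"value":["d88828c3-6c85-xxxx","a9a5cb86-e31e-xxxx","a9793633-fd6a-xxxx"]}}'

if $PROGRAM_NAME == __FILE__
  # Against AWS: require 'aws-sdk-wafv2'; client = Aws::WAFV2::Client.new(region: 'eu-central-1')
  client = StubWafv2Client.new
  wafv2_web_acl_status(expected_ids_from_attributes(SAMPLE_ATTRIBUTES), client: client).each do |id, s|
    puts s[:present] ? "#{id}: present as #{s[:name]}" : "#{id}: not found in WAFv2 REGIONAL scope"
  end
end
```

WAFv2 identifies a web ACL by name, scope and id together, so matching on id from a listing is simpler than a get_web_acl call when only the ids are known; a missing id here means the ACL lives in another scope or region, not that the check is broken.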