fix(query): resolve false positive on API Gateway access logging #7466

Made-with: Cursor

Author: cx-prathmesh-borle

assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/query.rego

@@ -114,18 +114,18 @@ CxPolicy[result] {
 	resource.Type == "AWS::ApiGateway::Stage"
 
 	properties := resource.Properties
-	methodSettings := properties.MethodSettings
-	not common_lib.valid_key(methodSettings, "LoggingLevel")
+	methodSetting := properties.MethodSettings[j]
+	not common_lib.valid_key(methodSetting, "LoggingLevel")
 
 	result := {
 		"documentId": input.document[i].id,
 		"resourceType": resource.Type,
 		"resourceName": cf_lib.get_resource_name(resource, name),
 		"searchKey": sprintf("Resources.%s.Properties.MethodSettings", [name]),
 		"issueType": "MissingAttribute",
-		"keyExpectedValue": sprintf("Resources.%s.Properties.MethodSettings.LoggingLevel should be defined and not null", [name]),
-		"keyActualValue": sprintf("Resources.%s.Properties.MethodSettings.LoggingLevel are undefined or null", [name]),
-		"searchLine": common_lib.build_search_line(["Resources", name, "Properties", "MethodSettings"], []),
+		"keyExpectedValue": sprintf("Resources.%s.Properties.MethodSettings[%d].LoggingLevel should be defined and not null", [name, j]),
+		"keyActualValue": sprintf("Resources.%s.Properties.MethodSettings[%d].LoggingLevel is undefined or null", [name, j]),
+		"searchLine": common_lib.build_search_line(["Resources", name, "Properties", "MethodSettings", j], []),
 	}
 }
 
@@ -135,18 +135,18 @@ CxPolicy[result] {
 	resource.Type == "AWS::ApiGateway::Stage"
 
 	properties := resource.Properties
-	loggingLevel := properties.MethodSettings.LoggingLevel
+	loggingLevel := properties.MethodSettings[j].LoggingLevel
 	loggingLevel == ""
 
 	result := {
 		"documentId": input.document[i].id,
 		"resourceType": resource.Type,
 		"resourceName": cf_lib.get_resource_name(resource, name),
-		"searchKey": sprintf("Resources.%s.Properties.MethodSettings.LoggingLevel", [name]),
+		"searchKey": sprintf("Resources.%s.Properties.MethodSettings[%d].LoggingLevel", [name, j]),
 		"issueType": "IncorrectValue",
-		"keyExpectedValue": sprintf("Resources.%s.Properties.MethodSettings.LoggingLevel should be not be empty", [name]),
-		"keyActualValue": sprintf("Resources.%s.Properties.MethodSettings.LoggingLevel is empty", [name]),
-		"searchLine": common_lib.build_search_line(["Resources", name, "Properties", "MethodSettings", "LoggingLevel"], []),
+		"keyExpectedValue": sprintf("Resources.%s.Properties.MethodSettings[%d].LoggingLevel should not be empty", [name, j]),
+		"keyActualValue": sprintf("Resources.%s.Properties.MethodSettings[%d].LoggingLevel is empty", [name, j]),
+		"searchLine": common_lib.build_search_line(["Resources", name, "Properties", "MethodSettings", j, "LoggingLevel"], []),
 	}
 }
 
@@ -156,18 +156,18 @@ CxPolicy[result] {
 	resource.Type == "AWS::ApiGateway::Stage"
 
 	properties := resource.Properties
-	loggingLevel := properties.MethodSettings.LoggingLevel
+	loggingLevel := properties.MethodSettings[j].LoggingLevel
 	loggingLevel == "OFF"
 
 	result := {
 		"documentId": input.document[i].id,
 		"resourceType": resource.Type,
 		"resourceName": cf_lib.get_resource_name(resource, name),
-		"searchKey": sprintf("Resources.%s.Properties.MethodSettings.LoggingLevel", [name]),
+		"searchKey": sprintf("Resources.%s.Properties.MethodSettings[%d].LoggingLevel", [name, j]),
 		"issueType": "IncorrectValue",
-		"keyExpectedValue": sprintf("Resources.%s.Properties.MethodSettings.LoggingLevel should not be set to OFF", [name]),
-		"keyActualValue": sprintf("Resources.%s.Properties.MethodSettings.LoggingLevel is OFF", [name]),
-		"searchLine": common_lib.build_search_line(["Resources", name, "Properties", "MethodSettings", "LoggingLevel"], []),
+		"keyExpectedValue": sprintf("Resources.%s.Properties.MethodSettings[%d].LoggingLevel should not be set to OFF", [name, j]),
+		"keyActualValue": sprintf("Resources.%s.Properties.MethodSettings[%d].LoggingLevel is OFF", [name, j]),
+		"searchLine": common_lib.build_search_line(["Resources", name, "Properties", "MethodSettings", j, "LoggingLevel"], []),
 	}
 }
 

assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/negative3.json

@@ -13,13 +13,15 @@
                 "DeploymentId": {
                     "Ref": "MyDeployment"
                 },
-                "MethodSettings": {
-                  "DetailedMetricsEnabled": true,
-                  "LoggingLevel": "INFO",
-                  "DataTraceEnabled": false,
-                  "ThrottlingBurstLimit": 10,
-                  "ThrottlingRateLimit": 10
-                },
+                "MethodSettings": [
+                  {
+                    "DetailedMetricsEnabled": true,
+                    "LoggingLevel": "INFO",
+                    "DataTraceEnabled": false,
+                    "ThrottlingBurstLimit": 10,
+                    "ThrottlingRateLimit": 10
+                  }
+                ],
                 "RestApiId": {
                     "Ref": "CFNWebSocket"
                 }

assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/negative4.yaml

@@ -8,7 +8,7 @@ Resources:
       DeploymentId: !Ref TestDeployment
       DocumentationVersion: ""
       MethodSettings:
-        LoggingLevel: "ON"
+        - LoggingLevel: "INFO"
       AccessLogSetting:
         DestinationArn: "dest"
         Format: "format"

assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive10.json

@@ -16,8 +16,9 @@
         "RestApiId": {
           "Ref": "CFNWebSocket"
         },
-        "MethodSettings": {
-        }
+        "MethodSettings": [
+          {}
+        ]
       }
     }
   }

assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive12.json

@@ -16,13 +16,15 @@
         "RestApiId": {
           "Ref": "CFNWebSocket"
         },
-        "MethodSettings": {
-          "DetailedMetricsEnabled": true,
-          "LoggingLevel": "OFF",
-          "DataTraceEnabled": false,
-          "ThrottlingBurstLimit": 10,
-          "ThrottlingRateLimit": 10
-        }
+        "MethodSettings": [
+          {
+            "DetailedMetricsEnabled": true,
+            "LoggingLevel": "OFF",
+            "DataTraceEnabled": false,
+            "ThrottlingBurstLimit": 10,
+            "ThrottlingRateLimit": 10
+          }
+        ]
       }
     }
   }

assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive14.yaml

@@ -11,4 +11,4 @@ Resources:
       DeploymentId: !Ref TestDeployment
       DocumentationVersion: ""
       MethodSettings:
-        LoggingLevel: "OFF"
+        - LoggingLevel: "OFF"

assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive16.yaml

@@ -8,4 +8,4 @@ Resources:
       DeploymentId: !Ref TestDeployment
       DocumentationVersion: ""
       MethodSettings:
-        LoggingLevel: "ON"
+        - LoggingLevel: "INFO"

assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive6.json

@@ -9,13 +9,15 @@
                 "DeploymentId": {
                     "Ref": "MyDeployment"
                 },
-                "MethodSettings": {
-                  "DetailedMetricsEnabled": true,
-                  "LoggingLevel": "INFO",
-                  "DataTraceEnabled": false,
-                  "ThrottlingBurstLimit": 10,
-                  "ThrottlingRateLimit": 10
-                },
+                "MethodSettings": [
+                  {
+                    "DetailedMetricsEnabled": true,
+                    "LoggingLevel": "INFO",
+                    "DataTraceEnabled": false,
+                    "ThrottlingBurstLimit": 10,
+                    "ThrottlingRateLimit": 10
+                  }
+                ],
                 "RestApiId": {
                     "Ref": "CFNWebSocket"
                 }

assets/queries/cloudFormation/aws/api_gateway_access_logging_disabled/test/positive_expected_result.json

@@ -2,7 +2,19 @@
   {
     "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined",
     "severity": "MEDIUM",
-    "line": 16,
+    "line": 17,
+    "fileName": "positive1.yaml"
+  },
+  {
+    "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined",
+    "severity": "MEDIUM",
+    "line": 21,
+    "fileName": "positive1.yaml"
+  },
+  {
+    "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined",
+    "severity": "MEDIUM",
+    "line": 25,
     "fileName": "positive1.yaml"
   },
   {
@@ -68,13 +80,7 @@
   {
     "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined",
     "severity": "MEDIUM",
-    "line": 13,
-    "fileName": "positive11.yaml"
-  },
-  {
-    "queryName": "API Gateway V2 Stage Access Logging Settings Not Defined",
-    "severity": "MEDIUM",
-    "line": 21,
+    "line": 22,
     "fileName": "positive12.json"
   },
   {