Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CKV_AWS_68: Example mentions id of aws_wafv2_web_acl when it should be ARN #634

Open
avazula opened this issue May 13, 2024 · 1 comment

Comments

@avazula
Copy link

avazula commented May 13, 2024

Checkov version: 3.2.90

Regarding CKV_AWS_68: AWS CloudFront web distribution with AWS Web Application Firewall (AWS WAF) service disabled https://github.com/hlxsites/prisma-cloud-docs/blob/main/docs/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-27.adoc

The Fix:builtime section mentions the following fix:

resource "aws_cloudfront_distribution" "example" {
  ...
  enabled             = true
  is_ipv6_enabled     = false
+ web_acl_id = aws_wafv2_web_acl.example.id
  ...
}

when it should either be

resource "aws_cloudfront_distribution" "example" {
  ...
  enabled             = true
  is_ipv6_enabled     = false
+ web_acl_id = aws_wafv2_web_acl.example.arn
  ...
}

or

resource "aws_cloudfront_distribution" "example" {
  ...
  enabled             = true
  is_ipv6_enabled     = false
+ web_acl_id = aws_waf_web_acl.example.id
  ...
}

Source: Terraform doc for aws_cloudfront_distribution:

"To specify a web ACL created using the latest version of AWS WAF (WAFv2), use the ACL ARN, for example aws_wafv2_web_acl.example.arn. To specify a web ACL created using AWS WAF Classic, use the ACL ID, for example aws_waf_web_acl.example.id. The WAF Web ACL must exist in the WAF Global (CloudFront) region and the credentials configuring this argument must have waf:GetWebACL permissions assigned."

Trying to apply the fix mentioned by CKV_AWS_68 results in the following error:


# terraform apply infra.out results:

module.static_webpage_cloudfront.aws_cloudfront_distribution.this: Modifying... [id=<REDACTED>]
╷
│ Error: updating CloudFront Distribution (<REDACTED>): InvalidWebACLId: Web ACL is not accessible by the requester.
│       status code: 400, request id: <REDACTED>
│ 
│   with module.static_webpage_cloudfront.aws_cloudfront_distribution.this,
│   on ../../static_webpage_cloudfront/main.tf line 62, in resource "aws_cloudfront_distribution" "this":
│   62: resource "aws_cloudfront_distribution" "this" {
│ 
╵

Suggested fix:

  • Edit the documentation to support both aws_waf_web_acl and aws_wafv2_web_acl
  • Report these changes in checkov's engine to check for the presence of either the ID of aws_waf_web_acl or the ARN of aws_wafv2_web_acl
@avazula
Copy link
Author

avazula commented Dec 2, 2024

bump

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant