This repository was archived by the owner on Sep 3, 2024. It is now read-only.
This repository was archived by the owner on Sep 3, 2024. It is now read-only.
[BUG] rego/rules/tf/aws/waf/known_bad_inputs.rego#L37 doesn't recognize that managed rulesets MUST be overridden with "none" #426
Description
Describe the bug
This line doesn't recognize a no-op "none" override
See: this bug comment
How you're running Regula
3.2.1, build fed1e44, built with OPA v0.46.0-dev
cd cdktf.out/stacks/stackname
regula runOperating System
MacOS.
Steps to reproduce
Try to use more than one AWSManagedRules<foo>RuleSet with the required override_action: { none }
IaC Configuration
If it looks weird, this comes from cdktf synth --hcl:
resource "aws_wafv2_web_acl" "wafacl" {
description = "waf acls"
name = "wafacl"
scope = "REGIONAL"
default_action {
allow {
}
}
rule {
name = "AWSManagedRulesKnownBadInputsRuleSet"
priority = 100
override_action {
none {
}
}
statement = [object Object]
visibility_config {
cloudwatch_metrics_enabled = false
metric_name = "AWSManagedRulesKnownBadInputsRuleSet"
sampled_requests_enabled = false
}
}
rule {
name = "AWSManagedRulesCommonRuleSet"
priority = 110
override_action {
none {
}
}
statement = [object Object]
visibility_config {
cloudwatch_metrics_enabled = false
metric_name = "AWSManagedRulesCommonRuleSet"
sampled_requests_enabled = false
}
}
visibility_config {
cloudwatch_metrics_enabled = false
metric_name = "Dev-Magento-WAF"
sampled_requests_enabled = false
}
}