aws - cloudfront - fix wafv2-enabled filter to find waf-classic assoc…

…iations (cloud-custodian#7986)
newscorp-ghfb · Nov 29, 2022 · 09efdd7 · 09efdd7
1 parent c5eb491
commit 09efdd7
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 10 deletions.
diff --git a/c7n/resources/cloudfront.py b/c7n/resources/cloudfront.py
@@ -176,13 +176,26 @@ class IsWafV2Enabled(Filter):
 
             policies:
               - name: filter-distribution-wafv2
+                description: |
+                  match resources that are NOT associated with any wafV2 web-acls
+                resource: distribution
+                filters:
+                  - type: wafv2-enabled
+                    state: false
+
+              - name: filter-distribution-wafv2-specific-acl
+                description: |
+                  match resources that are NOT associated with wafV2's testv2 web-acl
                 resource: distribution
                 filters:
                   - type: wafv2-enabled
                     state: false
                     web-acl: testv2
 
               - name: filter-distribution-wafv2-regex
+                description: |
+                  match resources that are NOT associated with specified
+                  wafV2 web-acl regex
                 resource: distribution
                 filters:
                   - type: wafv2-enabled
@@ -206,19 +219,14 @@ def process(self, resources, event=None):
         state = self.data.get('state', False)
         target_acl_ids = [v for k, v in waf_name_id_map.items() if
                           re.match(target_acl, k)]
-
         results = []
         for r in resources:
             r_web_acl_id = r.get('WebACLId')
             if state:
-                if not target_acl and r_web_acl_id:
-                    results.append(r)
-                elif target_acl and r_web_acl_id in target_acl_ids:
+                if r_web_acl_id and r_web_acl_id in target_acl_ids:
                     results.append(r)
             else:
-                if not target_acl and not r_web_acl_id:
-                    results.append(r)
-                elif target_acl and r_web_acl_id not in target_acl_ids:
+                if not r_web_acl_id or r_web_acl_id not in target_acl_ids:
                     results.append(r)
         return results
 

diff --git a/tests/test_cloudfront.py b/tests/test_cloudfront.py
@@ -182,9 +182,8 @@ def test_set_wafv2_action_regex_multiple_webacl_match(self):
             },
             session_factory=factory,
         )
-        with self.assertRaises(ValueError) as ctx:
-            policy.push(event_data("event-cloud-trail-update-distribution.json"))
-            self.assertTrue('matching to none or multiple webacls' in str(ctx))
+        resources = policy.push(event_data("event-cloud-trail-tag-distribution.json"))
+        self.assertEqual(len(resources), 0)
 
     def test_set_wafv2_active_response_tag_resource(self):
         factory = self.replay_flight_data("test_distribution_wafv2")