
fix(terraform): exclude NLBs and GWLBs from ALB WAF integration check #7975

Open
cx-ori-bendet wants to merge 1 commit into master from fix/alb-waf-nlb-false-positive
Conversation

@cx-ori-bendet
Contributor

Summary

  • Network Load Balancers (load_balancer_type = "network") and Gateway Load Balancers (load_balancer_type = "gateway") do not support AWS WAF integration — only Application Load Balancers do
  • The query was flagging any aws_lb / aws_alb resource without a WAF association regardless of type, producing false positives for NLBs
  • Added is_nlb() helper (mirroring the existing is_internal_alb() pattern) that returns true for "network" and "gateway" load balancer types
  • Added not is_nlb(resource) condition to CxPolicy so only ALBs are checked
  • Added negative3.tf test case: an NLB without WAF that should produce no finding

Fixes #7964

Test plan

  • Scan an aws_lb with load_balancer_type = "network" and no WAF — should produce no finding
  • Scan an aws_lb with load_balancer_type = "application" and no WAF — should still produce a finding
  • Scan an aws_lb with no load_balancer_type set (defaults to application) and no WAF — should still produce a finding
  • Run go test ./test/... -run TestQueries to verify all query tests pass

I submit this contribution under the Apache-2.0 license.

🤖 Generated with Claude Code

Network Load Balancers (load_balancer_type = "network") and Gateway Load
Balancers (load_balancer_type = "gateway") do not support WAF integration,
so the "ALB Is Not Integrated With WAF" rule should only apply to Application
Load Balancers.

Add is_nlb() helper (mirroring is_internal_alb()) and exclude non-ALB
resources from the CxPolicy condition. Add a negative test case for an NLB
without WAF to cover this scenario.

Fixes #7964

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
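The corrected check, modelled in Python as an added example (it is not the KICS query's Rego, which this page does not show); the WAF association resource types and the `${aws_lb.<name>.arn}` reference form are assumptions made for the sample:

```python
# Types for which AWS WAF cannot be attached; both are excluded by is_nlb().
WAF_UNSUPPORTED_LB_TYPES = {"network", "gateway"}
LB_RESOURCE_TYPES = ("aws_lb", "aws_alb")
# Assumption: WAF associations are expressed through these resource types.
WAF_ASSOCIATION_TYPES = ("aws_wafregional_web_acl_association", "aws_wafv2_web_acl_association")


def is_nlb(resource):
    """True for Network and Gateway Load Balancers, which do not support WAF."""
    return resource.get("load_balancer_type") in WAF_UNSUPPORTED_LB_TYPES


def waf_protected_lbs(resources):
    """Set of (lb_resource_type, name) pairs referenced by a WAF association.
    Assumption: resource_arn is written as '${aws_lb.<name>.arn}'."""
    protected = set()
    for assoc_type in WAF_ASSOCIATION_TYPES:
        for assoc in resources.get(assoc_type, {}).values():
            arn = assoc.get("resource_arn", "")
            for lb_type in LB_RESOURCE_TYPES:
                prefix = "${" + lb_type + "."
                if arn.startswith(prefix) and arn.endswith(".arn}"):
                    protected.add((lb_type, arn[len(prefix):-len(".arn}")]))
    return protected


def albs_without_waf(resources):
    """Names of ALBs lacking a WAF association; NLBs and GWLBs are skipped."""
    protected = waf_protected_lbs(resources)
    findings = []
    for lb_type in LB_RESOURCE_TYPES:
        for name, lb in resources.get(lb_type, {}).items():
            if is_nlb(lb):
                continue  # the fix: network/gateway types are never reported
            if (lb_type, name) not in protected:
                findings.append(f"{lb_type}.{name}")
    return sorted(findings)


# Constructed sample mirroring the PR's test plan (not a real configuration).
SAMPLE = {
    "aws_lb": {
        "nlb": {"load_balancer_type": "network"},
        "gwlb": {"load_balancer_type": "gateway"},
        "alb": {"load_balancer_type": "application"},
        "implicit_alb": {},  # no type set: Terraform defaults to application
        "guarded": {"load_balancer_type": "application"},
    },
    "aws_wafv2_web_acl_association": {
        "guard": {"resource_arn": "${aws_lb.guarded.arn}"},
    },
}
```

Running `albs_without_waf(SAMPLE)` reports only the two unprotected ALBs, including the one whose type is left at the default.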
@cx-ori-bendet cx-ori-bendet requested a review from a team as a code owner February 28, 2026 22:50
@github-actions github-actions bot added the labels community (Community contribution), query (New query feature), terraform (Terraform query) and aws (PR related with AWS Cloud) on Feb 28, 2026
@github-actions
Contributor

KICS version: v2.1.18

Category   Results
CRITICAL   0
HIGH       0
MEDIUM     0
LOW        0
INFO       0
TRACE      0
TOTAL      0

Metric                      Values
Files scanned               1
Files parsed                1
Files failed to scan        0
Total executed queries      47
Queries failed to execute   0
Execution time              0

Development

Successfully merging this pull request may close these issues.

bug(terraform): false positive for "ALB Is not Integrated With WAF" for NLBs