From ba5a5494ea298f99f77f9c3079396f0005066b22 Mon Sep 17 00:00:00 2001
From: Andre Pereira <219305055+cx-andre-pereira@users.noreply.github.com>
Date: Thu, 10 Jul 2025 12:38:30 +0100
Subject: [PATCH] query(fix): fix fp for s3_bucket_logging_disabled (terraform)
---
 .../aws/s3_bucket_logging_disabled/query.rego | 7 +++++++
 .../s3_bucket_logging_disabled/test/negative4.tf | 14 ++++++++++++++
 2 files changed, 21 insertions(+)
 create mode 100644 assets/queries/terraform/aws/s3_bucket_logging_disabled/test/negative4.tf
diff --git a/assets/queries/terraform/aws/s3_bucket_logging_disabled/query.rego b/assets/queries/terraform/aws/s3_bucket_logging_disabled/query.rego
index c3ebcf05c7d..03c425992d7 100644
--- a/assets/queries/terraform/aws/s3_bucket_logging_disabled/query.rego
+++ b/assets/queries/terraform/aws/s3_bucket_logging_disabled/query.rego
@@ -8,6 +8,7 @@ CxPolicy[result] {
 not common_lib.valid_key(s3, "logging") # version before TF AWS 4.0
 not tf_lib.has_target_resource(bucketName, "aws_s3_bucket_logging") # version after TF AWS 4.0
+ not is_logging_target(bucketName)
 result := {
 "documentId": input.document[i].id,
@@ -38,3 +39,9 @@ CxPolicy[result] {
 "searchLine": common_lib.build_search_line(["module", name], []),
 }
 }
+
+is_logging_target(bucketName) {
+ some name
+ logging := input.document[i].resource.aws_s3_bucket_logging[name]
+ logging.target_bucket == sprintf("${aws_s3_bucket.%s.id}", [bucketName])
+}
diff --git a/assets/queries/terraform/aws/s3_bucket_logging_disabled/test/negative4.tf b/assets/queries/terraform/aws/s3_bucket_logging_disabled/test/negative4.tf
new file mode 100644
index 00000000000..a7b16d48305
--- /dev/null
+++ b/assets/queries/terraform/aws/s3_bucket_logging_disabled/test/negative4.tf
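Review bot: is_logging_target exempts a bucket from the finding when it is the destination of some other bucket's access logs (it compares target_bucket, not bucket), but nothing in the hunk says why, and a reader can easily mistake it for a second "this bucket has logging" check; a comment above the rule such as `# a bucket that only receives access logs from another bucket is not reported; it is the log destination, not a bucket that is expected to log into itself` would make the exemption deliberate rather than accidental. The match is also limited to a target_bucket written exactly as `${aws_s3_bucket.<name>.id}`, so a reference via `.bucket`, `.arn` or a literal bucket name still reports the destination bucket — that is the prior behaviour, not a new false positive, but worth stating in the same comment, or widening if tf_lib already offers a reference-matching helper (I cannot see tf_lib from here). Finally, only `name` is declared with `some`, while `i` is left implicit and therefore ranges over every document independently of the caller's `i`; `some i, name` states that intent explicitly. The first hunk's caller, CxPolicy, continues outside the hunk.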
@@ -0,0 +1,14 @@
+resource "aws_s3_bucket" "attachments_bucket" {
+ bucket = "${local.env_app_name}-attachments"
+}
+
+resource "aws_s3_bucket" "log_bucket" {
+ bucket = "${local.env_app_name}-attachments-logs"
+}
+
+resource "aws_s3_bucket_logging" "logging" {
+ bucket = aws_s3_bucket.attachments_bucket.id
+
+ target_bucket = aws_s3_bucket.log_bucket.id
+ target_prefix = "log/"
+}