---
policy: /ce/ca/azure/application-gateway/web-application-firewall
logic: /ce/ca/azure/application-gateway/web-application-firewall/prod.logic.yaml
executionTime: 2026-05-09T12:04:13.392107143Z
generationMs: 67
executionMs: 1680
rows:
  - id: '001'
    match: true
    status:
      expected: COMPLIANT
      actual: COMPLIANT
    conditionIndex:
      expected: 199
      actual: 199
    conditionText:
      expected: extract('CA10__wafEnabled__c') == true
      actual: extract('CA10__wafEnabled__c') == true
    runtimeError: {}
  - id: '002'
    match: true
    status:
      expected: INCOMPLIANT
      actual: INCOMPLIANT
    conditionIndex:
      expected: 200
      actual: 200
    conditionText:
      expected: otherwise
      actual: otherwise
    runtimeError: {}
usedFiles:
  - path: /ce/ca/azure/application-gateway/web-application-firewall/policy.yaml
    md5Hash: 22A691109E633102CE496A8E5D94873A
    content: "---\nnames:\n  full: \"Azure Application Gateway Web Application Firewall\
      \ is not enabled\"\n  contextual: \"Application Gateway Web Application Firewall\
      \ is not enabled\"\ndescription: >\n  Azure Web Application Firewall helps protect\
      \ applications from common exploits \n  and attacks by inspecting and filtering\
      \ incoming traffic.\ntype: COMPLIANCE_POLICY\ncategories:\n  - SECURITY\nframeworkMappings:\n\
      \  - \"/frameworks/cis-azure-v6.0.0/07/10\"\n  - \"/frameworks/cloudaware/resource-security/threat-protection\"\
      \n"
  - path: /ce/ca/azure/application-gateway/web-application-firewall/prod.logic.yaml
    md5Hash: 6B7F33273CBF20F6A28087317545121C
    content: |
      ---
      inputType: "CA10__CaAzureApplicationGateway__c"
      testData:
        - file: "test-data.json"
      importExtracts:
        - file: /types/CA10__CaAzureApplicationGateway__c/object.extracts.yaml
      conditions:
        - status: "COMPLIANT"
          currentStateMessage: "Web Application Firewall (WAF) is enabled on the Application Gateway."
          check:
            IS_EQUAL:
              left:
                EXTRACT: "CA10__wafEnabled__c"
              right:
                BOOLEAN: true
      otherwise:
        status: "INCOMPLIANT"
        currentStateMessage: "Web Application Firewall (WAF) is not enabled on the Application Gateway."
        remediationMessage: "Enable Web Application Firewall (WAF) on the Application Gateway."
  - path: /ce/ca/azure/application-gateway/web-application-firewall/test-data.json
    md5Hash: 86E56340D7757BB713D8CEC825836447
    content: |
      [
        {
          "expectedResult": {
            "status": "COMPLIANT",
            "conditionIndex": "199",
            "conditionText": "extract('CA10__wafEnabled__c') == true",
            "runtimeError": null
          },
          "context": { "snapshotTime": "2025-11-10T11:11:03Z" },
          "CA10__disappearanceTime__c": null,
          "CA10__wafEnabled__c": true,
          "Id": "001"
        },
        {
          "expectedResult": {
            "status": "INCOMPLIANT",
            "conditionIndex": "200",
            "conditionText": "otherwise",
            "runtimeError": null
          },
          "context": { "snapshotTime": "2025-11-10T11:11:03Z" },
          "CA10__disappearanceTime__c": null,
          "CA10__wafEnabled__c": false,
          "Id": "002"
        }
      ]
  - path: /types/CA10__CaAzureApplicationGateway__c/object.extracts.yaml
    md5Hash: 0D83E678F320459334C801870D84974C
    content: "---\nextracts:\n# Checkbox.\n  - name: \"CA10__wafEnabled__c\"\n   \
      \ value: \n      FIELD:\n        path: \"CA10__wafEnabled__c\"\n# Text. Nullable\n\
      \  - name: \"CA10__sslPolicyMinProtocolVersion__c\"\n    value: \n      FIELD:\n\
      \        path: \"CA10__sslPolicyMinProtocolVersion__c\"\n# Checkbox.\n  - name:\
      \ \"CA10__enableHttp2__c\"\n    value: \n      FIELD:\n        path: \"CA10__enableHttp2__c\"\
      \n"
script: |-
  CREATE TEMP FUNCTION mock_ExpectedResult()
  RETURNS ARRAY<STRUCT<
          Id STRING,
          expectedResult STRUCT<status STRING, conditionIndex DECIMAL, conditionText STRING, runtimeError STRING>
      >>
  DETERMINISTIC
  LANGUAGE js
  AS r"""
    return [ {
    "Id" : "001",
    "expectedResult" : {
      "status" : "COMPLIANT",
      "conditionIndex" : "199",
      "conditionText" : "extract('CA10__wafEnabled__c') == true",
      "runtimeError" : null
    }
  }, {
    "Id" : "002",
    "expectedResult" : {
      "status" : "INCOMPLIANT",
      "conditionIndex" : "200",
      "conditionText" : "otherwise",
      "runtimeError" : null
    }
  } ];
  """;

  CREATE TEMP FUNCTION mock_CA10__CaAzureApplicationGateway__c()
  RETURNS ARRAY<STRUCT<
      CA10__disappearanceTime__c TIMESTAMP,
      CA10__wafEnabled__c BOOLEAN,
      Id STRING,
      context STRUCT<
          snapshotTime TIMESTAMP
      >
  >>
  DETERMINISTIC
  LANGUAGE js
  AS r"""
    return [ {
    "context" : {
      "snapshotTime" : new Date("2025-11-10T11:11:03Z")
    },
    "CA10__wafEnabled__c" : true,
    "Id" : "001"
  }, {
    "context" : {
      "snapshotTime" : new Date("2025-11-10T11:11:03Z")
    },
    "CA10__wafEnabled__c" : false,
    "Id" : "002"
  } ];
  """;

  CREATE TEMP FUNCTION process_CA10__CaAzureApplicationGateway__c(
      obj STRUCT<
          CA10__disappearanceTime__c TIMESTAMP,
          CA10__wafEnabled__c BOOLEAN,
          Id STRING
      >,
      snapshotTime TIMESTAMP
  )
  RETURNS STRUCT<status STRING, conditionIndex DECIMAL, conditionText STRING, currentStateMessage STRING, currentStateReferences STRING, remediation STRING, runtimeError STRING>
  DETERMINISTIC
  LANGUAGE js
  AS r"""
      var references1 = [];
      // condition[0], conditionIndex:[0..99]
      references1.push('Deleted From Azure [CA10__disappearanceTime__c]: ' + obj.CA10__disappearanceTime__c);
      if (obj.CA10__disappearanceTime__c != null) {
          return {status: 'DISAPPEARED', conditionIndex: 99, conditionText: "isDisappeared(CA10__disappearanceTime__c)", currentStateMessage: "Object is deleted in the source", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null};
      }
      // condition[1], conditionIndex:[100..199]
      function extract3() { if (!this.out) { this.out = obj.CA10__wafEnabled__c; } return this.out; };
      references1.push('WAF Enabled [obj.CA10__wafEnabled__c]: ' + obj.CA10__wafEnabled__c);
      if (extract3.call(extract3) == true) {
          return {status: 'COMPLIANT', conditionIndex: 199, conditionText: "extract('CA10__wafEnabled__c') == true", currentStateMessage: "Web Application Firewall (WAF) is enabled on the Application Gateway.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null};
      }
      return {status: 'INCOMPLIANT', conditionIndex: 200, conditionText: "otherwise", currentStateMessage: "Web Application Firewall (WAF) is not enabled on the Application Gateway.", currentStateReferences: references1.join('\n'), remediation: "Enable Web Application Firewall (WAF) on the Application Gateway.", runtimeError: null};
  """;


  SELECT
    expectedResult.Id as Id,
    IF (
      IFNULL(expectedResult.expectedResult.status, '') = IFNULL(sObject.result.status, '')
      AND IFNULL(expectedResult.expectedResult.conditionIndex, -1) = IFNULL(sObject.result.conditionIndex, -1)
      AND IFNULL(expectedResult.expectedResult.conditionText, '') = IFNULL(sObject.result.conditionText, '')
      AND IFNULL(expectedResult.expectedResult.runtimeError, '') = IFNULL(sObject.result.runtimeError, ''),
      "MATCH",
      "FAIL"
    ) as match,
    expectedResult.expectedResult.status as expectedStatus, sObject.result.status as actualStatus,
    expectedResult.expectedResult.conditionIndex as expectedConditionIndex, sObject.result.conditionIndex as actualConditionIndex,
    expectedResult.expectedResult.conditionText as expectedConditionText, sObject.result.conditionText as actualConditionText,
    expectedResult.expectedResult.runtimeError as expectedRuntimeError, sObject.result.runtimeError as actualRuntimeError
  FROM UNNEST(mock_ExpectedResult()) expectedResult
  LEFT JOIN (
      SELECT
          sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c,
          sObject.CA10__wafEnabled__c AS CA10__wafEnabled__c,
          sObject.Id AS Id,
          process_CA10__CaAzureApplicationGateway__c(
              STRUCT(
                  sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c,
                  sObject.CA10__wafEnabled__c AS CA10__wafEnabled__c,
                  sObject.Id AS Id
              ),
              sObject.context.snapshotTime
          ) as result
      FROM UNNEST(mock_CA10__CaAzureApplicationGateway__c()) AS sObject
  ) sObject ON sObject.Id = expectedResult.Id;