fix(terraform): make CKV_AWS_86 detect CloudFront v1 and v2 logging configurations#7530

Open
dbuaon wants to merge 2 commits into bridgecrewio:main from dbuaon:fix/ckv-aws-86-cloudfront-v2-logging
Conversation

@dbuaon dbuaon commented Apr 26, 2026

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Description

This PR fixes Terraform CKV_AWS_86 for CloudFront logging by migrating evaluation to graph-based logic so the same control supports both logging models:

  • Legacy or v1 logging on aws_cloudfront_distribution via logging_config
  • CloudFront v2 logging via CloudWatch log delivery resources:
    • aws_cloudwatch_log_delivery_source
    • aws_cloudwatch_log_delivery
    • aws_cloudwatch_log_delivery_destination

Previously, v2-only configurations could still fail CKV_AWS_86.
After this change, CKV_AWS_86 passes for valid v1 and valid v2 configurations, and fails when logging is not configured.

Fixes #7385

New/Edited policies

Description

CKV_AWS_86 is now implemented as a Terraform graph policy in checkov/terraform/checks/graph_checks/aws/CloudfrontDistributionLogging.yaml. It evaluates a CloudFront distribution as compliant when either:

  1. legacy logging is configured on the distribution via logging_config, or
  2. a CloudFront v2 CloudWatch log delivery chain is configured from the distribution.

This preserves backward compatibility while resolving v2 false positives.

Fix

To remediate violations, configure one of:

  1. Legacy logging:
     • Add logging_config on aws_cloudfront_distribution with a valid log bucket.
  2. v2 CloudWatch delivery logging:
     • Add aws_cloudwatch_log_delivery_source referencing the CloudFront distribution ARN.
     • Add aws_cloudwatch_log_delivery_destination.
     • Add aws_cloudwatch_log_delivery linking source and destination.

Validation

Local commands executed:

  • python -m pytest -q -n0 tests/terraform/graph/checks/test_yaml_policies.py::TestYamlPolicies::test_CloudFrontLoggingEnabled
  • python -m pytest -q -n0 tests/terraform/checks/resource/aws/test_CloudfrontDistributionLogging.py
  • checkov -d tests/terraform/checks/resource/aws/example_CloudfrontDistributionLoggingV2 --check CKV_AWS_86 --compact

Observed results:

  • Graph policy test: 1 passed

  • CKV_AWS_86 resource-side runner test: 1 passed, 1 skipped (pre-existing skip: test_null_var_651)

  • Terraform fixture scan:

    • PASS: aws_cloudfront_distribution.pass_v1
    • PASS: aws_cloudfront_distribution.pass_v2
    • PASS: aws_cloudfront_distribution.fail_v2_incomplete_chain
    • FAIL: aws_cloudfront_distribution.fail_no_logging

Note: fail_v2_incomplete_chain currently passes because the graph check validates that the CloudFront distribution is connected to a CloudWatch Logs delivery source. It does not enforce the full delivery destination chain.

Checklist:

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have added tests that prove my feature, policy, or fix is effective and works
  • New and existing tests pass locally with my changes

dbuaon changed the title from "Fix CKV_AWS_86 for CloudFront v1/v2 logging via graph check" to "fix(terraform): make CKV_AWS_86 detect CloudFront v1 and v2 logging configurations" on Apr 28, 2026
dbuaon commented Apr 28, 2026

Hi maintainers, just adding a note on the validation scope.

This PR intentionally validates CKV_AWS_86 compliance when the CloudFront distribution is connected to a CloudWatch Logs delivery source, which fixes the current v2 false positive while preserving the existing v1 behavior.

I documented the current limitation around validating the full delivery destination chain in the PR description. I can extend the graph policy further if you prefer CKV_AWS_86 to require the complete v2 source -> delivery -> destination chain.
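To make the validation-scope discussion above concrete, here is an added example (not checkov's graph engine, not the project's YAML policy, and not code from the PR author) that models the decision logic the PR describes over a constructed, Terraform-like resource graph. It evaluates each aws_cloudfront_distribution two ways: the PR's current rule (a populated logging_config, or any connected aws_cloudwatch_log_delivery_source), and the stricter source -> delivery -> destination rule the author offers to implement. The attribute names resource_arn, delivery_source_name and delivery_destination_arn are assumed here to mirror the AWS provider schema; the four distribution names match the PR's fixture output, and the resources themselves are constructed for this example.

```python
# Added example: a small model of the CKV_AWS_86 decision logic discussed in this PR.
# Not checkov's graph engine or the project's policy; attribute names are assumed.
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Resource:
    """One Terraform resource block, flattened to a type, a name and its attributes."""
    rtype: str
    name: str
    attrs: Dict[str, object] = field(default_factory=dict)

    @property
    def address(self) -> str:
        return f"{self.rtype}.{self.name}"


def references(res: Resource, target: Resource) -> bool:
    """True when any string attribute of `res` mentions `target`'s address
    (e.g. "aws_cloudfront_distribution.pass_v2.arn"); this stands in for the
    edge the Terraform graph records between the two resources."""
    for v in res.attrs.values():
        if isinstance(v, str) and (v == target.address or v.startswith(target.address + ".")):
            return True
    return False


def of_type(resources: List[Resource], rtype: str) -> List[Resource]:
    return [r for r in resources if r.rtype == rtype]


def has_legacy_logging(dist: Resource) -> bool:
    """v1: a populated logging_config block on the distribution."""
    return bool(dist.attrs.get("logging_config"))


def delivery_sources_for(dist: Resource, resources: List[Resource]) -> List[Resource]:
    """v2, first hop only: delivery sources whose resource_arn points at the distribution."""
    return [s for s in of_type(resources, "aws_cloudwatch_log_delivery_source") if references(s, dist)]


def has_full_v2_chain(dist: Resource, resources: List[Resource]) -> bool:
    """v2, strict: a source for the distribution, a delivery that links that source,
    and a destination the delivery points at must all be present."""
    destinations = of_type(resources, "aws_cloudwatch_log_delivery_destination")
    for source in delivery_sources_for(dist, resources):
        for delivery in of_type(resources, "aws_cloudwatch_log_delivery"):
            if references(delivery, source) and any(references(delivery, d) for d in destinations):
                return True
    return False


def evaluate(resources: List[Resource], require_full_chain: bool = False) -> Dict[str, str]:
    """PASS/FAIL per distribution. require_full_chain=False mirrors the PR's current
    check (any connected delivery source suffices); True is the stricter variant."""
    results: Dict[str, str] = {}
    for dist in of_type(resources, "aws_cloudfront_distribution"):
        if has_legacy_logging(dist):
            ok = True
        elif require_full_chain:
            ok = has_full_v2_chain(dist, resources)
        else:
            ok = bool(delivery_sources_for(dist, resources))
        results[dist.address] = "PASS" if ok else "FAIL"
    return results


# Constructed fixture mirroring the four cases in the PR's validation output.
FIXTURE = [
    Resource("aws_cloudfront_distribution", "pass_v1",
             {"logging_config": {"bucket": "example-cf-logs.s3.amazonaws.com", "include_cookies": False}}),
    Resource("aws_cloudfront_distribution", "pass_v2"),
    Resource("aws_cloudfront_distribution", "fail_v2_incomplete_chain"),
    Resource("aws_cloudfront_distribution", "fail_no_logging"),
    # complete v2 chain for pass_v2
    Resource("aws_cloudwatch_log_delivery_source", "pass_v2",
             {"name": "cf-pass-v2", "log_type": "ACCESS_LOGS",
              "resource_arn": "aws_cloudfront_distribution.pass_v2.arn"}),
    Resource("aws_cloudwatch_log_delivery_destination", "pass_v2",
             {"name": "cf-logs-dest",
              "delivery_destination_configuration": {"destination_resource_arn": "arn:aws:s3:::example-cf-logs"}}),
    Resource("aws_cloudwatch_log_delivery", "pass_v2",
             {"delivery_source_name": "aws_cloudwatch_log_delivery_source.pass_v2.name",
              "delivery_destination_arn": "aws_cloudwatch_log_delivery_destination.pass_v2.arn"}),
    # only the first hop for fail_v2_incomplete_chain: no aws_cloudwatch_log_delivery wires it up
    Resource("aws_cloudwatch_log_delivery_source", "incomplete",
             {"name": "cf-incomplete", "log_type": "ACCESS_LOGS",
              "resource_arn": "aws_cloudfront_distribution.fail_v2_incomplete_chain.arn"}),
]

if __name__ == "__main__":
    for strict in (False, True):
        print(f"require_full_chain={strict}")
        for address, verdict in evaluate(FIXTURE, strict).items():
            print(f"  {verdict}: {address}")
```

Running it with the default setting reproduces the PR's fixture scan, including fail_v2_incomplete_chain passing; with require_full_chain=True that distribution fails while pass_v1 and pass_v2 still pass, which is the behavioural difference between the two scopes under discussion.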

Development

Successfully merging this pull request may close these issues.

CKV_AWS_86 only validates v1 logging, not v2

1 participant