feat(waf): add check for regional web ACL logging enabled

[Sid-0602]

Context

This PR adds a new AWS check for WAF Classic Regional Web ACL logging. There is no existing issue; this gap was identified by cross-referencing Prowler's existing coverage, waf_global_webacl_logging_enabled exists for CloudFront-scoped (global) Web ACLs but the regional equivalent protecting Application Load Balancers and API Gateway stages was missing.

Description

Adds waf_regional_webacl_logging_enabled, a new check that verifies each AWS WAF Classic Regional Web ACL has logging enabled by checking for at least one configured log destination.

This PR includes a small service change alongside the new check:

• waf_service.py: Added _get_logging_configuration method to the WAFRegional class and wired it into __init__. The WebAcl model already had a logging_enabled: bool field; this change simply populates it for regional ACLs, mirroring the identical method already present in the WAF global class.
• Check + metadata + tests: New check using wafregional_client, 3 test cases (no ACLs, logging disabled, logging enabled).

No new IAM permissions needed. The check reads from waf-regional:GetLoggingConfiguration, which is already included in Prowler's WAF Regional permission baseline.

Steps to review

1. In prowler/providers/aws/services/waf/waf_service.py, confirm the new _get_logging_configuration method in WAFRegional mirrors the existing one in WAF, using self.regional_clients[acl.region] instead of self.client
2. Review the check in waf_regional_webacl_logging_enabled.py; it iterates wafregional_client.web_acls and checks acl.logging_enabled
3. Run the tests: pytest tests/providers/aws/services/waf/waf_regional_webacl_logging_enabled/ -v
4. Verify the check is detected: python prowler-cli.py aws --list-checks | grep waf_regional_webacl_logging
5. Cross-reference with waf_global_webacl_logging_enabled to confirm the regional check is consistent in structure and messaging

Checklist

Community Checklist

• This feature/issue is listed in [here](https://github.com/prowler-cloud/prowler/issues?q=sort%3Aupdated-desc+is%3Aissue+is%3Aopen) or roadmap.prowler.com
• Is it assigned to me, if not, request it via the issue/feature in [here](https://github.com/prowler-cloud/prowler/issues?q=sort%3Aupdated-desc+is%3Aissue+is%3Aopen) or [Prowler Community Slack](goto.prowler.com/slack)

• Review if the code is being covered by tests.
• Review if code is being documented following this specification https://github.com/google/styleguide/blob/gh-pages/pyguide.md#38-comments-and-docstrings
• Review if backport is needed.
• Review if is needed to change the [Readme.md](https://github.com/prowler-cloud/prowler/blob/master/README.md)
• Ensure new entries are added to [CHANGELOG.md](https://github.com/prowler-cloud/prowler/blob/master/prowler/CHANGELOG.md), if applicable.

SDK/CLI

• Are there new checks included in this PR? Yes
  • Do we need to update permissions for the provider? No, waf-regional:GetLoggingConfiguration is already part of Prowler's WAF Regional permission set.

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Summary by CodeRabbit

• New Features
  • Added a new AWS WAF Classic regional Web ACL check to verify logging is enabled to Kinesis Data Firehose, improving visibility and compliance monitoring.
• Infrastructure
  • WAF regional collection now detects and marks Web ACLs with logging enabled.
• Tests
  • Added unit tests covering no-ACL, logging-disabled (FAIL), and logging-enabled (PASS) scenarios.
• Documentation
  • Changelog updated with the new check entry.

[coderabbitai]

📝 Walkthrough

Walkthrough

A new Prowler check waf_regional_webacl_logging_enabled validates AWS WAF Classic Regional Web ACLs have logging enabled; WAFRegional now fetches per-ACL logging config, the check reports PASS/FAIL per ACL, metadata and changelog entries are added, and tests cover no-ACL, disabled, and enabled scenarios.

Changes

WAF Regional Web ACL Logging Check Implementation

Layer / File(s)	Summary
WAFRegional logging configuration retrieval prowler/providers/aws/services/waf/waf_service.py	WAFRegional.__init__ dispatches _get_logging_configuration concurrently for collected web ACLs; _get_logging_configuration calls get_logging_configuration(ResourceArn=acl.arn) and sets acl.logging_enabled when LogDestinationConfigs is present.
Check execution and reporting prowler/providers/aws/services/waf/waf_regional_webacl_logging_enabled/waf_regional_webacl_logging_enabled.py	New waf_regional_webacl_logging_enabled check class iterates WAFRegional web ACLs, creates a Check_Report_AWS per ACL with default FAIL, and marks PASS when acl.logging_enabled is true; returns findings.
Metadata and changelog documentation prowler/providers/aws/services/waf/waf_regional_webacl_logging_enabled/waf_regional_webacl_logging_enabled.metadata.json, prowler/CHANGELOG.md	Adds metadata JSON for the check (identity, severity, classification, controls, remediation examples) and a changelog bullet in 5.30.0 (Prowler UNRELEASED) under Added.
Test cases and API mocking tests/providers/aws/services/waf/waf_regional_webacl_logging_enabled/waf_regional_webacl_logging_enabled_test.py	Adds tests that mock botocore _make_api_call to simulate WAFRegional operations including GetLoggingConfiguration; validates no web ACLs (no findings), logging disabled (FAIL), and logging enabled (PASS) with assertions on status, status_extended, resource_id, resource_arn, and region.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

• danibarranqueroo

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 58.33% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: adding a check for WAF regional web ACL logging.
Description check	✅ Passed	The description covers context, implementation details, review steps, and most checklist items including test coverage, documentation, CHANGELOG updates, and permission analysis.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

✅ Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@prowler/CHANGELOG.md`:
- Line 9: Update the placeholder PR number in the changelog entry for the
`waf_regional_webacl_logging_enabled` check: replace the `(`#XXXX`)` token with
the actual PR reference `(`#11539`)` in the CHANGELOG.md entry so the line reads
with the correct PR number.

In `@prowler/providers/aws/services/waf/waf_service.py`:
- Around line 283-301: Add a Google-style docstring to the
_get_logging_configuration method describing its purpose (retrieve WAF regional
Web ACL logging config), the parameters (acl: object with name, arn, region and
expected attributes), what it does (queries
regional_clients.get_logging_configuration and sets acl.logging_enabled based on
LoggingConfiguration.LogDestinationConfigs), return/side-effects (mutates
acl.logging_enabled) and error handling (logs exceptions). Place the docstring
immediately below the def _get_logging_configuration(self, acl): signature and
follow Google docstring sections: Args, Returns (or Side Effects), and
Raises/Errors if applicable.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: f468c46d-ce8a-4aa0-a17d-f1909cfeeb69

📥 Commits

Reviewing files that changed from the base of the PR and between 75f9555 and 22a50ca.

📒 Files selected for processing (7)

• prowler/CHANGELOG.md
• prowler/providers/aws/services/waf/waf_regional_webacl_logging_enabled/__init__.py
• prowler/providers/aws/services/waf/waf_regional_webacl_logging_enabled/waf_regional_webacl_logging_enabled.metadata.json
• prowler/providers/aws/services/waf/waf_regional_webacl_logging_enabled/waf_regional_webacl_logging_enabled.py
• prowler/providers/aws/services/waf/waf_service.py
• tests/providers/aws/services/waf/waf_regional_webacl_logging_enabled/__init__.py
• tests/providers/aws/services/waf/waf_regional_webacl_logging_enabled/waf_regional_webacl_logging_enabled_test.py

[coderabbitai]

♻️ Duplicate comments (1)

prowler/providers/aws/services/waf/waf_service.py (1)

283-283: 🧹 Nitpick | 🔵 Trivial | ⚡ Quick win

Add type hints to method signature.

The coding guidelines require type hints for all public functions. Although this is a private method, adding type hints improves maintainability and IDE support. Based on the docstring, acl should be typed as WebAcl, and the return type should be explicit.

🔧 Proposed enhancement

-    def _get_logging_configuration(self, acl):
+    def _get_logging_configuration(self, acl: "WebAcl") -> None:
         """Fetch and store the logging configuration for a Regional Web ACL.

As per coding guidelines, type hints are required for all public functions in Python code (prowler/**/*.py guideline).

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@prowler/providers/aws/services/waf/waf_service.py` at line 283, Add explicit
type hints to the _get_logging_configuration method signature: annotate the acl
parameter as WebAcl and add an explicit return type (e.g.,
Optional[LoggingConfiguration] or the actual logging config type used in the
module) so IDEs and linters can validate usage; update any necessary imports
(from typing import Optional and the WebAcl/LoggingConfiguration types) and
ensure the docstring still matches the annotated types.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In `@prowler/providers/aws/services/waf/waf_service.py`:
- Line 283: Add explicit type hints to the _get_logging_configuration method
signature: annotate the acl parameter as WebAcl and add an explicit return type
(e.g., Optional[LoggingConfiguration] or the actual logging config type used in
the module) so IDEs and linters can validate usage; update any necessary imports
(from typing import Optional and the WebAcl/LoggingConfiguration types) and
ensure the docstring still matches the annotated types.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: d7555487-cba3-4916-af6a-bbfde1c39d90

📥 Commits

Reviewing files that changed from the base of the PR and between 22a50ca and b156f1a.

📒 Files selected for processing (2)

• prowler/CHANGELOG.md
• prowler/providers/aws/services/waf/waf_service.py

[Sid-0602]

Hey @danibarranqueroo @HugoPBrito !!
When you get a chance, would appreciate a review on this. Happy to address any feedback :)