VPC flow-logs policy Errors #7648

Open
scoleri opened this issue Aug 11, 2022 · 0 comments · May be fixed by #7654
scoleri commented Aug 11, 2022

Describe the bug

When searching for non-compliant VPC flow-logs I get an exception when looking for a specific LogDestination (bucket name) if the policy hits a resource that has only the cloud-watch type, because there is NO LogDestination in cloud-watch, just a group name. (I hope I'm saying that right.)

What did you expect to happen?

When custodian hits a flow-log that has no specific type and destination, it should record it as a NON-Compliant resource.

Cloud Provider

Amazon Web Services (AWS)

Cloud Custodian version and dependency information

20:12 $ custodian version --debug

Please copy/paste the following info along with any bug reports:

Custodian:   0.9.17
Python:      3.9.8 (main, Nov  8 2021, 00:00:00)
             [GCC 11.2.1 20210728 (Red Hat 11.2.1-2)]
Platform:    posix.uname_result(sysname='Linux', nodename='910695a23d3b', release='4.14.231-173.361.amzn2.aarch64', version='#1 SMP Mon Apr 26 20:57:10 UTC 2021', machine='aarch64')
Using venv:  False
Docker: True
Installed:

argcomplete==2.0.0
attrs==21.4.0
boto3==1.24.10
botocore==1.27.10
docutils==0.17.1
importlib-metadata==4.11.4
importlib-resources==5.7.1
jmespath==1.0.0
jsonschema==4.6.0
pyrsistent==0.18.1
python-dateutil==2.8.2
pyyaml==6.0
s3transfer==0.6.0
six==1.16.0
tabulate==0.8.9
typing-extensions==4.2.0
urllib3==1.26.9
zipp==3.8.0

Policy

policies:
  - name: flow-logs-not-compliant
    resource: vpc
    filters:
    - or:
      - not:
        - type: flow-logs
          enabled: true
          destination-type: s3
          destination: "arn:aws:s3:::BLAHBLAH/"
      - type: flow-logs
        enabled: false
    actions:
      - type: set-flow-log
        LogDestination: arn:aws:s3:::BLAHBLAH/
        LogDestinationType: s3
        TrafficType: ALL

Relevant log/traceback output

#NODEBUGRUN:
2022-08-11 20:23:10,418: c7n_org:ERROR Exception running policy:flow-logs-not-compliant account:BLAH Production region:us-east-1 error:'LogDestination'

#DEBUGRUN:
2022-08-11 20:15:11,477: c7n_org:ERROR Exception running policy:flow-logs-not-compliant account:BLAH Production region:us-east-1 error:'LogDestination'
Traceback (most recent call last):
  File "/home/cloudcustodian/.local/lib/python3.9/site-packages/c7n_org/cli.py", line 609, in run_account
    resources = p.run()
  File "/home/cloudcustodian/.local/lib/python3.9/site-packages/c7n/policy.py", line 1236, in __call__
    resources = PullMode(self).run()
  File "/home/cloudcustodian/.local/lib/python3.9/site-packages/c7n/policy.py", line 290, in run
    resources = self.policy.resource_manager.resources()
  File "/home/cloudcustodian/.local/lib/python3.9/site-packages/c7n/query.py", line 532, in resources
    resources = self.filter_resources(resources)
  File "/home/cloudcustodian/.local/lib/python3.9/site-packages/c7n/manager.py", line 111, in filter_resources
    resources = f.process(resources, event)
  File "/home/cloudcustodian/.local/lib/python3.9/site-packages/c7n/filters/core.py", line 337, in process
    return self.process_set(resources, event)
  File "/home/cloudcustodian/.local/lib/python3.9/site-packages/c7n/filters/core.py", line 353, in process_set
    r[rtype_id] for r in f.process(resources, event)])
  File "/home/cloudcustodian/.local/lib/python3.9/site-packages/c7n/filters/core.py", line 378, in process
    return self.process_set(resources, event)
  File "/home/cloudcustodian/.local/lib/python3.9/site-packages/c7n/filters/core.py", line 397, in process_set
    resources = f.process(resources, event)
  File "/home/cloudcustodian/.local/lib/python3.9/site-packages/c7n/resources/vpc.py", line 139, in process
    fl['LogDestination'], destination)
KeyError: 'LogDestination'
> /home/cloudcustodian/.local/lib/python3.9/site-packages/c7n/resources/vpc.py(139)process()
-> fl['LogDestination'], destination)

Extra information or context

I fixed it in my world with this - if I could do a PR I would. I'm sure there is a better way to fix this too.

--- /home/cloudcustodian/.local/lib/python3.9/site-packages/c7n/resources/vpc.py        2022-08-11 20:20:19.564963795 +0000
+++ /home/cloudcustodian/vpc.py 2022-08-11 20:21:40.694324344 +0000
@@ -134,8 +134,11 @@
                 for fl in flogs:
                     dest_type_match = (destination_type is None) or op(
                         fl['LogDestinationType'], destination_type)
-                    dest_match = (destination is None) or op(
-                        fl['LogDestination'], destination)
+                    if fl['LogDestinationType'] == "s3":
+                      dest_match = (destination is None) or op(
+                          fl['LogDestination'], destination)
+                    else:
+                      dest_match = (destination is None)
                     status_match = (status is None) or op(fl['FlowLogStatus'], status.upper())
                     delivery_status_match = (delivery_status is None) or op(
                         fl['DeliverLogsStatus'], delivery_status.upper())
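Review bot: the new branch at `if fl['LogDestinationType'] == "s3":` still indexes the record directly and hard-codes one destination type, so a record without LogDestinationType would raise the same KeyError, and a flow log of another type that does carry a LogDestination ARN (the second hunk's schema lists LogDestination as an allowed key for 'cloud-watch-logs') would never be compared against the requested `destination`. Reading the key defensively covers both cases in a single line and keeps the original structure: `dest_match = (destination is None) or op(fl.get('LogDestination'), destination)`; a missing key then compares as None, which is a non-match and therefore the non-compliant result the report expects. Also, the inserted lines are indented by 2 spaces under the `if`/`else` while the surrounding file uses 4.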
@@ -2456,7 +2459,7 @@
         },
         'cloud-watch-logs': {
             'required': ['DeliverLogsPermissionArn'],
-            'one-of': ['LogGroupName', 'LogDestination'],
+            'one-of': ['LogGroupName', 'LogDestination']
         }
     }
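Review bot: this hunk only removes the trailing comma after `'LogDestination'` in the 'cloud-watch-logs' schema entry, which is a no-op in Python and unrelated to the KeyError; drop it so the change stays limited to the match logic. Note that this same schema entry allows a cloud-watch-logs flow log to carry LogDestination, which is at odds with the first hunk's decision to compare the destination only when the type is "s3".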
@thisisshi thisisshi linked a pull request Aug 23, 2022 that will close this issue
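As an added illustration of the fix the report is asking for (not Cloud Custodian's or the reporter's code), the per-flow-log comparison from the traceback rewritten so a record with no LogDestination is treated as a non-match instead of raising, evaluated against constructed flow-log records; the field names are those DescribeFlowLogs returns and the traceback references, the helper names and sample data are assumptions.

```python
# Added example, not Cloud Custodian's own code: a defensive version of the
# matching loop at c7n/resources/vpc.py line 139 that the issue's traceback
# points at. Helper names are invented; field names follow DescribeFlowLogs.
import operator

# Constructed flow-log records: an active S3 log at the expected bucket, a
# CloudWatch Logs log that has LogGroupName but no LogDestination (the record
# shape that raised KeyError), and an inactive S3 log at another bucket.
FLOW_LOGS = [
    {"LogDestinationType": "s3", "LogDestination": "arn:aws:s3:::BLAHBLAH/",
     "FlowLogStatus": "ACTIVE", "DeliverLogsStatus": "SUCCESS"},
    {"LogDestinationType": "cloud-watch-logs", "LogGroupName": "vpc-flow",
     "FlowLogStatus": "ACTIVE", "DeliverLogsStatus": "SUCCESS"},
    {"LogDestinationType": "s3", "LogDestination": "arn:aws:s3:::other/",
     "FlowLogStatus": "INACTIVE", "DeliverLogsStatus": "FAILED"},
]


def flow_log_matches(fl, destination_type=None, destination=None,
                     status=None, op=operator.eq):
    """Return True when every criterion that was given matches this record.

    LogDestination is read with .get(): a record that lacks the key (any
    destination type that does not carry an ARN) compares as None, which
    never equals a requested ARN, so it is a plain non-match rather than an
    exception that aborts the whole policy run.
    """
    dest_type_match = destination_type is None or op(
        fl.get("LogDestinationType"), destination_type)
    dest_match = destination is None or op(
        fl.get("LogDestination"), destination)
    status_match = status is None or op(
        fl.get("FlowLogStatus"), status.upper())
    return dest_type_match and dest_match and status_match


def vpc_has_compliant_flow_log(flow_logs, bucket_arn):
    """The intent of the issue's policy: a VPC is compliant only if at least
    one of its flow logs is active, delivered to S3, and aimed at bucket_arn."""
    return any(
        flow_log_matches(fl, destination_type="s3",
                         destination=bucket_arn, status="active")
        for fl in flow_logs)
```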