bug: ec2/unused_acls.sql got be 'pass' if 'associations' is null

[sabe6]

Is there an existing issue for this?

• I have searched the existing issues

Current Behavior

https://github.com/cloudquery/cloudquery/blob/main/plugins/source/aws/policies/queries/ec2/unused_acls.sql

EC2.16 control says:

If the only relationship is the VPC of the network ACL, then the control fails.

'Unused network acl' would mean it does not have any subnet associations.

Expected Behavior

Patch it works:

diff --git a/plugins/source/aws/policies/queries/ec2/unused_acls.sql b/plugins/source/aws/policies/queries/ec2/unused_acls.sql
index ee91bb6fd..3306475c3 100644
--- a/plugins/source/aws/policies/queries/ec2/unused_acls.sql
+++ b/plugins/source/aws/policies/queries/ec2/unused_acls.sql
@@ -4,8 +4,8 @@ select distinct
     network_acl_id as resource_id,
     case when
         a->>'NetworkAclAssociationId' is null
-        then 'pass'
-        else 'fail'
+        then 'fail'
+        else 'pass'
     end as status
 from aws_ec2_network_acls left join jsonb_array_elements(aws_ec2_network_acls.associations) as a on true
         )

CloudQuery (redacted) config

N/A

Steps To Reproduce

No response

CloudQuery (redacted) logs

N/A

CloudQuery version

main

Additional Context

No response

Pull request (optional)

• I can submit a pull request