-
Notifications
You must be signed in to change notification settings - Fork 183
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Enforce mandatory tags for all tagging supported resources #86
Comments
Keep in mind tagging is actually one of the more difficult enforcement scenarios to statically analyze since these tags are usually passed in at the stack level rather than being present in the template itself ( That could also be an easier way to enforce those tags on all those resource types if you can make sure they're just passed in at the stack-level, especially since most resource types don't currently support CloudformationSchemas $ grep -L '"Tags"' * | wc -l
375 # resource types that currently don't support Tags I like the general idea of regular expressions for types in rules though |
Yes, that has to be taken care by whoever is launching the stack, though. And to ensure that, we might need some other mechanism. |
I'm running into this issue as well - certain resources will require different tags - for instance for AWS Backup. So defining the tags at a stack level doesn't make the best sense. We are using AWS Config to capture non-compliant resources but since everything is going done thru CI/CD and IaC it would be nice to enforce these policies at creation. Other than that, really loving this product! Great job. |
@nathanataws - I was wondering in which language the rulesets are written? |
|
The problem with the rule set above is that the lines are effectively contradicting each other. They're saying that every tag must be all of those things (which is impossible). The best way to check all of those tags would most likely be to either |OR| the existing rules together or find a way to express the position of the value you want to check without a regex and then have all the acceptable values in a list. Eg AWS::EC2::VPC Tags.*.Key in [x, y, z] The downside to that approach is that you won't be able to use those different custom messages. For that, you'll have to use the |OR| as mentioned above. |
What do you mean by "effectively contradicting each other". Could you please elaborate. Because the above rule set was working fine as per our requirement. |
The rules mentioned above aren't effectively contradicting each other since they are just matching regular expressions on the entire list of tags. If a key specified via regex is present in the tags array, the regex should match and the rule should pass. Our equality operator for lists actually works if ANY values in the list match, so you should be able to rewrite your above ruleset as:
Tested with a minimal example ruleset:
template:
result:
|
The requested functionality is equivalent to functionality in Cloud Custodian (c7n) and is highly desirable to improve developer/builder experience and push enforcement left. In line with the recommendation we give in the Tagging Best Practice whitepaper. Currently recursively building Cfn Hooks for all resource types that support the tagris tagging standard is a lengthy (~10mins) build process, as demonstrated in this set of labs in the Tagging Workshop. |
Hi, Can we enforce the tagging at the stack-level, I tried it and it worked at the resource level only. Thanks, |
My requirements are:
ApplicationName
,ApplicationOwner
,SupportContact
,Environment
&CostCenter
) to all tagging supported resources. cfn-guard should raise error if any of these tags are found missing.Below shown is a sample ruleset that I used to validate the mandatory tags for VPC.
By evaluating a CFT which contains only tag keys
Service
,Name
andApplicationName
, using this above ruleset, I received the below output.Got two questions here:
The text was updated successfully, but these errors were encountered: