Check existence and values of specific tag keys #23
Comments
|
Do you have an example template to run against this rule? As written, it would look at the Tags property of the AWS::EC2::EIP type and expect it to exactly match that list of maps on the right-side of the rule. If there were an additional value inside that right-side list, it would fail to exactly match and the check should fail. Here's what I got from a test that sounds similar to your question: |
|
Generally we want that all tagable resources have 2 specific tags, one that denotes the owner and one that denotes the environment type. However the resources may also have any number of additional tags that we do not track or care about and it should not fail cfn-guard if those additional tags are defined. The only hard requirement is the existence the Owner and Environment tags. |
|
That sounds like a good candidate for wildcards. Try something like: What these rules say is "At least item in the list under Tags must contain this value". Taken together they guarantee that each instance of EIP Tags needs to have these somewhere in its list. Note the lack of whitespace, though. Because the parsers eliminate them when they deserialize, your right-side value needs to be |
|
Hi, That didnt work as expected, now it complains twice for every other tag that's not specifically listed like: The ruleset is: The template is missing OwnerContact Tag //Edit: It seems that I can only enforce it using positional Tags such as |
|
Hmm. Sorry to hear that's not working. The extra messages are a result of wildcard I think I can write a simple rule to address this use case but before I do, can I get an example template (nothing sensitive in it) to try it on my side? |
|
This would be an example: ClusterSg:
Type: AWS::EC2::SecurityGroup
Properties:
VpcId:
Fn::ImportValue: !Sub ${EnvironmentType}-net-vpc-VpcId
GroupDescription: !Sub ${EnvironmentType}-sg-${ClusterName}
SecurityGroupEgress:
- CidrIp: "0.0.0.0/0"
IpProtocol : "-1"
Description: "Allow all outgoing traffic"
SecurityGroupIngress:
- SourceSecurityGroupId: !Ref AlbSg
IpProtocol : "-1"
Description: !Sub "Allow incoming traffic from ${ClusterName} ALB"
Tags:
- Key: EnvironmentType
Value: !Ref EnvironmentType
- Key: OwnerContact
Value: !Ref OwnerContact
- Key: Name
Value: !Sub ${EnvironmentType}-${ClusterName}-sg
- Key: ClusterName
Value: !Ref ECSCluster
- Key: Scope
Value: ecsThe only tags we want to enforce setting is I appreciate the help :) |
nathanataws
added
bug
|
You caught a bug! Good eye. The issue was that the regex was too restrictive and mandated a value after the Can you build from the It should mandate that each of those tags must be present at least once. You'll still get the multiple errors when they're not present because the You should get the following result: But with the tags in the template uncommented, it should pass. |
|
Haha nice, this will slim down my rules a lot. I'll build 0.5.2 and test it :) |
|
Awesome. I'll close this for now. Please do re-open it if you're still jammed-up. |
|
👀 Taking a look. This should be covered by test cases. If not, that's a bug in and of itself. |
|
I just tested from the head of And the ruleset: It failed with the tags commented out: And passed when the tags were uncommented: What's the error you got? |
|
Actually looking at the results again it seems to be matching different Tags objects that it just didnt match before... Something like: Had to heavily redact this one sadly. But this will be matched against: So I just added 'EnvironmentType' as literal into the array and it started matching again. |
|
Interesting! Can you give me the rule? I think some of the unexpected behavior might be tied to the new JSON list vs regular list. |
|
I'll just assume it's a list type rule and test with that, but I'd love to have the exact rule to make sure I'm not making bad assumptions. |
|
Based on what you were saying about adding the literal making it work, I think I might know what you're running into: Works because when it's looking at tags, each item in the tag list represented by the * themselves resolve to the full item (eg, However if the rule is written like: It'll fail because "Key" would resolve to "key", not If you added a literal item to the list that would match to "key", eg: It'll pass because a "Key"'s actual value will match to |
|
The ruleset hasn't changed, I still just use I assume it wasnt matching the Tags of that resource previously so all in all it got better :D |
|
Okay. If you're cool with how it works, that's a good thing. :-) On my end, things are working as expected and I have lots of tests around both the list types and the wildcards, so hopefully, I have all of them nailed down. If not, please do reopen and we'll keep unpacking this. |
|
Hi @f0o |
|
@KarthikVenkatraman have a look at #152 for v1 rulesets - otherwise the ruleset of v0 as posted above in this thread still work fine |
Hi,
Is there away to enforce specific tags to be set, ideally with specific values?
would fail if the resource has additional Tags
The text was updated successfully, but these errors were encountered: