Merge pull request #1115 from guardian/aa/obligatron-null-tags

fix(obligatron): Handle case where there no tags
guardian · Jun 20, 2024 · 8e16c9e · 8e16c9e
2 parents 9ab16b1 + c902acb
commit 8e16c9e
Showing 1 changed file with 17 additions and 5 deletions.
diff --git a/packages/obligatron/src/obligations/tagging.ts b/packages/obligatron/src/obligations/tagging.ts
@@ -2,8 +2,17 @@ import type { PrismaClient } from '@prisma/client';
 import type { ObligationResult } from '.';
 
 type FindingResource = {
+	/**
+	 * The resource identifier, such as the ARN.
+	 */
 	Id: string;
-	Tags: Record<string, string>;
+
+	/**
+	 * The tags on the resource.
+	 *
+	 * A value of `null` represents the absence of tags.
+	 */
+	Tags: null | Record<string, string>;
 };
 
 const securityHubLink = (region: string, findingId: string) => {
@@ -95,10 +104,13 @@ export async function evaluateTaggingObligation(
 				url: securityHubLink(finding.region, finding.id),
 				contacts: {
 					aws_account_id: finding.aws_account_id,
-					// Resource might only be missing one of these tags which might help us assert ownership
-					Stack: resource.Tags.Stack,
-					Stage: resource.Tags.Stage,
-					App: resource.Tags.App,
+
+					...(resource.Tags !== null && {
+						// Resource might only be missing one of these tags which might help us assert ownership
+						Stack: resource.Tags.Stack,
+						Stage: resource.Tags.Stage,
+						App: resource.Tags.App,
+					}),
 				},
 			})),
 		);