
Enforce mandatory tags for all tagging supported resources #86

Open
@gsund89

Description

My requirements are:

  • Enforce a few mandatory tags (say ApplicationName, ApplicationOwner, SupportContact, Environment and CostCenter) on all tagging-supported resources. cfn-guard should raise an error if any of these tags is found missing.
  • Developers can add any number of tags other than the mandatory tags. cfn-guard should not fail if such tags are defined.

Shown below is a sample ruleset that I used to validate the mandatory tags for a VPC.

```
AWS::EC2::VPC Tags == /.*"Key":"Environment".*/ << the mandatory Tag: Environment is not specified
AWS::EC2::VPC Tags == /.*"Key":"ApplicationName".*/ << the mandatory Tag: ApplicationName is not specified
AWS::EC2::VPC Tags == /.*"Key":"SupportContact".*/ << the mandatory Tag: SupportContact is not specified
AWS::EC2::VPC Tags == /.*"Key":"ApplicationOwner".*/ << the mandatory Tag: ApplicationOwner is not specified
AWS::EC2::VPC Tags == /.*"Key":"CostCenter".*/ << the mandatory Tag: CostCenter is not specified
```

Evaluating a CFT that contains only the tag keys Service, Name and ApplicationName against the above ruleset, I received the output below.

```
[VPC] failed because [Tags] is [[{"Key":"Service","Value":"VPC"},{"Key":"Name","Value":"DemoVPC"},{"Key":"ApplicationName","Value":"webapp"}]] and the mandatory Tag: ApplicationOwner is not specified
[VPC] failed because [Tags] is [[{"Key":"Service","Value":"VPC"},{"Key":"Name","Value":"DemoVPC"},{"Key":"ApplicationName","Value":"webapp"}]] and the mandatory Tag: CostCenter is not specified
[VPC] failed because [Tags] is [[{"Key":"Service","Value":"VPC"},{"Key":"Name","Value":"DemoVPC"},{"Key":"ApplicationName","Value":"webapp"}]] and the mandatory Tag: Environment is not specified
[VPC] failed because [Tags] is [[{"Key":"Service","Value":"VPC"},{"Key":"Name","Value":"DemoVPC"},{"Key":"ApplicationName","Value":"webapp"}]] and the mandatory Tag: SupportContact is not specified
```

Got two questions here:

  1. I have used regex in the ruleset to validate tags. Is there any other suggested method for checking the existence of mandatory tags?
  2. As per my understanding, cfn-guard currently supports only adding rulesets for each resource type individually. Is there a way to apply this ruleset globally to all resources?
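The two requirements in the issue (every mandatory key must be present, any extra keys are fine) and the wish to apply the check to every resource rather than per type, written out as a stand-alone template check. This is an added illustration, not cfn-guard code and not part of the cloudformation-guard project; the list of taggable resource types is a deliberately partial assumption, the sample template is constructed for the example, and the report lines only imitate the shape of the output quoted above. Walking `Resources` once and testing each resource against a set of keys is also what catches the case the per-key regex rules above miss: a taggable resource that omits `Tags` entirely.

```python
# Added illustration: a stand-alone mandatory-tag check over a CloudFormation template.
# Not cfn-guard and not part of the cloudformation-guard project; the taggable-type
# list and the sample template below are constructed for this example.
import json
import sys

# The five keys from the issue. Any key beyond these is allowed.
MANDATORY_TAGS = frozenset({
    "ApplicationName", "ApplicationOwner", "SupportContact", "Environment", "CostCenter",
})

# Partial, illustrative list of resource types that accept a Tags property
# (assumption: a real policy would carry the full list for the types it cares about).
TAGGABLE_TYPES = frozenset({
    "AWS::EC2::VPC", "AWS::EC2::Subnet", "AWS::EC2::Instance",
    "AWS::S3::Bucket", "AWS::Lambda::Function",
})


def tag_keys(tags):
    """Collect string tag keys from either CloudFormation tag shape.

    Most resources use a list of {"Key": ..., "Value": ...} objects; some
    (for example the AWS::Serverless::* transform types) take a plain
    {key: value} map. Keys given as intrinsic functions (e.g. {"Ref": ...})
    cannot be resolved statically and are ignored here.
    """
    if isinstance(tags, list):
        return {t["Key"] for t in tags
                if isinstance(t, dict) and isinstance(t.get("Key"), str)}
    if isinstance(tags, dict):
        return {k for k in tags if isinstance(k, str)}
    return set()


def is_taggable(resource):
    """Check a resource if its type is known to support tags, or if it already
    carries a Tags property (an unknown type that tags itself is still held
    to the policy)."""
    return (resource.get("Type") in TAGGABLE_TYPES
            or "Tags" in (resource.get("Properties") or {}))


def missing_mandatory_tags(template, mandatory=MANDATORY_TAGS):
    """Return {logical_id: [missing keys]} for every taggable resource lacking at
    least one mandatory tag. A taggable resource with no Tags property at all is
    reported as missing every mandatory key."""
    failures = {}
    for logical_id, resource in (template.get("Resources") or {}).items():
        if not is_taggable(resource):
            continue
        present = tag_keys((resource.get("Properties") or {}).get("Tags"))
        missing = sorted(mandatory - present)
        if missing:
            failures[logical_id] = missing
    return failures


def format_report(failures):
    """One line per missing tag, imitating the shape of the cfn-guard output above."""
    return [f"[{rid}] failed because the mandatory Tag: {key} is not specified"
            for rid, keys in sorted(failures.items()) for key in keys]


# Constructed sample template: the issue's VPC, a fully tagged bucket with extra
# tags, a subnet with no Tags at all, and a non-taggable resource to be skipped.
SAMPLE_TEMPLATE = {
    "Resources": {
        "VPC": {"Type": "AWS::EC2::VPC", "Properties": {
            "CidrBlock": "10.0.0.0/16",
            "Tags": [{"Key": "Service", "Value": "VPC"},
                     {"Key": "Name", "Value": "DemoVPC"},
                     {"Key": "ApplicationName", "Value": "webapp"}]}},
        "LogsBucket": {"Type": "AWS::S3::Bucket", "Properties": {
            "Tags": [{"Key": k, "Value": "x"} for k in sorted(MANDATORY_TAGS)]
                    + [{"Key": "Team", "Value": "platform"},
                       {"Key": "DataClassification", "Value": "internal"}]}},
        "PublicSubnet": {"Type": "AWS::EC2::Subnet", "Properties": {
            "VpcId": {"Ref": "VPC"}, "CidrBlock": "10.0.1.0/24"}},
        "WaitHandle": {"Type": "AWS::CloudFormation::WaitConditionHandle"},
    }
}


if __name__ == "__main__":
    # Usage: python check_tags.py [template.json]; with no argument the sample runs.
    template = SAMPLE_TEMPLATE
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            template = json.load(fh)
    report = format_report(missing_mandatory_tags(template))
    print("\n".join(report) if report else "all taggable resources carry the mandatory tags")
    sys.exit(1 if report else 0)
```

On the sample template the VPC is reported for the four keys it lacks, LogsBucket passes despite its two extra tags, PublicSubnet is reported for all five keys because it has no Tags property, and WaitHandle is skipped. The non-zero exit status is what a CI step would key on.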

Metadata

Labels: enhancement (New feature or request), needs-triage (This issue or PR still needs to be triaged.)
