Can you make a tag mandatory provided another tag key/value exists

[timnolan1]

Hello,
Is there a way to do this? Our use case is as follows:

• environment is a mandatory tag that must be one of several values in a list (i.e., dev, prod, test, etc.)
• IF this value = 'test', then the tag test-type must be present on the resource
• IF this value != 'test', then the tag test-type is optional
  Thank you

[thisisshi]

You can accomplish this with boolean filters, example below:

policies:
- name: find-non-compliant-tagged-resources
  resource: aws.ec2
  description: checks to see if the tag environment is present and \
               if the value is "test" checks that tag tag-test \
               is also present.
  filters:
    - not:
      - or:
        - and:
          - tag:environment: present
          - tag:environment: test
          - tag:test-type: present
        - and:
          - tag:environment: present

[timnolan1]

Thanks for the quick reply @thisisshi - much appreciated :)

[timnolan1]

@thisisshi do you happen to know how the syntax of the above policy if using a macro?

for example we have a macros.yml with:

---
- name: required-tags_noncompliant
  section: filters
  value:
    or:
    - type: value
      key: "tag:contact"
      op: regex-case
      value: '^(?!\d{6}).{,5}|.{7,}$'
    - type: value
      key: "tag:environment"
      op: not-in
      value:
        - dev
        - poc
        - test
        - prod

and then we inject this macro into Cloud Custodian policies using macro:required-tags_compliant, such as:

---
tags:
  - all
policies:
  - name: ec2_periodic_tag_compliant
    resource: ec2
    description: |
      Find compliant EC2 Instances and mark them compliant
    comment: EC2 Marked Compliant
    filters:
      - or:
        - tag:tag-compliant: absent
        - not:
          - tag:tag-compliant: "yes"
      - macro:required-tags_compliant
    actions:
    - type: tag
      tags:
        tag-compliant: "yes"
    - unmark

I wish to adapt your policy above to the syntax in our macros.yaml. Any ideas?

[thisisshi]

Are you using some sort of yaml pre processor? there isn't any support for macros like this in cloud custodian, though you can use yaml anchors

[timnolan1]

Thank you @thisisshi I will let you know if we have any further questions. Appreciate your quick reply :)