AWS Tag compliance Codebundle #15

saurabh3460 · 2025-01-31T15:05:06Z

The SLI produces a score of 0 (bad), 1(good), or a value in between. This score is generated by capturing the following:

Tag compliance for ${AWS_RESOURCE_PROVIDERS}

…s in runbook

…s health cb

stewartshea · 2025-02-03T12:37:59Z

codebundles/aws-c7n-tag-compliance/.test/README.md

The code under .test doesn't appear to be valid for this codebundle. At a minumum the .test folder needs a README.md that specifies how to set up a scenario to verify the codebundle. This appears to not be updated for this scenario.

added a note like this:

Build Test Infrastructure:

Note: By default, the test environment leverages existing AWS resources such as VPCs and Security Groups that are untagged. These resources are sufficient to test the codebundle's tagging compliance functionality.

stewartshea · 2025-02-03T12:39:26Z

codebundles/aws-c7n-tag-compliance/Util.py

If you think this function is useful across other CodeBundles, we may consider moving it into the keyword.

I haven't seen or needed this in other CodeBundles so far, if I see anywhere it's required will definitely move to cloudcustodian core lib

codebundles/aws-c7n-tag-compliance/runbook.robot

codebundles/aws-c7n-tag-compliance/sli.robot

codebundles/aws-c7n-tag-compliance/runbook.robot

stewartshea · 2025-02-03T12:57:54Z

codebundles/aws-c7n-tag-compliance/runbook.robot

+    ...    pattern=^[a-zA-Z0-9,]+$
+    ...    example=ec2,rds,vpc,iam-group,iam-policy,iam-user,security-group
+    ...    default=ec2,rds,vpc,iam-group,iam-policy,iam-user,security-group
+    ${AWS_RESOURCE_PROVIDERS_ID_MAPPINGS}=    RW.Core.Import User Variable    AWS_RESOURCE_PROVIDERS_ID_MAPPINGS


What is the purpose of this? If it's needed, why doesn't it exist in the SLI? If it isn't needed, or is predictable and well known or assumed, can we remove it from the configuration?

Updated it now loading it through a json file that contains resource-id mapping.

…C, subnets, security groups, and EC2 instance

…d from external JSON file

saurabh3460 · 2025-02-05T06:56:12Z

@stewartshea we can review it, added simple EC2 infra

stewartshea · 2025-02-06T14:08:18Z

codebundles/aws-c7n-acm-health/.test/terraform/main.tf

Might need a rebase, this will likely cause merge conflicts

stewartshea · 2025-02-06T14:22:30Z

A few overall comments @saurabh3460 :

We need more "Add Pre to Report" content regarding report output, not just for issues

For scope / Issue output

Can we ensure that these checks only run against regions that have active resources? My small environment produced 41 issues, mostly with details about regions I don't use
Is it possible to group the issues by region? The amount of issues generated feels pretty large, and I suspect we could just include a list of all resources that need attention in the issue details / report, with a next step that says "Apply missing tags Name, Environment, Owner to resources in AWS region ap-northeast-3 and AWS account 982534371594" - and then the report / issue details contains a table formatted list of all resources that are missing these details?

…ng for missing tags

saurabh3460 · 2025-02-10T07:21:25Z

A few overall comments @saurabh3460 :

We need more "Add Pre to Report" content regarding report output, not just for issues

For scope / Issue output

Can we ensure that these checks only run against regions that have active resources? My small environment produced 41 issues, mostly with details about regions I don't use

Is it possible to group the issues by region? The amount of issues generated feels pretty large, and I suspect we could just include a list of all resources that need attention in the issue details / report, with a next step that says "Apply missing tags Name, Environment, Owner to resources in AWS region ap-northeast-3 and AWS account 982534371594" - and then the report / issue details contains a table formatted list of all resources that are missing these details?

Sure, I have tried to improve it, please have a look

add icon, update alias

…book

…link creation

saurabh3460 and others added 30 commits November 20, 2024 17:14

add codebundles/aws-c7n-ebs-health/sli.robot

63adb4f

add c7n ebs policies

7a205bd

add script to create test infra

9ee4894

added runbook.robot with List Unattached EBS Volumes task

b86124b

Merge branch 'runwhen-contrib:main' into main

e1bd6e0

added parse_ebs_results func in Core.py

774460f

change name of unused-ebs-snapshots policy

9d5dd28

change secret__aws_account_id -> secret__aws_access_key_id

3dd7314

updated create/delete snapshot script in .test

b9505d0

added List Unused EBS Snapshots and List Unencrypted EBS Volumes task…

aa77f67

…s in runbook

add runwhen generation rule and template yaml

780854e

clean cc lib

3455556

replace ebs test script with terraform

ecc92ff

remove volume check and add encrypted false in ebs.tf

cfb684b

added taskfile in ebs health codebundle

e9f4513

add account_id in ebs gen rule qualifiers

6102c59

add check-rwp-config task in ebs cb test's taskfile

4c59821

update ebs cb test README

90b306b

add encrypted filed in ebs tf file

7f81bd3

add suite variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY in eb…

9602af8

…s health cb

add rw-cli-keywords dependency in requirements.txt

becadf9

fix sli locations filed in both ebs and s3 cb

37fd8b7

update Author in sli

5672dc9

fix Add Issue and change AWS_ACCOUNT_NAME -> AWS_ACCOUNT_ID

53c55bc

ebs Taskfile: add custom field and terraform/cb.secret

406e2fd

ebs sli: fix score logic

b0d6153

ebs runbook: update next steps string and task title

4580a3b

EBS CB: fix typo and update image url in templates

d7fce89

update intervalSeconds 300 -> 600

59c5463

EBS CB: update Metadata and thresholds defaults 1->0

d1caa2e

Fix alert operators in AWS Tag Compliance SLI template

ad22be7