Skip to content

Add Resource Tags rule #639

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 9 commits into
base: master
Choose a base branch
from
Open

Add Resource Tags rule #639

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
b0f573b
Add Resource Invalid Tags rule
marckysharky May 7, 2024
c130893
Add additional resources as-per README instructions
marckysharky May 7, 2024
1632ca6
[wip] Merge tag rules into single dsl
marckysharky Jun 11, 2024
fd7235a
Move to single aws_resource_tags rule
marckysharky Jun 11, 2024
d169516
Amend docs
marckysharky Jun 11, 2024
beff0bf
Amend integration map-attribute
marckysharky Jun 11, 2024
8078405
Amend references to previous tag rule name
marckysharky Jun 11, 2024
096536f
Amend integration test
marckysharky Jun 11, 2024
994f4d1
[whitespace] Amend test
marckysharky Jun 11, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion docs/rules/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -72,7 +72,7 @@ These rules enforce best practices and naming conventions:
|[aws_iam_policy_gov_friendly_arns](aws_iam_policy_gov_friendly_arns.md)|Ensure `iam_policy` resources do not contain `arn:aws:` ARN's||
|[aws_iam_role_policy_gov_friendly_arns](aws_iam_role_policy_gov_friendly_arns.md)|Ensure `iam_role_policy` resources do not contain `arn:aws:` ARN's||
|[aws_lambda_function_deprecated_runtime](aws_lambda_function_deprecated_runtime.md)|Disallow deprecated runtimes for Lambda Function|✔|
|[aws_resource_missing_tags](aws_resource_missing_tags.md)|Require specific tags for all AWS resource types that support them||
|[aws_resource_tags](aws_resource_tags.md)|Require specific tags for all AWS resource types that support them||
|[aws_s3_bucket_name](aws_s3_bucket_name.md)|Ensures all S3 bucket names match the naming rules|✔|
|[aws_provider_missing_default_tags](aws_provider_missing_default_tags.md)|Require specific tags for all AWS providers default tags||

Expand Down
2 changes: 1 addition & 1 deletion docs/rules/README.md.tmpl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -72,7 +72,7 @@ These rules enforce best practices and naming conventions:
|[aws_iam_policy_gov_friendly_arns](aws_iam_policy_gov_friendly_arns.md)|Ensure `iam_policy` resources do not contain `arn:aws:` ARN's||
|[aws_iam_role_policy_gov_friendly_arns](aws_iam_role_policy_gov_friendly_arns.md)|Ensure `iam_role_policy` resources do not contain `arn:aws:` ARN's||
|[aws_lambda_function_deprecated_runtime](aws_lambda_function_deprecated_runtime.md)|Disallow deprecated runtimes for Lambda Function|✔|
|[aws_resource_missing_tags](aws_resource_missing_tags.md)|Require specific tags for all AWS resource types that support them||
|[aws_resource_tags](aws_resource_tags.md)|Require specific tags for all AWS resource types that support them||
|[aws_s3_bucket_name](aws_s3_bucket_name.md)|Ensures all S3 bucket names match the naming rules|✔|
|[aws_provider_missing_default_tags](aws_provider_missing_default_tags.md)|Require specific tags for all AWS providers default tags||

Expand Down
11 changes: 4 additions & 7 deletions docs/rules/aws_provider_missing_default_tags.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,18 +45,15 @@ Notice: The provider is missing the following tags: "Bar", "Foo". (aws_provider_
- Using default tags results in better tagging coverage. The resource missing tags rule needs support
to be added for non-standard uses of tags in the provider, for example EC2 root block devices.

Use this rule in conjuction with aws_resource_missing_tags_rule, for example to enforce common tags and
Use this rule in conjuction with aws_resource_tags_rule, for example to enforce common tags and
resource specific tags, without duplicating tags.

```hcl
rule "aws_resource_missing_tags" {
enabled = true
tags = [
rule "aws_resource_tags" {
enabled = true
required = [
"kubernetes.io/cluster/eks",
]
include = [
"aws_subnet",
]
}

rule "aws_provider_missing_default_tags" {
Expand Down
76 changes: 0 additions & 76 deletions docs/rules/aws_resource_missing_tags.md
View file
Open in desktop

This file was deleted.

47 changes: 47 additions & 0 deletions docs/rules/aws_resource_tags.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
# aws_resource_tags

Rule for resources tag presence and value validation from prefixed list.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Rule for resources tag presence and value validation from prefixed list.
Enforce required tag keys and restrict tag values.

"Prefixed" connotes a string prefix whereas I'm pretty sure you just mean fixed/exact.


## Example

```hcl
rule "aws_resource_tags" {
enabled = true
exclude = ["aws_autoscaling_group"]
required = ["Environment"]
values = {
Department = ["finance", "hr", "payments", "engineering"]
Environment = ["sandbox", "staging", "production"]
}
}

provider "aws" {
...
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
...
# ...

Ensure that code samples are valid

default_tags {
tags = { Environment = "sandbox" }
}
}

resource "aws_s3_bucket" "bucket" {
...
tags = { Project: "homepage", Department: "science" }
}
```

```
$ tflint
1 issue(s) found:

Notice: aws_s3_bucket.bucket Received 'science' for tag 'Department', expected one of 'finance,hr,payments,engineering'.

on test.tf line 3:
3: tags = { Project: "homepage", Department = "science" }
```

## Why

Enforce standard tag values across all resources.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Enforce standard tag values across all resources.
Organizations commonly use conventional AWS tags to track resources, such as `Environment`, `Department`, or `Service`. Example AWS features that depend on having a well-known set of tags include:
* [Cost allocation](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/cost-alloc-tags.html)
* [ABAC](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_attribute-based-access-control.html)

Make sure Why tells the user why they should care about enforcing this and doesn't just restate the rule description.


## How To Fix

Align the provider, resource or autoscaling group tags to the configured expectation.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Align the provider, resource or autoscaling group tags to the configured expectation.
Set the required tag keys/values, either as `default_tags` on the `provider` or as `tags` on the resource itself.

6 changes: 3 additions & 3 deletions integration/cty-based-eval/.tflint.hcl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ plugin "aws" {
enabled = true
}

rule "aws_resource_missing_tags" {
enabled = true
tags = ["Environment", "Name", "Type"]
rule "aws_resource_tags" {
enabled = true
required = ["Environment", "Name", "Type"]
}
6 changes: 3 additions & 3 deletions integration/cty-based-eval/result.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,11 +2,11 @@
"issues": [
{
"rule": {
"name": "aws_resource_missing_tags",
"name": "aws_resource_tags",
"severity": "info",
"link": "https://github.com/terraform-linters/tflint-ruleset-aws/blob/v0.32.0/docs/rules/aws_resource_missing_tags.md"
"link": "https://github.com/terraform-linters/tflint-ruleset-aws/blob/v0.32.0/docs/rules/aws_resource_tags.md"
},
"message": "The resource is missing the following tags: \"Environment\", \"Name\", \"Type\".",
"message": "Tag 'Environment' is required. Tag 'Name' is required. Tag 'Type' is required.",
"range": {
"filename": "template.tf",
"start": {
Expand Down
6 changes: 3 additions & 3 deletions integration/map-attribute/.tflint.hcl
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ plugin "aws" {
enabled = true
}

rule "aws_resource_missing_tags" {
enabled = true
tags = ["Environment", "Name", "Type"]
rule "aws_resource_tags" {
enabled = true
required = ["Environment", "Name", "Type"]
}
6 changes: 3 additions & 3 deletions integration/map-attribute/result.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,11 +2,11 @@
"issues": [
{
"rule": {
"name": "aws_resource_missing_tags",
"name": "aws_resource_tags",
"severity": "info",
"link": "https://github.com/terraform-linters/tflint-ruleset-aws/blob/v0.32.0/docs/rules/aws_resource_missing_tags.md"
"link": "https://github.com/terraform-linters/tflint-ruleset-aws/blob/v0.32.0/docs/rules/aws_resource_tags.md"
},
"message": "The resource is missing the following tags: \"Environment\", \"Name\", \"Type\".",
"message": "Tag 'Environment' is required. Tag 'Name' is required. Tag 'Type' is required.",
"range": {
"filename": "template.tf",
"start": {
Expand Down
Loading
Loading