Add Resource Tags rule #639
Conversation
marckysharky
force-pushed
the
invalid-tags-rule
branch
2 times, most recently
from
526d22f
to
e39d0a0
Compare
|
Intuitively, this is a superset of the aws_resource_missing_tags rule, so it seems to make sense to extend it. What do you think? |
|
@wata727 what are you referring to? |
|
If nothing else I would agree that it doesn't make sense to have one rule to require tag keys and a separate one for tag values. Seems like they should be consolidated into rule "aws_resource_tags" {
required = ["Foo"]
values = {
Foo = ["Bar"]
Baz = ["Qux"] # optional
}
} |
|
If we're happy to implement a single rule to provide both features for tags I would extend upon @bendrucker's comment above and propose the following: rule "aws_resource_tags" {
rules = {
Foo = { values: ["Bar"], required: true },
Baz = { values: ["Qux"] }, # not required by default
}
}The AWS Docs specify some hard restrictions on the tags which could be configured with an additionally adjusted DSL: rule "aws_resource_tags" {
tags_max_count = 10, # default value from doc
key_max_length = 32, # default value from doc
value_max_length = 128, # default value from doc
character_allow_list = ["+", "-", "="], # default value from doc
rules = {
Foo = { allowed_prefixes = ["foo:"] }, # support per-tag value prefix matching
Baz = { allowed_characters = ["+", "-"] }, # support per-tag restriction of valid characters
Xar = { max_length = 3 }, # support per-tag character length restriction
}
}NOTE: I am not suggesting the future implementation in this PR, just the former to meet the existing and proposed functionality:
|
|
I don't expect we'll ever pursue all these knobs around allowed characters, length, etc. We don't need to create space for that at the expense of straightforward cases. It's an option, but we shouldn't be creating an awkward API with the expectation of extending it substantially. A good practical goal here would be to support an |
marckysharky
force-pushed
the
invalid-tags-rule
branch
from
30f3297
to
fd7235a
Compare
|
Updated MR to merge the tag concepts of required and value validation into a single |
|
The |
There was a problem hiding this comment.
The aws_resource_missing_tags rule cannot be removed without warning
Yep, this would be a breaking change which we'd want to defer for a bit.
There isn't a straightforward way to deprecate a rule, arguably that's something we should work on. Rules have no readily accessible way to write to the CLI's stdout since logs are suppressed by default without a value for TFLINT_LOG.
Logging a warning seems like your only option for now.
| @@ -0,0 +1,47 @@ | |||
| # aws_resource_tags | |||
|
|
|||
| Rule for resources tag presence and value validation from prefixed list. | |||
There was a problem hiding this comment.
| Rule for resources tag presence and value validation from prefixed list. | |
| Enforce required tag keys and restrict tag values. |
"Prefixed" connotes a string prefix whereas I'm pretty sure you just mean fixed/exact.
| } | ||
|
|
||
| provider "aws" { | ||
| ... |
There was a problem hiding this comment.
| ... | |
| # ... |
Ensure that code samples are valid
|
|
||
| ## Why | ||
|
|
||
| Enforce standard tag values across all resources. |
There was a problem hiding this comment.
| Enforce standard tag values across all resources. | |
| Organizations commonly use conventional AWS tags to track resources, such as `Environment`, `Department`, or `Service`. Example AWS features that depend on having a well-known set of tags include: | |
| * [Cost allocation](https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/cost-alloc-tags.html) | |
| * [ABAC](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_attribute-based-access-control.html) |
Make sure Why tells the user why they should care about enforcing this and doesn't just restate the rule description.
|
|
||
| ## How To Fix | ||
|
|
||
| Align the provider, resource or autoscaling group tags to the configured expectation. |
There was a problem hiding this comment.
| Align the provider, resource or autoscaling group tags to the configured expectation. | |
| Set the required tag keys/values, either as `default_tags` on the `provider` or as `tags` on the resource itself. |
| return keys, true | ||
| } | ||
| return keys, !value.ForEachElement(func(key, _ cty.Value) bool { | ||
| // If any key is unknown or sensitive, return early as any missing tag could be this unknown key. |
There was a problem hiding this comment.
| // If any key is unknown or sensitive, return early as any missing tag could be this unknown key. | |
| // If any key is unknown or sensitive, return early as any missing keys could be this unknown key. |
| }) | ||
| } | ||
|
|
||
| func stringInSlice(a string, list []string) bool { |
There was a problem hiding this comment.
| return tags, true | ||
| } | ||
|
|
||
| return tags, !value.ForEachElement(func(key, value cty.Value) bool { |
There was a problem hiding this comment.
This still has a lot of references to tags
Good point, I've opened an issue in the SDK to track this terraform-linters/tflint-plugin-sdk#331 |
Add
aws_resource_tagsrule to support enforcing of specific values for the given tag keys.Subsumes the existing
aws_resource_missing_tagsrule.