Tagging checking issue!

i have the following code that is working properly to check tag with tag_regex:

import "tfplan-functions" as plan
import "azure-functions" as azure

allAzureResourcesWithStandardTags = azure.find_resources_with_standard_tags([
  "azurerm_windows_virtual_machine",
])

violatingAzureResources = plan.filter_attribute_not_in_list(
  allAzureResourcesWithStandardTags,
  "tags.environment" ,
  "^[a-zA-Z0-9]+$",
  true,
)

main = rule {
  length(violatingAzureResources["messages"]) is 0
}

and here is the tag from azurerm_windows_virtual_machine:

tags = {
    backup = "example"
    environment = "D3@$v"
  }

when the policy run it can check the error in “environment” as below

Print messages:

azurerm_windows_virtual_machine.windowsvm has tags.environment with value: "D3@$v" 
 that is not in the allowed list:  ^[a-zA-Z0-9]+$

./tag-regex.sentinel:15:1 - Rule "main"
  Value:
    false

The problem is, i also want to check the “tags.backup” as well. But don’t know where to add it within the code to check for! Since i’ve tried so many ways already !
please help!

Hi! Welcome to the forum - please reformat your message

@jaesukdo1986 take a look at the following example:

In your case you should be able to expand the scope of the mandatory_tags parameter to include backup.

param mandatory_tags default ["environment", "backup"]

So, how can i make sure that the tags environment or backup can be compliance with the regex:

 "^[a-zA-Z0-9]+$" ?

Hi @jaesukdo1986. To perform regex assertions you can use the matches operator.

Actually, the below can work properly:

violatingAzureResources = plan.filter_attribute_not_in_list(
  allAzureResourcesWithStandardTags,
  "tags.environment" ,
  "^[a-zA-Z0-9]+$",
  true,
)

But, i need to add the “tags.backup” but there is no option as: “tags.environment | tags.backup” or “tags.environment|backup” to do the check.

The filter_attribute_not_in_list function, found here, accepts a single attribute and against a list of values.

Therefore you should be using it like so:

violatingAzureResources = plan.filter_attribute_not_in_list(
  allAzureResourcesWithStandardTags,
  "tags" ,
  ["environment", "backup"],
  true,
)

The docs are outlined here.

the one you provided :

violatingAzureResources = plan.filter_attribute_not_in_list(
  allAzureResourcesWithStandardTags,
  "tags" ,
  ["environment", "backup"],
  true,
)

that is only check if the tags has “environment” and “backup”
if it so, the policy will pass. Otherwise, the policy will be failed!
Not any mention about the tags.environment or tags. backup value that can be checked with regex

 ("^[a-zA-Z0-9]+$")

my question is how to check the “tags.environment and tags.backup” value with the regex

("^[a-zA-Z0-9]+$")

because i can only run a check that is tags.environment or tags.backup with regex only. Not with both!
here is the tags sample:

tags = {
    backup = "example"
    environment = "D3@$v"
  }

@jaesukdo1986 have you tried using some of the other functions that are in the library? Since you are using a regular expression, you may be better off using plan.filter_attribute_does_not_match_regex instead.

i can find out the solution for it!
need to double the block :
violatingAzureResources = plan.filter_attribute_not_in_list(
allAzureResourcesWithStandardTags,
“tags.environment” ,
“^[1]+$”,
true,
)
another is point to “tags.backup”
and of course, thanks for your recommendation to use “plan.filter_attribute_does_not_match_regex”
without it, i can not make it work properly!
thank you again!

1. a-zA-Z0-9 ↩︎