Tagging checking issue!

I have the following code that is working properly to check a tag with tag_regex:

import "tfplan-functions" as plan
import "azure-functions" as azure

allAzureResourcesWithStandardTags = azure.find_resources_with_standard_tags([
  "azurerm_windows_virtual_machine",
])

violatingAzureResources = plan.filter_attribute_not_in_list(
  allAzureResourcesWithStandardTags,
  "tags.environment",
  "^[a-zA-Z0-9]+$",
  true,
)

main = rule {
  length(violatingAzureResources["messages"]) is 0
}

And here are the tags from azurerm_windows_virtual_machine:

tags = {
  backup      = "example"
  environment = "D3@$v"
}

When the policy runs, it can catch the error in “environment” as below:

Print messages:

azurerm_windows_virtual_machine.windowsvm has tags.environment with value: "D3@$v" 
 that is not in the allowed list:  ^[a-zA-Z0-9]+$

./tag-regex.sentinel:15:1 - Rule "main"
  Value:
    false

The problem is, I also want to check “tags.backup” as well, but I don’t know where to add it within the code. I’ve tried so many ways already!
Please help!

Hi! Welcome to the forum - please reformat your message.

@jaesukdo1986 take a look at the following example:

In your case you should be able to expand the scope of the mandatory_tags parameter to include backup.

param mandatory_tags default ["environment", "backup"]

So, how can I make sure that the tags environment or backup comply with the regex:

 "^[a-zA-Z0-9]+$" ?

Hi @jaesukdo1986. To perform regex assertions you can use the matches operator.

Actually, the below can work properly:

violatingAzureResources = plan.filter_attribute_not_in_list(
  allAzureResourcesWithStandardTags,
  "tags.environment",
  "^[a-zA-Z0-9]+$",
  true,
)

But I need to add “tags.backup” too, and there is no option like “tags.environment | tags.backup” or “tags.environment|backup” to do the check.

The filter_attribute_not_in_list function, found here, accepts a single attribute and checks it against a list of values.

Therefore you should be using it like so:

violatingAzureResources = plan.filter_attribute_not_in_list(
  allAzureResourcesWithStandardTags,
  "tags",
  ["environment", "backup"],
  true,
)

The docs are outlined here.

The one you provided:

violatingAzureResources = plan.filter_attribute_not_in_list(
  allAzureResourcesWithStandardTags,
  "tags",
  ["environment", "backup"],
  true,
)

That only checks whether the tags have “environment” and “backup”.
If so, the policy will pass. Otherwise, the policy will fail!
There is no mention of the tags.environment or tags.backup value being checked with the regex

 ("^[a-zA-Z0-9]+$")

My question is how to check the “tags.environment” and “tags.backup” values with the regex

("^[a-zA-Z0-9]+$")

because I can only run a regex check on tags.environment or tags.backup, not on both!
Here is the tags sample:

tags = {
  backup      = "example"
  environment = "D3@$v"
}

@jaesukdo1986 have you tried using some of the other functions that are in the library? Since you are using a regular expression, you may be better off using plan.filter_attribute_does_not_match_regex instead.


I was able to find the solution for it!
I needed to double the block:

violatingAzureResources = plan.filter_attribute_not_in_list(
  allAzureResourcesWithStandardTags,
  "tags.environment",
  "^[a-zA-Z0-9]+$",
  true,
)

and another one pointing to “tags.backup”.
And of course, thanks for your recommendation to use “plan.filter_attribute_does_not_match_regex”;
without it, I cannot make it work properly!
Thank you again!
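Putting the two replies above together (the recommendation to use plan.filter_attribute_does_not_match_regex, and the "double the block" approach of running one check per tag key), the following is an added example written for this page; it is not code from the thread or from the tfplan-functions library. It assumes the library's filter_attribute_does_not_match_regex(resources, attr, expr, prtmsg) function returns a map with a "messages" key indexed by resource address, as the other filter functions on this page do, and it generalizes the two hard-coded blocks into a loop over a parameter list so that adding a third tag key means editing one line. The tag keys and the regex are exposed as params (names chosen here, not from the thread) so the same policy can be reused across policy sets.

```sentinel
import "tfplan-functions" as plan
import "azure-functions" as azure

# Tag keys whose values must match tag_regex.
# Both param names are assumptions of this example, not from the thread.
param mandatory_tags default ["environment", "backup"]
param tag_regex default "^[a-zA-Z0-9]+$"

allAzureResourcesWithStandardTags = azure.find_resources_with_standard_tags([
  "azurerm_windows_virtual_machine",
])

# Run the regex filter once per tag key and merge every violation into one
# map, keyed by "<resource address>:<tag key>" so a resource that fails
# on several tags is reported for each of them.
violations = {}
for mandatory_tags as key {
  result = plan.filter_attribute_does_not_match_regex(
    allAzureResourcesWithStandardTags,
    "tags." + key,
    tag_regex,
    true,
  )
  for result["messages"] as address, message {
    violations[address + ":" + key] = message
  }
}

# Pass only when no tag value on any resource failed the regex.
main = rule {
  length(violations) is 0
}
```

With the tags shown earlier in the thread (backup = "example", environment = "D3@$v"), the loop reports a violation for environment only, because "D3@$v" contains characters outside [a-zA-Z0-9]. This policy checks tag values, not tag presence: whether a key exists at all should still be covered by the mandatory_tags presence check from the earlier reply, since a regex filter only evaluates whatever value the library resolves for an attribute that is missing.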