Mods

turbot/aws_tags

GitHub
Overview
5Dashboards
350Controls
0Queries
6Variables
GitHub
On This Page
References
Documentation
Getting started
Advanced usage
Contributing
Get Involved
Edit on GitHub
Discuss on Slack
Source Code
turbot/steampipe-mod-aws-tags
License
Apache License 2.0
Version
v0.9

AWS Tags Mod

Run tagging controls across all your AWS accounts to look for untagged resources, missing tags, resources with too many tags, and more.

References

AWS provides on-demand cloud computing platforms and APIs to authenticated customers on a metered pay-as-you-go basis.

Steampipe is an open source CLI to instantly query cloud APIs using SQL.

Steampipe Mods are collections of named queries, and codified controls that can be used to test current configuration of your cloud resources against a desired configuration.

Documentation

Getting started

Installation

Download and install Steampipe (https://steampipe.io/downloads). Or use Brew:

brew tap turbot/tap
brew install steampipe

Install the AWS plugin with Steampipe:

steampipe plugin install aws

Clone:

git clone https://github.com/turbot/steampipe-mod-aws-tags.git
cd steampipe-mod-aws-tags

Usage

Start your dashboard server to get started:

steampipe dashboard

By default, the dashboard interface will then be launched in a new browser window at http://localhost:9194. From here, you can run benchmarks by selecting one or searching for a specific one.

Instead of running benchmarks in a dashboard, you can also run them within your terminal with the steampipe check command:

Run all benchmarks:

steampipe check all

Run a single benchmark:

steampipe check benchmark.untagged

Run a specific control:

steampipe check control.s3_bucket_untagged

Different output formats are also available, for more information please see Output Formats.

Credentials

This mod uses the credentials configured in the Steampipe AWS plugin.

Configuration

Several benchmarks have input variables that can be configured to better match your environment and requirements. Each variable has a default defined in its source file, e.g., controls/limit.sp, but these can be overriden in several ways:

  • Copy and rename the steampipe.spvars.example file to steampipe.spvars, and then modify the variable values inside that file
  • Pass in a value on the command line:
    steampipe check benchmark.mandatory --var 'mandatory_tags=["Application", "Environment", "Department", "Owner"]'
  • Set an environment variable:
    SP_VAR_mandatory_tags='["Application", "Environment", "Department", "Owner"]' steampipe check control.ec2_instance_mandatory
    • Note: When using environment variables, if the variable is defined in steampipe.spvars or passed in through the command line, either of those will take precedence over the environment variable value. For more information on variable definition precedence, please see the link below.

These are only some of the ways you can set variables. For a full list, please see Passing Input Variables.

Advanced usage

Remediation

Using the control output and the AWS CLI, you can remediate various tagging issues.

For instance, with the results of the ec2_instance_mandatory control, you can add missing tags with the AWS CLI:

#!/bin/bash


OLDIFS=$IFS
IFS='#'


INPUT=$(steampipe check control.ec2_instance_mandatory --var 'mandatory_tags=["Application"]' --output csv --header=false --separator '#' | grep 'alarm')
[ -z "$INPUT" ] && { echo "No instances in alarm, aborting"; exit 0; }


while read -r group_id title description control_id control_title control_description reason resource status account_id region
do
  aws resourcegroupstaggingapi tag-resources --region ${region} --resource-arn-list ${resource} --tags Application=MyApplication
done <<< "$INPUT"


IFS=$OLDIFS

To remove prohibited tags from EC2 instances:

#!/bin/bash


OLDIFS=$IFS
IFS='#'


INPUT=$(steampipe check control.ec2_instance_prohibited --var 'prohibited_tags=["Password"]' --output csv --header=false --separator '#' | grep 'alarm')
[ -z "$INPUT" ] && { echo "No instances in alarm, aborting"; exit 0; }


while read -r group_id title description control_id control_title control_description reason resource status account_id region
do
  aws resourcegroupstaggingapi untag-resources --region ${region} --resource-arn-list ${resource} --tag-keys Password
done <<< "$INPUT"


IFS=$OLDIFS

Common and Tag Dimensions

The benchmark queries use common properties (like account_id, connection_name and region) and tags that are defined in the form of a default list of strings in the mod.sp file. These properties can be overwritten in several ways:

  • Copy and rename the steampipe.spvars.example file to steampipe.spvars, and then modify the variable values inside that file

  • Pass in a value on the command line:

    steampipe check benchmark.limit --var 'common_dimensions=["account_id", "connection_name", "region"]'
    steampipe check benchmark.limit --var 'tag_dimensions=["Environment", "Owner"]'

  • Set an environment variable:

    SP_VAR_common_dimensions='["account_id", "connection_name", "region"]' steampipe check control.ebs_snapshot_tag_limit
    SP_VAR_tag_dimensions='["Environment", "Owner"]' steampipe check control.ebs_snapshot_tag_limit

Contributing

If you have an idea for additional controls or just want to help maintain and extend this mod (or others) we would love you to join the community and start contributing.

Please see the contribution guidelines and our code of conduct. All contributions are subject to the Apache 2.0 open source license.

Want to help but not sure where to start? Pick up one of the help wanted issues: