turbot/aws_tags

Control: ElastiCache clusters should not have prohibited tags

Description

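Checks whether any ElastiCache cluster has a tag whose key is in the prohibited list. Only tag keys are compared, and the match is exact and case-sensitive.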

Usage

steampipe check aws_tags.control.elasticache_cluster_prohibited

Plugins & Tables

Params

Args | Name | Default | Description
$1 | prohibited_tags | array['Password','Key'] |

SQL

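-- Control: report every ElastiCache cluster and raise an alarm for those that
-- carry a tag whose key is in the prohibited list. The list is the first bind
-- parameter (prohibited_tags, text[]; the page's default is
-- array['Password','Key']).
--
-- Scope of the check, for anyone relying on it to keep secrets out of tags:
--   * only tag KEYS are compared; tag values are never inspected;
--   * the comparison is exact and case-sensitive, so a key that differs in
--     case, or that merely contains a listed word, is reported only if that
--     exact spelling is in the parameter.
with analysis as (
    -- One row per cluster that has at least one prohibited tag key.
    -- Clusters without a match (including those with null tags) yield no row.
    select
        c.arn,
        -- Sorted so the reason text is stable from run to run.
        array_agg(k order by k) as prohibited_tags
    from
        aws_elasticache_cluster as c
        cross join lateral jsonb_object_keys(c.tags) as k
    where
        -- Membership test instead of a cross join against the unnested list:
        -- a key listed twice in the parameter is still reported once.
        k = any($1::text[])
    group by
        c.arn
)
select
    r.arn as resource,
    case
        -- A matching analysis row exists only when a prohibited key was found.
        when a.arn is not null then 'alarm'
        else 'ok'
    end as status,
    case
        when a.arn is not null then r.title || ' has prohibited tags: ' || array_to_string(a.prohibited_tags, ', ') || '.'
        else r.title || ' has no prohibited tags.'
    end as reason,
    r.region,
    r.account_id
from
    aws_elasticache_cluster as r
    -- Left join keeps exactly one row per cluster and cannot emit a row whose
    -- resource is null, which a full outer join allows for an unmatched
    -- analysis row.
    left join analysis as a on a.arn = r.arn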