turbot/aws_tags

Control: VPC VPN connections should have appropriate tag values

Description

Check if VPC VPN connections have appropriate tag values.

Usage

Run the control in your terminal:

powerpipe control run aws_tags.control.vpc_vpn_connection_expected_tag_values

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_tags.control.vpc_vpn_connection_expected_tag_values --share

Steampipe Tables

Params

| Args | Name | Default | Description | Variable |
|------|------|---------|-------------|----------|
| $1 | expected_tag_values | {"Environment":["Dev","Staging","Prod"]} | | |

SQL

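-- Control query: report whether each VPC VPN connection's tag values match the
-- expected values supplied in $1, a JSON object mapping a tag key to an array
-- of allowed values, e.g. {"Environment":["Dev","Staging","Prod"]}.
-- Output columns: resource, status ('ok' | 'alarm' | 'skip'), reason, region,
-- account_id.
--
-- Review notes:
--   * Expected values are compared with LIKE, so '%' and '_' inside an expected
--     value act as wildcards; a broad pattern such as '%' accepts any value.
--   * A tag key that is absent from the resource produces a NULL comparison,
--     which bool_and() ignores. The control therefore does not alarm on a
--     missing expected tag key; resources carrying none of the expected keys
--     are reported as 'skip'. Pair it with a mandatory-tag check if presence
--     of the tag matters.
--   * The three branches of the union are meant to be mutually exclusive, so
--     that each resource is reported once. The tag filters below use AND for
--     that reason: with OR, empty-tagged resources were reported twice and
--     every tagged resource received an extra 'skip' row.
with raw_data as (
  -- One row per (resource, expected tag key); resources without tags are
  -- handled by the second union branch instead.
  select
    arn,
    title,
    tags,
    row_to_json(json_each($1)) as expected_tag_values,
    region,
    account_id,
    _ctx
  from
    aws_vpc_vpn_connection
  where
    tags is not null
    and tags :: text != '{}'
),
exploded_expected_tag_values as (
  -- One row per (resource, expected tag key, expected value).
  select
    arn,
    title,
    expected_tag_values ->> 'key' as tag_key,
    jsonb_array_elements_text((expected_tag_values ->> 'value') :: jsonb) as expected_values,
    -- NULL when the resource does not carry this tag key.
    tags ->> (expected_tag_values ->> 'key') as current_value,
    region,
    account_id,
    _ctx
  from
    raw_data
),
analysis as (
  select
    arn,
    title,
    -- The expected value is the LIKE pattern; NULL when the tag key is absent.
    current_value like expected_values as has_appropriate_value,
    case
      when current_value is null then true
      else false
    end as has_no_matching_tags,
    tag_key,
    current_value,
    region,
    account_id,
    _ctx
  from
    exploded_expected_tag_values
),
status_by_tag as (
  -- Collapse the expected values: a tag key passes if any expected value matches.
  select
    arn,
    title,
    bool_or(has_appropriate_value) as status,
    tag_key,
    case
      when bool_or(has_appropriate_value) then ''
      else tag_key
    end as reason,
    bool_or(has_no_matching_tags) as can_skip,
    current_value,
    region,
    account_id,
    _ctx
  from
    analysis
  group by
    arn,
    title,
    tag_key,
    current_value,
    region,
    account_id,
    _ctx
)
-- Branch 1: resources with tags, evaluated against the expected values.
select
  arn as resource,
  case
    when bool_and(can_skip) then 'skip'
    when bool_and(status) then 'ok'
    else 'alarm'
  end as status,
  case
    when bool_and(can_skip) then title || ' has no matching tag keys.'
    when bool_and(status) then title || ' has expected tag values for tags: ' || array_to_string(
      array_agg(tag_key) filter (where status),
      ', '
    ) || '.'
    else title || ' has unexpected tag values for tags: ' || array_to_string(
      array_agg(tag_key) filter (where not status),
      ', '
    ) || '.'
  end as reason,
  region,
  account_id
from
  status_by_tag
group by
  arn,
  title,
  region,
  account_id,
  _ctx
union all
-- Branch 2: resources with no tags at all.
select
  arn as resource,
  'skip' as status,
  title || ' has no tags.' as reason,
  region,
  account_id
from
  aws_vpc_vpn_connection
where
  tags is null
  or tags = '{}'
union all
-- Branch 3: tagged resources when no expected tag values are configured.
-- Every condition must hold, otherwise this row is emitted for each tagged
-- resource regardless of the configured expected values.
select
  arn as resource,
  'skip' as status,
  title || ' has tags but no expected tag values are set.' as reason,
  region,
  account_id
from
  aws_vpc_vpn_connection
where
  $1 :: text = '{}'
  and tags is not null
  and tags :: text != '{}';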