add all the resource that can be tagged in aws #328

Open
wants to merge 1 commit into
base: master
132 changes: 129 additions & 3 deletions governance/third-generation/aws/enforce-mandatory-tags.sentinel
Expand Up @@ -11,15 +11,141 @@ import "aws-functions" as aws

# List of resources that are required to have name/value tags
param resource_types default [
"aws_s3_bucket",
"aws_instance",
"aws_s3_bucket","aws_instance","aws_acm_certificate","aws_api_gateway_api_key","aws_api_gateway_client_certificate","aws_api_gateway_domain_name","aws_api_gateway_rest_api","aws_api_gateway_vpc_link","aws_apigatewayv2_api","aws_apigatewayv2_stage","aws_apigatewayv2_vpc_link",
"aws_amplify_app","aws_amplify_branch",
"aws_appmesh_gateway_route","aws_appmesh_mesh","aws_appmesh_route","aws_appmesh_virtual_gateway","aws_appmesh_virtual_node","aws_appmesh_virtual_router","aws_appmesh_virtual_service",
"aws_apprunner_auto_scaling_configuration_version","aws_apprunner_connection","aws_apprunner_observability_configuration","aws_apprunner_observability_configuration","aws_apprunner_vpc_connector",
"aws_appconfig_application","aws_appconfig_configuration_profile","aws_appconfig_deployment","aws_appconfig_deployment_strategy","aws_appconfig_environment","aws_appflow_flow",
"aws_appintegrations_event_integration",
"aws_appstream_fleet","aws_appstream_image_builder","aws_appstream_stack","aws_appsync_graphql_api",
"aws_athena_data_catalog","aws_athena_workgroup",
"aws_autoscaling_group",
"aws_backup_plan","aws_backup_report_plan","aws_backup_vault",
"aws_batch_compute_environment","aws_batch_job_definition","aws_batch_job_queue","aws_batch_scheduling_policy",
"aws_ce_anomaly_monitor","aws_ce_cost_category",
"aws_service_discovery_http_namespace","aws_service_discovery_private_dns_namespace","aws_service_discovery_service",
"aws_cloud9_environment_ec2","aws_cloudformation_stack","aws_cloudformation_stack_set",
"aws_cloudfront_distribution",
"aws_cloudhsm_v2_cluster",
"aws_cloudtrail",
"aws_cloudwatch_composite_alarm","aws_cloudwatch_metric_alarm","aws_cloudwatch_metric_stream","aws_applicationinsights_application","aws_cloudwatch_log_group",
"aws_rum_app_monitor",
"aws_codeartifact_domain","aws_codeartifact_repository",
"aws_codebuild_project","aws_codebuild_report_group","aws_codecommit_repository",
"aws_codedeploy_app","aws_codedeploy_deployment_group",
"aws_codepipeline","aws_codepipeline_webhook",
"aws_codestarconnections_connection",
"aws_codestarnotifications_notification_rule",
"aws_cognito_user_pool","aws_cognito_identity_pool",
"aws_comprehend_entity_recognizer",
"aws_config_aggregate_authorization","aws_config_config_rule","aws_config_configuration_aggregator",
"aws_connect_contact_flow","aws_connect_contact_flow_module","aws_connect_hours_of_operation","aws_connect_queue","aws_connect_routing_profile","aws_connect_security_profile","aws_connect_user_hierarchy_group","aws_connect_vocabulary",
"aws_dlm_lifecycle_policy",
"aws_dms_certificate","aws_dms_endpoint","aws_dms_event_subscription","aws_dms_replication_instance","aws_dms_replication_subnet_group","aws_dms_replication_task",
"aws_directory_service_directory","aws_directory_service_region",
"aws_dataexchange_data_set","aws_dataexchange_revision",
"aws_datapipeline_pipeline",
"aws_datasync_agent","aws_datasync_location_efs","aws_datasync_location_fsx_lustre_file_system","aws_datasync_location_fsx_openzfs_file_system","aws_datasync_location_fsx_windows_file_system","aws_datasync_location_hdfs","aws_datasync_location_nfs","aws_datasync_location_s3","aws_datasync_location_smb","aws_datasync_task",
"aws_detective_graph",
"aws_devicefarm_device_pool","aws_devicefarm_instance_profile","aws_devicefarm_network_profile","aws_devicefarm_project","aws_devicefarm_test_grid_project",
"aws_dx_connection","aws_dx_hosted_private_virtual_interface_accepter","aws_dx_hosted_public_virtual_interface_accepter","aws_dx_hosted_transit_virtual_interface_accepter","aws_dx_private_virtual_interface","aws_dx_public_virtual_interface","aws_dx_transit_virtual_interface",
"aws_docdb_cluster","aws_docdb_cluster_instance","aws_docdb_cluster_parameter_group","aws_docdb_event_subscription","aws_docdb_subnet_group",
"aws_dynamodb_table","aws_dynamodb_table_replica","aws_dax_cluster",
"aws_ebs_snapshot","aws_ebs_snapshot_copy","aws_ebs_snapshot_import","aws_ebs_volume",
"aws_ami","aws_ami_copy","aws_ami_from_instance","aws_ec2_capacity_reservation","aws_ec2_fleet","aws_ec2_host","aws_eip","aws_instance","aws_key_pair","aws_launch_template","aws_placement_group","aws_spot_fleet_request","aws_spot_instance_request",
"aws_imagebuilder_component","aws_imagebuilder_container_recipe","aws_imagebuilder_distribution_configuration","aws_imagebuilder_image","aws_imagebuilder_image_pipeline","aws_imagebuilder_image_recipe","aws_imagebuilder_infrastructure_configuration",
"aws_ecr_repository","aws_ecrpublic_repository",
"aws_ecs_capacity_provider","aws_ecs_task_definition","aws_ecs_task_set",
"aws_efs_access_point","aws_efs_file_system",
"aws_eks_cluster","aws_eks_fargate_profile","aws_eks_identity_provider_config","aws_eks_node_group",
"aws_lb",
"aws_emr_cluster","aws_emr_studio","aws_emrcontainers_virtual_cluster","aws_emrserverless_application",
"aws_elasticache_cluster","aws_elasticache_parameter_group","aws_elasticache_subnet_group",
"aws_elastic_beanstalk_application","aws_elastic_beanstalk_application_version","aws_elastic_beanstalk_environment",
"aws_elasticsearch_domain",
"aws_media_convert_queue",
"aws_medialive_input","aws_medialive_input_security_group","aws_medialive_multiplex",
"aws_media_package_channel","aws_media_store_container",
"aws_cloudwatch_event_bus","aws_cloudwatch_event_rule",
"aws_schemas_discoverer","aws_schemas_registry","aws_schemas_schema"
"aws_fis_experiment_template",
"aws_fms_policy",
"aws_fsx_backup","aws_fsx_data_repository_association","aws_fsx_lustre_file_system","aws_fsx_ontap_file_system","aws_fsx_ontap_storage_virtual_machine","aws_fsx_ontap_volume","aws_fsx_openzfs_file_system","aws_fsx_openzfs_snapshot","aws_fsx_openzfs_volume",
"aws_gamelift_alias","aws_gamelift_build","aws_gamelift_fleet","aws_gamelift_game_server_group","aws_gamelift_game_session_queue","aws_gamelift_script",
"aws_globalaccelerator_accelerator",
"aws_glue_connection","aws_glue_crawler","aws_glue_dev_endpoint","aws_glue_job","aws_glue_registry","aws_glue_schema","aws_glue_trigger","aws_glue_workflow",
"aws_guardduty_detector","aws_guardduty_filter","aws_guardduty_ipset","aws_guardduty_threatintelset",
"aws_iam_instance_profile","aws_iam_openid_connect_provider","aws_iam_policy","aws_iam_role","aws_iam_saml_provider","aws_iam_service_linked_role","aws_iam_user",
"aws_accessanalyzer_analyzer",
"aws_inspector_assessment_template",
"aws_inspector_resource_group",
"aws_iot_provisioning_template","aws_iot_thing_group","aws_iot_thing_type",
"aws_kms_external_key","aws_kms_key","aws_kms_replica_external_key","aws_kms_replica_key",
"aws_kendra_data_source","aws_kendra_faq","aws_kendra_index","aws_kendra_query_suggestions_block_list","aws_kendra_thesaurus",
"aws_keyspaces_keyspace","aws_keyspaces_table",
"aws_kinesis_stream","aws_kinesis_analytics_application","aws_kinesisanalyticsv2_application","aws_kinesis_firehose_delivery_stream","aws_kinesis_video_stream",
"aws_lambda_function",
"aws_licensemanager_license_configuration",
"aws_lightsail_container_service","aws_lightsail_database","aws_lightsail_instance",
"aws_location_geofence_collection","aws_location_map","aws_location_place_index","aws_location_route_calculator","aws_location_tracker",
"aws_mq_broker","aws_mq_configuration",
"aws_mwaa_environment",
"aws_macie2_classification_job","aws_macie2_custom_data_identifier","aws_macie2_findings_filter","aws_macie2_member",
"aws_grafana_workspace",
"aws_msk_cluster",
"aws_memorydb_acl","aws_memorydb_cluster","aws_memorydb_parameter_group","aws_memorydb_snapshot","aws_memorydb_subnet_group","aws_memorydb_user",
"aws_neptune_cluster","aws_neptune_cluster_endpoint","aws_neptune_cluster_instance","aws_neptune_cluster_parameter_group","aws_neptune_event_subscription","aws_neptune_parameter_group","aws_neptune_subnet_group",
"aws_networkfirewall_firewall","aws_networkfirewall_firewall_policy","aws_networkfirewall_rule_group",
"aws_networkmanager_connection","aws_networkmanager_device","aws_networkmanager_global_network","aws_networkmanager_link","aws_networkmanager_site","aws_networkmanager_transit_gateway_peering","aws_networkmanager_transit_gateway_route_table_attachment","aws_networkmanager_vpc_attachment",
"aws_opensearch_domain",
"aws_opsworks_custom_layer","aws_opsworks_ecs_cluster_layer","aws_opsworks_ganglia_layer","aws_opsworks_haproxy_layer","aws_opsworks_java_app_layer","aws_opsworks_memcached_layer","aws_opsworks_mysql_layer","aws_opsworks_nodejs_app_layer","aws_opsworks_php_app_layer","aws_opsworks_rails_app_layer","aws_opsworks_stack","aws_opsworks_static_web_layer",
"aws_quicksight_data_source",
"aws_ram_resource_share",
"aws_db_cluster_snapshot","aws_db_event_subscription","aws_db_instance","aws_db_option_group","aws_db_parameter_group","aws_db_proxy","aws_db_proxy_endpoint","aws_db_security_group","aws_db_snapshot","aws_db_snapshot_copy","aws_db_subnet_group","aws_rds_cluster","aws_rds_cluster_endpoint","aws_rds_cluster_instance","aws_rds_cluster_parameter_group",
"aws_redshift_cluster","aws_redshift_event_subscription","aws_redshift_hsm_client_certificate","aws_redshift_hsm_configuration","aws_redshift_parameter_group","aws_redshift_snapshot_copy_grant","aws_redshift_snapshot_schedule","aws_redshift_subnet_group","aws_redshift_usage_limit",
"aws_redshiftserverless_namespace","aws_redshiftserverless_workgroup",
"aws_resourcegroups_group",
"aws_rolesanywhere_profile","aws_rolesanywhere_trust_anchor",
"aws_route53_health_check",
"aws_route53domains_registered_domain",
"aws_route53recoveryreadiness_cell","aws_route53recoveryreadiness_readiness_check","aws_route53recoveryreadiness_recovery_group","aws_route53recoveryreadiness_resource_set",
"aws_route53_resolver_endpoint","aws_route53_resolver_firewall_domain_list","aws_route53_resolver_firewall_rule_group","aws_route53_resolver_firewall_rule_group_association","aws_route53_resolver_query_log_config","aws_route53_resolver_rule",
"aws_s3_bucket","aws_s3_bucket_analytics_configuration","aws_s3_bucket_intelligent_tiering_configuration","aws_s3_bucket_lifecycle_configuration","aws_s3_bucket_metric","aws_s3_bucket_object","aws_s3_bucket_replication_configuration","aws_s3_object","aws_s3_object_copy",
"aws_s3control_bucket","aws_s3control_bucket_lifecycle_configuration",
"aws_glacier_vault",
"aws_sfn_activity","aws_sfn_state_machine",
"aws_sns_topic",
"aws_sqs_queue",
"aws_ssm_activation","aws_ssm_document","aws_ssm_maintenance_window","aws_ssm_parameter","aws_ssm_patch_baseline",
"aws_ssoadmin_permission_set",
"aws_swf_domain","
"aws_sagemaker_app","aws_sagemaker_app_image_config","aws_sagemaker_code_repository","aws_sagemaker_device_fleet","aws_sagemaker_domain","aws_sagemaker_endpoint","aws_sagemaker_endpoint_configuration","aws_sagemaker_feature_group","aws_sagemaker_flow_definition","aws_sagemaker_human_task_ui","aws_sagemaker_image","aws_sagemaker_model","aws_sagemaker_model_package_group","aws_sagemaker_notebook_instance","aws_sagemaker_project","aws_sagemaker_studio_lifecycle_config","aws_sagemaker_user_profile","aws_sagemaker_workteam",
"aws_secretsmanager_secret",
"aws_serverlessapplicationrepository_cloudformation_stack",
"aws_servicecatalog_portfolio","aws_servicecatalog_product","aws_servicecatalog_provisioned_product",
"aws_shield_protection","aws_shield_protection_group"
"aws_signer_signing_profile",
"aws_storagegateway_cached_iscsi_volume","aws_storagegateway_file_system_association","aws_storagegateway_gateway","aws_storagegateway_nfs_file_share","aws_storagegateway_smb_file_share","aws_storagegateway_stored_iscsi_volume","aws_storagegateway_tape_pool"
"aws_timestreamwrite_database","aws_timestreamwrite_table",
"aws_transcribe_language_model","aws_transcribe_medical_vocabulary","aws_transcribe_vocabulary","aws_transcribe_vocabulary_filter",
"aws_transfer_server","aws_transfer_user","aws_transfer_workflow",
"aws_ec2_transit_gateway","aws_ec2_transit_gateway_connect","aws_ec2_transit_gateway_connect_peer","aws_ec2_transit_gateway_multicast_domain","aws_ec2_transit_gateway_peering_attachment","aws_ec2_transit_gateway_peering_attachment_accepter","aws_ec2_transit_gateway_policy_table","aws_ec2_transit_gateway_route_table","aws_ec2_transit_gateway_vpc_attachment","aws_ec2_transit_gateway_vpc_attachment_accepter",
"aws_default_network_acl","aws_default_route_table","aws_default_security_group","aws_default_vpc_dhcp_options","aws_ec2_managed_prefix_list","aws_ec2_network_insights_analysis","aws_ec2_network_insights_path","aws_ec2_traffic_mirror_filter","aws_ec2_traffic_mirror_session","aws_ec2_traffic_mirror_target","aws_egress_only_internet_gateway","aws_flow_log","aws_internet_gateway","aws_nat_gateway","aws_network_acl","aws_network_interface",",aws_route_table","aws_security_group","aws_subnet","aws_vpc","aws_vpc_dhcp_options","aws_vpc_endpoint","aws_vpc_endpoint_service","aws_vpc_peering_connection","aws_vpc_peering_connection_accepter",
"aws_vpc_ipam","aws_vpc_ipam_pool",
"aws_ec2_client_vpn_endpoint",
"aws_customer_gateway","aws_vpn_connection","aws_vpn_gateway",
"aws_wafv2_ip_set","aws_wafv2_regex_pattern_set","aws_wafv2_rule_group",aws_wafv2_web_acl",
"aws_wafregional_rate_based_rule","aws_wafregional_rule","aws_wafregional_rule_group","aws_wafregional_web_acl",
"aws_ec2_carrier_gateway",
"aws_workspaces_directory","aws_workspaces_ip_group","aws_workspaces_workspace",
"aws_xray_group","aws_appflow_flow"
]

# List of mandatory tags
# Note that the tags here are for internal HashiCorp usage
# You should assign your own tags in a "mandatory_tags" parameter in your policy set
# Or change the tags here in the policy.
param mandatory_tags default ["Name", "ttl", "owner", "se-region", "purpose", "terraform"]
param mandatory_tags default ["Billing","Owner","Environment","Application","Name"]

# Get all AWS Resources with standard tags
allAWSResourcesWithStandardTags =
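Review bot: The expanded `resource_types` list literal is not syntactically valid, so the policy would fail to parse and the mandatory-tag check would never evaluate: the trailing comma is missing after `"aws_schemas_schema"`, `"aws_shield_protection_group"` and `"aws_storagegateway_tape_pool"`, the `"aws_swf_domain","` line opens an unterminated string, the fragment `",aws_route_table"` in the VPC line breaks the network entries, and `aws_wafv2_web_acl"` lacks its opening quote. The list also repeats `"aws_instance"`, `"aws_s3_bucket"`, `"aws_apprunner_observability_configuration"` and `"aws_appflow_flow"`, which is harmless to evaluation but should be deduplicated since every entry is checked. Two `param mandatory_tags default [...]` lines now appear back to back; if the first one is not actually removed by this commit, the duplicate parameter declaration is likely to be rejected as well, and the new default silently changes which tags are enforced, so the comment above it about HashiCorp-internal tags should be updated to match. The `allAWSResourcesWithStandardTags =` assignment continues outside the hunk. The corrected lines are:

```sentinel
param resource_types default [
  # … unchanged: entries up to "aws_schemas_registry" …
  "aws_schemas_schema",
  # … unchanged: entries up to "aws_ssoadmin_permission_set" …
  "aws_swf_domain",
  # … unchanged: sagemaker / secretsmanager / servicecatalog entries …
  "aws_shield_protection","aws_shield_protection_group",
  # … unchanged: "aws_signer_signing_profile" and storagegateway entries …
  "aws_storagegateway_stored_iscsi_volume","aws_storagegateway_tape_pool",
  # … unchanged: timestream / transcribe / transfer / transit gateway entries …
  "aws_network_acl","aws_network_interface","aws_route_table","aws_security_group",
  # … unchanged: remaining VPC entries up to "aws_customer_gateway" line …
  "aws_wafv2_ip_set","aws_wafv2_regex_pattern_set","aws_wafv2_rule_group","aws_wafv2_web_acl",
  # … unchanged: remaining entries …
]
```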