jmassardo · February 19, 2021 17:07
diff --git a/TerraformRequiredTags.rego b/TerraformRequiredTags.rego
 package terraform

 import input as tfplan

 # define mandatory tags as a set rather than array (then we can use set arithmetic below)
 mandatory_tags := {
  "ApplicationName",
  "Environment",
  "Owner",
 }

 deny[{"msg": msg}] {
  # pick out our resource (will need a loop if there are multiple resources)
  resource := tfplan.resource_changes[_]
  
  # build a set of tags on the resource
  # This picks out the tag name without the value so we can compare tags to tags
  resource_tags := {t | some t; resource.change.after.tags[t]}
  
  # subtract the resource tags from the set of mandatory tags to find the missing tags 
  missing_tags := mandatory_tags - resource_tags
  
  # check if there are any missing tags
  # This is the actual trigger for the rule
  count(missing_tags) > 0
  
  msg := sprintf("resource %v is missing tags:", [resource.address, missing_tags])
 }
	package terraform

	import input as tfplan

	# define mandatory tags as a set rather than array (then we can use set arithmetic below)
	mandatory_tags := {
	"ApplicationName",
	"Environment",
	"Owner",
	}

	deny[{"msg": msg}] {
	# pick out our resource (will need a loop if there are multiple resources)
	resource := tfplan.resource_changes[_]

	# build a set of tags on the resource
	# This picks out the tag name without the value so we can compare tags to tags
	resource_tags := {t \| some t; resource.change.after.tags[t]}

	# subtract the resource tags from the set of mandatory tags to find the missing tags
	missing_tags := mandatory_tags - resource_tags

	# check if there are any missing tags
	# This is the actual trigger for the rule
	count(missing_tags) > 0

	msg := sprintf("resource %v is missing tags:", [resource.address, missing_tags])
	}
No results found