pulumi / pulumi-policy

Pulumi's Policy as Code SDK, CrossGuard. Define infrastructure checks in code to enforce security, compliance, cost, and other practices, enforced at deployment time.
https://www.pulumi.com/docs/guides/crossguard/
Apache License 2.0

Tagging Policy for ASG Not Enforced #283

Closed mark-bixler closed 7 months ago

mark-bixler commented 2 years ago

What happened?

We recently enabled Tagging enforcement for various AWS resources via Policy Packs. This is working and displaying missing tags for all resources except Auto Scaling Groups.

I believe this is due to ASG Tags being sent as an array [ ] rather than most tags sent as a map { }.

Steps to reproduce

I've created a simple pulumi project with just a launch template & asg and added that project to our tagging policy.

import * as aws from "@pulumi/aws";

// Tags on an Auto Scaling Group are passed as an array of
// { key, value, propagateAtLaunch } objects, not as the { key: value } map
// used by most other AWS resources. Placeholder values: the original report
// does not show the contents of asgTags.
const asgTags = [
  { key: "Name", value: "tagging-test-asg", propagateAtLaunch: true },
  { key: "Owner", value: "example-team", propagateAtLaunch: true },
];

export const testTemplate = new aws.ec2.LaunchTemplate("tagging-test-asg-template", {
  imageId: "ami-07d4836e0aad1ece7",
  instanceType: "t3.medium"
});
const testAsg = new aws.autoscaling.Group("tagging-test-asg", {
  availabilityZones: ["us-west-2a"],
  desiredCapacity: 1,
  maxSize: 1,
  minSize: 1,
  launchTemplate: {
      id: testTemplate.id,
      version: `$Latest`,
  },
  tags: asgTags
});

This produced an output stating the proper tags are NOT being added, even though they are present on the ASG in the AWS Console.

Expected Behavior

ASG Tags would be properly reported on by the policy pack matching what is in the AWS Console.

Actual Behavior

Tags are shown as not added by the policy pack.

Versions used

─❯ pulumi about
CLI
Version      3.33.1
Go Version   go1.18.2
Go Compiler  gc

Host
OS       darwin
Version  12.3.1
Arch     x86_64

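The mismatch described in the report (ASG tags arrive as an array of { key, value, propagateAtLaunch } objects while most resources carry a { key: value } map) is what a required-tags policy has to normalize before it can check anything. The following is an added example, not the reporter's code and not the tagging-policy-pack's own implementation: a standalone normalizer plus a missing-tags check that accepts both shapes, with constructed sample inputs. The required tag names and sample values are assumptions.

```typescript
// Added example: normalize AWS tag inputs so one required-tags check
// works for both map-form resources and array-form ASG tags.

// Shape of a single aws.autoscaling.Group tag entry.
interface AsgTag {
  key: string;
  value: string;
  propagateAtLaunch?: boolean;
}

// Either representation a policy may receive in args.props.tags.
type TagInput = Record<string, string> | AsgTag[] | undefined;

// Flatten either representation into a plain { key: value } map.
export function normalizeTags(tags: TagInput): Record<string, string> {
  if (!tags) return {};
  if (Array.isArray(tags)) {
    const out: Record<string, string> = {};
    for (const t of tags) {
      // Skip malformed entries rather than throwing inside the policy.
      if (t && typeof t.key === "string") out[t.key] = t.value;
    }
    return out;
  }
  return { ...tags };
}

// Names of required tags that are absent or empty on the resource.
export function missingTags(tags: TagInput, required: string[]): string[] {
  const present = normalizeTags(tags);
  return required.filter(k => !(k in present) || present[k] === "");
}

// Constructed sample inputs (assumed values) mirroring the issue:
// a map-form resource and an ASG with array-form tags.
export const REQUIRED = ["Name", "Owner", "CostCenter"];
export const sampleEc2Tags = { Name: "web", Owner: "platform", CostCenter: "1234" };
export const sampleAsgTags: AsgTag[] = [
  { key: "Name", value: "tagging-test-asg", propagateAtLaunch: true },
  { key: "Owner", value: "platform", propagateAtLaunch: true },
];

// Inside a CrossGuard validateResourceOfType callback, each name returned
// here would be passed to reportViolation(...).
console.log(missingTags(sampleEc2Tags, REQUIRED)); // []
console.log(missingTags(sampleAsgTags, REQUIRED)); // [ 'CostCenter' ]
```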

AaronFriel commented 2 years ago

@mark-bixler could you tell us which policy pack you're using, or if one you authored, reply with the code for the tag enforcement so we can reproduce?

mark-bixler commented 2 years ago

We're using the "tagging-policy-pack" v 1.0.5

mark-bixler commented 2 years ago

Just checking to see if there are any updates on this. Thanks!

lukehoban commented 8 months ago

We're using the "tagging-policy-pack" v 1.0.5

What exactly is tagging-policy-pack? Is that something you built based on https://github.com/joeduffy/aws-tags-example? I suspect this is something that just needs to be updated in the code for that policy pack. If it is indeed code from that repo, we can move this issue over there.

lukehoban commented 7 months ago

Haven’t been able to identify what policies this issue is related to - I suspect either this issue should be opened against https://github.com/joeduffy/aws-tags-example, or else that this is an issue with policy authored by a specific user that needs to be updated on that code. I’ll close as No Repro for now, but please do reopen with details on what the policy is and where it comes from if you are still having issues here.