turbot / steampipe-mod-aws-tags

Is your AWS tagging strategy following best practice? This mod checks if your AWS resource tags are set correctly to help you manage them effectively using Powerpipe and Steampipe.
https://hub.powerpipe.io/mods/turbot/aws_tags
Apache License 2.0

Null check insufficient to find all untagged AWS resources #36

Closed brad-webb closed 1 year ago

brad-webb commented 1 year ago

Describe the bug

Resources that have no tags do not always pass the 'is null' test.

Steampipe version (steampipe -v)

Steampipe v0.20.9

Plugin version (steampipe plugin list)

hub.steampipe.io/plugins/turbot/aws@latest 0.113.0 aws

To reproduce

select arn from aws_dynamodb_table where tags is null
+-----+
| arn |
+-----+
+-----+

select arn from aws_dynamodb_table where (tags is null or not exists (select 1 from jsonb_object_keys(tags)))
+------------------------------------------------------------------+
| arn                                                              |
+------------------------------------------------------------------+
| arn:aws:dynamodb:ap-southeast-2:account-id:table/my-lock-table   |
+------------------------------------------------------------------+

select arn, tags from aws_dynamodb_table where arn='arn:aws:dynamodb:ap-southeast-2:account-id:table/my-lock-table'
+------------------------------------------------------------------+------+
| arn                                                              | tags |
+------------------------------------------------------------------+------+
| arn:aws:dynamodb:ap-southeast-2:account-id:table/my-lock-table   | {}   |
+------------------------------------------------------------------+------+

Expected behavior

Empty tags objects that for whatever reason do not pass the 'is null' test should still be counted as empty, and the resource they are associated with marked as 'untagged'.

Additional context

I do not know why certain empty tag objects are failing the 'is null' check while others pass.
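An added example, not part of the issue or of the mod's own code: plain PostgreSQL over constructed rows, comparing the 'is null' test from the report with a predicate that treats every "no tags" representation as untagged. It goes one step beyond the report by also covering a JSON null value; the CTE name, column aliases and ARNs are made up for illustration.

```sql
-- Constructed sample rows standing in for a Steampipe table such as
-- aws_dynamodb_table. The CTE name and ARNs are hypothetical.
with sample_resources (arn, tags) as (
  values
    -- SQL NULL: the column has no value at all
    ('arn:aws:dynamodb:ap-southeast-2:account-id:table/sql-null',  null::jsonb),
    -- empty JSON object: a non-null value with zero keys (the case in the report)
    ('arn:aws:dynamodb:ap-southeast-2:account-id:table/empty-obj', '{}'::jsonb),
    -- JSON null: a non-null jsonb value whose JSON type is 'null'
    ('arn:aws:dynamodb:ap-southeast-2:account-id:table/json-null', 'null'::jsonb),
    -- a resource that really is tagged
    ('arn:aws:dynamodb:ap-southeast-2:account-id:table/tagged',    '{"Owner": "platform"}'::jsonb)
)
select
  arn,
  tags,
  -- The original check: true only when the column is SQL NULL.
  tags is null as caught_by_is_null,
  -- Untagged when tags is not a JSON object (SQL NULL makes jsonb_typeof
  -- return NULL, JSON null makes it return 'null') or is an object with
  -- no keys. Unlike jsonb_object_keys(), this does not raise an error
  -- when the value is a JSON scalar.
  (
    jsonb_typeof(tags) is distinct from 'object'
    or tags = '{}'::jsonb
  ) as untagged
from sample_resources
order by arn;
```

Comparing the two boolean columns row by row shows which representations the 'is null' test lets through as "tagged".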

misraved commented 1 year ago

Fixed in https://github.com/turbot/steampipe-mod-aws-tags/pull/37