Skip to main content

Required Tags auditor

Project description

probator-auditor-required-tags

Please open issues in the Probator repository

Description

This auditor reviews, alerts and potentially takes action on AWS objects that are found not to be compliant with the tagging requirements.

Configuration Options

Option name Default Value Type Description
alert_settings See notes below JSON Alert and enforcement settings for supported resources
always_send_email True bool Send emails even in collect mode
audit_ignore_tag probator:ignore string Probator will ignore alerting/enforcement if resources are tagged with this
audit_scope aws_ec2_instance string Select resources (aws_ec2_instance, aws_s3_bucket)
collect_only True bool Do not shutdown resources, only update caches
confirm_shutdown True bool Require manual confirmation before shutting down instances
email_subject Resources missing required tags string Subject of the new issues email notifications
enabled False bool Enable the Required Tags auditor
interval 30 int How often the auditor executes, in minutes
partial_owner_match False bool Allow partial matches of the Owner tag
permanent_recipient [] array List of email addresses to receive all alerts
required_tags ['owner', 'accounting', 'name'] array List of required tags

Example alert_settings:

{
    "global": {
        "actions": [
            {
                "name": "alert:1",
                "age": "now",
                "action": "alert",
                "order": 0
            },
            {
                "name": "alert:2",
                "age": "3 weeks",
                "action": "alert",
                "order": 1
            },
            {
                "name": "alert:3",
                "age": "3 weeks, 6 days",
                "action": "alert",
                "order": 2
            },
            {
                "name": "stop",
                "age": "4 weeks",
                "action": "stop",
                "order": 3
            },
            {
                "name": "remove",
                "age": "12 weeks",
                "action": "remove",
                "order": 4
            }
        ],
        "requiredTags": {
            "Name": null,
            "owner": "([a-zA-Z0-9._%+-]+[^+]@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,})"
        },
        "extraConfig": {}
    },
    "aws_ec2_instance": {
        "requiredTags": {
            "ssmEnabled": "^(true|false)$"
        }
    }
}

The global section is applied to all resources, with some restrictions that we will cover in the detail sections below. In addition to the global section, you can also define additional tags for some resource types or override the actions to use a different schedule for specific resource types

actions

The actions block defines the set of actions to be taken. Using the example above, we can see that there are a total of 5 actions that will be taken for all resources.

  1. Upon detection, send an alert immediately (age = now)
  2. After 3 weeks, send another alert
  3. After another 6 days, send a third alert
  4. After 4 weeks, stop the instance (also sends a notification)
  5. Finally after 12 weeks, remove the resource (also sends a notification)

Actions can be overridden for specific resources, however if you provide a new action schedule, the global schedule will be ignored for the resource type.

Valid action types

Currently only three types of actions are supported: alert, stop and remove.

alert

Sends a notification to each of the registered owners for the resource account

stop

Stops the resource, if applicable. As an example, this will stop an EC2 Instance if it is running. The state of the resource will be evaluated on each execution of the auditor, so if the resource is started again the stop action will be applied again

remove

Deletes the resource completely, for example if the resource is an EC2 Instance, it will be terminated.

required_tags

The required_tags is a dictionary like object, where the keys are the names of the tags and the value is a regular expression pattern that will be used to validate the tag value of the resource. If a tag fails to match the provided regular expression, the resource will be marked as not compliant, with a note detailing that the tag failed matching the regular expression.

If any value is valid, you can provide an null value instead of a regular expression, to avoid any matching from happening, instead of using a blank / global expression such as .*

extra_config

This section can be used to provide extra information that may be needed to validate a tag. At this time, this is not actively used by the base auditor functions, but can be helpful in cases where you implement custom action methods

Implementing action methods

Action methods are simple methods which accept a single argument being the Resource object that the action needs to be performed on. See probator_auditor_required_tags/actions.py for example implementations.

Action methods are dynamically loaded using entry points defined in setup.py, in the namespace probator_auditor_required_tags.actions. The name of the entry point must be <resource_type>_<action>. For example the action to remove an S3 bucket would be aws_s3_bucket_remove.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

probator-auditor-required-tags-1.2.0.tar.gz (10.5 kB view details)

Uploaded Source

File details

Details for the file probator-auditor-required-tags-1.2.0.tar.gz.

File metadata

  • Download URL: probator-auditor-required-tags-1.2.0.tar.gz
  • Upload date:
  • Size: 10.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/1.12.1 pkginfo/1.5.0.1 requests/2.21.0 setuptools/40.6.3 requests-toolbelt/0.9.1 tqdm/4.30.0 CPython/3.7.2

File hashes

Hashes for probator-auditor-required-tags-1.2.0.tar.gz
Algorithm Hash digest
SHA256 009ca035c05f09f06db813f953aea8ecb34ee8a654da13f7ee773aed8de35e51
MD5 fea764ec62a1a2e6004c3608e2aa69ab
BLAKE2b-256 cd97237d86a2eada28f253ac5fd58abcc28715b11b40683a7d739eb0333f1bf8

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page