Control: WAFV2 regex pattern sets should have appropriate tag values
Description
Check if WAFV2 regex pattern sets have appropriate tag values.
Usage
Run the control in your terminal:
powerpipe control run aws_tags.control.wafv2_regex_pattern_set_expected_tag_values
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_tags.control.wafv2_regex_pattern_set_expected_tag_values --share
Steampipe Tables
Params
| Args | Name | Default | Description | Variable |
|---|---|---|---|---|
| $1 | expected_tag_values | | | |
SQL
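-- Evaluates every aws_wafv2_regex_pattern_set against the expected tag values
-- passed in as $1: a JSON object mapping tag key -> array of accepted value
-- patterns, e.g. {"Environment": ["Dev", "Prod"]} (constructed example).
-- Values are compared with LIKE, so '%' and '_' inside an expected value act
-- as wildcards rather than literal characters.
--
-- Output rows: (resource, status, reason, region, account_id) with status one
-- of 'ok', 'alarm' or 'skip'.
--
-- Fixes relative to the previous version of this query:
--   * the WHERE clauses mixed AND/OR without parentheses (AND binds tighter),
--     so resources with an empty tag map were reported twice and, whenever $1
--     was non-empty, every tagged resource also received a spurious
--     "has tags but no expected tag values are set" skip row;
--   * a resource that had some expected keys present (all matching) and
--     others absent produced bool_and(status) = NULL, which fell through to
--     'alarm' with a NULL reason; absent keys are now excluded from the verdict.
with raw_data as (
    -- One row per (resource, expected tag key). Resources with no tags or an
    -- empty tag map are reported by the 'has no tags' branch below instead.
    select
        arn,
        title,
        tags,
        row_to_json(json_each($1)) as expected_tag_values,
        region,
        account_id,
        _ctx
    from aws_wafv2_regex_pattern_set
    where tags is not null
        and tags::text != '{}'
),
exploded_expected_tag_values as (
    -- One row per (resource, expected tag key, accepted value pattern).
    select
        arn,
        title,
        expected_tag_values ->> 'key' as tag_key,
        jsonb_array_elements_text((expected_tag_values ->> 'value')::jsonb) as expected_values,
        -- NULL when the resource does not carry the expected key.
        tags ->> (expected_tag_values ->> 'key') as current_value,
        region,
        account_id,
        _ctx
    from raw_data
),
analysis as (
    select
        arn,
        title,
        -- NULL (not false) when the key is absent, because current_value is NULL.
        current_value like expected_values as has_appropriate_value,
        current_value is null as has_no_matching_tags,
        tag_key,
        current_value,
        region,
        account_id,
        _ctx
    from exploded_expected_tag_values
),
status_by_tag as (
    -- Collapse the accepted patterns of one tag key into a single verdict:
    -- the key is fine if any pattern matched.
    select
        arn,
        title,
        bool_or(has_appropriate_value) as status,
        tag_key,
        bool_or(has_no_matching_tags) as can_skip,
        current_value,
        region,
        account_id,
        _ctx
    from analysis
    group by arn, title, tag_key, current_value, region, account_id, _ctx
)
select
    arn as resource,
    case
        -- None of the expected keys is present on the resource.
        when bool_and(can_skip) then 'skip'
        -- Only keys that are present count; absent keys have a NULL status
        -- that would otherwise turn bool_and() into NULL and fall to 'alarm'.
        when bool_and(status) filter (where not can_skip) then 'ok'
        else 'alarm'
    end as status,
    case
        when bool_and(can_skip) then title || ' has no matching tag keys.'
        when bool_and(status) filter (where not can_skip)
            then title || ' has expected tag values for tags: '
                || array_to_string(array_agg(tag_key) filter (where status), ', ') || '.'
        else title || ' has unexpected tag values for tags: '
            || array_to_string(array_agg(tag_key) filter (where not status), ', ') || '.'
    end as reason,
    region,
    account_id
from status_by_tag
group by arn, title, region, account_id, _ctx
union all
-- Resources without any tags cannot be evaluated.
select
    arn as resource,
    'skip' as status,
    title || ' has no tags.' as reason,
    region,
    account_id
from aws_wafv2_regex_pattern_set
where tags is null
    or tags = '{}'
union all
-- Tagged resources when no expected values were configured at all
-- (json_each of an empty object yields no rows, so the first branch is empty).
-- Compared as jsonb so surrounding whitespace in $1 does not matter.
select
    arn as resource,
    'skip' as status,
    title || ' has tags but no expected tag values are set.' as reason,
    region,
    account_id
from aws_wafv2_regex_pattern_set
where $1::jsonb = '{}'::jsonb
    and tags is not null
    and tags::text != '{}';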