Control: WAFV2 rule groups should not have prohibited tags
Description
Checks whether any WAFV2 rule group carries a tag whose key appears in the prohibited_tags list, and raises an alarm listing the offending keys for each rule group that does.
Usage
Run the control in your terminal:
powerpipe control run aws_tags.control.wafv2_rule_group_prohibited
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_tags.control.wafv2_rule_group_prohibited --share
Steampipe Tables
aws_wafv2_rule_group
Params
Args | Name | Default | Description | Variable
---|---|---|---|---
$1 | prohibited_tags | | |
SQL
with analysis as (
  select
    arn,
    array_agg(k) as prohibited_tags,
    region,
    account_id,
    tags,
    _ctx
  from
    aws_wafv2_rule_group,
    jsonb_object_keys(tags) as k,
    unnest($1::text[]) as prohibited_key
  where
    k = prohibited_key
  group by
    arn,
    region,
    account_id,
    tags,
    _ctx
)
select
  r.arn as resource,
  case
    when a.prohibited_tags <> array[]::text[] then 'alarm'
    else 'ok'
  end as status,
  case
    when a.prohibited_tags <> array[]::text[] then r.title || ' has prohibited tags: ' || array_to_string(a.prohibited_tags, ', ') || '.'
    else r.title || ' has no prohibited tags.'
  end as reason,
  r.region,
  r.account_id
from
  aws_wafv2_rule_group as r
  full outer join analysis as a on a.arn = r.arn;

Tag keys are compared with plain string equality (k = prohibited_key), so the match is case-sensitive: a key of "password" is not caught by a prohibited entry of "Password". A rule group with no matching keys produces no row in the analysis CTE, and the full outer join then yields a NULL prohibited_tags, which the case expression reports as ok.
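The following is an added example, not code from the Turbot hub page or the aws_tags mod: the control's query replayed against a constructed three-row rule-group list so its matching rules can be exercised in psql or steampipe query without AWS credentials. The sample_rule_group CTE, its ARNs and tag values are made up, the inline array stands in for the $1 parameter, and the _ctx column the real control carries is omitted because the sample rows have none.

```sql
-- Added example (not part of the hub page or the aws_tags mod).
-- Three constructed rule groups stand in for the aws_wafv2_rule_group table;
-- the literal array stands in for the control's $1 (prohibited_tags) parameter.
with sample_rule_group as (
  select * from (values
    ('arn:aws:wafv2:us-east-1:111122223333:regional/rulegroup/rg-a/1', 'rg-a',
     'us-east-1', '111122223333',
     '{"Key": "abc", "Environment": "prod"}'::jsonb),      -- one prohibited key
    ('arn:aws:wafv2:us-east-1:111122223333:regional/rulegroup/rg-b/2', 'rg-b',
     'us-east-1', '111122223333',
     '{"password": "x"}'::jsonb),                          -- key differs in case from 'Password'
    ('arn:aws:wafv2:eu-west-1:111122223333:regional/rulegroup/rg-c/3', 'rg-c',
     'eu-west-1', '111122223333',
     '{}'::jsonb)                                          -- untagged resource
  ) as t(arn, title, region, account_id, tags)
),
analysis as (
  -- Same shape as the control's CTE: cross-join every tag key of every
  -- rule group against every prohibited key and keep the exact matches.
  select
    arn,
    array_agg(k) as prohibited_tags
  from
    sample_rule_group,
    jsonb_object_keys(tags) as k,
    unnest(array['Password', 'Key']::text[]) as prohibited_key
  where
    k = prohibited_key
  group by
    arn
)
select
  r.arn as resource,
  case
    when a.prohibited_tags <> array[]::text[] then 'alarm'
    else 'ok'
  end as status,
  case
    when a.prohibited_tags <> array[]::text[] then r.title || ' has prohibited tags: ' || array_to_string(a.prohibited_tags, ', ') || '.'
    else r.title || ' has no prohibited tags.'
  end as reason,
  r.region,
  r.account_id
from
  sample_rule_group as r
  -- Rule groups with no matching key have no analysis row; the outer join
  -- keeps them and their NULL prohibited_tags falls through to 'ok'.
  full outer join analysis as a on a.arn = r.arn
order by
  r.arn;
```

With these rows only rg-a is reported in alarm (on the key Key); rg-b comes back ok because its lowercase password key does not equal Password, and rg-c comes back ok because it has no tags at all. Swap the literal array for the keys you want to forbid, in the exact case the tags were created with, to see what the control would flag.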