Control: Key vault managed hardware security modules should have appropriate tag values
Description
Check if Key vault managed hardware security modules have appropriate tag values.
Usage
Run the control in your terminal:
powerpipe control run azure_tags.control.key_vault_managed_hardware_security_module_expected_tag_values
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_tags.control.key_vault_managed_hardware_security_module_expected_tag_values --share
Steampipe Tables
Params
Args | Name | Default | Description | Variable |
---|---|---|---|---|
$1 | expected_tag_values |
|
SQL
with raw_data as( select id, title, tags, row_to_json(json_each($1)) as expected_tag_values, resource_group, subscription_id from azure_key_vault_managed_hardware_security_module where tags::text <> '{}' or tags is not null),exploded_expected_tag_values as( select id, title, expected_tag_values ->> 'key' as tag_key, jsonb_array_elements_text((expected_tag_values ->> 'value')::jsonb) as expected_values, tags ->> (expected_tag_values ->> 'key') as current_value, resource_group, subscription_id from raw_data),analysis as( select id, title, current_value like expected_values as has_appropriate_value, case when current_value is null then true else false end as has_no_matching_tags, tag_key, current_value, resource_group, subscription_id from exploded_expected_tag_values),status_by_tag as( select id, title, bool_or(has_appropriate_value) as status, tag_key, case when bool_or(has_appropriate_value) then '' else tag_key end as reason, bool_or(has_no_matching_tags) as can_skip, current_value, resource_group, subscription_id from analysis group by id, title, tag_key, current_value, resource_group, subscription_id)select id as resource, case when bool_and(can_skip) then 'skip' when bool_and(status) then 'ok' else 'alarm' end as status, case when bool_and(can_skip) then title || ' has no matching tag keys.' when bool_and(status) then title || ' has expected tag values for tags: ' || array_to_string(array_agg(tag_key) filter(where status), ', ') || '.' else title || ' has unexpected tag values for tags: ' || array_to_string(array_agg(tag_key) filter(where not status), ', ') || '.' end as reason, resource_group, subscription_idfrom status_by_taggroup by id, title, resource_group, subscription_idunion allselect id as resource, 'skip' as status, title || ' has no tags.' as reason, resource_group, subscription_idfrom azure_key_vault_managed_hardware_security_modulewhere tags::text = '{}' or tags is nullunion allselect id as resource, 'skip' as status, title || ' has tags but no expected tag values are set.' as reason, resource_group, subscription_idfrom azure_key_vault_managed_hardware_security_modulewhere $1::text = '{}' and tags::text <> '{}' or tags is not null;