Control: Key vault secrets should have appropriate tag values
Description
Check if Key vault secrets have appropriate tag values.
Usage
Run the control in your terminal:
powerpipe control run azure_tags.control.key_vault_secret_expected_tag_values
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run azure_tags.control.key_vault_secret_expected_tag_values --share
Steampipe Tables
Params
Args | Name | Default | Description | Variable |
---|---|---|---|---|
$1 | expected_tag_values |
|
SQL
with raw_data as( select id, title, tags, row_to_json(json_each($1)) as expected_tag_values, resource_group, subscription_id from azure_key_vault_secret where tags::text <> '{}' or tags is not null),exploded_expected_tag_values as( select id, title, expected_tag_values ->> 'key' as tag_key, jsonb_array_elements_text((expected_tag_values ->> 'value')::jsonb) as expected_values, tags ->> (expected_tag_values ->> 'key') as current_value, resource_group, subscription_id from raw_data),analysis as( select id, title, current_value like expected_values as has_appropriate_value, case when current_value is null then true else false end as has_no_matching_tags, tag_key, current_value, resource_group, subscription_id from exploded_expected_tag_values),status_by_tag as( select id, title, bool_or(has_appropriate_value) as status, tag_key, case when bool_or(has_appropriate_value) then '' else tag_key end as reason, bool_or(has_no_matching_tags) as can_skip, current_value, resource_group, subscription_id from analysis group by id, title, tag_key, current_value, resource_group, subscription_id)select id as resource, case when bool_and(can_skip) then 'skip' when bool_and(status) then 'ok' else 'alarm' end as status, case when bool_and(can_skip) then title || ' has no matching tag keys.' when bool_and(status) then title || ' has expected tag values for tags: ' || array_to_string(array_agg(tag_key) filter(where status), ', ') || '.' else title || ' has unexpected tag values for tags: ' || array_to_string(array_agg(tag_key) filter(where not status), ', ') || '.' end as reason, resource_group, subscription_idfrom status_by_taggroup by id, title, resource_group, subscription_idunion allselect id as resource, 'skip' as status, title || ' has no tags.' as reason, resource_group, subscription_idfrom azure_key_vault_secretwhere tags::text = '{}' or tags is nullunion allselect id as resource, 'skip' as status, title || ' has tags but no expected tag values are set.' as reason, resource_group, subscription_idfrom azure_key_vault_secretwhere $1::text = '{}' and tags::text <> '{}' or tags is not null;