Control: VPCs should not have prohibited tags

Description

Check if VPCs have any prohibited tags.

Usage

Run the control in your terminal:

powerpipe control run aws_tags.control.vpc_prohibited

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_tags.control.vpc_prohibited --share

Steampipe Tables

aws_vpc

SQL

with analysis as (
  select
    arn,
    array_agg(k) as prohibited_tags,
    region,
    account_id,
    tags,
    _ctx
  from
    aws_vpc,
    jsonb_object_keys(tags) as k,
    unnest($1::text[]) as prohibited_key
  where
    k = prohibited_key
  group by
    arn,
    region,
    account_id,
    tags,
    _ctx
)
select
  r.arn as resource,
  case
    when a.prohibited_tags <> array[]::text[] then 'alarm'
    else 'ok'
  end as status,
  case
    when a.prohibited_tags <> array[]::text[] then r.title || ' has prohibited tags: ' || array_to_string(a.prohibited_tags, ', ') || '.'
    else r.title || ' has no prohibited tags.'
  end as reason
  
  , r.region, r.account_id
from
  aws_vpc as r
full outer join
  analysis as a on a.arn = r.arn;

Params

Args	Name	Default	Description	Variable
$1	prohibited_tags	`["Password","Key"]`		prohibited_tags