Skip to main content

tagvalidator Infrastructure App

This infrastructure app validates the contents of expiration tags. With it you can enforce a max. expiration length for certain resources in an account. For instance you could have an org policy that says in our "dev" account compute instances are only allowed to exist for 2 days max. Then this infrastructure app can ensure that the expiration tag on those instances is set to no more than 2 days. If it is set to e.g. 50h it would be corrected down to 48h.

Installation​

> app install tagvalidator
info

Upon installation, Fix Inventory will create a config fix.apps.tagvalidator.

Configuration​

  1. Execute the following command in Fix Inventory Shell to open the infrastructure app configuration for editing:

    > config edit fix.apps.tagvalidator
  2. Update the configuration:

    tagvalidator configuration
    config:
    default:
    expiration: '24h'
    kinds:
    - 'aws_ec2_instance'
    - 'aws_vpc'
    - 'aws_cloudformation_stack'
    - 'aws_elb'
    - 'aws_alb'
    - 'aws_alb_target_group'
    - 'aws_eks_cluster'
    - 'aws_eks_nodegroup'
    - 'aws_ec2_nat_gateway'
    accounts:
    aws:
    '123465706934':
    name: 'eng-audit'
    '123479172032':
    name: 'eng-devprod'
    '123453451782':
    name: 'sales-lead-gen'
    expiration: '12h'
    '123415487488':
    name: 'sales-hosted-lead-gen'
    expiration: '8d'
    info

    The configuration contains a default section with the expiration that should be used for all accounts by default.

    The kinds section contains the list of kinds that these expiration tag rules apply to.

    The accounts section contain the cloud ids followed by the account ids. Each account ID must contain a name and optionally an expiration that overwrites the global default.

Usage​

Run the app using the app run command:

> app run tagvalidator
tip

Add the optional --dry-run flag to see what commands the app would perform, without actually executing them.

Further Reading​