Policy Packs
Enforce AWS EC2 Instances Use AMIs With Approved Tags

Policy Setting: AWS > EC2 > Instance > Approved > Custom

Policies

This policy setting is dependent on the following policy types:

Source

resource "turbot_policy_setting" "aws_ec2_instance_approved_custom" {
resource = turbot_policy_pack.main.id
type = "tmod:@turbot/aws-ec2#/policy/types/instanceApprovedCustom"
template_input = <<-EOT
- |
{
item: instance {
image: get(path: "ImageId")
}
region {
turbot {
id
}
}
}
- |
{
resources(filter: "resourceId:{{ $.region.turbot.id }} resourceTypeId:'tmod:@turbot/aws-ec2#/resource/types/ami' $.ImageId:'{{ $.item.image }}' resourceTypeLevel:self") {
items {
tags
}
}
}
EOT
# Replace your list of approved tags in inputTagKeys
template = <<-EOT
{%- set tags = $.resources.items[0].tags -%}
{%- set inputTagKeys = ["name", "environment"] -%}
{%- set tagsLength = tags | length -%}
{%- set allTagsPresent = true -%}
{%- set flag = true -%}
{%- if tagsLength > 0 -%}
{%- for key in inputTagKeys -%}
{%- if flag and key not in tags -%}
{%- set allTagsPresent = false -%}
{%- set flag = false -%}
{%- endif -%}
{%- endfor -%}
{%- endif -%}
{%- if tagsLength > 0 and allTagsPresent -%}
{%- set data = {
"title": "AMI Tags",
"result": "Approved",
"message": "AMI has approved tags"
} -%}
{%- elif tagsLength == 0 or not allTagsPresent -%}
{%- set data = {
"title": "AMI Tags",
"result": "Not approved",
"message": "AMI does not have approved tags"
} -%}
{%- else -%}
{%- set data = {
"title": "AMI Tags",
"result": "Skip",
"message": "No data for AMI tags yet"
} -%}
{%- endif -%}
{{ data | json }}
EOT
}