Create "obligatron" lambda #989
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
AshCorr
force-pushed
the
mob/obligatron
branch
10 times, most recently
from
0a4b778
to
eeddcee
Compare
AshCorr
commented
May 9, 2024
AshCorr
commented
May 9, 2024
akash1810
reviewed
May 10, 2024
adamnfish
reviewed
May 13, 2024
akash1810
approved these changes
May 13, 2024
|
|
||
| const REQUIRED_TAGS = ['Stack', 'Stage', 'App', 'gu:repo'] as const; | ||
|
|
||
| const isExemptResource = (resource: AwsResource): boolean => { |
There was a problem hiding this comment.
Not a blocker for this PR, I wonder if switching on the resource would make it easier to assert those rules that apply to specific resource? For example:
switch (resourceType): {
case IAM_USER: {
return evaluateStandardTags && evaluateIamUserTags;
}
case EC2_AMI: {
return evaluateStandardTags && evaluateEc2AmiTags;
}
default: {
return evaluateStandardTags;
}
}
|
Going to merge this down as is as I want to get some code merged in and not keep updating this PR. There will likely be some changes once the ADR is published and theres a good chance we'll switch to pulling data from Security Hub instead of our AWS Resources view once we've finished figuring out how we turn that on for all accounts. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What does this change?
Creates a new "obligatron" lambda which evaluates service-catalogue data and decides if its compliant with obligations.
Why?
This lays some of the groundwork for writing the business logic for some of the obligations the Ops team is working on (and maybe Security and Reliability too?).
Eventually this lambda should provide a framework for fetching data from Service Catalogue and saving it to a results table in a generic way so that when writing a new obligation the developer only has to worry about parsing the data, and not establish a DB connection or saving the results to a table.
In the short term this lambda will evaluate the Ops TAGGING obligation by fetching data from the aws_resources view, filtering out AWS managed resources, and validating them against our tagging schema.
How has it been verified?
Ran locally.