False positive match on Tag:Project absent resources rest-api and rest-resource
Description:
We’re checking for missing ‘Project’ tags but are getting false positive matches on the rest-api and rest-resource resources when there is a Project tag present.
Reproduce: We normally run these specific policies in pull mode via AWS CodeBuild, but can reproduce on MacOS pull mode.
```
custodian run --dryrun --verbose --cache-period 0 --debug --region eu-west-1 --output-dir=. tag-test-project.yml
```
with the following policies
```yaml
policies:
  - name: rest-api-tag-compliance
    resource: rest-api
    comment: |
      Report on untagged rest-api tagging
    filters:
      - "tag:Project": absent
  - name: rest-resource-tag-compliance
    resource: rest-resource
    comment: |
      Report on untagged rest-resource tagging
    filters:
      - "tag:Project": absent
```
and we have this output:
```json
[
  {
    "id": "redeacted",
    "name": "test2",
    "createdDate": "2020-04-02T11:37:27+01:00",
    "apiKeySource": "HEADER",
    "endpointConfiguration": {
      "types": [
        "EDGE"
      ]
    },
    "Tags": [
      {
        "Key": "Key",
        "Value": "Project"
      },
      {
        "Key": "Value",
        "Value": "bind"
      }
    ],
    "c7n:MatchedFilters": [
      "tag:Project"
    ]
  },
  {
    "id": "redacted",
    "name": "test",
    "createdDate": "2020-04-02T11:35:00+01:00",
    "apiKeySource": "HEADER",
    "endpointConfiguration": {
      "types": [
        "EDGE"
      ]
    },
    "Tags": [
      {
        "Key": "Key",
        "Value": "Project"
      },
      {
        "Key": "Value",
        "Value": "infx"
      }
    ],
    "c7n:MatchedFilters": [
      "tag:Project"
    ]
  }
]
```
Expected Behaviour:
Rest-APIs should be filtered out when they contain the “Project” tag.
Background:
```
Custodian:  0.9.6
Python:     3.7.4 (default, Sep 7 2019, 18:27:02) [Clang 10.0.1 (clang-1001.0.46.4)]
Platform:   posix.uname_result(sysname='Darwin', nodename='STEVCRAI01M', release='19.6.0', version='Darwin Kernel Version 19.6.0: Sun Jul 5 00:43:10 PDT 2020; root:xnu-6153.141.1~9/RELEASE_X86_64', machine='x86_64')
Using venv: True
Docker:     False
Installed:

argcomplete==1.12.0
attrs==20.2.0
boto3==1.14.59
botocore==1.17.59
docutils==0.15.2
importlib-metadata==1.7.0
jmespath==0.10.0
jsonschema==3.2.0
pyrsistent==0.17.2
python-dateutil==2.8.1
pyyaml==5.3.1
s3transfer==0.3.3
setuptools==40.8.0
six==1.15.0
tabulate==0.8.7
urllib3==1.25.10
zipp==3.1.0
```
Top GitHub Comments
Apologies. Have updated the initial comment. Thanks very much.
I’ve run some further testing on this and can get an expected match against running production rest-api resources now where they are tagged. We do have some issues around tagging consistency, but this appears to be around the testing, not the production systems, so am closing this ticket. Thanks for the help.
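
In the output posted in the issue, both resources carry tags whose keys are the literal strings `Key` and `Value`, so neither has a tag named `Project`. The following is an added example, not part of the original issue and not Cloud Custodian's own code: a simplified model of the `tag:Project: absent` check run over tags copied from that output. The third resource and all helper names are constructed for illustration.

```python
from typing import Dict, List, Optional

# Tags for "test2" and "test" are copied from the issue's output.
# "tagged-example" is a constructed, correctly tagged resource for comparison.
RESOURCES: List[dict] = [
    {"name": "test2", "Tags": [{"Key": "Key", "Value": "Project"},
                               {"Key": "Value", "Value": "bind"}]},
    {"name": "test", "Tags": [{"Key": "Key", "Value": "Project"},
                              {"Key": "Value", "Value": "infx"}]},
    {"name": "tagged-example", "Tags": [{"Key": "Project", "Value": "infx"}]},
]


def tag_map(resource: dict) -> Dict[str, str]:
    """Flatten an AWS-style [{'Key': k, 'Value': v}] list into {k: v}."""
    return {t["Key"]: t["Value"] for t in resource.get("Tags", [])}


def tag_absent(resource: dict, name: str) -> bool:
    """Simplified model of `tag:<name>: absent`: true when no tag has that key."""
    return name not in tag_map(resource)


def implied_tag(resource: dict) -> Optional[Dict[str, str]]:
    """If the tag keys are literally 'Key' and 'Value', return the single tag
    that was probably intended (an assumption), otherwise None."""
    tags = tag_map(resource)
    if set(tags) == {"Key", "Value"}:
        return {tags["Key"]: tags["Value"]}
    return None


def audit(resources: List[dict], name: str) -> List[dict]:
    """Report, per resource, whether the filter matches and any mis-tag hint."""
    return [
        {
            "name": r["name"],
            "matches_absent": tag_absent(r, name),
            "tag_keys": sorted(tag_map(r)),
            "implied_tag": implied_tag(r),
        }
        for r in resources
    ]


if __name__ == "__main__":
    for row in audit(RESOURCES, "Project"):
        print(row)
```

Run against the copied tags, the check matches `test2` and `test` because their tag keys are `Key` and `Value`; only the constructed `tagged-example` resource is filtered out.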