Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

False positive match on Tag:Project absent resources rest-api and rest-resource

See original GitHub issue

Description:

We’re checking for missing ‘Project’ tags but are getting false positive matches on the rest-api and rest-resource resources when there is a Project tag present.

Reproduce: We normally run these specific policies in pull mode via AWS CodeBuild, but can reproduce on MacOS pull mode.

custodian run --dryrun --verbose --cache-period 0 --debug --region eu-west-1 --output-dir=. tag-test-project.yml

with the following policies

policies:

  - name: rest-api-tag-compliance
    resource: rest-api
    comment: |
      Report on untagged rest-api tagging
    filters:
      - "tag:Project": absent

  - name: rest-resource-tag-compliance
    resource: rest-resource
    comment: |
      Report on untagged rest-resource tagging
    filters:
      - "tag:Project": absent

and we have this output:

[
  {
    "id": "redeacted",
    "name": "test2",
    "createdDate": "2020-04-02T11:37:27+01:00",
    "apiKeySource": "HEADER",
    "endpointConfiguration": {
      "types": [
        "EDGE"
      ]
    },
    "Tags": [
      {
        "Key": "Key",
        "Value": "Project"
      },
      {
        "Key": "Value",
        "Value": "bind"
      }
    ],
    "c7n:MatchedFilters": [
      "tag:Project"
    ]
  },
  {
    "id": "redacted",
    "name": "test",
    "createdDate": "2020-04-02T11:35:00+01:00",
    "apiKeySource": "HEADER",
    "endpointConfiguration": {
      "types": [
        "EDGE"
      ]
    },
    "Tags": [
      {
        "Key": "Key",
        "Value": "Project"
      },
      {
        "Key": "Value",
        "Value": "infx"
      }
    ],
    "c7n:MatchedFilters": [
      "tag:Project"
    ]
  }
]

Expected Behaviour:

Rest-APIs should be filtered out when they contain the “Project” tag.

Background:

Custodian: 0.9.6 Python: 3.7.4 (default, Sep 7 2019, 18:27:02) [Clang 10.0.1 (clang-1001.0.46.4)] Platform: posix.uname_result(sysname=‘Darwin’, nodename=‘STEVCRAI01M’, release=‘19.6.0’, version=‘Darwin Kernel Version 19.6.0: Sun Jul 5 00:43:10 PDT 2020; root:xnu-6153.141.1~9/RELEASE_X86_64’, machine=‘x86_64’) Using venv: True Docker: False Installed:

argcomplete==1.12.0 attrs==20.2.0 boto3==1.14.59 botocore==1.17.59 docutils==0.15.2 importlib-metadata==1.7.0 jmespath==0.10.0 jsonschema==3.2.0 pyrsistent==0.17.2 python-dateutil==2.8.1 pyyaml==5.3.1 s3transfer==0.3.3 setuptools==40.8.0 six==1.15.0 tabulate==0.8.7 urllib3==1.25.10 zipp==3.1.0

Issue Analytics

State:
Created 3 years ago
Comments:5

Top GitHub Comments

1reaction

stevesworkgithubcommented, Sep 11, 2020

Apologies. Have updated the initial comment. Thanks very much.

0reactions

stevesworkgithubcommented, Sep 24, 2020

I’ve run some further testing on this and can get an expected match against running production rest-api resources now where they are tagged. We do have some issues around tagging consistency, but this appears to be around the testing, not the production systems, so am closing this ticket. Thanks for the help.