fix: enforce tags correctly (#110)

DataChefHQ · Jan 30, 2025 · 2c4cc83 · 2c4cc83
1 parent ddfc020
commit 2c4cc83
Show file tree

Hide file tree

Showing 13 changed files with 3,034 additions and 73 deletions.
diff --git a/API.md b/API.md
diff --git a/docs/src/content/docs/components/account-management/tagging.mdx b/docs/src/content/docs/components/account-management/tagging.mdx
@@ -24,7 +24,7 @@ to the resources.
 
 ## Default Mandatory Tags
 
-The mandatory tags all begin with a capital letter, but the underlying code property is lowercase. The mandatory tags include:
+The mandatory tags all begin with a capital letter, but the underlying code property is lowercase. The mandatory tags are:
 - `Owner` - Identifies the team or individual responsible for the resource.
 - `Project` - Specifies the project to which the resource belongs.
 - `Environment` - Defines the environment of the resource, such as `development`, `staging`, or `production`.
@@ -37,6 +37,14 @@ The DLZ construct will automatically apply the following tags to all resources i
 These tag values can be customized by providing an array of values for each tag in `mandatoryTags`.
 Note that while the code property is lowercase, the tags created will follow the capitalized format outlined above.
 
+Tag values are optional, but if provided, the resource will only be created if the tag value matches one of the specified
+values. Specifying an empty array or `undefined` enforces the presence of the tag but does not restrict
+its value.
+
+Not all service actions are supported for enforcement by the Organization Tag Policy. To keep the policy size manageable,
+we do not list every resource in the [list of supported resources](https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_supported-resources-enforcement.html).
+Instead, we include all `:*` actions and focus on "major" services to ensure the policy remains concise.
+
 <DualCode>
   <Fragment slot="ts">
     ```ts
@@ -46,8 +54,8 @@ Note that while the code property is lowercase, the tags created will follow the
     const app = new App();
     const dlz = new DataLandingZone(app, {
       mandatoryTags: {
-        owner: ['backend'],
-        project: ['project1'],
+        owner: [],
+        project: undefined,
         environment: ['development', 'staging', 'production'],
       },
      ...
@@ -62,8 +70,8 @@ Note that while the code property is lowercase, the tags created will follow the
     app = cdk.App()
     dlz.DataLandingZone(app,
         mandatory_tags={
-            "owner": ["backend"],
-            "project": ["project1"],
+            "owner": None,
+            "project": dlz.ANY_TAG_VALUE,
             "environment": ["development", "staging", "production"],
         },
         ...

diff --git a/docs/src/content/docs/reference/api.md b/docs/src/content/docs/reference/api.md
@@ -16634,7 +16634,7 @@ const dlzTag: DlzTag = { ... }
 | **Name** | **Type** | **Description** |
 | --- | --- | --- |
 | <code><a href="#aws-data-landing-zone.DlzTag.property.name">name</a></code> | <code>string</code> | *No description.* |
-| <code><a href="#aws-data-landing-zone.DlzTag.property.values">values</a></code> | <code>string[]</code> | *No description.* |
+| <code><a href="#aws-data-landing-zone.DlzTag.property.values">values</a></code> | <code>string[]</code> | Specifying an empty array or undefined still enforces the tag presence but does not enforce the value. |
 
 ---
 
@@ -16656,6 +16656,8 @@ public readonly values: string[];
 
 - *Type:* string[]
 
+Specifying an empty array or undefined still enforces the tag presence but does not enforce the value.
+
 ---
 
 ### DlzTagPolicyProps <a name="DlzTagPolicyProps" id="aws-data-landing-zone.DlzTagPolicyProps"></a>
@@ -18127,7 +18129,7 @@ const mandatoryTags: MandatoryTags = { ... }
 
 ---
 
-##### `environment`<sup>Required</sup> <a name="environment" id="aws-data-landing-zone.MandatoryTags.property.environment"></a>
+##### `environment`<sup>Optional</sup> <a name="environment" id="aws-data-landing-zone.MandatoryTags.property.environment"></a>
 
 ```typescript
 public readonly environment: string[];
@@ -18137,9 +18139,12 @@ public readonly environment: string[];
 
 The values of the mandatory `Environment` tag that all resources must have.
 
+Specifying an empty array or undefined
+still enforces the tag presence but does not enforce the value.
+
 ---
 
-##### `owner`<sup>Required</sup> <a name="owner" id="aws-data-landing-zone.MandatoryTags.property.owner"></a>
+##### `owner`<sup>Optional</sup> <a name="owner" id="aws-data-landing-zone.MandatoryTags.property.owner"></a>
 
 ```typescript
 public readonly owner: string[];
@@ -18149,9 +18154,12 @@ public readonly owner: string[];
 
 The values of the mandatory `Owner` tag that all resources must have.
 
+Specifying an empty array or undefined
+still enforces the tag presence but does not enforce the value.
+
 ---
 
-##### `project`<sup>Required</sup> <a name="project" id="aws-data-landing-zone.MandatoryTags.property.project"></a>
+##### `project`<sup>Optional</sup> <a name="project" id="aws-data-landing-zone.MandatoryTags.property.project"></a>
 
 ```typescript
 public readonly project: string[];
@@ -18161,6 +18169,9 @@ public readonly project: string[];
 
 The values of the mandatory `Project` tag that all resources must have.
 
+Specifying an empty array or undefined
+still enforces the tag presence but does not enforce the value.
+
 ---
 
 ### Network <a name="Network" id="aws-data-landing-zone.Network"></a>

diff --git a/internal/extract-tag-policy-enforcement-resources.ts b/internal/extract-tag-policy-enforcement-resources.ts
@@ -0,0 +1,57 @@
+import axios from 'axios';
+import * as cheerio from 'cheerio';
+
+
+async function main()
+{
+  const response = await axios.get('https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_supported-resources-enforcement.html', {
+    headers: {
+      'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36'
+    }
+  });
+
+  // Load the HTML content
+  const $ = cheerio.load(response.data);
+  // const pageHtml = $('body').html();
+  // console.debug(pageHtml);
+
+  const jsonArray: string[] = [];
+  $('table tbody tr').each((index, element) => {
+    // Select the "JSON syntax" column (3rd <td>)
+    const jsonSyntax = $(element).find('td').eq(2).find('code').map((i, el) => $(el).text().slice(1,-1)).get();
+    jsonArray.push(...jsonSyntax);
+  });
+  // console.log(jsonArray);
+
+
+  const starrServiceActions = jsonArray.filter((value) => value.endsWith('*'));
+  const additionalMainServiceActions: string[] = [
+    "backup:backup-plan",
+    "batch:job",
+    "logs:log-group",
+    "ec2:elastic-ip",
+    "ec2:instance",
+    "ec2:vpc",
+    "ec2:security-group",
+    "ecr:repository",
+    "ecs:service",
+    "eks:cluster",
+    "es:domain",
+    "elasticmapreduce:cluster",
+    "elasticache:cluster",
+    "iam:policy",
+    "network-firewall:firewall",
+    "rds:secgrp",
+    "s3:bucket",
+    "sns:topic",
+    "sqs:queue",
+  ]
+  const allServiceActions = [...starrServiceActions, ...additionalMainServiceActions];
+  console.log(allServiceActions);
+  console.log(JSON.stringify(allServiceActions).length);
+}
+
+main().catch((error) => {
+  console.error(error);
+  process.exit(1);
+});