standard
turbot/aws_tags
Trigger: Detect & correct Secrets Manager secrets with incorrect tags
Detects Secrets Manager secrets with incorrect tags and optionally attempts to correct them.
Query
with tags as (
  select
    title as title,
    arn,
    region,
    account_id,
    sp_connection_name as conn,
    coalesce(tags, '{}' :: jsonb) as tags,
    key,
    value
  from
    aws_secretsmanager_secret
    left join jsonb_each_text(tags) as t(key, value) on true
),
updated_tags as (
  select
    arn,
    key as old_key,
    case when false then key else key end as new_key,
    value
  from
    tags
  where
    key is not null
    and key not like 'aws:%'
),
required_tags as (
  select
    r.arn,
    null as old_key,
    a.key as new_key,
    a.value
  from
    ( select distinct arn from aws_secretsmanager_secret ) r
    cross join ( values (null, null) ) as a(key, value)
  where
    not exists (
      select 1 from updated_tags ut where ut.arn = r.arn and ut.new_key = a.key
    )
),
all_tags as (
  select arn, old_key, new_key, value from updated_tags
  union all
  select arn, old_key, new_key, value from required_tags where new_key is not null
),
allowed_tags as (
  select distinct
    arn,
    new_key
  from (
    select
      arn,
      new_key,
      case when new_key like '%' then true else false end as allowed
    from
      all_tags
  ) a
  where
    allowed = true
),
remove_tags as (
  select distinct
    arn,
    key
  from (
    select
      arn,
      new_key as key,
      case when new_key like '%' then false else false end as remove
    from
      all_tags
  ) r
  where
    remove = true
  union
  select arn, old_key as key from all_tags where old_key is not null and old_key != new_key
  union
  select arn, new_key as key from all_tags a
  where
    not exists (
      select 1 from allowed_tags at where at.arn = a.arn and at.new_key = a.new_key
    )
),
updated_values as (
  select
    arn,
    new_key,
    value as old_value,
    case when false then value else value end as updated_value
  from
    all_tags
)
select
  *
from (
  select
    t.title,
    t.arn,
    t.region,
    t.account_id,
    t.conn,
    coalesce(
      ( select jsonb_agg(key) from remove_tags rt where rt.arn = t.arn ),
      '[]' :: jsonb
    ) as remove,
    coalesce(
      (
        select jsonb_object_agg(at.new_key, at.value)
        from all_tags at
        where
          at.arn = t.arn
          and at.new_key != coalesce(at.old_key, '')
          and not exists (
            select 1 from remove_tags rt where rt.arn = at.arn and rt.key = at.new_key
          )
      ),
      '{}' :: jsonb
    ) || coalesce(
      (
        select jsonb_object_agg(uv.new_key, uv.updated_value)
        from updated_values uv
        where
          uv.arn = t.arn
          and uv.updated_value != uv.old_value
          and not exists (
            select 1 from remove_tags rt where rt.arn = uv.arn and rt.key = uv.new_key
          )
      ),
      '{}' :: jsonb
    ) as upsert
  from
    tags t
  group by
    t.title,
    t.arn,
    t.region,
    t.account_id,
    t.conn
) result
where
  remove != '[]' :: jsonb
  or upsert != '{}' :: jsonb;
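The query above is shown with its default rule slots (no key renames, no required tags, allow pattern '%', nothing removed), so it returns no rows as rendered. The following Python model is an added example, not code from the mod: it follows the same CTE steps for a single secret's tag map so a rule set can be dry-run before correction is enabled. The parameter names (`rename`, `required`, `allow`, `remove`, `fix_value`), the way rules fill those slots, and the sample tags are assumptions constructed for illustration.

```python
import re

def like(s, pattern):
    """SQL LIKE: % matches any run of characters, _ matches exactly one."""
    rx = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, s, re.S) is not None

def plan(tags, rename=None, required=None, allow=("%",), remove=(), fix_value=None):
    """Return (remove, upsert) for one secret's tag map, following the query's CTEs."""
    rename, required = rename or {}, required or {}
    fix_value = fix_value or (lambda key, value: value)
    # updated_tags: skip AWS-reserved keys, apply key renames -> (old_key, new_key, value)
    all_tags = [(k, rename.get(k, k), v) for k, v in tags.items() if not like(k, "aws:%")]
    present = {new for _, new, _ in all_tags}
    # required_tags: added only when no (renamed) key already provides the tag
    all_tags += [(None, k, v) for k, v in required.items() if k not in present]
    # allowed_tags: keys matching at least one allow pattern
    allowed = {new for _, new, _ in all_tags if any(like(new, p) for p in allow)}
    # remove_tags: explicit patterns, superseded old keys, keys outside the allow list
    drop = {new for _, new, _ in all_tags if any(like(new, p) for p in remove)}
    drop |= {old for old, new, _ in all_tags if old is not None and old != new}
    drop |= {new for _, new, _ in all_tags if new not in allowed}
    # upsert, first half: keys that are new or renamed and not scheduled for removal
    upsert = {new: v for old, new, v in all_tags if new != (old or "") and new not in drop}
    # upsert, second half (updated_values): changed values override, like jsonb ||
    for _, new, v in all_tags:
        fixed = fix_value(new, v)
        if fixed != v and new not in drop:
            upsert[new] = fixed
    return sorted(drop), upsert

# Constructed sample: tags on one hypothetical secret, plus a hypothetical rule set.
SAMPLE_TAGS = {
    "Env": "Prod",
    "owner": "payments",
    "temp": "1",
    "aws:cloudformation:stack-name": "demo",  # reserved prefix, never touched
}
SAMPLE_RULES = dict(
    rename={"Env": "environment"},
    required={"cost_center": "unassigned"},
    allow=("environment", "owner", "cost_center"),
    fix_value=lambda key, value: value.lower() if key == "environment" else value,
)

if __name__ == "__main__":
    print(plan(SAMPLE_TAGS, **SAMPLE_RULES))
```

A secret appears in the trigger's result only when `remove` or `upsert` is non-empty, which is why the default rules produce no work.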
Schedule
15m
Tags
category = tags
plugin = aws
service = AWS/SecretsManager