Scenario: Ensure all resources have tags, does not fail in the absence of tags #338

Closed
nikhilswagle opened this issue Jul 31, 2020 · 7 comments
Labels: bug; waiting for confirmation (Workaround/Fix applied, waiting for confirmation)

Comments

nikhilswagle commented Jul 31, 2020

Description:
I am using terraform-compliance version 1.2.11.
I have the scenario "Ensure all resources have tags" defined as shown in the example here.
The scenario does not fail the below Terraform code when I comment out the tags property from a resource.

To Reproduce

  1. Terraform Code
provider "aws" {
  profile = "default"
  region = "us-east-1"
}

provider "archive" {
}

################################################################################
# Ensure all resources have tags
# Ensure that specific tags are defined
################################################################################
resource "aws_instance" "tf-example-ec2" {
  ami = "ami-0323c3dd2da7fb37d"
  instance_type = "t2.micro"
  iam_instance_profile = "${aws_iam_instance_profile.test_profile.name}"
  # tags = {
  #   Name = "tf-example-ec2"
  # }
}

################################################################################
# Validate lambda function runtime environment for non-compliant runtime
# Ensure all resources have tags
# Ensure that specific tags are defined
################################################################################
data "archive_file" "ssm_tag_collector_zip" {
  type        = "zip"
  source_file = "${path.module}/files/ssmTagCollector.py"
  output_path = "${path.module}/files/ssmTagCollector.zip"
}

data "template_file" "ssm_tag_collector_lambda_role" {
  template = "${file("${path.module}/files/ssm_tag_collector_lambda_role.json")}"
}

resource "aws_iam_role" "ssm_tag_collector_role" {
  assume_role_policy = "${data.template_file.ssm_tag_collector_lambda_role.rendered}"
  tags = {
    Name = "ssm_tag_collector_role"
  }
}

resource "aws_lambda_function" "ssm_tag_collector_lambda" {
  filename         = "${data.archive_file.ssm_tag_collector_zip.output_path}"
  function_name    = "ssm-tag-collector"
  description      = "Send tags from the list of instances in the event context to the ssm-tag-manager lambda in master account."
  role             = "${aws_iam_role.ssm_tag_collector_role.arn}"
  handler          = "ssmTagCollector.lambda_handler"
  # Hash the archive file itself; hashing the literal string "ssmTagCollector.zip"
  # would never change, so Terraform would not redeploy on code changes.
  source_code_hash = "${filebase64sha256(data.archive_file.ssm_tag_collector_zip.output_path)}"
  runtime          = "python3.6"
  timeout          = 25
  tags = {
    Name = "ssm_tag_collector_lambda"
  }
}
################################# END ##########################################


################################################################################
# API documentation check 1: API Documentation Part
# API documentation check 2: API Documentation Version
################################################################################
resource "aws_api_gateway_documentation_version" "example" {
  version     = "example_version"
  rest_api_id = "${aws_api_gateway_rest_api.tf_example_rest_api.id}"
  description = "Example description"
  depends_on  = ["aws_api_gateway_documentation_part.example"]
}

resource "aws_api_gateway_documentation_part" "example" {
  location {
    type   = "METHOD"
    method = "GET"
    path   = "/example"
  }
  properties  = "{\"description\":\"Example description\"}"
  rest_api_id = "${aws_api_gateway_rest_api.tf_example_rest_api.id}"
}

resource "aws_api_gateway_rest_api" "tf_example_rest_api" {
  name = "example_api"
  tags = {
    Name = "tf-example-rest-api"
  }
}
################################# END ##########################################
  2. terraform-compliance parameters
     -f
     -p
     --tags

  3. Run as python package

  4. None

  5. Scenario

Given I have resource that supports tags defined
Then it must contain tags
And its value must not be null

Expected behavior:
The scenario should fail the above Terraform code when the tags property is absent from a resource.

Tested versions:

  • terraform-compliance 1.2.11
  • Terraform 0.12.29
  • Python 3.7

Additional context
I found a similar issue here.
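The check the scenario above expresses, as an added example that is not terraform-compliance's own code: it reads the JSON form of a plan (what `terraform show -json` produces), picks the managed resources whose type supports tags, and fails each one whose `tags` attribute is absent, null (the case the issue reports as not failing in 1.2.11), or empty. The plan document is constructed inline to mirror the Terraform code in the report, with the aws_instance's tags commented out. Two assumptions are labelled in the code: the set of taggable types is a fixed allow-list here rather than derived from provider schemas, and the optional `required_keys` argument goes beyond the scenario on the page to cover the "specific tags are defined" case mentioned in the Terraform comments.

```python
"""Flag taggable resources in a Terraform plan that do not set tags.

Added example, not terraform-compliance's implementation. It mirrors the
three steps of the scenario:
  Given I have resource that supports tags defined
  Then it must contain tags
  And its value must not be null
"""
import json

# Constructed plan JSON reproducing the issue's Terraform code: the
# aws_instance has its tags block commented out, so the provider leaves the
# attribute null in the plan; the role and the lambda set a Name tag; the
# archive_file data source is not a managed resource and must be ignored.
PLAN_JSON = json.dumps({
    "format_version": "0.1",
    "planned_values": {"root_module": {"resources": [
        {"address": "aws_instance.tf-example-ec2", "type": "aws_instance",
         "mode": "managed",
         "values": {"ami": "ami-0323c3dd2da7fb37d",
                    "instance_type": "t2.micro", "tags": None}},
        {"address": "aws_iam_role.ssm_tag_collector_role",
         "type": "aws_iam_role", "mode": "managed",
         "values": {"tags": {"Name": "ssm_tag_collector_role"}}},
        {"address": "aws_lambda_function.ssm_tag_collector_lambda",
         "type": "aws_lambda_function", "mode": "managed",
         "values": {"function_name": "ssm-tag-collector",
                    "runtime": "python3.6",
                    "tags": {"Name": "ssm_tag_collector_lambda"}}},
        {"address": "data.archive_file.ssm_tag_collector_zip",
         "type": "archive_file", "mode": "data",
         "values": {"type": "zip"}},
    ]}},
})

# Assumption: a fixed allow-list decides which types "support tags";
# terraform-compliance derives this from provider schemas instead.
TAGGABLE_TYPES = {"aws_instance", "aws_iam_role", "aws_lambda_function",
                  "aws_api_gateway_rest_api"}


def iter_resources(module):
    """Yield managed resources from a plan module and its child modules,
    skipping data sources (mode == "data")."""
    for res in module.get("resources", []):
        if res.get("mode", "managed") == "managed":
            yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def check_tags(plan_json, required_keys=()):
    """Return (address, reason) pairs for every taggable resource that fails:
    tags attribute absent, tags null, tags empty, or a required key missing.
    required_keys is an assumption extending the page's scenario."""
    plan = json.loads(plan_json)
    failures = []
    for res in iter_resources(plan["planned_values"]["root_module"]):
        if res["type"] not in TAGGABLE_TYPES:
            continue
        values = res.get("values") or {}
        if "tags" not in values:
            failures.append((res["address"], "tags attribute absent"))
            continue
        tags = values["tags"]
        if tags is None:
            failures.append((res["address"], "tags is null"))
            continue
        if not tags:
            failures.append((res["address"], "tags is empty"))
            continue
        for key in required_keys:
            if key not in tags:
                failures.append((res["address"],
                                 f"required tag {key!r} missing"))
    return failures


if __name__ == "__main__":
    for address, reason in check_tags(PLAN_JSON, required_keys=("Name",)):
        print(f"FAIL {address}: {reason}")
```

Treating a null `tags` value the same as a missing attribute is the point: in plan JSON an optional attribute that the configuration never sets is usually present with a null value, so a check that only tests for key presence passes exactly the resource the report says should fail.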

@Kudbettin (Member)

Hi @nikhilswagle,

Thanks for submitting the issue.
A fix (#352) is opened, I will ping the issue once it's released.

@Kudbettin (Member)

Hi @nikhilswagle,

Could you give 1.3.2 a try?

@Kudbettin Kudbettin added the waiting for confirmation Workaround/Fix applied, waiting for confirmation label Aug 18, 2020
nikhilswagle (Author) commented Aug 19, 2020

Hi @Kudbettin,
We did some testing from our side and saw a strange behavior. To explain it I will need to give you the full picture.
We have classified our compliance features into certain categories. Each category of features has its own .feature file and is annotated with its category name. For example, the feature file annotated with @security has all the tests belonging to security.

Scenario 1:
If we intend to run only security tests in isolation we use the below command (with the --tags option)
terraform-compliance -f <location-of-feature-files> -p <tf-plan> --tags security
This only runs security tests and ignores tests from other feature files.

Scenario 2:
If we intend to run all tests across all features then we use the below command (without the --tags option)
terraform-compliance -f <location-of-feature-files> -p <tf-plan>

The fix #352 works in Scenario 1. It is able to identify the AWS resources without tags or resources without specific tags.
But when it comes to Scenario 2, the test is skipped over with the message "Can not find resource that supports tags defined in target terraform plan."

So unfortunately the issue still exists.
Not sure if this was newly introduced or always existed.

@Kudbettin Kudbettin removed the waiting for confirmation Workaround/Fix applied, waiting for confirmation label Aug 19, 2020
@Kudbettin (Member)

Nice tags usage! It seems the problem was introduced with 1.3 and is not related to changes in the last release.

The fix will likely be released tomorrow (#356). Thanks for pointing that out. I will ping the issue once again upon release.

@Kudbettin (Member)

Hi @nikhilswagle

I'm sorry for the late response. Could you give 1.3.3 a try?

@Kudbettin Kudbettin added the waiting for confirmation Workaround/Fix applied, waiting for confirmation label Aug 26, 2020
nikhilswagle (Author)

Thanks @Kudbettin
Gave 1.3.3 a shot. It works fine.
This issue can be closed now.

ghost commented Aug 26, 2020

This issue's conversation is now locked. If you want to continue this discussion please open a new issue.

@ghost ghost locked and limited conversation to collaborators Aug 26, 2020