locals {
  // Common tag set for this mod; presumably merged into the tags of the
  // pipelines/triggers defined alongside it — verify against the consumers.
  aws_tags_common_tags = {
    category = "tags"
    plugin   = "aws"
    service  = "AWS"
  }
}
// Consts
locals {
  // Notification level names, alphabetical.
  level_error   = "error"
  level_info    = "info"
  level_verbose = "verbose"

  // Notification style names, alphabetical.
  style_alert = "alert"
  style_info  = "info"
  style_ok    = "ok"
}
// Notification level
locals {
  // Accepted notifier levels; the same strings as the level_* constants in the
  // Consts block. NOTE(review): presumably used to validate a notifier-level
  // input — confirm against the variable that references it.
  notification_level_enum = ["info", "verbose", "error"]
}
// Common Texts
locals {
  // Shared description strings so wording stays consistent wherever the same
  // input is declared. Keys are alphabetical; keep them that way when adding.
  description_account_id      = "The account ID of the resource."
  description_approvers       = "List of notifiers to be used for obtaining action/approval decisions."
  description_arn             = "The ARN of the resource."
  description_connection      = "Name of the AWS connection to be used for any authenticated actions."
  description_database        = "Database connection string."
  description_default_action  = "The default action to use for the detected item, used if no input is provided."
  description_enabled_actions = "The list of enabled actions to provide to approvers for selection."
  description_items           = "A collection of detected resources to run corrective actions against."
  description_max_concurrency = "The maximum concurrency to use for responding to detection items."
  description_notifier        = "The name of the notifier to use for sending notification messages."
  description_notifier_level  = "The verbosity level of notification messages to send."
  description_region          = "AWS Region of the resource(s)."
  description_title           = "Title of the resource, to be used as a display name."
  description_trigger_enabled = "If true, the trigger is enabled."
  description_trigger_schedule = "The schedule on which to run the trigger if enabled."
}
locals {
  // Allowed default actions for incorrect-tag detections.
  // NOTE(review): the meaning of each value (notify only / apply the tag
  // changes / skip the item) is inferred from the names — confirm in the
  // pipeline that consumes this list.
  incorrect_tags_default_action_enum = ["notify", "apply", "skip"]
}
locals {
  // var.base_tag_rules with every rule key defaulted, so callers may omit
  // any of them. Listed in the order the corresponding __*_OVERRIDE__
  // placeholders appear in tags_query_template rather than alphabetically.
  base_tag_rules = {
    update_keys   = try(var.base_tag_rules.update_keys, {})
    add           = try(var.base_tag_rules.add, {})
    remove_except = try(var.base_tag_rules.remove_except, [])
    remove        = try(var.base_tag_rules.remove, [])
    update_values = try(var.base_tag_rules.update_values, {})
  }
}
locals {
  // Comparison operators available to whatever expands the __*_OVERRIDE__
  // fragments below; "~" and "~*" are PostgreSQL regex matches (the template
  // is PostgreSQL: jsonb casts, jsonb_each_text). NOTE(review): this list is
  // not referenced in this file — confirm where it is consumed.
  operators = ["~", "~*", "like", "ilike", "="]

  // Per-resource tag diff: returns title/arn/region/account_id/conn plus
  // `remove` (jsonb array of keys to delete) and `upsert` (jsonb object of
  // key => value to set), and only rows where at least one of them is non-empty.
  // Keys starting with 'aws:' are filtered out in updated_tags, so they never
  // appear in either list.
  //
  // __TITLE__, __TABLE_NAME__ and the __*_OVERRIDE__ tokens are NOT bind
  // parameters: they are replaced textually before the query runs. The
  // replacement values presumably come from var.base_tag_rules (keys/values
  // chosen by whoever configures the mod), so the code that expands this
  // template must quote/escape them as SQL literals rather than splice them in
  // raw — TODO confirm in the expanding pipeline.
  // The `when false then key` / `when false then value` arms exist so the
  // override fragment may be empty and the CASE still parses.
  tags_query_template = <<-EOQ
    with tags as (
      select
        __TITLE__ as title,
        arn,
        region,
        account_id,
        sp_connection_name as conn,
        coalesce(tags, '{}'::jsonb) as tags,
        key,
        value
      from
        __TABLE_NAME__
      left join
        jsonb_each_text(tags) as t(key, value) on true
    ),
    updated_tags as (
      select
        arn,
        key as old_key,
        case
          when false then key
          __UPDATE_KEYS_OVERRIDE__
          else key
        end as new_key,
        value
      from
        tags
      where key is not null and key not like 'aws:%'
    ),
    required_tags as (
      select
        r.arn,
        null as old_key,
        a.key as new_key,
        a.value
      from
        (select distinct arn from __TABLE_NAME__) r
      cross join (
        values
          __ADD_OVERRIDE__
      ) as a(key, value)
      where not exists (
        select 1 from updated_tags ut where ut.arn = r.arn and ut.new_key = a.key
      )
    ),
    all_tags as (
      select arn, old_key, new_key, value from updated_tags
      union all
      select arn, old_key, new_key, value from required_tags where new_key is not null
    ),
    allowed_tags as (
      select distinct
        arn,
        new_key
      from (
        select
          arn,
          new_key,
          case
            __REMOVE_EXCEPT_OVERRIDE__
            else false
          end as allowed
        from all_tags
      ) a
      where allowed = true
    ),
    remove_tags as (
      select distinct arn, key from (
        select
          arn,
          new_key as key,
          case
            __REMOVE_OVERRIDE__
            else false
          end as remove
        from all_tags) r
      where remove = true
      union
      select arn, old_key as key from all_tags where old_key is not null and old_key != new_key
      union
      select arn, new_key as key from all_tags a where not exists (select 1 from allowed_tags at where at.arn = a.arn and at.new_key = a.new_key)
    ),
    updated_values as (
      select
        arn,
        new_key,
        value as old_value,
        case
          when false then value
          __UPDATE_VALUES_OVERRIDE__
          else value
        end as updated_value
      from
        all_tags
    )
    select * from (
      select
        t.title,
        t.arn,
        t.region,
        t.account_id,
        t.conn,
        coalesce((select jsonb_agg(key) from remove_tags rt where rt.arn = t.arn), '[]'::jsonb) as remove,
        coalesce((select jsonb_object_agg(at.new_key, at.value) from all_tags at where at.arn = t.arn and at.new_key != coalesce(at.old_key, '') and not exists (
          select 1 from remove_tags rt where rt.arn = at.arn and rt.key = at.new_key
        )), '{}'::jsonb) || coalesce((select jsonb_object_agg(uv.new_key, uv.updated_value) from updated_values uv where uv.arn = t.arn and uv.updated_value != uv.old_value and not exists (
          select 1 from remove_tags rt where rt.arn = uv.arn and rt.key = uv.new_key
        )), '{}'::jsonb) as upsert
      from
        tags t
      group by t.title, t.arn, t.region, t.account_id, t.conn
    ) result
    where remove != '[]'::jsonb or upsert != '{}'::jsonb;
  EOQ
}