📦 cloud-tagging-enforcer

v1.0.0

Enforce cloud resource tagging policies for cost allocation, compliance, and governance across AWS/GCP/Azure


Runtime dependencies

No special dependencies

Install command

Official: npx clawhub@latest install cloud-tagging-enforcer
Mirror (CN registry): npx clawhub@latest install cloud-tagging-enforcer --registry https://cn.longxiaskill.com

Skill documentation

Cloud Tagging Enforcer

Scan cloud infrastructure for missing, incorrect, or non-compliant resource tags. This skill teaches an AI agent to audit tagging across AWS, GCP, and Azure, define and validate tagging schemas, generate compliance reports, and produce remediation scripts that bring resources into policy compliance.

Use when: "check cloud tags", "untagged resources", "tagging policy", "cost allocation tags", "tag compliance", "enforce tags", "missing tags", "tag governance", "remediate tags"

Commands

  • scan -- Find untagged or non-compliant resources

Discover all resources that violate the tagging policy by having missing, empty, or incorrectly formatted tags.

Step 1: Define the expected tagging schema

Before scanning, establish what "compliant" means. Load the policy from the repository if one exists, otherwise define defaults.

```bash
# Check if a tagging policy file exists in the repo
rg -l "tagging.policy|tag.schema|required.tags" . -g '*.{json,yaml,yml,toml}'

# If no policy exists, use a sensible default for cost allocation and governance
cat <<'POLICY'
required_tags:
  - key: "Environment"
    allowed_values: ["production", "staging", "development", "sandbox"]
  - key: "Owner"
    pattern: "^[a-z]+@[a-z]+\\.[a-z]+$"
  - key: "Team"
    allowed_values: []   # any non-empty value
  - key: "CostCenter"
    pattern: "^CC-[0-9]{4}$"
  - key: "Project"
    allowed_values: []   # any non-empty value
  - key: "ManagedBy"
    allowed_values: ["terraform", "cloudformation", "pulumi", "manual"]
POLICY
```

Step 2: Scan AWS resources

```bash
# AWS: Find all resources missing required tags using the Resource Groups Tagging API
# This is the most efficient API -- covers 50+ resource types in one call
# (the CLI paginates by default, so every page of results is included)
aws resourcegroupstaggingapi get-resources \
  --output json | python3 -c "
import sys, json

required_keys = ['Environment', 'Owner', 'Team', 'CostCenter', 'Project']
data = json.load(sys.stdin)
violations = []

for resource in data.get('ResourceTagMappingList', []):
    arn = resource['ResourceARN']
    tags = {t['Key']: t['Value'] for t in resource.get('Tags', [])}
    missing = [k for k in required_keys if k not in tags]
    empty = [k for k in required_keys if k in tags and not tags[k].strip()]

    if missing or empty:
        violations.append({
            'arn': arn,
            'missing_tags': missing,
            'empty_tags': empty,
            'existing_tags': tags
        })

print(f'Total resources scanned: {len(data.get(\"ResourceTagMappingList\", []))}')
print(f'Non-compliant resources: {len(violations)}')
print()
for v in violations[:20]:
    svc = v['arn'].split(':')[2]
    print(f'  {svc}: {v[\"arn\"]}')
    if v['missing_tags']:
        print(f'    MISSING: {v[\"missing_tags\"]}')
    if v['empty_tags']:
        print(f'    EMPTY: {v[\"empty_tags\"]}')
    print()
if len(violations) > 20:
    print(f'  ... and {len(violations) - 20} more')
"
```

```bash
# AWS: Find EC2 instances specifically without the Environment tag
# (JMESPath string literals are backtick-quoted)
aws ec2 describe-instances \
  --filters "Name=instance-state-name,Values=running" \
  --query 'Reservations[].Instances[?!not_null(Tags[?Key==`Environment`].Value | [0])].{ID:InstanceId,Name:Tags[?Key==`Name`]|[0].Value,Type:InstanceType}' \
  --output table
```

```bash
# AWS: Find untagged S3 buckets
# get-bucket-tagging fails with NoSuchTagSet on untagged buckets, so an empty
# result means the bucket has no tags at all
for bucket in $(aws s3api list-buckets --query 'Buckets[].Name' --output text); do
  tags=$(aws s3api get-bucket-tagging --bucket "$bucket" 2>/dev/null | python3 -c "
import sys, json
data = json.load(sys.stdin)
keys = [t['Key'] for t in data.get('TagSet', [])]
print(','.join(keys))
" 2>/dev/null)
  if [ -z "$tags" ]; then
    echo "UNTAGGED: s3://$bucket"
  fi
done
```

Step 3: Scan GCP resources

```bash
# GCP: Find instances without required labels (GCP label keys are lowercase)
gcloud compute instances list --format=json | python3 -c "
import sys, json

required_labels = ['environment', 'owner', 'team', 'cost-center', 'project']
instances = json.load(sys.stdin)
for inst in instances:
    labels = inst.get('labels', {})
    missing = [l for l in required_labels if l not in labels]
    if missing:
        zone = inst['zone'].split('/')[-1]
        print(f'NON-COMPLIANT: {inst[\"name\"]} ({zone})')
        print(f'  Missing labels: {missing}')
"

# GCP: Scan all project resources using Cloud Asset Inventory
gcloud asset search-all-resources \
  --scope="projects/$GCP_PROJECT" \
  --query="NOT labels:environment" \
  --format="table(name.basename(), assetType, labels)"
```

Step 4: Scan Azure resources

```bash
# Azure: Find resources without required tags
az resource list \
  --query "[?tags.Environment==null || tags.Owner==null].{Name:name,Type:type,RG:resourceGroup,Tags:tags}" \
  --output table

# Azure: Get a compliance percentage by resource group
# (a resource counts as compliant only if every required tag is present and non-empty)
az resource list --output json | python3 -c "
import sys, json
from collections import defaultdict

required = ['Environment', 'Owner', 'Team', 'CostCenter']
resources = json.load(sys.stdin)
rg_stats = defaultdict(lambda: {'total': 0, 'compliant': 0})

for r in resources:
    rg = r.get('resourceGroup', 'unknown')
    tags = r.get('tags') or {}
    rg_stats[rg]['total'] += 1
    if all(tags.get(k, '').strip() for k in required):
        rg_stats[rg]['compliant'] += 1

for rg, st in sorted(rg_stats.items()):
    pct = 100 * st['compliant'] / st['total']
    print(f'{rg}: {st[\"compliant\"]}/{st[\"total\"]} compliant ({pct:.0f}%)')
"
```
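The scan scripts above only report tags that are missing or empty, while the default policy from Step 1 also constrains allowed values and formats. The following added example (not part of the skill's own code) evaluates a constructed sample of `resourcegroupstaggingapi get-resources` output against that full policy; the ARNs and tag values in `SAMPLE` are made up for illustration.

```python
import re

# Default policy from Step 1; an empty allowed_values list means "any non-empty value".
POLICY = {
    "Environment": {"allowed_values": ["production", "staging", "development", "sandbox"]},
    "Owner": {"pattern": r"^[a-z]+@[a-z]+\.[a-z]+$"},
    "Team": {"allowed_values": []},
    "CostCenter": {"pattern": r"^CC-[0-9]{4}$"},
    "Project": {"allowed_values": []},
    "ManagedBy": {"allowed_values": ["terraform", "cloudformation", "pulumi", "manual"]},
}

def check_tags(tags, policy=POLICY):
    """Return violations of one tag map by kind (missing, empty, not_allowed, bad_format)."""
    found = {"missing": [], "empty": [], "not_allowed": [], "bad_format": []}
    for key, rule in policy.items():
        if key not in tags:
            found["missing"].append(key)
            continue
        value = tags[key].strip()
        if not value:
            found["empty"].append(key)
        elif rule.get("allowed_values") and value not in rule["allowed_values"]:
            found["not_allowed"].append(key)
        elif rule.get("pattern") and not re.match(rule["pattern"], value):
            found["bad_format"].append(key)
    return {kind: keys for kind, keys in found.items() if keys}   # {} means compliant

def scan_tagging_api_output(data, policy=POLICY):
    """Evaluate every entry of a get-resources JSON document; return the non-compliant ones."""
    report = []
    for resource in data.get("ResourceTagMappingList", []):
        tags = {t["Key"]: t["Value"] for t in resource.get("Tags", [])}
        problems = check_tags(tags, policy)
        if problems:
            report.append({"arn": resource["ResourceARN"], **problems})
    return report

# Constructed sample in the shape `aws resourcegroupstaggingapi get-resources` returns.
SAMPLE = {"ResourceTagMappingList": [
    {"ResourceARN": "arn:aws:ec2:us-east-1:111122223333:instance/i-0constructed1",
     "Tags": [{"Key": "Environment", "Value": "prod"}, {"Key": "Owner", "Value": "alice@example.com"},
              {"Key": "Team", "Value": "platform"}, {"Key": "CostCenter", "Value": "CC-12"},
              {"Key": "Project", "Value": "billing"}, {"Key": "ManagedBy", "Value": "terraform"}]},
    {"ResourceARN": "arn:aws:s3:::constructed-compliant-bucket",
     "Tags": [{"Key": "Environment", "Value": "staging"}, {"Key": "Owner", "Value": "bob@example.org"},
              {"Key": "Team", "Value": "data"}, {"Key": "CostCenter", "Value": "CC-4321"},
              {"Key": "Project", "Value": "lake"}, {"Key": "ManagedBy", "Value": "pulumi"}]},
]}
```

Feeding `json.load(sys.stdin)` into `scan_tagging_api_output` drops this straight into the `python3 -c` pipeline from Step 2; on the sample, only the EC2 instance is reported, for the abbreviated `prod` value and the short `CC-12` cost center.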

Data source: ClawHub · Chinese localization: 龙虾技能库