Add Resource Invalid Tags rule

[marckysharky]

Add aws_resource_invalid_tags rule to support enforcing of specific values for the given tag keys.

[wata727]

Intuitively, this is a superset of the aws_resource_missing_tags rule, so it seems to make sense to extend it. What do you think?

[marckysharky]

@wata727 what are you referring to?
The code implementation, extension of the existing rule and modifying the interface, or both/something else?

[bendrucker]

If nothing else aws_resource_invalid_tags is a confusing name. Tags are optional so it's reasonable clear "missing" is a user-level construct. "Invalid" suggests they would not be accepted by AWS.

I would agree that it doesn't make sense to have one rule to require tag keys and a separate one for tag values. Seems like they should be consolidated into aws_resource_tags and the existing "missing" rule deprecated:

rule "aws_resource_tags" {
  required = ["Foo"]

  values = {
    Foo = ["Bar"]
    Baz = ["Qux"] # optional
  }
}

[marckysharky]

If we're happy to implement a single rule to provide both features for tags I would extend upon @bendrucker's comment above and propose the following:

rule "aws_resource_tags" {
  rules = {
    Foo = { values: ["Bar"], required: true },
    Baz = { values: ["Qux"] }, # not required by default
  }
}

The AWS Docs specify some hard restrictions on the tags which could be configured with an additionally adjusted DSL:

rule "aws_resource_tags" {
  tags_max_count       = 10, # default value from doc
  key_max_length       = 32, # default value from doc
  value_max_length     = 128, # default value from doc
  character_allow_list = ["+", "-", "="], # default value from doc
  
  rules = {
    Foo = { allowed_prefixes = ["foo:"] }, # support per-tag value prefix matching
    Baz = { allowed_characters = ["+", "-"] }, # support per-tag restriction of valid characters
    Xar = { max_length = 3 }, # support per-tag character length restriction
  }
}

NOTE: I am not suggesting the future implementation in this PR, just the former to meet the existing and proposed functionality:

• presence check
• value restrictions

[bendrucker]

required can be readily paired with forbidden in a flat configuration. Not a fan of putting a rules key in the configuration for a rule as it starts to overload "rule."

I don't expect we'll ever pursue all these knobs around allowed characters, length, etc. We don't need to create space for that at the expense of straightforward cases. It's an option, but we shouldn't be creating an awkward API with the expectation of extending it substantially.

A good practical goal here would be to support an Environment tag. It would have a few known values and should be used over equivalents like Env.