From e6c20e77dcce083bd2d8850ec397f4166bb394a5 Mon Sep 17 00:00:00 2001
From: bouerghi-opticca <101893671+bouerghi-opticca@users.noreply.github.com>
Date: Thu, 29 Sep 2022 12:11:20 -0400
Subject: [PATCH] add all the resource that can be tagged in aws
---
 .../aws/enforce-mandatory-tags.sentinel | 132 +++++++++++++++++-
 1 file changed, 129 insertions(+), 3 deletions(-)
diff --git a/governance/third-generation/aws/enforce-mandatory-tags.sentinel b/governance/third-generation/aws/enforce-mandatory-tags.sentinel
index 9edc54a38..efe0d28f9 100644
--- a/governance/third-generation/aws/enforce-mandatory-tags.sentinel
+++ b/governance/third-generation/aws/enforce-mandatory-tags.sentinel
@@ -11,15 +11,141 @@ import "aws-functions" as aws
 # List of resources that are required to have name/value tags
 param resource_types default [
- "aws_s3_bucket",
- "aws_instance",
+ "aws_s3_bucket","aws_instance","aws_acm_certificate","aws_api_gateway_api_key","aws_api_gateway_client_certificate","aws_api_gateway_domain_name","aws_api_gateway_rest_api","aws_api_gateway_vpc_link","aws_apigatewayv2_api","aws_apigatewayv2_stage","aws_apigatewayv2_vpc_link",
+ "aws_amplify_app","aws_amplify_branch",
+ "aws_appmesh_gateway_route","aws_appmesh_mesh","aws_appmesh_route","aws_appmesh_virtual_gateway","aws_appmesh_virtual_node","aws_appmesh_virtual_router","aws_appmesh_virtual_service",
+ "aws_apprunner_auto_scaling_configuration_version","aws_apprunner_connection","aws_apprunner_observability_configuration","aws_apprunner_observability_configuration","aws_apprunner_vpc_connector",
+ "aws_appconfig_application","aws_appconfig_configuration_profile","aws_appconfig_deployment","aws_appconfig_deployment_strategy","aws_appconfig_environment","aws_appflow_flow",
+ "aws_appintegrations_event_integration",
+ "aws_appstream_fleet","aws_appstream_image_builder","aws_appstream_stack","aws_appsync_graphql_api",
+ "aws_athena_data_catalog","aws_athena_workgroup",
+ "aws_autoscaling_group",
+ "aws_backup_plan","aws_backup_report_plan","aws_backup_vault",
+ "aws_batch_compute_environment","aws_batch_job_definition","aws_batch_job_queue","aws_batch_scheduling_policy",
+ "aws_ce_anomaly_monitor","aws_ce_cost_category",
+ "aws_service_discovery_http_namespace","aws_service_discovery_private_dns_namespace","aws_service_discovery_service",
+ "aws_cloud9_environment_ec2","aws_cloudformation_stack","aws_cloudformation_stack_set",
+ "aws_cloudfront_distribution",
+ "aws_cloudhsm_v2_cluster",
+ "aws_cloudtrail",
+ "aws_cloudwatch_composite_alarm","aws_cloudwatch_metric_alarm","aws_cloudwatch_metric_stream","aws_applicationinsights_application","aws_cloudwatch_log_group",
+ "aws_rum_app_monitor",
+ "aws_codeartifact_domain","aws_codeartifact_repository",
+ "aws_codebuild_project","aws_codebuild_report_group","aws_codecommit_repository",
+ "aws_codedeploy_app","aws_codedeploy_deployment_group",
+ "aws_codepipeline","aws_codepipeline_webhook",
+ "aws_codestarconnections_connection",
+ "aws_codestarnotifications_notification_rule",
+ "aws_cognito_user_pool","aws_cognito_identity_pool",
+ "aws_comprehend_entity_recognizer",
+ "aws_config_aggregate_authorization","aws_config_config_rule","aws_config_configuration_aggregator",
+ "aws_connect_contact_flow","aws_connect_contact_flow_module","aws_connect_hours_of_operation","aws_connect_queue","aws_connect_routing_profile","aws_connect_security_profile","aws_connect_user_hierarchy_group","aws_connect_vocabulary",
+ "aws_dlm_lifecycle_policy",
+ "aws_dms_certificate","aws_dms_endpoint","aws_dms_event_subscription","aws_dms_replication_instance","aws_dms_replication_subnet_group","aws_dms_replication_task",
+ "aws_directory_service_directory","aws_directory_service_region",
+ "aws_dataexchange_data_set","aws_dataexchange_revision",
+ "aws_datapipeline_pipeline",
+ "aws_datasync_agent","aws_datasync_location_efs","aws_datasync_location_fsx_lustre_file_system","aws_datasync_location_fsx_openzfs_file_system","aws_datasync_location_fsx_windows_file_system","aws_datasync_location_hdfs","aws_datasync_location_nfs","aws_datasync_location_s3","aws_datasync_location_smb","aws_datasync_task",
+ "aws_detective_graph",
+ "aws_devicefarm_device_pool","aws_devicefarm_instance_profile","aws_devicefarm_network_profile","aws_devicefarm_project","aws_devicefarm_test_grid_project",
+ "aws_dx_connection","aws_dx_hosted_private_virtual_interface_accepter","aws_dx_hosted_public_virtual_interface_accepter","aws_dx_hosted_transit_virtual_interface_accepter","aws_dx_private_virtual_interface","aws_dx_public_virtual_interface","aws_dx_transit_virtual_interface",
+ "aws_docdb_cluster","aws_docdb_cluster_instance","aws_docdb_cluster_parameter_group","aws_docdb_event_subscription","aws_docdb_subnet_group",
+ "aws_dynamodb_table","aws_dynamodb_table_replica","aws_dax_cluster",
+ "aws_ebs_snapshot","aws_ebs_snapshot_copy","aws_ebs_snapshot_import","aws_ebs_volume",
+ "aws_ami","aws_ami_copy","aws_ami_from_instance","aws_ec2_capacity_reservation","aws_ec2_fleet","aws_ec2_host","aws_eip","aws_instance","aws_key_pair","aws_launch_template","aws_placement_group","aws_spot_fleet_request","aws_spot_instance_request",
+ "aws_imagebuilder_component","aws_imagebuilder_container_recipe","aws_imagebuilder_distribution_configuration","aws_imagebuilder_image","aws_imagebuilder_image_pipeline","aws_imagebuilder_image_recipe","aws_imagebuilder_infrastructure_configuration",
+ "aws_ecr_repository","aws_ecrpublic_repository",
+ "aws_ecs_capacity_provider","aws_ecs_task_definition","aws_ecs_task_set",
+ "aws_efs_access_point","aws_efs_file_system",
+ "aws_eks_cluster","aws_eks_fargate_profile","aws_eks_identity_provider_config","aws_eks_node_group",
+ "aws_lb",
+ "aws_emr_cluster","aws_emr_studio","aws_emrcontainers_virtual_cluster","aws_emrserverless_application",
+ "aws_elasticache_cluster","aws_elasticache_parameter_group","aws_elasticache_subnet_group",
+ "aws_elastic_beanstalk_application","aws_elastic_beanstalk_application_version","aws_elastic_beanstalk_environment",
+ "aws_elasticsearch_domain",
+ "aws_media_convert_queue",
+ "aws_medialive_input","aws_medialive_input_security_group","aws_medialive_multiplex",
+ "aws_media_package_channel","aws_media_store_container",
+ "aws_cloudwatch_event_bus","aws_cloudwatch_event_rule",
+ "aws_schemas_discoverer","aws_schemas_registry","aws_schemas_schema"
+ "aws_fis_experiment_template",
+ "aws_fms_policy",
+ "aws_fsx_backup","aws_fsx_data_repository_association","aws_fsx_lustre_file_system","aws_fsx_ontap_file_system","aws_fsx_ontap_storage_virtual_machine","aws_fsx_ontap_volume","aws_fsx_openzfs_file_system","aws_fsx_openzfs_snapshot","aws_fsx_openzfs_volume",
+ "aws_gamelift_alias","aws_gamelift_build","aws_gamelift_fleet","aws_gamelift_game_server_group","aws_gamelift_game_session_queue","aws_gamelift_script",
+ "aws_globalaccelerator_accelerator",
+ "aws_glue_connection","aws_glue_crawler","aws_glue_dev_endpoint","aws_glue_job","aws_glue_registry","aws_glue_schema","aws_glue_trigger","aws_glue_workflow",
+ "aws_guardduty_detector","aws_guardduty_filter","aws_guardduty_ipset","aws_guardduty_threatintelset",
+ "aws_iam_instance_profile","aws_iam_openid_connect_provider","aws_iam_policy","aws_iam_role","aws_iam_saml_provider","aws_iam_service_linked_role","aws_iam_user",
+ "aws_accessanalyzer_analyzer",
+ "aws_inspector_assessment_template",
+ "aws_inspector_resource_group",
+ "aws_iot_provisioning_template","aws_iot_thing_group","aws_iot_thing_type",
+ "aws_kms_external_key","aws_kms_key","aws_kms_replica_external_key","aws_kms_replica_key",
+ "aws_kendra_data_source","aws_kendra_faq","aws_kendra_index","aws_kendra_query_suggestions_block_list","aws_kendra_thesaurus",
+ "aws_keyspaces_keyspace","aws_keyspaces_table",
+ "aws_kinesis_stream","aws_kinesis_analytics_application","aws_kinesisanalyticsv2_application","aws_kinesis_firehose_delivery_stream","aws_kinesis_video_stream",
+ "aws_lambda_function",
+ "aws_licensemanager_license_configuration",
+ "aws_lightsail_container_service","aws_lightsail_database","aws_lightsail_instance",
+ "aws_location_geofence_collection","aws_location_map","aws_location_place_index","aws_location_route_calculator","aws_location_tracker",
+ "aws_mq_broker","aws_mq_configuration",
+ "aws_mwaa_environment",
+ "aws_macie2_classification_job","aws_macie2_custom_data_identifier","aws_macie2_findings_filter","aws_macie2_member",
+ "aws_grafana_workspace",
+ "aws_msk_cluster",
+ "aws_memorydb_acl","aws_memorydb_cluster","aws_memorydb_parameter_group","aws_memorydb_snapshot","aws_memorydb_subnet_group","aws_memorydb_user",
+ "aws_neptune_cluster","aws_neptune_cluster_endpoint","aws_neptune_cluster_instance","aws_neptune_cluster_parameter_group","aws_neptune_event_subscription","aws_neptune_parameter_group","aws_neptune_subnet_group",
+ "aws_networkfirewall_firewall","aws_networkfirewall_firewall_policy","aws_networkfirewall_rule_group",
+ "aws_networkmanager_connection","aws_networkmanager_device","aws_networkmanager_global_network","aws_networkmanager_link","aws_networkmanager_site","aws_networkmanager_transit_gateway_peering","aws_networkmanager_transit_gateway_route_table_attachment","aws_networkmanager_vpc_attachment",
+ "aws_opensearch_domain",
+ "aws_opsworks_custom_layer","aws_opsworks_ecs_cluster_layer","aws_opsworks_ganglia_layer","aws_opsworks_haproxy_layer","aws_opsworks_java_app_layer","aws_opsworks_memcached_layer","aws_opsworks_mysql_layer","aws_opsworks_nodejs_app_layer","aws_opsworks_php_app_layer","aws_opsworks_rails_app_layer","aws_opsworks_stack","aws_opsworks_static_web_layer",
+ "aws_quicksight_data_source",
+"aws_ram_resource_share",
+"aws_db_cluster_snapshot","aws_db_event_subscription","aws_db_instance","aws_db_option_group","aws_db_parameter_group","aws_db_proxy","aws_db_proxy_endpoint","aws_db_security_group","aws_db_snapshot","aws_db_snapshot_copy","aws_db_subnet_group","aws_rds_cluster","aws_rds_cluster_endpoint","aws_rds_cluster_instance","aws_rds_cluster_parameter_group",
+"aws_redshift_cluster","aws_redshift_event_subscription","aws_redshift_hsm_client_certificate","aws_redshift_hsm_configuration","aws_redshift_parameter_group","aws_redshift_snapshot_copy_grant","aws_redshift_snapshot_schedule","aws_redshift_subnet_group","aws_redshift_usage_limit",
+"aws_redshiftserverless_namespace","aws_redshiftserverless_workgroup",
+"aws_resourcegroups_group",
+"aws_rolesanywhere_profile","aws_rolesanywhere_trust_anchor",
+"aws_route53_health_check",
+"aws_route53domains_registered_domain",
+"aws_route53recoveryreadiness_cell","aws_route53recoveryreadiness_readiness_check","aws_route53recoveryreadiness_recovery_group","aws_route53recoveryreadiness_resource_set",
+"aws_route53_resolver_endpoint","aws_route53_resolver_firewall_domain_list","aws_route53_resolver_firewall_rule_group","aws_route53_resolver_firewall_rule_group_association","aws_route53_resolver_query_log_config","aws_route53_resolver_rule",
+"aws_s3_bucket","aws_s3_bucket_analytics_configuration","aws_s3_bucket_intelligent_tiering_configuration","aws_s3_bucket_lifecycle_configuration","aws_s3_bucket_metric","aws_s3_bucket_object","aws_s3_bucket_replication_configuration","aws_s3_object","aws_s3_object_copy",
+"aws_s3control_bucket","aws_s3control_bucket_lifecycle_configuration",
+"aws_glacier_vault",
+"aws_sfn_activity","aws_sfn_state_machine",
+"aws_sns_topic",
+"aws_sqs_queue",
+"aws_ssm_activation","aws_ssm_document","aws_ssm_maintenance_window","aws_ssm_parameter","aws_ssm_patch_baseline",
+"aws_ssoadmin_permission_set",
+"aws_swf_domain","
+"aws_sagemaker_app","aws_sagemaker_app_image_config","aws_sagemaker_code_repository","aws_sagemaker_device_fleet","aws_sagemaker_domain","aws_sagemaker_endpoint","aws_sagemaker_endpoint_configuration","aws_sagemaker_feature_group","aws_sagemaker_flow_definition","aws_sagemaker_human_task_ui","aws_sagemaker_image","aws_sagemaker_model","aws_sagemaker_model_package_group","aws_sagemaker_notebook_instance","aws_sagemaker_project","aws_sagemaker_studio_lifecycle_config","aws_sagemaker_user_profile","aws_sagemaker_workteam",
+"aws_secretsmanager_secret",
+"aws_serverlessapplicationrepository_cloudformation_stack",
+"aws_servicecatalog_portfolio","aws_servicecatalog_product","aws_servicecatalog_provisioned_product",
+"aws_shield_protection","aws_shield_protection_group"
+"aws_signer_signing_profile",
+"aws_storagegateway_cached_iscsi_volume","aws_storagegateway_file_system_association","aws_storagegateway_gateway","aws_storagegateway_nfs_file_share","aws_storagegateway_smb_file_share","aws_storagegateway_stored_iscsi_volume","aws_storagegateway_tape_pool"
+"aws_timestreamwrite_database","aws_timestreamwrite_table",
+"aws_transcribe_language_model","aws_transcribe_medical_vocabulary","aws_transcribe_vocabulary","aws_transcribe_vocabulary_filter",
+"aws_transfer_server","aws_transfer_user","aws_transfer_workflow",
+"aws_ec2_transit_gateway","aws_ec2_transit_gateway_connect","aws_ec2_transit_gateway_connect_peer","aws_ec2_transit_gateway_multicast_domain","aws_ec2_transit_gateway_peering_attachment","aws_ec2_transit_gateway_peering_attachment_accepter","aws_ec2_transit_gateway_policy_table","aws_ec2_transit_gateway_route_table","aws_ec2_transit_gateway_vpc_attachment","aws_ec2_transit_gateway_vpc_attachment_accepter",
+"aws_default_network_acl","aws_default_route_table","aws_default_security_group","aws_default_vpc_dhcp_options","aws_ec2_managed_prefix_list","aws_ec2_network_insights_analysis","aws_ec2_network_insights_path","aws_ec2_traffic_mirror_filter","aws_ec2_traffic_mirror_session","aws_ec2_traffic_mirror_target","aws_egress_only_internet_gateway","aws_flow_log","aws_internet_gateway","aws_nat_gateway","aws_network_acl","aws_network_interface",",aws_route_table","aws_security_group","aws_subnet","aws_vpc","aws_vpc_dhcp_options","aws_vpc_endpoint","aws_vpc_endpoint_service","aws_vpc_peering_connection","aws_vpc_peering_connection_accepter",
+"aws_vpc_ipam","aws_vpc_ipam_pool",
+"aws_ec2_client_vpn_endpoint",
+"aws_customer_gateway","aws_vpn_connection","aws_vpn_gateway",
+"aws_wafv2_ip_set","aws_wafv2_regex_pattern_set","aws_wafv2_rule_group",aws_wafv2_web_acl",
+"aws_wafregional_rate_based_rule","aws_wafregional_rule","aws_wafregional_rule_group","aws_wafregional_web_acl",
+"aws_ec2_carrier_gateway",
+"aws_workspaces_directory","aws_workspaces_ip_group","aws_workspaces_workspace",
+"aws_xray_group","aws_appflow_flow"
 ]
 # List of mandatory tags
 # Note that the tags here are for internal HashiCorp usage
 # You should assign your own tags in a "mandatory_tags" parameter in your policy set
 # Or change the tags here in the policy.
-param mandatory_tags default ["Name", "ttl", "owner", "se-region", "purpose", "terraform"]
+param mandatory_tags default ["Billing","Owner","Environment","Application","Name"]
 # Get all AWS Resources with standard tags
 allAWSResourcesWithStandardTags =
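Review bot: The new `resource_types` list will not parse, so the policy errors at load time instead of enforcing anything: a comma is missing after `"aws_schemas_schema"`, `"aws_shield_protection_group"` and `"aws_storagegateway_tape_pool"`, `"aws_swf_domain","` has a stray trailing quote, and `,aws_wafv2_web_acl"` lacks its opening quote. `",aws_route_table"` is syntactically valid but the comma sits inside the string, so `aws_route_table` silently escapes the tag check; it should read `"aws_route_table"`. Several types are listed twice (`aws_instance`, `aws_s3_bucket`, `aws_appflow_flow`, `aws_apprunner_observability_configuration`), and the S3 sub-resources such as `aws_s3_bucket_lifecycle_configuration`, `aws_s3_bucket_metric` and `aws_s3_bucket_replication_configuration` do not appear to accept a `tags` argument, so they would presumably always be reported as violations — worth confirming against the provider docs before keeping them. Because this list is now the policy's entire allowlist of tag-enforced types, I would put it one type per line, sorted, with a consistent two-space indent (entries from `"aws_ram_resource_share"` onward drop the indent) so future additions diff cleanly and typos like these stay visible, and update the comment above `mandatory_tags`, which still describes the removed HashiCorp-internal defaults.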