Merge pull request #14 from doitintl/tyler/CSI-1648

Validate tags before allowing CDK to deploy changes

Author: neoakris

config/eks/global_baseline_eks_config.ts

@@ -9,28 +9,14 @@ import request from 'sync-request-curl'; //npm install sync-request-curl (cdk re
 
 //export function apply_config(config: Easy_EKS_Config_Data, stack: cdk.Stack, cluster: eks.Cluster){ //config: is of type Easy_EKS_Config_Data
 export function apply_config(config: Easy_EKS_Config_Data, stack: cdk.Stack){ //config: is of type Easy_EKS_Config_Data    
-    config.addTag("AWS Tag Allowed Characters", "letters numbers + - = . _ : / @ WebSiteLinks");
-    config.addTag("AWS Tag Forbidden Characters", "Hashtag Comma SingleQuote DoubleQuote Parenthesis QuestionMark Asterisk Ampersand https://docs.aws.amazon.com/codeguru/latest/bugbust-ug/limits-tags.html");
     config.addTag("IaC Tooling used for Provisioning and Management of this EKS Cluster", "cdk: a CLI tool that stands for AWS Cloud Development Kit.");
     config.addTag("Upstream Methodology Docs", "https://github.com/doitintl/easyeks");
-    //^-- NOTE: hashtag(#)   comma(,)   singlequote(')   doublequote(\")   parenthesis()   and more are not valid tag values
-    //    https://docs.aws.amazon.com/codeguru/latest/bugbust-ug/limits-tags.html
-    /*Note it's possible when updating tags, that you could see 
-    An error like AWS::EKS::Nodegroup "Update is not supported for the following properties"
-    If that happens temporarily edit the following line in Easy_EKS.ts
-    this.cluster.addNodegroupCapacity(`default_MNG`, default_MNG);
-    to
-    this.cluster.addNodegroupCapacity(`default_MNG-1`, default_MNG);
-    redeploy and it'll go through
-    then rename it back
-    Note: 
-    After setting default_MNG-1, you may see ...is in UPDATE_ROLLBACK_FAILED state and can not be updated
-    If so, go to CloudFormation -> stack -> Stack actions -> continue update rollback for stack - Advanced troubleshooting
-    --> resources to skip - optional (check the box) --> Continue update rollback. 
-    (wait 10 sec, then retry cdk deploy stack)
-    */
-    ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
-
+    //^-- NOTE: AWS tag restrictions vary by service, but generally only letters, numbers, spaces, and the following characters are allowed: + - = . _ : / @
+    //    Tags are validated by the validateTag() function in lib/Utilities.ts before deployment
+    //    More details:
+    //      - https://docs.aws.amazon.com/eks/latest/userguide/eks-using-tags.html#tag-restrictions
+    //      - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#tag-restrictions
+    
 }//end apply_config()
 
 ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

config/vpc/global_baseline_vpc_config.ts

@@ -2,10 +2,11 @@ import { Opinionated_VPC_Config_Data } from '../../lib/Opinionated_VPC_Config_Da
 import * as cdk from 'aws-cdk-lib';
 
 export function apply_config(config: Opinionated_VPC_Config_Data, stack: cdk.Stack){ //config: is of type Opinionated_VPC_Config_Data
-    config.addTag("AWS Tag Allowed Characters", "letters numbers + - = . _ : / @ WebSiteLinks");
-    config.addTag("AWS Tag Forbidden Character", "Hashtag Comma SingleQuote DoubleQuote Parenthesis QuestionMark Asterisk Ampersand https://docs.aws.amazon.com/codeguru/latest/bugbust-ug/limits-tags.html");
     config.addTag("IaC Tooling used for Provisioning and Management of this VPC", "cdk: a CLI tool that stands for AWS Cloud Development Kit.");
     config.addTag("Upstream Methodology Docs", "https://github.com/doitintl/easyeks");
-    //^-- NOTE: hashtag(#)   comma(,)   singlequote(')   doublequote(\")   parenthesis()   and more are not valid tag values
-    //    https://docs.aws.amazon.com/codeguru/latest/bugbust-ug/limits-tags.html
+    //^-- NOTE: AWS tag restrictions vary by service, but generally only letters, numbers, spaces, and the following characters are allowed: + - = . _ : / @
+    //    Tags are validated by the validateTag() function in lib/Utilities.ts before deployment
+    //    More details:
+    //      - https://docs.aws.amazon.com/eks/latest/userguide/eks-using-tags.html#tag-restrictions
+    //      - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#tag-restrictions
 }//end apply_config

lib/Easy_EKS_Config_Data.ts

@@ -4,6 +4,7 @@ import * as eks from 'aws-cdk-lib/aws-eks';
 import * as ec2 from 'aws-cdk-lib/aws-ec2';
 import * as iam from 'aws-cdk-lib/aws-iam';
 import { execSync } from 'child_process';
+import { validateTag } from './Utilities';
 
 type Optional<T, K extends keyof T> = Pick<Partial<T>, K> & Omit<T, K>;
 type EKSAddOnInput = Optional<eks.CfnAddonProps, 'clusterName'>; //makes clusterName Optional parameter
@@ -83,9 +84,15 @@ export class Easy_EKS_Config_Data { //This object just holds config data.
     }
     setKubernetesVersion(version: KubernetesVersion){ this.kubernetesVersion = version; }
     setKubectlLayer(version: cdk.aws_lambda.ILayerVersion ){ this.kubectlLayer = version; }
-    addTag(key: string, value: string){ 
-        if(this.tags === undefined){ this.tags = { [key] : value } }
-        else{ this.tags = { ...this.tags, [key] : value }}
+    addTag(key: string, value: string){
+        try {
+            validateTag(key, value)
+            if(this.tags === undefined){ this.tags = { [key] : value } }
+            else{ this.tags = { ...this.tags, [key] : value }}
+        } catch (error: any) {
+            console.error("Error:", error.message)
+            throw "Error validating tags. See details above"// Using throw here to stop the checks; otherwise an error will print out for every place this tag would be applied, and the process will continue
+        }
     }
     setBaselineMNGSize(num_baseline_nodes: number){
         this.baselineNodesNumber = num_baseline_nodes;

lib/Opinionated_VPC_Config_Data.ts

@@ -1,5 +1,6 @@
 import { FckNatInstanceProvider, FckNatInstanceProps } from 'cdk-fck-nat' //source: npm install cdk-fck-nat@latest
 import * as ec2 from 'aws-cdk-lib/aws-ec2';
+import { validateTag } from './Utilities';
 
 export class Opinionated_VPC_Config_Data { //This object just holds config data.
     //Typescript(TS) readability notes
@@ -30,9 +31,15 @@ export class Opinionated_VPC_Config_Data { //This object just holds config data.
 
 
     //Config Snippet Population Methods
-    addTag(key: string, value: string){ 
-        if(this.tags === undefined){ this.tags = [{key: key, value: value}] }
-        else{ this.tags.push({key: key, value: value}) }
+    addTag(key: string, value: string){
+        try {
+            validateTag(key, value)
+            if(this.tags === undefined){ this.tags = [{key: key, value: value}] }
+            else{ this.tags.push({key: key, value: value}) }
+        } catch (error: any) {
+            console.error("Error:", error.message)
+            throw "Error validating tags. See details above"// Using throw here to stop the checks; otherwise an error will print out for every place this tag would be applied, and the process will continue
+        }
     }
     setNatGatewayProviderAsFckNat(props: FckNatInstanceProps){
         this.natGatewayProvider = new FckNatInstanceProvider( props );

lib/Utilities.ts

@@ -0,0 +1,24 @@
+class InvalidInputError extends Error {
+    constructor(message: string) {
+        super(message);
+        this.name = "InvalidInputError";
+    }
+}
+
+export function validateTag(key: string, value: string){
+    const allowedChars = "^([\\p{L}\\p{Z}\\p{N}_.:/=+\\-@]*)$"; // https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_Tag.html; also using cfn-lint as a baseline
+    // The set of allowed characters varies by service, from basically any character to a strict set of English alphanumeric characters and a few symbols
+    const allowedCharsText = "The string can only contain Unicode letters, digits, whitespace, and the characters _.:/=+\-@";
+    const allowedRegex = new RegExp(allowedChars, "mu");
+
+    if (!allowedRegex.test(key)){
+        throw new InvalidInputError(`Invalid tag key: "${key}". ${allowedCharsText}`)
+    } else if (key.toLowerCase().startsWith("aws:")) {
+        throw new InvalidInputError(`Invalid tag key "${key}". Tag keys cannot start with "aws:".`)
+    } else if (!allowedRegex.test(value)){
+        throw new InvalidInputError(`Invalid tag value: "${value}". ${allowedCharsText}`)
+    } else {
+        return true
+    }
+}
+