Skip to content

jakebark/tag-nag

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

542 Commits
.github
.github
 
 
examples
examples
 
 
img
img
 
 
internal
internal
 
 
testdata
testdata
 
 
.gitignore
.gitignore
 
 
Dockerfile
Dockerfile
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 
main.go
main.go
 
 
main_test.go
main_test.go
 
 

Repository files navigation

tag-nag

Validate AWS tags in Terraform and CloudFormation.

Installation

go install github.com/jakebark/tag-nag@latest

You may need to set GOPATH.

Commands

Tag-nag will search a file or directory for tag keys. Directory search is recursive.

tag-nag <file/directory> --tags "Key1,Key2"

tag-nag main.tf --tags "Owner" # run against a file
tag-nag ./my_project --tags "Owner,Environment" # run against a directory
tag-nag . --tags "Owner", "Environment" # will take string or list

Search for tag keys and tag values

tag-nag <file/directory> --tags "Key[Value]"

tag-nag main.tf --tags "Owner[Jake]" 
tag-nag main.tf --tags "Owner[Jake],Environment" # mixed search possible
tag-nag main.tf --tags "Owner[Jake],Environment[Dev,Prod]" # multiple options for tag values

Flags

-c --case-insensitive  
-d --dry-run # will always exit successfully
--cfn-spec ~/path/to/CloudFormationResourceSpecification.json # path to Cfn spec file, filters taggable resources
-s --skip "file.tf, path/to/directory" # skip files and directories
-o --output json # output to json (default is text)

Config file

The above commands can be issued with a .tag-nag.yml file in the same directory where tag-nag is run.

See the example .tag-nag.yml file.

Skip Checks

Skip file

#tag-nag ignore-all

Terraform

resource "aws_s3_bucket" "this" {
  #tag-nag ignore
  bucket   = "that"
}

CloudFormation

EC2Instance:  #tag-nag ignore
    Type: "AWS::EC2::Instance"
    Properties: 
      ImageId: ami-12a34b
      InstanceType: c1.xlarge

Filtering taggable resources

Some AWS resources cannot be tagged.

To filter out these resources with Terraform, run tag-nag against an initialised directory (terraform init).

To filter out these resources with CloudFormation, specify a path to the CloudFormation JSON spec file with the --cfn-spec input.

Docker

Run

docker pull jakebark/tag-nag:latest
docker run --rm -v $(pwd):/workspace -w /workspace jakebark/tag-nag \
  . --tags "Owner,Environment"

Interactive shell

docker pull jakebark/tag-nag:latest
docker run -it --rm \
  -v "$(pwd)":/workspace \
  -w /workspace \
  --entrypoint /bin/sh jakebark/tag-nag:latest

The image contains terraform, allowing terraform init to be run, if required.

docker pull jakebark/tag-nag:latest
docker run --rm -v $(pwd):/workspace -w /workspace \
  --entrypoint /bin/sh jakebark/tag-nag:latest \
  -c "terraform init -input=false -no-color && tag-nag\
     . --tags 'Owner,Environment'"

CI/CD

Example CI files:

Related Resources

tag:nag

About

Validate AWS tags in Terraform and CloudFormation

Resources

Readme

License

MIT license
Activity

Stars

274 stars

Watchers

24 watching

Forks

6 forks
Report repository

Releases 47

v0.8.5 Latest
Feb 17, 2026
+ 46 releases

Contributors

Languages