How to verify AWS tags with Pulumi before deployment?

Question

Pulumi · Accepted Answer

Verifying AWS tags with Pulumi before deployment can be achieved by including a check within your Pulumi script that verifies the tags for the particular AWS resources that you are creating or updating. For instance, if you were creating an AWS S3 bucket, you could add a check for the tags before creating the bucket.

Let's consider the creation of an S3 bucket. We want to ensure this bucket has specific tags before deployment takes place:

```typescript
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const config = new pulumi.Config();

// Fetch the tags from the configuration:
// Config should be set as machine-readable in pulumi config file, e.g. pulumi config set tags {"Project":"XYZ","Owner":"ABC"} 
const tags = config.getObject<{ [key: string]: any }>("tags") || {};

// Validate the tags
if (!tags.Project || tags.Project !== "XYZ") {
    throw new Error("Missing or invalid 'Project' tag. It should be 'XYZ'.");
}
if (!tags.Owner || tags.Owner !== "ABC") {
    throw new Error("Missing or invalid 'Owner' tag. It should be 'ABC'.");
}

// If all validations pass something like this will be displayed in the console: "Tags validated successfully."
console.log("Tags validated successfully.");

// Then include these tags when creating resources
const bucket = new aws.s3.Bucket("my-bucket", {
    acl: "private",
    tags: tags,
});

// Export the name of the bucket
export const bucketName = bucket.id;
```

In this script, we first get the tags from the [Pulumi configuration](https://www.pulumi.com/docs/intro/concepts/config/#setting-and-getting-configuration-values).

Then we validate the tags. If the tags do not meet the requirements (in this example, if they don't have `Project` and `Owner` tags with expected values), we throw an error, which will abort the Pulumi preview or update.

If the tag validation passes, we print a success message to the console.

Finally, we create an S3 bucket with the provided tags. The bucket will only be created if the tag validation passes.

Remember to set the tags in the Pulumi configuration before running `pulumi up`, using the `pulumi config set` command. For example:

```shell
pulumi config set tags '{"Project":"XYZ","Owner":"ABC"}'
```

Then you can run `pulumi up` to deploy your stack. The script will validate the tags before creating or updating any resources.

For more details about tagging AWS resources in Pulumi, refer to the official [Pulumi AWS documentation](https://www.pulumi.com/registry/packages/aws/api-docs/ec2/tag/).