✨ Add Cloudwatch log group tags to resource.

VasilSirakov · VasilSirakov · commit 52103ceb3d26 · 2025-12-04T13:35:57.000+02:00
Signed-off-by: Vasil Sirakov &lt;sirakov97@gmail.com&gt;
diff --git a/providers/aws/resources/aws.lr b/providers/aws/resources/aws.lr
@@ -1767,6 +1767,8 @@ private aws.cloudwatch.loggroup @defaults("arn") {
   region string
   // Number of days to retain the log events in the specified log group
   retentionInDays int
+  // Tags for the log group
+  tags map[string]string
 }
 
 // Amazon CloudWatch log group metrics filter
diff --git a/providers/aws/resources/aws.lr.go b/providers/aws/resources/aws.lr.go
diff --git a/providers/aws/resources/aws.lr.manifest.yaml b/providers/aws/resources/aws.lr.manifest.yaml
@@ -539,6 +539,8 @@ resources:
       region: {}
       retentionInDays:
         min_mondoo_version: 9.0.0
+      tags:
+        min_mondoo_version: 9.0.0
     is_private: true
     min_mondoo_version: 5.15.0
     platform:
diff --git a/providers/aws/resources/aws_cloudwatch.go b/providers/aws/resources/aws_cloudwatch.go
@@ -8,6 +8,7 @@ import (
 	"crypto/sha256"
 	"encoding/json"
 	"fmt"
+	"maps"
 	"strings"
 	"time"
 
@@ -585,14 +586,25 @@ func (a *mqlAwsCloudwatch) getLogGroups(conn *connection.AwsConnection) []*jobpo
 				}
 				args := make(map[string]*llx.RawData)
 				for _, loggroup := range logGroups.LogGroups {
+					tags := make(map[string]any)
+					groupTags, err := svc.ListTagsForResource(ctx, &cloudwatchlogs.ListTagsForResourceInput{
+						ResourceArn: loggroup.LogGroupArn,
+					})
+					if err == nil {
+						maps.Copy(tags, strMapToInterface(groupTags.Tags))
+					} else {
+						log.Warn().Msgf("could not get tags for log group %s: %v", convert.ToValue(loggroup.LogGroupName), err)
+					}
+
 					args["arn"] = llx.StringDataPtr(loggroup.Arn)
 					args["name"] = llx.StringDataPtr(loggroup.LogGroupName)
 					args["region"] = llx.StringData(region)
 					args["retentionInDays"] = llx.IntDataDefault(loggroup.RetentionInDays, 0)
+					args["tags"] = llx.MapData(tags, types.String)
 
 					// add kms key if there is one
 					if loggroup.KmsKeyId != nil {
-						mqlKeyResource, err := NewResource(a.MqlRuntime, "aws.kms.key",
+						mqlKeyResource, err := NewResource(a.MqlRuntime, ResourceAwsKmsKey,
 							map[string]*llx.RawData{
 								"arn": llx.StringDataPtr(loggroup.KmsKeyId),
 							})
@@ -606,7 +618,7 @@ func (a *mqlAwsCloudwatch) getLogGroups(conn *connection.AwsConnection) []*jobpo
 						args["kmsKey"] = llx.NilData
 					}
 
-					mqlLogGroup, err := CreateResource(a.MqlRuntime, "aws.cloudwatch.loggroup", args)
+					mqlLogGroup, err := CreateResource(a.MqlRuntime, ResourceAwsCloudwatchLoggroup, args)
 					if err != nil {
 						return nil, err
 					}

Original file line number	Diff line number	Diff line change
`@@ -1767,6 +1767,8 @@ private aws.cloudwatch.loggroup @defaults("arn") {`
`1767`	`1767`	`region string`
`1768`	`1768`	`// Number of days to retain the log events in the specified log group`
`1769`	`1769`	`retentionInDays int`
	`1770`	`+ // Tags for the log group`
	`1771`	`+ tags map[string]string`
`1770`	`1772`	`}`
`1771`	`1773`
`1772`	`1774`	`// Amazon CloudWatch log group metrics filter`