Tagging your resources is another way of keeping track of all the components of an application. CloudFormation templates are great at doing this, but tagging lets you find what resources your application/system is using without having to sift through the output lists of your CloudFormation stacks.
AWS search-resources reference: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/resource-groups/search-resources.html
- aws resource-groups search-resources --region us-west-2 --resource-query file://aws_tag_query.json
You provide search-resources with a JSON query file. You can specify that you want all resource types, as in the example below, or specific resource types such as 'AWS::S3::Bucket'. Note that the "Query" member is itself a JSON document serialized as a string, which is why the inner quotes are escaped.
{
"Type": "TAG_FILTERS_1_0",
"Query": "{\"ResourceTypeFilters\":[\"AWS::AllSupported\"],\"TagFilters\":[{\"Key\":\"Service\", \"Values\":[\"dmp\"]},{\"Key\":\"Subservice\", \"Values\":[\"hub\"]}]}"
}
For the full list of supported resource types, see: https://docs.aws.amazon.com/ARG/latest/userguide/supported-resources.html
Using tags like 'CodeRepo' and 'Contact' can help others find and modify your resource when necessary (or at least figure out who is responsible for the resource).
Since this resource query can be called via the AWS CLI, it can be used to automate workflows. For example, if you have a CloudFormation template that builds an RDS instance, you could have a shell script that fetches the RDS ARN and then runs a subsequent AWS CLI command to seed the database.
For example, here is a script that looks up an S3 bucket by tag query plus a (partial) name and then uploads a file to it:
#!/bin/bash
# Find an S3 bucket by tag query plus a (partial) name, then upload index.html to it.
set -eo pipefail

TAG_QUERY=aws_tag_query.json
HTML=src/cloudfront/index.html
ARN_PREFIX='arn:aws:s3:::'

if [ $# -ne 1 ]; then
    echo 'Wrong number of arguments. Expecting 1: S3 bucket name. Note the bucket name can be a partial name.' >&2
    exit 2
fi
if [ ! -f "$TAG_QUERY" ]; then
    echo "Expecting to find a JSON query file, $TAG_QUERY, for the AWS CLI resource-groups query!" >&2
    exit 1
fi
if [ ! -f "$HTML" ]; then
    echo "Expecting to find $HTML in this directory!" >&2
    exit 1
fi

echo "Searching for S3 buckets with name like: *$1*"
# jq -r prints the ARNs unquoted; restrict to S3 buckets so other tagged resources can never match.
matches=()
while IFS= read -r arn; do
    case "$arn" in
        *"$1"*) matches+=("${arn#"$ARN_PREFIX"}") ;;
    esac
done < <(aws resource-groups search-resources --resource-query "file://$TAG_QUERY" \
         | jq -r '.ResourceIdentifiers[] | select(.ResourceType == "AWS::S3::Bucket") | .ResourceArn')

if [ "${#matches[@]}" -eq 0 ]; then
    echo "No S3 buckets matched the name you provided: $1" >&2
    exit 1
fi
# A partial name can match several buckets; refuse to guess rather than upload to the wrong one.
if [ "${#matches[@]}" -gt 1 ]; then
    echo "Ambiguous name, matched ${#matches[@]} buckets: ${matches[*]}" >&2
    exit 1
fi

name="s3://${matches[0]}"
echo "Detected S3 Bucket: $name"
aws s3 cp "$HTML" "$name"
- Route 53 record sets can't be tagged (hosted zones and health checks can), so individual records are not findable this way
- Sometimes stale/deleted resources still show up, so verify that a resource still exists before acting on it (See: https://stackoverflow.com/questions/71035336/only-get-existing-resources-with-resourcegrouptaggingapi)
Example of the stale/deleted issue. The first user pool was deleted several days ago but still shows up!
{
"ResourceIdentifiers": [
{
"ResourceArn": "arn:aws:cognito-idp:us-west-2:123456789:userpool/us-west-2_abcd1234",
"ResourceType": "AWS::Cognito::UserPool"
},
{
"ResourceArn": "arn:aws:cognito-idp:us-west-2:123456789:userpool/us-west-2_zyxw9876",
"ResourceType": "AWS::Cognito::UserPool"
}
]
}
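The same workflow in Python, as an added example that is not code from the original page: it builds the query document (so the nested JSON string from the query file above is produced by json.dumps rather than escaped by hand), filters a search-resources response by type and name the way the shell script does, insists on a unique match, and drops stale entries by re-checking each ARN, which addresses the deleted-but-still-listed caveat. The sample response, bucket names, account id and the LIVE_ARNS set are constructed for the example; the boto3 check at the end is the only part that needs credentials and is not exercised offline.

```python
"""Tag-driven resource lookup with a liveness check (added example, not the page's code)."""
import json
from typing import Callable, Dict, List, Optional


def build_tag_query(tag_filters: Dict[str, List[str]],
                    resource_types: Optional[List[str]] = None) -> dict:
    """Return the document passed via --resource-query to search-resources.

    "Query" must be a JSON *string*, so the inner object is serialised separately.
    """
    inner = {
        "ResourceTypeFilters": resource_types or ["AWS::AllSupported"],
        "TagFilters": [{"Key": k, "Values": v} for k, v in tag_filters.items()],
    }
    return {"Type": "TAG_FILTERS_1_0", "Query": json.dumps(inner)}


def decode_query(doc: dict) -> dict:
    """Round-trip helper: parse the embedded query string back into an object."""
    return json.loads(doc["Query"])


def select_arns(response: dict, resource_type: str, name_fragment: str = "") -> List[str]:
    """ARNs from a search-resources response of one type whose ARN contains name_fragment."""
    return [
        r["ResourceArn"]
        for r in response.get("ResourceIdentifiers", [])
        if r["ResourceType"] == resource_type and name_fragment in r["ResourceArn"]
    ]


def unique_match(arns: List[str]) -> str:
    """A partial name may match several resources; fail rather than pick one silently."""
    if len(arns) != 1:
        raise LookupError(f"expected exactly one match, got {len(arns)}: {arns}")
    return arns[0]


def drop_stale(arns: List[str], exists: Callable[[str], bool]) -> List[str]:
    """Keep only ARNs that `exists` confirms; search results can include deleted resources."""
    return [a for a in arns if exists(a)]


def s3_bucket_name(arn: str) -> str:
    prefix = "arn:aws:s3:::"
    if not arn.startswith(prefix):
        raise ValueError(f"not an S3 bucket ARN: {arn}")
    return arn[len(prefix):]


def cognito_pool_exists(arn: str) -> bool:
    """Live check with boto3 (assumes boto3 and credentials; not run offline)."""
    import boto3
    region, pool_id = arn.split(":")[3], arn.rsplit("/", 1)[1]
    client = boto3.client("cognito-idp", region_name=region)
    try:
        client.describe_user_pool(UserPoolId=pool_id)
        return True
    except client.exceptions.ResourceNotFoundException:
        return False


# Constructed sample response in the shape search-resources returns; account id is fake.
SAMPLE_RESPONSE = {
    "ResourceIdentifiers": [
        {"ResourceArn": "arn:aws:cognito-idp:us-west-2:123456789012:userpool/us-west-2_abcd1234",
         "ResourceType": "AWS::Cognito::UserPool"},
        {"ResourceArn": "arn:aws:cognito-idp:us-west-2:123456789012:userpool/us-west-2_zyxw9876",
         "ResourceType": "AWS::Cognito::UserPool"},
        {"ResourceArn": "arn:aws:s3:::dmp-hub-site-assets", "ResourceType": "AWS::S3::Bucket"},
        {"ResourceArn": "arn:aws:s3:::dmp-hub-site-logs", "ResourceType": "AWS::S3::Bucket"},
    ]
}
# Constructed: pretend the first user pool was deleted but is still listed.
LIVE_ARNS = {"arn:aws:cognito-idp:us-west-2:123456789012:userpool/us-west-2_zyxw9876"}


if __name__ == "__main__":
    print(json.dumps(build_tag_query({"Service": ["dmp"], "Subservice": ["hub"]}), indent=2))
    bucket = s3_bucket_name(unique_match(select_arns(SAMPLE_RESPONSE, "AWS::S3::Bucket", "assets")))
    print("upload target:", f"s3://{bucket}")
    pools = select_arns(SAMPLE_RESPONSE, "AWS::Cognito::UserPool")
    print("live pools:", drop_stale(pools, lambda a: a in LIVE_ARNS))
```

Against real AWS, swap the `lambda a: a in LIVE_ARNS` for `cognito_pool_exists` (or `head_bucket` for S3) so that a deleted resource that still appears in the search result is never handed to the next step of the workflow.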