jckuester / awsweeper

A tool for cleaning your AWS account
Mozilla Public License 2.0
467 stars 45 forks

aws_iam_user doesn't work via new feature #101 in v0.8.0 #103

Open showerlee opened 4 years ago

showerlee commented 4 years ago

Hi @jckuester , just to let you know there may be a bug with aws_iam_user in https://github.com/cloudetc/awsweeper/pull/101. I confirmed that all the IAM users in my AWS account already have the Owner tag, and the awsweeper policy is the following:

aws_iam_user:
  - tags:
      NOT(Owner): .*

The result after applying this policy shows that it filters out all IAM users, which actually shouldn't be filtered out.

The other resources using the same #101 pattern look good for now.

Feel free to let me know if anything is misconfigured on my side.

jckuester commented 4 years ago

The problem is that the AWS API always returns empty tags for aws_iam_user resources (tags must be fetched via a separate API call). Do you see any tags? This will be fixed in my PR https://github.com/cloudetc/awsweeper/pull/102, which fetches all tags via Terraform.

I'll merge that later today.
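The failure mode described above, a tag-based filter applied to a listing whose tags were never loaded, can be reproduced without touching AWS. The following Python is an added example, not awsweeper's own code: the `NOT(Key): regex` semantics are an assumption modelled on the policy quoted in the issue, the user names and tags are constructed, and the `tags_look_unloaded` guard is a suggested check rather than anything the tool does.

```python
import re

# Constructed sample inventory (not real AWS data): one user carries an
# Owner tag, the other does not.
USERS = [
    {"id": "alice", "tags": {"Owner": "alice@example.com", "Team": "platform"}},
    {"id": "bob", "tags": {"Team": "training"}},
]

# The filter from the issue: select users that have no Owner tag.
UNTAGGED_FILTER = {"NOT(Owner)": ".*"}


def matches_tag_filter(tag_filter, tags):
    """True if `tags` satisfies every entry of `tag_filter` (entries are ANDed).

    Assumed semantics, modelled on the policy in the issue:
      Key: regex       -> a tag Key exists and its value fully matches regex
      NOT(Key): regex  -> no such tag (key missing, or value not matching)
    """
    for key, pattern in tag_filter.items():
        negated = key.startswith("NOT(") and key.endswith(")")
        tag_key = key[4:-1] if negated else key
        value = tags.get(tag_key)
        hit = value is not None and re.fullmatch(pattern, value) is not None
        if hit == negated:  # positive entry missed, or negated entry hit
            return False
    return True


def select_for_deletion(resources, tag_filter):
    """IDs of the resources the filter would hand to the deleter."""
    return [r["id"] for r in resources if matches_tag_filter(tag_filter, r["tags"])]


def tags_look_unloaded(resources):
    """Heuristic guard (assumption, not awsweeper behaviour): a listing in
    which *no* resource has any tag at all is more likely an API call that
    did not return tags than a genuinely untagged fleet."""
    return bool(resources) and all(not r["tags"] for r in resources)


def plan(resources, tag_filter):
    """Return (ids_to_delete, warning). Refuses to apply a NOT() filter to a
    listing that looks tag-less, because such a filter would match everything."""
    uses_negation = any(k.startswith("NOT(") for k in tag_filter)
    if uses_negation and tags_look_unloaded(resources):
        return [], "tags appear unloaded; refusing to apply NOT() filter"
    return select_for_deletion(resources, tag_filter), None


def with_tags_loaded():
    """Tags fetched correctly: only the untagged user is selected."""
    return select_for_deletion(USERS, UNTAGGED_FILTER)


def with_tags_dropped():
    """Models the v0.8.0 situation: the list call returned every user with an
    empty tag map, so NOT(Owner) matches everyone, including tagged alice."""
    stripped = [{"id": r["id"], "tags": {}} for r in USERS]
    return select_for_deletion(stripped, UNTAGGED_FILTER)


def with_guard():
    """Same tag-less listing, but run through the guarded planner."""
    stripped = [{"id": r["id"], "tags": {}} for r in USERS]
    return plan(stripped, UNTAGGED_FILTER)
```

The point of the guard is that a negated filter is only as safe as the tag data behind it: when a resource type's list call does not populate tags, `NOT(Owner): .*` silently degrades into "delete everything", which is exactly what the issue reports.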

showerlee commented 4 years ago

Got it, #102 would be a big change. Looking forward to seeing any magic. 👍

jckuester commented 4 years ago

I merged the PR and tags are working now. However, I still need to work something out to delete aws_iam_user_policy_attachment resources. If policies are attached, IAM users can currently not be deleted. Fix is coming in https://github.com/cloudetc/awsweeper/pull/100

showerlee commented 4 years ago

Hi @jckuester , based on my scenario, I have two questions:

  1. For now, all my IAM users are attached to an inline policy from group xxx, so is that still the case that needs to be fixed via the coming #100, since I still filter out all the users with a proper Owner tag configured after installing the latest version?

  2. I saw awsweeper print a bunch of AWS managed and customer managed policies that need to be deleted under aws_iam_user_policy_attachment:

    ---
    Type: aws_iam_user_policy_attachment
    Found: 11
    
        Id:     arn:aws:iam::xxxxxx:policy/xxx_training_group_accesskey_policy
    
        Id:     arn:aws:iam::xxxxxx:policy/xxx_training_group_accesskey_policy
    
        Id:     arn:aws:iam::xxxxxx:policy/xxx_training_group_accesskey_policy
    
        Id:     arn:aws:iam::aws:policy/AmazonRDSFullAccess
    
        Id:     arn:aws:iam::aws:policy/AmazonEC2FullAccess
    
        Id:     arn:aws:iam::aws:policy/IAMFullAccess
    
        Id:     arn:aws:iam::aws:policy/AmazonS3FullAccess
    
        Id:     arn:aws:iam::aws:policy/CloudWatchFullAccess
    
        Id:     arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess
    
        Id:     arn:aws:iam::xxxxxxx:policy/xxxx_training_group_accesskey_policy
    
        Id:     arn:aws:iam::xxxxxxx:policy/xxx_training_group_accesskey_policy
    
    ---

    I can't see what the tags are on those policies, or how to add/delete a tag on an existing policy. Is that what we expect?

Feel free to let me know what your thoughts are.

jckuester commented 4 years ago

Hi @showerlee,

1) Yes, you want to use https://github.com/cloudetc/awsweeper/pull/100, which makes sure inline policies are deleted from a user first, before deleting the user (otherwise deleting the user fails).

2) What you see here are just attachments of policies to the users (the policies themselves are not deleted). The attachments have no tags. Maybe it's confusing to show aws_iam_user_policy_attachment resources and they should be hidden from the printed list of resources (they are not real resources, same as inline policies, a.k.a. aws_iam_user_policy resources)?

You can use https://github.com/cloudetc/awsweeper/pull/100 already if you want (tests are green).
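The ordering problem from point 1, that an IAM user cannot be deleted while policies are still attached to it, as an added Python example; this is not awsweeper's or PR #100's code. FakeIAM is a constructed in-memory stand-in for the IAM API that models only the DeleteConflict rule for attached policies, inline policies and group memberships; real IAM additionally requires removing access keys, MFA devices, signing certificates and similar credentials before DeleteUser succeeds. The user, policy and group names are constructed and the policy ARN is not real.

```python
class DeleteConflict(Exception):
    """Stand-in for the IAM DeleteConflict error (constructed, not boto3)."""


class FakeIAM:
    """In-memory stand-in for the IAM API (constructed for this example).

    Models one rule of the real service: DeleteUser is rejected while the
    user still has attached managed policies, inline policies or group
    memberships. Every mutating call is recorded in `calls` so the order
    can be inspected afterwards.
    """

    def __init__(self, users):
        # name -> {"attached": set of policy ARNs,
        #          "inline": set of inline policy names,
        #          "groups": set of group names}
        self.users = users
        self.calls = []

    def list_attached_user_policies(self, user):
        return sorted(self.users[user]["attached"])

    def detach_user_policy(self, user, policy_arn):
        self.users[user]["attached"].remove(policy_arn)
        self.calls.append(("DetachUserPolicy", user, policy_arn))

    def list_user_policies(self, user):
        return sorted(self.users[user]["inline"])

    def delete_user_policy(self, user, policy_name):
        self.users[user]["inline"].remove(policy_name)
        self.calls.append(("DeleteUserPolicy", user, policy_name))

    def list_groups_for_user(self, user):
        return sorted(self.users[user]["groups"])

    def remove_user_from_group(self, user, group):
        self.users[user]["groups"].remove(group)
        self.calls.append(("RemoveUserFromGroup", user, group))

    def delete_user(self, user):
        u = self.users[user]
        if u["attached"] or u["inline"] or u["groups"]:
            raise DeleteConflict(f"cannot delete {user}: dependencies still present")
        del self.users[user]
        self.calls.append(("DeleteUser", user))


def sample_iam():
    """Constructed fixture: one user with a managed policy attachment, an
    inline policy and a group membership. The ARN is made up."""
    return FakeIAM({
        "trainee": {
            "attached": {"arn:aws:iam::123456789012:policy/example_accesskey_policy"},
            "inline": {"s3-read"},
            "groups": {"training"},
        }
    })


def delete_user_naively(iam, user):
    """Delete the user without clearing its dependencies first: the service
    rejects the call. Returns the error message, or None on success."""
    try:
        iam.delete_user(user)
    except DeleteConflict as err:
        return str(err)
    return None


def delete_user_with_dependencies(iam, user):
    """Clear what DeleteUser refuses to clear for us, then delete the user.

    Attachments and inline policies are child objects of the user, so they
    go first; the managed policies themselves are left untouched, which is
    the distinction drawn in point 2 above. Returns the call sequence."""
    for arn in iam.list_attached_user_policies(user):
        iam.detach_user_policy(user, arn)
    for name in iam.list_user_policies(user):
        iam.delete_user_policy(user, name)
    for group in iam.list_groups_for_user(user):
        iam.remove_user_from_group(user, group)
    iam.delete_user(user)
    return [c[0] for c in iam.calls]
```

The same shape applies to any deleter driving the real API: list the user's attachments, inline policies and memberships, remove each, and only then call DeleteUser, treating a DeleteConflict as a signal that some dependency class was not enumerated rather than as a transient error to retry.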

showerlee commented 4 years ago

Hi @jckuester , thanks for the detailed explanation. It looks like #100 doesn't take effect. After I removed the old ./bin/awsweeper and .terradozer and reinstalled 0.8.0, I still filter out all the IAM users with a proper tag that shouldn't be removed.

Is there anything else I need to configure for #100?

jckuester commented 4 years ago

The install.sh script only works for official releases and I haven't released a new version yet (I will release v0.9.0 tomorrow that includes all the changes).

For now, you can clone the master branch and run go build.

jckuester commented 4 years ago

Released in https://github.com/jckuester/awsweeper/releases/tag/v0.9.0