jckuester / awsweeper

A tool for cleaning your AWS account
Mozilla Public License 2.0

Filter resources when a specific tag is not present altogether #91

Closed abirdatta closed 4 years ago

abirdatta commented 4 years ago

As far as I understand, we can filter resources based on a specific tag's value. For example, the following is going to select all ecs clusters based on a tag named environment whose value is not play:

aws_ecs_cluster:
  - tags:
      environment: NOT(play)

Is there any way we can filter resources if a specific tag is not present altogether? So based on the previous example, I want to delete all ecs_clusters where the tag environment is not present.

Thanks.

showerlee commented 4 years ago

This is also what I am currently expecting: Is there any way to delete all ec2 where the tag owner is not present or no tag owner is defined? I want to track and remove all the ec2 which don't have the tag key: owner with whatever value.

Something like the following:

aws_instance:
  - tags:
      NOT(owner: .*)

So far the current tags don't support this pattern. Hope someone can help me out. cc: @jckuester

andreamaruccia commented 4 years ago

yes I tried the same :)

jckuester commented 4 years ago

Hey folks :wave:

I will have a look into the issue and try to come up with a solution. Thanks for posting the issue.

jckuester commented 4 years ago

Thinking about it, I see three cases to be covered:

1) Delete resources that are not tagged at all (set of tags is nil) or are tagged (non-empty set of tags). We would probably need an extra config flag for this (e.g. - tagged: <bool>)
2) Delete resources which must have some tags, e.g., both tag foo: bar and boo: baz.
3) Delete resources that DON'T have some tags (including resources with no tags), e.g., a resource's tag set must not include foo: bar nor boo: baz.

Any thoughts on this?

showerlee commented 4 years ago

Not sure if case 3 is what I intend to expect. I just want to delete resources that have some tags which do NOT match some given tag expressions (owner: .*), i.e., a resource whose tag set does not include owner: john, owner: bill, owner: kate, etc. will be removed. Only if the key owner exists, with whatever value, is this resource good to stay.

jckuester commented 4 years ago

@showerlee let me know if this is better: You can now surround the tag key with NOT(...):

aws_instance:
  - tags:
      NOT(owner): .*

This deletes all EC2 instances without the owner tag (having any value). Note that tag expressions must be in <key>: <value> style, so the expression NOT(owner: .*) is invalid. Note that the key cannot be a regular expression (just would make no sense), but the value can.

Another example with multiple tag expressions:

aws_instance:
  - tags:
      NOT(owner): Pete
      foo: bar

This would mean delete all resources that have the foo: bar tag and at the same time NOT having the owner: Pete tag.

FYI, I created a PR for this feature https://github.com/cloudetc/awsweeper/pull/101 (will be released soon if you are happy with this).
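The selection rule described in the comment above, sketched in Go as an added example (not awsweeper's code and not part of the thread). The type and function names are hypothetical, and anchoring the value regex to the whole tag value is an assumption of this sketch; the key is compared literally and all expressions must hold together, as the comment states.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// tagExpr is one "<key>: <value>" filter entry (hypothetical type, not awsweeper's).
type tagExpr struct {
	key     string
	negated bool
	value   *regexp.Regexp
}

// parseTagExpr accepts "owner" or "NOT(owner)" as key; only the value is a regex.
func parseTagExpr(rawKey, pattern string) (tagExpr, error) {
	e := tagExpr{key: rawKey}
	if strings.HasPrefix(rawKey, "NOT(") && strings.HasSuffix(rawKey, ")") {
		e.negated = true
		e.key = rawKey[len("NOT(") : len(rawKey)-1]
	}
	re, err := regexp.Compile("^(?:" + pattern + ")$") // assumption: full match
	if err != nil {
		return e, fmt.Errorf("tag %q: %w", rawKey, err)
	}
	e.value = re
	return e, nil
}

// selected reports whether a resource with the given tags satisfies every
// expression, i.e. would be picked up by the filter.
func selected(tags map[string]string, exprs []tagExpr) bool {
	for _, e := range exprs {
		v, present := tags[e.key] // a nil map (untagged resource) reads as absent
		hit := present && e.value.MatchString(v)
		if hit == e.negated { // NOT(key) must miss, plain key must hit
			return false
		}
	}
	return true
}

func main() {
	// Constructed sample tags, not real resources.
	e, _ := parseTagExpr("NOT(owner)", ".*")
	fmt.Println(selected(nil, []tagExpr{e}), selected(map[string]string{"owner": "kate"}, []tagExpr{e}))
}
```

Evaluating a filter against an exported tag inventory this way shows which resources it would select, including untagged ones, before anything is deleted.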

jckuester commented 4 years ago

Thanks @andreamaruccia (and everyone else) for testing and feedback. Released in https://github.com/cloudetc/awsweeper/releases/tag/v0.8.0. If you like the project and wouldn't mind, please leave a :star: :relaxed:

showerlee commented 4 years ago

Thanks @jckuester, I will try it in my aws environment later. Great work 👍 👍 👍

showerlee commented 4 years ago

Tested this new feature and it looks pretty awesome. Thanks @jckuester and all the guys who helped to figure it out. It saves my life 👍 👍 👍

jckuester commented 4 years ago

@showerlee I am glad that you like it. FYI, I am just working on a bigger feature to support over 200 more resources (with tag support) in an automated way: https://github.com/cloudetc/awsweeper/pull/102

Stay tuned ;-)

showerlee commented 4 years ago

Hi @jckuester, just to let you know, there may be a bug with aws_iam_user for this feature. I confirmed all the iam users in my account have already been tagged with Owner, and the awsweeper policy is the following:

aws_iam_user:
  - tags:
      NOT(Owner): .*

The result after applying this policy shows that it will filter out all the iam users, which actually shouldn't be filtered out.

For the other resources, they look good for now.