gorillastack / auto-tag Goto Github PK

This tagging created by automatically and its specially use for cost management.

I noticed user able to delete this tag.

So user should not delete or edit this tag.

Tagging works when I log in as tester user and launch EC2 instance via EC2 console. It creates tag in following format:

Key: AutoTag_Creator
Value: arn:aws:iam::1234567890:user/tester

I also use CFT templates to launch EC2 instance (stack) via Service Catalog. When I log in as the same tester user or any other user and launch EC2 instance (stack) via Service Catalog the instance is always getting tagged with:

Key: AutoTag_Creator
Value: arn:aws:sts::1234567890:assumed-role/LinuxUbuntuServerLaunchRole/servicecatalog

Is there a way to capture and tag authenticated user (tester) instead of assumed-role?

{
"errorMessage": "Cannot read property '0' of undefined",
"errorType": "TypeError",
"stackTrace": [
"/var/task/aws_cloud_trail_log_listener.js:119:58",
"AwsCloudTrailLogListener.retrieveLogFileDetails (/var/task/aws_cloud_trail_log_listener.js:117:14)",
"_callee$ (/var/task/aws_cloud_trail_log_listener.js:66:30)",
"tryCatch (/var/task/regenerator-runtime/runtime.js:65:40)",
"GeneratorFunctionPrototype.invoke [as _invoke] (/var/task/regenerator-runtime/runtime.js:303:22)",
"GeneratorFunctionPrototype.prototype.(anonymous function) [as next] (/var/task/regenerator-runtime/runtime.js:117:21)",
"onFulfilled (/var/task/co/index.js:65:19)",
"/var/task/co/index.js:54:5",
"co (/var/task/co/index.js:50:10)",
"AwsCloudTrailLogListener.execute (/var/task/aws_cloud_trail_log_listener.js:58:31)"
]
}

Error while running the lambda for retroTagging

How do you tag multi regions. updating CodeS3Bucket with "gorillastack-autotag-releases-ap-northeast-1, gorillastack-autotag-releases-us-west-2" did not work.

Getting this error in Lambda function after creating an IAM role to test autotag with latest git pull:

Syntax error in module 'autotag_event': SyntaxError
const handler = async (cloudtrailEvent, context) => {
^
SyntaxError: Unexpected token (
at createScript (vm.js:56:10)
at Object.runInThisContext (vm.js:97:10)
at Module._compile (module.js:542:28)
at Object.Module._extensions..js (module.js:579:10)
at Module.load (module.js:487:32)
at tryModuleLoad (module.js:446:12)
at Function.Module._load (module.js:438:3)
at Module.require (module.js:497:17)
at require (internal/module.js:20:19)

Currently, after receiving an event, we construct the role to assume using the recipient account id (good) with the stack name (bad - as changing between different stacks).

Need to either use a constant role name, or add a parameter to the stack, such that we can easily roll our across many accounts

I'm pretty new to Lambda and had to make a change to get auto-tag working and just wanted to make sure it wasn't something I missed.

The role that has permission to tag items, I had to update its Trust Relationship, specifying the Lambda role to be trusted. by default it was "service: lambda.amazonaws.com".

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::[account running lambda]:role/AutoTagLambdaRole"
},
"Action": "sts:AssumeRole"
}
]

Without doing this, I get the following:

User: arn:aws:sts::[my account]:assumed-role/AutoTagLambdaRole/awslambda_20160209121944195 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::[my account]:role/AutoTagRole

It is the AutoTagLambdaRole that appears to need to be trusted, not lambda.amazonaws.com.

If this is correct, ill happily update the doco.

Hello,
I do already have S3 bucket with trails from multiple accounts in it. What modifications do I need to do to use the existing bucket for cloudtrail logs?

How can I change the tag name? While file needs modification?

Attempting to implement autotagging across accounts. Seems the functionality exists within the code however, execution fails with the following error.
2017-06-02T17:40:35.538Z 6cca367d-47ba-11e7-81aa-e3668cf6c658 { [AccessDenied: Not authorized to perform sts:AssumeRole]
message: 'Not authorized to perform sts:AssumeRole',
code: 'AccessDenied'

Current Deployment does currently tag instances created in the account where the lambda is running.
Any configuration assistance would be appreciated, appears this detail is missing from the Readme, or I have overlooked it.

While deploying in ap-southeast-1, I am facing this issue:

The runtime parameter of nodejs4.3 is no longer supported for creating or updating AWS Lambda 
functions. We recommend you use the new runtime (nodejs8.10) while creating or updating functions. 
(Service: AWSLambdaInternal; Status Code: 400; Error Code: InvalidParameterValueException; 
Request ID: XXXXXXXXXXXXXXXXX)

Any workaround on this (as I am not much familiar with node) ?

Hello,
I'm seeing the above error (from Lambda) when a new instance is created. The instance is not being tagged successfully.
I used the "CloudWatch Events Method - Multi-Region" method to install/deploy.

Full error:

Unable to import module 'autotag_event': Error
at Function.Module._resolveFilename (module.js:469:15)
at Function.Module._load (module.js:417:25)
at Module.require (module.js:497:17)
at require (internal/module.js:20:19)

Thanks for taking a look.

On the https://github.com/GorillaStack/auto-tag/blob/master/cloud_formation/s3object_template/autotag_s3object_main-template.json -file at row 71, the runtime is nodejs6.10. Using this template makes the stack roll back at CloudFormation, because Node 6 is deprecated. Simply changing this line to nodejs8.10 works, but as I'm fairly inexperienced at using GitHub, I prefer just writing about this issue instead of creating Pull Request.

The same issue seems to be here too: https://github.com/GorillaStack/auto-tag/blob/master/cloud_formation/event_multi_region_template/autotag_event_main-template.rb .

On the first file, the default folder and file are outdated (auto-tag-0.3.0.zip), but that's not a huge problem, as creating my own files is simple

We will do the following steps in CI/CD:

• build code package
• generate any CloudFormation that needs generation
• deploy code and CF templates to S3

Simplify the README:

• Don't require the user to do any generation of templates or uploading from their computer. Instead outline these steps in a Contribution guide or development section

I tested this in my master payer account, ran the templates for the roles in there and separately in one sub-account I am testing with. Then ran the stackset, besides an STS error for most regions, it appeared to run in the 2 regions I use (the errors probably have to do with an SCP I have that limits to these 2 regions)
In any event, I logged on as a test user and created an EC2 and bucket in the test target account, and there is no activity in the Lambda function in the master payer account. Looks like the cloudwatch Auto-Tag CloudTrailLogs rule is there, but nothing is happening.

Will these function work if we update the Node.js.8.10 versions to to Node.js.10.x? Just starting to get EOL messages from Amazon on Node.js.8.x functions.
1/6/2020 customers won't be able to create new functions using 8.10
2/3/2020 customers won't be able to update functions using this version.
existing 8.x functions will continue to be able to process invocation events though

I installed AutoTag on Friday and it seemed to be working fine (I verified it was working). Starting Sunday I started seeing errors and nothing was getting tagged. Here is the error I am seeing

{
"errorMessage": "Cannot read property '0' of undefined",
"errorType": "TypeError",
"stackTrace": [
"/var/task/aws_cloud_trail_listener.js:98:58",
"new Promise (/var/task/node_modules/babel-polyfill/node_modules/core-js/modules/es6.promise.js:193:7)",
"AwsCloudTrailListener.retrieveLogFileDetails (/var/task/aws_cloud_trail_listener.js:96:14)",
"_callee$ (/var/task/aws_cloud_trail_listener.js:62:30)",
"tryCatch (/var/task/node_modules/babel-regenerator-runtime/runtime.js:61:40)",
"GeneratorFunctionPrototype.invoke [as _invoke] (/var/task/node_modules/babel-regenerator-runtime/runtime.js:329:22)",
"GeneratorFunctionPrototype.prototype.(anonymous function) [as next] (/var/task/node_modules/babel-regenerator-runtime/runtime.js:94:21)",
"onFulfilled (/var/task/node_modules/co/index.js:65:19)",
"/var/task/node_modules/co/index.js:54:5",
"new Promise (/var/task/node_modules/babel-polyfill/node_modules/core-js/modules/es6.promise.js:193:7)"
]
}

The CloudTrail logs seem fine. I was able to download them and see valid content. If there are instructions to self host the code with modifications that will help a lot.

I successfully created the "autotag" CloudFormation stack using the instructions in the readme in this repo. I can see the cloudtrail logs being generated in the S3 bucket that the stack creates, however, I'm not seeing any tags being added after I launch a new EC2 instance.

Perhaps I missed a step in the auto-tag setup or the instance launch process that tells the tags to auto add themselves? Let me know if you need any additional info from me that would be helpful in figuring out what's going on.

Thanks in advance!

START RequestId: a01677f8-6242-11e7-b1a2-b9666a07d848 Version: $LATEST

2017-07-06T12:02:51.261Z a01677f8-6242-11e7-b1a2-b9666a07d848 { [Error: incorrect header check] errno: -3, code: 'Z_DATA_ERROR' }

2017-07-06T12:02:51.262Z a01677f8-6242-11e7-b1a2-b9666a07d848 Error: incorrect header check
at Zlib._handle.onerror (zlib.js:363:17)

2017-07-06T12:02:51.319Z a01677f8-6242-11e7-b1a2-b9666a07d848
{
"errorMessage": "incorrect header check",
"errorType": "Error",
"stackTrace": [
"Zlib._handle.onerror (zlib.js:363:17)"
]
}

END RequestId: a01677f8-6242-11e7-b1a2-b9666a07d848

Hi all,
I successfully created the template but unable to tag the resource after deploy the template through cloud formation. Is there any extra steps that has to be done after deploy cloud formation template. If any plz tell me the detail.

The autotag-0.3.0.zip version of the code that the cloudformation template installs from S3 seems to have had a major refactor from the tagged 0.3.0 version in github.

This is not only strange but a bit concerning since anyone checking out this repo and following the setup instructions is running code that is quite different from what they would assume.

Hi Guys,

Thanks so much for this solution! When I attempt to edit some of the react classes and components within your zip file and upload the refactored code to Lambda, I receive the following error. Not sure what's going on as the file still contains all of the same modules before the changes I've made.

I have specifically changed static variables and functions in the autotag_default_worker.js file. I am attempting to retrieve the User Name vice the ARN from AWS.

var AUTOTAG_TAG_NAME = 'User';
var ROLE_PREFIX = 'arn:aws:iam::';
var ROLE_SUFFIX = ':role';
var DEFAULT_STACK_NAME = 'autotag';
var MASTER_ROLE_NAME = 'AutoTagMasterRole';
var MASTER_ROLE_PATH = '/gorillastack/autotag/master/';

    key: 'getAutotagPair',
    value: function getAutotagPair() {
      return {
        Key: this.getTagName(),
        Value: this.getTagValue()
      };
    }
  }, {
    key: 'getTagName',
    value: function getTagName() {
      return AUTOTAG_TAG_NAME;
    }
  }, {
    key: 'getTagValue',
    value: function getTagValue() {
      return this.event.userIdentity.userName;
    }
  }]);

  return AutotagDefaultWorker;
}();

Here is the error message I recieve in Lambda.

{
  "errorMessage": "Cannot find module '/var/task/autotag'",
  "errorType": "Error",
  "stackTrace": [
    "Function.Module._load (module.js:276:25)",
    "Module.require (module.js:353:17)",
    "require (internal/module.js:12:17)"
  ]
}

Please let me know your thoughts.

Kind Regards

-Pat

As of now, tagging is supported in IAM resources as well. This is very helpful on who has created a particular user, etc.

I was going through the docs of AWS and I there are several more resources that can be tagged:

https://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/supported-resources.html#supported-resources-tagging-console

I observed following errors in cloud watch logs regularly. This behavior was seen in 0.2.0 as well as in 0.3.0.
Auto Tag is adding tags to EC2 and S3 (not tested rest) but wonder what cases are missing

{ "errorMessage": "Cannot read property 'instancesSet' of null", "errorType": "TypeError", "stackTrace": [ "AutotagEC2Worker.getInstanceId (/var/task/workers/autotag_ec2_worker.js:105:41)", "_callee$ (/var/task/workers/autotag_ec2_worker.js:71:53)", "tryCatch (/var/task/node_modules/babel-regenerator-runtime/runtime.js:61:40)", "GeneratorFunctionPrototype.invoke [as _invoke] (/var/task/node_modules/babel-regenerator-runtime/runtime.js:329:22)", "GeneratorFunctionPrototype.prototype.(anonymous function) [as next] (/var/task/node_modules/babel-regenerator-runtime/runtime.js:94:21)", "onFulfilled (/var/task/node_modules/co/index.js:65:19)", "run (/var/task/node_modules/babel-polyfill/node_modules/core-js/modules/es6.promise.js:89:22)", "/var/task/node_modules/babel-polyfill/node_modules/core-js/modules/es6.promise.js:102:28", "flush (/var/task/node_modules/babel-polyfill/node_modules/core-js/modules/_microtask.js:18:9)", "nextTickCallbackWith0Args (node.js:415:9)" ] }

I have been using Autotag for almost a month now, and it is functioning satisfactorily in all the regions. Now, I need to cover all my accounts. Can you explain how to move with that?
Just for your review, I created a role in my other account and trusted my account where autotag is working, I also added an inline policy in my Autotag execution role to assume the role in the other account. However, it is still not working. What else is needed?

{
"errorMessage": "Cannot read property '0' of undefined",
"errorType": "TypeError",
"stackTrace": [
"/var/task/aws_cloud_trail_listener.js:98:58",
"new Promise (/var/task/node_modules/babel-polyfill/node_modules/core-js/modules/es6.promise.js:193:7)",
"AwsCloudTrailListener.retrieveLogFileDetails (/var/task/aws_cloud_trail_listener.js:96:14)",
"_callee$ (/var/task/aws_cloud_trail_listener.js:62:30)",
"tryCatch (/var/task/node_modules/babel-regenerator-runtime/runtime.js:61:40)",
"GeneratorFunctionPrototype.invoke [as _invoke] (/var/task/node_modules/babel-regenerator-runtime/runtime.js:329:22)",
"GeneratorFunctionPrototype.prototype.(anonymous function) [as next] (/var/task/node_modules/babel-regenerator-runtime/runtime.js:94:21)",
"onFulfilled (/var/task/node_modules/co/index.js:65:19)",
"/var/task/node_modules/co/index.js:54:5",
"new Promise (/var/task/node_modules/babel-polyfill/node_modules/core-js/modules/es6.promise.js:193:7)"
]
}�

When a resource is tagged with key, the value is something like this, arn:aws:sts::Account-number:assumed-role/Account-name/[email protected].
Can this be customized that, only the email id is tagged as the key?
Like
AutoTag_Creator : [email protected].

I know this is pretty basic, but I'm new to this and having some trouble. I'd like to have additional tags added to each, in addition to the owner of the resource. Is there a way to add this to the script?

Hi
I'm following the https://www.gorillastack.com/news/gorillastack-presents-auto-tag/. From the process it mentioned, I have to setup policy for lambda and autotag.
Could you make it more specific that code for the policy? I see several policies in the cloudformation template, and I've no idea which part I need.
Appreciate it for your answer

had run the prerequisite stacks for the roles in child/master accounts, ran the auto-tag stack in the master account, without issue. When running the stackset, I chose all regions, making the MainAwsRegion us-east-1 and entered all of the child account #s comma separated. The stack instances show 100 and all but two show as outdated with the operation returning "failed". On the two accounts (out of 13) that I ran this against that it created any resources, it appears to only have created the SNS topic/subscription and Cloudwatch rule. The SNS topic points to a subscriber of a Lambda AutoTag function within its own account that doesn't exist. I don't see any event in the stack where it even attempted to create this Lambda function (in child account)

I did considerable work on porting the cloudformation template to terraform modules and once it's deployed I see lambda error messages failing on describeStackResource. I look and see that in the node js files there appears to be a hard dependency on cloudformation now:

https://github.com/GorillaStack/auto-tag/blob/master/src/workers/autotag_default_worker.js#L36

I'd love to get this dependency removed so I can deploy this using terraform (required by my client) and do a PR to get terraform added to this project.

Anyone have an idea of how to remedy this?

Cloudwatch logs for lambda:

message: 'User: arn:aws:sts::<account>:assumed-role/AutoTagExecutionRole/AutoTag is not authorized to perform: cloudformation:DescribeStackResource on resource: arn:aws:cloudformation:us-west-2:<account>:stack/autotag/*',```

getRoleName() {
let _this = this;
return new Promise((resolve, reject) => {
try {
let cloudFormation = new AWS.CloudFormation({ region: _this.s3Region });
cloudFormation.describeStackResource({
StackName: DEFAULT_STACK_NAME,
LogicalResourceId: MASTER_ROLE_NAME
}, (err, data) => {
if (err) {
reject(err);
} else {
resolve(data.StackResourceDetail.PhysicalResourceId);
}
});
} catch (e) {
reject(e);
}
});
}

Tagging EC2 instances works fine, however when I create an S3 bucket, that does not get tagged and I can see an invocation error occur. I'm not sure how many resource types do this, as I have not tested all, but I know at least for a fact that S3 buckets are not being tagged and I'm not sure why.

I have some security concerns with hosting a 3rd party bucket and giving it permissions to execute in my secure AWS environment. I'd like to host the autotag.zip in our own bucket so we can control when this code is updated.

I'm trying to download the existing auto-tag.zip file with no luck

The stack name for the event multi-region needs to be "AutoTag", as you see if it is different,
the lambda function uses the stack name for the function name.

However, event collector template, assume the lambda function name is always going to be "AutoTag"

The documentation clearly mentions the stack name can be anything, which is not true anymore.

I had a hard time getting this to work. I set up the appropriate roles but it keeps giving same error:

{
    "errorMessage": "Cannot read property 'bucket' of undefined",
    "errorType": "TypeError",
    "stackTrace": [
        "/var/task/aws_cloud_trail_listener.js:72:38",
        "Array.map (native)",
        "/var/task/aws_cloud_trail_listener.js:71:56",
        "new Promise (/var/task/node_modules/babel/node_modules/babel-core/node_modules/core-js/modules/es6.promise.js:178:7)",
        "AwsCloudTrailListener.retrieveLogFileDetails (/var/task/aws_cloud_trail_listener.js:69:14)",
        "callee$2$0$ (/var/task/aws_cloud_trail_listener.js:40:28)",
        "tryCatch (/var/task/node_modules/babel/node_modules/babel-core/node_modules/regenerator/runtime.js:61:40)",
        "GeneratorFunctionPrototype.invoke [as _invoke] (/var/task/node_modules/babel/node_modules/babel-core/node_modules/regenerator/runtime.js:323:22)",
        "GeneratorFunctionPrototype.prototype.(anonymous function) [as next] (/var/task/node_modules/babel/node_modules/babel-core/node_modules/regenerator/runtime.js:94:21)",
        "onFulfilled (/var/task/node_modules/co/index.js:65:19)"
    ]
}

I probably bit off more than I could chew, never developing in node.js before, but I couldn't run the main.js file using provided instructions. After installing the babel-preset-es2015 package, i kept getting errors trying to find babel/polyfill.

Just wondering if auto tagging would be implemented for creation of stacks

I want to add more tags such as ManagedBy or Owner.

Got this error:

Your access has been denied by S3, please make sure your request credentials have permission to GetObject for gorillastack-autotag-releases-ap-south-1/autotag-0.3.0.zip. S3 Error Code: AccessDenied. S3 Error Message: Access Denied (Service: AWSLambda; Status Code: 403; Error Code: AccessDeniedException;

Is there no package for ap-south-1 region ?

Love the current functionality.... but any plan for spot instance support in the future?

Can you explicitly add an open source license to the project?

Hey,
while using your Skript this happens to the Cloudwatch log for autotag.The authorization mechanism you have provided is not supported. Please use AWS4-HMAC-SHA256

How can I change the authentification for eu-central-1
Like: var s3 = new AWS.S3({signatureVersion: 'v4'});

Getting this error in Lambda function after creating a ec2 volume to test autotag with latest git pull (similar to this):

Syntax error in module 'autotag_event': SyntaxError
^
SyntaxError: Unexpected token (
at createScript (vm.js:56:10)
at Object.runInThisContext (vm.js:97:10)
at Module._compile (module.js:542:28)
at Object.Module._extensions..js (module.js:579:10)
at Module.load (module.js:487:32)
at tryModuleLoad (module.js:446:12)
at Function.Module._load (module.js:438:3)
at Module.require (module.js:497:17)
at require (internal/module.js:20:19)

Hello guys I'm trying to follow the installation steps in the README.md.
And I'm receiving this error from the Lambda output.

Can someone help me with that one?

@em0ney I was testing all resources as per your list.

Covered EC2,RDS and ELB so far all are tagged.
However EBS volumes (root and other volume) that I created with my Ec2 did not get tagged. Ec2 itself was tagged okay.
Was wondering if there is a debug option in auto tag so we get more info in Cloudwatch.

EBS volumes need to be tagged. Pl suggest.

The tags created either adds or overwrites tags to a resource. It would be great if we add tags only if they do not exist. This would help to avoid tags being overwritten by AutoTag.
We need this feature as we want to retain tags like ProductID where user assigned values can be different from the value assigned by AutoTag .

It is failing to launch stack with this error:

Error occurred while GetObject. S3 Error Code: NoSuchKey. S3 Error Message: The specified key does not exist.

AWS::Lambda::Function
AutoTagLambdaFunction

Hi again
Currently, we have a new feature requirement to implement. Here's the scenario, when we're going to launch a new ec2 instance and the new instance has already been tagged as certain key/value using userdata or whatever. By default, the new instance will be tagged by auto-tag function as well.
Is that possible that the auto-tag function won't perform the tagging operation after detecting that the ec2 has already been tagged with specific tags ?
Appreciate it for your answer, many thanks

gorillastack-autotag-releases-ca-central-1 results in "Error occurred while GetObject. S3 Error Code: NoSuchBucket. S3 Error Message: The specified bucket does not exist".

This might be a case for a map.

Are we expect to install a stack in every region we want to monitor?

The Gemfile for the retro_tagging tool seems to be lacking the following lines:

gem 'terminal-table'
gem 'pastel'
gem 'docopt'

Without adding those, the retro_tag.rb script fails with errors of the following type:

Traceback (most recent call last):
	2: from retro_tag.rb:8:in `<main>'
	1: from /usr/local/lib/ruby/site_ruby/2.5.0/rubygems/core_ext/kernel_require.rb:59:in `require'
/usr/local/lib/ruby/site_ruby/2.5.0/rubygems/core_ext/kernel_require.rb:59:in `require': cannot load such file -- terminal-table (LoadError)