gorillastack / auto-tag
Automatically tag AWS resources on creation, for cost assignment
License: GNU General Public License v3.0
This tag is created automatically and is used specifically for cost management.
I noticed that a user is able to delete this tag.
So the user should not delete or edit this tag.
Tagging works when I log in as the tester user and launch an EC2 instance via the EC2 console. It creates a tag in the following format:
Key: AutoTag_Creator
Value: arn:aws:iam::1234567890:user/tester
I also use CFT templates to launch an EC2 instance (stack) via Service Catalog. When I log in as the same tester user or any other user and launch an EC2 instance (stack) via Service Catalog, the instance is always tagged with:
Key: AutoTag_Creator
Value: arn:aws:sts::1234567890:assumed-role/LinuxUbuntuServerLaunchRole/servicecatalog
Is there a way to capture and tag the authenticated user (tester) instead of the assumed role?
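The difference between the two tag values above comes from the CloudTrail `userIdentity` element of each event. The sketch below is an added example, not code from the auto-tag project; the helper name `describeCreator` and both sample identities are constructed for illustration from the ARNs quoted in the question.

```javascript
'use strict';

// Constructed CloudTrail userIdentity samples (not captured from a real trail).
const consoleLaunch = {
  type: 'IAMUser',
  arn: 'arn:aws:iam::1234567890:user/tester',
  userName: 'tester',
};
const serviceCatalogLaunch = {
  type: 'AssumedRole',
  arn: 'arn:aws:sts::1234567890:assumed-role/LinuxUbuntuServerLaunchRole/servicecatalog',
  sessionContext: {
    sessionIssuer: {
      type: 'Role',
      arn: 'arn:aws:iam::1234567890:role/LinuxUbuntuServerLaunchRole',
      userName: 'LinuxUbuntuServerLaunchRole',
    },
  },
};

// Hypothetical helper: summarise who CloudTrail says made the API call.
function describeCreator(userIdentity) {
  const id = userIdentity || {};
  const arn = id.arn || null;
  if (id.type === 'AssumedRole' && arn) {
    // arn:aws:sts::<account>:assumed-role/<role name>/<session name>
    const resource = arn.split(':').slice(5).join(':');
    const parts = resource.split('/');
    const issuer = (id.sessionContext || {}).sessionIssuer || {};
    return {
      tagValue: arn,
      principalType: 'AssumedRole',
      roleName: issuer.userName || parts[1] || null,
      sessionName: parts.slice(2).join('/') || null,
      userName: null, // an assumed-role identity carries no top-level userName
    };
  }
  return {
    tagValue: arn,
    principalType: id.type || 'Unknown',
    roleName: null,
    sessionName: null,
    userName: id.userName || null,
  };
}
```

For the Service Catalog sample the identity on the event is the launch role and its session name, which is why the tag holds the role ARN.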
{
"errorMessage": "Cannot read property '0' of undefined",
"errorType": "TypeError",
"stackTrace": [
"/var/task/aws_cloud_trail_log_listener.js:119:58",
"AwsCloudTrailLogListener.retrieveLogFileDetails (/var/task/aws_cloud_trail_log_listener.js:117:14)",
"_callee$ (/var/task/aws_cloud_trail_log_listener.js:66:30)",
"tryCatch (/var/task/regenerator-runtime/runtime.js:65:40)",
"GeneratorFunctionPrototype.invoke [as _invoke] (/var/task/regenerator-runtime/runtime.js:303:22)",
"GeneratorFunctionPrototype.prototype.(anonymous function) [as next] (/var/task/regenerator-runtime/runtime.js:117:21)",
"onFulfilled (/var/task/co/index.js:65:19)",
"/var/task/co/index.js:54:5",
"co (/var/task/co/index.js:50:10)",
"AwsCloudTrailLogListener.execute (/var/task/aws_cloud_trail_log_listener.js:58:31)"
]
}
Error while running the lambda for retroTagging
How do you tag multiple regions? Updating CodeS3Bucket with "gorillastack-autotag-releases-ap-northeast-1, gorillastack-autotag-releases-us-west-2" did not work.
Getting this error in Lambda function after creating an IAM role to test autotag with latest git pull:
Syntax error in module 'autotag_event': SyntaxError
const handler = async (cloudtrailEvent, context) => {
^
SyntaxError: Unexpected token (
at createScript (vm.js:56:10)
at Object.runInThisContext (vm.js:97:10)
at Module._compile (module.js:542:28)
at Object.Module._extensions..js (module.js:579:10)
at Module.load (module.js:487:32)
at tryModuleLoad (module.js:446:12)
at Function.Module._load (module.js:438:3)
at Module.require (module.js:497:17)
at require (internal/module.js:20:19)
Currently, after receiving an event, we construct the role to assume using the recipient account id (good) with the stack name (bad, as it changes between different stacks).
Need to either use a constant role name, or add a parameter to the stack, such that we can easily roll out across many accounts.
I'm pretty new to Lambda and had to make a change to get auto-tag working and just wanted to make sure it wasn't something I missed.
For the role that has permission to tag items, I had to update its Trust Relationship, specifying the Lambda role to be trusted. By default it was "service: lambda.amazonaws.com".
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::[account running lambda]:role/AutoTagLambdaRole"
},
"Action": "sts:AssumeRole"
}
]
}
Without doing this, I get the following:
User: arn:aws:sts::[my account]:assumed-role/AutoTagLambdaRole/awslambda_20160209121944195 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::[my account]:role/AutoTagRole
It is the AutoTagLambdaRole that appears to need to be trusted, not lambda.amazonaws.com.
If this is correct, I'll happily update the doco.
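The AccessDenied result reported above can be reproduced offline by comparing the two trust relationships against the caller. This is an added example, not part of the auto-tag code base; `trustPolicyAllows` is a hypothetical, simplified helper, and the account id 111122223333 is a constructed placeholder for "[account running lambda]".

```javascript
'use strict';

// Constructed placeholder ARN for the Lambda execution role.
const LAMBDA_ROLE = 'arn:aws:iam::111122223333:role/AutoTagLambdaRole';

// Trust relationship as described "by default" in the post above.
const defaultTrust = {
  Version: '2012-10-17',
  Statement: [{ Effect: 'Allow', Principal: { Service: 'lambda.amazonaws.com' }, Action: 'sts:AssumeRole' }],
};
// Trust relationship after the change shown in the post above.
const updatedTrust = {
  Version: '2012-10-17',
  Statement: [{ Effect: 'Allow', Principal: { AWS: LAMBDA_ROLE }, Action: 'sts:AssumeRole' }],
};

const asArray = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// True when one Principal.AWS entry covers the caller: a wildcard, the exact
// role ARN, the caller's account root ARN, or the bare account id.
function principalMatches(entry, callerArn) {
  const account = callerArn.split(':')[4];
  return entry === '*' || entry === callerArn || entry === account ||
    entry === `arn:aws:iam::${account}:root`;
}

// Simplified check of a role trust policy for one calling IAM role ARN.
// Only Allow statements are read; Condition, Deny and NotPrincipal are
// not evaluated, so a true result is necessary but not sufficient.
function trustPolicyAllows(policy, callerArn) {
  return asArray(policy.Statement).some((st) => {
    if (st.Effect !== 'Allow') return false;
    const aws = st.Principal === '*' ? ['*'] : asArray((st.Principal || {}).AWS);
    const actionOk = asArray(st.Action)
      .some((a) => ['sts:AssumeRole', 'sts:*', '*'].includes(a));
    return actionOk && aws.some((p) => principalMatches(p, callerArn));
  });
}
```

A service-only principal such as `lambda.amazonaws.com` never matches a role ARN in this check, which corresponds to the "is not authorized to perform: sts:AssumeRole" message quoted in the post.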
Hello,
I do already have S3 bucket with trails from multiple accounts in it. What modifications do I need to do to use the existing bucket for cloudtrail logs?
How can I change the tag name? Which file needs modification?
Attempting to implement autotagging across accounts. Seems the functionality exists within the code; however, execution fails with the following error.
2017-06-02T17:40:35.538Z 6cca367d-47ba-11e7-81aa-e3668cf6c658 { [AccessDenied: Not authorized to perform sts:AssumeRole]
message: 'Not authorized to perform sts:AssumeRole',
code: 'AccessDenied'
Current Deployment does currently tag instances created in the account where the lambda is running.
Any configuration assistance would be appreciated, appears this detail is missing from the Readme, or I have overlooked it.
While deploying in ap-southeast-1, I am facing this issue:
The runtime parameter of nodejs4.3 is no longer supported for creating or updating AWS Lambda
functions. We recommend you use the new runtime (nodejs8.10) while creating or updating functions.
(Service: AWSLambdaInternal; Status Code: 400; Error Code: InvalidParameterValueException;
Request ID: XXXXXXXXXXXXXXXXX)
Any workaround for this (as I am not very familiar with Node)?
Hello,
I'm seeing the above error (from Lambda) when a new instance is created. The instance is not being tagged successfully.
I used the "CloudWatch Events Method - Multi-Region" method to install/deploy.
Full error:
Unable to import module 'autotag_event': Error
at Function.Module._resolveFilename (module.js:469:15)
at Function.Module._load (module.js:417:25)
at Module.require (module.js:497:17)
at require (internal/module.js:20:19)
Thanks for taking a look.
In the file https://github.com/GorillaStack/auto-tag/blob/master/cloud_formation/s3object_template/autotag_s3object_main-template.json, at row 71, the runtime is nodejs6.10. Using this template makes the stack roll back at CloudFormation, because Node 6 is deprecated. Simply changing this line to nodejs8.10 works, but as I'm fairly inexperienced at using GitHub, I prefer just writing about this issue instead of creating a pull request.
The same issue seems to be here too: https://github.com/GorillaStack/auto-tag/blob/master/cloud_formation/event_multi_region_template/autotag_event_main-template.rb .
In the first file, the default folder and file are outdated (auto-tag-0.3.0.zip), but that's not a huge problem, as creating my own files is simple.
We will do the following steps in CI/CD:
Simplify the README:
I tested this in my master payer account, ran the templates for the roles in there and separately in one sub-account I am testing with. Then ran the stackset, besides an STS error for most regions, it appeared to run in the 2 regions I use (the errors probably have to do with an SCP I have that limits to these 2 regions)
In any event, I logged on as a test user and created an EC2 and bucket in the test target account, and there is no activity in the Lambda function in the master payer account. Looks like the cloudwatch Auto-Tag CloudTrailLogs rule is there, but nothing is happening.
Will these functions work if we update the Node.js.8.10 versions to Node.js.10.x? Just starting to get EOL messages from Amazon on Node.js.8.x functions.
1/6/2020 customers won't be able to create new functions using 8.10
2/3/2020 customers won't be able to update functions using this version.
existing 8.x functions will continue to be able to process invocation events though
I installed AutoTag on Friday and it seemed to be working fine (I verified it was working). Starting Sunday I started seeing errors and nothing was getting tagged. Here is the error I am seeing
{
"errorMessage": "Cannot read property '0' of undefined",
"errorType": "TypeError",
"stackTrace": [
"/var/task/aws_cloud_trail_listener.js:98:58",
"new Promise (/var/task/node_modules/babel-polyfill/node_modules/core-js/modules/es6.promise.js:193:7)",
"AwsCloudTrailListener.retrieveLogFileDetails (/var/task/aws_cloud_trail_listener.js:96:14)",
"_callee$ (/var/task/aws_cloud_trail_listener.js:62:30)",
"tryCatch (/var/task/node_modules/babel-regenerator-runtime/runtime.js:61:40)",
"GeneratorFunctionPrototype.invoke [as _invoke] (/var/task/node_modules/babel-regenerator-runtime/runtime.js:329:22)",
"GeneratorFunctionPrototype.prototype.(anonymous function) [as next] (/var/task/node_modules/babel-regenerator-runtime/runtime.js:94:21)",
"onFulfilled (/var/task/node_modules/co/index.js:65:19)",
"/var/task/node_modules/co/index.js:54:5",
"new Promise (/var/task/node_modules/babel-polyfill/node_modules/core-js/modules/es6.promise.js:193:7)"
]
}
The CloudTrail logs seem fine. I was able to download them and see valid content. If there are instructions to self host the code with modifications that will help a lot.
I successfully created the "autotag" CloudFormation stack using the instructions in the readme in this repo. I can see the cloudtrail logs being generated in the S3 bucket that the stack creates, however, I'm not seeing any tags being added after I launch a new EC2 instance.
Perhaps I missed a step in the auto-tag setup or the instance launch process that tells the tags to auto add themselves? Let me know if you need any additional info from me that would be helpful in figuring out what's going on.
Thanks in advance!
START RequestId: a01677f8-6242-11e7-b1a2-b9666a07d848 Version: $LATEST
2017-07-06T12:02:51.261Z a01677f8-6242-11e7-b1a2-b9666a07d848 { [Error: incorrect header check] errno: -3, code: 'Z_DATA_ERROR' }
2017-07-06T12:02:51.262Z a01677f8-6242-11e7-b1a2-b9666a07d848 Error: incorrect header check
at Zlib._handle.onerror (zlib.js:363:17)
2017-07-06T12:02:51.319Z a01677f8-6242-11e7-b1a2-b9666a07d848
{
"errorMessage": "incorrect header check",
"errorType": "Error",
"stackTrace": [
"Zlib._handle.onerror (zlib.js:363:17)"
]
}
END RequestId: a01677f8-6242-11e7-b1a2-b9666a07d848
Hi all,
I successfully created the template but am unable to tag the resource after deploying the template through CloudFormation. Are there any extra steps that have to be done after deploying the CloudFormation template? If so, please tell me the details.
The autotag-0.3.0.zip version of the code that the cloudformation template installs from S3 seems to have had a major refactor from the tagged 0.3.0 version in github.
This is not only strange but a bit concerning since anyone checking out this repo and following the setup instructions is running code that is quite different from what they would assume.
Hi Guys,
Thanks so much for this solution! When I attempt to edit some of the react classes and components within your zip file and upload the refactored code to Lambda, I receive the following error. Not sure what's going on as the file still contains all of the same modules before the changes I've made.
I have specifically changed static variables and functions in the autotag_default_worker.js file. I am attempting to retrieve the User Name vice the ARN from AWS.
var AUTOTAG_TAG_NAME = 'User';
var ROLE_PREFIX = 'arn:aws:iam::';
var ROLE_SUFFIX = ':role';
var DEFAULT_STACK_NAME = 'autotag';
var MASTER_ROLE_NAME = 'AutoTagMasterRole';
var MASTER_ROLE_PATH = '/gorillastack/autotag/master/';
key: 'getAutotagPair',
value: function getAutotagPair() {
return {
Key: this.getTagName(),
Value: this.getTagValue()
};
}
}, {
key: 'getTagName',
value: function getTagName() {
return AUTOTAG_TAG_NAME;
}
}, {
key: 'getTagValue',
value: function getTagValue() {
return this.event.userIdentity.userName;
}
}]);
return AutotagDefaultWorker;
}();
Here is the error message I receive in Lambda.
{
"errorMessage": "Cannot find module '/var/task/autotag'",
"errorType": "Error",
"stackTrace": [
"Function.Module._load (module.js:276:25)",
"Module.require (module.js:353:17)",
"require (internal/module.js:12:17)"
]
}
Please let me know your thoughts.
Kind Regards
-Pat
As of now, tagging is supported in IAM resources as well. This is very helpful on who has created a particular user, etc.
I was going through the docs of AWS and there are several more resources that can be tagged:
I observed the following errors in CloudWatch logs regularly. This behavior was seen in 0.2.0 as well as in 0.3.0.
Auto Tag is adding tags to EC2 and S3 (not tested the rest), but I wonder what cases are missing.
{
"errorMessage": "Cannot read property 'instancesSet' of null",
"errorType": "TypeError",
"stackTrace": [
"AutotagEC2Worker.getInstanceId (/var/task/workers/autotag_ec2_worker.js:105:41)",
"_callee$ (/var/task/workers/autotag_ec2_worker.js:71:53)",
"tryCatch (/var/task/node_modules/babel-regenerator-runtime/runtime.js:61:40)",
"GeneratorFunctionPrototype.invoke [as _invoke] (/var/task/node_modules/babel-regenerator-runtime/runtime.js:329:22)",
"GeneratorFunctionPrototype.prototype.(anonymous function) [as next] (/var/task/node_modules/babel-regenerator-runtime/runtime.js:94:21)",
"onFulfilled (/var/task/node_modules/co/index.js:65:19)",
"run (/var/task/node_modules/babel-polyfill/node_modules/core-js/modules/es6.promise.js:89:22)",
"/var/task/node_modules/babel-polyfill/node_modules/core-js/modules/es6.promise.js:102:28",
"flush (/var/task/node_modules/babel-polyfill/node_modules/core-js/modules/_microtask.js:18:9)",
"nextTickCallbackWith0Args (node.js:415:9)"
]
}
I have been using Autotag for almost a month now, and it is functioning satisfactorily in all the regions. Now, I need to cover all my accounts. Can you explain how to move with that?
Just for your review, I created a role in my other account and trusted my account where autotag is working, I also added an inline policy in my Autotag execution role to assume the role in the other account. However, it is still not working. What else is needed?