
Comments (8)

jckuester avatar jckuester commented on June 10, 2024 1

The problem is that the AWS API always returns empty tags for aws_iam_user resources (tags must be fetched via a separate API call). Do you see any tags? This will be fixed in my PR #102 that fetches all tags via Terraform.

I'll merge that later today.

from awsweeper.

jckuester avatar jckuester commented on June 10, 2024 1

Hi @showerlee,

  1. Yes, you want to use #100, which fixes that inline policies are deleted from a user first before deleting the user (otherwise deleting the user fails).

  2. What you see here are just attachments of policies to the users (the policies themselves are not deleted). The attachments have no tags. Maybe it's confusing to show aws_iam_user_policy_attachment resources and they should be hidden from the printed list of resources (they are not real resources, same as inline policies, aka aws_iam_user_policy resources)?

You can use #100 already if you want (tests are green).

from awsweeper.

jckuester avatar jckuester commented on June 10, 2024 1

The install.sh script only works for official releases and I haven't released a new version yet (I will release v0.9.0 tomorrow that includes all the changes).

For now, you can clone the master branch and run go build.

from awsweeper.

showerlee avatar showerlee commented on June 10, 2024

Got it, #102 would be a big change.
Looking forward to seeing any magic. 👍

from awsweeper.

jckuester avatar jckuester commented on June 10, 2024

I merged the PR and tags are working now. However, I still need to work something out to delete aws_iam_user_policy_attachment resources. If policies are attached, IAM users can currently not be deleted. Fix is coming in #100.

from awsweeper.
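
Added example, not from the thread or from awsweeper's code: the deletion order discussed in this thread (inline policies and attachments go first, then the user), run against a constructed in-memory stand-in for IAM. `fakeIAM`, `SweepUser` and `newSample` are hypothetical names, and the stand-in models only the two dependencies mentioned here.

```go
package main

import (
	"errors"
	"fmt"
)

var ErrDeleteConflict = errors.New("DeleteConflict") // mirrors IAM's error code

// fakeIAM is a constructed in-memory stand-in for the IAM API (not the AWS SDK).
type fakeIAM struct {
	users, policies  map[string]bool            // existing users / managed policies
	inline, attached map[string]map[string]bool // user -> inline names / attached ARNs
}

// DeleteUser refuses while inline policies or attachments remain on the user.
func (f *fakeIAM) DeleteUser(u string) error {
	if len(f.inline[u]) > 0 || len(f.attached[u]) > 0 {
		return ErrDeleteConflict
	}
	delete(f.users, u)
	return nil
}

// SweepUser clears inline policies and attachments first, then deletes the user.
func SweepUser(f *fakeIAM, u string) error {
	for name := range f.inline[u] {
		delete(f.inline[u], name) // IAM operation: DeleteUserPolicy
	}
	for arn := range f.attached[u] {
		delete(f.attached[u], arn) // IAM operation: DetachUserPolicy; f.policies untouched
	}
	return f.DeleteUser(u)
}

func newSample() *fakeIAM { // constructed sample data; user and inline names are made up
	arn := "arn:aws:iam::aws:policy/AmazonS3FullAccess"
	return &fakeIAM{
		users:    map[string]bool{"trainee": true},
		policies: map[string]bool{arn: true},
		inline:   map[string]map[string]bool{"trainee": {"accesskey_policy": true}},
		attached: map[string]map[string]bool{"trainee": {arn: true}},
	}
}

func main() {
	f := newSample()
	fmt.Println("direct:", f.DeleteUser("trainee"), "swept:", SweepUser(f, "trainee"))
}
```

The managed policy is still present after the sweep, which matches the point made in the thread that an attachment is only a link and removing it does not delete the policy.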

showerlee avatar showerlee commented on June 10, 2024

Hi @jckuester, based on my scenario,
I have two questions:

  1. For now all my IAM users are attached to an inline policy from group xxx, so is that still the case that needs to be fixed via the coming #100, since I can still filter out all the users with the proper owner tag configured after installing the latest version?

  2. I saw awsweeper prints a bunch of AWS managed policies and customer managed policies that need to be deleted in aws_iam_user_policy_attachment:

---
	Type: aws_iam_user_policy_attachment
	Found: 11

		Id:		arn:aws:iam::xxxxxx:policy/xxx_training_group_accesskey_policy

		Id:		arn:aws:iam::xxxxxx:policy/xxx_training_group_accesskey_policy

		Id:		arn:aws:iam::xxxxxx:policy/xxx_training_group_accesskey_policy

		Id:		arn:aws:iam::aws:policy/AmazonRDSFullAccess

		Id:		arn:aws:iam::aws:policy/AmazonEC2FullAccess

		Id:		arn:aws:iam::aws:policy/IAMFullAccess

		Id:		arn:aws:iam::aws:policy/AmazonS3FullAccess

		Id:		arn:aws:iam::aws:policy/CloudWatchFullAccess

		Id:		arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess

		Id:		arn:aws:iam::xxxxxxx:policy/xxxx_training_group_accesskey_policy

		Id:		arn:aws:iam::xxxxxxx:policy/xxx_training_group_accesskey_policy

	---

I can't see what the tag is on those policies or how to add/delete a tag on a current policy. Is that what we expected?

Feel free to let me know what your thoughts are.

from awsweeper.

showerlee avatar showerlee commented on June 10, 2024

Hi @jckuester, thanks for the detailed explanation.
It looks like #100 doesn't take effect.
After I removed the old ./bin/awsweeper and .terradozer and reinstalled 0.8.0,
I still filter out all the IAM users with the proper tag that shouldn't be removed.

Is there anything else I need to configure for #100?

from awsweeper.

jckuester avatar jckuester commented on June 10, 2024

Released in https://github.com/jckuester/awsweeper/releases/tag/v0.9.0

from awsweeper.
