aws_iam_user doesn't work via new feature #101 in v0.8.0 #103

Open
showerlee opened this issue May 22, 2020 · 8 comments
Comments


showerlee commented May 22, 2020

Hi @jckuester, just to let you know there may be a bug with aws_iam_user in #101.
I confirmed that all the IAM users in my AWS account have already been tagged with Owner, and the awsweeper policy is the following:

```yaml
aws_iam_user:
  - tags:
      NOT(Owner): .*
```

The result after applying this policy shows that it filters out all IAM users, which actually shouldn't be filtered out.

The other resources using the same #101 pattern look good for now.

Feel free to let me know if anything is misconfigured on my side.


jckuester commented May 22, 2020

The problem is that the AWS API always returns empty tags for aws_iam_user resources (tags must be fetched via a separate API call). Do you see any tags? This will be fixed in my PR #102, which fetches all tags via Terraform.

I'll merge that later today.
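The failure mode in the comment above is worth seeing in code, because it is the worst one a deletion tool can have: a negated tag rule such as `NOT(Owner): .*` evaluated against an empty tag map selects every user. The following is an added example, not awsweeper's own code; `fakeIAM`, `TagFetcher`, `selectBuggy` and `selectFixed` are assumed names standing in for the ListUsers/ListUserTags calls and the filter logic, with constructed sample users. It reproduces the v0.8.0 result and then the corrected behaviour, and additionally fails closed (skips the user) when the per-user tag lookup errors, so that "tags unknown" is never treated as "no tags".

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// IAMUser mirrors the fields relevant here. The real ListUsers response
// carries no tags; they must be fetched separately with ListUserTags.
type IAMUser struct {
	Name string
	Tags map[string]string // always empty when populated from ListUsers
}

// TagFetcher abstracts iam:ListUserTags so the example runs offline (assumed name).
type TagFetcher interface {
	UserTags(name string) (map[string]string, error)
}

// fakeIAM is a constructed stand-in for the AWS API (example data, not real).
type fakeIAM struct {
	tags map[string]map[string]string // user name -> tags
	fail map[string]bool              // users whose ListUserTags call fails
}

func (f fakeIAM) UserTags(name string) (map[string]string, error) {
	if f.fail[name] {
		return nil, errors.New("AccessDenied: iam:ListUserTags")
	}
	return f.tags[name], nil
}

// TagFilter models one awsweeper-style tag rule such as `NOT(Owner): .*`:
// a key, a value regexp, and whether the match is negated.
type TagFilter struct {
	Key     string
	Pattern *regexp.Regexp
	Negate  bool
}

// Matches reports whether a resource with these tags is selected for deletion.
// With Negate set, selection happens when NO tag with that key matches the
// pattern, which is exactly why an empty tag map selects every user.
func (f TagFilter) Matches(tags map[string]string) bool {
	v, ok := tags[f.Key]
	matched := ok && f.Pattern.MatchString(v)
	if f.Negate {
		return !matched
	}
	return matched
}

// selectBuggy evaluates the filter against the (always empty) tags that
// come back from ListUsers, reproducing the v0.8.0 behaviour in the issue.
func selectBuggy(users []IAMUser, f TagFilter) []string {
	var out []string
	for _, u := range users {
		if f.Matches(u.Tags) {
			out = append(out, u.Name)
		}
	}
	return out
}

// selectFixed fetches tags per user first. If the lookup fails the user is
// skipped (fail closed) rather than evaluated against an empty map.
func selectFixed(users []IAMUser, api TagFetcher, f TagFilter) (selected, skipped []string) {
	for _, u := range users {
		tags, err := api.UserTags(u.Name)
		if err != nil {
			skipped = append(skipped, u.Name)
			continue
		}
		if f.Matches(tags) {
			selected = append(selected, u.Name)
		}
	}
	return selected, skipped
}

func main() {
	// Constructed sample data: ListUsers never carries tags.
	users := []IAMUser{{Name: "alice"}, {Name: "bob"}, {Name: "svc-deploy"}}
	api := fakeIAM{tags: map[string]map[string]string{
		"alice":      {"Owner": "alice@example.com"},
		"bob":        {"Owner": "bob@example.com"},
		"svc-deploy": {}, // untagged: the only user the policy should catch
	}}
	notOwner := TagFilter{Key: "Owner", Pattern: regexp.MustCompile(`.*`), Negate: true}

	fmt.Println("buggy:", selectBuggy(users, notOwner)) // all three users
	sel, skip := selectFixed(users, api, notOwner)
	fmt.Println("fixed:", sel, "skipped:", skip) // [svc-deploy] []
}
```

Note that `.*` also matches an empty Owner value, so a user tagged `Owner=""` is treated as owned; if that is not wanted, use a pattern such as `.+` in the rule.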

showerlee (Author) commented

Got it, #102 would be a big change.
Looking forward to seeing any magic. 👍


jckuester commented May 22, 2020

I merged the PR and tags are working now. However, I still need to work something out to delete aws_iam_user_policy_attachment resources. If policies are attached, IAM users can currently not be deleted. Fix is coming in #100


showerlee commented May 23, 2020

Hi @jckuester, based on my scenario,
I have two questions:

  1. For now all my IAM users are attached to an inline policy from group xxx, so is that still the case that needs to be fixed via the coming "Handle inline and attached policies for iam_user resource" #100, since I can still filter out all the users with a proper Owner tag configured after installing the latest version?

  2. I saw awsweeper print a bunch of AWS managed and customer managed policies that need to be deleted under aws_iam_user_policy_attachment:

```text
---
	Type: aws_iam_user_policy_attachment
	Found: 11

		Id:		arn:aws:iam::xxxxxx:policy/xxx_training_group_accesskey_policy
		Id:		arn:aws:iam::xxxxxx:policy/xxx_training_group_accesskey_policy
		Id:		arn:aws:iam::xxxxxx:policy/xxx_training_group_accesskey_policy
		Id:		arn:aws:iam::aws:policy/AmazonRDSFullAccess
		Id:		arn:aws:iam::aws:policy/AmazonEC2FullAccess
		Id:		arn:aws:iam::aws:policy/IAMFullAccess
		Id:		arn:aws:iam::aws:policy/AmazonS3FullAccess
		Id:		arn:aws:iam::aws:policy/CloudWatchFullAccess
		Id:		arn:aws:iam::aws:policy/AmazonDynamoDBFullAccess
		Id:		arn:aws:iam::xxxxxxx:policy/xxxx_training_group_accesskey_policy
		Id:		arn:aws:iam::xxxxxxx:policy/xxx_training_group_accesskey_policy
	---
```

I can't see what the tags are on those policies, or how to add/delete a tag on an existing policy. Is that what we expected?

Feel free to let me know what's your thought.


jckuester commented May 23, 2020

Hi @showerlee,

  1. Yes, you want to use Handle inline and attached policies for iam_user resource #100, which fixes that inline policies are deleted from a user first before deleting the user (otherwise deleting the user fails).

  2. What you see here are just attachments of policies to the users (the policies themselves are not deleted). The attachments have no tags. Maybe it's confusing to show aws_iam_user_policy_attachment resources and they should be hidden from the printed list of resources (they are not real resources, same as inline policies, a.k.a. aws_iam_user_policy resources)?

You can use #100 already if you want (tests are green).
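The ordering constraint described in the two comments above (the one at May 22 and this one) is that IAM refuses to delete a user while managed policies are still attached or inline policies still exist, and that only the attachment is removed, never the managed policy itself. The following is an added example, not awsweeper's code or the #100 implementation; `IAMClient` and `fakeIAM` are assumed names wrapping the IAM actions ListAttachedUserPolicies, DetachUserPolicy, ListUserPolicies, DeleteUserPolicy and DeleteUser, and the in-memory fake enforces the same DeleteConflict rule the real API does on constructed data. It contrasts the direct DeleteUser call that fails with the detach-then-delete sequence that succeeds.

```go
package main

import (
	"errors"
	"fmt"
)

// IAMClient abstracts the IAM calls needed to remove a user (assumed name).
// Method names mirror the AWS API actions; the real SDK is assumed to sit behind it.
type IAMClient interface {
	ListAttachedUserPolicies(user string) ([]string, error) // managed policy ARNs
	DetachUserPolicy(user, policyARN string) error
	ListUserPolicies(user string) ([]string, error) // inline policy names
	DeleteUserPolicy(user, policyName string) error
	DeleteUser(user string) error
}

// fakeIAM is a constructed in-memory stand-in that enforces the same rule the
// real API does: DeleteUser fails while anything is still attached to the user.
type fakeIAM struct {
	attached map[string][]string // user -> managed policy ARNs
	inline   map[string][]string // user -> inline policy names
	deleted  map[string]bool
	detached []string // audit trail of DetachUserPolicy calls (ARNs only, policies survive)
}

func (f *fakeIAM) ListAttachedUserPolicies(u string) ([]string, error) { return f.attached[u], nil }
func (f *fakeIAM) ListUserPolicies(u string) ([]string, error)         { return f.inline[u], nil }
func (f *fakeIAM) DetachUserPolicy(u, arn string) error {
	f.detached = append(f.detached, arn)
	f.attached[u] = without(f.attached[u], arn)
	return nil
}
func (f *fakeIAM) DeleteUserPolicy(u, name string) error {
	f.inline[u] = without(f.inline[u], name)
	return nil
}
func (f *fakeIAM) DeleteUser(u string) error {
	if len(f.attached[u]) > 0 || len(f.inline[u]) > 0 {
		return errors.New("DeleteConflict: Cannot delete entity, must detach all policies first")
	}
	f.deleted[u] = true
	return nil
}

func without(list []string, item string) []string {
	var out []string
	for _, v := range list {
		if v != item {
			out = append(out, v)
		}
	}
	return out
}

// DeleteUserNaive is the v0.8.0 behaviour described in the issue: it calls
// DeleteUser directly and fails whenever policies are still attached.
func DeleteUserNaive(api IAMClient, user string) error {
	return api.DeleteUser(user)
}

// DeleteUserWithPolicies detaches managed policies and deletes inline policies
// first, then deletes the user. Detaching removes only the attachment; the
// managed policy (customer or AWS managed) is never deleted.
func DeleteUserWithPolicies(api IAMClient, user string) error {
	arns, err := api.ListAttachedUserPolicies(user)
	if err != nil {
		return fmt.Errorf("list attached policies for %s: %w", user, err)
	}
	for _, arn := range arns {
		if err := api.DetachUserPolicy(user, arn); err != nil {
			return fmt.Errorf("detach %s from %s: %w", arn, user, err)
		}
	}
	names, err := api.ListUserPolicies(user)
	if err != nil {
		return fmt.Errorf("list inline policies for %s: %w", user, err)
	}
	for _, name := range names {
		if err := api.DeleteUserPolicy(user, name); err != nil {
			return fmt.Errorf("delete inline policy %s on %s: %w", name, user, err)
		}
	}
	return api.DeleteUser(user)
}

func main() {
	// Constructed sample: one managed attachment plus one inline policy, like the issue.
	api := &fakeIAM{
		attached: map[string][]string{"alice": {"arn:aws:iam::aws:policy/IAMFullAccess"}},
		inline:   map[string][]string{"alice": {"xxx_training_group_accesskey_policy"}},
		deleted:  map[string]bool{},
	}
	fmt.Println("naive:", DeleteUserNaive(api, "alice"))      // DeleteConflict error
	fmt.Println("ordered:", DeleteUserWithPolicies(api, "alice")) // <nil>
	fmt.Println("deleted:", api.deleted["alice"], "detached:", api.detached)
}
```

Caveat for real accounts: DeleteUser also refuses to run while the user still has group memberships, access keys, a login profile, MFA devices, signing certificates or SSH public keys, so a complete sweeper has to remove those as well; only the policy part of that list is shown here.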


showerlee commented May 24, 2020

Hi @jckuester, thanks for the detailed explanation.
Looks like #100 doesn't take effect.
After I removed the old ./bin/awsweeper and .terradozer and reinstalled 0.8.0,
I still filter out all the IAM users with a proper tag that shouldn't be removed.

Is there anything else I need to config for #100 ?


jckuester commented May 24, 2020

The install.sh script only works for official releases and I haven't released a new version yet (I will release v0.9.0 tomorrow that includes all the changes).

For now, you can clone the master branch and run go build.
