Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

The iam.iam-policy is not obeying tag absence filters

See original GitHub issue

Describe the bug

The AWS Resource iam.iam-policy is not obeying tag filters

To Reproduce

Create an IAM Policy which has three tags ‘Alpha’, ‘Bravo’ and ‘Charlie’
Create a Cloud Custodian Policy to find IAM Policies missing AWS Tags:

policies:
  - name: tag-noncompliance-aws-iam-policy
    mode: 
      type: pull
    resource: aws.iam-policy
    filters:
      - or:
          - "tag:Alpha": absent
          - "tag:Bravo": absent
          - "tag:Charlie": absent

Run the policy and observe that tagged resources are returned when they do not match any absent tag filter.

Expected behavior

The tagged policies should not be returned as they have all of the tags which we are filtering on being absent.

Background (please complete the following information):

OS: OSX 10.15.7
Python Version: 3.7.6
Custodian Version: 0.9.11
Tool Version: N/A
Cloud Provider: AWS
Policy: [please exclude any account/sensitive information]

policies:
  - name: tag-noncompliance-aws-iam-policy
    mode: 
      type: pull
    resource: aws.iam-policy
    filters:
      - or:
          - "tag:Alpha": absent
          - "tag:Bravo": absent
          - "tag:Charlie": absent

Traceback: N/A No error.
custodian version --debug output

Please copy/paste the following info along with any bug reports:

Custodian:   0.9.11
Python:      3.7.6 (v3.7.6:43364a7ae0, Dec 18 2019, 14:18:50)
             [Clang 6.0 (clang-600.0.57)]
Platform:    posix.uname_result(sysname='Darwin', nodename='TASTLE-M-72NB', release='19.6.0', version='Darwin Kernel Version 19.6.0: Tue Jan 12 22:13:05 PST 2021; root:xnu-6153.141.16~1/RELEASE_X86_64', machine='x86_64')
Using venv:  True
Docker: False
Installed:

argcomplete==1.12.2
attrs==20.3.0
boto3==1.17.33
botocore==1.20.33
importlib-metadata==3.7.3
jmespath==0.10.0
jsonpickle==1.3
jsonschema==3.2.0
pyrsistent==0.17.3
python-dateutil==2.8.1
pyyaml==5.4.1
s3transfer==0.3.6
setuptools==41.2.0
six==1.15.0
tabulate==0.8.9
typing-extensions==3.7.4.3
urllib3==1.26.4
zipp==3.4.1

Additional context

I suspect that the tags on the IAM Policy are not being loaded at all. This is why the policy filtering on them being absent always matches. It always matches because no tags are present.

Issue Analytics

State:
Created 2 years ago
Comments:6 (6 by maintainers)

Top GitHub Comments

1reaction

trastlecommented, Jun 14, 2021

Thanks @ajkerrigan I’ve opened a PR for the change here: https://github.com/cloud-custodian/cloud-custodian/pull/6751

I’d seen universal_taggable during my earlier investigation but I’d removed that change from my patch as unnecessary as I couldn’t see that it was doing. Which makes sense now as in this instance I was not trying to mutate tags using c7n.

0reactions

ajkerrigancommented, Jun 10, 2021

That’s great news @trastle, thanks for sticking with this one!

For the record I was dead wrong - I was working in us-east-2 which let me set but not see tags on global IAM resources. Silly, silly. Custodian is smart enough to flip to us-east-1 and “just work” in those cases.

As far as applying tags goes, I’d suggest specifying universal_taggable as in this example. A PR with the universal_augment and universal_taggable bits would be most appreciated.