I love the project, I ran it and was quite surprised by the results
Using the AWS console is a pretty terrible experience, and without 10,000s of lines of code for AWS Config Custom Rules most of the output of this tool is hidden from users!
That is to say, this simple tool saves me writing all those AWS Config custom rules!
I have a plan to produce 1000s of lines of JSON for SCP, and there is no way I am going to write that by hand, so I am making a generator to produce the desired SCPs - but to code that I need to get a handle on our tags used across the organisation on all of our accounts
The only way to use this tool is to use the hardcoded config path ~/.tagger/config.ini which supports reporting on a single account, and to make this tool support multiple accounts I need to run tagger in sequence per account by programmatically creating this hardcoded config file before running tagger each time - not ideal
This is even less trivial than explained because our access is via assume-role (best practice) and tagger doesn't support IAM Roles, meaning we need to run a separate script to prepare the ~/.aws/config with the session needed for tagger in advance also, and the session is limited to 1 hour, making that other script a just-in-time execution for tagger AND tagger still may fail if it runs longer than 1 hour (which it did overnight due to API rate limits)
All the above challenges are easily addressed by adding simple boto3 IAM role support and a tagger config per execution. Specifically:
- support -c | --config-path cli argument, instead of hardcoding TAGGER_PATH and FILE_PATH
- support IAM Role
- support graceful IAM Role expiry and re-assume
These really are just basic things that need to be done to make tagger usable in any situation with more than a single AWS account (any AWS Organizations would have many AWS accounts)
I have limited time, but I can provide limited help if these are features you want. Maybe get a PR started and add in a draft of these features
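
The three requested features, as an added example that is not tagger's code or the issue author's: a `-c | --config-path` argument defaulting to the path named above, and assumed-role credentials that are re-assumed shortly before they expire. The `--role-arn` option, the `AssumedRole` class, the `tagger` session name and the 5-minute margin are assumptions made for illustration.

```python
import argparse
from datetime import datetime, timedelta, timezone
from pathlib import Path

DEFAULT_CONFIG = Path.home() / ".tagger" / "config.ini"  # path named in the issue


def parse_args(argv=None):
    """-c/--config-path replaces the hardcoded path; --role-arn is hypothetical."""
    p = argparse.ArgumentParser(prog="tagger")
    p.add_argument("-c", "--config-path", type=Path, default=DEFAULT_CONFIG)
    p.add_argument("--role-arn", help="IAM role to assume (hypothetical option)")
    return p.parse_args(argv)


class AssumedRole:
    """Caches sts:AssumeRole credentials and re-assumes shortly before expiry."""

    def __init__(self, sts, role_arn, margin=timedelta(minutes=5),
                 now=lambda: datetime.now(timezone.utc)):
        self.sts, self.role_arn, self.margin, self.now = sts, role_arn, margin, now
        self._creds = None

    def credentials(self):
        # Refresh on first use, or once inside the safety margin before Expiration.
        if self._creds is None or self.now() >= self._creds["Expiration"] - self.margin:
            resp = self.sts.assume_role(RoleArn=self.role_arn,
                                        RoleSessionName="tagger",  # assumed name
                                        DurationSeconds=3600)      # the 1 hour session
            self._creds = resp["Credentials"]
        return self._creds

    def session(self):
        """Build a boto3 session from the current (possibly refreshed) credentials."""
        import boto3  # imported lazily so the refresh logic can be tested without it
        c = self.credentials()
        return boto3.Session(aws_access_key_id=c["AccessKeyId"],
                             aws_secret_access_key=c["SecretAccessKey"],
                             aws_session_token=c["SessionToken"])


if __name__ == "__main__":
    args = parse_args()
    print(f"config: {args.config_path}, role: {args.role_arn}")
```

A long run would call `session()` again before each batch of API calls, so a scan that outlives one hour picks up fresh credentials instead of failing mid-run.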