serverless-tag-resources 1.2.51 → 3.0.0

package/package.json

@@ -1,10 +1,16 @@
 {
   "name": "serverless-tag-resources",
-  "version": "1.2.51",
-  "description": "Datamart Solution: Tag all aws resources",
+  "version": "3.0.0",
+  "description": "Datamart: Tag all AWS resources with dual legacy + datamart:* tag support",
   "main": "index.js",
+  "files": [
+    "index.js",
+    "src/"
+  ],
   "scripts": {
-    "test": "echo \"Error: no test specified\" && exit 1"
+    "test": "jest",
+    "test:verbose": "jest --verbose",
+    "test:coverage": "jest --coverage"
   },
   "repository": {
     "type": "git",
@@ -13,16 +19,25 @@
   "keywords": [
     "serverless",
     "tags",
-    "stage",
     "plugin",
-    "tag",
     "aws",
     "resource",
-    "tagging"
+    "tagging",
+    "datamart",
+    "finops"
   ],
   "author": "Yunier Saborit <ysaborit@gmail.com>",
   "license": "ISC",
   "dependencies": {
-    "aws-sdk": "^2.864.0"
+    "@aws-sdk/client-apigatewayv2": "^3.700.0",
+    "@aws-sdk/client-cloudformation": "^3.700.0",
+    "@aws-sdk/client-ec2": "^3.700.0",
+    "@aws-sdk/client-firehose": "^3.700.0",
+    "@aws-sdk/client-pinpoint": "^3.700.0",
+    "@aws-sdk/client-rds": "^3.700.0",
+    "@aws-sdk/client-ssm": "^3.700.0"
+  },
+  "devDependencies": {
+    "jest": "^30.3.0"
   }
 }

package/src/aws-clients.js

@@ -0,0 +1,59 @@
+"use strict";
+
+/**
+ * AWS SDK v3 client factory.
+ * Lazily creates and caches clients per service+region.
+ */
+
+const clientCache = new Map();
+
+/**
+ * Get or create an AWS SDK v3 client.
+ *
+ * @param {Function} ClientClass - SDK v3 client constructor (e.g. CloudFormationClient)
+ * @param {object} config - { region, credentials }
+ * @returns {object} cached client instance
+ */
+function getClient(ClientClass, config) {
+  const key = `${ClientClass.name}:${config.region}`;
+  if (!clientCache.has(key)) {
+    clientCache.set(key, new ClientClass(config));
+  }
+  return clientCache.get(key);
+}
+
+/**
+ * Clear client cache (useful for testing).
+ */
+function clearClients() {
+  clientCache.clear();
+}
+
+/**
+ * Extract SDK v3 compatible config from Serverless provider.
+ *
+ * @param {object} awsProvider - serverless.getProvider('aws')
+ * @returns {object} { region, credentials }
+ */
+function configFromProvider(awsProvider) {
+  const region = awsProvider.getRegion();
+  const creds = awsProvider.getCredentials();
+
+  // Serverless v3 provides credentials in different formats
+  // depending on the provider. Normalize for SDK v3.
+  const config = { region };
+
+  if (creds.credentials) {
+    config.credentials = creds.credentials;
+  } else if (creds.accessKeyId) {
+    config.credentials = {
+      accessKeyId: creds.accessKeyId,
+      secretAccessKey: creds.secretAccessKey,
+      sessionToken: creds.sessionToken,
+    };
+  }
+
+  return config;
+}
+
+module.exports = { getClient, clearClients, configFromProvider };

package/src/post-deploy/apigatewayv2.js

@@ -0,0 +1,42 @@
+"use strict";
+
+const {
+  ApiGatewayV2Client,
+  TagResourceCommand,
+} = require("@aws-sdk/client-apigatewayv2");
+const { getClient } = require("../aws-clients");
+
+async function tagApiGatewayV2(config, resource, tagsMap, partition, region, allStackResources) {
+  const client = getClient(ApiGatewayV2Client, config);
+
+  switch (resource.ResourceType) {
+    case "AWS::ApiGatewayV2::Api": {
+      const arn = `arn:${partition}:apigateway:${region}::/apis/${resource.PhysicalResourceId}`;
+      await client.send(new TagResourceCommand({ ResourceArn: arn, Tags: tagsMap }));
+      break;
+    }
+    case "AWS::ApiGatewayV2::Stage": {
+      // Find the parent API in the same stack
+      const apiResource = allStackResources.find(
+        (r) => r.ResourceType === "AWS::ApiGatewayV2::Api"
+      );
+      if (apiResource) {
+        const arn = `arn:${partition}:apigateway:${region}::/apis/${apiResource.PhysicalResourceId}/stages/${resource.PhysicalResourceId}`;
+        await client.send(new TagResourceCommand({ ResourceArn: arn, Tags: tagsMap }));
+      }
+      break;
+    }
+    case "AWS::ApiGatewayV2::DomainName": {
+      const arn = `arn:${partition}:apigateway:${region}::/domainnames/${resource.PhysicalResourceId}`;
+      await client.send(new TagResourceCommand({ ResourceArn: arn, Tags: tagsMap }));
+      break;
+    }
+    case "AWS::ApiGatewayV2::VpcLink": {
+      const arn = `arn:${partition}:apigateway:${region}::/vpclinks/${resource.PhysicalResourceId}`;
+      await client.send(new TagResourceCommand({ ResourceArn: arn, Tags: tagsMap }));
+      break;
+    }
+  }
+}
+
+module.exports = { tagApiGatewayV2 };

package/src/post-deploy/ec2-related.js

@@ -0,0 +1,78 @@
+"use strict";
+
+const {
+  EC2Client,
+  DescribeInstancesCommand,
+  DescribeAddressesCommand,
+  CreateTagsCommand,
+} = require("@aws-sdk/client-ec2");
+const { getClient, } = require("../aws-clients");
+const { excludeAwsTags } = require("../tags");
+
+/**
+ * Tag EC2 instance related resources: EBS volumes, ENIs, EIPs, Security Groups.
+ */
+async function tagEC2RelatedResources(config, resource, tags) {
+  const client = getClient(EC2Client, config);
+
+  const describeResult = await client.send(
+    new DescribeInstancesCommand({
+      InstanceIds: [resource.PhysicalResourceId],
+    })
+  );
+
+  const resourceIds = [];
+
+  for (const reservation of describeResult.Reservations || []) {
+    const ownerId = reservation.OwnerId;
+
+    for (const instance of reservation.Instances || []) {
+      // EBS Volumes
+      for (const bdm of instance.BlockDeviceMappings || []) {
+        if (bdm.Ebs && bdm.Ebs.VolumeId) {
+          resourceIds.push(bdm.Ebs.VolumeId);
+        }
+      }
+
+      // Network Interfaces
+      for (const eni of instance.NetworkInterfaces || []) {
+        resourceIds.push(eni.NetworkInterfaceId);
+
+        // Elastic IPs (only if owned by same account)
+        if (eni.Association && eni.Association.IpOwnerId === ownerId) {
+          const eipResult = await client.send(
+            new DescribeAddressesCommand({
+              PublicIps: [eni.Association.PublicIp],
+            })
+          );
+          for (const addr of eipResult.Addresses || []) {
+            resourceIds.push(addr.AllocationId);
+          }
+        }
+
+        // Security Groups
+        for (const sg of eni.Groups || []) {
+          resourceIds.push(sg.GroupId);
+        }
+      }
+    }
+  }
+
+  if (resourceIds.length > 0) {
+    // Use existing instance tags (excluding aws: reserved) as base
+    const instanceTags =
+      describeResult.Reservations?.[0]?.Instances?.[0]?.Tags || [];
+    const filteredTags = excludeAwsTags(instanceTags);
+
+    await client.send(
+      new CreateTagsCommand({
+        Resources: resourceIds,
+        Tags: filteredTags.length > 0 ? filteredTags : tags,
+      })
+    );
+  }
+
+  return resourceIds;
+}
+
+module.exports = { tagEC2RelatedResources };

package/src/post-deploy/firehose.js

@@ -0,0 +1,20 @@
+"use strict";
+
+const {
+  FirehoseClient,
+  TagDeliveryStreamCommand,
+} = require("@aws-sdk/client-firehose");
+const { getClient } = require("../aws-clients");
+
+async function tagFirehoseStream(config, resource, tags) {
+  const client = getClient(FirehoseClient, config);
+
+  await client.send(
+    new TagDeliveryStreamCommand({
+      DeliveryStreamName: resource.PhysicalResourceId,
+      Tags: tags,
+    })
+  );
+}
+
+module.exports = { tagFirehoseStream };

package/src/post-deploy/pinpoint.js

@@ -0,0 +1,25 @@
+"use strict";
+
+const {
+  PinpointClient,
+  GetAppCommand,
+  TagResourceCommand,
+} = require("@aws-sdk/client-pinpoint");
+const { getClient } = require("../aws-clients");
+
+async function tagPinpointApp(config, resource, tagsMap) {
+  const client = getClient(PinpointClient, config);
+
+  const app = await client.send(
+    new GetAppCommand({ ApplicationId: resource.PhysicalResourceId })
+  );
+
+  await client.send(
+    new TagResourceCommand({
+      ResourceArn: app.ApplicationResponse.Arn,
+      TagsModel: { tags: tagsMap },
+    })
+  );
+}
+
+module.exports = { tagPinpointApp };

package/src/post-deploy/rds.js

@@ -0,0 +1,16 @@
+"use strict";
+
+const { RDSClient, AddTagsToResourceCommand } = require("@aws-sdk/client-rds");
+const { getClient } = require("../aws-clients");
+
+async function tagRDSCluster(config, resource, tags, partition, region) {
+  const client = getClient(RDSClient, config);
+  const accountId = resource.StackId.split(":")[4];
+  const arn = `arn:${partition}:rds:${region}:${accountId}:cluster:${resource.PhysicalResourceId}`;
+
+  await client.send(
+    new AddTagsToResourceCommand({ ResourceName: arn, Tags: tags })
+  );
+}
+
+module.exports = { tagRDSCluster };

package/src/post-deploy/ssm.js

@@ -0,0 +1,16 @@
+"use strict";
+
+const { SSMClient, AddTagsToResourceCommand } = require("@aws-sdk/client-ssm");
+const { getClient } = require("../aws-clients");
+
+async function tagSSMParameter(config, resource, tags) {
+  const client = getClient(SSMClient, config);
+  const command = new AddTagsToResourceCommand({
+    ResourceId: resource.PhysicalResourceId,
+    ResourceType: "Parameter",
+    Tags: tags,
+  });
+  await client.send(command);
+}
+
+module.exports = { tagSSMParameter };

package/src/post-deploy-tagger.js

@@ -0,0 +1,95 @@
+"use strict";
+
+const {
+  CloudFormationClient,
+  DescribeStackResourcesCommand,
+} = require("@aws-sdk/client-cloudformation");
+const { getClient } = require("./aws-clients");
+const { buildListTags, buildDictTags } = require("./tags");
+const { needsPostDeployTagging, DICT_BASED_TYPES, API_ONLY_TYPES, RELATED_TYPES } = require("./resource-classifier");
+
+const { tagSSMParameter } = require("./post-deploy/ssm");
+const { tagPinpointApp } = require("./post-deploy/pinpoint");
+const { tagApiGatewayV2 } = require("./post-deploy/apigatewayv2");
+const { tagRDSCluster } = require("./post-deploy/rds");
+const { tagFirehoseStream } = require("./post-deploy/firehose");
+const { tagEC2RelatedResources } = require("./post-deploy/ec2-related");
+
+/**
+ * Post-Deploy Tagger — Hook: after:deploy:deploy
+ *
+ * Tags resources that cannot be fully tagged in the CF template:
+ * dict-based, API-only, and related resources.
+ */
+async function updateTagsPostDeploy(config, stackName, stackTags, stage, partition, region, log) {
+  const cfnClient = getClient(CloudFormationClient, config);
+
+  const result = await cfnClient.send(
+    new DescribeStackResourcesCommand({ StackName: stackName })
+  );
+
+  const allResources = result.StackResources || [];
+
+  for (const resource of allResources) {
+    const type = resource.ResourceType;
+    if (!needsPostDeployTagging(type)) continue;
+
+    const logicalId = resource.LogicalResourceId;
+    const listTags = buildListTags(stackTags, stage, logicalId);
+    const dictTags = buildDictTags(stackTags, stage, logicalId);
+
+    try {
+      // Dict-based types: need API call because CF template tagging
+      // may not fully propagate for some of these types
+      if (DICT_BASED_TYPES.has(type)) {
+        switch (type) {
+          case "AWS::SSM::Parameter":
+            await tagSSMParameter(config, resource, listTags);
+            log(`TAGGING: post-deploy SSM Parameter ${logicalId}`);
+            break;
+          case "AWS::Pinpoint::App":
+            await tagPinpointApp(config, resource, dictTags);
+            log(`TAGGING: post-deploy Pinpoint App ${logicalId}`);
+            break;
+          case "AWS::ApiGatewayV2::Api":
+          case "AWS::ApiGatewayV2::Stage":
+          case "AWS::ApiGatewayV2::DomainName":
+          case "AWS::ApiGatewayV2::VpcLink":
+            await tagApiGatewayV2(config, resource, dictTags, partition, region, allResources);
+            log(`TAGGING: post-deploy ${type} ${logicalId}`);
+            break;
+          // Glue and Batch are tagged in template (dict-based), no post-deploy needed
+        }
+      }
+
+      // API-only types: not tagged in template at all
+      if (API_ONLY_TYPES.has(type)) {
+        switch (type) {
+          case "AWS::RDS::DBCluster":
+            await tagRDSCluster(config, resource, listTags, partition, region);
+            log(`TAGGING: post-deploy RDS Cluster ${logicalId}`);
+            break;
+          case "AWS::KinesisFirehose::DeliveryStream":
+            await tagFirehoseStream(config, resource, listTags);
+            log(`TAGGING: post-deploy Firehose ${logicalId}`);
+            break;
+        }
+      }
+
+      // Related types: tag associated resources (volumes, ENIs, etc.)
+      if (RELATED_TYPES.has(type)) {
+        switch (type) {
+          case "AWS::EC2::Instance": {
+            const relatedIds = await tagEC2RelatedResources(config, resource, listTags);
+            log(`TAGGING: post-deploy EC2 related resources for ${logicalId}: ${relatedIds.length} resources`);
+            break;
+          }
+        }
+      }
+    } catch (err) {
+      log(`TAGGING: ERROR post-deploy ${type} ${logicalId}: ${err.message}`);
+    }
+  }
+}
+
+module.exports = { updateTagsPostDeploy };