serverless-tag-resources 1.2.51 → 3.1.0

package/package.json

@@ -1,28 +1,43 @@
 {
   "name": "serverless-tag-resources",
-  "version": "1.2.51",
-  "description": "Datamart Solution: Tag all aws resources",
+  "version": "3.1.0",
+  "description": "Datamart: Tag all AWS resources with dual legacy + datamart:* tag support",
   "main": "index.js",
+  "files": [
+    "index.js",
+    "src/"
+  ],
   "scripts": {
-    "test": "echo \"Error: no test specified\" && exit 1"
+    "test": "jest",
+    "test:verbose": "jest --verbose",
+    "test:coverage": "jest --coverage"
   },
   "repository": {
     "type": "git",
-    "url": "git+ssh://git@bitbucket.org:datamartcl/dm-serverless-tag-resources-plugin.git"
+    "url": "git+ssh://git@bitbucket.org/datamartcl/dm-serverless-tag-resources-plugin.git"
   },
   "keywords": [
     "serverless",
     "tags",
-    "stage",
     "plugin",
-    "tag",
     "aws",
     "resource",
-    "tagging"
+    "tagging",
+    "datamart",
+    "finops"
   ],
   "author": "Yunier Saborit <ysaborit@gmail.com>",
   "license": "ISC",
   "dependencies": {
-    "aws-sdk": "^2.864.0"
+    "@aws-sdk/client-apigatewayv2": "^3.700.0",
+    "@aws-sdk/client-cloudformation": "^3.700.0",
+    "@aws-sdk/client-ec2": "^3.700.0",
+    "@aws-sdk/client-firehose": "^3.700.0",
+    "@aws-sdk/client-pinpoint": "^3.700.0",
+    "@aws-sdk/client-rds": "^3.700.0",
+    "@aws-sdk/client-ssm": "^3.700.0"
+  },
+  "devDependencies": {
+    "jest": "^30.3.0"
   }
 }

package/src/aws-clients.js

@@ -0,0 +1,59 @@
+"use strict";
+
+/**
+ * AWS SDK v3 client factory.
+ * Lazily creates and caches clients per service+region.
+ */
+
+const clientCache = new Map();
+
+/**
+ * Get or create an AWS SDK v3 client.
+ *
+ * @param {Function} ClientClass - SDK v3 client constructor (e.g. CloudFormationClient)
+ * @param {object} config - { region, credentials }
+ * @returns {object} cached client instance
+ */
+function getClient(ClientClass, config) {
+  const key = `${ClientClass.name}:${config.region}`;
+  if (!clientCache.has(key)) {
+    clientCache.set(key, new ClientClass(config));
+  }
+  return clientCache.get(key);
+}
+
+/**
+ * Clear client cache (useful for testing).
+ */
+function clearClients() {
+  clientCache.clear();
+}
+
+/**
+ * Extract SDK v3 compatible config from Serverless provider.
+ *
+ * @param {object} awsProvider - serverless.getProvider('aws')
+ * @returns {object} { region, credentials }
+ */
+function configFromProvider(awsProvider) {
+  const region = awsProvider.getRegion();
+  const creds = awsProvider.getCredentials();
+
+  // Serverless v3 provides credentials in different formats
+  // depending on the provider. Normalize for SDK v3.
+  const config = { region };
+
+  if (creds.credentials) {
+    config.credentials = creds.credentials;
+  } else if (creds.accessKeyId) {
+    config.credentials = {
+      accessKeyId: creds.accessKeyId,
+      secretAccessKey: creds.secretAccessKey,
+      sessionToken: creds.sessionToken,
+    };
+  }
+
+  return config;
+}
+
+module.exports = { getClient, clearClients, configFromProvider };

package/src/post-deploy/apigatewayv2.js

@@ -0,0 +1,42 @@
+"use strict";
+
+const {
+  ApiGatewayV2Client,
+  TagResourceCommand,
+} = require("@aws-sdk/client-apigatewayv2");
+const { getClient } = require("../aws-clients");
+
+async function tagApiGatewayV2(config, resource, tagsMap, partition, region, allStackResources) {
+  const client = getClient(ApiGatewayV2Client, config);
+
+  switch (resource.ResourceType) {
+    case "AWS::ApiGatewayV2::Api": {
+      const arn = `arn:${partition}:apigateway:${region}::/apis/${resource.PhysicalResourceId}`;
+      await client.send(new TagResourceCommand({ ResourceArn: arn, Tags: tagsMap }));
+      break;
+    }
+    case "AWS::ApiGatewayV2::Stage": {
+      // Find the parent API in the same stack
+      const apiResource = allStackResources.find(
+        (r) => r.ResourceType === "AWS::ApiGatewayV2::Api"
+      );
+      if (apiResource) {
+        const arn = `arn:${partition}:apigateway:${region}::/apis/${apiResource.PhysicalResourceId}/stages/${resource.PhysicalResourceId}`;
+        await client.send(new TagResourceCommand({ ResourceArn: arn, Tags: tagsMap }));
+      }
+      break;
+    }
+    case "AWS::ApiGatewayV2::DomainName": {
+      const arn = `arn:${partition}:apigateway:${region}::/domainnames/${resource.PhysicalResourceId}`;
+      await client.send(new TagResourceCommand({ ResourceArn: arn, Tags: tagsMap }));
+      break;
+    }
+    case "AWS::ApiGatewayV2::VpcLink": {
+      const arn = `arn:${partition}:apigateway:${region}::/vpclinks/${resource.PhysicalResourceId}`;
+      await client.send(new TagResourceCommand({ ResourceArn: arn, Tags: tagsMap }));
+      break;
+    }
+  }
+}
+
+module.exports = { tagApiGatewayV2 };

package/src/post-deploy/ec2-related.js

@@ -0,0 +1,78 @@
+"use strict";
+
+const {
+  EC2Client,
+  DescribeInstancesCommand,
+  DescribeAddressesCommand,
+  CreateTagsCommand,
+} = require("@aws-sdk/client-ec2");
+const { getClient, } = require("../aws-clients");
+const { excludeAwsTags } = require("../tags");
+
+/**
+ * Tag EC2 instance related resources: EBS volumes, ENIs, EIPs, Security Groups.
+ */
+async function tagEC2RelatedResources(config, resource, tags) {
+  const client = getClient(EC2Client, config);
+
+  const describeResult = await client.send(
+    new DescribeInstancesCommand({
+      InstanceIds: [resource.PhysicalResourceId],
+    })
+  );
+
+  const resourceIds = [];
+
+  for (const reservation of describeResult.Reservations || []) {
+    const ownerId = reservation.OwnerId;
+
+    for (const instance of reservation.Instances || []) {
+      // EBS Volumes
+      for (const bdm of instance.BlockDeviceMappings || []) {
+        if (bdm.Ebs && bdm.Ebs.VolumeId) {
+          resourceIds.push(bdm.Ebs.VolumeId);
+        }
+      }
+
+      // Network Interfaces
+      for (const eni of instance.NetworkInterfaces || []) {
+        resourceIds.push(eni.NetworkInterfaceId);
+
+        // Elastic IPs (only if owned by same account)
+        if (eni.Association && eni.Association.IpOwnerId === ownerId) {
+          const eipResult = await client.send(
+            new DescribeAddressesCommand({
+              PublicIps: [eni.Association.PublicIp],
+            })
+          );
+          for (const addr of eipResult.Addresses || []) {
+            resourceIds.push(addr.AllocationId);
+          }
+        }
+
+        // Security Groups
+        for (const sg of eni.Groups || []) {
+          resourceIds.push(sg.GroupId);
+        }
+      }
+    }
+  }
+
+  if (resourceIds.length > 0) {
+    // Use existing instance tags (excluding aws: reserved) as base
+    const instanceTags =
+      describeResult.Reservations?.[0]?.Instances?.[0]?.Tags || [];
+    const filteredTags = excludeAwsTags(instanceTags);
+
+    await client.send(
+      new CreateTagsCommand({
+        Resources: resourceIds,
+        Tags: filteredTags.length > 0 ? filteredTags : tags,
+      })
+    );
+  }
+
+  return resourceIds;
+}
+
+module.exports = { tagEC2RelatedResources };

package/src/post-deploy/firehose.js

@@ -0,0 +1,20 @@
+"use strict";
+
+const {
+  FirehoseClient,
+  TagDeliveryStreamCommand,
+} = require("@aws-sdk/client-firehose");
+const { getClient } = require("../aws-clients");
+
+async function tagFirehoseStream(config, resource, tags) {
+  const client = getClient(FirehoseClient, config);
+
+  await client.send(
+    new TagDeliveryStreamCommand({
+      DeliveryStreamName: resource.PhysicalResourceId,
+      Tags: tags,
+    })
+  );
+}
+
+module.exports = { tagFirehoseStream };

package/src/post-deploy/pinpoint.js

@@ -0,0 +1,25 @@
+"use strict";
+
+const {
+  PinpointClient,
+  GetAppCommand,
+  TagResourceCommand,
+} = require("@aws-sdk/client-pinpoint");
+const { getClient } = require("../aws-clients");
+
+async function tagPinpointApp(config, resource, tagsMap) {
+  const client = getClient(PinpointClient, config);
+
+  const app = await client.send(
+    new GetAppCommand({ ApplicationId: resource.PhysicalResourceId })
+  );
+
+  await client.send(
+    new TagResourceCommand({
+      ResourceArn: app.ApplicationResponse.Arn,
+      TagsModel: { tags: tagsMap },
+    })
+  );
+}
+
+module.exports = { tagPinpointApp };

package/src/post-deploy/rds.js

@@ -0,0 +1,16 @@
+"use strict";
+
+const { RDSClient, AddTagsToResourceCommand } = require("@aws-sdk/client-rds");
+const { getClient } = require("../aws-clients");
+
+async function tagRDSCluster(config, resource, tags, partition, region) {
+  const client = getClient(RDSClient, config);
+  const accountId = resource.StackId.split(":")[4];
+  const arn = `arn:${partition}:rds:${region}:${accountId}:cluster:${resource.PhysicalResourceId}`;
+
+  await client.send(
+    new AddTagsToResourceCommand({ ResourceName: arn, Tags: tags })
+  );
+}
+
+module.exports = { tagRDSCluster };

package/src/post-deploy/ssm.js

@@ -0,0 +1,16 @@
+"use strict";
+
+const { SSMClient, AddTagsToResourceCommand } = require("@aws-sdk/client-ssm");
+const { getClient } = require("../aws-clients");
+
+async function tagSSMParameter(config, resource, tags) {
+  const client = getClient(SSMClient, config);
+  const command = new AddTagsToResourceCommand({
+    ResourceId: resource.PhysicalResourceId,
+    ResourceType: "Parameter",
+    Tags: tags,
+  });
+  await client.send(command);
+}
+
+module.exports = { tagSSMParameter };

package/src/post-deploy/untag.js

@@ -0,0 +1,97 @@
+"use strict";
+
+const {
+  ResourceGroupsTaggingAPIClient,
+  UntagResourcesCommand,
+} = require("@aws-sdk/client-resource-groups-tagging-api");
+const { getClient } = require("../aws-clients");
+
+/**
+ * Remove specific tags from all resources in a CloudFormation stack.
+ * Uses Resource Groups Tagging API for broad coverage across resource types.
+ *
+ * This is used to clean up tags injected by Serverless Framework (e.g., STAGE)
+ * that conflict with the datamart:* tagging policy.
+ */
+async function removeTagsFromStackResources(config, stackResources, tagKeysToRemove, partition, region, log) {
+  const taggingClient = getClient(ResourceGroupsTaggingAPIClient, config);
+
+  // Collect ARNs of all stack resources
+  const arns = [];
+  for (const resource of stackResources) {
+    const arn = buildArn(resource, partition, region);
+    if (arn) arns.push(arn);
+  }
+
+  if (arns.length === 0) {
+    log("TAGGING: No resources with ARNs to untag");
+    return;
+  }
+
+  // UntagResources accepts max 20 ARNs per call
+  const batchSize = 20;
+  let untagged = 0;
+
+  for (let i = 0; i < arns.length; i += batchSize) {
+    const batch = arns.slice(i, i + batchSize);
+    try {
+      await taggingClient.send(
+        new UntagResourcesCommand({
+          ResourceARNList: batch,
+          TagKeys: tagKeysToRemove,
+        })
+      );
+      untagged += batch.length;
+    } catch (err) {
+      // Some resource types don't support tagging API — skip gracefully
+      log(`TAGGING: WARN untag batch ${i}-${i + batch.length}: ${err.message}`);
+    }
+  }
+
+  log(`TAGGING: Removed [${tagKeysToRemove.join(", ")}] from ${untagged} resources`);
+}
+
+/**
+ * Build ARN from CloudFormation StackResource.
+ * Uses PhysicalResourceId which is usually the ARN or resource ID.
+ */
+function buildArn(resource, partition, region) {
+  const physicalId = resource.PhysicalResourceId;
+  if (!physicalId) return null;
+
+  // If it's already an ARN, use it directly
+  if (physicalId.startsWith("arn:")) return physicalId;
+
+  // For some resource types, we can construct the ARN
+  const accountId = extractAccountId(resource);
+  const type = resource.ResourceType;
+
+  const arnBuilders = {
+    "AWS::Lambda::Function": () =>
+      `arn:${partition}:lambda:${region}:${accountId}:function:${physicalId}`,
+    "AWS::SNS::Topic": () =>
+      `arn:${partition}:sns:${region}:${accountId}:${physicalId}`,
+    "AWS::SQS::Queue": () => null, // Queue URL, not name — skip
+    "AWS::Events::EventBus": () =>
+      `arn:${partition}:events:${region}:${accountId}:event-bus/${physicalId}`,
+    "AWS::Events::Rule": () => null, // Complex ARN — skip
+    "AWS::ApiGateway::RestApi": () =>
+      `arn:${partition}:apigateway:${region}::/restapis/${physicalId}`,
+    "AWS::Logs::LogGroup": () =>
+      `arn:${partition}:logs:${region}:${accountId}:log-group:${physicalId}`,
+  };
+
+  const builder = arnBuilders[type];
+  if (builder) return builder();
+
+  return null;
+}
+
+function extractAccountId(resource) {
+  // StackId contains the account ID
+  const stackId = resource.StackId || "";
+  const parts = stackId.split(":");
+  return parts.length >= 5 ? parts[4] : "";
+}
+
+module.exports = { removeTagsFromStackResources };

package/src/post-deploy-tagger.js

@@ -0,0 +1,102 @@
+"use strict";
+
+const {
+  CloudFormationClient,
+  DescribeStackResourcesCommand,
+} = require("@aws-sdk/client-cloudformation");
+const { getClient } = require("./aws-clients");
+const { buildListTags, buildDictTags, TAGS_TO_REMOVE } = require("./tags");
+const { needsPostDeployTagging, DICT_BASED_TYPES, API_ONLY_TYPES, RELATED_TYPES } = require("./resource-classifier");
+const { removeTagsFromStackResources } = require("./post-deploy/untag");
+
+const { tagSSMParameter } = require("./post-deploy/ssm");
+const { tagPinpointApp } = require("./post-deploy/pinpoint");
+const { tagApiGatewayV2 } = require("./post-deploy/apigatewayv2");
+const { tagRDSCluster } = require("./post-deploy/rds");
+const { tagFirehoseStream } = require("./post-deploy/firehose");
+const { tagEC2RelatedResources } = require("./post-deploy/ec2-related");
+
+/**
+ * Post-Deploy Tagger — Hook: after:deploy:deploy
+ *
+ * Tags resources that cannot be fully tagged in the CF template:
+ * dict-based, API-only, and related resources.
+ */
+async function updateTagsPostDeploy(config, stackName, stackTags, stage, partition, region, log) {
+  const cfnClient = getClient(CloudFormationClient, config);
+
+  const result = await cfnClient.send(
+    new DescribeStackResourcesCommand({ StackName: stackName })
+  );
+
+  const allResources = result.StackResources || [];
+
+  for (const resource of allResources) {
+    const type = resource.ResourceType;
+    if (!needsPostDeployTagging(type)) continue;
+
+    const logicalId = resource.LogicalResourceId;
+    const listTags = buildListTags(stackTags, stage, logicalId);
+    const dictTags = buildDictTags(stackTags, stage, logicalId);
+
+    try {
+      // Dict-based types: need API call because CF template tagging
+      // may not fully propagate for some of these types
+      if (DICT_BASED_TYPES.has(type)) {
+        switch (type) {
+          case "AWS::SSM::Parameter":
+            await tagSSMParameter(config, resource, listTags);
+            log(`TAGGING: post-deploy SSM Parameter ${logicalId}`);
+            break;
+          case "AWS::Pinpoint::App":
+            await tagPinpointApp(config, resource, dictTags);
+            log(`TAGGING: post-deploy Pinpoint App ${logicalId}`);
+            break;
+          case "AWS::ApiGatewayV2::Api":
+          case "AWS::ApiGatewayV2::Stage":
+          case "AWS::ApiGatewayV2::DomainName":
+          case "AWS::ApiGatewayV2::VpcLink":
+            await tagApiGatewayV2(config, resource, dictTags, partition, region, allResources);
+            log(`TAGGING: post-deploy ${type} ${logicalId}`);
+            break;
+          // Glue and Batch are tagged in template (dict-based), no post-deploy needed
+        }
+      }
+
+      // API-only types: not tagged in template at all
+      if (API_ONLY_TYPES.has(type)) {
+        switch (type) {
+          case "AWS::RDS::DBCluster":
+            await tagRDSCluster(config, resource, listTags, partition, region);
+            log(`TAGGING: post-deploy RDS Cluster ${logicalId}`);
+            break;
+          case "AWS::KinesisFirehose::DeliveryStream":
+            await tagFirehoseStream(config, resource, listTags);
+            log(`TAGGING: post-deploy Firehose ${logicalId}`);
+            break;
+        }
+      }
+
+      // Related types: tag associated resources (volumes, ENIs, etc.)
+      if (RELATED_TYPES.has(type)) {
+        switch (type) {
+          case "AWS::EC2::Instance": {
+            const relatedIds = await tagEC2RelatedResources(config, resource, listTags);
+            log(`TAGGING: post-deploy EC2 related resources for ${logicalId}: ${relatedIds.length} resources`);
+            break;
+          }
+        }
+      }
+    } catch (err) {
+      log(`TAGGING: ERROR post-deploy ${type} ${logicalId}: ${err.message}`);
+    }
+  }
+
+  // Remove unwanted tags injected by SFW (STAGE)
+  if (TAGS_TO_REMOVE.length > 0) {
+    log(`TAGGING: Removing unwanted tags: ${TAGS_TO_REMOVE.join(", ")}`);
+    await removeTagsFromStackResources(config, allResources, TAGS_TO_REMOVE, partition, region, log);
+  }
+}
+
+module.exports = { updateTagsPostDeploy };