serverless-tag-resources 3.1.0 → 3.1.2

package/index.js

@@ -2,8 +2,10 @@
 
 const { tagResources } = require("./src/template-tagger");
 const { updateTagsPostDeploy } = require("./src/post-deploy-tagger");
+const { removeUnwantedTags } = require("./src/post-deploy/untag");
 const { validateTags } = require("./src/validation");
 const { configFromProvider } = require("./src/aws-clients");
+const { TAGS_TO_REMOVE } = require("./src/tags");
 
 class TagResourcesServerlessPlugin {
   constructor(serverless, options) {
@@ -77,6 +79,7 @@ class TagResourcesServerlessPlugin {
     const awsProvider = this.serverless.getProvider("aws");
     const stackName = awsProvider.naming.getStackName();
 
+    // Phase 1: Tag resources that CF doesn't cover natively
     await updateTagsPostDeploy(
       this.awsConfig,
       stackName,
@@ -87,6 +90,16 @@ class TagResourcesServerlessPlugin {
       this._log.bind(this)
     );
 
+    // Phase 2: Remove unwanted tags (STAGE injected by SFW)
+    if (TAGS_TO_REMOVE.length > 0) {
+      await removeUnwantedTags(
+        this.awsConfig,
+        stackName,
+        TAGS_TO_REMOVE,
+        this._log.bind(this)
+      );
+    }
+
     this._log("TAGGING: Post-deploy tagging complete");
   }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "serverless-tag-resources",
-  "version": "3.1.0",
+  "version": "3.1.2",
   "description": "Datamart: Tag all AWS resources with dual legacy + datamart:* tag support",
   "main": "index.js",
   "files": [
@@ -35,7 +35,8 @@
     "@aws-sdk/client-firehose": "^3.700.0",
     "@aws-sdk/client-pinpoint": "^3.700.0",
     "@aws-sdk/client-rds": "^3.700.0",
-    "@aws-sdk/client-ssm": "^3.700.0"
+    "@aws-sdk/client-ssm": "^3.700.0",
+    "@aws-sdk/client-resource-groups-tagging-api": "^3.700.0"
   },
   "devDependencies": {
     "jest": "^30.3.0"

package/src/post-deploy/untag.js

@@ -4,94 +4,126 @@ const {
   ResourceGroupsTaggingAPIClient,
   UntagResourcesCommand,
 } = require("@aws-sdk/client-resource-groups-tagging-api");
+const {
+  CloudFormationClient,
+  DescribeStacksCommand,
+  DescribeStackResourcesCommand,
+} = require("@aws-sdk/client-cloudformation");
 const { getClient } = require("../aws-clients");
+const { SKIP_TYPES } = require("../resource-classifier");
 
 /**
- * Remove specific tags from all resources in a CloudFormation stack.
- * Uses Resource Groups Tagging API for broad coverage across resource types.
+ * Remove unwanted tags from the stack itself and all its resources.
+ * Uses Resource Groups Tagging API (UntagResources) which works on
+ * both CF stacks and individual resources.
  *
- * This is used to clean up tags injected by Serverless Framework (e.g., STAGE)
- * that conflict with the datamart:* tagging policy.
+ * No UpdateStack — only tag removal, zero infrastructure changes.
  */
-async function removeTagsFromStackResources(config, stackResources, tagKeysToRemove, partition, region, log) {
+async function removeUnwantedTags(config, stackName, tagKeysToRemove, log) {
+  const cfnClient = getClient(CloudFormationClient, config);
   const taggingClient = getClient(ResourceGroupsTaggingAPIClient, config);
 
-  // Collect ARNs of all stack resources
   const arns = [];
-  for (const resource of stackResources) {
-    const arn = buildArn(resource, partition, region);
-    if (arn) arns.push(arn);
-  }
 
-  if (arns.length === 0) {
-    log("TAGGING: No resources with ARNs to untag");
-    return;
+  // 1. Get stack ARN
+  const stackResult = await cfnClient.send(
+    new DescribeStacksCommand({ StackName: stackName })
+  );
+  const stackArn = stackResult.Stacks?.[0]?.StackId;
+  if (stackArn) arns.push(stackArn);
+
+  // 2. Get resource ARNs (deduplicated, excluding types that don't support tags)
+  const seen = new Set();
+  const resourceResult = await cfnClient.send(
+    new DescribeStackResourcesCommand({ StackName: stackName })
+  );
+  for (const resource of resourceResult.StackResources || []) {
+    if (SKIP_TYPES.has(resource.ResourceType)) continue;
+    const arn = resolveArn(resource);
+    if (arn && !seen.has(arn)) {
+      seen.add(arn);
+      arns.push(arn);
+    }
   }
 
+  if (arns.length === 0) return;
+
   // UntagResources accepts max 20 ARNs per call
   const batchSize = 20;
   let untagged = 0;
+  let skipped = 0;
 
   for (let i = 0; i < arns.length; i += batchSize) {
     const batch = arns.slice(i, i + batchSize);
     try {
-      await taggingClient.send(
+      const result = await taggingClient.send(
         new UntagResourcesCommand({
           ResourceARNList: batch,
           TagKeys: tagKeysToRemove,
         })
       );
-      untagged += batch.length;
+      const failedMap = result.FailedResourcesMap || {};
+      const failures = Object.keys(failedMap).length;
+      untagged += batch.length - failures;
+      skipped += failures;
     } catch (err) {
-      // Some resource types don't support tagging API — skip gracefully
-      log(`TAGGING: WARN untag batch ${i}-${i + batch.length}: ${err.message}`);
+      skipped += batch.length;
     }
   }
 
-  log(`TAGGING: Removed [${tagKeysToRemove.join(", ")}] from ${untagged} resources`);
+  log(`TAGGING: Removed [${tagKeysToRemove.join(", ")}] from ${untagged} resources (${skipped} skipped)`);
 }
 
 /**
- * Build ARN from CloudFormation StackResource.
- * Uses PhysicalResourceId which is usually the ARN or resource ID.
+ * Resolve the ARN of a stack resource.
+ * PhysicalResourceId is sometimes the ARN, sometimes just the name/ID.
  */
-function buildArn(resource, partition, region) {
+function resolveArn(resource) {
   const physicalId = resource.PhysicalResourceId;
   if (!physicalId) return null;
 
-  // If it's already an ARN, use it directly
+  // Already an ARN
   if (physicalId.startsWith("arn:")) return physicalId;
 
-  // For some resource types, we can construct the ARN
-  const accountId = extractAccountId(resource);
-  const type = resource.ResourceType;
+  // Extract account from stack ARN
+  const stackId = resource.StackId || "";
+  const parts = stackId.split(":");
+  if (parts.length < 5) return null;
+  const partition = parts[1];
+  const region = parts[3];
+  const account = parts[4];
 
-  const arnBuilders = {
+  // Build ARN by resource type
+  const type = resource.ResourceType;
+  const builders = {
     "AWS::Lambda::Function": () =>
-      `arn:${partition}:lambda:${region}:${accountId}:function:${physicalId}`,
+      `arn:${partition}:lambda:${region}:${account}:function:${physicalId}`,
     "AWS::SNS::Topic": () =>
-      `arn:${partition}:sns:${region}:${accountId}:${physicalId}`,
-    "AWS::SQS::Queue": () => null, // Queue URL, not name — skip
+      `arn:${partition}:sns:${region}:${account}:${physicalId}`,
     "AWS::Events::EventBus": () =>
-      `arn:${partition}:events:${region}:${accountId}:event-bus/${physicalId}`,
-    "AWS::Events::Rule": () => null, // Complex ARN — skip
+      `arn:${partition}:events:${region}:${account}:event-bus/${physicalId}`,
+    "AWS::Events::Rule": () =>
+      `arn:${partition}:events:${region}:${account}:rule/${physicalId}`,
+    "AWS::Logs::LogGroup": () =>
+      `arn:${partition}:logs:${region}:${account}:log-group:${physicalId}`,
+    "AWS::IAM::Role": () =>
+      `arn:${partition}:iam::${account}:role/${physicalId}`,
+    "AWS::S3::Bucket": () =>
+      `arn:${partition}:s3:::${physicalId}`,
+    "AWS::SSM::Parameter": () =>
+      `arn:${partition}:ssm:${region}:${account}:parameter${physicalId.startsWith("/") ? "" : "/"}${physicalId}`,
+    "AWS::KMS::Key": () =>
+      `arn:${partition}:kms:${region}:${account}:key/${physicalId}`,
+    "AWS::CodeBuild::Project": () =>
+      `arn:${partition}:codebuild:${region}:${account}:project/${physicalId}`,
     "AWS::ApiGateway::RestApi": () =>
       `arn:${partition}:apigateway:${region}::/restapis/${physicalId}`,
-    "AWS::Logs::LogGroup": () =>
-      `arn:${partition}:logs:${region}:${accountId}:log-group:${physicalId}`,
+    "AWS::WAFv2::WebACL": () =>
+      `arn:${partition}:wafv2:${region}:${account}:regional/webacl/${physicalId}`,
   };
 
-  const builder = arnBuilders[type];
-  if (builder) return builder();
-
-  return null;
-}
-
-function extractAccountId(resource) {
-  // StackId contains the account ID
-  const stackId = resource.StackId || "";
-  const parts = stackId.split(":");
-  return parts.length >= 5 ? parts[4] : "";
+  const builder = builders[type];
+  return builder ? builder() : null;
 }
 
-module.exports = { removeTagsFromStackResources };
+module.exports = { removeUnwantedTags };

package/src/post-deploy-tagger.js

@@ -5,9 +5,8 @@ const {
   DescribeStackResourcesCommand,
 } = require("@aws-sdk/client-cloudformation");
 const { getClient } = require("./aws-clients");
-const { buildListTags, buildDictTags, TAGS_TO_REMOVE } = require("./tags");
+const { buildListTags, buildDictTags } = require("./tags");
 const { needsPostDeployTagging, DICT_BASED_TYPES, API_ONLY_TYPES, RELATED_TYPES } = require("./resource-classifier");
-const { removeTagsFromStackResources } = require("./post-deploy/untag");
 
 const { tagSSMParameter } = require("./post-deploy/ssm");
 const { tagPinpointApp } = require("./post-deploy/pinpoint");
@@ -92,11 +91,6 @@ async function updateTagsPostDeploy(config, stackName, stackTags, stage, partiti
     }
   }
 
-  // Remove unwanted tags injected by SFW (STAGE)
-  if (TAGS_TO_REMOVE.length > 0) {
-    log(`TAGGING: Removing unwanted tags: ${TAGS_TO_REMOVE.join(", ")}`);
-    await removeTagsFromStackResources(config, allResources, TAGS_TO_REMOVE, partition, region, log);
-  }
 }
 
 module.exports = { updateTagsPostDeploy };

package/src/resource-classifier.js

@@ -264,6 +264,7 @@ const SKIP_TYPES = new Set([
   // Glue
   "AWS::Glue::Database",
   "AWS::Glue::Classifier",
+  "AWS::Glue::Crawler",
   "AWS::Glue::Connection",
   "AWS::Glue::DataCatalogEncryptionSettings",
   "AWS::Glue::Partition",