cloudwire 0.2.0__tar.gz → 0.2.2__tar.gz

{cloudwire-0.2.0 → cloudwire-0.2.2}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cloudwire
-Version: 0.2.0
+Version: 0.2.2
 Summary: Scan and visualize your AWS infrastructure as an interactive graph
 License-Expression: MIT
 Project-URL: Homepage, https://github.com/hisingh_gwre/cloudwire
@@ -16,6 +16,7 @@ Classifier: Programming Language :: Python :: 3.9
 Classifier: Programming Language :: Python :: 3.10
 Classifier: Programming Language :: Python :: 3.11
 Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
 Classifier: Topic :: Internet :: WWW/HTTP
 Classifier: Topic :: System :: Systems Administration
 Requires-Python: >=3.9
@@ -24,15 +25,15 @@ Provides-Extra: dev
 Requires-Dist: twine; extra == "dev"
 Requires-Dist: build; extra == "dev"
 Provides-Extra: dependencies
-Requires-Dist: fastapi>=0.115; extra == "dependencies"
-Requires-Dist: uvicorn[standard]>=0.34; extra == "dependencies"
-Requires-Dist: boto3>=1.37; extra == "dependencies"
-Requires-Dist: botocore>=1.37; extra == "dependencies"
-Requires-Dist: networkx>=3.4; extra == "dependencies"
-Requires-Dist: pydantic>=2.11; extra == "dependencies"
-Requires-Dist: click>=8.1; extra == "dependencies"
+Requires-Dist: fastapi>=0.100; extra == "dependencies"
+Requires-Dist: uvicorn>=0.20; extra == "dependencies"
+Requires-Dist: boto3>=1.26; extra == "dependencies"
+Requires-Dist: botocore>=1.29; extra == "dependencies"
+Requires-Dist: networkx>=2.6; extra == "dependencies"
+Requires-Dist: pydantic>=2.0; extra == "dependencies"
+Requires-Dist: click>=8.0; extra == "dependencies"
 
-# cloudwire
+# Cloudwire
 
 Scan your AWS account and visualize resource dependencies as an interactive graph — directly in your browser, running entirely on your local machine.
 
@@ -55,11 +56,13 @@ That's it. The browser opens automatically at `http://localhost:8080`.
 
 ## What it looks like
 
-- Dark hacker-aesthetic graph canvas
-- Nodes represent AWS resources — Lambda functions, SQS queues, API Gateways, RDS instances, S3 buckets, and more
-- Edges represent relationships and data flow between resources
-- Click any node to inspect its attributes and connected resources
-- Search, filter by service, highlight upstream/downstream blast radius
+- Dark hacker-aesthetic graph canvas with animated data flow
+- 24 AWS services with dedicated icons, colors, and role badges
+- Edges represent real relationships — API integrations, event triggers, IAM policy inference, env var references
+- Sequential left-to-right flow layout with START/END badges showing where data enters and exits
+- Click any node to inspect its attributes, incoming/outgoing edges, and resource-specific tooltip
+- Search, filter by service, highlight upstream/downstream blast radius, find shortest path
+- Permission errors surfaced clearly — see exactly which IAM policies are missing
 
 ---
 
@@ -67,24 +70,29 @@ That's it. The browser opens automatically at `http://localhost:8080`.
 
 | Service | Scanner |
 |---------|---------|
-| API Gateway | Dedicated |
-| Lambda | Dedicated (with state) |
-| SQS | Dedicated |
-| SNS | Dedicated |
-| EventBridge | Dedicated |
-| DynamoDB | Dedicated (with state) |
-| EC2 | Dedicated (with state) |
-| ECS | Dedicated |
-| S3 | Dedicated |
-| RDS | Dedicated (with state) |
+| API Gateway | Dedicated — REST + HTTP APIs, multi-service integrations, Cognito authorizers |
+| Lambda | Dedicated — functions, event source mappings, env var references, IAM policy inference |
+| SQS | Dedicated — queues, attributes, dead letter queue edges |
+| SNS | Dedicated — topics and subscriptions |
+| EventBridge | Dedicated — rules and targets |
+| DynamoDB | Dedicated — tables, streams, global table replicas |
+| EC2 | Dedicated — instances, VPC, subnet, security group, instance profile edges |
+| ECS | Dedicated — clusters, services, task definitions, load balancer edges |
+| S3 | Dedicated — buckets and Lambda notification edges |
+| RDS | Dedicated — DB instances and clusters |
 | Step Functions | Dedicated |
 | Kinesis | Dedicated |
-| IAM | Dedicated |
-| Cognito | Dedicated |
-| CloudFront | Dedicated (with state) |
-| ElastiCache | Dedicated (with state) |
-| Glue | Dedicated |
-| AppSync | Dedicated |
+| IAM | Dedicated — roles with full policy resolution |
+| Cognito | Dedicated — user pools |
+| CloudFront | Dedicated — distributions, S3/API GW/ELB origins, Lambda@Edge |
+| Route 53 | Dedicated — hosted zones, record sets, alias target edges |
+| ElastiCache | Dedicated — cache clusters |
+| Redshift | Dedicated — clusters |
+| Glue | Dedicated — jobs, crawlers, triggers |
+| AppSync | Dedicated — GraphQL APIs |
+| Secrets Manager | Dedicated |
+| KMS | Dedicated |
+| ELB | Discovered via CloudFront, Route 53, ECS edges |
 | Everything else | Generic (tagged resources only) |
 
 ---

{cloudwire-0.2.0 → cloudwire-0.2.2}/README.md

@@ -1,4 +1,4 @@
-# cloudwire
+# Cloudwire
 
 Scan your AWS account and visualize resource dependencies as an interactive graph — directly in your browser, running entirely on your local machine.
 
@@ -21,11 +21,13 @@ That's it. The browser opens automatically at `http://localhost:8080`.
 
 ## What it looks like
 
-- Dark hacker-aesthetic graph canvas
-- Nodes represent AWS resources — Lambda functions, SQS queues, API Gateways, RDS instances, S3 buckets, and more
-- Edges represent relationships and data flow between resources
-- Click any node to inspect its attributes and connected resources
-- Search, filter by service, highlight upstream/downstream blast radius
+- Dark hacker-aesthetic graph canvas with animated data flow
+- 24 AWS services with dedicated icons, colors, and role badges
+- Edges represent real relationships — API integrations, event triggers, IAM policy inference, env var references
+- Sequential left-to-right flow layout with START/END badges showing where data enters and exits
+- Click any node to inspect its attributes, incoming/outgoing edges, and resource-specific tooltip
+- Search, filter by service, highlight upstream/downstream blast radius, find shortest path
+- Permission errors surfaced clearly — see exactly which IAM policies are missing
 
 ---
 
@@ -33,24 +35,29 @@ That's it. The browser opens automatically at `http://localhost:8080`.
 
 | Service | Scanner |
 |---------|---------|
-| API Gateway | Dedicated |
-| Lambda | Dedicated (with state) |
-| SQS | Dedicated |
-| SNS | Dedicated |
-| EventBridge | Dedicated |
-| DynamoDB | Dedicated (with state) |
-| EC2 | Dedicated (with state) |
-| ECS | Dedicated |
-| S3 | Dedicated |
-| RDS | Dedicated (with state) |
+| API Gateway | Dedicated — REST + HTTP APIs, multi-service integrations, Cognito authorizers |
+| Lambda | Dedicated — functions, event source mappings, env var references, IAM policy inference |
+| SQS | Dedicated — queues, attributes, dead letter queue edges |
+| SNS | Dedicated — topics and subscriptions |
+| EventBridge | Dedicated — rules and targets |
+| DynamoDB | Dedicated — tables, streams, global table replicas |
+| EC2 | Dedicated — instances, VPC, subnet, security group, instance profile edges |
+| ECS | Dedicated — clusters, services, task definitions, load balancer edges |
+| S3 | Dedicated — buckets and Lambda notification edges |
+| RDS | Dedicated — DB instances and clusters |
 | Step Functions | Dedicated |
 | Kinesis | Dedicated |
-| IAM | Dedicated |
-| Cognito | Dedicated |
-| CloudFront | Dedicated (with state) |
-| ElastiCache | Dedicated (with state) |
-| Glue | Dedicated |
-| AppSync | Dedicated |
+| IAM | Dedicated — roles with full policy resolution |
+| Cognito | Dedicated — user pools |
+| CloudFront | Dedicated — distributions, S3/API GW/ELB origins, Lambda@Edge |
+| Route 53 | Dedicated — hosted zones, record sets, alias target edges |
+| ElastiCache | Dedicated — cache clusters |
+| Redshift | Dedicated — clusters |
+| Glue | Dedicated — jobs, crawlers, triggers |
+| AppSync | Dedicated — GraphQL APIs |
+| Secrets Manager | Dedicated |
+| KMS | Dedicated |
+| ELB | Discovered via CloudFront, Route 53, ECS edges |
 | Everything else | Generic (tagged resources only) |
 
 ---

{cloudwire-0.2.0 → cloudwire-0.2.2}/cloudwire/__init__.py

@@ -1,3 +1,3 @@
 """CloudWire — scan and visualize your AWS infrastructure."""
 
-__version__ = "0.2.0"
+__version__ = "0.2.2"

cloudwire-0.2.2/cloudwire/app/graph_store.py

@@ -0,0 +1,172 @@
+from __future__ import annotations
+
+from datetime import datetime, timezone
+from threading import Lock
+from typing import Any, Dict, List, Set
+
+import networkx as nx
+
+
+class GraphStore:
+    def __init__(self) -> None:
+        self.graph = nx.DiGraph()
+        self.metadata: Dict[str, Any] = {
+            "last_scan_at": None,
+            "region": None,
+            "scanned_services": [],
+            "warnings": [],
+        }
+        self._lock = Lock()
+
+    def reset(self, *, region: str, services: List[str]) -> None:
+        with self._lock:
+            self.graph = nx.DiGraph()
+            self.metadata = {
+                "last_scan_at": datetime.now(timezone.utc).isoformat(),
+                "region": region,
+                "scanned_services": services,
+                "warnings": [],
+            }
+
+    def add_warning(self, warning: str) -> None:
+        with self._lock:
+            self.metadata.setdefault("warnings", []).append(warning)
+
+    def update_metadata(self, **kwargs: Any) -> None:
+        with self._lock:
+            self.metadata.update(kwargs)
+
+    def add_node(self, node_id: str, **attrs: Any) -> None:
+        with self._lock:
+            current = self.graph.nodes[node_id] if self.graph.has_node(node_id) else {}
+            merged = {**current, **attrs}
+            merged["id"] = node_id
+            self.graph.add_node(node_id, **merged)
+
+    def add_edge(self, source: str, target: str, **attrs: Any) -> None:
+        with self._lock:
+            current = self.graph.get_edge_data(source, target, default={})
+            merged = {**current, **attrs}
+            self.graph.add_edge(source, target, **merged)
+
+    def _serialize_node(self, node_id: str, attrs: Dict[str, Any]) -> Dict[str, Any]:
+        payload = {"id": node_id}
+        payload.update(attrs)
+        return payload
+
+    def _serialize_edge(self, source: str, target: str, attrs: Dict[str, Any]) -> Dict[str, Any]:
+        payload = {"id": f"{source}\u2192{target}", "source": source, "target": target}
+        payload.update(attrs)
+        return payload
+
+    def get_graph_payload(self) -> Dict[str, Any]:
+        with self._lock:
+            nodes = [self._serialize_node(node_id, attrs) for node_id, attrs in self.graph.nodes(data=True)]
+            edges = [
+                self._serialize_edge(source, target, attrs)
+                for source, target, attrs in self.graph.edges(data=True)
+            ]
+            metadata = dict(self.metadata)
+            metadata["node_count"] = len(nodes)
+            metadata["edge_count"] = len(edges)
+            return {"nodes": nodes, "edges": edges, "metadata": metadata}
+
+    def _node_matches_arns(self, node_id: str, attrs: Dict[str, Any], allowed_arns: Set[str]) -> bool:
+        """Check if a node matches any of the allowed ARNs.
+
+        Tries multiple fields since scanners are inconsistent about ARN storage:
+          1. 'real_arn' attribute (set by _fetch_and_apply_tags — always a proper ARN)
+          2. 'arn' attribute directly
+          3. The embedded ARN in node_id (format 'service:arn')
+        Returns False for nodes without any ARN-like attribute (synthetic/connector nodes).
+        """
+        real_arn = attrs.get("real_arn")
+        if real_arn and real_arn in allowed_arns:
+            return True
+        node_arn = attrs.get("arn")
+        if node_arn and node_arn in allowed_arns:
+            return True
+        arn_in_id = node_id.split(":", 1)[1] if ":" in node_id else ""
+        if arn_in_id in allowed_arns:
+            return True
+        return False
+
+    def filter_by_arns(self, allowed_arns: Set[str]) -> int:
+        """Remove nodes that don't match the allowed ARNs, preserving neighbors.
+
+        Keeps:
+          - Nodes whose ARN matches the allowed set (the "seed" nodes)
+          - Direct neighbors of seed nodes (1-hop) so connected context is visible
+          - VPC infrastructure ancestors of kept nodes (so VPC containers, IGWs,
+            route tables, and Internet anchor nodes remain for topology context)
+          - Nodes without any ARN-like attribute (synthetic/connector nodes)
+        Returns the number of nodes removed.
+        """
+        with self._lock:
+            # Phase 1: identify seed nodes (directly matched by ARN)
+            seed_ids: Set[str] = set()
+            no_arn_ids: Set[str] = set()
+            for node_id, attrs in self.graph.nodes(data=True):
+                if self._node_matches_arns(node_id, attrs, allowed_arns):
+                    seed_ids.add(node_id)
+                elif not attrs.get("real_arn") and not attrs.get("arn"):
+                    no_arn_ids.add(node_id)
+
+            # Phase 2: expand to direct neighbors of seeds (1-hop)
+            keep_ids = set(seed_ids) | no_arn_ids
+            for seed_id in seed_ids:
+                for neighbor in self.graph.predecessors(seed_id):
+                    keep_ids.add(neighbor)
+                for neighbor in self.graph.successors(seed_id):
+                    keep_ids.add(neighbor)
+
+            # Phase 3: walk VPC infrastructure ancestors so topology context
+            # (VPC → subnet → resource, IGW → VPC, RTB → subnet) stays intact.
+            # For any kept VPC infra node, also keep its predecessors/successors
+            # that are VPC infra, up the containment chain.
+            vpc_frontier = [
+                nid for nid in keep_ids
+                if self.graph.nodes[nid].get("service") == "vpc"
+            ]
+            visited = set(vpc_frontier)
+            while vpc_frontier:
+                nid = vpc_frontier.pop()
+                for neighbor in self.graph.predecessors(nid):
+                    if neighbor not in keep_ids and neighbor not in visited:
+                        attrs = self.graph.nodes[neighbor]
+                        if attrs.get("service") == "vpc":
+                            keep_ids.add(neighbor)
+                            visited.add(neighbor)
+                            vpc_frontier.append(neighbor)
+                for neighbor in self.graph.successors(nid):
+                    if neighbor not in keep_ids and neighbor not in visited:
+                        attrs = self.graph.nodes[neighbor]
+                        if attrs.get("service") == "vpc":
+                            keep_ids.add(neighbor)
+                            visited.add(neighbor)
+                            vpc_frontier.append(neighbor)
+
+            # Phase 4: remove everything else
+            nodes_to_remove = [
+                node_id for node_id in self.graph.nodes()
+                if node_id not in keep_ids
+            ]
+            for node_id in nodes_to_remove:
+                self.graph.remove_node(node_id)
+            return len(nodes_to_remove)
+
+    def get_resource_payload(self, resource_id: str) -> Dict[str, Any]:
+        with self._lock:
+            if not self.graph.has_node(resource_id):
+                raise KeyError(resource_id)
+
+            node = self._serialize_node(resource_id, dict(self.graph.nodes[resource_id]))
+            incoming = [
+                self._serialize_edge(source, resource_id, dict(attrs))
+                for source, _, attrs in self.graph.in_edges(resource_id, data=True)
+            ]
+            outgoing = [
+                self._serialize_edge(resource_id, target, dict(attrs))
+                for _, target, attrs in self.graph.out_edges(resource_id, data=True)
+            ]
+            return {"node": node, "incoming": incoming, "outgoing": outgoing}

{cloudwire-0.2.0 → cloudwire-0.2.2}/cloudwire/app/main.py

@@ -23,12 +23,17 @@ from fastapi.responses import FileResponse, JSONResponse
 from fastapi.staticfiles import StaticFiles
 
 from .models import (
+    _REGION_RE,
     APIErrorResponse,
     GraphResponse,
     ResourceResponse,
     ScanJobCreateResponse,
     ScanJobStatusResponse,
     ScanRequest,
+    TagKeysResponse,
+    TagResourcesResponse,
+    TagValuesResponse,
+    normalize_service_name,
 )
 from .scan_jobs import ScanJobStore
 from .scanner import AWSGraphScanner, ScanCancelledError, ScanExecutionOptions
@@ -68,15 +73,9 @@ def _error_payload(code: str, message: str, details: Optional[Any] = None) -> Di
 
 
 def _normalize_services(services: List[str]) -> List[str]:
-    aliases = {
-        "api-gateway": "apigateway",
-        "apigw": "apigateway",
-        "event-bridge": "eventbridge",
-        "events": "eventbridge",
-    }
     normalized = []
     for service in services:
-        key = aliases.get(service.lower().strip(), service.lower().strip())
+        key = normalize_service_name(service)
         if key and key not in normalized:
             normalized.append(key)
     return normalized
@@ -225,6 +224,40 @@ async def unexpected_exception_handler(_: Request, exc: Exception) -> JSONRespon
     )
 
 
+# ---------------------------------------------------------------------------
+# Tag discovery helper
+# ---------------------------------------------------------------------------
+
+def _tagging_client(region: str):
+    session = boto3.session.Session(region_name=region)
+    return session.client(
+        "resourcegroupstaggingapi",
+        config=Config(
+            retries={"mode": "adaptive", "max_attempts": 10},
+            max_pool_connections=8,
+            connect_timeout=3,
+            read_timeout=10,
+        ),
+    )
+
+
+def _validate_region(region: str) -> str:
+    cleaned = region.strip()
+    if not cleaned or not _REGION_RE.match(cleaned):
+        raise APIError(
+            status_code=422,
+            code="validation_error",
+            message=f"'{cleaned}' is not a valid AWS region identifier (e.g. us-east-1)",
+        )
+    return cleaned
+
+
+def _service_from_arn(arn: str) -> str:
+    parts = arn.split(":")
+    service = parts[2] if len(parts) > 2 else ""
+    return service if service else ""
+
+
 # ---------------------------------------------------------------------------
 # Scan runner (background thread)
 # ---------------------------------------------------------------------------
@@ -236,6 +269,7 @@ def _run_scan_job(
     services: List[str],
     account_id: str,
     options: ScanExecutionOptions,
+    tag_arns: Optional[List[str]] = None,
 ) -> None:
     job_store.mark_running(job_id)
     if job_store.is_cancel_requested(job_id):
@@ -264,6 +298,12 @@ def _run_scan_job(
         if job_store.is_cancel_requested(job_id):
             job_store.mark_cancelled(job_id)
             return
+        # Post-scan ARN filtering for tag-based scans
+        if tag_arns:
+            allowed = set(tag_arns)
+            removed = job.graph_store.filter_by_arns(allowed)
+            if removed:
+                job.graph_store.add_warning(f"Tag filter removed {removed} resource(s) not matching selected tags or their neighbors.")
         job_store.mark_completed(job_id, ttl_seconds=_cache_ttl_seconds(options.mode))
     except ScanCancelledError:
         job.graph_store.add_warning("Scan cancelled by user request.")
@@ -326,6 +366,8 @@ def create_scan_job(payload: ScanRequest) -> Dict[str, Any]:
     options = _resolve_scan_options(payload)
     account_id = _resolve_account_id(payload.region)
 
+    tag_arns = payload.tag_arns
+
     cache_key = ScanJobStore.build_cache_key(
         account_id=account_id,
         region=payload.region,
@@ -333,6 +375,7 @@ def create_scan_job(payload: ScanRequest) -> Dict[str, Any]:
         mode=options.mode,
         include_iam_inference=options.include_iam_inference,
         include_resource_describes=options.include_resource_describes,
+        tag_arns=tag_arns,
     )
     reusable_job_id, cached = job_store.find_reusable_job(
         cache_key=cache_key,
@@ -357,6 +400,8 @@ def create_scan_job(payload: ScanRequest) -> Dict[str, Any]:
         include_iam_inference=options.include_iam_inference,
         include_resource_describes=options.include_resource_describes,
     )
+    # Capture tag_arns in local scope for the lambda closure
+    _tag_arns = tag_arns
     job_store.submit_job(
         job.id,
         lambda: _run_scan_job(
@@ -365,6 +410,7 @@ def create_scan_job(payload: ScanRequest) -> Dict[str, Any]:
             services=services,
             account_id=account_id,
             options=options,
+            tag_arns=_tag_arns,
         ),
     )
     return {
@@ -429,6 +475,148 @@ def stop_scan_job(job_id: str) -> Dict[str, Any]:
         ) from exc
 
 
+# ---------------------------------------------------------------------------
+# Tag discovery endpoints
+# ---------------------------------------------------------------------------
+
+def _handle_tagging_error(exc: Exception, region: str, operation: str):
+    """Convert AWS errors from tagging API to APIError."""
+    logger.warning("Tag API error in %s (region=%s): %s: %s", operation, region, type(exc).__name__, exc)
+    if isinstance(exc, (NoCredentialsError, PartialCredentialsError, CredentialRetrievalError)):
+        raise APIError(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            code="aws_credentials_missing",
+            message=_friendly_exception_message(exc),
+        ) from exc
+    if isinstance(exc, ClientError):
+        aws_code = exc.response.get("Error", {}).get("Code", "")
+        aws_message = exc.response.get("Error", {}).get("Message", "")
+        if aws_code in ("AccessDenied", "AccessDeniedException", "UnauthorizedAccess", "UnauthorizedOperation"):
+            raise APIError(
+                status_code=status.HTTP_403_FORBIDDEN,
+                code="tags_access_denied",
+                message=f"Access denied for {operation}. Ensure the IAM role has tag:GetTagKeys, tag:GetTagValues, and tag:GetResources permissions. ({aws_code}: {aws_message})",
+                details={"aws_error_code": aws_code, "region": region},
+            ) from exc
+        raise APIError(
+            status_code=status.HTTP_502_BAD_GATEWAY,
+            code="tags_api_error",
+            message=f"AWS tagging API error: {aws_code}: {aws_message}" if aws_message else _friendly_exception_message(exc),
+            details={"aws_error_code": aws_code, "region": region},
+        ) from exc
+    if isinstance(exc, (EndpointConnectionError, ConnectTimeoutError, ReadTimeoutError)):
+        raise APIError(
+            status_code=status.HTTP_502_BAD_GATEWAY,
+            code="aws_endpoint_unreachable",
+            message=_friendly_exception_message(exc),
+            details={"region": region},
+        ) from exc
+    if isinstance(exc, BotoCoreError):
+        raise APIError(
+            status_code=status.HTTP_502_BAD_GATEWAY,
+            code="tags_api_error",
+            message=_friendly_exception_message(exc),
+            details={"region": region},
+        ) from exc
+    # Fallback for unexpected exception types
+    raise APIError(
+        status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+        code="unexpected_error",
+        message=_friendly_exception_message(exc),
+    ) from exc
+
+
+@api.get(
+    "/tags/keys",
+    response_model=TagKeysResponse,
+    responses={401: {"model": APIErrorResponse}, 403: {"model": APIErrorResponse}, 502: {"model": APIErrorResponse}},
+)
+def get_tag_keys(region: str = Query(default="us-east-1")) -> Dict[str, Any]:
+    region = _validate_region(region)
+    try:
+        client = _tagging_client(region)
+        keys = []
+        paginator = client.get_paginator("get_tag_keys")
+        for page in paginator.paginate():
+            keys.extend(page.get("TagKeys", []))
+        return {"keys": sorted(set(keys))}
+    except Exception as exc:
+        _handle_tagging_error(exc, region, "get_tag_keys")
+
+
+@api.get(
+    "/tags/values",
+    response_model=TagValuesResponse,
+    responses={401: {"model": APIErrorResponse}, 403: {"model": APIErrorResponse}, 502: {"model": APIErrorResponse}},
+)
+def get_tag_values(
+    region: str = Query(default="us-east-1"),
+    key: str = Query(..., min_length=1),
+) -> Dict[str, Any]:
+    region = _validate_region(region)
+    try:
+        client = _tagging_client(region)
+        values = []
+        paginator = client.get_paginator("get_tag_values")
+        for page in paginator.paginate(Key=key):
+            values.extend(page.get("TagValues", []))
+        return {"key": key, "values": sorted(set(values))}
+    except Exception as exc:
+        _handle_tagging_error(exc, region, "get_tag_values")
+
+
+@api.get(
+    "/tags/resources",
+    response_model=TagResourcesResponse,
+    responses={401: {"model": APIErrorResponse}, 403: {"model": APIErrorResponse}, 502: {"model": APIErrorResponse}},
+)
+def get_tag_resources(
+    region: str = Query(default="us-east-1"),
+    tag_filters: str = Query(..., description="JSON array of {Key, Values} filter objects"),
+) -> Dict[str, Any]:
+    import json as _json
+
+    region = _validate_region(region)
+
+    try:
+        parsed_filters = _json.loads(tag_filters)
+        if not isinstance(parsed_filters, list):
+            raise ValueError("tag_filters must be a JSON array")
+        for i, entry in enumerate(parsed_filters):
+            if not isinstance(entry, dict):
+                raise ValueError(f"tag_filters[{i}] must be an object")
+            if "Key" not in entry:
+                raise ValueError(f"tag_filters[{i}] is missing required field 'Key'")
+            if not isinstance(entry.get("Key"), str):
+                raise ValueError(f"tag_filters[{i}].Key must be a string")
+            if "Values" in entry and not isinstance(entry["Values"], list):
+                raise ValueError(f"tag_filters[{i}].Values must be an array")
+    except (ValueError, _json.JSONDecodeError) as exc:
+        raise APIError(
+            status_code=status.HTTP_422_UNPROCESSABLE_ENTITY,
+            code="validation_error",
+            message=f"Invalid tag_filters JSON: {exc}",
+        ) from exc
+
+    try:
+        client = _tagging_client(region)
+        arns = []
+        paginator = client.get_paginator("get_resources")
+        for page in paginator.paginate(
+            TagFilters=parsed_filters,
+            ResourcesPerPage=100,
+        ):
+            for entry in page.get("ResourceTagMappingList", []):
+                arn = entry.get("ResourceARN")
+                if arn:
+                    arns.append(arn)
+
+        services = sorted(s for s in set(_service_from_arn(arn) for arn in arns) if s)
+        return {"arns": arns, "services": services}
+    except Exception as exc:
+        _handle_tagging_error(exc, region, "get_resources")
+
+
 app.include_router(api)
 
 # ---------------------------------------------------------------------------