This repository has been archived by the owner on Oct 15, 2024. It is now read-only.

IAMInstanceProfile and IAMInstanceProfileRole don't support tags #733

Closed
hs-siso opened this issue Jan 21, 2022 · 6 comments

Contributor

hs-siso commented Jan 21, 2022

Description

I have an automated script to remove IAM resources based on a specific tag.

In the config file I have the following filtering applied:

        - property: 'tag:expiration_date'
          type: dateOlderThan
          value: 0

which works for IAMRole, IAMPolicy, and IAMRolePolicyAttachment but does not work for IAMInstanceProfileRole and IAMInstanceProfile.

Unfortunately these two IAM resources don't support filtering by tag.

The actual error:

global - IAMInstanceProfile - manual-destoy-env - would remove
global - IAMInstanceProfileRole - manual-destoy-env -> manual-destoy-env - would remove

There is an enforced dependency when trying to remove global IAM resources. Hence, removing an IAM role won't work if IAMInstanceProfile and IAMInstanceProfile haven't been removed previously.

Can anyone help with this, please?

Contributor

mavogel commented Jan 24, 2022

Hi @hs-siso, I recently added it for IAMRole in this PR: #731, however for IAMInstanceProfileRole it's still missing. I took the tf provider as a baseline, if I could find tags there: see here.

Feel free to take my PR as a baseline and create one with the missing ones :)

Contributor Author

hs-siso commented Jan 28, 2022

Hey @mavogel, I don't have write access to create a branch and propose a fix for this though:

You’re making changes in a project you don’t have write access to.

Will you be able to help sort this out?

I'll fork and push a PR from there, sorry for the noise.

Contributor Author

hs-siso commented Jan 28, 2022

I have built from master and executed a test locally with the change that you've merged and am still observing that only the Name property is filled up. The Tags aren't.

Here's an example for a test environment (aws-nuke targeting InstanceProfile only):

global - IAMInstanceProfile - role-witty-fear-postgres-v10 - [Name: "role-witty-fear-postgres-v10"] - would remove

whereas with aws cli I can strictly observe that the Tags are there:

ᐅ aws iam get-instance-profile --instance-profile-name role-witty-fear-postgres-v10 --output json | jq '.InstanceProfile.Tags'
[
  {
    "Key": "owner",
    "Value": "someone"
  },
  {
    "Key": "cluster",
    "Value": "witty-fear-postgres-v10"
  },
  {
    "Key": "resource_owner",
    "Value": "someone"
  },
  {
    "Key": "expiration_date",
    "Value": "2022-01-27T23:28:12Z"
  },
  ... OTHER TAGS CLEARED OUT FOR VISIBILITY
]

I am new to Golang so any help will be appreciated :)

Thanks

Contributor Author

hs-siso commented Jan 31, 2022

I dove into the details of why the tags aren't obtained even though the fix was implemented and figured out that ListInstanceProfiles from the Go SDK does not return tags.

Src: https://raw.githubusercontent.com/aws/aws-sdk-go/main/service/iam/api.go

// IAM resource-listing operations return a subset of the available attributes
// for the resource. For example, this operation does not return tags, even
// though they are an attribute of the returned object. To view all of the information
// for an instance profile, see GetInstanceProfile.

I'll try to propose a fix for this later today.
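The list-then-get behaviour described in the comment above, as an added Go example that is not aws-nuke's code or the fix that was merged. `Profile`, `fakeIAM`, `Expired` and `enrich` are hypothetical names, and an in-memory map with constructed tags stands in for the real IAM calls so the effect on an `expiration_date` filter can be seen offline.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Profile is a simplified stand-in for the SDK's instance profile type (assumption).
type Profile struct {
	Name string
	Tags map[string]string
}

// fakeIAM is a constructed in-memory stand-in for IAM: List omits tags, Get returns them.
type fakeIAM map[string]map[string]string

func (f fakeIAM) List() (out []Profile) {
	for name := range f {
		out = append(out, Profile{Name: name})
	}
	return out
}
func (f fakeIAM) Get(name string) Profile { return Profile{Name: name, Tags: f[name]} }

// Expired returns sorted names whose expiration_date tag is before now; a missing or bad tag never matches.
func Expired(api fakeIAM, now time.Time, enrich bool) []string {
	names := []string{}
	for _, p := range api.List() {
		if enrich {
			p = api.Get(p.Name) // without this second call p.Tags is nil
		}
		ts, err := time.Parse(time.RFC3339, p.Tags["expiration_date"])
		if err == nil && ts.Before(now) {
			names = append(names, p.Name)
		}
	}
	sort.Strings(names)
	return names
}

var now = time.Date(2022, 1, 31, 0, 0, 0, 0, time.UTC) // constructed "current" time
var sample = fakeIAM{ // constructed sample tags
	"role-a": {"expiration_date": "2022-01-27T23:28:12Z"},
	"role-b": {"expiration_date": "2030-01-01T00:00:00Z"},
	"role-c": {"owner": "someone"},
}

func main() { fmt.Println(Expired(sample, now, false), Expired(sample, now, true)) }
```

Filtering the bare list result matches nothing because every `Tags` map is empty, while the enriched pass matches only the profile whose tag has passed.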

Contributor Author

hs-siso commented Feb 3, 2022

Closing the issue as the suggested fix was merged into master. 🎉

Contributor Author

hs-siso commented Feb 11, 2022

@svenwltr @der-eismann Is there a chance to tag a 2.17.1 release with these changes incorporated, as the 2.17.0 that was released doesn't have them?
