
I am using the AWS ResourceGroupsTaggingAPI (the get-resources command, https://docs.aws.amazon.com/cli/latest/reference/resourcegroupstaggingapi/get-resources.html) to list all my resources in my account and check if the tags are set up as I want them to be.

Now I notice that the get-resources command also returns resources that I have already deleted.

The advantage of the ResourceGroupsTaggingAPI for me is that I can get all resources and their tags using one command, and I don't have to call the service-specific APIs (which I would have to implement for every service separately).

How can I only return resources that have not been deleted? Or how can I filter out the resources that have already been deleted without using the service-specific APIs?

Nathan

2 Answers


I wanted to do this and couldn't find a way to do it. As my employer has an AWS support contract I raised a ticket for this; the important bit of the response was:

Please note that, currently, this is a known issue with Resource Groups Tagging, where the stale/deleted resource tags are still being returned when calling get-resources. I have added your case to the known issue to better prioritize the development.

so hopefully this may get fixed in the future.

Philip Kendall

I've experienced the same "dangling tags" misbehavior, referenced at repost.aws and in the boto3 project. In my case I have some extra data since I'm using a script in an attempt to sanity check actual state after executing IaC destroy processes:

  # Colour escapes were defined elsewhere in the original script; set here so the snippet runs on its own
  GREEN=$'\e[32m'
  RESET=$'\e[0m'
  echo "Scanning account for profile ${AWS_PROFILE} for all resources.."
  REGIONS="us-east-1 us-east-2 us-west-1 us-west-2"
  for _REGION in $REGIONS ; do
    # Use a literal format string so the region/profile values are never parsed as printf directives
    printf '%s' "Dumping all resources in ${GREEN}${_REGION}${RESET} for profile ${AWS_PROFILE} into file: all-resources-in-${GREEN}${_REGION}${RESET}.json.."
    aws resourcegroupstaggingapi get-resources --region "$_REGION" > "all-resources-in-${_REGION}.json"
    echo ". found ${GREEN}$(grep -c ResourceARN "all-resources-in-${_REGION}.json") ${RESET}ResourceARNs"
  done

My only addition to the conversation here is that there appears to be a clear pattern that only some resources seem to stick around after deletion. In my current project, I've only noticed the following resources with "sticky tags":

  1. NAT Gateways
  2. Security Groups

...and of these, 1. NAT Gateways are the most sticky. I regularly observe that the Security Groups drop off the list first, then the NAT Gateways. Perhaps this is a hint about root cause, or perhaps it's a red herring.

Note that this is in a terraform project that is creating/destroying of course but a tiny subset of AWS resource types, but it does include at least: VPCs, Subnets, RTs, IGW, NatGw, SGs, ACLs, EC2, EKS, Managed Node Groups, ElasticIps, LaunchTemplates, AutoscalingGroups, etc.

So, I'm proposing that you identify which resource types are consistently "sticky" in your environment, and filter those out.

timblaktu
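One way to apply the filtering the answer above proposes, as an added example that is not part of either answer: drop the ARN types you have found to be "sticky" in your environment, then run the tag-compliance check on what remains. The sticky list (NAT gateways and security groups) is taken from the answer above as an assumption, the required tag keys and the sample ResourceTagMappingList entries are constructed for the example.

```python
# Resource types, as (service, "<type>" prefix of the ARN's resource part), that the
# answer above reports as lingering after deletion. Assumption: adjust to your findings.
STICKY_TYPES = {("ec2", "natgateway"), ("ec2", "security-group")}

# Tag keys every resource must carry for the compliance check (constructed policy).
REQUIRED_TAGS = {"Owner", "Environment"}

# Constructed sample in the shape of ResourceTagMappingList returned by get-resources.
SAMPLE_MAPPINGS = [
    {"ResourceARN": "arn:aws:ec2:us-east-1:123456789012:natgateway/nat-0123456789abcdef0",
     "Tags": [{"Key": "Owner", "Value": "team-a"}, {"Key": "Environment", "Value": "dev"}]},
    {"ResourceARN": "arn:aws:ec2:us-east-1:123456789012:security-group/sg-0fedcba9876543210",
     "Tags": [{"Key": "Owner", "Value": "team-a"}]},
    {"ResourceARN": "arn:aws:ec2:us-east-1:123456789012:vpc/vpc-0aaaaaaaaaaaaaaaa",
     "Tags": [{"Key": "Owner", "Value": "team-a"}, {"Key": "Environment", "Value": "dev"}]},
    {"ResourceARN": "arn:aws:s3:::example-bucket-constructed",
     "Tags": [{"Key": "Owner", "Value": "team-b"}]},
]

def arn_service_and_type(arn):
    """Return (service, resource_type) from an ARN; type is '' when the resource
    part carries no '<type>/' or '<type>:' qualifier (S3 buckets, for example)."""
    parts = arn.split(":", 5)
    service, resource = parts[2], parts[5]
    for sep in ("/", ":"):
        if sep in resource:
            return service, resource.split(sep, 1)[0]
    return service, ""

def filter_sticky(mappings, sticky_types=STICKY_TYPES):
    """Drop entries whose (service, type) is on the sticky list."""
    return [m for m in mappings if arn_service_and_type(m["ResourceARN"]) not in sticky_types]

def missing_tags(mappings, required=REQUIRED_TAGS):
    """Map ARN -> sorted required tag keys the resource lacks; compliant ARNs are omitted."""
    report = {}
    for m in mappings:
        keys = {t["Key"] for t in m.get("Tags", [])}
        gap = sorted(required - keys)
        if gap:
            report[m["ResourceARN"]] = gap
    return report

if __name__ == "__main__":
    kept = filter_sticky(SAMPLE_MAPPINGS)
    for arn, gap in missing_tags(kept).items():
        print(f"{arn}: missing {', '.join(gap)}")
```

To run this against a real account, replace SAMPLE_MAPPINGS with the concatenated ResourceTagMappingList pages from get-resources (the JSON files the script above writes, or the boto3 get_resources paginator).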