AWS TagSyncTask is an automatic tag synchronization mechanism that helps you effortlessly onboard resources with a specified tag key-value pair to your application. In this post, I’ll walk you through how to use TagSyncTask to automatically onboard or off-board multiple resources to your AWS application in just a few steps using an example scenario.
Scenario
Here, let's consider a scenario where multiple resources tagged with either Project=ProjectX or Project=ProjectY need to be included in an AWS AppRegistry application called ProjectSync. For simplicity, let's also assume that all of these resources are either SQS queues or S3 buckets.
Instead of manually associating each of these resources with the application, the process can be streamlined by using AWS TagSyncTask.
Let's get started
For simplicity, let's assume the role used to access the AWS account has Administrator permissions.
Prerequisite
Step 1. Create a permission policy to tag resources.
Navigate to the IAM console in the AWS account. Click on Policies on the left-hand side panel and click Create Policy.
Create a policy with the permissions below. This policy grants the permissions the resource-groups service needs to onboard and off-board resources to an application, along with the permissions needed to tag each resource type. In our case, the resources are SQS queues and S3 buckets. Note that the statement grants these actions on all resources (Resource "*"); narrow the Resource element if your account's tagging model allows it.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "tag:GetResources",
        "tag:UntagResources",
        "tag:TagResources",
        "resource-groups:GroupResources",
        "resource-groups:UngroupResources",
        "resource-groups:Untag",
        "resource-groups:Tag",
        "sqs:TagQueue",
        "sqs:UntagQueue",
        "s3:PutBucketTagging",
        "s3:GetBucketTagging"
      ],
      "Resource": "*"
    }
  ]
}
Click Next and create the policy with the name TagSyncTaskPolicy and the description "Policy to be used for the TagSync Task role".
Step 2. Create a role to be used by tag-sync tasks to onboard and off-board resources from the application.
Navigate to the IAM console in the AWS account. Click on Roles on the left-hand side panel and click Create Role.
Create a role with the custom trust policy below, which allows only the Resource Groups service to assume it.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Principal": {
        "Service": "resource-groups.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Add the previously created permission policy to the role.
Click Next and create the role with the name RoleTagSyncTask and the description "Role used by the tag-sync task".
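Before creating the tag-sync task, it is worth checking that the permission policy from Step 1 actually covers every resource type you expect to tag and that the trust policy from Step 2 names the Resource Groups service. The pre-flight check below is an added example, not part of this post or of any AWS tooling; the per-service action map is an assumption seeded only with the SQS and S3 actions listed above and must be extended for other services.

```python
import json

# Actions every tag-sync task role needs (the non-service-specific actions from Step 1).
BASE_ACTIONS = {
    "tag:GetResources", "tag:TagResources", "tag:UntagResources",
    "resource-groups:GroupResources", "resource-groups:UngroupResources",
    "resource-groups:Tag", "resource-groups:Untag",
}
# Per-service tagging actions. ASSUMPTION: only the sqs/s3 entries come from the post;
# add an entry for each further service whose resources carry the Project tag.
SERVICE_TAG_ACTIONS = {
    "sqs": {"sqs:TagQueue", "sqs:UntagQueue"},
    "s3": {"s3:PutBucketTagging", "s3:GetBucketTagging"},
}
TAG_SYNC_PRINCIPAL = "resource-groups.amazonaws.com"


def build_permission_policy(services):
    """Return the Step 1 permission-policy document for the given service names."""
    actions = set(BASE_ACTIONS)
    for svc in services:
        actions |= SERVICE_TAG_ACTIONS[svc]
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "TagSyncTask", "Effect": "Allow",
        "Action": sorted(actions), "Resource": "*"}]}


def allowed_actions(policy):
    """Literal actions from every Allow statement; wildcards such as sqs:* are not expanded."""
    found = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        action = stmt.get("Action", [])
        found |= {action} if isinstance(action, str) else set(action)
    return found


def missing_actions(policy, services):
    """Actions a tag-sync role for these services needs but the given policy does not grant."""
    return sorted(allowed_actions(build_permission_policy(services)) - allowed_actions(policy))


def trust_policy_ok(trust):
    """True only if an Allow statement lets the Resource Groups service call sts:AssumeRole."""
    for stmt in trust.get("Statement", []):
        principal = stmt.get("Principal", {})
        svc = principal.get("Service", []) if isinstance(principal, dict) else []
        svc = [svc] if isinstance(svc, str) else svc
        if stmt.get("Effect") == "Allow" and stmt.get("Action") == "sts:AssumeRole" and TAG_SYNC_PRINCIPAL in svc:
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(build_permission_policy(["sqs", "s3"]), indent=2))
```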
Onboard resources using tag-sync task
Navigate to the myApplications console in the AWS account and choose the application ProjectSync.
Click Manage resources. This opens the resource management page for the application.
Click Create tag-sync. Specify the role created in Step 2 and the tag key and value whose resources should be onboarded to the application. First, let's create a task to onboard all resources that carry the tag key-value pair Project=ProjectX.
Acknowledge that this enables Group Lifecycle Events and CloudFormation stack updates.
Confirm and create the task. This starts onboarding the resources tagged Project=ProjectX to the application.
Upon refreshing the page, the resources carrying that tag key-value pair appear in the application.
Similarly, let's create a tag-sync task to onboard resources tagged with the tag key-value pair Project=ProjectY.
Upon successful creation and after a refresh, more resources are added to the application.
Off-board resources from the application
Resources can be removed from the application simply by removing the tag. In this case, remove the tag Project=ProjectX or Project=ProjectY from each resource that needs to be off-boarded.
Consider the example where an S3 bucket needs to be off-boarded from the application. This is done simply by removing the Project=ProjectY tag from the bucket.
Handling Failures
Failures encountered while onboarding or off-boarding resources are listed under the Resource tagging error status.
More details in the next blog post.