AWS Resource Groups Tagging API

2019/06/18 - AWS Resource Groups Tagging API - 9 new3 updated api methods

Changes  Update resourcegroupstaggingapi client to latest version

DisableTagPolicies (new) Link ¶

Disables tag policies for your organization and deletes all tag policies.

You can call this operation from the organization's master account only and from the us-east-1 Region only.

See also: AWS API Documentation

Request Syntax

client.disable_tag_policies()
rtype:

dict

returns:

Response Syntax

{}

Response Structure

  • (dict) --

GetTagPolicy (new) Link ¶

Returns the policy that is attached to the specified target.

You can call this operation from the organization's master account only and from the us-east-1 Region only.

See also: AWS API Documentation

Request Syntax

client.get_tag_policy(
    TargetId='string'
)
type TargetId:

string

param TargetId:

[REQUIRED]

The account ID or the root identifier of the organization. If you don't know the root ID, you can call the AWS Organizations ListRoots API to find it.

rtype:

dict

returns:

Response Syntax

{
    'Policy': 'string',
    'LastUpdated': datetime(2015, 1, 1)
}

Response Structure

  • (dict) --

    • Policy (string) --

      The policy that is attached to the specified target.

    • LastUpdated (datetime) --

      The last time this policy was updated.

PutTagPolicy (new) Link ¶

Validates the tag policy and then attaches it to the account or organization root. This policy determines whether a resource is compliant.

Validating the tag policy includes checking that the tag policy document includes the required components, uses JSON syntax, and has fewer than 5,000 characters (including spaces). For more information, see Tag Policy Structure in the AWS Resource Groups User Guide.

You can call this operation from the organization's master account only, and from the us-east-1 Region only.

See also: AWS API Documentation

Request Syntax

client.put_tag_policy(
    TargetId='string',
    Policy='string'
)
type TargetId:

string

param TargetId:

[REQUIRED]

The account ID or the root identifier of the organization. If you don't know the root ID, you can call the AWS Organizations ListRoots API to find it.

type Policy:

string

param Policy:

[REQUIRED]

The tag policy to attach to the target.

rtype:

dict

returns:

Response Syntax

{}

Response Structure

  • (dict) --

GetComplianceSummary (new) Link ¶

Returns a table that shows counts of resources that are noncompliant with their tag policies.

For more information on tag policies, see Tag Policies in the AWS Resource Groups User Guide.

You can call this operation from the organization's master account only and from the us-east-1 Region only.

See also: AWS API Documentation

Request Syntax

client.get_compliance_summary(
    TargetIdFilters=[
        'string',
    ],
    RegionFilters=[
        'string',
    ],
    ResourceTypeFilters=[
        'string',
    ],
    TagKeyFilters=[
        'string',
    ],
    GroupBy=[
        'TARGET_ID'|'REGION'|'RESOURCE_TYPE',
    ],
    MaxResults=123,
    PaginationToken='string'
)
type TargetIdFilters:

list

param TargetIdFilters:

The target identifiers (usually, specific account IDs) to limit the output by. If you use this parameter, the count of returned noncompliant resources includes only resources in the specified target IDs.

  • (string) --

type RegionFilters:

list

param RegionFilters:

A list of Regions to limit the output by. If you use this parameter, the count of returned noncompliant resources includes only resources in the specified Regions.

  • (string) --

type ResourceTypeFilters:

list

param ResourceTypeFilters:

The constraints on the resources that you want returned. The format of each resource type is service[:resourceType]. For example, specifying a resource type of ec2 returns all Amazon EC2 resources (which includes EC2 instances). Specifying a resource type of ec2:instance returns only EC2 instances.

The string for each service name and resource type is the same as that embedded in a resource's Amazon Resource Name (ARN). Consult the AWS General Reference for the following:

You can specify multiple resource types by using an array. The array can include up to 100 items. Note that the length constraint requirement applies to each resource type filter.

  • (string) --

type TagKeyFilters:

list

param TagKeyFilters:

A list of tag keys to limit the output by. If you use this parameter, the count of returned noncompliant resources includes only resources that have the specified tag keys.

  • (string) --

type GroupBy:

list

param GroupBy:

A list of attributes to group the counts of noncompliant resources by. If supplied, the counts are sorted by those attributes.

  • (string) --

type MaxResults:

integer

param MaxResults:

A limit that restricts the number of results that are returned per page.

type PaginationToken:

string

param PaginationToken:

A string that indicates that additional data is available. Leave this value empty for your initial request. If the response includes a PaginationToken, use that string for this value to request an additional page of data.

rtype:

dict

returns:

Response Syntax

{
    'SummaryList': [
        {
            'LastUpdated': datetime(2015, 1, 1),
            'TargetId': 'string',
            'Region': 'string',
            'ResourceType': 'string',
            'NonCompliantResources': 123
        },
    ],
    'PaginationToken': 'string'
}

Response Structure

  • (dict) --

    • SummaryList (list) --

      A table that shows counts of noncompliant resources.

      • (dict) --

        A count of noncompliant resources.

        • LastUpdated (datetime) --

          The timestamp that shows when this summary was generated in this Region.

        • TargetId (string) --

          The account identifier or the root identifier of the organization. If you don't know the root ID, you can call the AWS Organizations ListRoots API.

        • Region (string) --

          The AWS Region that the summary applies to.

        • ResourceType (string) --

          The resource type.

        • NonCompliantResources (integer) --

          The count of noncompliant resources.

    • PaginationToken (string) --

      A string that indicates that the response contains more data than can be returned in a single response. To receive additional data, specify this string for the PaginationToken value in a subsequent request.

StartReportCreation (new) Link ¶

Generates a report that lists all tagged resources in accounts across your organization, and whether each resource is compliant with the effective tag policy.

You can call this operation from the organization's master account only and from the us-east-1 Region only.

See also: AWS API Documentation

Request Syntax

client.start_report_creation(
    S3Bucket='string'
)
type S3Bucket:

string

param S3Bucket:

[REQUIRED]

The name of the Amazon S3 bucket where the report will be stored.

For more information on S3 bucket requirements, including an example bucket policy, see Additional Requirements for Running Organization-Wide Tag Compliance Report in the AWS Resource Groups User Guide.

rtype:

dict

returns:

Response Syntax

{}

Response Structure

  • (dict) --

DeleteTagPolicy (new) Link ¶

Deletes the policy that is attached to the specified organization root or account.

You can call this operation from the organization's master account only and from the us-east-1 Region only.

See also: AWS API Documentation

Request Syntax

client.delete_tag_policy(
    TargetId='string'
)
type TargetId:

string

param TargetId:

[REQUIRED]

The account ID or the root identifier of the organization. If you don't know the root ID, you can call the AWS Organizations ListRoots API to find it.

rtype:

dict

returns:

Response Syntax

{}

Response Structure

  • (dict) --

GetEffectiveTagPolicy (new) Link ¶

Returns the contents of the effective tag policy for the AWS account. Depending on how you use tag policies, the effective tag policy for an account is one of the following:

  • The tag policy attached to the organization that the account belongs to.

  • The tag policy attached to the account.

  • The combination of both policies if tag policies are attached to the organization root and account.

See also: AWS API Documentation

Request Syntax

client.get_effective_tag_policy(
    TargetId='string'
)
type TargetId:

string

param TargetId:

The unique identifier of the organization root or account whose tag policy you want returned.

rtype:

dict

returns:

Response Syntax

{
    'Policy': 'string',
    'LastUpdated': datetime(2015, 1, 1)
}

Response Structure

  • (dict) --

    • Policy (string) --

      The contents of the tag policy that is effective for this account.

    • LastUpdated (datetime) --

      The last time this tag policy was updated.

DescribeReportCreation (new) Link ¶

Describes the status of the StartReportCreation operation.

You can call this operation from the organization's master account only and from the us-east-1 Region only.

See also: AWS API Documentation

Request Syntax

client.describe_report_creation()
rtype:

dict

returns:

Response Syntax

{
    'Status': 'string',
    'S3Location': 'string',
    'ErrorMessage': 'string'
}

Response Structure

  • (dict) --

    • Status (string) --

      Reports the status of the operation.

      The operation status can be one of the following:

      • RUNNING: Report generation is in progress.

      • SUCCEEDED: Report generation is complete. You can open the report from the Amazon S3 bucket you specified when you ran StartReportGeneration.

      • FAILED: Report generation timed out or the Amazon S3 bucket is not accessible.

    • S3Location (string) --

      The path to the Amazon S3 bucket where the report is stored.

    • ErrorMessage (string) --

      Details of the common errors that all operations return.

EnableTagPolicies (new) Link ¶

Enables tag policies for your organization. To use tag policies, you must be using AWS Organizations with all features enabled.

You can call this operation from the organization's master account only and from the us-east-1 Region only.

This operation does the following:

  • Enables tag policies for the specified organization.

  • Calls the EnableAWSServiceAccess API on your behalf to allow service access with the tagpolicies.tag.amazonaws.com service principal.

  • Creates a service-linked role named AWSServiceRoleForTagPolicies.

For more information on tag policies, see Tag Policies in the AWS Resource Groups User Guide.

See also: AWS API Documentation

Request Syntax

client.enable_tag_policies(
    RootId='string'
)
type RootId:

string

param RootId:

[REQUIRED]

The root identifier of the organization. If you don't know the root ID, you can call the AWS Organizations ListRoots API to find it.

rtype:

dict

returns:

Response Syntax

{}

Response Structure

  • (dict) --

GetResources (updated) Link ¶
Changes (request, response)
Request 
{'ExcludeCompliantResources': 'boolean',
 'IncludeComplianceDetails': 'boolean',
 'Policy': 'string'}
Response 
{'ResourceTagMappingList': {'ComplianceDetails': {'ComplianceStatus': 'boolean',
                                                  'InvalidKeys': ['string'],
                                                  'InvalidValues': ['string'],
                                                  'MissingKeys': ['string']}}}

Returns all the tagged or previously tagged resources that are located in the specified Region for the AWS account.

Depending on what information you want returned, you can also specify the following:

  • Filters that specify what tags and resource types you want returned. The response includes all tags that are associated with the requested resources.

  • Information about compliance with tag policies. If supplied, the compliance check follows the specified tag policy instead of following the effective tag policy. For more information on tag policies, see Tag Policies in the AWS Resource Groups User Guide.

See also: AWS API Documentation

Request Syntax

client.get_resources(
    PaginationToken='string',
    TagFilters=[
        {
            'Key': 'string',
            'Values': [
                'string',
            ]
        },
    ],
    ResourcesPerPage=123,
    TagsPerPage=123,
    ResourceTypeFilters=[
        'string',
    ],
    IncludeComplianceDetails=True|False,
    ExcludeCompliantResources=True|False,
    Policy='string'
)
type PaginationToken:

string

param PaginationToken:

A string that indicates that additional data is available. Leave this value empty for your initial request. If the response includes a PaginationToken, use that string for this value to request an additional page of data.

type TagFilters:

list

param TagFilters:

A list of TagFilters (keys and values). Each TagFilter specified must contain a key with values as optional. A request can include up to 50 keys, and each key can include up to 20 values.

Note the following when deciding how to use TagFilters:

  • If you do specify a TagFilter, the response returns only those resources that are currently associated with the specified tag.

  • If you don't specify a TagFilter, the response includes all resources that were ever associated with tags. Resources that currently don't have associated tags are shown with an empty tag set, like this: "Tags": [].

  • If you specify more than one filter in a single request, the response returns only those resources that satisfy all specified filters.

  • If you specify a filter that contains more than one value for a key, the response returns resources that match any of the specified values for that key.

  • If you don't specify any values for a key, the response returns resources that are tagged with that key irrespective of the value. For example, for filters: filter1 = {key1, {value1}}, filter2 = {key2, {value2,value3,value4}} , filter3 = {key3}:

    • GetResources( {filter1} ) returns resources tagged with key1=value1

    • GetResources( {filter2} ) returns resources tagged with key2=value2 or key2=value3 or key2=value4

    • GetResources( {filter3} ) returns resources tagged with any tag containing key3 as its tag key, irrespective of its value

    • GetResources( {filter1,filter2,filter3} ) returns resources tagged with ( key1=value1) and ( key2=value2 or key2=value3 or key2=value4) and (key3, irrespective of the value)

  • (dict) --

    A list of tags (keys and values) that are used to specify the associated resources.

    • Key (string) --

      One part of a key-value pair that make up a tag. A key is a general label that acts like a category for more specific tag values.

    • Values (list) --

      The optional part of a key-value pair that make up a tag. A value acts as a descriptor within a tag category (key).

      • (string) --

type ResourcesPerPage:

integer

param ResourcesPerPage:

A limit that restricts the number of resources returned by GetResources in paginated output. You can set ResourcesPerPage to a minimum of 1 item and the maximum of 100 items.

type TagsPerPage:

integer

param TagsPerPage:

A limit that restricts the number of tags (key and value pairs) returned by GetResources in paginated output. A resource with no tags is counted as having one tag (one key and value pair).

GetResources does not split a resource and its associated tags across pages. If the specified TagsPerPage would cause such a break, a PaginationToken is returned in place of the affected resource and its tags. Use that token in another request to get the remaining data. For example, if you specify a TagsPerPage of 100 and the account has 22 resources with 10 tags each (meaning that each resource has 10 key and value pairs), the output will consist of 3 pages, with the first page displaying the first 10 resources, each with its 10 tags, the second page displaying the next 10 resources each with its 10 tags, and the third page displaying the remaining 2 resources, each with its 10 tags.

You can set TagsPerPage to a minimum of 100 items and the maximum of 500 items.

type ResourceTypeFilters:

list

param ResourceTypeFilters:

The constraints on the resources that you want returned. The format of each resource type is service[:resourceType]. For example, specifying a resource type of ec2 returns all Amazon EC2 resources (which includes EC2 instances). Specifying a resource type of ec2:instance returns only EC2 instances.

The string for each service name and resource type is the same as that embedded in a resource's Amazon Resource Name (ARN). Consult the AWS General Reference for the following:

You can specify multiple resource types by using an array. The array can include up to 100 items. Note that the length constraint requirement applies to each resource type filter.

  • (string) --

type IncludeComplianceDetails:

boolean

param IncludeComplianceDetails:

Specifies whether to include details regarding the compliance with the effective tag policy. Set this to true to determine whether resources are compliant with the tag policy and to get details.

type ExcludeCompliantResources:

boolean

param ExcludeCompliantResources:

Specifies whether to exclude resources that are compliant with the tag policy. Set this to true if you are interested in retrieving information on noncompliant resources only.

You can use this parameter only if the IncludeComplianceDetails parameter is also set to true.

type Policy:

string

param Policy:

The tag policy to check resources against for compliance. If supplied, the compliance check follows the specified tag policy instead of following the effective tag policy. Using this parameter to specify a tag policy is useful for testing new tag policies before attaching them to a target.

You can only use this parameter if the IncludeComplianceDetails parameter is also set to true.

rtype:

dict

returns:

Response Syntax

{
    'PaginationToken': 'string',
    'ResourceTagMappingList': [
        {
            'ResourceARN': 'string',
            'Tags': [
                {
                    'Key': 'string',
                    'Value': 'string'
                },
            ],
            'ComplianceDetails': {
                'MissingKeys': [
                    'string',
                ],
                'InvalidKeys': [
                    'string',
                ],
                'InvalidValues': [
                    'string',
                ],
                'ComplianceStatus': True|False
            }
        },
    ]
}

Response Structure

  • (dict) --

    • PaginationToken (string) --

      A string that indicates that the response contains more data than can be returned in a single response. To receive additional data, specify this string for the PaginationToken value in a subsequent request.

    • ResourceTagMappingList (list) --

      A list of resource ARNs and the tags (keys and values) associated with each.

      • (dict) --

        A list of resource ARNs and the tags (keys and values) that are associated with each.

        • ResourceARN (string) --

          The ARN of the resource.

        • Tags (list) --

          The tags that have been applied to one or more AWS resources.

          • (dict) --

            The metadata that you apply to AWS resources to help you categorize and organize them. Each tag consists of a key and an optional value, both of which you define. For more information, see Tag Basics in the Amazon EC2 User Guide for Linux Instances.

            • Key (string) --

              One part of a key-value pair that make up a tag. A key is a general label that acts like a category for more specific tag values.

            • Value (string) --

              The optional part of a key-value pair that make up a tag. A value acts as a descriptor within a tag category (key).

        • ComplianceDetails (dict) --

          Details on whether a resource is compliant with the effective tag policy, including information about any noncompliant tag keys.

          • MissingKeys (list) --

            A tag key that is required by the effective tag policy is missing.

            • (string) --

          • InvalidKeys (list) --

            The tag key is noncompliant with the effective tag policy.

            • (string) --

          • InvalidValues (list) --

            The tag value is noncompliant with the effective tag policy.

            • (string) --

          • ComplianceStatus (boolean) --

            Whether a resource is compliant with the effective tag policy.

GetTagKeys (updated) Link ¶
Changes (request) 
{'MaxResults': 'integer'}

Returns all tag keys in the specified Region for the AWS account.

See also: AWS API Documentation

Request Syntax

client.get_tag_keys(
    PaginationToken='string',
    MaxResults=123
)
type PaginationToken:

string

param PaginationToken:

A string that indicates that additional data is available. Leave this value empty for your initial request. If the response includes a PaginationToken, use that string for this value to request an additional page of data.

type MaxResults:

integer

param MaxResults:

A limit that restricts the number of results that are returned per page.

rtype:

dict

returns:

Response Syntax

{
    'PaginationToken': 'string',
    'TagKeys': [
        'string',
    ]
}

Response Structure

  • (dict) --

    • PaginationToken (string) --

      A string that indicates that the response contains more data than can be returned in a single response. To receive additional data, specify this string for the PaginationToken value in a subsequent request.

    • TagKeys (list) --

      A list of all tag keys in the AWS account.

      • (string) --

GetTagValues (updated) Link ¶
Changes (request) 
{'MaxResults': 'integer'}

Returns all tag values for the specified key in the specified Region for the AWS account.

See also: AWS API Documentation

Request Syntax

client.get_tag_values(
    PaginationToken='string',
    Key='string',
    MaxResults=123
)
type PaginationToken:

string

param PaginationToken:

A string that indicates that additional data is available. Leave this value empty for your initial request. If the response includes a PaginationToken, use that string for this value to request an additional page of data.

type Key:

string

param Key:

[REQUIRED]

The key for which you want to list all existing values in the specified Region for the AWS account.

type MaxResults:

integer

param MaxResults:

A limit that restricts the number of results that are returned per page.

rtype:

dict

returns:

Response Syntax

{
    'PaginationToken': 'string',
    'TagValues': [
        'string',
    ]
}

Response Structure

  • (dict) --

    • PaginationToken (string) --

      A string that indicates that the response contains more data than can be returned in a single response. To receive additional data, specify this string for the PaginationToken value in a subsequent request.

    • TagValues (list) --

      A list of all tag values for the specified key in the AWS account.

      • (string) --