Work around the resourcegroupsapi being broken if called outside us-east-1

[andrewjhumphrey]

We use the resourcegroupstaggingapi to efficiently fetch tagging information for policies, sadly it returns incorrect information when used outside of the us-east-1 for global resources like IAM policies. This is expected behaviour according to AWS support (this link only works in the customer-staging account).

You can test this for yourself by running something like this in an account you have access to:

% aws resourcegroupstaggingapi get-resources --resource-arn-list arn:aws:iam::<ACCOUNTNUMBER>:policy/SSO-Glue-Read-Only --region us-east-1
{
    "ResourceTagMappingList": [
        {
            "ResourceARN": "arn:aws:iam::090413119358:policy/SSO-Glue-Read-Only",
            "Tags": [
                {
                    "Key": "iamy-ignore",
                    "Value": "true"
                }
            ]
        }
    ]
}
% aws resourcegroupstaggingapi get-resources --resource-arn-list arn:aws:iam::<ACCOUNTNUMBER>:policy/SSO-Glue-Read-Only --region eu-west-1
{
    "ResourceTagMappingList": []
}

So this PR forces the use of us-east-1 for the resourcegroupstaggingapi, ignoring whatever config file or environment variable settings the user has.

[simpson-ross]

👍 to the change (and thanks!)

😢 to tabs-vs-spaces

[petervandoros]

Tested and confirmed working 🎉

Thanks!

[andrewjhumphrey]

😢 to tabs-vs-spaces
Fixed, but now you have to +1 again, sorry.

[viraptor]

Are bucket policies also considered global? Will they be found correctly after this change?

[andrewjhumphrey]

Are bucket policies also considered global? Will they be found correctly after this change?

I wondered the same thing, but there is power in diversity 😄 bucket tags are fetched through a different mechanism:

https://github.com/envato/iamy/blob/main/iamy/s3.go#L165-L183