Disclaimer: This is sample code for non-production usage. You should work with your security and legal teams to meet your organizational security, regulatory, and compliance requirements before deployment. You are responsible for testing, securing, and optimizing this solution as appropriate for production use based on your specific quality control practices and standards. Deploying this solution may incur AWS charges for Lambda, EventBridge, CloudWatch, SSM Parameter Store, SQS, and SNS. Under the AWS Shared Responsibility Model, you are responsible for security decisions in the cloud, including the IAM roles and policies deployed by this solution.
Automatic AWS resource tagging for MAP 2.0 credit tracking.
Customers miss MAP 2.0 credits because engineers forget to tag resources, scripts create resources without tags, and dependent resources (EBS volumes, snapshots, read replicas) go untagged. This solution catches resource creation events via CloudTrail → EventBridge → SQS → Lambda and applies the map-migrated tag automatically — typically within 60–90 seconds, across 154 resource types.
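The consumer end of that pipeline, sketched as an added example (not the project's own Lambda code): it plans the `map-migrated` tag for each SQS-delivered CloudTrail event, skips failed API calls and out-of-scope accounts, and reports malformed messages through the SQS partial-batch response. The function name `plan_tags`, the CreateBucket-only mapping, and the sample account IDs and bucket names are assumptions constructed for illustration.

```python
import json

TAG_KEY = "map-migrated"  # tag key named on this page

def plan_tags(sqs_event, tag_value, allowed_accounts):
    """Hypothetical planner: returns (plans, partial-batch response) for one SQS batch."""
    plans, failures = [], []
    for record in sqs_event.get("Records", []):
        try:
            event = json.loads(record["body"])  # EventBridge envelope inside the SQS body
            detail = event["detail"]            # the CloudTrail record
            # CloudTrail sets errorCode on failed calls: nothing was created, nothing to tag.
            if detail.get("errorCode"):
                continue
            # Enforce the configured account scope before planning any tag write.
            if event.get("account") not in allowed_accounts:
                continue
            if (detail["eventSource"], detail["eventName"]) != ("s3.amazonaws.com", "CreateBucket"):
                continue  # this sketch maps only one resource type
            bucket = detail["requestParameters"]["bucketName"]
            plans.append({"arn": f"arn:aws:s3:::{bucket}", "tags": {TAG_KEY: tag_value}})
        except (KeyError, TypeError, AttributeError, ValueError):
            # Malformed message: report only this record so SQS retries it alone.
            failures.append({"itemIdentifier": record.get("messageId", "")})
    return plans, {"batchItemFailures": failures}

def _msg(mid, account, name, error=None):
    # Builds a constructed SQS record wrapping an EventBridge CloudTrail event.
    detail = {"eventSource": "s3.amazonaws.com", "eventName": "CreateBucket",
              "requestParameters": {"bucketName": name}}
    if error:
        detail["errorCode"] = error
    body = {"detail-type": "AWS API Call via CloudTrail", "account": account, "detail": detail}
    return {"messageId": mid, "body": json.dumps(body)}

SAMPLE = {"Records": [  # constructed input, not captured from a real account
    _msg("m1", "111111111111", "test-map-1"),                        # in scope, succeeded
    _msg("m2", "111111111111", "test-map-2", error="AccessDenied"),  # failed API call
    _msg("m3", "999999999999", "test-map-3"),                        # out-of-scope account
    {"messageId": "m4", "body": "{not json"},                        # malformed body
]}

if __name__ == "__main__":
    print(plan_tags(SAMPLE, "mig1234567890", {"111111111111"}))
```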
Open configurator.html in a browser, fill in your MAP Engagement ID and details, click Generate & Download.
```bash
# AWS CloudShell (recommended) — upload deploy.sh, then:
bash deploy.sh
# Or local AWS CLI with credentials configured:
bash deploy.sh
```

One file. One command. Done.
```bash
aws s3 mb s3://test-map-$(date +%s) && sleep 90
aws s3api get-bucket-tagging --bucket test-map-XXXXX
# Expected: {"TagSet": [{"Key": "map-migrated", "Value": "mig1234567890"}]}
```

- Open `configurator.html` → Editor tab
- Enter MPE ID, choose add/remove, enter account IDs
- Click Generate update.sh → download and run:

```bash
bash update.sh
```

No redeployment needed — updates the account scope across all existing stack instances.
- Open `configurator.html` → Delete existing deployment tab
- Select region; by default every `map-auto-tagger-mig*` stack/stackset is removed. Optionally scope to specific MPE(s).
- Type `DELETE` to confirm → Generate delete.sh → download and run:

```bash
bash delete-all.sh   # or delete-<mpe>.sh if scoped
```

The S3 staging bucket is deleted only when no other MAP Auto-Tagger deployments remain in the account. `map-migrated` tags on already-tagged AWS resources are preserved (MAP credits remain intact).
Prior versions used fixed resource names (map-auto-tagger). The current version uses MPE-ID-namespaced names (map-auto-tagger-mig111). Running deploy.sh without removing the old stack will deploy both side by side. Delete the old stack first:
```bash
aws cloudformation delete-stack --stack-name map-auto-tagger
aws cloudformation wait stack-delete-complete --stack-name map-auto-tagger
bash deploy.sh
```

| File | Description |
|---|---|
| `configurator.html` | Self-service UI (built output). Generates deploy.sh for new deployments, update.sh for day-2 account changes (Editor tab), upgrade.sh for template-version upgrades (Upgrade tab), and delete.sh for clean removal (Delete tab). |
| `src/` | Modular source files — CSS, HTML skeleton, JS modules, i18n, per-service definitions, Lambda Python |
| `scripts/build.js` | Build script — assembles configurator.html from src/ |
| `CHANGELOG.md` | Version history |
```bash
npm install       # install dependencies (first time)
npm run build     # assemble configurator.html from src/
npm test          # run unit tests (vitest)
npm run verify    # sanity-check the built output
```

Source files live in `src/`. Edit there, run `npm run build`, open `configurator.html` to test.
Adding a new AWS service: drop a .js file in src/js/services/ following the format in DEVELOPMENT.md, then npm run build.
For the full source structure, build process, and extension guide, see DEVELOPMENT.md.
| Component | Monthly Cost |
|---|---|
| Lambda — Auto-Tagger (100–1,000 invocations/day) | $0.10 – $2.00 |
| Lambda — Reconciliation (1/day) + Preflight (1 at deploy) | < $0.01 |
| EventBridge + SQS + SSM | $0.01 – $0.20 |
| Total per account | < $2/month |
| Document | Description |
|---|---|
| OVERVIEW.md | How it works — architecture, deployment, auto-deployment, SSM scope, cost |
| INSTRUCTIONS.md | Deployment steps, day-2 operations (update.sh), monitoring, upgrade path, FAQ |
| COVERAGE.md | Supported services (154 resource types) and E2E test coverage matrix |
| LIMITATIONS.md | Hard constraints — management account, SCPs, latency, upgrade gotcha |
| MAP_TAGGING_GAP_ANALYSIS.md | What can't be tagged and why (AWS API limitations, customer-side config) |
| CHANGELOG.md | Version history and release notes |
This project is licensed under the MIT-0 license.