The team here was trying to align AWS resources for billing by using tags. Seems easy enough. However, we were having issues trying to figure out which EC2 instances were not tagged. We also wanted to find EC2 instances that are missing a ROLE tag. We searched high and low and found that several people needed a solution. We tried to cobble something together with the AWS CLI and then Ansible. We could not come up with a viable solution. So, we did what any could DevOps team should do: We opened a ticket with AWS Support.

The response from AWS came quickly and succinctly. Here is what we came up with after their input.

Display instances that have no tags:

aws ec2 describe-instances --query "Reservations[].Instances[].[InstanceId, Tags]" --output text | grep None | awk '{print $1}'

Display instances that are missing a specific tag (defined by key):

aws ec2 describe-instances --query "Reservations[].Instances[].{ID: InstanceId, Tag: Tags[].Key}" --output text | grep -v ROLE

Voila! Problem solved, right? Not quite. We noticed that the output formats are very different based on region.

In eu-central-1, we are seeing instances in this format:

i-cd5ade70  
TAG    Name  
TAG    OWNER  
TAG    SYSTEM  

Inus-east-1, we are seeing instances in this format:

i-0d879e60cb5053af3 ['aws:autoscaling:groupName', 'Name']

We are thinking that the API versions in each region were different but aren't positive. How did we fix this? We needed a consistent format and we landed on JSON. However, now we have a screen full of JSON that while consistently formatted isn't easily editable.

Enter jq. jq is a lightweight and flexible command-line JSON processor.

Yeah, I know..another third-party tool. However, when all you have to do is pipe the AWS command to jq -c '.[]' to get a grep -v-able output, it is well worth it.

aws ec2 describe-instances --query "Reservations[].Instances[].{ID: InstanceId, Tag: Tags[].Key}" --output json | jq -c '.[]' | grep -v ROLE  

jq is available from Brew, Epel, and the jq website.