[noirbot]

I'm amused that you think "cloud providers have bad APIs" is a bold claim instead of the default state of things. Things as basic as IAM Groups in AWS aren't taggable: https://registry.terraform.io/providers/hashicorp/aws/latest...

IAM Users are taggable, but to get the tags on a given user, you must request them one user at a time from a known list of users. The "List all users" call doesn't return their tags. Obviously this is less of an issue for the TF state use case, but does add to the API call overhead for any tag-based approach.

[tedivm]

My favorite is that you can look up some resources by tag directly, but other resources have to use the special resource tagging api. The AWS API also silently fails, on purpose, for some things- try looking up quotas for Organizations as an example and you'll end up with an empty array instead of the actual quotas.

Cloud providers having bad APIs is definitely the default state.