Add support for tagging policy in security modules (#1241)

security/cloudtrail-master/providers.tf

@@ -1,5 +1,9 @@
 provider "aws" {
   region = var.aws_region
+
+  default_tags {
+    tags = var.tags
+  }
 }
 
 terraform {

security/cloudtrail-master/vars.tf

@@ -19,6 +19,12 @@ variable "log_group_retention_in_days" {
 }
 
 variable "kms_key_user_accounts" {
-  type = list(string)
+  type    = list(string)
   default = []
-}
+}
+
+variable "tags" {
+  type        = map(string)
+  description = "A map of tags to apply to all the resources deployed by the module"
+  default     = {}
+}

security/iam-identity-center-master/providers.tf

@@ -1,5 +1,9 @@
 provider "aws" {
   region = var.aws_region
+
+  default_tags {
+    tags = var.tags
+  }
 }
 
 terraform {

security/iam-identity-center-master/vars.tf

@@ -1,3 +1,9 @@
 variable "aws_region" {
   type = string
-}
+}
+
+variable "tags" {
+  type        = map(string)
+  description = "A map of tags to apply to all the resources deployed by the module"
+  default     = {}
+}

security/iam-roles-master/providers.tf

@@ -1,5 +1,9 @@
 provider "aws" {
   region = var.aws_region
+
+  default_tags {
+    tags = var.tags
+  }
 }
 
 terraform {

security/iam-roles-master/vars.tf

@@ -21,3 +21,9 @@ variable "create_org_account_iam_policy_name" {
   description = "Policy granting access to create new AWS Organization accounts"
   type        = string
 }
+
+variable "tags" {
+  type        = map(string)
+  description = "A map of tags to apply to all the resources deployed by the module"
+  default     = {}
+}

security/iam-roles-qa/providers.tf

@@ -1,11 +1,19 @@
 provider "aws" {
   region = var.aws_region
+
+  default_tags {
+    tags = var.tags
+  }
 }
 
 provider "aws" {
   region = var.aws_region
   alias  = "workload"
 
+  default_tags {
+    tags = var.tags
+  }
+
   assume_role {
     role_arn = "arn:aws:iam::${var.aws_workload_account_id}:role/${var.prime_role_name}"
   }

security/iam-roles-qa/vars.tf

@@ -31,3 +31,9 @@ variable "qa_iam_role_trusted_account_root_arn" {
   description = "The ARN of the account trusted to assume the role"
   type        = list(string)
 }
+
+variable "tags" {
+  type        = map(string)
+  description = "A map of tags to apply to all the resources deployed by the module"
+  default     = {}
+}

security/iam-users-master/providers.tf

@@ -1,5 +1,9 @@
 provider "aws" {
   region = var.aws_region
+
+  default_tags {
+    tags = var.tags
+  }
 }
 
 terraform {

security/iam-users-master/vars.tf

@@ -16,3 +16,9 @@ variable "core_account_role_arns" {
   description = "List of core account (e.g. Core, QA, Master, Security) root ARNs"
   type        = list(string)
 }
+
+variable "tags" {
+  type        = map(string)
+  description = "A map of tags to apply to all the resources deployed by the module"
+  default     = {}
+}

security/legacy-account-context/providers.tf

@@ -7,6 +7,10 @@ terraform {
 provider "aws" {
   region = var.aws_region
 
+  default_tags {
+    tags = var.tags
+  }
+
   # Assume role in Master account
   assume_role {
     role_arn     = "arn:aws:iam::${var.master_account_id}:role/${var.prime_role_name}"
@@ -21,6 +25,10 @@ provider "aws" {
   access_key = var.access_key_master
   secret_key = var.secret_key_master
 
+  default_tags {
+    tags = var.tags
+  }
+
   # Assume the Organizational role in Workload account
   assume_role {
     role_arn     = "arn:aws:iam::${var.account_id}:role/${var.org_role_name}"
@@ -34,6 +42,10 @@ provider "aws" {
   access_key = var.access_key_master
   secret_key = var.secret_key_master
 
+  default_tags {
+    tags = var.tags
+  }
+
   # Assume the Organizational role in Workload account
   assume_role {
     role_arn     = "arn:aws:iam::${var.account_id}:role/${var.org_role_name}"
@@ -45,6 +57,10 @@ provider "aws" {
   region = var.aws_region_sso
   alias  = "sso"
 
+  default_tags {
+    tags = var.tags
+  }
+
   # Assume role in Master account
   assume_role {
     role_arn     = "arn:aws:iam::${var.master_account_id}:role/${var.prime_role_name}"
@@ -58,6 +74,11 @@ provider "aws" {
   alias      = "workload_eu-west-1"
   access_key = var.access_key_master
   secret_key = var.secret_key_master
+
+  default_tags {
+    tags = var.tags
+  }
+
   assume_role {
     role_arn     = module.org_account.org_role_arn
     session_name = var.aws_session_name
@@ -69,6 +90,11 @@ provider "aws" {
   alias      = "workload_eu-west-2"
   access_key = var.access_key_master
   secret_key = var.secret_key_master
+
+  default_tags {
+    tags = var.tags
+  }
+
   assume_role {
     role_arn     = module.org_account.org_role_arn
     session_name = var.aws_session_name
@@ -80,6 +106,11 @@ provider "aws" {
   alias      = "workload_eu-west-3"
   access_key = var.access_key_master
   secret_key = var.secret_key_master
+
+  default_tags {
+    tags = var.tags
+  }
+
   assume_role {
     role_arn     = module.org_account.org_role_arn
     session_name = var.aws_session_name
@@ -92,6 +123,11 @@ provider "aws" {
   alias      = "workload_us-east-1"
   access_key = var.access_key_master
   secret_key = var.secret_key_master
+
+  default_tags {
+    tags = var.tags
+  }
+
   assume_role {
     role_arn     = module.org_account.org_role_arn
     session_name = var.aws_session_name
@@ -103,6 +139,11 @@ provider "aws" {
   alias      = "workload_us-east-2"
   access_key = var.access_key_master
   secret_key = var.secret_key_master
+
+  default_tags {
+    tags = var.tags
+  }
+
   assume_role {
     role_arn     = module.org_account.org_role_arn
     session_name = var.aws_session_name
@@ -114,6 +155,11 @@ provider "aws" {
   alias      = "workload_us-west-1"
   access_key = var.access_key_master
   secret_key = var.secret_key_master
+
+  default_tags {
+    tags = var.tags
+  }
+
   assume_role {
     role_arn     = module.org_account.org_role_arn
     session_name = var.aws_session_name
@@ -125,6 +171,11 @@ provider "aws" {
   alias      = "workload_us-west-2"
   access_key = var.access_key_master
   secret_key = var.secret_key_master
+
+  default_tags {
+    tags = var.tags
+  }
+
   assume_role {
     role_arn     = module.org_account.org_role_arn
     session_name = var.aws_session_name

security/legacy-account-context/vars.tf

@@ -125,27 +125,27 @@ variable "deploy_backup" {
 }
 
 variable "aws_backup_settings_resource_type_opt_in_preference" {
-  type = object({})
+  type        = object({})
   description = "A map of services along with the opt-in preferences for the Region"
-  default = {}
+  default     = {}
 }
 
 variable "aws_backup_resource_type_management_preference" {
-  type = object({})
+  type        = object({})
   description = "A map of services along with the management preferences for the Region"
-  default = {}
+  default     = {}
 }
 
 variable "aws_backup_vault_name_new" {
-  type = string
+  type        = string
   description = "Name of the AWS Backup vault"
-  default = null
+  default     = null
 }
 
 variable "aws_backup_vault_name" {
-  type = string
+  type        = string
   description = "Name of the AWS Backup vault. This is the name of the vault we created initially and will be removed eventually."
-  default = null
+  default     = null
 }
 
 variable "aws_backup_plans" {
@@ -164,7 +164,7 @@ variable "aws_backup_plans" {
         lifecycle = object({
           cold_storage_after = optional(number)
           delete_after       = optional(number)
-        }
+          }
         )
       })))
 
@@ -204,12 +204,17 @@ variable "aws_backup_plans" {
     }))
   }))
   description = "A list of backup plans."
-  default = []
+  default     = []
 }
 
 variable "aws_backup_tags" {
-  type = object({})
+  type        = object({})
   description = "A map of tags to apply to the backup components"
-  default = {}
+  default     = {}
 }
 
+variable "tags" {
+  type        = map(string)
+  description = "A map of tags to apply to all the resources deployed by the module"
+  default     = {}
+}