From 61541ccc524a423af0365d73bf25a4d6a0b85ffd Mon Sep 17 00:00:00 2001 From: "Audun V. Nes" Date: Mon, 18 Dec 2023 10:10:54 +0100 Subject: [PATCH] Add support for tagging policy in security modules (#1241) --- security/cloudtrail-master/providers.tf | 4 + security/cloudtrail-master/vars.tf | 10 ++- .../iam-identity-center-master/providers.tf | 4 + security/iam-identity-center-master/vars.tf | 8 +- security/iam-roles-master/providers.tf | 4 + security/iam-roles-master/vars.tf | 6 ++ security/iam-roles-qa/providers.tf | 8 ++ security/iam-roles-qa/vars.tf | 6 ++ security/iam-users-master/providers.tf | 4 + security/iam-users-master/vars.tf | 6 ++ security/legacy-account-context/providers.tf | 51 +++++++++++++ security/legacy-account-context/vars.tf | 29 ++++--- security/org-account-assume/providers.tf | 36 +++++++++ security/org-account-assume/vars.tf | 6 ++ security/org-account-context/providers.tf | 57 ++++++++++++++ security/org-account-context/vars.tf | 28 ++++--- security/org-account/providers.tf | 76 +++++++++++++++++++ security/org-account/vars.tf | 6 ++ security/org-capability-root/providers.tf | 4 + security/org-capability-root/vars.tf | 6 ++ .../providers.tf | 4 + .../vars.tf | 8 +- security/org-policies/providers.tf | 4 + security/org-policies/vars.tf | 8 +- security/ssh-keypair/providers.tf | 4 + security/ssh-keypair/vars.tf | 6 ++ 26 files changed, 365 insertions(+), 28 deletions(-) diff --git a/security/cloudtrail-master/providers.tf b/security/cloudtrail-master/providers.tf index 76a08df97..e92c7dead 100644 --- a/security/cloudtrail-master/providers.tf +++ b/security/cloudtrail-master/providers.tf @@ -1,5 +1,9 @@ provider "aws" { region = var.aws_region + + default_tags { + tags = var.tags + } } terraform { diff --git a/security/cloudtrail-master/vars.tf b/security/cloudtrail-master/vars.tf index 7fa9f6211..9ab136b3b 100644 --- a/security/cloudtrail-master/vars.tf +++ b/security/cloudtrail-master/vars.tf 
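Review bot: The `default_tags` block added to `provider "aws"` in security/cloudtrail-master/providers.tf needs AWS provider 3.38.0 or newer. The `terraform {` block that would carry the version constraint starts after this hunk, so the constraint cannot be checked here. If it is missing or older, pin it under `required_providers` with `version = ">= 3.38.0"`. The same block is added to every providers.tf in this commit, so the check applies to each module.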
@@ -19,6 +19,12 @@ variable "log_group_retention_in_days" { } variable "kms_key_user_accounts" { - type = list(string) + type = list(string) default = [] -} \ No newline at end of file +} + +variable "tags" { + type = map(string) + description = "A map of tags to apply to all the resources deployed by the module" + default = {} +} diff --git a/security/iam-identity-center-master/providers.tf b/security/iam-identity-center-master/providers.tf index 25f59b974..37cc807e5 100644 --- a/security/iam-identity-center-master/providers.tf +++ b/security/iam-identity-center-master/providers.tf @@ -1,5 +1,9 @@ provider "aws" { region = var.aws_region + + default_tags { + tags = var.tags + } } terraform { diff --git a/security/iam-identity-center-master/vars.tf b/security/iam-identity-center-master/vars.tf index 4f8fa840b..0b9981aec 100644 --- a/security/iam-identity-center-master/vars.tf +++ b/security/iam-identity-center-master/vars.tf @@ -1,3 +1,9 @@ variable "aws_region" { type = string -} \ No newline at end of file +} + +variable "tags" { + type = map(string) + description = "A map of tags to apply to all the resources deployed by the module" + default = {} +} diff --git a/security/iam-roles-master/providers.tf b/security/iam-roles-master/providers.tf index 25f59b974..37cc807e5 100644 --- a/security/iam-roles-master/providers.tf +++ b/security/iam-roles-master/providers.tf @@ -1,5 +1,9 @@ provider "aws" { region = var.aws_region + + default_tags { + tags = var.tags + } } terraform { diff --git a/security/iam-roles-master/vars.tf b/security/iam-roles-master/vars.tf index 4440d3381..403366043 100644 --- a/security/iam-roles-master/vars.tf +++ b/security/iam-roles-master/vars.tf 
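Review bot: The new `tags` variable in security/cloudtrail-master/vars.tf defaults to `{}` and has no `validation` block, so a caller that omits it still deploys the module untagged and the tagging policy named in the commit title is not enforced by the module itself. If specific keys are mandatory, a validation such as `condition = alltrue([for k in ["<REQUIRED_KEY>"] : contains(keys(var.tags), k)])` would fail the plan early; `<REQUIRED_KEY>` is a placeholder because the required keys are not visible on this page. The description could also warn that tag values are stored in state and readable through the tagging APIs, e.g. `description = "Tags applied to every taggable resource via provider default_tags; values are visible in state and through tagging APIs, never put secrets here"`. The same variable is added to every vars.tf in this commit.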
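Review bot: Keys passed in `var.tags` will presumably end up on the IAM roles this module creates once `default_tags` is set in security/iam-roles-master/providers.tf, and on IAM roles tags act as principal tags. If any policy in the organization uses `aws:PrincipalTag` or `aws:ResourceTag` conditions, a caller-supplied map can then influence access decisions, and the hunk neither guards against nor documents that. I would add a comment above the block, `# default_tags also tag IAM roles; keep keys used in aws:PrincipalTag/aws:ResourceTag conditions out of var.tags`, or reject those keys in the variable's validation. The same applies to the providers.tf hunks in iam-roles-qa and iam-users-master.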
@@ -21,3 +21,9 @@ variable "create_org_account_iam_policy_name" { description = "Policy granting access to create new AWS Organization accounts" type = string } + +variable "tags" { + type = map(string) + description = "A map of tags to apply to all the resources deployed by the module" + default = {} +} diff --git a/security/iam-roles-qa/providers.tf b/security/iam-roles-qa/providers.tf index e513e56b4..b96adec9b 100644 --- a/security/iam-roles-qa/providers.tf +++ b/security/iam-roles-qa/providers.tf @@ -1,11 +1,19 @@ provider "aws" { region = var.aws_region + + default_tags { + tags = var.tags + } } provider "aws" { region = var.aws_region alias = "workload" + default_tags { + tags = var.tags + } + assume_role { role_arn = "arn:aws:iam::${var.aws_workload_account_id}:role/${var.prime_role_name}" } diff --git a/security/iam-roles-qa/vars.tf b/security/iam-roles-qa/vars.tf index 41e9a391a..5c482a5cd 100644 --- a/security/iam-roles-qa/vars.tf +++ b/security/iam-roles-qa/vars.tf @@ -31,3 +31,9 @@ variable "qa_iam_role_trusted_account_root_arn" { description = "The ARN of the account trusted to assume the role" type = list(string) } + +variable "tags" { + type = map(string) + description = "A map of tags to apply to all the resources deployed by the module" + default = {} +} diff --git a/security/iam-users-master/providers.tf b/security/iam-users-master/providers.tf index 25f59b974..37cc807e5 100644 --- a/security/iam-users-master/providers.tf +++ b/security/iam-users-master/providers.tf @@ -1,5 +1,9 @@ provider "aws" { region = var.aws_region + + default_tags { + tags = var.tags + } } terraform { diff --git a/security/iam-users-master/vars.tf b/security/iam-users-master/vars.tf index 2de3ff2ce..92bec42e3 100644 --- a/security/iam-users-master/vars.tf +++ b/security/iam-users-master/vars.tf 
@@ -16,3 +16,9 @@ variable "core_account_role_arns" { description = "List of core account (e.g. Core, QA, Master, Security) root ARNs" type = list(string) } + +variable "tags" { + type = map(string) + description = "A map of tags to apply to all the resources deployed by the module" + default = {} +} diff --git a/security/legacy-account-context/providers.tf b/security/legacy-account-context/providers.tf index 3dd581150..1a73f85fa 100644 --- a/security/legacy-account-context/providers.tf +++ b/security/legacy-account-context/providers.tf @@ -7,6 +7,10 @@ terraform { provider "aws" { region = var.aws_region + default_tags { + tags = var.tags + } + # Assume role in Master account assume_role { role_arn = "arn:aws:iam::${var.master_account_id}:role/${var.prime_role_name}" @@ -21,6 +25,10 @@ provider "aws" { access_key = var.access_key_master secret_key = var.secret_key_master + default_tags { + tags = var.tags + } + # Assume the Organizational role in Workload account assume_role { role_arn = "arn:aws:iam::${var.account_id}:role/${var.org_role_name}" @@ -34,6 +42,10 @@ provider "aws" { access_key = var.access_key_master secret_key = var.secret_key_master + default_tags { + tags = var.tags + } + # Assume the Organizational role in Workload account assume_role { role_arn = "arn:aws:iam::${var.account_id}:role/${var.org_role_name}" @@ -45,6 +57,10 @@ provider "aws" { region = var.aws_region_sso alias = "sso" + default_tags { + tags = var.tags + } + # Assume role in Master account assume_role { role_arn = "arn:aws:iam::${var.master_account_id}:role/${var.prime_role_name}" @@ -58,6 +74,11 @@ provider "aws" { alias = "workload_eu-west-1" access_key = var.access_key_master secret_key = var.secret_key_master + + default_tags { + tags = var.tags + } + assume_role { role_arn = module.org_account.org_role_arn session_name = var.aws_session_name 
@@ -69,6 +90,11 @@ provider "aws" { alias = "workload_eu-west-2" access_key = var.access_key_master secret_key = var.secret_key_master + + default_tags { + tags = var.tags + } + assume_role { role_arn = module.org_account.org_role_arn session_name = var.aws_session_name @@ -80,6 +106,11 @@ provider "aws" { alias = "workload_eu-west-3" access_key = var.access_key_master secret_key = var.secret_key_master + + default_tags { + tags = var.tags + } + assume_role { role_arn = module.org_account.org_role_arn session_name = var.aws_session_name @@ -92,6 +123,11 @@ provider "aws" { alias = "workload_us-east-1" access_key = var.access_key_master secret_key = var.secret_key_master + + default_tags { + tags = var.tags + } + assume_role { role_arn = module.org_account.org_role_arn session_name = var.aws_session_name @@ -103,6 +139,11 @@ provider "aws" { alias = "workload_us-east-2" access_key = var.access_key_master secret_key = var.secret_key_master + + default_tags { + tags = var.tags + } + assume_role { role_arn = module.org_account.org_role_arn session_name = var.aws_session_name @@ -114,6 +155,11 @@ provider "aws" { alias = "workload_us-west-1" access_key = var.access_key_master secret_key = var.secret_key_master + + default_tags { + tags = var.tags + } + assume_role { role_arn = module.org_account.org_role_arn session_name = var.aws_session_name @@ -125,6 +171,11 @@ provider "aws" { alias = "workload_us-west-2" access_key = var.access_key_master secret_key = var.secret_key_master + + default_tags { + tags = var.tags + } + assume_role { role_arn = module.org_account.org_role_arn session_name = var.aws_session_name diff --git a/security/legacy-account-context/vars.tf b/security/legacy-account-context/vars.tf index d396883a0..bd0fdca90 100644 --- a/security/legacy-account-context/vars.tf +++ b/security/legacy-account-context/vars.tf 
@@ -125,27 +125,27 @@ variable "deploy_backup" { } variable "aws_backup_settings_resource_type_opt_in_preference" { - type = object({}) + type = object({}) description = "A map of services along with the opt-in preferences for the Region" - default = {} + default = {} } variable "aws_backup_resource_type_management_preference" { - type = object({}) + type = object({}) description = "A map of services along with the management preferences for the Region" - default = {} + default = {} } variable "aws_backup_vault_name_new" { - type = string + type = string description = "Name of the AWS Backup vault" - default = null + default = null } variable "aws_backup_vault_name" { - type = string + type = string description = "Name of the AWS Backup vault. This is the name of the vault we created initially and will be removed eventually." - default = null + default = null } variable "aws_backup_plans" { @@ -164,7 +164,7 @@ variable "aws_backup_plans" { lifecycle = object({ cold_storage_after = optional(number) delete_after = optional(number) - } + } ) }))) @@ -204,12 +204,17 @@ variable "aws_backup_plans" { })) })) description = "A list of backup plans." - default = [] + default = [] } variable "aws_backup_tags" { - type = object({}) + type = object({}) description = "A map of tags to apply to the backup components" - default = {} + default = {} } +variable "tags" { + type = map(string) + description = "A map of tags to apply to all the resources deployed by the module" + default = {} +} diff --git a/security/org-account-assume/providers.tf b/security/org-account-assume/providers.tf index 706e19b54..cd7e7a9ea 100644 --- a/security/org-account-assume/providers.tf +++ b/security/org-account-assume/providers.tf @@ -1,6 +1,10 @@ provider "aws" { region = var.aws_region + default_tags { + tags = var.tags + } + # Assume role in Master account assume_role { role_arn = "arn:aws:iam::${var.master_account_id}:role/${var.prime_role_name}" 
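Review bot: In the `@@ -204,12 +204,17 @@` hunk of security/legacy-account-context/vars.tf the new `tags` variable is typed `map(string)`, but `aws_backup_tags` just above it keeps `type = object({})`. An object type with no attributes discards every attribute during conversion, so whatever the caller passes arrives as an empty object. The sibling module org-account-context declares the same variable as `map(string)`; changing this one to `type = map(string)` would make the two agree and let the backup tags through. `aws_backup_settings_resource_type_opt_in_preference` and `aws_backup_resource_type_management_preference` in the `@@ -125,27 +125,27 @@` hunk of this file have the same `object({})` type (org-account-context uses `map(any)`), so the backup opt-in settings are likely dropped the same way.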
@@ -11,11 +15,19 @@ provider "aws" { provider "aws" { region = var.aws_region alias = "core" + + default_tags { + tags = var.tags + } } provider "aws" { region = var.aws_region + default_tags { + tags = var.tags + } + # Need explicit credentials in Master, to be able to assume Organizational Role in Workload account access_key = var.access_key_master secret_key = var.secret_key_master @@ -32,6 +44,10 @@ provider "aws" { provider "aws" { region = var.aws_region_2 + default_tags { + tags = var.tags + } + # Need explicit credentials in Master, to be able to assume Organizational Role in Workload account access_key = var.access_key_master secret_key = var.secret_key_master @@ -49,6 +65,10 @@ provider "aws" { region = var.aws_region_sso alias = "sso" + default_tags { + tags = var.tags + } + # Assume role in Master account assume_role { role_arn = "arn:aws:iam::${var.master_account_id}:role/${var.prime_role_name}" @@ -61,6 +81,10 @@ provider "aws" { region = "us-east-1" alias = "workload_us-east-1" + default_tags { + tags = var.tags + } + access_key = var.access_key_master secret_key = var.secret_key_master @@ -75,6 +99,10 @@ provider "aws" { region = "us-east-2" alias = "workload_us-east-2" + default_tags { + tags = var.tags + } + access_key = var.access_key_master secret_key = var.secret_key_master @@ -89,6 +117,10 @@ provider "aws" { region = "us-west-1" alias = "workload_us-west-1" + default_tags { + tags = var.tags + } + access_key = var.access_key_master secret_key = var.secret_key_master @@ -106,6 +138,10 @@ provider "aws" { access_key = var.access_key_master secret_key = var.secret_key_master + default_tags { + tags = var.tags + } + # Assume the Organizational role in Workload account assume_role { role_arn = module.org_account.org_role_arn diff --git a/security/org-account-assume/vars.tf b/security/org-account-assume/vars.tf index f518f614d..6cc1f2811 100644 --- a/security/org-account-assume/vars.tf +++ b/security/org-account-assume/vars.tf 
@@ -128,3 +128,9 @@ variable "hardened_security_contact_email" { variable "hardened_security_contact_phone_number" { type = string } + +variable "tags" { + type = map(string) + description = "A map of tags to apply to all the resources deployed by the module" + default = {} +} diff --git a/security/org-account-context/providers.tf b/security/org-account-context/providers.tf index fe1732143..930b90d3e 100644 --- a/security/org-account-context/providers.tf +++ b/security/org-account-context/providers.tf @@ -1,6 +1,10 @@ provider "aws" { region = var.aws_region + default_tags { + tags = var.tags + } + # Assume role in Master account assume_role { role_arn = "arn:aws:iam::${var.master_account_id}:role/${var.prime_role_name}" @@ -11,12 +15,20 @@ provider "aws" { provider "aws" { region = var.aws_region alias = "core" # this provider does not seem to be used? + + default_tags { + tags = var.tags + } } provider "aws" { region = var.aws_region alias = "shared" + default_tags { + tags = var.tags + } + # Assume role in Shared account assume_role { role_arn = "arn:aws:iam::${var.shared_account_id}:role/${var.prime_role_name}" @@ -28,6 +40,10 @@ provider "aws" { region = var.aws_region alias = "workload" + default_tags { + tags = var.tags + } + # Need explicit credentials in Master, to be able to assume Organizational Role in Workload account access_key = var.access_key_master secret_key = var.secret_key_master @@ -43,6 +59,10 @@ provider "aws" { region = var.aws_region_2 alias = "workload_2" + default_tags { + tags = var.tags + } + # Need explicit credentials in Master, to be able to assume Organizational Role in Workload account access_key = var.access_key_master secret_key = var.secret_key_master @@ -58,6 +78,10 @@ provider "aws" { region = var.aws_region_sso alias = "sso" + default_tags { + tags = var.tags + } + # Assume role in Master account assume_role { role_arn = "arn:aws:iam::${var.master_account_id}:role/${var.prime_role_name}" 
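Review bot: In the security/org-account-context/providers.tf hunks a single `var.tags` map is applied to providers that target different accounts: the default provider and `sso` assume a role in the Master account, `shared` in the Shared account, and the `workload*` aliases in the workload account. Tags that describe the workload (owner, cost allocation) would then also be stamped on resources created in Master and Shared, which can mislead tag-based ownership reports or tag-conditioned policies. If that is intended, a comment on the first provider such as `# var.tags is applied in Master, Shared and workload accounts alike` would make it explicit; otherwise separate maps per account would be safer. The same pattern appears in legacy-account-context and org-account-assume.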
@@ -70,6 +94,10 @@ provider "aws" { region = "eu-west-1" alias = "workload_eu-west-1" + default_tags { + tags = var.tags + } + # Need explicit credentials in Master, to be able to assume Organizational Role in Workload account access_key = var.access_key_master secret_key = var.secret_key_master @@ -80,10 +108,15 @@ provider "aws" { session_name = var.aws_session_name } } + provider "aws" { region = "eu-west-2" alias = "workload_eu-west-2" + default_tags { + tags = var.tags + } + # Need explicit credentials in Master, to be able to assume Organizational Role in Workload account access_key = var.access_key_master secret_key = var.secret_key_master @@ -94,10 +127,15 @@ provider "aws" { session_name = var.aws_session_name } } + provider "aws" { region = "eu-west-3" alias = "workload_eu-west-3" + default_tags { + tags = var.tags + } + # Need explicit credentials in Master, to be able to assume Organizational Role in Workload account access_key = var.access_key_master secret_key = var.secret_key_master @@ -114,6 +152,10 @@ provider "aws" { region = "us-east-1" alias = "workload_us-east-1" + default_tags { + tags = var.tags + } + # Need explicit credentials in Master, to be able to assume Organizational Role in Workload account access_key = var.access_key_master secret_key = var.secret_key_master @@ -124,10 +166,15 @@ provider "aws" { session_name = var.aws_session_name } } + provider "aws" { region = "us-east-2" alias = "workload_us-east-2" + default_tags { + tags = var.tags + } + # Need explicit credentials in Master, to be able to assume Organizational Role in Workload account access_key = var.access_key_master secret_key = var.secret_key_master 
@@ -138,10 +185,15 @@ provider "aws" { session_name = var.aws_session_name } } + provider "aws" { region = "us-west-1" alias = "workload_us-west-1" + default_tags { + tags = var.tags + } + # Need explicit credentials in Master, to be able to assume Organizational Role in Workload account access_key = var.access_key_master secret_key = var.secret_key_master @@ -152,10 +204,15 @@ provider "aws" { session_name = var.aws_session_name } } + provider "aws" { region = "us-west-2" alias = "workload_us-west-2" + default_tags { + tags = var.tags + } + # Need explicit credentials in Master, to be able to assume Organizational Role in Workload account access_key = var.access_key_master secret_key = var.secret_key_master diff --git a/security/org-account-context/vars.tf b/security/org-account-context/vars.tf index 2538c86dc..f46432f84 100644 --- a/security/org-account-context/vars.tf +++ b/security/org-account-context/vars.tf @@ -207,27 +207,27 @@ variable "deploy_backup" { } variable "aws_backup_settings_resource_type_opt_in_preference" { - type = map(any) + type = map(any) description = "A map of services along with the opt-in preferences for the Region" - default = {} + default = {} } variable "aws_backup_resource_type_management_preference" { - type = map(any) + type = map(any) description = "A map of services along with the management preferences for the Region" - default = {} + default = {} } variable "aws_backup_vault_name" { - type = string + type = string description = "Name of the AWS Backup vault. This is the name of the vault we created initially and will be removed eventually." - default = null + default = null } variable "aws_backup_vault_name_new" { - type = string + type = string description = "Name of the AWS Backup vault" - default = null + default = null } @@ -247,7 +247,7 @@ variable "aws_backup_plans" { lifecycle = object({ cold_storage_after = optional(number) delete_after = optional(number) - } + } ) }))) 
@@ -287,10 +287,16 @@ variable "aws_backup_plans" { })) })) description = "A list of backup plans." - default = [] + default = [] } variable "aws_backup_tags" { - type = map(string) + type = map(string) description = "A map of tags to apply to the backup components" } + +variable "tags" { + type = map(string) + description = "A map of tags to apply to all the resources deployed by the module" + default = {} +} diff --git a/security/org-account/providers.tf b/security/org-account/providers.tf index bde4ce1a0..10ac0e3fa 100644 --- a/security/org-account/providers.tf +++ b/security/org-account/providers.tf @@ -1,10 +1,18 @@ provider "aws" { region = var.aws_region + + default_tags { + tags = var.tags + } } provider "aws" { region = var.aws_region + default_tags { + tags = var.tags + } + # Assume the Organizational role in Workload account assume_role { role_arn = module.org_account.org_role_arn @@ -16,6 +24,10 @@ provider "aws" { provider "aws" { region = var.aws_region_2 + default_tags { + tags = var.tags + } + # Assume the Organizational role in Workload account assume_role { role_arn = module.org_account.org_role_arn @@ -29,6 +41,10 @@ provider "aws" { region = "eu-west-1" alias = "workload_eu-west-1" + default_tags { + tags = var.tags + } + # Assume the Organizational role in Workload account assume_role { @@ -39,6 +55,10 @@ provider "aws" { region = "eu-west-2" alias = "workload_eu-west-2" + default_tags { + tags = var.tags + } + # Assume the Organizational role in Workload account assume_role { role_arn = module.org_account.org_role_arn @@ -48,6 +68,10 @@ provider "aws" { region = "eu-west-3" alias = "workload_eu-west-3" + default_tags { + tags = var.tags + } + # Assume the Organizational role in Workload account assume_role { @@ -59,6 +83,10 @@ provider "aws" { region = "eu-north-1" alias = "workload_eu-north-1" + default_tags { + tags = var.tags + } + # Assume the Organizational role in Workload account assume_role { 
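Review bot: After the `@@ -287,10 +287,16 @@` hunk of security/org-account-context/vars.tf, `tags` and the existing `aws_backup_tags` can both reach the backup resources, and nothing says which one wins. With provider `default_tags`, a resource-level tag overrides a default tag with the same key, and some older AWS provider releases reject a resource tag that exactly duplicates a default tag. Extending the description, e.g. `description = "Default tags for all resources; keys also set in aws_backup_tags are overridden there"`, would document the precedence. How `aws_backup_tags` is consumed is outside this page, so confirm it is passed as resource-level tags.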
@@ -71,6 +99,10 @@ provider "aws" { region = "us-east-1" alias = "workload_us-east-1" + default_tags { + tags = var.tags + } + # Assume the Organizational role in Workload account assume_role { role_arn = module.org_account.org_role_arn @@ -81,6 +113,10 @@ provider "aws" { region = "us-east-2" alias = "workload_us-east-2" + default_tags { + tags = var.tags + } + # Assume the Organizational role in Workload account assume_role { role_arn = module.org_account.org_role_arn @@ -91,6 +127,10 @@ provider "aws" { region = "us-west-1" alias = "workload_us-west-1" + default_tags { + tags = var.tags + } + # Assume the Organizational role in Workload account assume_role { role_arn = module.org_account.org_role_arn @@ -101,6 +141,10 @@ provider "aws" { region = "us-west-2" alias = "workload_us-west-2" + default_tags { + tags = var.tags + } + # Assume the Organizational role in Workload account assume_role { role_arn = module.org_account.org_role_arn @@ -112,6 +156,10 @@ provider "aws" { region = "ap-south-1" alias = "workload_ap-south-1" + default_tags { + tags = var.tags + } + # Assume the Organizational role in Workload account assume_role { role_arn = module.org_account.org_role_arn @@ -122,6 +170,10 @@ provider "aws" { region = "ap-northeast-3" alias = "workload_ap-northeast-3" + default_tags { + tags = var.tags + } + # Assume the Organizational role in Workload account assume_role { role_arn = module.org_account.org_role_arn @@ -132,6 +184,10 @@ provider "aws" { region = "ap-northeast-2" alias = "workload_ap-northeast-2" + default_tags { + tags = var.tags + } + # Assume the Organizational role in Workload account assume_role { role_arn = module.org_account.org_role_arn @@ -142,6 +198,10 @@ provider "aws" { region = "ap-southeast-1" alias = "workload_ap-southeast-1" + default_tags { + tags = var.tags + } + # Assume the Organizational role in Workload account assume_role { role_arn = module.org_account.org_role_arn 
@@ -152,6 +212,10 @@ provider "aws" { region = "ap-southeast-2" alias = "workload_ap-southeast-2" + default_tags { + tags = var.tags + } + # Assume the Organizational role in Workload account assume_role { role_arn = module.org_account.org_role_arn @@ -162,6 +226,10 @@ provider "aws" { region = "ap-northeast-1" alias = "workload_ap-northeast-1" + default_tags { + tags = var.tags + } + # Assume the Organizational role in Workload account assume_role { role_arn = module.org_account.org_role_arn @@ -173,6 +241,10 @@ provider "aws" { region = "ca-central-1" alias = "workload_ca-central-1" + default_tags { + tags = var.tags + } + # Assume the Organizational role in Workload account assume_role { role_arn = module.org_account.org_role_arn @@ -184,6 +256,10 @@ provider "aws" { region = "sa-east-1" alias = "workload_sa-east-1" + default_tags { + tags = var.tags + } + # Assume the Organizational role in Workload account assume_role { role_arn = module.org_account.org_role_arn diff --git a/security/org-account/vars.tf b/security/org-account/vars.tf index b15bf440a..1aa0fd87a 100644 --- a/security/org-account/vars.tf +++ b/security/org-account/vars.tf @@ -40,3 +40,9 @@ variable "master_account_id" { type = string description = "The AWS account ID of the Organizations Master account" } + +variable "tags" { + type = map(string) + description = "A map of tags to apply to all the resources deployed by the module" + default = {} +} diff --git a/security/org-capability-root/providers.tf b/security/org-capability-root/providers.tf index 25f59b974..37cc807e5 100644 --- a/security/org-capability-root/providers.tf +++ b/security/org-capability-root/providers.tf @@ -1,5 +1,9 @@ provider "aws" { region = var.aws_region + + default_tags { + tags = var.tags + } } terraform { diff --git a/security/org-capability-root/vars.tf b/security/org-capability-root/vars.tf index cef27724f..3225bd307 100644 --- a/security/org-capability-root/vars.tf +++ b/security/org-capability-root/vars.tf 
@@ -5,3 +5,9 @@ variable "aws_region" { variable "capability_ou_name" { type = string } + +variable "tags" { + type = map(string) + description = "A map of tags to apply to all the resources deployed by the module" + default = {} +} diff --git a/security/org-delegated-administrator-master/providers.tf b/security/org-delegated-administrator-master/providers.tf index 25f59b974..37cc807e5 100644 --- a/security/org-delegated-administrator-master/providers.tf +++ b/security/org-delegated-administrator-master/providers.tf @@ -1,5 +1,9 @@ provider "aws" { region = var.aws_region + + default_tags { + tags = var.tags + } } terraform { diff --git a/security/org-delegated-administrator-master/vars.tf b/security/org-delegated-administrator-master/vars.tf index 055bf0211..2677933b9 100644 --- a/security/org-delegated-administrator-master/vars.tf +++ b/security/org-delegated-administrator-master/vars.tf @@ -4,8 +4,14 @@ variable "aws_region" { variable "delegated_administrators" { type = list(object({ - account_id = string + account_id = string service_principal = string })) description = "List of delegated administrators to be configured. Each objects consists of the `account_id` which will be registered as a delegated administrator and a `service_principal` which will be the AWS service to make the member account an administrator of." } + +variable "tags" { + type = map(string) + description = "A map of tags to apply to all the resources deployed by the module" + default = {} +} diff --git a/security/org-policies/providers.tf b/security/org-policies/providers.tf index 25f59b974..37cc807e5 100644 --- a/security/org-policies/providers.tf +++ b/security/org-policies/providers.tf @@ -1,5 +1,9 @@ provider "aws" { region = var.aws_region + + default_tags { + tags = var.tags + } } terraform { diff --git a/security/org-policies/vars.tf b/security/org-policies/vars.tf index bbf9e927f..0aa5f73dd 100644 --- a/security/org-policies/vars.tf +++ b/security/org-policies/vars.tf 
@@ -23,6 +23,12 @@ variable "resource_owner_tag_value" { } variable "ec2_exempted_accounts" { - type = list(string) + type = list(string) default = [] } + +variable "tags" { + type = map(string) + description = "A map of tags to apply to all the resources deployed by the module" + default = {} +} diff --git a/security/ssh-keypair/providers.tf b/security/ssh-keypair/providers.tf index bccf5b468..199f4e303 100644 --- a/security/ssh-keypair/providers.tf +++ b/security/ssh-keypair/providers.tf @@ -6,6 +6,10 @@ terraform { provider "aws" { region = var.aws_region + default_tags { + tags = var.tags + } + assume_role { role_arn = var.aws_assume_role_arn } diff --git a/security/ssh-keypair/vars.tf b/security/ssh-keypair/vars.tf index aad7076a6..d260cd4f7 100644 --- a/security/ssh-keypair/vars.tf +++ b/security/ssh-keypair/vars.tf @@ -18,3 +18,9 @@ variable "deploy" { type = bool default = true } + +variable "tags" { + type = map(string) + description = "A map of tags to apply to all the resources deployed by the module" + default = {} +}