feat: set account alias as tag

AWS Config does not provide account alias directly. We can provide it
out of band by tagging resources with the account alias which is
resolved at apply time. We must piggy back on either config or
configsubscription modules, since otherwise we have no resource data to
extract the alias from.

We don't have much choice on what to tag, since there are very few
resource types across both modules. In `config`, we can only tag IAM
resources. In `configsubscription`, only eventbridge rules can be
tagged.

modules/config/README.md

@@ -71,6 +71,7 @@ No modules.
 | [aws_config_configuration_recorder_status.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_configuration_recorder_status) | resource |
 | [aws_config_delivery_channel.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_delivery_channel) | resource |
 | [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_account_alias.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_account_alias) | data source |
 | [aws_iam_policy.service_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
 | [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.notifications](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
@@ -88,6 +89,7 @@ No modules.
 | <a name="input_name"></a> [name](#input\_name) | Name to set on AWS Config resources. | `string` | `"default"` | no |
 | <a name="input_prefix"></a> [prefix](#input\_prefix) | The prefix for the specified S3 bucket. | `string` | `""` | no |
 | <a name="input_sns_topic_arn"></a> [sns\_topic\_arn](#input\_sns\_topic\_arn) | The ARN of the SNS topic that AWS Config delivers notifications to. | `string` | `null` | no |
+| <a name="input_tag_account_alias"></a> [tag\_account\_alias](#input\_tag\_account\_alias) | Set tag based on account alias. | `bool` | `true` | no |
 
 ## Outputs
 

modules/config/alias.tf

@@ -0,0 +1,9 @@
+data "aws_iam_account_alias" "current" {
+  count = var.tag_account_alias ? 1 : 0
+}
+
+locals {
+  tags = var.tag_account_alias ? {
+    "observeinc.com/accountalias" = data.aws_iam_account_alias.current[0].account_alias
+  } : {}
+}

modules/config/iam.tf

@@ -18,6 +18,8 @@ resource "aws_iam_role" "this" {
       policy = data.aws_iam_policy_document.notifications.json
     }
   }
+
+  tags = local.tags
 }
 
 data "aws_iam_policy_document" "assume_role" {

modules/config/variables.tf

@@ -79,3 +79,12 @@ variable "sns_topic_arn" {
   default     = null
   nullable    = true
 }
+
+variable "tag_account_alias" {
+  type        = bool
+  description = <<-EOF
+    Set tag based on account alias.
+  EOF
+  default     = true
+  nullable    = false
+}

modules/configsubscription/alias.tf

@@ -0,0 +1,9 @@
+data "aws_iam_account_alias" "current" {
+  count = var.tag_account_alias ? 1 : 0
+}
+
+locals {
+  tags = var.tag_account_alias ? {
+    "observeinc.com/accountalias" = data.aws_iam_account_alias.current[0].account_alias
+  } : {}
+}

modules/configsubscription/change.tf

@@ -10,6 +10,8 @@ resource "aws_cloudwatch_event_rule" "change" {
       ]
     },
   )
+
+  tags = local.tags
 }
 
 resource "aws_cloudwatch_event_target" "change" {

modules/configsubscription/variables.tf

@@ -14,4 +14,11 @@ variable "name_prefix" {
   nullable    = false
 }
 
-
+variable "tag_account_alias" {
+  type        = bool
+  description = <<-EOF
+    Set tag based on account alias.
+  EOF
+  default     = true
+  nullable    = false
+}