feat: set account alias as tag (#159)

AWS Config does not provide account alias directly. We can provide it out of band by tagging resources with the account alias which is resolved at apply time. We must piggy back on either config or configsubscription modules, since otherwise we have no resource data to extract the alias from. We don't have much choice on what to tag, since there are very few resource types across both modules. In `config`, we can only tag IAM resources. In `configsubscription`, only eventbridge rules can be tagged.
observeinc · Jul 8, 2024 · c2b5f0b · c2b5f0b
1 parent e252b14
commit c2b5f0b
Show file tree

Hide file tree

Showing 11 changed files with 48 additions and 3 deletions.
diff --git a/modules/config/README.md b/modules/config/README.md
@@ -71,6 +71,7 @@ No modules.
 | [aws_config_configuration_recorder_status.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_configuration_recorder_status) | resource |
 | [aws_config_delivery_channel.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_delivery_channel) | resource |
 | [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_account_alias.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_account_alias) | data source |
 | [aws_iam_policy.service_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
 | [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.notifications](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
@@ -88,6 +89,7 @@ No modules.
 | <a name="input_name"></a> [name](#input\_name) | Name to set on AWS Config resources. | `string` | `"default"` | no |
 | <a name="input_prefix"></a> [prefix](#input\_prefix) | The prefix for the specified S3 bucket. | `string` | `""` | no |
 | <a name="input_sns_topic_arn"></a> [sns\_topic\_arn](#input\_sns\_topic\_arn) | The ARN of the SNS topic that AWS Config delivers notifications to. | `string` | `null` | no |
+| <a name="input_tag_account_alias"></a> [tag\_account\_alias](#input\_tag\_account\_alias) | Set tag based on account alias. | `bool` | `true` | no |
 
 ## Outputs
 

diff --git a/modules/config/alias.tf b/modules/config/alias.tf
@@ -0,0 +1,9 @@
+data "aws_iam_account_alias" "current" {
+  count = var.tag_account_alias ? 1 : 0
+}
+
+locals {
+  tags = var.tag_account_alias ? {
+    "observeinc.com/accountalias" = data.aws_iam_account_alias.current[0].account_alias
+  } : {}
+}
diff --git a/modules/config/iam.tf b/modules/config/iam.tf
@@ -18,6 +18,8 @@ resource "aws_iam_role" "this" {
       policy = data.aws_iam_policy_document.notifications.json
     }
   }
+
+  tags = local.tags
 }
 
 data "aws_iam_policy_document" "assume_role" {

diff --git a/modules/config/variables.tf b/modules/config/variables.tf
@@ -79,3 +79,12 @@ variable "sns_topic_arn" {
   default     = null
   nullable    = true
 }
+
+variable "tag_account_alias" {
+  type        = bool
+  description = <<-EOF
+    Set tag based on account alias.
+  EOF
+  default     = true
+  nullable    = false
+}
diff --git a/modules/configsubscription/alias.tf b/modules/configsubscription/alias.tf
@@ -0,0 +1,9 @@
+data "aws_iam_account_alias" "current" {
+  count = var.tag_account_alias ? 1 : 0
+}
+
+locals {
+  tags = var.tag_account_alias ? {
+    "observeinc.com/accountalias" = data.aws_iam_account_alias.current[0].account_alias
+  } : {}
+}
diff --git a/modules/configsubscription/change.tf b/modules/configsubscription/change.tf
@@ -10,6 +10,8 @@ resource "aws_cloudwatch_event_rule" "change" {
       ]
     },
   )
+
+  tags = local.tags
 }
 
 resource "aws_cloudwatch_event_target" "change" {

diff --git a/modules/configsubscription/variables.tf b/modules/configsubscription/variables.tf
@@ -14,4 +14,11 @@ variable "name_prefix" {
   nullable    = false
 }
 
-
+variable "tag_account_alias" {
+  type        = bool
+  description = <<-EOF
+    Set tag based on account alias.
+  EOF
+  default     = true
+  nullable    = false
+}
diff --git a/modules/stack/README.md b/modules/stack/README.md
@@ -166,8 +166,8 @@ You can additionally configure other submodules in this manner:
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_config"></a> [config](#input\_config) | Variables for AWS Config collection. | <pre>object({<br>    include_resource_types        = list(string)<br>    exclude_resource_types        = optional(list(string))<br>    delivery_frequency            = optional(string)<br>    include_global_resource_types = optional(bool)<br>  })</pre> | `null` | no |
-| <a name="input_configsubscription"></a> [configsubscription](#input\_configsubscription) | Variables for AWS Config subscription. | <pre>object({<br>    delivery_bucket_name = string<br>  })</pre> | `null` | no |
+| <a name="input_config"></a> [config](#input\_config) | Variables for AWS Config collection. | <pre>object({<br>    include_resource_types        = list(string)<br>    exclude_resource_types        = optional(list(string))<br>    delivery_frequency            = optional(string)<br>    include_global_resource_types = optional(bool)<br>    tag_account_alias             = optional(bool)<br>  })</pre> | `null` | no |
+| <a name="input_configsubscription"></a> [configsubscription](#input\_configsubscription) | Variables for AWS Config subscription. | <pre>object({<br>    delivery_bucket_name = string<br>    tag_account_alias    = optional(bool)<br>  })</pre> | `null` | no |
 | <a name="input_debug_endpoint"></a> [debug\_endpoint](#input\_debug\_endpoint) | Endpoint to send debugging telemetry to. Sets OTEL\_EXPORTER\_OTLP\_ENDPOINT environment variable for supported lambda functions. | `string` | `null` | no |
 | <a name="input_destination"></a> [destination](#input\_destination) | Destination filedrop | <pre>object({<br>    arn    = optional(string, "")<br>    bucket = optional(string, "")<br>    prefix = optional(string, "")<br>    # exclusively for backward compatible HTTP endpoint<br>    uri = optional(string, "")<br>  })</pre> | n/a | yes |
 | <a name="input_forwarder"></a> [forwarder](#input\_forwarder) | Variables for forwarder module. | <pre>object({<br>    source_bucket_names                      = optional(list(string), [])<br>    source_object_keys                       = optional(list(string))<br>    source_topic_arns                        = optional(list(string), [])<br>    content_type_overrides                   = optional(list(object({ pattern = string, content_type = string })), [])<br>    max_file_size                            = optional(number)<br>    lambda_memory_size                       = optional(number)<br>    lambda_timeout                           = optional(number)<br>    lambda_env_vars                          = optional(map(string))<br>    retention_in_days                        = optional(number)<br>    queue_max_receive_count                  = optional(number)<br>    queue_delay_seconds                      = optional(number)<br>    queue_message_retention_seconds          = optional(number)<br>    queue_batch_size                         = optional(number)<br>    queue_maximum_batching_window_in_seconds = optional(number)<br>    code_uri                                 = optional(string)<br>    sam_release_version                      = optional(string)<br>  })</pre> | `{}` | no |

diff --git a/modules/stack/config.tf b/modules/stack/config.tf
@@ -10,6 +10,7 @@ module "config" {
   exclude_resource_types        = var.config.exclude_resource_types
   delivery_frequency            = var.config.delivery_frequency
   include_global_resource_types = var.config.include_global_resource_types
+  tag_account_alias             = var.config.tag_account_alias
 
   depends_on = [aws_s3_bucket_notification.this]
 }
diff --git a/modules/stack/configsubscription.tf b/modules/stack/configsubscription.tf
@@ -4,5 +4,7 @@ module "configsubscription" {
 
   name_prefix = local.name_prefix
   target_arn  = module.forwarder.queue_arn
+
+  tag_account_alias = var.configsubscription.tag_account_alias
 }
 
diff --git a/modules/stack/variables.tf b/modules/stack/variables.tf
@@ -59,6 +59,7 @@ variable "config" {
     exclude_resource_types        = optional(list(string))
     delivery_frequency            = optional(string)
     include_global_resource_types = optional(bool)
+    tag_account_alias             = optional(bool)
   })
   default = null
 }
@@ -69,6 +70,7 @@ variable "configsubscription" {
   EOF
   type = object({
     delivery_bucket_name = string
+    tag_account_alias    = optional(bool)
   })
   default = null
 }
-Original file line number
+Diff line change
@@ Expand Up / @@ -18,6 +18,8 @@ resource "aws_iam_role" "this" { @@
           policy = data.aws_iam_policy_document.notifications.json
         }
       }
+      tags = local.tags
     }
     data "aws_iam_policy_document" "assume_role" {
@@ Expand Down @@