From c2b5f0bf93d27a94835d1a02f6c20d00b5c1df71 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jo=C3=A3o=20Taveira=20Ara=C3=BAjo?=
Date: Mon, 8 Jul 2024 11:06:03 -0700
Subject: [PATCH] feat: set account alias as tag (#159)

AWS Config does not provide account alias directly. We can provide it out of band by tagging resources with the account alias which is resolved at apply time. We must piggy back on either config or configsubscription modules, since otherwise we have no resource data to extract the alias from. We don't have much choice on what to tag, since there are very few resource types across both modules. In `config`, we can only tag IAM resources. In `configsubscription`, only eventbridge rules can be tagged.

---
modules/config/README.md | 2 ++
modules/config/alias.tf | 9 +++++++++
modules/config/iam.tf | 2 ++
modules/config/variables.tf | 9 +++++++++
modules/configsubscription/alias.tf | 9 +++++++++
modules/configsubscription/change.tf | 2 ++
modules/configsubscription/variables.tf | 9 ++++++++-
modules/stack/README.md | 4 ++--
modules/stack/config.tf | 1 +
modules/stack/configsubscription.tf | 2 ++
modules/stack/variables.tf | 2 ++
11 files changed, 48 insertions(+), 3 deletions(-)
create mode 100644 modules/config/alias.tf
create mode 100644 modules/configsubscription/alias.tf

diff --git a/modules/config/README.md b/modules/config/README.md
index 6ac5d39..73a361a 100644
--- a/modules/config/README.md
+++ b/modules/config/README.md
@@ -71,6 +71,7 @@ No modules.
 | [aws_config_configuration_recorder_status.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_configuration_recorder_status) | resource |
 | [aws_config_delivery_channel.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/config_delivery_channel) | resource |
 | [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_account_alias.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_account_alias) | data source |
 | [aws_iam_policy.service_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy) | data source |
 | [aws_iam_policy_document.assume_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.notifications](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
@@ -88,6 +89,7 @@ No modules.
 | [name](#input\_name) | Name to set on AWS Config resources. | `string` | `"default"` | no |
 | [prefix](#input\_prefix) | The prefix for the specified S3 bucket. | `string` | `""` | no |
 | [sns\_topic\_arn](#input\_sns\_topic\_arn) | The ARN of the SNS topic that AWS Config delivers notifications to. | `string` | `null` | no |
+| [tag\_account\_alias](#input\_tag\_account\_alias) | Set tag based on account alias. | `bool` | `true` | no |
 
 ## Outputs
 
diff --git a/modules/config/alias.tf b/modules/config/alias.tf
new file mode 100644
index 0000000..c5f5ccd
--- /dev/null
+++ b/modules/config/alias.tf
@@ -0,0 +1,9 @@
+data "aws_iam_account_alias" "current" {
+ count = var.tag_account_alias ? 1 : 0
+}
+
+locals {
+ tags = var.tag_account_alias ? {
+ "observeinc.com/accountalias" = data.aws_iam_account_alias.current[0].account_alias
+ } : {}
+}
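Review bot: `data "aws_iam_account_alias" "current"` in the new modules/config/alias.tf is evaluated at plan time whenever `var.tag_account_alias` is true, and because the variable defaults to true every existing consumer of the module starts depending on that lookup on its next plan; as far as I recall the provider's data source returns an error rather than an empty value when the account has no alias, and the read needs `iam:ListAccountAliases` on the principal running Terraform. The `count` guard and the `locals` conditional cannot catch that error, so accounts without an alias (or with a narrowly scoped deploy role) would fail outright. Either ship this opt-in with `default = false` in the two variables.tf hunks, or state the precondition in the variable description, e.g. `The account must have an alias set and the applying principal needs iam:ListAccountAliases.` The same file is duplicated verbatim as modules/configsubscription/alias.tf, so whichever is chosen applies there too.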
diff --git a/modules/config/iam.tf b/modules/config/iam.tf
index 3506a89..a2371db 100644
--- a/modules/config/iam.tf
+++ b/modules/config/iam.tf
@@ -18,6 +18,8 @@ resource "aws_iam_role" "this" {
 policy = data.aws_iam_policy_document.notifications.json
 }
 }
+
+ tags = local.tags
 }
 
 data "aws_iam_policy_document" "assume_role" {
diff --git a/modules/config/variables.tf b/modules/config/variables.tf
index 43fbf59..000a27b 100644
--- a/modules/config/variables.tf
+++ b/modules/config/variables.tf
@@ -79,3 +79,12 @@ variable "sns_topic_arn" {
 default = null
 nullable = true
 }
+
+variable "tag_account_alias" {
+ type = bool
+ description = <<-EOF
+ Set tag based on account alias.
+ EOF
+ default = true
+ nullable = false
+}
diff --git a/modules/configsubscription/alias.tf b/modules/configsubscription/alias.tf
new file mode 100644
index 0000000..c5f5ccd
--- /dev/null
+++ b/modules/configsubscription/alias.tf
@@ -0,0 +1,9 @@
+data "aws_iam_account_alias" "current" {
+ count = var.tag_account_alias ? 1 : 0
+}
+
+locals {
+ tags = var.tag_account_alias ? {
+ "observeinc.com/accountalias" = data.aws_iam_account_alias.current[0].account_alias
+ } : {}
+}
diff --git a/modules/configsubscription/change.tf b/modules/configsubscription/change.tf
index ef24adc..8af422f 100644
--- a/modules/configsubscription/change.tf
+++ b/modules/configsubscription/change.tf
@@ -10,6 +10,8 @@ resource "aws_cloudwatch_event_rule" "change" {
 ]
 },
 )
+
+ tags = local.tags
 }
 
 resource "aws_cloudwatch_event_target" "change" {
diff --git a/modules/configsubscription/variables.tf b/modules/configsubscription/variables.tf
index d5e0fcf..a0d41a2 100644
--- a/modules/configsubscription/variables.tf
+++ b/modules/configsubscription/variables.tf
@@ -14,4 +14,11 @@ variable "name_prefix" {
 nullable = false
 }
 
-
+variable "tag_account_alias" {
+ type = bool
+ description = <<-EOF
+ Set tag based on account alias.
+ EOF
+ default = true
+ nullable = false
+}
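Review bot: The description of `variable "tag_account_alias"` in modules/config/variables.tf, `Set tag based on account alias.`, does not say which tag key is written or which resource receives it, and this is the text terraform-docs copies into the README table, so a consumer cannot tell what the option does without reading alias.tf and iam.tf. Suggest `Tag the AWS Config IAM role with the account alias under the key observeinc.com/accountalias.` here, and the matching `Tag the EventBridge rule with the account alias under the key observeinc.com/accountalias.` in the modules/configsubscription/variables.tf hunk, which has the same wording.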
diff --git a/modules/stack/README.md b/modules/stack/README.md index 76a5f0e..012dac8 100644 --- a/modules/stack/README.md +++ b/modules/stack/README.md @@ -166,8 +166,8 @@ You can additionally configure other submodules in this manner: | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [config](#input\_config) | Variables for AWS Config collection. |
object({
include_resource_types = list(string)
exclude_resource_types = optional(list(string))
delivery_frequency = optional(string)
include_global_resource_types = optional(bool)
})
| `null` | no | -| [configsubscription](#input\_configsubscription) | Variables for AWS Config subscription. |
object({
delivery_bucket_name = string
})
| `null` | no | +| [config](#input\_config) | Variables for AWS Config collection. |
object({
include_resource_types = list(string)
exclude_resource_types = optional(list(string))
delivery_frequency = optional(string)
include_global_resource_types = optional(bool)
tag_account_alias = optional(bool)
})
| `null` | no | +| [configsubscription](#input\_configsubscription) | Variables for AWS Config subscription. |
object({
delivery_bucket_name = string
tag_account_alias = optional(bool)
})
| `null` | no | | [debug\_endpoint](#input\_debug\_endpoint) | Endpoint to send debugging telemetry to. Sets OTEL\_EXPORTER\_OTLP\_ENDPOINT environment variable for supported lambda functions. | `string` | `null` | no | | [destination](#input\_destination) | Destination filedrop |
object({
arn = optional(string, "")
bucket = optional(string, "")
prefix = optional(string, "")
# exclusively for backward compatible HTTP endpoint
uri = optional(string, "")
})
| n/a | yes | | [forwarder](#input\_forwarder) | Variables for forwarder module. |
object({
source_bucket_names = optional(list(string), [])
source_object_keys = optional(list(string))
source_topic_arns = optional(list(string), [])
content_type_overrides = optional(list(object({ pattern = string, content_type = string })), [])
max_file_size = optional(number)
lambda_memory_size = optional(number)
lambda_timeout = optional(number)
lambda_env_vars = optional(map(string))
retention_in_days = optional(number)
queue_max_receive_count = optional(number)
queue_delay_seconds = optional(number)
queue_message_retention_seconds = optional(number)
queue_batch_size = optional(number)
queue_maximum_batching_window_in_seconds = optional(number)
code_uri = optional(string)
sam_release_version = optional(string)
})
| `{}` | no |
diff --git a/modules/stack/config.tf b/modules/stack/config.tf
index 623010a..034486a 100644
--- a/modules/stack/config.tf
+++ b/modules/stack/config.tf
@@ -10,6 +10,7 @@ module "config" {
 exclude_resource_types = var.config.exclude_resource_types delivery_frequency = var.config.delivery_frequency include_global_resource_types = var.config.include_global_resource_types + tag_account_alias = var.config.tag_account_alias depends_on = [aws_s3_bucket_notification.this] }
diff --git a/modules/stack/configsubscription.tf b/modules/stack/configsubscription.tf
index 19784d4..2cb5441 100644
--- a/modules/stack/configsubscription.tf
+++ b/modules/stack/configsubscription.tf
@@ -4,5 +4,7 @@ module "configsubscription" {
 name_prefix = local.name_prefix target_arn = module.forwarder.queue_arn + + tag_account_alias = var.configsubscription.tag_account_alias }
diff --git a/modules/stack/variables.tf b/modules/stack/variables.tf
index 76211b4..409e612 100644
--- a/modules/stack/variables.tf
+++ b/modules/stack/variables.tf
@@ -59,6 +59,7 @@ variable "config" {
 exclude_resource_types = optional(list(string))
 delivery_frequency = optional(string)
 include_global_resource_types = optional(bool)
+ tag_account_alias = optional(bool)
 })
 default = null
 }
@@ -69,6 +70,7 @@ variable "configsubscription" {
 EOF
 type = object({
 delivery_bucket_name = string
+ tag_account_alias = optional(bool)
 })
 default = null
 }
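Review bot: `tag_account_alias = optional(bool)` in both hunks of modules/stack/variables.tf carries no default, so a caller who omits the attribute passes null through modules/stack/config.tf and modules/stack/configsubscription.tf and the child modules' `nullable = false` silently substitutes their own `default = true`; the behaviour is correct on Terraform versions that support `nullable`, but the stack README ends up showing `optional(bool)` with no hint that tagging is on unless disabled. Consider `tag_account_alias = optional(bool, true)` in both object types so the effective default is declared at the level consumers read, keeping it in step with the child modules. Both `variable "config"` and `variable "configsubscription"` blocks begin outside the hunk.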