AWS Tag Policy Configuration Using Terraform

In this blog, you will learn to configure AWS Tag Policies using Terraform. I have added step-by-step guides for the whole setup.

Terraform Tag Policy Deployment Workflow

Here is the workflow explanation:

  1. Download the Terraform code from the GitHub repository onto a system where Terraform and the AWS CLI are installed.
  2. Run the Terraform configuration that calls the tag-policy module, passing the required values through the variables file.
  3. Terraform executes the tag-policy module to create a policy that enforces tag compliance for specific resource types such as EC2 instances, security groups, AWS Lambda functions, etc.
  4. The newly created policy is attached to the account whose ID is given in the variables file.
  5. The policy ID is printed as a Terraform output.
  6. Terraform saves the state file in the S3 bucket in your AWS account.

Terraform Tag Policy Code Repository

The Tag Policy Terraform code is included in the Terraform AWS repository. To follow the guide, clone the repository to your workstation.

git clone https://github.com/techiescamp/terraform-aws.git

Fork and clone the repository if you intend to reuse and make changes as per your requirements.

Terraform AWS Organization's Tag Policy Provisioning Workflow

The Terraform script for Tag Policy is structured in the following way.

├── infra
│   └── tag-policy
│       ├── main.tf
│       ├── outputs.tf
│       └── variables.tf
├── modules
│   └── tag-policy
│       ├── main.tf
│       ├── outputs.tf
│       └── variables.tf
└── vars
    └── dev
        └── tag-policy.tfvars

The vars folder contains the variables file named tag-policy.tfvars.

The infra/tag-policy folder contains the Terraform code (main.tf) that calls the Tag Policy module from the modules directory.

The modules directory contains the following resources:

tag-policy Module: The tag-policy module contains an AWS Organizations policy resource whose JSON content defines the required tag keys, the allowed tag values, and the resource types for which those values are enforced (enforce_for_values).

The policy attachment block attaches the created policy to the target account using its account ID.
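As an added illustration (not the repository's own module code), here is one way the modules/tag-policy/main.tf described above could be written using the variable names from vars/dev/tag-policy.tfvars. The locals, the resource names, and the split between "key only" tags and tags with a pinned value list are assumptions; the JSON layout (tag_key, tag_value, enforced_for with @@assign) is the AWS tag policy syntax.

```hcl
# Added example module body: builds an AWS Organizations tag policy from the
# module variables and attaches it to the target account. Resource and local
# names are assumptions, not the repository's own code.

locals {
  # Tag keys that must exist (case-enforced) but have no fixed value list.
  free_value_keys = [var.name_tag_key, var.environment_tag_key, var.application_tag_key]

  # Tag keys whose values are restricted to an allowed list and whose
  # compliance is enforced for the resource types in enforce_for_values.
  pinned_value_tags = {
    (var.owner_tag_key)      = var.owner_tag_value
    (var.costcenter_tag_key) = var.costcenter_tag_value
  }

  # Tag policy document in the AWS Organizations tag policy syntax.
  tag_policy = {
    tags = merge(
      { for k in local.free_value_keys : k => {
        tag_key = { "@@assign" = k }
      } },
      { for k, v in local.pinned_value_tags : k => {
        tag_key      = { "@@assign" = k }
        tag_value    = { "@@assign" = v }
        enforced_for = { "@@assign" = var.enforce_for_values }
      } }
    )
  }
}

# Policy creation block: type must be "TAG_POLICY" (passed via var.policy_type).
resource "aws_organizations_policy" "this" {
  name    = var.policy_name
  type    = var.policy_type
  content = jsonencode(local.tag_policy)
}

# Policy attachment block: binds the policy to the account ID from the tfvars file.
resource "aws_organizations_policy_attachment" "this" {
  policy_id = aws_organizations_policy.this.id
  target_id = var.target_id
}

# Exposed so infra/tag-policy/outputs.tf can surface the policy ID (Step 5).
output "policy_id" {
  value = aws_organizations_policy.this.id
}
```

The attachment only succeeds if tag policies are enabled for the organization and the credentials used belong to the management account (or a delegated administrator).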

Implementing Tag Policy Using Terraform

Follow the steps provided in this section to implement a tag policy in an AWS account.

This guide assumes the "terraform-aws" folder is the root directory.

Step 1: Adjust the variables for the tag-policy module.

Open the vars/dev/tag-policy.tfvars file and edit the variables based on your requirements. The values you will most likely need to change are target_id (the account the policy is attached to) and enforce_for_values (the resource types for which non-compliant tagging is blocked).

You can also change the tag values and the region if you want.

# Tag Policy Vars
region      = "eu-north-1"
policy_name = "Techiescamp"
policy_type = "TAG_POLICY"
target_id   = "814200988517"

name_tag_key         = "Name"
environment_tag_key  = "Environment"
owner_tag_key        = "Owner"
owner_tag_value      = ["techiescamp"]
costcenter_tag_key   = "CostCenter"
costcenter_tag_value = ["techiescamp-commerce"]
application_tag_key  = "Application"
enforce_for_values   = ["dynamodb:*", "ec2:dhcp-options", "ec2:elastic-ip", "ec2:fpga-image", "ec2:instance",
                        "ec2:internet-gateway", "ec2:launch-template", "ec2:natgateway", "ec2:network-acl",
                        "ec2:network-interface", "ec2:route-table", "ec2:security-group", "ec2:snapshot",
                        "ec2:subnet", "ec2:volume", "ec2:vpc", "ec2:vpc-endpoint", "ec2:vpc-endpoint-service",
                        "ec2:vpc-peering-connection", "ec2:vpn-connection", "ec2:vpn-gateway", "elasticfilesystem:*",
                        "elasticloadbalancing:*", "iam:instance-profile", "iam:mfa", "iam:policy", "kms:*",
                        "lambda:*", "rds:cluster-pg", "rds:cluster-endpoint", "rds:es", "rds:og", "rds:pg", "rds:db-proxy",
                        "rds:db-proxy-endpoint", "rds:ri", "rds:secgrp", "rds:subgrp", "rds:target-group", "resource-groups:*",
                        "route53:hostedzone", "s3:bucket"]

Step 2: Initialize Terraform Configuration

Once the modifications are completed, save the file.

Change into the infra/tag-policy directory.

cd infra/tag-policy

Run terraform init in this directory so that Terraform downloads the AWS provider and registers the local tag-policy module before you plan or apply.

Inside the "tag-policy" folder, you will find the "main.tf" file, which contains the configuration that calls the tag-policy module.

provider "aws" {
  region = var.region
}

module "tag-policy" {
  source      = "../../modules/tag-policy"
  region      = var.region
  policy_name = var.policy_name
  policy_type = var.policy_type
  target_id   = var.target_id

  name_tag_key         = var.name_tag_key
  environment_tag_key  = var.environment_tag_key
  owner_tag_key        = var.owner_tag_key
  owner_tag_value      = var.owner_tag_value
  costcenter_tag_key   = var.costcenter_tag_key
  costcenter_tag_value = var.costcenter_tag_value
  application_tag_key  = var.application_tag_key
  enforce_for_values   = var.enforce_for_values
}

Step 3: Verify Terraform Plan

From the infra/tag-policy directory, preview the changes with the Terraform plan command.

terraform plan -var-file=../../vars/dev/tag-policy.tfvars

Step 4: Apply Terraform Changes

Apply the Terraform configuration to create the AWS resources by using the following command.

terraform apply -var-file=../../vars/dev/tag-policy.tfvars

Confirm the action by typing "yes" when prompted.

Terraform will now implement the tag policy based on your customized configuration.

Step 5: Validate the Output

After applying the Terraform configuration, use the Terraform output command to retrieve the essential details.

The outputs.tf file is configured to show the Policy ID as the output.

Verify the output to ensure that the tag policy has been successfully created and attached in your AWS account.

Step 6: Clean Up Setup

If you want to remove the tag policy from your AWS account, you can destroy the configuration using the Terraform destroy command.

terraform destroy -var-file=../../vars/dev/tag-policy.tfvars

Confirm the action by typing "yes" when prompted. Terraform will remove all the resources created in the previous steps.

Conclusion

Using a Tag Policy will improve the organization's tagging strategy and prevent users from creating resources with non-compliant tags.

With AWS Resource Groups & Tag Editor, resources and their related tags can be effectively managed. This service allows for filtering AWS Resources based on tags, making resource management more efficient and organized.

You can also check out the AWS autoscaling Terraform guide to deploy autoscaling groups and AWS load balancers using Terraform.

About the author
Arun Lal

Arun Lal is a DevOps Engineer and AWS Community Builder with expertise in AWS infrastructure, Terraform automation, and GitLab CI/CD pipelines.
