AWS Tag Policy Configuration Using Terraform

Terraform AWS tag Policy

In this blog, you will learn to configure AWS Tag Policies using Terraform. I have added step-by-step guides for the whole setup.

Terraform Tag Policy Deployment Workflow

Here is the workflow explanation:

  1. Download the Terraform code from the GitHub repository onto a system where Terraform and the AWS CLI are installed.
  2. Run the Terraform configuration that calls the tag-policy module, supplying the required values through the variables file.
  3. Terraform executes the tag-policy module to create a policy that enforces tag compliance for specific resource types such as EC2 instances, security groups, AWS Lambda functions, etc.
  4. The newly created policy is attached to the account specified in the variables file.
  5. The policy ID is shown as a Terraform output.
  6. Terraform automatically saves the state file in the S3 bucket in your AWS account.

Terraform Tag Policy Code Repository

The Tag Policy Terraform code is included in the Terraform AWS repository. To follow the guide, clone the repository to your workstation.

git clone https://github.com/techiescamp/terraform-aws.git

Fork and clone the repository if you intend to reuse and make changes as per your requirements.

Terraform AWS Organization’s Tag Policy Provisioning Workflow

The Terraform script for Tag Policy is structured in the following way.

├── infra
│   └── tag-policy
│       ├── main.tf
│       ├── outputs.tf
│       └── variables.tf
├── modules
│   └── tag-policy
│       ├── main.tf
│       ├── outputs.tf
│       └── variables.tf
└── vars
    └── dev
        └── tag-policy.tfvars

The vars folder contains the variables file named tag-policy.tfvars.

The infra/tag-policy folder contains the Terraform code (main.tf) that calls the Tag Policy module from the modules directory.

The modules directory contains the following resources:

tag-policy module: the tag-policy module contains an AWS Organizations policy resource whose JSON content defines the required tag keys, the allowed tag values, and the resource types for which those values are enforced.

The policy attachment block attaches the created policy to the target account using its account ID.
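The page does not show the module itself, so here is an added example of what modules/tag-policy/main.tf could contain. It is my own reconstruction, not the repository's code; it assumes the variable names from vars/dev/tag-policy.tfvars are declared in the module's variables.tf, and that enforce_for_values applies to the two keys that carry an allowed-value list (Owner and CostCenter), while Name, Environment and Application only have their key capitalization enforced.

```hcl
# Added example (not the repository's module): builds the tag policy JSON from
# the variables in tag-policy.tfvars and attaches it to the target.
# Assumption: enforce_for_values applies to the keys that have a value list.

locals {
  # Keys whose capitalization is enforced but whose value is unrestricted.
  free_value_keys = [var.name_tag_key, var.environment_tag_key, var.application_tag_key]

  # Keys with an allowed-value list; tagging operations with a value outside
  # the list are blocked for the resource types in var.enforce_for_values.
  restricted_keys = {
    (var.owner_tag_key)      = var.owner_tag_value
    (var.costcenter_tag_key) = var.costcenter_tag_value
  }

  # Tag policy document: one entry per tag key under the top-level "tags" object.
  tag_policy = {
    tags = merge(
      { for k in local.free_value_keys : k => {
          tag_key = { "@@assign" = k }
      } },
      { for k, v in local.restricted_keys : k => {
          tag_key      = { "@@assign" = k }
          tag_value    = { "@@assign" = v }
          enforced_for = { "@@assign" = var.enforce_for_values }
      } }
    )
  }
}

resource "aws_organizations_policy" "tag_policy" {
  name        = var.policy_name
  type        = var.policy_type # "TAG_POLICY"
  description = "Tag policy managed by Terraform"
  content     = jsonencode(local.tag_policy)
}

# Attach the policy to the account, OU or root given in target_id.
resource "aws_organizations_policy_attachment" "tag_policy" {
  policy_id = aws_organizations_policy.tag_policy.id
  target_id = var.target_id
}
```

The module's outputs.tf would then expose aws_organizations_policy.tag_policy.id as the policy ID that Step 5 reads back; tag policies can only be created from the organization's management account (or a delegated administrator) with tag policies enabled in AWS Organizations.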

Implementing Tag Policy Using Terraform

Follow the steps provided in this section to implement a tag policy in an AWS account.

This guide assumes the “terraform-aws” folder is the root directory.

Step 1: Adjust the variables for the tag-policy module.

Open the vars/dev/tag-policy.tfvars file and edit the variables based on your requirements. Primarily, you will want to change target_id and enforce_for_values.

Additionally, you can change the tag value lists and region if you want.

# Tag Policy Vars
region      = "eu-north-1"
policy_name = "Techiescamp"
policy_type = "TAG_POLICY"
target_id   = "814200988517"

name_tag_key         = "Name"
environment_tag_key  = "Environment"
owner_tag_key        = "Owner"
owner_tag_value      = ["techiescamp"]
costcenter_tag_key   = "CostCenter"
costcenter_tag_value = ["techiescamp-commerce"]
application_tag_key  = "Application"
enforce_for_values   = ["dynamodb:*", "ec2:dhcp-options", "ec2:elastic-ip", "ec2:fpga-image", "ec2:instance",
                        "ec2:internet-gateway", "ec2:launch-template", "ec2:natgateway", "ec2:network-acl",
                        "ec2:network-interface", "ec2:route-table", "ec2:security-group", "ec2:snapshot",
                        "ec2:subnet", "ec2:volume", "ec2:vpc", "ec2:vpc-endpoint", "ec2:vpc-endpoint-service",
                        "ec2:vpc-peering-connection", "ec2:vpn-connection", "ec2:vpn-gateway", "elasticfilesystem:*",
                        "elasticloadbalancing:*", "iam:instance-profile", "iam:mfa", "iam:policy", "kms:*",
                        "lambda:*", "rds:cluster-pg", "rds:cluster-endpoint", "rds:es", "rds:og", "rds:pg", "rds:db-proxy",
                        "rds:db-proxy-endpoint", "rds:ri", "rds:secgrp", "rds:subgrp", "rds:target-group", "resource-groups:*",
                        "route53:hostedzone", "s3:bucket", "s3:bucket"]

Step 2: Initialize Terraform Configuration

Once the modifications are completed, save the file.

Change into the infra/tag-policy directory.

cd infra/tag-policy

Run terraform init in this directory so that Terraform downloads the AWS provider and loads the tag-policy module before you plan or apply.

Inside the “tag-policy” folder, you will find the “main.tf” file, which contains the configuration of the tag-policy module.

provider "aws" {
  region = var.region
}

module "tag-policy" {
  source      = "../../modules/tag-policy"
  region      = var.region
  policy_name = var.policy_name
  policy_type = var.policy_type
  target_id   = var.target_id

  name_tag_key         = var.name_tag_key
  environment_tag_key  = var.environment_tag_key
  owner_tag_key        = var.owner_tag_key
  owner_tag_value      = var.owner_tag_value
  costcenter_tag_key   = var.costcenter_tag_key
  costcenter_tag_value = var.costcenter_tag_value
  application_tag_key  = var.application_tag_key
  enforce_for_values   = var.enforce_for_values
}

Step 3: Verify Terraform Plan

From the infra/tag-policy directory, preview the changes with the terraform plan command.

terraform plan -var-file=../../vars/dev/tag-policy.tfvars

Step 4: Apply Terraform Changes

Apply the Terraform configuration to create the AWS resources by using the following command.

terraform apply -var-file=../../vars/dev/tag-policy.tfvars

Confirm the action by typing “yes” when prompted.

Terraform will now implement the tag policy based on your customized configuration.

Step 5: Validate the Output

After applying the Terraform configuration, run terraform output to retrieve the essential details.

The outputs.tf file is configured to show the policy ID as the output.

Verify the output to ensure that the tag policy has been successfully created and attached in your AWS account.

Step 6: Clean Up Setup

If you plan to remove the tag policy from your AWS account, you can destroy the configuration using the Terraform destroy command.

terraform destroy -var-file=../../vars/dev/tag-policy.tfvars

Confirm the action by typing “yes” when prompted. Terraform will remove all the resources created in the previous steps.

Conclusion

Using a tag policy improves the organization’s tagging strategy and prevents users from creating resources with non-compliant tags on the enforced resource types.

With AWS Resource Groups & Tag Editor, resources and their related tags can be managed effectively. This service allows filtering AWS resources based on tags, making resource management more efficient and organized.

You can also check out the AWS autoscaling Terraform guide to deploy autoscaling groups and AWS load balancers using Terraform.

1 comment
  1. I don’t see tag-policy under cd environments/dev/tag-policy; instead I can see
     cd infra/tag-policy. Kindly update it in the doc.

     Thanks for an amazing blog about tag policy.
