Merge pull request #51 from bitovi/42-all-aws-resources-should-have-tagsname

arm4b · web-flow · commit 2733cef37026 · 2023-02-27T15:38:15.000Z
Adding additional_tags and tagging
diff --git a/README.md b/README.md
@@ -75,6 +75,7 @@ The following inputs can be used as `steps.with` keys:
 | `aws_ec2_instance_profile` | string | | [The AWS IAM instance profile](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html) to use for the EC2 instance. Use if you want to pass an AWS role with specific permissions granted to the instance |
 | `aws_resource_identifier` | string | `${org}-${repo}-${branch}` | Auto-generated by default so it's unique for org/repo/branch. Set to override with custom naming the unique AWS resource identifier for the deployment. |
 | `aws_create_vpc` | bool | `false` | Whether an AWS VPC should be created in the action. Otherwise, the existing default VPC will be used. |
+| `aws_extra_tags` | json | | A list of additional tags that will be included on created resources. Example: `{"key1": "value1", "key2": "value2"}`. |
 | `infrastructure_only` | bool | `false` | Set to true to provision infrastructure (with Terraform) but skip the app deployment (with ansible) |
 | **Teraform configuration** |
 | `tf_state_bucket` | string | `${org}-${repo}-${branch}-tf-state` | AWS S3 bucket to use for Terraform state. By default, a new deployment will be created for each unique branch. Hardcode if you want to keep a shared resource state between the several branches. |
diff --git a/action.yaml b/action.yaml
@@ -33,10 +33,15 @@ inputs:
   aws_create_vpc:
     description: 'Bool, whether an AWS VPC should be created in the action. Otherwise, the existing default VPC will be used.'
     default: "false"
+  aws_extra_tags:
+    description: 'A list of additional tags that will be included on created resources. Example: `{"key1": "value1", "key2": "value2"}`'
+    required: false
+    default: '{}'
   infrastructure_only:
     description: 'Set to true to provision infrastructure (with Terraform) but skip the app deployment (with ansible)'
     default: "false"
 
+
   # Terraform configuration
   tf_state_bucket:
     description: 'AWS S3 bucket to use for Terraform state. Defaults to `${org}-${repo}-${branch}-tf-state`'
@@ -94,6 +99,8 @@ runs:
         STACK_DESTROY: ${{ inputs.tf_stack_destroy }}
         AWS_RESOURCE_IDENTIFIER: ${{ inputs.aws_resource_identifier }}
         CREATE_VPC: ${{ inputs.aws_create_vpc }}
+        AWS_EXTRA_TAGS: ${{ inputs.aws_extra_tags }}
+
 
         # Skip ansible deployment if deploying only infrastructure
         ANSIBLE_SKIP_DEPLOY: ${{ inputs.infrastructure_only }}
diff --git a/operations/_scripts/generate/generate_provider.sh b/operations/_scripts/generate/generate_provider.sh
@@ -33,7 +33,10 @@ provider \"aws\" {
   region = \"${AWS_DEFAULT_REGION}\"
   profile = \"default\"
   default_tags {
-    tags = local.aws_tags
+    tags = merge(
+      local.aws_tags,
+      var.aws_extra_tags
+    )
   }
 }
 " > "${GITHUB_ACTION_PATH}/operations/deployment/terraform/provider.tf"
diff --git a/operations/_scripts/generate/generate_tf_vars.sh b/operations/_scripts/generate/generate_tf_vars.sh
@@ -84,5 +84,7 @@ region = \"${AWS_DEFAULT_REGION}\"
 # Route53
 route53_zone_id = \"${ROUTE53_ZONE_ID}\"
 
+aws_additional_tags = ${AWS_ADDITIONAL_TAGS}
+
 
 " > "${GITHUB_ACTION_PATH}/operations/deployment/terraform/terraform.tfvars"
diff --git a/operations/deployment/terraform/locals.tf b/operations/deployment/terraform/locals.tf
@@ -1,12 +1,12 @@
 locals {
   aws_tags = {
-    OperationsRepo = "bitovi/github-actions-node-app-to-aws-vm/operations/${var.ops_repo_environment}"
-    AWSResourceIdentifier = "${var.aws_resource_identifier}"
-    GitHubOrgName = "${var.app_org_name}"
-    GitHubRepoName = "${var.app_repo_name}"
-    GitHubBranchName = "${var.app_branch_name}"
-    GitHubAction = "bitovi/github-actions-node-app-to-aws-vm"
+    OperationsRepo            = "bitovi/github-actions-deploy-stackstorm/operations/${var.ops_repo_environment}"
+    AWSResourceIdentifier     = "${var.aws_resource_identifier}"
+    GitHubOrgName             = "${var.app_org_name}"
+    GitHubRepoName            = "${var.app_repo_name}"
+    GitHubBranchName          = "${var.app_branch_name}"
+    GitHubAction              = "bitovi/github-actions-deploy-stackstorm"
     OperationsRepoEnvironment = "deployment"
-    CreatedWith = "terraform"
+    CreatedWith               = "terraform"
   }
-}
+}
diff --git a/operations/deployment/terraform/modules/02_networking.tf b/operations/deployment/terraform/modules/02_networking.tf
@@ -59,62 +59,52 @@ resource "aws_route_table_association" "public" {
 }
 
 
+resource "aws_security_group" "ec2_security_group" {
+  name        = "${var.aws_resource_identifier_supershort}-SG"
+  description = "SG for ${var.aws_resource_identifier}"
+  vpc_id      = var.create_vpc == "true" ? aws_vpc.main[0].id : null
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+  tags = {
+    Name = "${var.aws_resource_identifier}-instance-sg"
+  }
+}
 
+data "aws_security_group" "ec2_security_group" {
+  count = var.create_vpc == "true" ? 1 : 0
+  id = aws_security_group.ec2_security_group.id
+}
 
-
-resource "aws_security_group" "allow_http" {
- name = "${var.aws_resource_identifier_supershort}-http"
- description = "Allow HTTP traffic"
- vpc_id      = var.create_vpc == "true" ? aws_vpc.main[0].id : null
- ingress {
-   description = "HTTP"
-   from_port   = 80
-   to_port     = 80
-   protocol    = "tcp"
-   cidr_blocks = ["0.0.0.0/0"]
- }
- egress {
-   from_port   = 0
-   to_port     = 0
-   protocol    = "-1"
-   cidr_blocks = ["0.0.0.0/0"]
- }
+resource "aws_security_group_rule" "ingress_http" {
+  type              = "ingress"
+  description       = "Allow HTTP"
+  from_port         = 80
+  to_port           = 80
+  protocol          = "tcp"
+  cidr_blocks       = ["0.0.0.0/0"]
+  security_group_id = aws_security_group.ec2_security_group.id
 }
- 
-resource "aws_security_group" "allow_https" {
- name = "${var.aws_resource_identifier_supershort}-https"
- description = "Allow HTTPS traffic"
- vpc_id      = var.create_vpc == "true" ? aws_vpc.main[0].id : null
- ingress {
-   description = "HTTPS"
-   from_port   = 443
-   to_port     = 443
-   protocol    = "tcp"
-   cidr_blocks = ["0.0.0.0/0"]
- }
- egress {
-   from_port   = 0
-   to_port     = 0
-   protocol    = "-1"
-   cidr_blocks = ["0.0.0.0/0"]
- }
+
+resource "aws_security_group_rule" "ingress_https" {
+  type              = "ingress"
+  description       = "Allow HTTPS"
+  from_port         = 443
+  to_port           = 443
+  protocol          = "tcp"
+  cidr_blocks       = ["0.0.0.0/0"]
+  security_group_id = aws_security_group.ec2_security_group.id
 }
 
-resource "aws_security_group" "allow_ssh" {
- name = "${var.aws_resource_identifier_supershort}-ssh"
- description = "Allow SSH traffic"
- vpc_id      = var.create_vpc == "true" ? aws_vpc.main[0].id : null
- ingress {
-   description = "SSH"
-   from_port   = 22
-   to_port     = 22
-   protocol    = "tcp"
-   cidr_blocks = ["0.0.0.0/0"]
- }
- egress {
-   from_port   = 0
-   to_port     = 0
-   protocol    = "-1"
-   cidr_blocks = ["0.0.0.0/0"]
- }
+resource "aws_security_group_rule" "ingress_ssh" {
+  type              = "ingress"
+  description       = "Allow SSH"
+  from_port         = 22
+  to_port           = 22
+  protocol          = "tcp"
+  cidr_blocks       = ["0.0.0.0/0"]
+  security_group_id = aws_security_group.ec2_security_group.id
 }
diff --git a/operations/deployment/terraform/modules/03_ec2.tf b/operations/deployment/terraform/modules/03_ec2.tf
@@ -5,7 +5,7 @@ resource "aws_instance" "server" {
  associate_public_ip_address = true
  
  subnet_id                   = var.create_vpc == "true" ? aws_subnet.public.*.id[0] : null
- vpc_security_group_ids      = [aws_security_group.allow_http.id, aws_security_group.allow_https.id, aws_security_group.allow_ssh.id]
+ vpc_security_group_ids      = [aws_security_group.ec2_security_group.id]
  user_data = <<EOF
 #!/bin/bash
 echo "symlink for python3 -> python"
diff --git a/operations/deployment/terraform/modules/04_elb.tf b/operations/deployment/terraform/modules/04_elb.tf
@@ -3,7 +3,7 @@ resource "aws_elb" "vm" {
   subnets            = var.create_vpc == "true" ? aws_subnet.public.*.id : null
   availability_zones = var.create_vpc == "true" ? null : [aws_instance.server.availability_zone]
 
-  security_groups = [aws_security_group.allow_http.id, aws_security_group.allow_https.id]
+  security_groups = [aws_security_group.ec2_security_group.id]
 
   listener {
     instance_port      = 443
diff --git a/operations/deployment/terraform/variables.tf b/operations/deployment/terraform/variables.tf
@@ -138,6 +138,13 @@ variable "route53_zone_id" {
   type        = string
 }
 
+variable "aws_extra_tags" {
+  type        = map(string)
+  description = "A list of tags that will be added to created resources"
+  default     = {}
+
+}
+
 # variable "common_tags" {
 #   default     = {}
 #   description = "Common resource tags"

Original file line number	Diff line number	Diff line change
`@@ -33,7 +33,10 @@ provider \"aws\" {`
`33`	`33`	`region = \"${AWS_DEFAULT_REGION}\"`
`34`	`34`	`profile = \"default\"`
`35`	`35`	`default_tags {`
`36`		`- tags = local.aws_tags`
	`36`	`+ tags = merge(`
	`37`	`+ local.aws_tags,`
	`38`	`+ var.aws_extra_tags`
	`39`	`+ )`
`37`	`40`	`}`
`38`	`41`	`}`
`39`	`42`	`" > "${GITHUB_ACTION_PATH}/operations/deployment/terraform/provider.tf"`