feat: Add support for per subnet tags

Author: voidshard

README.md

@@ -401,6 +401,7 @@ No modules.
 | <a name="input_database_subnet_private_dns_hostname_type_on_launch"></a> [database\_subnet\_private\_dns\_hostname\_type\_on\_launch](#input\_database\_subnet\_private\_dns\_hostname\_type\_on\_launch) | The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name` | `string` | `null` | no |
 | <a name="input_database_subnet_suffix"></a> [database\_subnet\_suffix](#input\_database\_subnet\_suffix) | Suffix to append to database subnets name | `string` | `"db"` | no |
 | <a name="input_database_subnet_tags"></a> [database\_subnet\_tags](#input\_database\_subnet\_tags) | Additional tags for the database subnets | `map(string)` | `{}` | no |
+| <a name="input_database_subnet_tags_by_name"></a> [database\_subnet\_tags\_by\_name](#input\_database\_subnet\_tags\_by\_name) | Additional tags for the database subnets where the primary key is the subnet name | `map(map(string))` | `{}` | no |
 | <a name="input_database_subnets"></a> [database\_subnets](#input\_database\_subnets) | A list of database subnets inside the VPC | `list(string)` | `[]` | no |
 | <a name="input_default_network_acl_egress"></a> [default\_network\_acl\_egress](#input\_default\_network\_acl\_egress) | List of maps of egress rules to set on the Default Network ACL | `list(map(string))` | <pre>[<br/>  {<br/>    "action": "allow",<br/>    "cidr_block": "0.0.0.0/0",<br/>    "from_port": 0,<br/>    "protocol": "-1",<br/>    "rule_no": 100,<br/>    "to_port": 0<br/>  },<br/>  {<br/>    "action": "allow",<br/>    "from_port": 0,<br/>    "ipv6_cidr_block": "::/0",<br/>    "protocol": "-1",<br/>    "rule_no": 101,<br/>    "to_port": 0<br/>  }<br/>]</pre> | no |
 | <a name="input_default_network_acl_ingress"></a> [default\_network\_acl\_ingress](#input\_default\_network\_acl\_ingress) | List of maps of ingress rules to set on the Default Network ACL | `list(map(string))` | <pre>[<br/>  {<br/>    "action": "allow",<br/>    "cidr_block": "0.0.0.0/0",<br/>    "from_port": 0,<br/>    "protocol": "-1",<br/>    "rule_no": 100,<br/>    "to_port": 0<br/>  },<br/>  {<br/>    "action": "allow",<br/>    "from_port": 0,<br/>    "ipv6_cidr_block": "::/0",<br/>    "protocol": "-1",<br/>    "rule_no": 101,<br/>    "to_port": 0<br/>  }<br/>]</pre> | no |
@@ -442,6 +443,7 @@ No modules.
 | <a name="input_elasticache_subnet_private_dns_hostname_type_on_launch"></a> [elasticache\_subnet\_private\_dns\_hostname\_type\_on\_launch](#input\_elasticache\_subnet\_private\_dns\_hostname\_type\_on\_launch) | The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name` | `string` | `null` | no |
 | <a name="input_elasticache_subnet_suffix"></a> [elasticache\_subnet\_suffix](#input\_elasticache\_subnet\_suffix) | Suffix to append to elasticache subnets name | `string` | `"elasticache"` | no |
 | <a name="input_elasticache_subnet_tags"></a> [elasticache\_subnet\_tags](#input\_elasticache\_subnet\_tags) | Additional tags for the elasticache subnets | `map(string)` | `{}` | no |
+| <a name="input_elasticache_subnet_tags_by_name"></a> [elasticache\_subnet\_tags\_by\_name](#input\_elasticache\_subnet\_tags\_by\_name) | Additional tags for the elasticache subnets where the primary key is the subnet name | `map(map(string))` | `{}` | no |
 | <a name="input_elasticache_subnets"></a> [elasticache\_subnets](#input\_elasticache\_subnets) | A list of elasticache subnets inside the VPC | `list(string)` | `[]` | no |
 | <a name="input_enable_dhcp_options"></a> [enable\_dhcp\_options](#input\_enable\_dhcp\_options) | Should be true if you want to specify a DHCP options set with a custom domain name, DNS servers, NTP servers, netbios servers, and/or netbios server type | `bool` | `false` | no |
 | <a name="input_enable_dns_hostnames"></a> [enable\_dns\_hostnames](#input\_enable\_dns\_hostnames) | Should be true to enable DNS hostnames in the VPC | `bool` | `true` | no |
@@ -488,6 +490,7 @@ No modules.
 | <a name="input_intra_subnet_private_dns_hostname_type_on_launch"></a> [intra\_subnet\_private\_dns\_hostname\_type\_on\_launch](#input\_intra\_subnet\_private\_dns\_hostname\_type\_on\_launch) | The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name` | `string` | `null` | no |
 | <a name="input_intra_subnet_suffix"></a> [intra\_subnet\_suffix](#input\_intra\_subnet\_suffix) | Suffix to append to intra subnets name | `string` | `"intra"` | no |
 | <a name="input_intra_subnet_tags"></a> [intra\_subnet\_tags](#input\_intra\_subnet\_tags) | Additional tags for the intra subnets | `map(string)` | `{}` | no |
+| <a name="input_intra_subnet_tags_by_name"></a> [intra\_subnet\_tags\_by\_name](#input\_intra\_subnet\_tags\_by\_name) | Additional tags for the intra subnets where the primary key is the subnet name | `map(map(string))` | `{}` | no |
 | <a name="input_intra_subnets"></a> [intra\_subnets](#input\_intra\_subnets) | A list of intra subnets inside the VPC | `list(string)` | `[]` | no |
 | <a name="input_ipv4_ipam_pool_id"></a> [ipv4\_ipam\_pool\_id](#input\_ipv4\_ipam\_pool\_id) | (Optional) The ID of an IPv4 IPAM pool you want to use for allocating this VPC's CIDR | `string` | `null` | no |
 | <a name="input_ipv4_netmask_length"></a> [ipv4\_netmask\_length](#input\_ipv4\_netmask\_length) | (Optional) The netmask length of the IPv4 CIDR you want to allocate to this VPC. Requires specifying a ipv4\_ipam\_pool\_id | `number` | `null` | no |
@@ -522,6 +525,7 @@ No modules.
 | <a name="input_outpost_subnet_private_dns_hostname_type_on_launch"></a> [outpost\_subnet\_private\_dns\_hostname\_type\_on\_launch](#input\_outpost\_subnet\_private\_dns\_hostname\_type\_on\_launch) | The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name` | `string` | `null` | no |
 | <a name="input_outpost_subnet_suffix"></a> [outpost\_subnet\_suffix](#input\_outpost\_subnet\_suffix) | Suffix to append to outpost subnets name | `string` | `"outpost"` | no |
 | <a name="input_outpost_subnet_tags"></a> [outpost\_subnet\_tags](#input\_outpost\_subnet\_tags) | Additional tags for the outpost subnets | `map(string)` | `{}` | no |
+| <a name="input_outpost_subnet_tags_by_name"></a> [outpost\_subnet\_tags\_by\_name](#input\_outpost\_subnet\_tags\_by\_name) | Additional tags for the outpost subnets where the primary key is the subnet name | `map(map(string))` | `{}` | no |
 | <a name="input_outpost_subnets"></a> [outpost\_subnets](#input\_outpost\_subnets) | A list of outpost subnets inside the VPC | `list(string)` | `[]` | no |
 | <a name="input_private_acl_tags"></a> [private\_acl\_tags](#input\_private\_acl\_tags) | Additional tags for the private subnets network ACL | `map(string)` | `{}` | no |
 | <a name="input_private_dedicated_network_acl"></a> [private\_dedicated\_network\_acl](#input\_private\_dedicated\_network\_acl) | Whether to use dedicated network ACL (not default) and custom rules for private subnets | `bool` | `false` | no |
@@ -538,6 +542,7 @@ No modules.
 | <a name="input_private_subnet_private_dns_hostname_type_on_launch"></a> [private\_subnet\_private\_dns\_hostname\_type\_on\_launch](#input\_private\_subnet\_private\_dns\_hostname\_type\_on\_launch) | The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name` | `string` | `null` | no |
 | <a name="input_private_subnet_suffix"></a> [private\_subnet\_suffix](#input\_private\_subnet\_suffix) | Suffix to append to private subnets name | `string` | `"private"` | no |
 | <a name="input_private_subnet_tags"></a> [private\_subnet\_tags](#input\_private\_subnet\_tags) | Additional tags for the private subnets | `map(string)` | `{}` | no |
+| <a name="input_private_subnet_tags_by_name"></a> [private\_subnet\_tags\_by\_name](#input\_private\_subnet\_tags\_by\_name) | Additional tags for the private subnets where the primary key is the subnet name | `map(map(string))` | `{}` | no |
 | <a name="input_private_subnet_tags_per_az"></a> [private\_subnet\_tags\_per\_az](#input\_private\_subnet\_tags\_per\_az) | Additional tags for the private subnets where the primary key is the AZ | `map(map(string))` | `{}` | no |
 | <a name="input_private_subnets"></a> [private\_subnets](#input\_private\_subnets) | A list of private subnets inside the VPC | `list(string)` | `[]` | no |
 | <a name="input_propagate_intra_route_tables_vgw"></a> [propagate\_intra\_route\_tables\_vgw](#input\_propagate\_intra\_route\_tables\_vgw) | Should be true if you want route table propagation | `bool` | `false` | no |
@@ -559,6 +564,7 @@ No modules.
 | <a name="input_public_subnet_suffix"></a> [public\_subnet\_suffix](#input\_public\_subnet\_suffix) | Suffix to append to public subnets name | `string` | `"public"` | no |
 | <a name="input_public_subnet_tags"></a> [public\_subnet\_tags](#input\_public\_subnet\_tags) | Additional tags for the public subnets | `map(string)` | `{}` | no |
 | <a name="input_public_subnet_tags_per_az"></a> [public\_subnet\_tags\_per\_az](#input\_public\_subnet\_tags\_per\_az) | Additional tags for the public subnets where the primary key is the AZ | `map(map(string))` | `{}` | no |
+| <a name="input_public_subnet_tags_by_name"></a> [public\_subnet\_tags\_by\_name](#input\_public\_subnet\_tags\_by\_name) | Additional tags for the public subnets where the primary key is the subnet name | `map(map(string))` | `{}` | no |
 | <a name="input_public_subnets"></a> [public\_subnets](#input\_public\_subnets) | A list of public subnets inside the VPC | `list(string)` | `[]` | no |
 | <a name="input_putin_khuylo"></a> [putin\_khuylo](#input\_putin\_khuylo) | Do you agree that Putin doesn't respect Ukrainian sovereignty and territorial integrity? More info: https://en.wikipedia.org/wiki/Putin_khuylo! | `bool` | `true` | no |
 | <a name="input_redshift_acl_tags"></a> [redshift\_acl\_tags](#input\_redshift\_acl\_tags) | Additional tags for the redshift subnets network ACL | `map(string)` | `{}` | no |
@@ -578,6 +584,7 @@ No modules.
 | <a name="input_redshift_subnet_private_dns_hostname_type_on_launch"></a> [redshift\_subnet\_private\_dns\_hostname\_type\_on\_launch](#input\_redshift\_subnet\_private\_dns\_hostname\_type\_on\_launch) | The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: `ip-name`, `resource-name` | `string` | `null` | no |
 | <a name="input_redshift_subnet_suffix"></a> [redshift\_subnet\_suffix](#input\_redshift\_subnet\_suffix) | Suffix to append to redshift subnets name | `string` | `"redshift"` | no |
 | <a name="input_redshift_subnet_tags"></a> [redshift\_subnet\_tags](#input\_redshift\_subnet\_tags) | Additional tags for the redshift subnets | `map(string)` | `{}` | no |
+| <a name="input_redshift_subnet_tags_by_name"></a> [redshift\_subnet\_tags\_by\_name](#input\_redshift\_subnet\_tags\_by\_name) | Additional tags for the redshift subnets where the primary key is the subnet name | `map(map(string))` | `{}` | no |
 | <a name="input_redshift_subnets"></a> [redshift\_subnets](#input\_redshift\_subnets) | A list of redshift subnets inside the VPC | `list(string)` | `[]` | no |
 | <a name="input_reuse_nat_ips"></a> [reuse\_nat\_ips](#input\_reuse\_nat\_ips) | Should be true if you don't want EIPs to be created for your NAT Gateways and will instead pass them in via the 'external\_nat\_ip\_ids' variable | `bool` | `false` | no |
 | <a name="input_secondary_cidr_blocks"></a> [secondary\_cidr\_blocks](#input\_secondary\_cidr\_blocks) | List of secondary CIDR blocks to associate with the VPC to extend the IP Address pool | `list(string)` | `[]` | no |

examples/per-subnet-tags/main.tf

@@ -0,0 +1,94 @@
+provider "aws" {
+  region = local.region
+}
+
+data "aws_availability_zones" "available" {}
+
+locals {
+  name   = "ex-${basename(path.cwd)}"
+  region = "eu-west-1"
+
+  vpc_cidr = "10.0.0.0/16"
+  azs      = slice(data.aws_availability_zones.available.names, 0, 3)
+
+  public_subnet_names = [
+    "puba", "pubb", "pubc",
+  ]
+  public_subnet_tags_by_name = {
+    "puba" = { "test" = "puba", "custom" = "foobar" },
+    "pubb" = { "test" = "pubb" },
+    "pubc" = { "test" = "pubc" },
+  }
+
+  private_subnet_names = [
+    "priva", "privb", "privc",
+    "privd", "prive", "privf",
+  ]
+  private_subnet_tags_by_name = {
+    "priva" = { "test" = "priva" },
+    "privb" = { "test" = "privb", "custom" = "private-b-tag" },
+    "privc" = { "test" = "privc" },
+  }
+
+  database_subnet_names = ["dba", "dbb", "dbc"]
+  database_subnet_tags_by_name = {
+    "dba" = { "test" = "dba" }
+    "dbb" = { "test" = "dbb" }
+    "dbc" = { "test" = "dbc", "custom" = "more-tests" }
+  }
+
+  elasticache_subnet_names = ["eca", "ecb", "ecc", "ecd", "ece", "ecf"]
+  elasticache_subnet_tags_by_name = {
+    "eca" = { "test" = "eca" },
+    "ecb" = { "test" = "ecb" },
+    "ecc" = { "test" = "ecc", "custom" = "elasticache-test" },
+  }
+
+  intra_subnet_names = ["inta", "intb", "intc"]
+  intra_subnet_tags_by_name = {
+    "inta" = { "test" = "inta", "custom" = "intra-subnet-tag" },
+    "intb" = { "test" = "intb" },
+    "intc" = { "test" = "intc" },
+  }
+
+  tags = {
+    Example    = local.name
+    GithubRepo = "terraform-aws-vpc"
+    GithubOrg  = "terraform-aws-modules"
+  }
+}
+
+################################################################################
+# VPC Module
+################################################################################
+
+module "vpc" {
+  source = "../../"
+
+  name = local.name
+  cidr = local.vpc_cidr
+
+  azs = local.azs
+
+  private_subnet_names        = local.private_subnet_names
+  private_subnets             = [for k, v in local.private_subnet_names : cidrsubnet(local.vpc_cidr, 4, k)]
+  private_subnet_tags_by_name = local.private_subnet_tags_by_name
+
+  public_subnet_names        = local.public_subnet_names
+  public_subnets             = [for k, v in local.public_subnet_names : cidrsubnet(local.vpc_cidr, 4, k)]
+  public_subnet_tags_by_name = local.public_subnet_tags_by_name
+
+  database_subnet_names        = local.database_subnet_names
+  database_subnets             = [for k, v in local.database_subnet_names : cidrsubnet(local.vpc_cidr, 4, k)]
+  database_subnet_tags_by_name = local.database_subnet_tags_by_name
+
+  elasticache_subnet_names        = local.elasticache_subnet_names
+  elasticache_subnets             = [for k, v in local.elasticache_subnet_names : cidrsubnet(local.vpc_cidr, 4, k)]
+  elasticache_subnet_tags_by_name = local.elasticache_subnet_tags_by_name
+
+  intra_subnet_names        = local.intra_subnet_names
+  intra_subnets             = [for k, v in local.intra_subnet_names : cidrsubnet(local.vpc_cidr, 4, k)]
+  intra_subnet_tags_by_name = local.intra_subnet_tags_by_name
+
+  tags = local.tags
+}

examples/per-subnet-tags/versions.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 6.0"
+    }
+  }
+}

main.tf

@@ -153,7 +153,19 @@ resource "aws_subnet" "public" {
     },
     var.tags,
     var.public_subnet_tags,
-    lookup(var.public_subnet_tags_per_az, element(var.azs, count.index), {})
+    lookup(var.public_subnet_tags_per_az, element(var.azs, count.index), {}),
+    try(
+      # lookup any tags we have configured for subnet
+      var.public_subnet_tags_by_name[
+        # determine the name of this subnet (same as above Name = try(..) block)
+        try(
+          var.public_subnet_names[count.index],
+          format("${var.name}-${var.public_subnet_suffix}-%s", element(var.azs, count.index))
+        )
+      ],
+      # default to {} if none are found
+      {}
+    )
   )
 }
 
@@ -288,7 +300,19 @@ resource "aws_subnet" "private" {
     },
     var.tags,
     var.private_subnet_tags,
-    lookup(var.private_subnet_tags_per_az, element(var.azs, count.index), {})
+    lookup(var.private_subnet_tags_per_az, element(var.azs, count.index), {}),
+    try(
+      # lookup any tags we have configured for subnet
+      var.private_subnet_tags_by_name[
+        # determine the name of this subnet (same as above Name = try(..) block)
+        try(
+          var.private_subnet_names[count.index],
+          format("${var.name}-${var.private_subnet_suffix}-%s", element(var.azs, count.index))
+        )
+      ],
+      # default to {} if none are found
+      {}
+    )
   )
 }
 
@@ -408,6 +432,18 @@ resource "aws_subnet" "database" {
     },
     var.tags,
     var.database_subnet_tags,
+    try(
+      # lookup any tags we have configured for subnet
+      var.database_subnet_tags_by_name[
+        # determine the name of this subnet (same as above Name = try(..) block)
+        try(
+          var.database_subnet_names[count.index],
+          format("${var.name}-${var.database_subnet_suffix}-%s", element(var.azs, count.index))
+        )
+      ],
+      # default to {} if none are found
+      {}
+    )
   )
 }
 
@@ -590,6 +626,18 @@ resource "aws_subnet" "redshift" {
     },
     var.tags,
     var.redshift_subnet_tags,
+    try(
+      # lookup any tags we have configured for subnet
+      var.redshift_subnet_tags_by_name[
+        # determine the name of this subnet (same as above Name = try(..) block)
+        try(
+          var.redshift_subnet_names[count.index],
+          format("${var.name}-${var.redshift_subnet_suffix}-%s", element(var.azs, count.index))
+        )
+      ],
+      # default to {} if none are found
+      {}
+    )
   )
 }
 
@@ -727,6 +775,18 @@ resource "aws_subnet" "elasticache" {
     },
     var.tags,
     var.elasticache_subnet_tags,
+    try(
+      # lookup any tags we have configured for subnet
+      var.elasticache_subnet_tags_by_name[
+        # determine the name of this subnet (same as above Name = try(..) block)
+        try(
+          var.elasticache_subnet_names[count.index],
+          format("${var.name}-${var.elasticache_subnet_suffix}-%s", element(var.azs, count.index))
+        )
+      ],
+      # default to {} if none are found
+      {}
+    )
   )
 }
 
@@ -856,6 +916,18 @@ resource "aws_subnet" "intra" {
     },
     var.tags,
     var.intra_subnet_tags,
+    try(
+      # lookup any tags we have configured for subnet
+      var.intra_subnet_tags_by_name[
+        # determine the name of this subnet (same as above Name = try(..) block)
+        try(
+          var.intra_subnet_names[count.index],
+          format("${var.name}-${var.intra_subnet_suffix}-%s", element(var.azs, count.index))
+        )
+      ],
+      # default to {} if none are found
+      {}
+    )
   )
 }
 
@@ -976,6 +1048,18 @@ resource "aws_subnet" "outpost" {
     },
     var.tags,
     var.outpost_subnet_tags,
+    try(
+      # lookup any tags we have configured for subnet
+      var.outpost_subnet_tags_by_name[
+        # determine the name of this subnet (same as above Name = try(..) block)
+        try(
+          var.outpost_subnet_names[count.index],
+          format("${var.name}-${var.outpost_subnet_suffix}-%s", element(var.azs, count.index))
+        )
+      ],
+      # default to {} if none are found
+      {}
+    )
   )
 }