CA-10 Tag based authorization

CHANGELOG.md

@@ -1,5 +1,10 @@
 # Tamr Terraform Template Repo
 
+## v2.1.0 - July 12nd 2021
+* Adds tags for RDS Subnet Group.
+* Adds new variable `tags` to set tags for all resources
+* Deprecates `additional_tags` in favor of `tags`
+
 ## v2.0.0 - June 30th 2021
 * Accepts a list of security groups
 * Returns a list of ports used by RDS

README.md

@@ -54,7 +54,7 @@ This terraform module will create:
 | subnet\_group\_name | The name of the subnet group to add the RDS instance to | `string` | n/a | yes |
 | vpc\_id | VPC ID for the rds security group | `string` | n/a | yes |
 | additional\_cidrs | Additional CIDR to connect to RDS Postgres instance | `list(string)` | `[]` | no |
-| additional\_tags | Additional tags to set on the RDS instance | `map(string)` | `{}` | no |
+| additional\_tags | [DEPRECATED: Use `tags` instead] Additional tags to set on the RDS instance. | `map(string)` | `{}` | no |
 | allocated\_storage | Allocate storage | `number` | `20` | no |
 | apply\_immediately | Apply immediately, do not set this to true for production | `bool` | `false` | no |
 | backup\_retention\_period | Backup retention period in days | `number` | `14` | no |
@@ -72,6 +72,7 @@ This terraform module will create:
 | security\_group\_name | Name for the security group for the rds instance | `string` | `"tamr_rds_sg"` | no |
 | skip\_final\_snapshot | Skip final snapshot | `bool` | `true` | no |
 | storage\_type | Storage type (e.g. gp2, io1) | `string` | `"gp2"` | no |
+| tags | A map of tags to add to all resources. Replaces `additional_tags`. | `map(string)` | `{}` | no |
 | username | The username for the master DB user. | `string` | `"tamr"` | no |
 
 ## Outputs

VERSION

@@ -1 +1 @@
-2.0.0
+2.1.0

examples/minimal/README.md

@@ -17,6 +17,7 @@ No provider.
 | subnet\_ids | List of at least 2 subnets in different AZs for DB subnet group | `list(string)` | n/a | yes |
 | vpc\_id | VPC ID of network. | `string` | n/a | yes |
 | egress\_cidr\_blocks | CIDR blocks to attach to security groups for egress | `list(string)` | <pre>[<br>  "0.0.0.0/0"<br>]</pre> | no |
+| tags | A map of tags to add to all resources created by this example. | `map(string)` | <pre>{<br>  "Author": "Tamr",<br>  "Environment": "Example"<br>}</pre> | no |
 
 ## Outputs
 

examples/minimal/main.tf

@@ -8,11 +8,12 @@ module "rds_postgres" {
   username             = "exampleUsername"
   password             = "examplePassword" #tfsec:ignore:GEN003
 
-  vpc_id            = var.vpc_id
-  subnet_group_name = "example_subnet_group"
+  vpc_id             = var.vpc_id
+  subnet_group_name  = "example_subnet_group"
   # Network requirement: DB subnet group needs a subnet in at least two Availability Zones
   rds_subnet_ids = var.subnet_ids
   security_group_ids = module.rds-postgres-sg.security_group_ids
+  tags               = var.tags
 }
 
 module "sg-ports" {
@@ -29,4 +30,5 @@ module "rds-postgres-sg" {
   sg_name_prefix = var.name_prefix
   egress_protocol = "all"
   ingress_protocol = "tcp"
+  tags = var.tags
 }

examples/minimal/variables.tf

@@ -27,3 +27,13 @@ variable "egress_cidr_blocks" {
   type = list(string)
   default = ["0.0.0.0/0"]
 }
+
+variable "tags" {
+  type        = map(string)
+  description = "A map of tags to add to all resources created by this example."
+  default     = { 
+    Author = "Tamr"
+    Environment = "Example"
+  }
+}
+

main.tf

@@ -1,13 +1,18 @@
+locals {
+  effective_tags = length(var.tags) > 0 ? var.tags : var.additional_tags
+}
+
 resource "aws_db_parameter_group" "rds_postgres_pg" {
   name        = var.parameter_group_name
   family      = var.parameter_group_family
   description = "TAMR RDS parameter group"
-  tags        = var.additional_tags
+  tags        = local.effective_tags
 }
 
 resource "aws_db_subnet_group" "rds_postgres_subnet_group" {
   name       = var.subnet_group_name
   subnet_ids = var.rds_subnet_ids
+  tags       = local.effective_tags
 }
 
 resource "aws_db_instance" "rds_postgres" {
@@ -41,7 +46,7 @@ resource "aws_db_instance" "rds_postgres" {
   apply_immediately = var.apply_immediately
 
   copy_tags_to_snapshot = var.copy_tags_to_snapshot
-  tags                  = var.additional_tags
+  tags                  = local.effective_tags
 
   lifecycle {
     ignore_changes = [password]

variables.tf

@@ -104,8 +104,14 @@ variable "copy_tags_to_snapshot" {
 }
 
 variable "additional_tags" {
-  description = "Additional tags to set on the RDS instance"
   type        = map(string)
+  description = "[DEPRECATED: Use `tags` instead] Additional tags to set on the RDS instance."
+  default     = {}
+}
+
+variable "tags" {
+  type        = map(string)
+  description = "A map of tags to add to all resources. Replaces `additional_tags`."
   default     = {}
 }