Merge pull request #8 from olhado/tagged-resources

Tagged resources
threatstack · Sep 22, 2020 · 7897c3e · 7897c3e
2 parents 52ef807 + af64ffa
commit 7897c3e
Show file tree

Hide file tree

Showing 7 changed files with 21 additions and 5 deletions.
diff --git a/README.md b/README.md
@@ -169,7 +169,8 @@ module "threatstack_aws_integration" {
     sns_topic_display_name  = string # Defaults to "Threat Stack integration topic."
     sqs_queue_name          = string # Defaults to "ThreatStackIntegration"
     s3_bucket_name          = string # Defaults to "threatstack-integration"
-    s3_force_destroy        = string # Defaults to "/"
+    s3_bucket_prefix        = string # Defaults to "/"
+    tags                    = map    # Defaults to {} (empty map)
   }
 
   #...
@@ -191,6 +192,8 @@ module "threatstack_aws_integration" {
 
 * ___aws_optional_conf.s3_bucket_prefix (optional):___ S3 prefix path for logs.  Useful is using a bucket used by other services. (Not recommended)
 
+* ___aws_optional_conf.tags(optional):___ Map of tags to apply to all resources.
+
 ##### Using existing cloudtrail infrastructure
 
 If you already have your Cloudtrail set up, with its corresponding cloudwatch log group and S3 bucket, you can configure this module to use this infrastructure by setting the following settings. The module will still set up the SQS and SNS resources required, as well as the various IAM resources to allow for the integration to talk to Threat Stack's platform.

diff --git a/aws_cloudtrail.tf b/aws_cloudtrail.tf
@@ -18,6 +18,7 @@ resource "aws_cloudwatch_log_group" "ct" {
   count = var.existing_cloudtrail != null ? 0 : 1 # Don't create this if using an existing cloudtrail
 
   name = "/aws/cloudtrail/${var.aws_optional_conf.cloudtrail_name}"
+  tags = var.aws_optional_conf.tags
 
   depends_on = [
     aws_iam_role_policy.ct,
@@ -29,6 +30,8 @@ resource "aws_iam_role" "ct" {
   count = var.existing_cloudtrail != null ? 0 : 1 # Don't create this if using an existing cloudtrail
 
   name               = "${var.aws_optional_conf.cloudtrail_name}-CloudTrailToCloudWatch"
+  tags               = var.aws_optional_conf.tags
+
   assume_role_policy = data.template_file.aws_iam_cloudtrail_to_cloudwatch_assume_role_policy.rendered
 }
 
@@ -44,6 +47,8 @@ resource "aws_cloudtrail" "ct" {
   count = var.existing_cloudtrail != null ? 0 : 1 # Don't create this if using an existing cloudtrail
 
   name                          = var.aws_optional_conf.cloudtrail_name
+  tags                          = var.aws_optional_conf.tags
+
   s3_bucket_name                = aws_s3_bucket.bucket[0].id
   enable_logging                = var.aws_flags.enable_logging
   enable_log_file_validation    = var.aws_flags.enable_log_file_validation

diff --git a/aws_iam_role.tf b/aws_iam_role.tf
@@ -22,6 +22,8 @@ data "template_file" "aws_iam_role_policy" {
 
 resource "aws_iam_role" "role" {
   name               = var.aws_optional_conf.iam_role_name
+  tags               = var.aws_optional_conf.tags
+
   assume_role_policy = data.template_file.aws_iam_assume_role_policy.rendered
 }
 

diff --git a/aws_s3_bucket.tf b/aws_s3_bucket.tf
@@ -22,10 +22,10 @@ resource "aws_s3_bucket" "bucket" {
     enabled = "false"
   }
   force_destroy = var.aws_flags.s3_force_destroy
-  tags = {
-    terraform = "true"
-  }
-  depends_on = [aws_sns_topic_subscription.sqs]
+
+  tags          = var.aws_optional_conf.tags
+
+  depends_on    = [aws_sns_topic_subscription.sqs]
 }
 
 resource "aws_s3_bucket_policy" "bucket" {

diff --git a/aws_sns_topic.tf b/aws_sns_topic.tf
@@ -6,6 +6,8 @@ data "template_file" "aws_sns_topic_policy" {
 
 resource "aws_sns_topic" "sns" {
   name         = var.aws_optional_conf.sns_topic_name
+  tags         = var.aws_optional_conf.tags
+
   display_name = var.aws_optional_conf.sns_topic_display_name
   depends_on   = [aws_iam_role.role]
 }

diff --git a/aws_sqs_queue.tf b/aws_sqs_queue.tf
@@ -9,6 +9,8 @@ data "template_file" "aws_sqs_queue_policy" {
 
 resource "aws_sqs_queue" "sqs" {
   name       = var.aws_optional_conf.sqs_queue_name
+  tags       = var.aws_optional_conf.tags
+
   depends_on = [aws_sns_topic_policy.sns]
 }
 

diff --git a/variables.tf b/variables.tf
@@ -81,6 +81,7 @@ variable "aws_optional_conf" {
     sqs_queue_name         = string
     s3_bucket_name         = string
     s3_bucket_prefix       = string
+    tags                   = map(string)
   })
 
   default = {
@@ -91,5 +92,6 @@ variable "aws_optional_conf" {
     sqs_queue_name         = "ThreatStackIntegration"
     s3_bucket_name         = "threatstack-integration"
     s3_bucket_prefix       = "/"
+    tags                   = {}
   }
 }