rhythmictech/terraform-aws-tag-policy

terraform-aws-tag-policy

Facilitate the creation of tag policies in AWS Organizations.

Example

Here's what using the module looks like:

```hcl
module "example" {
  # Consume the module from the repository named on this page. Pin `ref` to a
  # release tag in practice; a registry address, if published, is not listed here.
  source = "git::https://github.com/rhythmictech/terraform-aws-tag-policy.git"

  name = "require-owner-tag"

  # One map entry per tag key. Without a values list any value is accepted;
  # enforced_for lists the resource types on which the policy is enforced
  # rather than only reported on.
  tag_policy = {
    Owner = {
      tag_key = "Owner"
      enforced_for = [
        "*"
      ]
    }
  }
}
```

About

This module creates one tag policy in AWS Organizations and attaches it either to the organization root or to a list of OUs. To attach several tag policies to the same organization or OU, instantiate the module once per policy.

Tag policies are inherited down the organization tree, and this module exposes the inheritance operators. By default every setting is written with the @@assign operator; the effective tag policy for an account is then the merge of all policies attached from the root down to that account, where settings for different tag keys are combined and a child's @@assign for a key already set by a parent replaces the inherited setting. Use the *_operator inputs to switch a setting to @@append (add to the inherited values) or @@remove (drop some of them), and the *_operators_allowed_for_child_policies inputs to restrict which operators child policies may apply to a setting (["@@none"] forbids any change by descendants). Thus,

Rolling out a tag policy in a running environment can cause unexpected results. Enforcement (the enforced_for setting) blocks tag operations that are noncompliant with the policy, such as a wrong key capitalization or a value outside the allowed list, on the listed resource types only, which can fail deployments and automation that tag resources that way; it does not require the tag to be present, so resources created without the tag are unaffected. Be sure to test in a dedicated AWS account and roll out carefully, and consult the AWS Organizations documentation on tag policies first.

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.1 |
| aws | >= 5 |

Providers

| Name | Version |
|------|---------|
| aws | 5.64.0 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_organizations_policy.this | resource |
| aws_organizations_policy_attachment.tag_policy_attachment | resource |
| aws_organizations_policy_attachment.tag_policy_attachment_org | resource |
| aws_organizations_organization.org | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| attach_ous | List of OU IDs to attach the tag policy to (used together with attach_to_org = false) | list(string) | [] | no |
| attach_to_org | Whether to attach the tag policy to the organization root (set to false to attach only to the OUs in attach_ous) | bool | true | no |
| description | Description of the tag policy | string | null | no |
| name | Moniker applied to all resources in the module | string | n/a | yes |
| tag_policy | Map of tag definitions that make up the tag policy, keyed by tag name; the object type is shown below | map(object({...})) | {} | no |
| tags | User-defined tags | map(string) | {} | no |

The full type of tag_policy:

```hcl
map(object({
  enforced_for                                      = optional(list(string))
  enforced_for_operator                             = optional(string)
  enforced_for_operators_allowed_for_child_policies = optional(list(string))
  tag_key                                           = string
  tag_key_operator                                  = optional(string)
  tag_key_operators_allowed_for_child_policies      = optional(list(string))
  values                                            = optional(list(string))
  values_operator                                   = optional(string)
  values_operators_allowed_for_child_policies       = optional(list(string))
}))
```
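The following configuration is an added example, not code from the module's own README, that exercises the inheritance behaviour described in About together with the inputs listed above: a root-level baseline that fixes the CostCenter key and lets children only append values, and a second module instance attached to one OU that appends a value and turns on enforcement for a narrow set of EC2 resource types. It assumes the module is consumed straight from the GitHub repository named on this page (pin `ref` to a real tag; no registry address is given here), that the OU ID is a placeholder, and that the *_operator and *_operators_allowed_for_child_policies inputs accept the AWS operator strings (@@assign, @@append, @@remove, @@none) exactly as About describes; the mapping of those inputs onto the policy JSON is inferred from their names, not read from the module source.

```hcl
# Added example (not part of the module's README). Assumptions: module source
# address, placeholder OU ID, and that the *_operator inputs take AWS
# inheritance operator strings as described in the About section.

# 1. Organization-wide baseline, attached to the root.
module "tag_policy_baseline" {
  source = "git::https://github.com/rhythmictech/terraform-aws-tag-policy.git?ref=main" # pin to a tag in practice

  name          = "costcenter-baseline"
  description   = "CostCenter key capitalization and base values for the whole organization"
  attach_to_org = true

  tag_policy = {
    CostCenter = {
      tag_key = "CostCenter"
      # Children may not change the key's capitalization at all.
      tag_key_operators_allowed_for_child_policies = ["@@none"]

      # Base values, written with the default @@assign operator.
      values = ["1001", "1002"]
      # Children may only @@append to this list, never replace or remove.
      values_operators_allowed_for_child_policies = ["@@append"]

      # No enforced_for at the root: noncompliant tags are only reported here.
    }
  }

  tags = { ManagedBy = "terraform" }
}

# 2. OU-scoped policy that extends the baseline and enforces it narrowly.
module "tag_policy_workloads_ou" {
  source = "git::https://github.com/rhythmictech/terraform-aws-tag-policy.git?ref=main"

  name          = "costcenter-workloads"
  description   = "Extra CostCenter value and enforcement for the Workloads OU"
  attach_to_org = false                 # attach to OUs only, per the input description
  attach_ous    = ["ou-abcd-11111111"]  # placeholder OU ID

  tag_policy = {
    CostCenter = {
      tag_key = "CostCenter"

      # Inherited values 1001 and 1002 remain; 2001 is added for this OU.
      values          = ["2001"]
      values_operator = "@@append"

      # Enforcement only on these resource types; tagging an instance or
      # volume with "costcenter" or a value outside {1001,1002,2001} is denied
      # in this OU, while untagged resources and other types are untouched.
      enforced_for = ["ec2:instance", "ec2:volume"]
    }
  }

  tags = { ManagedBy = "terraform" }
}
```

After `terraform apply`, check what an account in the OU actually inherits before enabling enforcement more widely: `aws organizations describe-effective-policy --policy-type TAG_POLICY --target-id <account-id>` returns the merged policy, which should show the CostCenter key with all three values. If the child had used `values_operator = "@@assign"` instead of @@append, the baseline's allowed-operators list would make that change invalid, which is the point of restricting operators at the root.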

Outputs

No outputs.

Getting Started

This workflow has a few prerequisites, which are installed through the ./bin/install-x.sh scripts and described below. The install scripts also work on your local machine.

We use tfenv to manage Terraform versions: the required version is defined in versions.tf and tfenv installs the latest compliant release. pre-commit is like a package manager for scripts that integrate with git hooks; we use it to run the rest of the tools before each commit. terraform-docs generates the documentation above, trivy scans for security misconfigurations, and tflint checks for best practices.