From fa2fd4db3469a7d84f382d1c2f692db6d199c56e Mon Sep 17 00:00:00 2001
From: mglotov <37855803+mglotov@users.noreply.github.com>
Date: Sat, 10 Jun 2023 11:57:42 +0600
Subject: [PATCH] enh: use default tags on an aws provider level (#336)
---
terraform/layer1-aws/README.md | 43 ++++++++++---------
terraform/layer1-aws/aws-cloudtrail.tf | 5 ---
terraform/layer1-aws/aws-eks.tf | 6 +--
terraform/layer1-aws/main.tf | 23 +++++++++-
terraform/layer1-aws/providers.tf | 7 +++
terraform/layer1-aws/variables.tf | 5 +++
.../aws-cost-allocation-tags/README.md | 29 +++++++++++++
.../modules/aws-cost-allocation-tags/main.tf | 6 +++
.../aws-cost-allocation-tags/variables.tf | 7 +++
terraform/modules/aws-pritunl/main.tf | 2 +-
10 files changed, 100 insertions(+), 33 deletions(-)
create mode 100644 terraform/modules/aws-cost-allocation-tags/README.md
create mode 100644 terraform/modules/aws-cost-allocation-tags/main.tf
create mode 100644 terraform/modules/aws-cost-allocation-tags/variables.tf
diff --git a/terraform/layer1-aws/README.md b/terraform/layer1-aws/README.md
index c4b19e22..33b167ba 100644
--- a/terraform/layer1-aws/README.md
+++ b/terraform/layer1-aws/README.md
@@ -3,20 +3,21 @@ | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | 1.4.4 | -| [aws](#requirement\_aws) | 4.62.0 | +| [aws](#requirement\_aws) | 5.1.0 | | [kubernetes](#requirement\_kubernetes) | 2.19.0 | ## Providers | Name | Version | |------|---------| -| [aws](#provider\_aws) | 4.62.0 | +| [aws](#provider\_aws) | 5.1.0 | ## Modules | Name | Source | Version | |------|--------|---------| | [acm](#module\_acm) | terraform-aws-modules/acm/aws | 4.3.2 | +| [aws\_cost\_allocation\_tags](#module\_aws\_cost\_allocation\_tags) | ../modules/aws-cost-allocation-tags | n/a | | [aws\_ebs\_csi\_driver](#module\_aws\_ebs\_csi\_driver) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | 5.17.0 | | [eks](#module\_eks) | terraform-aws-modules/eks/aws | 19.12.0 | | [eventbridge](#module\_eventbridge) | terraform-aws-modules/eventbridge/aws | 1.17.3 | 
@@ -30,25 +31,24 @@ | Name | Type | |------|------| -| [aws_cloudtrail.main](https://registry.terraform.io/providers/hashicorp/aws/4.62.0/docs/resources/cloudtrail) | resource | -| [aws_ebs_encryption_by_default.default](https://registry.terraform.io/providers/hashicorp/aws/4.62.0/docs/resources/ebs_encryption_by_default) | resource | -| [aws_iam_account_password_policy.default](https://registry.terraform.io/providers/hashicorp/aws/4.62.0/docs/resources/iam_account_password_policy) | resource | -| [aws_s3_bucket.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/4.62.0/docs/resources/s3_bucket) | resource | -| [aws_s3_bucket_acl.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/4.62.0/docs/resources/s3_bucket_acl) | resource | -| [aws_s3_bucket_lifecycle_configuration.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/4.62.0/docs/resources/s3_bucket_lifecycle_configuration) | resource | -| [aws_s3_bucket_policy.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/4.62.0/docs/resources/s3_bucket_policy) | resource | -| [aws_s3_bucket_public_access_block.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/4.62.0/docs/resources/s3_bucket_public_access_block) | resource | -| [aws_s3_bucket_server_side_encryption_configuration.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/4.62.0/docs/resources/s3_bucket_server_side_encryption_configuration) | resource | -| [aws_sns_topic.security_alerts](https://registry.terraform.io/providers/hashicorp/aws/4.62.0/docs/resources/sns_topic) | resource | -| [aws_sns_topic_policy.security_alerts](https://registry.terraform.io/providers/hashicorp/aws/4.62.0/docs/resources/sns_topic_policy) | resource | -| [aws_sns_topic_subscription.security_alerts](https://registry.terraform.io/providers/hashicorp/aws/4.62.0/docs/resources/sns_topic_subscription) | resource | -| 
[aws_acm_certificate.main](https://registry.terraform.io/providers/hashicorp/aws/4.62.0/docs/data-sources/acm_certificate) | data source | -| [aws_ami.eks_default_bottlerocket](https://registry.terraform.io/providers/hashicorp/aws/4.62.0/docs/data-sources/ami) | data source | -| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/4.62.0/docs/data-sources/availability_zones) | data source | -| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/4.62.0/docs/data-sources/caller_identity) | data source | -| [aws_eks_cluster_auth.main](https://registry.terraform.io/providers/hashicorp/aws/4.62.0/docs/data-sources/eks_cluster_auth) | data source | -| [aws_route53_zone.main](https://registry.terraform.io/providers/hashicorp/aws/4.62.0/docs/data-sources/route53_zone) | data source | -| [aws_security_group.default](https://registry.terraform.io/providers/hashicorp/aws/4.62.0/docs/data-sources/security_group) | data source | +| [aws_cloudtrail.main](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/resources/cloudtrail) | resource | +| [aws_ebs_encryption_by_default.default](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/resources/ebs_encryption_by_default) | resource | +| [aws_iam_account_password_policy.default](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/resources/iam_account_password_policy) | resource | +| [aws_s3_bucket.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/resources/s3_bucket) | resource | +| [aws_s3_bucket_lifecycle_configuration.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/resources/s3_bucket_lifecycle_configuration) | resource | +| [aws_s3_bucket_policy.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/resources/s3_bucket_policy) | resource | +| 
[aws_s3_bucket_public_access_block.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/resources/s3_bucket_public_access_block) | resource | +| [aws_s3_bucket_server_side_encryption_configuration.cloudtrail](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/resources/s3_bucket_server_side_encryption_configuration) | resource | +| [aws_sns_topic.security_alerts](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/resources/sns_topic) | resource | +| [aws_sns_topic_policy.security_alerts](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/resources/sns_topic_policy) | resource | +| [aws_sns_topic_subscription.security_alerts](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/resources/sns_topic_subscription) | resource | +| [aws_acm_certificate.main](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/data-sources/acm_certificate) | data source | +| [aws_ami.eks_default_bottlerocket](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/data-sources/ami) | data source | +| [aws_availability_zones.available](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/data-sources/availability_zones) | data source | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/data-sources/caller_identity) | data source | +| [aws_eks_cluster_auth.main](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/data-sources/eks_cluster_auth) | data source | +| [aws_route53_zone.main](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/data-sources/route53_zone) | data source | +| [aws_security_group.default](https://registry.terraform.io/providers/hashicorp/aws/5.1.0/docs/data-sources/security_group) | data source | ## Inputs @@ -75,6 +75,7 @@ | [eks\_workers\_additional\_policies](#input\_eks\_workers\_additional\_policies) | Additional IAM policy attached to EKS worker nodes | `map(string)` |
{| no | | [eks\_write\_kubeconfig](#input\_eks\_write\_kubeconfig) | Flag for eks module to write kubeconfig | `bool` | `false` | no | | [environment](#input\_environment) | Env name in case workspace wasn't used | `string` | `"demo"` | no | +| [is\_this\_payment\_account](#input\_is\_this\_payment\_account) | Set it to false if a target account isn't a payer account. This variable is used to apply a configuration for cost allocation tags | `bool` | `true` | no | | [name](#input\_name) | Project name, required to create unique resource names | `any` | n/a | yes | | [node\_group\_br](#input\_node\_group\_br) | Bottlerocket node group configuration |
"additional": "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
}
object({|
instance_type = string
max_capacity = number
min_capacity = number
desired_capacity = number
capacity_rebalance = bool
use_mixed_instances_policy = bool
mixed_instances_policy = any
})
{| no | | [node\_group\_ci](#input\_node\_group\_ci) | CI node group configuration |
"capacity_rebalance": true,
"desired_capacity": 0,
"instance_type": "t3.medium",
"max_capacity": 5,
"min_capacity": 0,
"mixed_instances_policy": {
"instances_distribution": {
"on_demand_base_capacity": 0,
"on_demand_percentage_above_base_capacity": 0
},
"override": [
{
"instance_type": "t3.medium"
},
{
"instance_type": "t3a.medium"
}
]
},
"use_mixed_instances_policy": true
}
object({|
instance_type = string
max_capacity = number
min_capacity = number
desired_capacity = number
capacity_rebalance = bool
use_mixed_instances_policy = bool
mixed_instances_policy = any
})
{| no |
diff --git a/terraform/layer1-aws/aws-cloudtrail.tf b/terraform/layer1-aws/aws-cloudtrail.tf
index 85390dfc..28c3f5fc 100644
--- a/terraform/layer1-aws/aws-cloudtrail.tf
+++ b/terraform/layer1-aws/aws-cloudtrail.tf
@@ -19,11 +19,6 @@ resource "aws_s3_bucket" "cloudtrail" {
 tags = local.tags
 }
-resource "aws_s3_bucket_acl" "cloudtrail" {
- bucket = aws_s3_bucket.cloudtrail.id
- acl = "private"
-}
-
 resource "aws_s3_bucket_lifecycle_configuration" "cloudtrail" {
 bucket = aws_s3_bucket.cloudtrail.id
diff --git a/terraform/layer1-aws/aws-eks.tf b/terraform/layer1-aws/aws-eks.tf
index b7838130..ab790e7d 100644
--- a/terraform/layer1-aws/aws-eks.tf
+++ b/terraform/layer1-aws/aws-eks.tf
@@ -56,11 +56,6 @@ module "eks" {
 cluster_enabled_log_types = var.eks_cluster_enabled_log_types
 cloudwatch_log_group_retention_in_days = var.eks_cloudwatch_log_group_retention_in_days
- tags = {
- ClusterName = local.name
- Environment = local.env
- }
-
 vpc_id = module.vpc.vpc_id
 cluster_endpoint_public_access = var.eks_cluster_endpoint_public_access
@@ -185,6 +180,7 @@ module "eks" {
 }
 }
+ tags = { "ClusterName" = local.name }
 }
 module "vpc_cni_irsa" {
diff --git a/terraform/layer1-aws/main.tf b/terraform/layer1-aws/main.tf
index f4ce095a..14de12e5 100644
--- a/terraform/layer1-aws/main.tf
+++ b/terraform/layer1-aws/main.tf
@@ -4,7 +4,7 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = "4.62.0"
+ version = "5.1.0"
 }
 kubernetes = {
 source = "hashicorp/kubernetes"
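Review bot: Worker-node instances and their volumes likely lose the `Environment` tag after the second aws-eks.tf hunk, since the eks module now receives only `tags = { "ClusterName" = local.name }` and, as far as I know, provider `default_tags` are neither honoured by `aws_autoscaling_group` nor copied into the launch-template `tag_specifications` that the module builds from its `tags` input. The `aws:autoscaling:groupName` key activated for cost allocation in main.tf suggests per-node cost attribution matters here, so the safer form is `tags = { ClusterName = local.name, Environment = local.env }` — with the provider now at 5.x, a key that also appears in `default_tags` is overridden by the resource-level value rather than rejected. The first aws-eks.tf hunk removed exactly that block, and the `module "eks"` block starts before both hunks.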
@@ -33,3 +33,24 @@ resource "aws_iam_account_password_policy" "default" {
 allow_users_to_change_password = var.aws_account_password_policy.allow_users_to_change_password
 max_password_age = var.aws_account_password_policy.max_password_age
 }
+
+
+module "aws_cost_allocation_tags" {
+ count = var.is_this_payment_account ? 1 : 0
+
+ source = "../modules/aws-cost-allocation-tags"
+ tags = [
+ {
+ tag_key = "Environment"
+ status = "Active"
+ },
+ {
+ tag_key = "Terraform"
+ status = "Active"
+ },
+ {
+ tag_key = "aws:autoscaling:groupName"
+ status = "Active"
+ }
+ ]
+}
diff --git a/terraform/layer1-aws/providers.tf b/terraform/layer1-aws/providers.tf
index 449e183b..2e4d1306 100644
--- a/terraform/layer1-aws/providers.tf
+++ b/terraform/layer1-aws/providers.tf
@@ -1,6 +1,13 @@
 provider "aws" {
 region = var.region
 allowed_account_ids = var.allowed_account_ids
+ default_tags {
+ tags = {
+ Name = local.name
+ Environment = local.env
+ Terraform = "true"
+ }
+ }
 }
 provider "kubernetes" {
diff --git a/terraform/layer1-aws/variables.tf b/terraform/layer1-aws/variables.tf
index 7df7332e..3d98e246 100644
--- a/terraform/layer1-aws/variables.tf
+++ b/terraform/layer1-aws/variables.tf
@@ -21,6 +21,11 @@ variable "aws_account_password_policy" {
 }
 }
+variable "is_this_payment_account" {
+ default = true
+ description = "Set it to false if a target account isn't a payer account. This variable is used to apply a configuration for cost allocation tags"
+ }
+
 variable "name" {
 description = "Project name, required to create unique resource names"
 }
diff --git a/terraform/modules/aws-cost-allocation-tags/README.md b/terraform/modules/aws-cost-allocation-tags/README.md
new file mode 100644
index 00000000..89dc123f
--- /dev/null
+++ b/terraform/modules/aws-cost-allocation-tags/README.md
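Review bot: `aws_ce_cost_allocation_tag` can only activate a key that Cost Explorer has already discovered on a billed resource, and on a new account the resources carrying `Environment` and `Terraform` are created in the same apply as this `module "aws_cost_allocation_tags"` call, so I would expect the first apply to fail until the keys show up (in my experience this lags by up to a day). That ordering is invisible from the module call; a comment on it would save the next operator a confused re-run: `# Cost Explorer must already list these keys (it lags the first tagged resource by up to ~24h); re-run apply on a fresh account if this fails.` The `count` guard is also enabled by default through `is_this_payment_account = true`, so a member account applying this layer with defaults will call a feature the variable's own description reserves for the payer account; that is worth stating next to the guard as well.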
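Review bot: Putting `Name = local.name` into `default_tags` stamps the project name as the console `Name` on every taggable resource in this layer that does not set its own (VPC, subnets, security groups, IAM roles, …), which makes the console harder to read and is not one of the keys activated for cost allocation in main.tf; `Environment` and `Terraform` are the keys that carry meaning across all resources. I would drop that single line, `Name = local.name`, and let modules keep setting `Name` per resource as `aws_eip.this` in the pritunl hunk already does. A short comment on the block would also help readers who expect these keys on every object, since resources whose tags bypass the `tags` argument and the kubernetes provider do not pick them up: `# Merged into every AWS resource's tags; resource-level tags override. Not inherited by the kubernetes provider.`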
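Review bot: `is_this_payment_account` is declared without a `type`, so the `bool` the README advertises is not enforced, and a value such as `"yes"` only surfaces as an error in the `count` conditional in main.tf instead of at the variable boundary; add `type = bool` next to `default = true`. The name and description also disagree ("payment" vs "payer"); renaming would break callers, so tightening the description is the cheaper fix: `description = "Set to false when the target account is not the payer (management) account; controls whether cost allocation tags are activated"`.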
@@ -0,0 +1,29 @@ +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_ce_cost_allocation_tag.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ce_cost_allocation_tag) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [tags](#input\_tags) | A list of tags to use for cost allocation tags |
"capacity_rebalance": false,
"desired_capacity": 0,
"instance_type": "t3.medium",
"max_capacity": 5,
"min_capacity": 0,
"mixed_instances_policy": {
"instances_distribution": {
"on_demand_base_capacity": 0,
"on_demand_percentage_above_base_capacity": 0
},
"override": [
{
"instance_type": "t3.medium"
},
{
"instance_type": "t3a.medium"
}
]
},
"use_mixed_instances_policy": true
}
list(object({| n/a | yes |
+
+## Outputs
+
+No outputs.
diff --git a/terraform/modules/aws-cost-allocation-tags/main.tf b/terraform/modules/aws-cost-allocation-tags/main.tf
new file mode 100644
index 00000000..4f0aabb9
--- /dev/null
+++ b/terraform/modules/aws-cost-allocation-tags/main.tf
@@ -0,0 +1,6 @@
+resource "aws_ce_cost_allocation_tag" "this" {
+ for_each = { for item in var.tags : item.tag_key => item }
+
+ tag_key = each.value.tag_key
+ status = each.value.status
+}
diff --git a/terraform/modules/aws-cost-allocation-tags/variables.tf b/terraform/modules/aws-cost-allocation-tags/variables.tf
new file mode 100644
index 00000000..16720007
--- /dev/null
+++ b/terraform/modules/aws-cost-allocation-tags/variables.tf
@@ -0,0 +1,7 @@
+variable "tags" {
+ type = list(object({
+ tag_key = string
+ status = string
+ }))
+ description = "A list of tags to use for cost allocation tags"
+}
diff --git a/terraform/modules/aws-pritunl/main.tf b/terraform/modules/aws-pritunl/main.tf
index 1326e105..77446c18 100644
--- a/terraform/modules/aws-pritunl/main.tf
+++ b/terraform/modules/aws-pritunl/main.tf
@@ -1,6 +1,6 @@
 data "aws_region" "current" {}
 resource "aws_eip" "this" {
- vpc = true
+ domain = "vpc"
 tags = {
 Name = var.name
 Environment = var.environment
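Review bot: `status` in the `tags` object of the new variables.tf is a free `string`, while `aws_ce_cost_allocation_tag` in the new main.tf accepts only `Active` or `Inactive`, so a typo such as `"active"` is rejected by the API at apply time instead of at plan time. A `validation` block on the variable catches it early, and the error then names the offending input rather than an API response. Both files are new, so the whole `variable "tags"` block is in view.
```hcl
variable "tags" {
  # … unchanged: type and description …
  validation {
    condition     = alltrue([for t in var.tags : contains(["Active", "Inactive"], t.status)])
    error_message = "Every tags[*].status must be \"Active\" or \"Inactive\"."
  }
}
```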
tag_key = string
status = string
}))