{"id":1086,"date":"2023-08-28T15:29:21","date_gmt":"2023-08-28T15:29:21","guid":{"rendered":"https:\/\/blog.ngocha.biz\/?p=1086"},"modified":"2023-08-28T15:29:21","modified_gmt":"2023-08-28T15:29:21","slug":"aws-tag-policy-terraform","status":"publish","type":"post","link":"https:\/\/blog.ngocha.biz\/?p=1086","title":{"rendered":"AWS Tag Policy Configuration Using Terraform"},"content":{"rendered":"

In this blog, you will learn to configure AWS Tag Policies<\/a> using Terraform. I have added step-by-step guides for the whole setup.<\/p>\n

Terraform Tag Policy Deployment Workflow<\/h2>\n

Here is the workflow explanation<\/p>\n

    \n
  1. Download the Terraform code from the GitHub repository into your system where you have installed Terraform and AWS CLI.<\/li>\n
  2. Run the specific script which contains tag-policy<\/code> module by passing proper variables in the variable file.<\/li>\n
  3. Terraform will execute the tag-policy<\/code> module to create a policy to enforce compliance for specific resources such as EC2 Instances, Security Groups, AWS Lambda, etc.<\/li>\n
  4. The newly created policy will be associated with the account that we have mentioned in the variables file.<\/li>\n
  5. The policy ID will be shown in the output as part of the Terraform configuration.<\/li>\n
  6. Terraform will automatically save the state file in the S3 bucket in your AWS account.<\/li>\n<\/ol>\n

    Terraform Tag Policy Code Repository<\/strong><\/h2>\n

    The Tag Policy Terraform code is included in the Terraform AWS<\/a> repository. To follow the guide, clone the repository to your workstation.<\/p>\n

    git clone https:\/\/github.com\/techiescamp\/terraform-aws.git<\/code><\/pre>\n
    Fork and clone the repository if you intend to reuse and make changes as per your requirements.<\/p>\n
    Terraform AWS Organization\u2019s Tag Policy Provisioning Workflow<\/strong><\/h2>\n
    The Terraform script for Tag Policy is structured in the following way.<\/p>\n
    \u251c\u2500\u2500infra\n\u2502   \u251c\u2500\u2500 tag-policy\n\u2502   \u2502   \u251c\u2500\u2500 main.tf\n|   |   \u251c\u2500\u2500 outputs.tf\n\u2502   \u2502   \u2514\u2500\u2500 variables.tf\n\u251c\u2500\u2500modules\n\u2502   \u251c\u2500\u2500 tag-policy\n\u2502   \u2502   \u251c\u2500\u2500 main.tf\n\u2502   \u2502   \u251c\u2500\u2500 outputs.tf\n\u2502   \u2502   \u2514\u2500\u2500 variables.tf\n\u2514\u2500\u2500vars\n    \u2514\u2500\u2500 dev\n        \u2514\u2500\u2500 tag-policy.tfvars\n<\/code><\/pre>\n
    vars<\/code><\/strong> folder contains the variables file named tag-policy.tfvars<\/code><\/p>\n
    infra<\/strong>\/tag-policy<\/strong> folder contains the terraform code (main.tf<\/code>) that calls the Tag Policy module from the modules directory.<\/p>\n
    The modules directory contains the following resources:<\/p>\n
    tag-policy<\/code> Module<\/strong>: The tag-policy<\/code> module contains an AWS Organizations policy creation block with JSON code to create tags with specified tag keys, tag values, and enforcement for values.<\/p>\n
    The policy attachment block is used to attach the created policy to a related account using the account ID.<\/p>\n
    Implementing Tag Policy Using Terraform<\/h2>\n
    Follow the steps provided in this section to implement a tag policy in an AWS account.<\/p>\n
    Assuming the “terraform-aws<\/strong>” folder as the root directory for this guide.<\/p>\n
    Step 1:<\/strong> Adjust the variables for the tag-policy module.<\/h3>\n
    Open the vars\/dev\/tag-policy.tfvars<\/code> file and edit the variables based on your requirements. Primarily, you may want to change target_id<\/code> and enforce_for_values<\/code>.<\/p>\n
    Additionally, you can change tag_value<\/code> and region<\/code> if you want.<\/p>\n
    # Tag Policy Vars\nregion      = \"eu-north-1\"\npolicy_name = \"Techiescamp\"\npolicy_type = \"TAG_POLICY\"\ntarget_id   = \"814200988517\"\n\nname_tag_key         = \"Name\"\nenvironment_tag_key  = \"Environment\"\nowner_tag_key        = \"Owner\"\nowner_tag_value      = [\"techiescamp\"]\ncostcenter_tag_key   = \"CostCenter\"\ncostcenter_tag_value = [\"techiescamp-commerce\"]\napplication_tag_key  = \"Application\"\nenforce_for_values   = [\"dynamodb:*\", \"ec2:dhcp-options\", \"ec2:elastic-ip\", \"ec2:fpga-image\", \"ec2:instance\",\n                        \"ec2:internet-gateway\", \"ec2:launch-template\", \"ec2:natgateway\", \"ec2:network-acl\",\n                        \"ec2:network-interface\", \"ec2:route-table\", \"ec2:security-group\", \"ec2:snapshot\",\n                        \"ec2:subnet\", \"ec2:volume\", \"ec2:vpc\", \"ec2:vpc-endpoint\", \"ec2:vpc-endpoint-service\",\n                        \"ec2:vpc-peering-connection\", \"ec2:vpn-connection\", \"ec2:vpn-gateway\", \"elasticfilesystem:*\",\n                        \"elasticloadbalancing:*\", \"iam:instance-profile\", \"iam:mfa\", \"iam:policy\", \"kms:*\",\n                        \"lambda:*\", \"rds:cluster-pg\", \"rds:cluster-endpoint\", \"rds:es\", \"rds:og\", \"rds:pg\", \"rds:db-proxy\",\n                        \"rds:db-proxy-endpoint\", \"rds:ri\", \"rds:secgrp\", \"rds:subgrp\", \"rds:target-group\", \"resource-groups:*\",\n                        \"route53:hostedzone\", \"s3:bucket\", \"s3:bucket\"]                \n\n<\/code><\/pre>\n
    Step 2:<\/strong> Initialize Terraform Configuration:<\/h3>\n
    Once the modifications are completed, save the code.<\/p>\n
    Open the parent directory.<\/p>\n
    cd infra\/tag-policy<\/code><\/pre>\n
    Inside the “tag-policy<\/strong>” folder, you will find the “main.tf<\/strong>” file, which contains the configurations of the tag-policy<\/code> module.<\/p>\n
    provider \"aws\" {\n  region = var.region\n}\n\nmodule \"tag-policy\" {\n  source      = \"..\/..\/modules\/tag-policy\"\n  region      = var.region\n  policy_name = var.policy_name\n  policy_type = var.policy_type\n  target_id   = var.target_id\n\n  name_tag_key         = var.name_tag_key\n  environment_tag_key  = var.environment_tag_key\n  owner_tag_key        = var.owner_tag_key\n  owner_tag_value      = var.owner_tag_value\n  costcenter_tag_key   = var.costcenter_tag_key\n  costcenter_tag_value = var.costcenter_tag_value\n  application_tag_key  = var.application_tag_key\n  enforce_for_values   = var.enforce_for_values\n}<\/code><\/pre>\n
    Step 3<\/strong>: Verify Terraform Plan<\/h3>\n
    Assuming you are in the infra\/tag-policy<\/code> directory, and to preview the changes, use the Terraform plan command.<\/p>\n
    terraform plan -var-file=..\/..\/vars\/dev\/tag-polcy.tfvars<\/code><\/pre>\n
    Step <\/strong>4: Apply Terraform Changes<\/h3>\n
    Apply the Terraform configuration to create the AWS resources by using the following command.<\/p>\n
    terraform apply -var-file=..\/..\/vars\/dev\/tag-policy.tfvars<\/code><\/pre>\n
    Confirm the action by typing “yes” when prompted.<\/p>\n
    Terraform will now implement the tag policy based on your customized configuration.<\/p>\n
    Step 5:<\/strong> Validate the Output<\/h3>\n
    After applying the Terraform configuration, use the Terraform output command to retrieve essential details<\/p>\n
    The output.tf<\/code> file is configured to show the Policy ID as the output.<\/p>\n
    Verify the output to ensure that the tag policy has been successfully implemented in your AWS account.<\/p>\n
    Step <\/strong>6: Clean Up Setup<\/h3>\n
    If you plan to remove the tag policy across your AWS account, you can destroy the configuration using the Terraform destroy command.<\/p>\n
    terraform destroy -var-file=..\/..\/vars\/dev\/tag-policy.tfvars<\/code><\/pre>\n
    Confirm the action by typing “yes” when prompted. Terraform will remove all the resources created in the previous steps.<\/p>\n
    Conclusion<\/h2>\n
    Using a Tag Policy will improve the organization’s tagging strategy and prevent users from creating resources with non-compliant tags.<\/p>\n
    With AWS Resource Groups & Tag Editor<\/strong>, resources and their related tags can be effectively managed. This service allows for filtering AWS Resources based on tags, making resource management more efficient and organized.<\/p>\n
    You can also check out the AWS autoscaling terraform<\/a> guide to deploy autoscaling groups and AWS load balancers<\/a> using Terraform.<\/p>\n
    \n
    Ngu\u1ed3n:<\/strong> AWS Tag Policy Configuration Using Terraform \u2014 DevOpsCube<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
    Source: https:\/\/devopscube.com\/aws-tag-policy-terraform\/<\/p>\n","protected":false},"author":1,"featured_media":1087,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1086","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-devops"],"_links":{"self":[{"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=\/wp\/v2\/posts\/1086","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1086"}],"version-history":[{"count":0,"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=\/wp\/v2\/posts\/1086\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=\/wp\/v2\/media\/1087"}],"wp:attachment":[{"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1086"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1086"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1086"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}