When AWS EC2/VPC (and maybe other services') resources are shared with another account via RAM, the tags from the creating account are not copied to the accepting account, so for example a shared subnet has no Name in the accepting account's AWS Console.
We decouple much of our Terraform code by creating for example all subnet resources in one module (with a predefined set of tags) and then using a data source in another module (specifying those predefined tags) to find a specific subnet ID (for an ASG or whatever).
This won't work when a subnet is shared into an account as those predefined tags are missing.
Doing a terraform import for those shared resources won't really work as the accepting account doesn't own the resource's lifecycle and can only change tags on the resource.
My thinking is to have a Terraform resource in the accepting account that can manage just the tags on these shared VPC resources.
https://github.com/terraform-providers/terraform-provider-aws/pull/8457 seems to be a solution to a similar problem.
Related:
Look also at shared Route 53 Resolver Forwarding Rules which can have tags.
Another use case is for tagging EC2 resources implicitly created by other resources such as the transit gateway attachment created by associating a Direct Connect gateway.
Another similar thing for Route 53 Hosted Zones created via Servicediscovery: https://github.com/terraform-providers/terraform-provider-aws/issues/7840
This feature is very much appreciated! Looks like it is not supported by AWS yet though, so we should probably wait for them. Really annoying that the tags that you set on an object - for example the TGW - are not automatically shared; this prevents you pretty much from doing more robust setups.
@erikkn AWS does allow you to tag resources by ID. My PR #8457 allows for decoupling of resource creation from tagging.
Another use case is for the EC2 resources created as part of an EKS Managed Node Group - https://github.com/terraform-providers/terraform-provider-aws/issues/10915.
The tags set on the aws_eks_node_group resource are not applied to the managed EC2 resources.
Another use case is for the EC2 instance that satisfies an aws_spot_instance_request - See https://github.com/terraform-providers/terraform-provider-aws/issues/32, https://github.com/terraform-providers/terraform-provider-aws/pull/3481, https://github.com/terraform-providers/terraform-provider-aws/issues/13229.
Another one - tagging DynamoDB resources: https://github.com/terraform-providers/terraform-provider-aws/issues/6859.
Another one - tagging ECS cluster created for Batch: https://github.com/terraform-providers/terraform-provider-aws/issues/11951.
Another one - tagging EC2 Transit Gateway Route Tables created cross-account. They will be unnamed in the account holding the Transit Gateway itself.
Another use case - when the aws_vpn_connection resource creates a connection, the attachment on the transit gateway is not/cannot be tagged.
Details here: https://github.com/terraform-providers/terraform-provider-aws/issues/12535
And another bunch: the COIP and Local Gateway resources created when setting up an AWS Outpost - https://github.com/terraform-providers/terraform-provider-aws/issues/12302.
Would be lovely to have a generic pass_tags or created_resource_tags for this use case. We currently don't have tags on the EC2 instances created from EKS managed node group Autoscaling groups (https://github.com/terraform-providers/terraform-provider-aws/issues/9061#issuecomment-555497826), so that would be nice to have. Thanks for the issue @ewbankkit !
A new aws_ec2_tag resource for managing individual EC2 resource tags has been merged and will release with version 2.67.0 of the Terraform AWS Provider, later next week. This resource should only be used in cases where EC2 resources are created outside Terraform (e.g. AMIs), shared via Resource Access Manager (RAM), or implicitly created by other means (e.g. Transit Gateway VPN Attachments).
```hcl
# Example configuration in Terraform 0.12 and later syntax
resource "aws_ec2_transit_gateway" "example" {}

resource "aws_customer_gateway" "example" {
  bgp_asn    = 65000
  ip_address = "172.0.0.1"
  type       = "ipsec.1"
}

resource "aws_vpn_connection" "example" {
  customer_gateway_id = aws_customer_gateway.example.id
  transit_gateway_id  = aws_ec2_transit_gateway.example.id
  type                = aws_customer_gateway.example.type
}

resource "aws_ec2_tag" "example" {
  resource_id = aws_vpn_connection.example.transit_gateway_attachment_id
  key         = "Name"
  value       = "Hello World"
}
```
As with any Terraform 0.12.6 or later configuration, this resource can be combined with for_each support to manage multiple resource tags, if necessary.
Thanks to @joestump and others who made the implementation possible. 👍
While the above covers EC2 resources, we would highly suggest creating individual GitHub feature requests for other AWS services since these types of general issues lack a definition of done.
Here's what I see above so far:
I will however keep this open for a short while longer since we will likely want to implement a few general enhancements to make creating these service tag resources easier, which will be the definition of done for this particular issue:
aws_ec2_tag resource to the above implementation
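Putting the new resource to work on the original use case from this issue (a RAM-shared subnet with no tags in the accepting account), here is an added example that is not from the thread or the provider's documentation. It assumes the accepting account receives the shared subnet ID as an input and uses for_each to create one aws_ec2_tag per key/value pair, after which the tag-based data source lookup described at the top of the issue works again.

```hcl
# Added example: tag a RAM-shared subnet from the accepting account.
# The subnet ID is an assumed input; the accepting account cannot manage
# the subnet's lifecycle, so only its tags are declared here.
variable "shared_subnet_id" {
  type        = string
  description = "ID of a subnet shared into this account via RAM (assumed input)"
}

# Constructed tag set; mirrors the predefined tags other modules filter on.
variable "shared_subnet_tags" {
  type = map(string)
  default = {
    Name        = "shared-private-a"
    Environment = "prod"
    Tier        = "private"
  }
}

# One aws_ec2_tag resource per tag, driven by for_each over the map.
resource "aws_ec2_tag" "shared_subnet" {
  for_each = var.shared_subnet_tags

  resource_id = var.shared_subnet_id
  key         = each.key
  value       = each.value
}

# The decoupled lookup from the issue description now succeeds in the
# accepting account. depends_on forces the tags to exist before the read.
data "aws_subnet" "shared_private_a" {
  tags = {
    Name = var.shared_subnet_tags["Name"]
    Tier = var.shared_subnet_tags["Tier"]
  }

  depends_on = [aws_ec2_tag.shared_subnet]
}

output "shared_subnet_id_by_tag" {
  value = data.aws_subnet.shared_private_a.id
}
```

Because the tags are owned by the accepting account's state, a plan there will show drift if the owning account later changes or removes them, which is the behaviour you want for a cross-account tagging contract.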