AUT-3906: Add cost allocation tags to terraform

govuk-one-login · Dec 10, 2024 · e863426 · e863426
1 parent f569c4c
commit e863426
Show file tree

Hide file tree

Showing 14 changed files with 51 additions and 88 deletions.
diff --git a/ci/terraform/alb.tf b/ci/terraform/alb.tf
@@ -21,8 +21,6 @@ resource "aws_lb" "frontend_alb" {
       prefix  = "frontend-alb"
     }
   }
-
-  tags = local.default_tags
 }
 
 resource "aws_wafv2_web_acl_association" "alb_waf_association" {
@@ -47,8 +45,6 @@ resource "aws_alb_target_group" "frontend_alb_target_group" {
     path                = "/healthcheck/"
     unhealthy_threshold = "2"
   }
-
-  tags = local.default_tags
 }
 
 resource "aws_alb_listener" "frontend_alb_listener_https" {
@@ -67,8 +63,6 @@ resource "aws_alb_listener" "frontend_alb_listener_https" {
   depends_on = [
     aws_acm_certificate_validation.frontend_acm_alb_certificate_validation
   ]
-
-  tags = local.default_tags
 }
 
 resource "aws_alb_listener_rule" "frontend_alb_listener_https_robots" {
@@ -105,8 +99,6 @@ resource "aws_alb_listener" "frontend_alb_listener_http" {
       status_code = "HTTP_301"
     }
   }
-
-  tags = local.default_tags
 }
 
 #S3 Bucket for ElB access logs
@@ -164,8 +156,9 @@ resource "aws_alb_target_group" "frontend_service_down_alb_target_group" {
     path                = "/healthcheck/"
     unhealthy_threshold = "2"
   }
-
-  tags = local.default_tags
+  tags = {
+    Service = "service-down-page"
+  }
 }
 
 resource "aws_alb_listener_rule" "service_down_rule" {
@@ -183,4 +176,7 @@ resource "aws_alb_listener_rule" "service_down_rule" {
       values = ["/service-page-disabled/*"]
     }
   }
+  tags = {
+    Service = "service-down-page"
+  }
 }
diff --git a/ci/terraform/cloudfront.tf b/ci/terraform/cloudfront.tf
@@ -16,7 +16,6 @@ resource "aws_cloudformation_stack" "cloudfront" {
     StandardLoggingEnabled       = true
     LogDestination               = var.cloudfront_WafAcl_Logdestination
   }
-  tags = local.default_tags
 
   #ignoring below parameter as these parameter are been read via secret manager and terraform continually detects changes
   # Note : we need to remove the below lifecycle if the Header are changed in Secret manager to appy new cloainking header value
@@ -40,5 +39,4 @@ resource "aws_cloudformation_stack" "cloudfront-monitoring" {
     CloudfrontDistribution              = aws_cloudformation_stack.cloudfront.outputs["DistributionId"]
   }
   depends_on = [aws_cloudformation_stack.cloudfront]
-  tags       = local.default_tags
 }
diff --git a/ci/terraform/cloudwatch.tf b/ci/terraform/cloudwatch.tf
@@ -46,16 +46,12 @@ resource "aws_kms_key" "cloudwatch_log_encryption" {
   deletion_window_in_days = 30
   enable_key_rotation     = true
   policy                  = data.aws_iam_policy_document.cloudwatch.json
-
-  tags = local.default_tags
 }
 
 resource "aws_cloudwatch_log_group" "ecs_frontend_task_log" {
   name              = "/ecs/${var.environment}-frontend"
   kms_key_id        = aws_kms_key.cloudwatch_log_encryption.arn
   retention_in_days = var.cloudwatch_log_retention
-
-  tags = local.default_tags
 }
 
 resource "aws_cloudwatch_log_subscription_filter" "ecs_frontend_task_log_subscription" {
@@ -106,8 +102,6 @@ resource "aws_cloudwatch_log_group" "alb_waf_log" {
   name              = "aws-waf-logs-frontend-alb-${var.environment}"
   kms_key_id        = aws_kms_key.cloudwatch_log_encryption.arn
   retention_in_days = var.cloudwatch_log_retention
-
-  tags = local.default_tags
 }
 
 resource "aws_cloudwatch_log_subscription_filter" "alb_waf_log_subscription" {

diff --git a/ci/terraform/dynatrace.tf b/ci/terraform/dynatrace.tf
@@ -28,6 +28,4 @@ resource "aws_iam_policy" "dynatrace_policy" {
   policy      = data.aws_iam_policy_document.dynatrace_policy.json
   path        = "/${var.environment}/"
   name_prefix = "dynatrace-secret-policy"
-
-  tags = local.default_tags
 }
diff --git a/ci/terraform/ecs-roles.tf b/ci/terraform/ecs-roles.tf
@@ -13,8 +13,6 @@ data "aws_iam_policy_document" "ecs_assume_role_policy" {
 resource "aws_iam_role" "ecs_task_execution_role" {
   name               = "${var.environment}-frontend-ecs-task-execution-role"
   assume_role_policy = data.aws_iam_policy_document.ecs_assume_role_policy.json
-
-  tags = local.default_tags
 }
 
 resource "aws_iam_role_policy_attachment" "ecs_task_execution_role_policy_attachment" {
@@ -30,8 +28,6 @@ resource "aws_iam_role_policy_attachment" "ecs_task_execution_role_policy_attach
 resource "aws_iam_role" "ecs_task_role" {
   name               = "${var.environment}-frontend-ecs-task-role"
   assume_role_policy = data.aws_iam_policy_document.ecs_assume_role_policy.json
-
-  tags = local.default_tags
 }
 
 resource "aws_iam_role_policy_attachment" "account_management_ecs_task_role_ssm_policy_attachment" {
@@ -59,7 +55,9 @@ resource "aws_iam_role" "service_down_ecs_task_execution_role" {
   name_prefix        = "${var.environment}-service-down-page-exec-"
   assume_role_policy = data.aws_iam_policy_document.service_down_ecs_assume_role_policy[0].json
 
-  tags = local.default_tags
+  tags = {
+    Service = "service-down-page"
+  }
 }
 
 resource "aws_iam_role_policy_attachment" "service_down_ecs_task_execution_role_policy_attachment" {

diff --git a/ci/terraform/ecs.tf b/ci/terraform/ecs.tf
@@ -309,8 +309,6 @@ resource "aws_ecs_service" "frontend_ecs_service" {
     container_name   = var.basic_auth_password == "" ? local.frontend_container_definition.name : local.sidecar_container_definition.name
     container_port   = local.application_port
   }
-
-  tags = local.default_tags
 }
 
 resource "aws_ecs_task_definition" "frontend_task_definition" {
@@ -327,8 +325,6 @@ resource "aws_ecs_task_definition" "frontend_task_definition" {
     local.frontend_container_definition,
     local.sidecar_container_definition,
   ])
-
-  tags = local.default_tags
 }
 
 
@@ -367,7 +363,9 @@ resource "aws_ecs_service" "service_down_ecs_service" {
     container_port   = local.service_down_page_app_port
   }
 
-  tags = local.default_tags
+  tags = {
+    Service = "service-down-page"
+  }
 
   depends_on = [
     aws_alb_listener_rule.service_down_rule[0],
@@ -403,12 +401,18 @@ resource "aws_ecs_task_definition" "service_down_page_task_definition" {
       }]
   }])
 
-  tags = local.default_tags
+  tags = {
+    Service = "service-down-page"
+  }
 }
 
 resource "aws_cloudwatch_log_group" "service_down_page" {
   count = var.service_down_page ? 1 : 0
   name  = "/ecs/${var.environment}-service-down-page"
 
   retention_in_days = 1
+
+  tags = {
+    Service = "service-down-page"
+  }
 }
diff --git a/ci/terraform/kms.tf b/ci/terraform/kms.tf
@@ -3,8 +3,6 @@ resource "aws_kms_key" "authentication_encryption_key" {
   deletion_window_in_days  = 30
   key_usage                = "ENCRYPT_DECRYPT"
   customer_master_key_spec = "RSA_2048"
-
-  tags = local.default_tags
 }
 
 resource "aws_kms_key_policy" "authentication_encryption_key_access_policy" {

diff --git a/ci/terraform/redis.tf b/ci/terraform/redis.tf
@@ -5,8 +5,6 @@ locals {
 resource "aws_elasticache_subnet_group" "frontend_redis_session_store" {
   name       = "${var.environment}-frontend-redis-subnet"
   subnet_ids = local.private_subnet_ids
-
-  tags = local.default_tags
 }
 
 
@@ -51,6 +49,4 @@ resource "aws_elasticache_replication_group" "frontend_sessions_store" {
       engine_version
     ]
   }
-
-  tags = local.default_tags
 }
diff --git a/ci/terraform/route53.tf b/ci/terraform/route53.tf
@@ -34,8 +34,6 @@ resource "aws_acm_certificate" "frontend_alb_certificate" {
   domain_name       = aws_route53_record.frontend.name
   validation_method = "DNS"
 
-  tags = local.default_tags
-
   lifecycle {
     create_before_destroy = true
   }
@@ -103,8 +101,6 @@ resource "aws_acm_certificate" "cloudfront_frontend_certificate" {
   domain_name       = local.frontend_fqdn
   validation_method = "DNS"
 
-  tags = local.default_tags
-
   lifecycle {
     create_before_destroy = true
   }

diff --git a/ci/terraform/security-groups.tf b/ci/terraform/security-groups.tf
@@ -6,8 +6,6 @@ resource "aws_security_group" "frontend_redis_security_group" {
   lifecycle {
     create_before_destroy = true
   }
-
-  tags = local.default_tags
 }
 
 resource "aws_security_group_rule" "allow_incoming_frontend_redis_from_private_subnet" {
@@ -41,8 +39,6 @@ resource "aws_security_group" "allow_access_to_frontend_redis" {
   lifecycle {
     create_before_destroy = true
   }
-
-  tags = local.default_tags
 }
 
 resource "aws_security_group_rule" "allow_connection_to_frontend_redis" {
@@ -62,8 +58,6 @@ resource "aws_security_group" "frontend_alb_sg" {
   lifecycle {
     create_before_destroy = true
   }
-
-  tags = local.default_tags
 }
 
 resource "aws_security_group_rule" "allow_alb_http_ingress_from_anywhere" {
@@ -106,8 +100,6 @@ resource "aws_security_group" "frontend_ecs_tasks_sg" {
   lifecycle {
     create_before_destroy = true
   }
-
-  tags = local.default_tags
 }
 
 resource "aws_security_group_rule" "allow_ecs_task_ingress_from_alb" {
@@ -132,6 +124,9 @@ resource "aws_security_group" "service_down_page" {
   lifecycle {
     create_before_destroy = true
   }
+  tags = {
+    Service = "service-down-page"
+  }
 }
 
 resource "aws_security_group_rule" "allow_incoming_http_from_frontend_alb" {

diff --git a/ci/terraform/site.tf b/ci/terraform/site.tf
@@ -16,11 +16,29 @@ terraform {
   }
 }
 
+locals {
+  provider_default_tags = {
+    Environment = var.environment
+    Owner       = "[email protected]"
+    Product     = "GOV.UK Sign In"
+    System      = "Authentication"
+    Service     = "frontend"
+    application = "auth-frontend"
+  }
+}
+
 provider "aws" {
   region = var.aws_region
 
-  assume_role {
-    role_arn = var.deployer_role_arn
+  dynamic "assume_role" {
+    for_each = var.deployer_role_arn != null ? [var.deployer_role_arn] : []
+    content {
+      role_arn = assume_role.value
+    }
+  }
+
+  default_tags {
+    tags = local.provider_default_tags
   }
 }
 
@@ -29,8 +47,15 @@ provider "aws" {
 
   region = "us-east-1"
 
-  assume_role {
-    role_arn = var.deployer_role_arn
+  dynamic "assume_role" {
+    for_each = var.deployer_role_arn != null ? [var.deployer_role_arn] : []
+    content {
+      role_arn = assume_role.value
+    }
+  }
+
+  default_tags {
+    tags = local.provider_default_tags
   }
 }
 
@@ -41,10 +66,3 @@ data "aws_caller_identity" "current" {}
 data "aws_region" "current" {}
 
 data "aws_partition" "current" {}
-
-locals {
-  default_tags = {
-    environment = var.environment
-    application = "auth-frontend"
-  }
-}
diff --git a/ci/terraform/sns.tf b/ci/terraform/sns.tf
@@ -4,8 +4,6 @@ resource "aws_sns_topic" "slack_events" {
   provider                         = aws.cloudfront
   name                             = "${var.environment}-cloudfront-alerts"
   lambda_failure_feedback_role_arn = aws_iam_role.sns_logging_iam_role.arn
-
-  tags = local.default_tags
 }
 
 data "aws_iam_policy_document" "sns_topic_policy" {
@@ -56,8 +54,6 @@ resource "aws_iam_role" "sns_logging_iam_role" {
   name_prefix        = "sns-failed-slack-alerts-role"
   path               = "/${var.environment}/"
   assume_role_policy = data.aws_iam_policy_document.sns_can_assume_policy.json
-
-  tags = local.default_tags
 }
 
 data "aws_iam_policy_document" "sns_can_assume_policy" {
@@ -112,8 +108,6 @@ resource "aws_iam_policy" "api_gateway_logging_policy" {
   lifecycle {
     create_before_destroy = true
   }
-
-  tags = local.default_tags
 }
 
 resource "aws_iam_role_policy_attachment" "api_gateway_logging_logs" {