
New feature: terraform target by tags #685

Open
wants to merge 7 commits into master

Conversation

igordust
Contributor

Why?

With this new feature, terraform helper is able to target accounts matching a tag expressed as key=value. You can define multiple tags and all accounts matching at least one of the tags will become target of the pipeline.

What?

Description of changes:

  • Added proper documentation for the new parameter TARGET_TAGS
  • Added the functions needed to fetch tags from accounts in AWS Organization and produce the output file in get_accounts.py
  • Added `organizations:ListTagsForResource` permission to `adf-organizations-readonly-policy` so that the pipeline role is able to fetch tag information
  • Added the logic in adf_terraform.sh to read the list of accounts matched by tags.

By submitting this pull request, I confirm that you can use, modify, copy, and
redistribute this contribution, under the terms of your choice.

Collaborator

@sbkok sbkok left a comment

Thanks for contributing this feature, would be very useful to have!

All filter clauses are applied with logical AND, all values in a single clause are applied with logical OR

**Eg:** `TARGET_TAGS=Name=environment,Values=prd,dev;Name=cost-center,Values=ccoe` will match all
accounts tagged with `environment=prd` OR `environment=dev` AND `cost-center = ccoe`
Collaborator

Suggested change
accounts tagged with `environment=prd` OR `environment=dev` AND `cost-center = ccoe`
accounts tagged with (`environment=prd` OR `environment=dev`) AND `cost-center=ccoe`
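The `TARGET_TAGS` format described in the PR description and in the documentation lines above, as an added example that is not part of this PR or of the ADF code base: it parses the `Name=...,Values=...;...` string into Resource Groups Tagging API style `TagFilters` and applies the documented rule (logical AND across clauses, logical OR across the values of one clause) to a constructed set of account tags. Account IDs and tags are made up for the example; a malformed clause raises rather than being skipped, so a typo cannot silently widen the set of targeted accounts.

```python
import re
from typing import Dict, List

# Constructed sample data, not from the PR: account IDs and tags as the
# feature would read them from AWS Organizations.
SAMPLE_ACCOUNTS = [
    {"Id": "111111111111", "Tags": {"environment": "prd", "cost-center": "ccoe"}},
    {"Id": "222222222222", "Tags": {"environment": "dev", "cost-center": "ccoe"}},
    {"Id": "333333333333", "Tags": {"environment": "prd", "cost-center": "finance"}},
    {"Id": "444444444444", "Tags": {"environment": "dev"}},
]

# One clause: Name=<key>,Values=<v1>[,<v2>...]. The key may not contain ',' or '=';
# values may contain '=' because the whole remainder after 'Values=' is captured.
_CLAUSE = re.compile(r"^Name=([^,=]+),Values=(.+)$")


def parse_target_tags(target_tags: str) -> List[dict]:
    """Turn 'Name=k,Values=v1,v2;Name=k2,Values=v3' into a list of
    {"Key": k, "Values": [v1, v2]} filters. Malformed or empty input raises."""
    filters = []
    for clause in (c.strip() for c in target_tags.split(";")):
        if not clause:
            continue
        match = _CLAUSE.match(clause)
        if not match:
            raise ValueError(f"malformed tag filter clause: {clause!r}")
        values = [v.strip() for v in match.group(2).split(",") if v.strip()]
        if not values:
            raise ValueError(f"no values in tag filter clause: {clause!r}")
        filters.append({"Key": match.group(1).strip(), "Values": values})
    if not filters:
        raise ValueError("TARGET_TAGS contains no filter clauses")
    return filters


def account_matches(tags: Dict[str, str], filters: List[dict]) -> bool:
    """Logical AND across clauses; logical OR across the values of one clause.
    An account that lacks a filtered key never matches that clause."""
    return all(tags.get(f["Key"]) in f["Values"] for f in filters)


def select_accounts(accounts: List[dict], target_tags: str) -> List[str]:
    """Return the IDs of the accounts the pipeline would target."""
    filters = parse_target_tags(target_tags)
    return [a["Id"] for a in accounts if account_matches(a["Tags"], filters)]


if __name__ == "__main__":
    print(select_accounts(
        SAMPLE_ACCOUNTS, "Name=environment,Values=prd,dev;Name=cost-center,Values=ccoe"))
```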

tag_filters
)
organization_api_region = get_organization_api_region(REGION_DEFAULT)
print(organization_api_region)
Collaborator

Suggested change
print(organization_api_region)

tag_values = tags.split(",", 1)[1].split("=")[1].split(",")
tag_filters.append({
"Key": tag_name,
"Values": tag_values})
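Review bot: the parse on the first line of this snippet, `tag_values = tags.split(",", 1)[1].split("=")[1].split(",")`, truncates silently: `.split("=")[1]` keeps only the text between the first and second `=`, so a clause such as `Name=team,Values=a=b` yields the value `a`, and the preceding `split(",", 1)[1]` assumes the tag key contains no comma. Split the `Values=` part once with `split("=", 1)` (or match the clause against an anchored `Name=...,Values=...` pattern) and raise on a clause that does not match instead of proceeding with a partial value; a mis-parsed filter otherwise targets a different set of accounts than the operator intended.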
Collaborator

Suggested change
"Values": tag_values})
"Values": tag_values,
})

'resourcegroupstaggingapi',
(
f'arn:{PARTITION}:sts::{MANAGEMENT_ACCOUNT_ID}:role/'
f'{CROSS_ACCOUNT_ACCESS_ROLE}-readonly'
Collaborator

This will need to be updated to the new role added in v4.

REGION_DEFAULT = os.environ["AWS_REGION"]
PARTITION = get_partition(REGION_DEFAULT)
sts = boto3.client('sts')
ssm = boto3.client('ssm')
organizations = boto3.client('organizations')
Collaborator

Could you change this to include a higher retry count?
Otherwise it might run into the rate limitation of the AWS Organizations API and fail.
This would be likely if multiple Terraform pipelines would run concurrently.

An example how to change it: https://github.com/awslabs/aws-deployment-framework/pull/774/files#diff-05a19c0ecc528b81f98611295fccbb53ec8ce9f20937f67308f3bc886e4a5018R83-R89
