How to apply tag to Cloud Posse TF lambda-function module's child resource


In TF Cloud I define an AWS Lambda like so:

module "lambda-function" {
  source  = "cloudposse/lambda-function/aws"
  version = "0.5.1"
    
  environment = var.environment
   
  function_name = "${local.service_name}-${var.environment}-restart"
  description   = "AWS lambda to restart ${local.service_name}-${var.environment}"
    
  handler          = "handler"
  runtime          = "go1.x"
  filename         = data.archive_file.lambda.output_path
  source_code_hash = filebase64sha256(data.archive_file.lambda.output_path)
    
  cloudwatch_logs_retention_in_days = 7
  timeout = 60
    
  vpc_config = {
    security_group_ids = tolist([data.aws_vpc.selected.id]),
    subnet_ids         = tolist(data.aws_subnets.selected.ids)
  }
}

but the corporate Sentinel policy demands the following:

    module.lambda-function.aws_iam_role.this[0] has tags_all with value 
    {Owner: Backend, Repo: https://github.com/xxx Service: xxx-service, Terraform: true, Environment: xxx-service-deploy-dev} 
    that is missing the required items [Name] from the list: [Name, Environment, Owner, Terraform]

I can't work out how to apply this tag to this child resource. I tried something like this, but it doesn't really make sense:

resource "aws_iam_role" "lambda_role_tags" {
  name = module.lambda-function.role_name
    
  # Add the desired tags here
  tags = {
    Name = "a tag"
  }
}

Is it possible, or must I get the policy changed?

EDIT: We already use default_tags as suggested, but I don't want to add the same Name tag to all my resources. I usually add a unique Name tag to individual resources.

provider "aws" {
  # ... other configuration ...
  default_tags {
    tags = {
      Owner       = "Backend"
      Repo        = "https://github.com/xxx"
      Service     = "xxx-service"
      Terraform   = true
      Environment = "xxx-service-deploy-dev"
    }
  }
}

resource "aws_ecs_task_definition" "task" {
  # ...
  tags = {
    "Name" = "${var.stage}-${local.service_name}-task"
  }
}

There are 1 best solutions below

Lauden On

Looking at the module documentation, it looks like you can use additional_tag_map.

Or even tag by looking at the code.
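A local pre-check for the policy failure quoted in the question, as an added example (not code from the question, the answer, or the Cloud Posse module): it walks the JSON produced by `terraform show -json <planfile>` and reports every resource, including those created inside modules, whose `tags_all` lacks a required key. The required list is taken from the policy message; the sample plan is constructed, and the real Sentinel policy is not on the page and may check more than this.

```python
import json

# Required keys, copied from the policy failure message in the question.
REQUIRED = ["Name", "Environment", "Owner", "Terraform"]


def iter_resources(module):
    """Yield every resource in a planned_values module, descending into child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def missing_required_tags(plan, required=REQUIRED):
    """Return {resource address: [required tag keys absent from tags_all]}."""
    findings = {}
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in iter_resources(root):
        values = res.get("values") or {}
        # No tags_all key: the resource type is not taggable, or the value is
        # unknown until apply. Neither case can be judged from the plan.
        if "tags_all" not in values:
            continue
        tags_all = values["tags_all"] or {}
        missing = [key for key in required if key not in tags_all]
        if missing:
            findings[res["address"]] = missing
    return findings


# Constructed sample shaped like `terraform show -json` output, mirroring the
# question: the module's IAM role carries only the provider default_tags.
SAMPLE_PLAN = json.loads("""
{"planned_values": {"root_module": {
  "resources": [
    {"address": "aws_ecs_task_definition.task", "type": "aws_ecs_task_definition",
     "values": {"tags_all": {"Name": "dev-xxx-service-task", "Owner": "Backend",
                "Terraform": "true", "Environment": "xxx-service-deploy-dev"}}}],
  "child_modules": [{"address": "module.lambda-function", "resources": [
    {"address": "module.lambda-function.aws_iam_role.this[0]", "type": "aws_iam_role",
     "values": {"tags_all": {"Owner": "Backend", "Repo": "https://github.com/xxx",
                "Service": "xxx-service", "Terraform": "true",
                "Environment": "xxx-service-deploy-dev"}}}]}]
}}}
""")

if __name__ == "__main__":
    for address, missing in missing_required_tags(SAMPLE_PLAN).items():
        print(f"{address} is missing required tags {missing}")
```

Running it against a plan after each attempted fix shows whether the `Name` key actually reaches the module's IAM role before the Sentinel run does.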