This post gives a high-level overview of the newly launched terraform-tag-module and shows some examples of how to use it.
Tags provide a way to create annotations for resources and, in some cases, to conditionally allow or deny policies based on whether a resource has a specific tag. You can use tags and conditional enforcement of policies for fine-grained control across your resource hierarchy. Please check out the official documentation for more details about tags.
Some services, such as Identity and Access Management (IAM), are policy engines that support references by tags. If you can attach a tag to a service resource, and the policy engine service supports that resource, you can then leverage conditional enforcement of policies to better control your resource hierarchy. Each policy engine service lists the resources it supports in the Policy engine services section. Please check out the list of supported service resources before getting started.
Refer to this tutorial, which shows how to use a Terraform module in your Terraform code.
The Terraform variable schema used to configure the Tag module is shown below.
| Name | Description | Type |
|---|---|---|
| `key` | Key for the tag: the user-friendly name of the TagKey. The short name must be unique among TagKeys within the same tag namespace. This is a required input. | `string` |
| `key_description` | User-assigned description of the TagKey. Must not exceed 256 characters. | `string` |
| `key_purpose` | A purpose denotes that this tag is intended for use in policies of a specific policy engine, and involves that policy engine in management operations on this tag. | `string` |
| `key_purpose_data` | Purpose data corresponding to the policy system the tag is intended for. | `map(string)` |
| `org_id` | Organization ID | `string` |
| `project_number` | Project Number | `string` |
| `tag_for` | Whether the tag is created for an entire organization or for a single project. Possible values: `"organization"` or `"project"`. Default value: `"organization"`. | `string` |
| `value_specs` | Value specifications: each entry holds a tag value, its description, and a `tag_binding` map from a location (for example `"global"`) to the full resource names the value is bound to. | `list(object({ value = string, description = string, tag_binding = map(list(string)) }))` |
Below is an example that creates a tag key with multiple values and binds the first value to a project and to a Cloud Storage bucket.

```hcl
# Bucket created by the public cloud-storage example module; the tag binding
# below refers to it by its full resource name.
module "cloud-storage_example_simple_bucket" {
  source     = "terraform-google-modules/cloud-storage/google//examples/simple_bucket"
  version    = "5.0.0"
  project_id = "<PROJECT-ID>"
}

module "tags" {
  source  = "GoogleCloudPlatform/tags/google"
  version = "0.1.0"

  tag_for         = "project"
  project_number  = "<PROJECT-NUMBER>"
  key             = "key1"
  key_description = "first key"

  value_specs = [{
    value       = "value1"
    description = "first value"
    # Bind value1 to the project (global) and to the bucket (location "us")
    tag_binding = {
      "global" : ["//cloudresourcemanager.googleapis.com/projects/<PROJECT-NUMBER>"],
      "us"     : ["//storage.googleapis.com/projects/_/buckets/<PROJECT-ID>-bucket"]
    }
  }, {
    value       = "value3"
    description = "third value"
    tag_binding = {} # value is created but not bound to any resource
  }]
}
```
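As an added example (not code from the module's documentation), here is the tag-based conditional enforcement described above, wired to a tag created with the same module: an organization-level `env` key whose `prod` value is bound to a project, and an IAM role grant that is only effective on resources carrying that tag. `<ORG-ID>`, `<PROJECT-NUMBER>`, `<PROJECT-ID>` and the group address are placeholders, and the resources being accessed are assumed to be ones the IAM policy engine supports for tags.

```hcl
# Added example, not part of the module's own docs. Placeholders: <ORG-ID>,
# <PROJECT-NUMBER>, <PROJECT-ID>, and the group address below.

# Organization-level tag key "env" with a single value "prod", bound to the
# project so that everything under the project inherits env=prod.
module "env_tag" {
  source  = "GoogleCloudPlatform/tags/google"
  version = "0.1.0"

  tag_for         = "organization" # the module's default scope
  org_id          = "<ORG-ID>"
  key             = "env"
  key_description = "Deployment environment"

  value_specs = [{
    value       = "prod"
    description = "Production"
    tag_binding = {
      "global" : ["//cloudresourcemanager.googleapis.com/projects/<PROJECT-NUMBER>"]
    }
  }]
}

# Conditional IAM grant: the role applies only to resources that carry the
# env=prod tag, directly or by inheritance. resource.matchTag() takes the
# key as "<ORG-ID>/<KEY>" and the value's short name; untagged resources are
# denied by this binding even though the member holds the role.
resource "google_project_iam_member" "prod_viewers" {
  project = "<PROJECT-ID>"
  role    = "roles/viewer"
  member  = "group:prod-viewers@example.com" # placeholder group

  condition {
    title       = "only-when-tagged-prod"
    description = "Grant is effective only while the resource has env=prod"
    expression  = "resource.matchTag('<ORG-ID>/env', 'prod')"
  }

  # Create the tag value and its binding before the conditional grant
  depends_on = [module.env_tag]
}
```

Removing the `prod` binding from the project (or changing its value) withdraws the grant without touching the IAM policy, which is the property that makes tags useful as a control point.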
For IAM bindings on the tags themselves, use the tags IAM modules tag_keys and tag_values.
In conclusion, the Tag module lets users create tags and bind them to Google Cloud services. The examples shown above should help users implement tag bindings.
If you have any concerns or issues with the terraform-google-tag module, please raise an issue here.