diff --git a/terraform/deployments/chat/main.tf b/terraform/deployments/chat/main.tf index 783c82602..27bf8e3e3 100644 --- a/terraform/deployments/chat/main.tf +++ b/terraform/deployments/chat/main.tf @@ -16,6 +16,16 @@ terraform { provider "aws" { region = var.aws_region + default_tags { + tags = { + product = "govuk" + system = "govuk-chat" + environment = var.govuk_environment + owner = "govuk-platform-engineering@digital.cabinet-office.gov.uk" + repository = "govuk-infrastructure" + terraform-deployment = basename(abspath(path.root)) + } + } } locals { diff --git a/terraform/deployments/cloudfront/main.tf b/terraform/deployments/cloudfront/main.tf index 3023ec19c..6a3ae0435 100644 --- a/terraform/deployments/cloudfront/main.tf +++ b/terraform/deployments/cloudfront/main.tf @@ -22,12 +22,13 @@ provider "aws" { region = var.aws_region default_tags { tags = { - Product = "GOV.UK" - System = "CloudFront" - Environment = var.govuk_environment - Owner = "govuk-platform-engineering@digital.cabinet-office.gov.uk" + product = "govuk" + system = "govuk-platform-engineering" + service = "cloudfront" + environment = var.govuk_environment + owner = "govuk-platform-engineering@digital.cabinet-office.gov.uk" repository = "govuk-infrastructure" - terraform_deployment = basename(abspath(path.root)) + terraform-deployment = basename(abspath(path.root)) } } } diff --git a/terraform/deployments/cluster-infrastructure/main.tf b/terraform/deployments/cluster-infrastructure/main.tf index 9ef7ade48..dbb66863d 100644 --- a/terraform/deployments/cluster-infrastructure/main.tf +++ b/terraform/deployments/cluster-infrastructure/main.tf 
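Review bot: The key and value renames in the cloudfront `default_tags` block (`Product` → `product`, `"GOV.UK"` → `"govuk"`, `terraform_deployment` → `terraform-deployment`) will orphan anything that still selects on the old tags, and no matching update is visible in this diff. AWS treats tag keys as case-sensitive for most services, so activated cost-allocation tags, tag-based resource groups and any rule or policy condition matching the old values would stop matching after apply; this is inferred, since no consumer appears in the commit. The same rename is made in the other provider blocks changed here. IAM treats tag keys as case-insensitive, so deployments that manage IAM resources are worth checking on a plan to confirm the case-only rename applies cleanly. I would add a comment above the map, `# Keys follow terraform/docs/tagging-guide.md; update cost-allocation and policy references when renaming`.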
@@ -119,13 +119,13 @@ provider "aws" { region = "eu-west-1" default_tags { tags = { - Product = "GOV.UK" - System = "EKS cluster infrastructure" - Environment = var.govuk_environment - Owner = "govuk-platform-engineering@digital.cabinet-office.gov.uk" - cluster = var.cluster_name + product = "govuk" + system = "govuk-platform-engineering" + service = "eks" + environment = var.govuk_environment + owner = "govuk-platform-engineering@digital.cabinet-office.gov.uk" repository = "govuk-infrastructure" - terraform_deployment = basename(abspath(path.root)) + terraform-deployment = basename(abspath(path.root)) } } } diff --git a/terraform/deployments/cluster-services/main.tf b/terraform/deployments/cluster-services/main.tf index 84d17f11c..c87c5bdbb 100644 --- a/terraform/deployments/cluster-services/main.tf +++ b/terraform/deployments/cluster-services/main.tf @@ -41,13 +41,13 @@ provider "aws" { region = "eu-west-1" default_tags { tags = { - Product = "GOV.UK" - System = "EKS cluster services" - Environment = var.govuk_environment - Owner = "govuk-platform-engineering@digital.cabinet-office.gov.uk" - cluster = "govuk" + product = "govuk" + system = "govuk-platform-engineering" + service = "eks-cluster-services" + environment = var.govuk_environment + owner = "govuk-platform-engineering@digital.cabinet-office.gov.uk" repository = "govuk-infrastructure" - terraform_deployment = basename(abspath(path.root)) + terraform-deployment = basename(abspath(path.root)) } } } diff --git a/terraform/deployments/csp-reporter/main.tf b/terraform/deployments/csp-reporter/main.tf index c865bb1e9..5574c2027 100644 --- a/terraform/deployments/csp-reporter/main.tf +++ b/terraform/deployments/csp-reporter/main.tf 
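Review bot: The new tag map in cluster-infrastructure/main.tf drops `cluster = var.cluster_name`, and cluster-services/main.tf drops `cluster = "govuk"`, while csp-reporter, rds and release keep `cluster = "govuk"` in this same commit. If the removal is not intended, keep the line (`cluster = var.cluster_name` here, `cluster = "govuk"` in cluster-services). If it is intended, the tag should probably be removed from the other three deployments too, since the tag table in the updated tagging guide, as shown in this diff, has no `cluster` row.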
@@ -19,13 +19,13 @@ provider "aws" { region = var.aws_region default_tags { tags = { - Product = "GOV.UK" - System = "CSP Reporter" - Environment = var.govuk_environment - Owner = "govuk-platform-engineering@digital.cabinet-office.gov.uk" + product = "govuk" + system = "govuk-csp-reporter" + environment = var.govuk_environment + owner = "govuk-platform-engineering@digital.cabinet-office.gov.uk" cluster = "govuk" repository = "govuk-infrastructure" - terraform_deployment = basename(abspath(path.root)) + terraform-deployment = basename(abspath(path.root)) } } } diff --git a/terraform/deployments/datagovuk-infrastructure/main.tf b/terraform/deployments/datagovuk-infrastructure/main.tf index be81ff953..9a41a6e8b 100644 --- a/terraform/deployments/datagovuk-infrastructure/main.tf +++ b/terraform/deployments/datagovuk-infrastructure/main.tf @@ -31,21 +31,20 @@ locals { cluster_id = data.tfe_outputs.cluster_infrastructure.nonsensitive_values.cluster_id services_ns = data.tfe_outputs.cluster_infrastructure.nonsensitive_values.cluster_services_namespace oidc_provider = data.tfe_outputs.cluster_infrastructure.nonsensitive_values.cluster_oidc_provider - - default_tags = { - Product = "DATA.GOV.UK" - System = "DATA.GOV.UK" - Environment = var.govuk_environment - Owner = "govuk-platform-engineering@digital.cabinet-office.gov.uk" - project = "replatforming" - repository = "govuk-infrastructure" - terraform_deployment = basename(abspath(path.root)) - } } provider "aws" { region = "eu-west-1" - default_tags { tags = local.default_tags } + default_tags { + tags = { + product = "govuk" + system = "govuk-dgu" + environment = var.govuk_environment + owner = "govuk-platform-engineering@digital.cabinet-office.gov.uk" + repository = "govuk-infrastructure" + terraform-deployment = basename(abspath(path.root)) + } + } } data "aws_eks_cluster_auth" "cluster_token" { diff --git a/terraform/deployments/ecr/main.tf b/terraform/deployments/ecr/main.tf index a0d16b660..2ae7edbf7 100644 
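Review bot: The datagovuk-infrastructure hunk deletes `local.default_tags` outright, so any other file in this deployment that still reads it (for example `tags = local.default_tags` passed to a module) would fail at plan. No such reference is visible here, so this needs a search of the deployment directory before merge. govuk-publishing-infrastructure keeps its `default_tags` local in the same commit, so keeping the local here with the new values and leaving `default_tags { tags = local.default_tags }` in place would be the smaller change. The `locals` block starts above the hunk.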
--- a/terraform/deployments/ecr/main.tf +++ b/terraform/deployments/ecr/main.tf @@ -23,12 +23,13 @@ provider "aws" { region = "eu-west-1" default_tags { tags = { - Product = "GOV.UK" - System = "Elastic Container Registry" - Environment = var.govuk_environment - Owner = "govuk-platform-engineering@digital.cabinet-office.gov.uk" + product = "govuk" + system = "govuk-platform-engineering" + service = "ecr" + environment = var.govuk_environment + owner = "govuk-platform-engineering@digital.cabinet-office.gov.uk" repository = "govuk-infrastructure" - terraform_deployment = basename(abspath(path.root)) + terraform-deployment = basename(abspath(path.root)) } } } diff --git a/terraform/deployments/elasticache/main.tf b/terraform/deployments/elasticache/main.tf index 58341a7fe..78ddac914 100644 --- a/terraform/deployments/elasticache/main.tf +++ b/terraform/deployments/elasticache/main.tf @@ -22,12 +22,13 @@ provider "aws" { region = "eu-west-1" default_tags { tags = { - Product = "GOV.UK" - System = "GOVUK ElastiCache" - Environment = var.govuk_environment - Owner = "govuk-platform-engineering@digital.cabinet-office.gov.uk" + product = "govuk" + system = "govuk-platform-engineering" + service = "elasticache" + environment = var.govuk_environment + owner = "govuk-platform-engineering@digital.cabinet-office.gov.uk" repository = "govuk-infrastructure" - terraform_deployment = basename(abspath(path.root)) + terraform-deployment = basename(abspath(path.root)) } } } diff --git a/terraform/deployments/github/main.tf b/terraform/deployments/github/main.tf index 2625e191e..bfff5b987 100644 --- a/terraform/deployments/github/main.tf +++ b/terraform/deployments/github/main.tf 
@@ -22,11 +22,12 @@ provider "aws" { default_tags { tags = { - Product = "GOV.UK" - System = "GitHub" - Owner = "govuk-platform-engineering@digital.cabinet-office.gov.uk" + product = "govuk" + system = "github" + environment = "production" + owner = "govuk-platform-engineering@digital.cabinet-office.gov.uk" repository = "govuk-infrastructure" - terraform_deployment = basename(abspath(path.root)) + terraform-deployment = basename(abspath(path.root)) } } } diff --git a/terraform/deployments/govuk-publishing-infrastructure/main.tf b/terraform/deployments/govuk-publishing-infrastructure/main.tf index 7b0a45bd2..f6b7b6410 100644 --- a/terraform/deployments/govuk-publishing-infrastructure/main.tf +++ b/terraform/deployments/govuk-publishing-infrastructure/main.tf @@ -37,11 +37,12 @@ locals { private_subnet_ids = [for name, subnet in data.tfe_outputs.vpc.nonsensitive_values.private_subnet_ids : subnet if contains(local.target_private_subnets, name)] default_tags = { - Product = "GOV.UK" - Environment = var.govuk_environment - Owner = "govuk-platform-engineering@digital.cabinet-office.gov.uk" + product = "govuk" + system = "govuk-publishing" + environment = var.govuk_environment + owner = "govuk-platform-engineering@digital.cabinet-office.gov.uk" repository = "govuk-infrastructure" - terraform_deployment = basename(abspath(path.root)) + terraform-deployment = basename(abspath(path.root)) } } diff --git a/terraform/deployments/logging/main.tf b/terraform/deployments/logging/main.tf index 0a0a54459..b9219a734 100644 --- a/terraform/deployments/logging/main.tf +++ b/terraform/deployments/logging/main.tf 
@@ -18,10 +18,11 @@ provider "aws" { region = "eu-west-1" default_tags { tags = { - Product = "GOV.UK" - System = "Logging" - Environment = var.govuk_environment - Owner = "govuk-platform-engineering@digital.cabinet-office.gov.uk" + product = "govuk" + system = "govuk-platform-engineering" + service = "logging" + environment = var.govuk_environment + owner = "govuk-platform-engineering@digital.cabinet-office.gov.uk" repository = "govuk-infrastructure" terraform_deployment = basename(abspath(path.root)) } @@ -30,8 +31,9 @@ provider "aws" { provider "google" { default_labels = { - product = "gov-uk" - system = "terraform-cloud" + product = "govuk" + system = "govuk-platform-engineering" + service = "logging" environment = var.govuk_environment owner = "govuk-platform-engineering" repository = "govuk-infrastructure" diff --git a/terraform/deployments/mobile-backend/main.tf b/terraform/deployments/mobile-backend/main.tf index 4541b526e..86b1e9426 100644 --- a/terraform/deployments/mobile-backend/main.tf +++ b/terraform/deployments/mobile-backend/main.tf @@ -23,12 +23,12 @@ provider "aws" { region = "eu-west-1" default_tags { tags = { - Product = "GOV.UK" - System = "GOV.UK App" - Environment = var.govuk_environment - Owner = "govuk-app-engineering@digital.cabinet-office.gov.uk" + product = "govuk" + system = "govuk-app" + environment = var.govuk_environment + owner = "govuk-app-engineering@digital.cabinet-office.gov.uk" repository = "govuk-infrastructure" - terraform_deployment = basename(abspath(path.root)) + terraform-deployment = basename(abspath(path.root)) } } } diff --git a/terraform/deployments/opensearch/main.tf b/terraform/deployments/opensearch/main.tf index 9da564ff3..f0ad2664f 100644 --- a/terraform/deployments/opensearch/main.tf +++ b/terraform/deployments/opensearch/main.tf 
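Review bot: In logging/main.tf the AWS `default_tags` map still ends with `terraform_deployment = basename(abspath(path.root))`, while every other provider block in this commit and the updated tagging guide use `terraform-deployment`. Change the line to `terraform-deployment = basename(abspath(path.root))` so that a query on the new key also finds the logging resources. The `google` provider block continues below the second hunk, so its remaining label keys cannot be checked from here.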
@@ -16,6 +16,17 @@ terraform { provider "aws" { region = var.aws_region + default_tags { + tags = { + product = "govuk" + system = "govuk-chat" + service = "opensearch" + environment = var.govuk_environment + owner = "govuk-platform-engineering@digital.cabinet-office.gov.uk" + repository = "govuk-infrastructure" + terraform-deployment = basename(abspath(path.root)) + } + } } locals { diff --git a/terraform/deployments/rds/main.tf b/terraform/deployments/rds/main.tf index 46064b220..518e6e3ca 100644 --- a/terraform/deployments/rds/main.tf +++ b/terraform/deployments/rds/main.tf @@ -24,13 +24,14 @@ provider "aws" { region = var.aws_region default_tags { tags = { - Product = "GOV.UK" - System = "EKS RDS" - Environment = var.govuk_environment - Owner = "govuk-platform-engineering@digital.cabinet-office.gov.uk" + product = "govuk" + system = "govuk-platform-engineering" + service = "rds" + environment = var.govuk_environment + owner = "govuk-platform-engineering@digital.cabinet-office.gov.uk" cluster = "govuk" repository = "govuk-infrastructure" - terraform_deployment = basename(abspath(path.root)) + terraform-deployment = basename(abspath(path.root)) } } } diff --git a/terraform/deployments/rds/rds.tf b/terraform/deployments/rds/rds.tf index 559dbda22..5ad31f243 100644 --- a/terraform/deployments/rds/rds.tf +++ b/terraform/deployments/rds/rds.tf 
@@ -83,7 +83,15 @@ resource "aws_db_instance" "instance" { final_snapshot_identifier = "${each.value.name}-final-snapshot" skip_final_snapshot = var.skip_final_snapshot - tags = { Name = "govuk-rds-${each.value.name}-${each.value.engine}", project = lookup(each.value, "project", "GOV.UK - Other") } + tags = { + Name = "govuk-rds-${each.value.name}-${each.value.engine}" # Keep this as I'm not sure what it's used for + product = "govuk" + system = "govuk-${each.value.name}" + service = "rds-${each.value.engine}" + environment = var.govuk_environment + owner = "${each.value.name}" + repository = "govuk-infrastructure" + } lifecycle { ignore_changes = [identifier] } } @@ -140,7 +148,16 @@ resource "aws_db_instance" "replica" { skip_final_snapshot = true - tags = { Name = "govuk-rds-${each.value.name}-${each.value.engine}-replica", project = lookup(each.value, "project", "GOV.UK - Other") } + tags = { + Name = "govuk-rds-${each.value.name}-${each.value.engine}" # Keep this as I'm not sure what it's used for + product = "govuk" + system = "govuk-${each.value.name}" + service = "rds-${each.value.engine}" + environment = var.govuk_environment + owner = "${each.value.name}" + repository = "govuk-infrastructure" + } + lifecycle { ignore_changes = [identifier] } } diff --git a/terraform/deployments/release/main.tf b/terraform/deployments/release/main.tf index b9693c9ee..f8d2124c2 100644 --- a/terraform/deployments/release/main.tf +++ b/terraform/deployments/release/main.tf 
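Review bot: `owner = "${each.value.name}"` in `aws_db_instance.instance` sets the owner tag to the database name, whereas the tagging guide updated in this commit defines `owner` as an email address. Resource-level tags take precedence over provider `default_tags`, so this also replaces the team address set in rds/main.tf. Deleting the line lets the default apply; a per-database owner would need something like `owner = lookup(each.value, "owner", "<team address>")`, which assumes an `owner` attribute the visible code does not define. The same line appears in the replica hunk, and the old `project = lookup(each.value, "project", "GOV.UK - Other")` tag is removed in both without a replacement. The resource body starts and ends outside the hunk.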
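Review bot: The replica's `Name` tag loses its `-replica` suffix, so `aws_db_instance.replica` now carries the same `Name` as its primary and the two cannot be told apart by that tag. The trailing comment says the tag is being kept unchanged, so this looks like a copy from the instance block; restore `Name = "govuk-rds-${each.value.name}-${each.value.engine}-replica"`. If the distinction should also exist under the new scheme, `service = "rds-${each.value.engine}-replica"` would carry it.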
@@ -23,13 +23,13 @@ provider "aws" { region = "eu-west-1" default_tags { tags = { - Product = "GOV.UK" - System = "EKS release assumer" - Environment = var.govuk_environment - Owner = "govuk-platform-engineering@digital.cabinet-office.gov.uk" + product = "govuk" + system = "govuk-release" + environment = var.govuk_environment + owner = "govuk-platform-engineering@digital.cabinet-office.gov.uk" cluster = "govuk" repository = "govuk-infrastructure" - terraform_deployment = basename(abspath(path.root)) + terraform-deployment = basename(abspath(path.root)) } } } diff --git a/terraform/deployments/root-dns/main.tf b/terraform/deployments/root-dns/main.tf index 1ba34a85b..0f9b199c7 100644 --- a/terraform/deployments/root-dns/main.tf +++ b/terraform/deployments/root-dns/main.tf @@ -18,12 +18,13 @@ provider "aws" { region = var.aws_region default_tags { tags = { - Product = "GOV.UK" - System = "DNS" - Environment = var.govuk_environment - Owner = "govuk-platform-engineering@digital.cabinet-office.gov.uk" + product = "govuk" + system = "govuk-platform-engineering" + service = "dns" + environment = var.govuk_environment + owner = "govuk-platform-engineering@digital.cabinet-office.gov.uk" repository = "govuk-infrastructure" - terraform_deployment = basename(abspath(path.root)) + terraform-deployment = basename(abspath(path.root)) } } } diff --git a/terraform/deployments/security/provider.tf b/terraform/deployments/security/provider.tf index 79ea39d61..3367e0269 100644 --- a/terraform/deployments/security/provider.tf +++ b/terraform/deployments/security/provider.tf 
@@ -18,12 +18,13 @@ provider "aws" { region = "eu-west-1" default_tags { tags = { - Product = "GOV.UK" - System = "Security" - Environment = var.govuk_environment - Owner = "govuk-platform-engineering@digital.cabinet-office.gov.uk" + product = "govuk" + system = "govuk-platform-engineering" + service = "security" + environment = var.govuk_environment + owner = "govuk-platform-engineering@digital.cabinet-office.gov.uk" repository = "govuk-infrastructure" - terraform_deployment = basename(abspath(path.root)) + terraform-deployment = basename(abspath(path.root)) } } } diff --git a/terraform/deployments/tfc-aws-config/provider.tf b/terraform/deployments/tfc-aws-config/provider.tf index f831cac2d..d905be290 100644 --- a/terraform/deployments/tfc-aws-config/provider.tf +++ b/terraform/deployments/tfc-aws-config/provider.tf @@ -32,12 +32,13 @@ provider "aws" { region = "eu-west-1" default_tags { tags = { - Product = "GOV.UK" - System = "Terraform Cloud" - Environment = var.govuk_environment - Owner = "govuk-platform-engineering@digital.cabinet-office.gov.uk" + product = "govuk" + system = "govuk-platform-engineering" + service = "tfc-aws-config" + environment = var.govuk_environment + owner = "govuk-platform-engineering@digital.cabinet-office.gov.uk" repository = "govuk-infrastructure" - terraform_deployment = basename(abspath(path.root)) + terraform-deployment = basename(abspath(path.root)) } } } diff --git a/terraform/deployments/vpc/main.tf b/terraform/deployments/vpc/main.tf index b7218235f..6d7955ec1 100644 --- a/terraform/deployments/vpc/main.tf +++ b/terraform/deployments/vpc/main.tf 
@@ -18,12 +18,13 @@ provider "aws" { region = "eu-west-1" default_tags { tags = { - Product = "GOV.UK" - System = "VPC" - Environment = var.govuk_environment - Owner = "govuk-platform-engineering@digital.cabinet-office.gov.uk" + product = "govuk" + system = "govuk-platform-engineering" + service = "vpc" + environment = var.govuk_environment + owner = "govuk-platform-engineering@digital.cabinet-office.gov.uk" repository = "govuk-infrastructure" - terraform_deployment = basename(abspath(path.root)) + terraform-deployment = basename(abspath(path.root)) } } } diff --git a/terraform/docs/tagging-guide.md b/terraform/docs/tagging-guide.md index 8b51262a3..ea0fdf0d3 100644 --- a/terraform/docs/tagging-guide.md +++ b/terraform/docs/tagging-guide.md 
@@ -1,100 +1,32 @@ # Overview + This document will describe the tagging strategy to be used within govuk-infrastructure Terraform code which will be used to create resources in the AWS environment infrastructure. Tagging is required so that cost and resource utilisation can be processed, with an added benefit of AWS console **Tag Key** searching. # Tagging Table -The following table highlights the tags **Tag Key** that should added to the AWS resources listed in the section "AWS Resources that can be tagged". +The following table highlights the tags **Tag Key** that should added to AWS resources. The common column distinguishes between Tags that have been added as part of an default set and represented by **yes** and those which are unique per service represented by **no** | **Tag Key** | **Tag Value(s)** | **Description** | **Example** | **Common** | |--|--|--|--|--| | Name | [ServiceName]-[Environment]-[Workspace] | This is the identifiable name of the service. | publisher-test-default | no | -| chargeable_entity | govuk-publishing-platform-[Environment] | This is required for billing. | govuk-publishing-platform-test | yes | -| environment | test integration staging production | Environment area to which this belongs. | test | yes | -|project | replatforming | This is the project under which this was developed. | replatforming | yes | +| product | GOV.UK | The product this resource belongs to. | GOV.UK | yes | +| system | Authentication, Identity proofing and verification core, VPC, etc. | The name of the software system (avoid abbreviations). | VPC | yes | +| environment | production, staging, integration, development | Environment area to which this belongs. | production | yes | +| owner | Email address for resource owner | Individual email for dev environments, group email elsewhere. | | yes | +| service | account management, session storage, front end, etc. | Function of the particular resource (optional). 
| session storage | no | | repository | govuk-aws govuk-infrastructure | This is the Git repo where this service resides. | govuk-infrastructure | yes | -| terraform_deployment | cluster-infrastructure cluster-services ecr govuk-publishing-infrastructure | The source directory where the resource's Terraform code resides. | cluster-infrastructure | yes | -|terraform_workspace | default bill chris fred karl nadeem steve roch towers | This should be the name of the terraform workspace that created the service. | default | yes | - - - -# Tag Policy -- Below example of a correct local tag definition for the non common **Tag Key** Name. -``` -tags = merge( - local.additional_tags, - { - Name = "publisher-${var.environment}-${local.workspace}" - } -``` -- Below example of a correct module tag definition for the non common **Tag Key** Name -``` -tags = merge( - var.additional_tags, - { - Name = "publisher-${var.environment}-${var.workspace}" - } -``` - -- Below example of local common tags defined in the main.tf file -``` -locals { - additional_tags = { - chargeable_entity = "govuk-publishing-platform-${var.govuk_environment}" - environment = var.govuk_environment - project = "replatforming" - repository = "govuk-infrastructure" - terraform_deployment = "govuk-publishing-platform" - terraform_workspace = terraform.workspace - } -} -``` - -**IMPORTANT :-** -- The **Key** attribute **Name** should start with an Uppercase letter and the rest should be lowercase with no spaces. -- The **Value** attribute should be lowercase and no spaces however hyphens can be used. +| terraform-deployment | cluster-infrastructure cluster-services ecr govuk-publishing-infrastructure | The source directory where the resource's Terraform code resides. | cluster-infrastructure | yes | **NOTES :-** -- All listed resources from below should be made compliant. -- Common Tags have been added as **locals** with in the deployment terraform **main** file. 
-- This tagging strategy should ideally be replicated to other and new yet to be deployed environments such as **integration** - -# AWS Resources -## Can be tagged -The following lists the resources that **should** be tagged:- - -- AWS::EC2::SecurityGroup -- AWS::EC2::Subnet -- AWS::ECR::Repository -- AWS::ECS::Cluster -- AWS::ECS::Service -- AWS::ECS::TaskDefinition -- AWS::ElastiCache::ReplicationGroup -- AWS::ElasticLoadBalancingV2::TargetGroup -- AWS::ElasticLoadBalancing::LoadBalancer -- AWS::ElasticLoadBalancingV2::LoadBalancer -- AWS::Lambda::Function -- AWS::S3::Bucket -- AWS::ACM::Certificate -## Can NOT be tagged -The following is a list of AWS resources that do NOT support tags :- - -- AWS::CloudWatch::Alarm -- AWS::EC2::SecurityGroupIngress -- AWS::EC2::SubnetRouteTableAssociation -- AWS::ElasticLoadBalancingV2::Listener -- AWS::IAM::Policy -- AWS::IAM::Role -- AWS::IAM::ManagedPolicy -- AWS::Logs::LogStream -- AWS::Route53::HostedZone -- AWS::Route53::RecordSet -- AWS::S3::BucketPolicy -- AWS::WAFRegional::IPSet -- AWS::WAFRegional::WebACL +- Common Tags are implemented via AWS provider **default_tags** in the deployment terraform **main** file. +- Additional resource-specific tags should use the merge pattern with locals when needed. +- This tagging strategy applies to all environments (production, staging, integration). # Reference content + - For the definitive list of AWS resources that support tagging see [here](https://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/supported-resources.html) +- The tagging strategy is also defined in the [GDS Ways](https://gds-way.digital.cabinet-office.gov.uk/manuals/aws-tagging.html#alerting-and-enforcement)