Commit 0b6039f3 authored by Marat Salimzianov's avatar Marat Salimzianov Committed by Anton Babenko

iam-user,iam-assumable-role,iam-assumable-roles,iam-assumable-roles-with-saml tags support (#26)

* iam-user tags support

* Tags support for iam-assumable-role,iam-assumable-roles,iam-assumable-roles-with-saml modules
parent ca2372c8
......@@ -23,6 +23,7 @@ Trusted resources can be any [IAM ARNs](https://docs.aws.amazon.com/IAM/latest/U
| role\_path | Path of IAM role | string | `"/"` | no |
| role\_permissions\_boundary\_arn | Permissions boundary ARN to use for IAM role | string | `""` | no |
| role\_requires\_mfa | Whether role requires MFA | string | `"true"` | no |
| tags | A map of tags to add to all resources. | map | `"{}"` | no |
| trusted\_role\_arns | ARNs of AWS entities who can assume these roles | list | `[]` | no |
## Outputs
......
......@@ -46,6 +46,8 @@ resource "aws_iam_role" "this" {
permissions_boundary = "${var.role_permissions_boundary_arn}"
assume_role_policy = "${var.role_requires_mfa ? data.aws_iam_policy_document.assume_role_with_mfa.json : data.aws_iam_policy_document.assume_role.json}"
tags = "${var.tags}"
}
resource "aws_iam_role_policy_attachment" "custom" {
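Review bot: The new `tags = "${var.tags}"` line carries no warning that IAM role tags are not inert metadata: once the role is assumed, AWS evaluates the role's tags as `aws:PrincipalTag/<key>` on the session (and as `aws:ResourceTag` on the role itself), so a caller-supplied tag map can widen or narrow access wherever ABAC conditions are in use. A one-line comment above it would make that visible to module users: `# NOTE: role tags surface as aws:PrincipalTag on assumed sessions; review them like policy`. The `aws_iam_role.this` block starts before this hunk.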
......
......@@ -73,3 +73,9 @@ variable "attach_readonly_policy" {
description = "Whether to attach a readonly policy to a role"
default = false
}
variable "tags" {
description = "A map of tags to add to all resources."
type = "map"
default = "{}"
}
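Review bot: `default = "{}"` on the new `tags` variable is a quoted string, not an empty map, so it does not satisfy the declared `type = "map"`; the README table in this commit renders it as `"{}"` (quoted, unlike the unquoted `[]` list defaults), which is consistent with a string literal, and I would expect Terraform 0.11 to reject the type/default mismatch. Change it to `default = {}`. The description "add to all resources" also overstates what the hunk in main.tf does — only `aws_iam_role` is tagged, policy attachments cannot carry tags — and it should say that role tags are exposed as `aws:PrincipalTag` on assumed sessions, e.g. `description = "Tags for the IAM role (exposed as aws:PrincipalTag on sessions assumed from it)."`.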
......@@ -15,6 +15,7 @@ Creates single IAM role which can be assumed by trusted resources using SAML Fed
| admin\_role\_path | Path of admin IAM role | string | `"/"` | no |
| admin\_role\_permissions\_boundary\_arn | Permissions boundary ARN to use for admin role | string | `""` | no |
| admin\_role\_policy\_arns | List of policy ARNs to use for admin role | list | `[ "arn:aws:iam::aws:policy/AdministratorAccess" ]` | no |
| admin\_role\_tags | A map of tags to add to admin role resource. | map | `"{}"` | no |
| aws\_saml\_endpoint | AWS SAML Endpoint | list | `[ "https://signin.aws.amazon.com/saml" ]` | no |
| create\_admin\_role | Whether to create admin role | string | `"false"` | no |
| create\_poweruser\_role | Whether to create poweruser role | string | `"false"` | no |
......@@ -24,12 +25,14 @@ Creates single IAM role which can be assumed by trusted resources using SAML Fed
| poweruser\_role\_path | Path of poweruser IAM role | string | `"/"` | no |
| poweruser\_role\_permissions\_boundary\_arn | Permissions boundary ARN to use for poweruser role | string | `""` | no |
| poweruser\_role\_policy\_arns | List of policy ARNs to use for poweruser role | list | `[ "arn:aws:iam::aws:policy/PowerUserAccess" ]` | no |
| poweruser\_role\_tags | A map of tags to add to poweruser role resource. | map | `"{}"` | no |
| provider\_id | ID of the SAML Provider | string | n/a | yes |
| provider\_name | Name of the SAML Provider | string | n/a | yes |
| readonly\_role\_name | IAM role with readonly access | string | `"readonly"` | no |
| readonly\_role\_path | Path of readonly IAM role | string | `"/"` | no |
| readonly\_role\_permissions\_boundary\_arn | Permissions boundary ARN to use for readonly role | string | `""` | no |
| readonly\_role\_policy\_arns | List of policy ARNs to use for readonly role | list | `[ "arn:aws:iam::aws:policy/ReadOnlyAccess" ]` | no |
| readonly\_role\_tags | A map of tags to add to readonly role resource. | map | `"{}"` | no |
## Outputs
......
......@@ -28,6 +28,8 @@ resource "aws_iam_role" "admin" {
permissions_boundary = "${var.admin_role_permissions_boundary_arn}"
assume_role_policy = "${data.aws_iam_policy_document.assume_role_with_saml.json}"
tags = "${var.admin_role_tags}"
}
resource "aws_iam_role_policy_attachment" "admin" {
......@@ -48,6 +50,8 @@ resource "aws_iam_role" "poweruser" {
permissions_boundary = "${var.poweruser_role_permissions_boundary_arn}"
assume_role_policy = "${data.aws_iam_policy_document.assume_role_with_saml.json}"
tags = "${var.poweruser_role_tags}"
}
resource "aws_iam_role_policy_attachment" "poweruser" {
......@@ -68,6 +72,8 @@ resource "aws_iam_role" "readonly" {
permissions_boundary = "${var.readonly_role_permissions_boundary_arn}"
assume_role_policy = "${data.aws_iam_policy_document.assume_role_with_saml.json}"
tags = "${var.readonly_role_tags}"
}
resource "aws_iam_role_policy_attachment" "readonly" {
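Review bot: The three roles each get an independent `admin_role_tags` / `poweruser_role_tags` / `readonly_role_tags` map with no shared `tags` input, which diverges from the `iam-assumable-role` module in the same commit (a single `tags`) and forces callers to repeat account-wide tags three times. If a common map is wanted, `merge()` is available in 0.11: `tags = "${merge(var.tags, var.admin_role_tags)}"` (and likewise for the other two roles), with a `tags` variable defaulting to an empty map. Independently of that, these SAML-federated roles are the ones whose tags end up as `aws:PrincipalTag` on every federated session, so a comment such as `# NOTE: role tags become aws:PrincipalTag on federated sessions` next to each `tags` line would flag that they are authorization-relevant under ABAC. Each `aws_iam_role` block begins before its hunk.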
......
......@@ -39,6 +39,12 @@ variable "admin_role_permissions_boundary_arn" {
default = ""
}
variable "admin_role_tags" {
description = "A map of tags to add to admin role resource."
type = "map"
default = "{}"
}
# Poweruser
variable "create_poweruser_role" {
description = "Whether to create poweruser role"
......@@ -66,6 +72,12 @@ variable "poweruser_role_permissions_boundary_arn" {
default = ""
}
variable "poweruser_role_tags" {
description = "A map of tags to add to poweruser role resource."
type = "map"
default = "{}"
}
# Readonly
variable "create_readonly_role" {
description = "Whether to create readonly role"
......@@ -93,6 +105,12 @@ variable "readonly_role_permissions_boundary_arn" {
default = ""
}
variable "readonly_role_tags" {
description = "A map of tags to add to readonly role resource."
type = "map"
default = "{}"
}
variable "max_session_duration" {
description = "Maximum CLI/API session duration in seconds between 3600 and 43200"
default = 3600
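Review bot: All three new variables (`admin_role_tags`, `poweruser_role_tags`, `readonly_role_tags`) use `default = "{}"`, which is a string literal rather than an empty map and therefore conflicts with `type = "map"`; the README hunk rendering the default as `"{}"` with quotes, unlike the `[]` list defaults, points the same way, and I would expect Terraform 0.11 to refuse the declaration or hand callers a string. Use `default = {}` in each of the three blocks. The `max_session_duration` variable at the end of the last hunk continues outside it.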
......
......@@ -14,6 +14,7 @@ Trusted resources can be any [IAM ARNs](https://docs.aws.amazon.com/IAM/latest/U
| admin\_role\_permissions\_boundary\_arn | Permissions boundary ARN to use for admin role | string | `""` | no |
| admin\_role\_policy\_arns | List of policy ARNs to use for admin role | list | `[ "arn:aws:iam::aws:policy/AdministratorAccess" ]` | no |
| admin\_role\_requires\_mfa | Whether admin role requires MFA | string | `"true"` | no |
| admin\_role\_tags | A map of tags to add to admin role resource. | map | `"{}"` | no |
| create\_admin\_role | Whether to create admin role | string | `"false"` | no |
| create\_poweruser\_role | Whether to create poweruser role | string | `"false"` | no |
| create\_readonly\_role | Whether to create readonly role | string | `"false"` | no |
......@@ -24,11 +25,13 @@ Trusted resources can be any [IAM ARNs](https://docs.aws.amazon.com/IAM/latest/U
| poweruser\_role\_permissions\_boundary\_arn | Permissions boundary ARN to use for poweruser role | string | `""` | no |
| poweruser\_role\_policy\_arns | List of policy ARNs to use for poweruser role | list | `[ "arn:aws:iam::aws:policy/PowerUserAccess" ]` | no |
| poweruser\_role\_requires\_mfa | Whether poweruser role requires MFA | string | `"true"` | no |
| poweruser\_role\_tags | A map of tags to add to power role resource. | map | `"{}"` | no |
| readonly\_role\_name | IAM role with readonly access | string | `"readonly"` | no |
| readonly\_role\_path | Path of readonly IAM role | string | `"/"` | no |
| readonly\_role\_permissions\_boundary\_arn | Permissions boundary ARN to use for readonly role | string | `""` | no |
| readonly\_role\_policy\_arns | List of policy ARNs to use for readonly role | list | `[ "arn:aws:iam::aws:policy/ReadOnlyAccess" ]` | no |
| readonly\_role\_requires\_mfa | Whether readonly role requires MFA | string | `"true"` | no |
| readonly\_role\_tags | A map of tags to add to readonly role resource. | map | `"{}"` | no |
| trusted\_role\_arns | ARNs of AWS entities who can assume these roles | list | `[]` | no |
## Outputs
......
......@@ -47,6 +47,8 @@ resource "aws_iam_role" "admin" {
permissions_boundary = "${var.admin_role_permissions_boundary_arn}"
assume_role_policy = "${var.admin_role_requires_mfa ? data.aws_iam_policy_document.assume_role_with_mfa.json : data.aws_iam_policy_document.assume_role.json}"
tags = "${var.admin_role_tags}"
}
resource "aws_iam_role_policy_attachment" "admin" {
......@@ -67,6 +69,8 @@ resource "aws_iam_role" "poweruser" {
permissions_boundary = "${var.poweruser_role_permissions_boundary_arn}"
assume_role_policy = "${var.poweruser_role_requires_mfa ? data.aws_iam_policy_document.assume_role_with_mfa.json : data.aws_iam_policy_document.assume_role.json}"
tags = "${var.poweruser_role_tags}"
}
resource "aws_iam_role_policy_attachment" "poweruser" {
......@@ -87,6 +91,8 @@ resource "aws_iam_role" "readonly" {
permissions_boundary = "${var.readonly_role_permissions_boundary_arn}"
assume_role_policy = "${var.readonly_role_requires_mfa ? data.aws_iam_policy_document.assume_role_with_mfa.json : data.aws_iam_policy_document.assume_role.json}"
tags = "${var.readonly_role_tags}"
}
resource "aws_iam_role_policy_attachment" "readonly" {
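Review bot: Each of `admin`, `poweruser` and `readonly` is tagged from its own `*_role_tags` variable with no module-wide `tags` input, unlike `iam-assumable-role` in this same commit, so a caller that wants the same cost-centre or owner tags on all three has to pass the map three times. Consider a shared map folded in with `tags = "${merge(var.tags, var.admin_role_tags)}"` (and the same for `poweruser` and `readonly`), keeping the per-role variables as overrides. A short comment that role tags are evaluated as `aws:PrincipalTag` on assumed sessions would also be worth adding, since these roles are gated by MFA precisely because they are sensitive. The `aws_iam_role` blocks start before their hunks.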
......
......@@ -40,6 +40,12 @@ variable "admin_role_permissions_boundary_arn" {
default = ""
}
variable "admin_role_tags" {
description = "A map of tags to add to admin role resource."
type = "map"
default = "{}"
}
# Poweruser
variable "create_poweruser_role" {
description = "Whether to create poweruser role"
......@@ -72,6 +78,12 @@ variable "poweruser_role_permissions_boundary_arn" {
default = ""
}
variable "poweruser_role_tags" {
description = "A map of tags to add to power role resource."
type = "map"
default = "{}"
}
# Readonly
variable "create_readonly_role" {
description = "Whether to create readonly role"
......@@ -104,6 +116,12 @@ variable "readonly_role_permissions_boundary_arn" {
default = ""
}
variable "readonly_role_tags" {
description = "A map of tags to add to readonly role resource."
type = "map"
default = "{}"
}
variable "max_session_duration" {
description = "Maximum CLI/API session duration in seconds between 3600 and 43200"
default = 3600
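Review bot: `default = "{}"` in `admin_role_tags`, `poweruser_role_tags` and `readonly_role_tags` is a string, not a map, and so contradicts `type = "map"`; the README in this commit showing `"{}"` quoted (while list defaults appear as `[]`) is consistent with that, and I would expect Terraform 0.11 to reject it. Replace each with `default = {}`. The `poweruser_role_tags` description also reads "power role resource" where the sibling variables say "poweruser"; `description = "A map of tags to add to poweruser role resource."` keeps them parallel. `max_session_duration` at the end of the last hunk continues past it.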
......
......@@ -35,6 +35,7 @@ This module outputs commands and PGP messages which can be decrypted either usin
| pgp\_key | Either a base-64 encoded PGP public key, or a keybase username in the form keybase:username. Used to encrypt password and access key. | string | `""` | no |
| ssh\_key\_encoding | Specifies the public key encoding format to use in the response. To retrieve the public key in ssh-rsa format, use SSH. To retrieve the public key in PEM format, use PEM | string | `"SSH"` | no |
| ssh\_public\_key | The SSH public key. The public key must be encoded in ssh-rsa format or PEM format | string | `""` | no |
| tags | A map of tags to add to all resources. | map | `"{}"` | no |
| upload\_iam\_user\_ssh\_key | Whether to upload a public ssh key to the IAM user | string | `"false"` | no |
## Outputs
......
......@@ -5,6 +5,7 @@ resource "aws_iam_user" "this" {
path = "${var.path}"
force_destroy = "${var.force_destroy}"
permissions_boundary = "${var.permissions_boundary}"
tags = "${var.tags}"
}
resource "aws_iam_user_login_profile" "this" {
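Review bot: The new `tags = "${var.tags}"` on `aws_iam_user.this` is the only place the map is applied — login profiles, access keys and SSH keys do not support tags — so the variable's "all resources" wording is wider than what this line does. More importantly for a user principal, its tags are evaluated as `aws:PrincipalTag/<key>` on every request it makes, so the tag map is authorization input wherever ABAC conditions exist; a comment such as `# NOTE: user tags are evaluated as aws:PrincipalTag on the user's requests` above the line would make that explicit. The `aws_iam_user.this` block begins before this hunk.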
......
......@@ -57,6 +57,12 @@ variable "ssh_public_key" {
default = ""
}
variable "tags" {
description = "A map of tags to add to all resources."
type = "map"
default = "{}"
}
variable "permissions_boundary" {
description = "The ARN of the policy that is used to set the permissions boundary for the user."
default = ""
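Review bot: `default = "{}"` on the new `tags` variable is a string literal, which does not match `type = "map"`; the README hunk renders it as `"{}"` in quotes, unlike the unquoted list defaults elsewhere in these tables, and I would expect Terraform 0.11 to reject the mismatch. Use `default = {}`. The description could also be narrowed to what main.tf tags and flag the ABAC relevance: `description = "Tags for the IAM user (evaluated as aws:PrincipalTag on the user's requests)."`. The `permissions_boundary` variable at the end of the hunk continues outside it.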
......