Merge pull request #17 from mbevc1/20210105_tags

Add resource tags
trussworks · Jan 5, 2021 · f69d245 · f69d245
2 parents 63e7473 + b9e1748
commit f69d245
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -2,7 +2,7 @@
 
 Supports two main use cases:
 
-* Combines multiple Service Control Policy (SCP) statements based on the policies defined in [`terraform-aws-org-scp`](https://github.com/trussworks/terraform-aws-org-scp). Combining multiple policy statements into a single policy allows more than 5 policies to be be applied to a single Organizational Unit (OU).
+* Combines multiple Service Control Policy (SCP) statements - based on the module [`terraform-aws-org-scp`](https://github.com/trussworks/terraform-aws-org-scp) (_deprecated_). Combining multiple policy statements into a single policy allows more than 5 policies to be be applied to a single Organizational Unit (OU).
 * Alternatively, creates a "Deny All Access" Service Control Policy.
 
  Alternatively, enables creation of a "Deny All Access" Service Control Policy.
@@ -69,6 +69,11 @@ module "github_terraform_aws_ou_scp" {
 
   # require s3 objects be encrypted
   require_s3_encryption = true
+
+  # SCP policy tags
+  tags = {
+    managed_by = "terraform"
+  }
 }
 ```
 
@@ -119,6 +124,7 @@ module "github_terraform_aws_ou_scp" {
 | protect\_s3\_buckets | ProtectS3Buckets in the OU policy. | `bool` | `false` | no |
 | require\_s3\_encryption | DenyIncorrectEncryptionHeader and DenyUnEncryptedObjectUploads in the OU policy | `bool` | `false` | no |
 | target | OU resource to attach SCP | <pre>object({<br>    name = string<br>    id   = string<br>  })</pre> | n/a | yes |
+| tags | Tags to attach to the SCP policy resource | `map(string)` | <pre>[]</pre> | no |
 
 ## Outputs
 

diff --git a/main.tf b/main.tf
@@ -279,9 +279,11 @@ resource "aws_organizations_policy" "generated" {
   name        = "${var.target.name}-generated-ou-scp"
   description = "${var.target.name} SCP generated by ou-scp module"
   content     = var.deny_all ? data.aws_iam_policy_document.deny_all_access.json : data.aws_iam_policy_document.combined_policy_block.json
+
+  tags = var.tags
 }
 
 resource "aws_organizations_policy_attachment" "generated" {
   policy_id = aws_organizations_policy.generated.id
   target_id = var.target.id
-}
+}
diff --git a/variables.tf b/variables.tf
@@ -104,4 +104,10 @@ variable "allowed_regions" {
   description = "AWS Regions allowed for use (for use with the restrict regions SCP)"
   type        = list(string)
   default     = [""]
-}
+}
+
+variable "tags" {
+  description = "Tags applied to the SCP policy"
+  type        = map(string)
+  default     = []
+}