0
votes

Terraform v0.11.9 + provider.aws v1.41.0

I want to know if there is a way to update a resource that is not directly created in the plan but by a resource in the plan. The example is creating a managed Active Directory by using aws_directory_service_directory. This process creates a security group, and I want to add tags to that security group. Here is the snippet I'm using to create the resource:

resource "aws_directory_service_directory" "NewDS" {
  name       = "${local.DSFQDN}"
  password   = "${var.ADPassword}"
  size       = "Large"
  type       = "MicrosoftAD"
  short_name = "${local.DSShortName}"

  vpc_settings {
    vpc_id = "${aws_vpc.this.id}"
    subnet_ids = ["${aws_subnet.private.0.id}",
      "${aws_subnet.private.1.id}",
    ]
  }
  tags = "${merge(var.tags, var.ds_tags, map("Name", format("%s", local.VPCname)))}"
}

I can reference the newly created security group using

"${aws_directory_service_directory.NewDS.security_group_id}"

I can't use that to update the resource. I want to add all of the tags I have on the directory to the security group, as well as update the Name tag. I've tried using a local-exec provisioner, but the results have not been consistent, and getting the map of tags to the command without hard coding it has not worked.

Thanks

4
That's a tough one! TF can't set the tags directly since it's not creating the resource itself. I feel like using the local-exec provisioner still has hope; can you expand on what you've tried there? – KJH
So I tried the local provider and that now appears to be working. I moved the local provider out of the directory service resource and into a dummy resource:
  resource "null_resource" "ManagedADTags" {
    provisioner "local-exec" {
      command = "aws --profile ${var.profile} --region ${var.region} ec2 create-tags --resources ${aws_directory_service_directory.NewDS.security_group_id} --tags Key=Name,Value=${format("${local.security_group_prefix}-%s","ManagedAD")}"
    }
  }
Using the format command allowed me to send the entire list of tags to the resource. – Drew K
Great! If that solution worked for you, you could post it as the answer and even accept it after 48 hrs. – KJH

4 Answers

1
votes

You can then leverage the aws_ec2_tag resource, which works on non-EC2 resources as well, in conjunction with the provider attribute ignore_tags. Please refer to another answer I made on the topic for more detail.
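As an added illustration of this answer (not code from the original page or from the answerer): a configuration that gives each tag on the directory's security group its own aws_ec2_tag resource, with the provider's ignore_tags block covering keys the service writes on its own. It assumes Terraform 0.12.6 or later (for_each on a resource), an aws provider release that ships aws_ec2_tag (2.x or later; the v1.41.0 in the question predates it), the var.tags, var.ds_tags, local.security_group_prefix and NewDS names from the thread, and an "sg:" key prefix chosen for the example.

```hcl
# Added example, not the answer's own code. Assumes Terraform >= 0.12.6 and an
# aws provider that ships aws_ec2_tag (2.x or later). var.tags, var.ds_tags,
# local.security_group_prefix and aws_directory_service_directory.NewDS come
# from the question and comments; the "sg:" prefix is an assumption.

provider "aws" {
  region = var.region

  # Keys under these prefixes are left out of the tag diff of every other
  # resource this provider manages (aws_ec2_tag itself is exempt), so tags an
  # outside system writes do not show up as drift. Do not list a key that the
  # directory's own tags argument also sets (such as Name): a key managed in
  # both places produces a perpetual difference on that resource.
  ignore_tags {
    key_prefixes = ["sg:"]
  }
}

locals {
  # Everything the directory carries, plus a Name specific to the security
  # group and one key under the ignored prefix (both assumed for the example).
  sg_tags = merge(
    var.tags,
    var.ds_tags,
    {
      "Name"     = "${local.security_group_prefix}-ManagedAD"
      "sg:owner" = "directory-service"
    },
  )
}

# One aws_ec2_tag per key. The security group itself stays outside state, but
# each tag is now tracked: a changed value is updated in place and a key
# removed from the map is deleted from the group on the next apply.
resource "aws_ec2_tag" "managed_ad_sg" {
  for_each = local.sg_tags

  resource_id = aws_directory_service_directory.NewDS.security_group_id
  key         = each.key
  value       = each.value
}
```

The credentials running the apply need ec2:CreateTags and ec2:DeleteTags on the security group; ec2:DescribeTags is what the provider uses to read the current value back on refresh.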

0
votes

I moved the local provider out of the directory service resource and into a dummy resource.

resource "null_resource" "ManagedADTags" {
  provisioner "local-exec" {
    command = "aws --profile ${var.profile} --region ${var.region} ec2 create-tags --resources ${aws_directory_service_directory.NewDS.security_group_id} --tags Key=Name,Value=${format("${local.security_group_prefix}-%s","ManagedAD")}"
  }
}

(The command = is a single line) Using the format command allowed me to send the entire list of tags to the resource. Terraform doesn't "manage" it, but it does allow me to update it as part of the plan.
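As an added example for this answer (not Drew K's code): the same null_resource, extended so the whole tag map reaches the CLI without hard coding any key, and so the command runs again when the map or the security group changes. It stays in the Terraform 0.11 syntax of the thread and assumes var.profile, var.region, var.tags, var.ds_tags, local.security_group_prefix and aws_directory_service_directory.NewDS from the question and comments.

```hcl
# Added example, not the answer's own code; Terraform 0.11 syntax as in the
# question. Assumes var.profile, var.region, var.tags, var.ds_tags,
# local.security_group_prefix and aws_directory_service_directory.NewDS.
locals {
  # Tags for the security group: everything the directory gets, plus its own Name.
  sg_tags = "${merge(var.tags, var.ds_tags, map("Name", format("%s-ManagedAD", local.security_group_prefix)))}"

  # keys() returns the keys sorted and values() follows that same order, so
  # formatlist pairs them into one Key=...,Value=... shorthand per tag. Each
  # entry is single-quoted so a value containing spaces survives the shell; a
  # value containing a single quote would still need escaping.
  sg_tag_args = "${join(" ", formatlist("'Key=%s,Value=%s'", keys(local.sg_tags), values(local.sg_tags)))}"
}

resource "null_resource" "ManagedADTags" {
  # A local-exec provisioner runs only when the null_resource is created.
  # Changing a trigger replaces the resource, which is what re-applies the
  # tags after the map or the group id changes.
  triggers = {
    security_group_id = "${aws_directory_service_directory.NewDS.security_group_id}"
    tags              = "${jsonencode(local.sg_tags)}"
  }

  provisioner "local-exec" {
    command = "aws --profile ${var.profile} --region ${var.region} ec2 create-tags --resources ${aws_directory_service_directory.NewDS.security_group_id} --tags ${local.sg_tag_args}"
  }
}
```

Two limits of this approach: create-tags overwrites the keys it is given but never removes a key you drop from the map, and terraform destroy does not delete the tags, since the security group is never in state. The credentials used by the CLI profile need ec2:CreateTags on the group.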

0
votes

AWS already exposes an API for that, where you can tag resources, not just a resource. Not sure why Terraform is not implementing that.

-1
votes

Just hit this as well. Turns out the tags propagate from the directory service. So if you tag your directory appropriately, the name tag from your directory service will be applied to the security group.