New feature: terraform target by tags #685
Conversation
sbkok
left a comment
sbkok
left a comment
There was a problem hiding this comment.
Thanks for contributing this feature, would be very useful to have!
...ebase/initial_commit/bootstrap_repository/adf-build/shared/helpers/terraform/get_accounts.py
Outdated
Show resolved
Hide resolved
...ebase/initial_commit/bootstrap_repository/adf-build/shared/helpers/terraform/get_accounts.py
Outdated
Show resolved
Hide resolved
...ebase/initial_commit/bootstrap_repository/adf-build/shared/helpers/terraform/get_accounts.py
Outdated
Show resolved
Hide resolved
| All filter clauses are applied with logical AND, all values in a single clause are applied with logical OR | ||
|
|
||
| **Eg:** `TARGET_TAGS=Name=environment,Values=prd,dev;Name=cost-center,Values=ccoe` will match all | ||
| accounts tagged with `environment=prd` OR `environment=dev` AND `cost-center = ccoe` |
There was a problem hiding this comment.
| accounts tagged with `environment=prd` OR `environment=dev` AND `cost-center = ccoe` | |
| accounts tagged with (`environment=prd` OR `environment=dev`) AND `cost-center=ccoe` |
| tag_filters | ||
| ) | ||
| organization_api_region = get_organization_api_region(REGION_DEFAULT) | ||
| print(organization_api_region) |
There was a problem hiding this comment.
| print(organization_api_region) |
| tag_values = tags.split(",", 1)[1].split("=")[1].split(",") | ||
| tag_filters.append({ | ||
| "Key": tag_name, | ||
| "Values": tag_values}) |
There was a problem hiding this comment.
| "Values": tag_values}) | |
| "Values": tag_values, | |
| }) |
| 'resourcegroupstaggingapi', | ||
| ( | ||
| f'arn:{PARTITION}:sts::{MANAGEMENT_ACCOUNT_ID}:role/' | ||
| f'{CROSS_ACCOUNT_ACCESS_ROLE}-readonly' |
There was a problem hiding this comment.
This will need to be updated to the new role added in v4.
| PARTITION = get_partition(REGION_DEFAULT) | ||
| sts = boto3.client('sts') | ||
| ssm = boto3.client('ssm') | ||
| organizations = boto3.client('organizations') |
There was a problem hiding this comment.
Could you change this to include a higher retry count?
Otherwise it might run into the rate limitation of the AWS Organizations API and fail.
This would be likely if multiple Terraform pipelines would run concurrently.
An example how to change it: https://github.com/awslabs/aws-deployment-framework/pull/774/files#diff-05a19c0ecc528b81f98611295fccbb53ec8ce9f20937f67308f3bc886e4a5018R83-R89
2 participants
Why?
With this new feature, terraform helper is able to target accounts matching a tag expressed as key=value. You can define multiple tags and all accounts matching at least one of the tags will become target of the pipeline.
What?
Description of changes:
get_accounts.pyorganizations:ListTagsForResourcepermission toadf-organizations-readonly-policyso that the pipeline role is able to fetch tag informationBy submitting this pull request, I confirm that you can use, modify, copy, and
redistribute this contribution, under the terms of your choice.