From e34c7f21667f4f48225f54ab786682aef2033871 Mon Sep 17 00:00:00 2001 From: Damian Rekosz Date: Fri, 17 Oct 2025 10:32:25 +0200 Subject: [PATCH] feat(runner-binaries-syncer): add s3_tags variable for additional S3 bucket tagging --- main.tf | 1 + modules/multi-runner/main.tf | 9 +++++++++ modules/multi-runner/runner-binaries.tf | 1 + modules/multi-runner/variables.tf | 8 ++++++++ modules/runner-binaries-syncer/main.tf | 2 +- modules/runner-binaries-syncer/variables.tf | 6 ++++++ variables.tf | 6 ++++++ 7 files changed, 32 insertions(+), 1 deletion(-) diff --git a/main.tf b/main.tf index 9c72614808..e079c8f83e 100644 --- a/main.tf +++ b/main.tf @@ -308,6 +308,7 @@ module "runner_binaries" { state_event_rule_binaries_syncer = var.state_event_rule_binaries_syncer server_side_encryption_configuration = var.runner_binaries_s3_sse_configuration + s3_tags = var.runner_binaries_s3_tags s3_versioning = var.runner_binaries_s3_versioning role_path = var.role_path diff --git a/modules/multi-runner/main.tf b/modules/multi-runner/main.tf index 905cc7f793..908d8e8deb 100644 --- a/modules/multi-runner/main.tf +++ b/modules/multi-runner/main.tf @@ -16,6 +16,15 @@ locals { tmp_distinct_list_unique_os_and_arch = distinct([for i, config in local.runner_config : { "os_type" : config.runner_config.runner_os, "architecture" : config.runner_config.runner_architecture } if config.runner_config.enable_runner_binaries_syncer]) unique_os_and_arch = { for i, v in local.tmp_distinct_list_unique_os_and_arch : "${v.os_type}_${v.architecture}" => v } + s3_tags = { + for os_arch, tags_lists in { + for i, config in local.runner_config : + "${config.runner_config.runner_os}_${config.runner_config.runner_architecture}" => [config.runner_config.runner_binaries_s3_tags]... + if config.runner_config.enable_runner_binaries_syncer + } : + os_arch => merge(var.runner_binaries_s3_tags, merge(flatten(tags_lists)...)) + } + ssm_root_path = "/${var.ssm_paths.root}/${var.prefix}" } 
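Review bot: In the new `s3_tags` local in modules/multi-runner/main.tf, every runner configuration with the same OS/architecture pair feeds one map entry, and `merge(flatten(tags_lists)...)` resolves duplicate keys silently in favour of whichever configuration comes last in the grouping. The entry is looked up by `each.key` in runner-binaries.tf, so the tags presumably land on one bucket shared by those configurations, and the description added in modules/multi-runner/variables.tf ("for this runner configuration") overstates the isolation. Where bucket tags feed IAM conditions, tag policies or classification reports, that quiet override deserves at least a comment above the local, e.g. `# One entry per os_arch: tags of all configs sharing it are merged; on duplicate keys the last config wins.` The enclosing `locals` block starts outside the hunk.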
diff --git a/modules/multi-runner/runner-binaries.tf b/modules/multi-runner/runner-binaries.tf index 3e20beea5a..7eb9166320 100644 --- a/modules/multi-runner/runner-binaries.tf +++ b/modules/multi-runner/runner-binaries.tf @@ -25,6 +25,7 @@ module "runner_binaries" { state_event_rule_binaries_syncer = var.state_event_rule_binaries_syncer server_side_encryption_configuration = var.runner_binaries_s3_sse_configuration + s3_tags = local.s3_tags[each.key] s3_versioning = var.runner_binaries_s3_versioning role_path = var.role_path diff --git a/modules/multi-runner/variables.tf b/modules/multi-runner/variables.tf index edbdb33059..f23259c916 100644 --- a/modules/multi-runner/variables.tf +++ b/modules/multi-runner/variables.tf @@ -114,6 +114,7 @@ variable "multi_runner_config" { cloudwatch_config = optional(string, null) userdata_pre_install = optional(string, "") userdata_post_install = optional(string, "") + runner_binaries_s3_tags = optional(map(string), {}) runner_hook_job_started = optional(string, "") runner_hook_job_completed = optional(string, "") runner_ec2_tags = optional(map(string), {}) 
@@ -222,6 +223,7 @@ variable "multi_runner_config" { cloudwatch_config: "(optional) Replaces the module default cloudwatch log config. See https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-Agent-Configuration-File-Details.html for details." userdata_pre_install: "Script to be ran before the GitHub Actions runner is installed on the EC2 instances" userdata_post_install: "Script to be ran after the GitHub Actions runner is installed on the EC2 instances" + runner_binaries_s3_tags: "Map of tags that will be added to the S3 bucket used by the runner binaries syncer for this runner configuration. Note these are additional tags to the default tags." runner_hook_job_started: "Script to be ran in the runner environment at the beginning of every job" runner_hook_job_completed: "Script to be ran in the runner environment at the end of every job" runner_ec2_tags: "Map of tags that will be added to the launch template instance tag specifications." @@ -404,6 +406,12 @@ variable "runner_binaries_s3_sse_configuration" { } } +variable "runner_binaries_s3_tags" { + description = "Map of tags that will be added to the S3 bucket. Note these are additional tags to the default tags." + type = map(string) + default = {} +} + variable "runner_binaries_s3_versioning" { description = "Status of S3 versioning for runner-binaries S3 bucket. Once set to Enabled the change cannot be reverted via Terraform!" type = string diff --git a/modules/runner-binaries-syncer/main.tf b/modules/runner-binaries-syncer/main.tf index da783a063c..c1cbf382af 100644 --- a/modules/runner-binaries-syncer/main.tf +++ b/modules/runner-binaries-syncer/main.tf @@ -5,7 +5,7 @@ locals { resource "aws_s3_bucket" "action_dist" { bucket = var.distribution_bucket_name force_destroy = true - tags = var.tags + tags = merge(var.tags, var.s3_tags) } resource "aws_s3_bucket_ownership_controls" "this" { 
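Review bot: `merge(var.tags, var.s3_tags)` in modules/runner-binaries-syncer/main.tf gives `s3_tags` precedence, so a key that also exists in `var.tags` is replaced on the bucket, although the variable descriptions in this commit call these tags additional to the defaults. If the default tags carry ownership or classification values that policies or audits rely on, either state the precedence in the `s3_tags` description (for example `Keys that also exist in tags override the default value.`) or swap the arguments to `merge(var.s3_tags, var.tags)` so the defaults win. The same precedence applies in modules/multi-runner/main.tf, where per-configuration tags override `var.runner_binaries_s3_tags`.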
diff --git a/modules/runner-binaries-syncer/variables.tf b/modules/runner-binaries-syncer/variables.tf index d9b004cb4c..4a38fb24b0 100644 --- a/modules/runner-binaries-syncer/variables.tf +++ b/modules/runner-binaries-syncer/variables.tf @@ -45,6 +45,12 @@ variable "s3_logging_bucket_prefix" { } } +variable "s3_tags" { + description = "Map of tags that will be added to the S3 bucket. Note these are additional tags to the default tags." + type = map(string) + default = {} +} + variable "state_event_rule_binaries_syncer" { type = string description = "Option to disable EventBridge Lambda trigger for the binary syncer, useful to stop automatic updates of binary distribution" diff --git a/variables.tf b/variables.tf index f412d2a486..e5f5e23357 100644 --- a/variables.tf +++ b/variables.tf @@ -192,6 +192,12 @@ variable "runner_binaries_s3_sse_configuration" { } } +variable "runner_binaries_s3_tags" { + description = "Map of tags that will be added to the S3 bucket. Note these are additional tags to the default tags." + type = map(string) + default = {} +} + variable "runner_binaries_s3_versioning" { description = "Status of S3 versioning for runner-binaries S3 bucket. Once set to Enabled the change cannot be reverted via Terraform!" type = string