feat: add access tags support (#537)

Author: MatthewLemmond

README.md

@@ -67,6 +67,12 @@ You need the following permissions to run this module.
         - **Resource Group** \<your resource group>
         - `Viewer` resource group access
 
+To attach access management tags to resources in this module, you need the following permissions.
+
+- IAM Services
+    - **Tagging** service
+        - `Administrator` platform access
+
 <!-- BEGIN EXAMPLES HOOK -->
 ## Examples
 
@@ -114,6 +120,7 @@ You need the following permissions to run this module.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_access_tags"></a> [access\_tags](#input\_access\_tags) | A list of access tags to apply to the VPC resources created by the module. For more information, see https://cloud.ibm.com/docs/account?topic=account-access-tags-tutorial. | `list(string)` | `[]` | no |
 | <a name="input_address_prefixes"></a> [address\_prefixes](#input\_address\_prefixes) | OPTIONAL - IP range that will be defined for the VPC for a certain location. Use only with manual address prefixes | <pre>object({<br>    zone-1 = optional(list(string))<br>    zone-2 = optional(list(string))<br>    zone-3 = optional(list(string))<br>  })</pre> | <pre>{<br>  "zone-1": null,<br>  "zone-2": null,<br>  "zone-3": null<br>}</pre> | no |
 | <a name="input_classic_access"></a> [classic\_access](#input\_classic\_access) | OPTIONAL - Classic Access to the VPC | `bool` | `false` | no |
 | <a name="input_clean_default_acl"></a> [clean\_default\_acl](#input\_clean\_default\_acl) | Remove all rules from the default VPC ACL (less permissive) | `bool` | `false` | no |

examples/default/main.tf

@@ -48,6 +48,7 @@ module "slz_vpc" {
   name                                   = var.name
   prefix                                 = var.prefix
   tags                                   = var.resource_tags
+  access_tags                            = var.access_tags
   enable_vpc_flow_logs                   = var.enable_vpc_flow_logs
   create_authorization_policy_vpc_to_cos = var.create_authorization_policy_vpc_to_cos
   existing_cos_instance_guid             = ibm_resource_instance.cos_instance[0].guid

examples/default/variables.tf

@@ -34,6 +34,12 @@ variable "resource_tags" {
   default     = null
 }
 
+variable "access_tags" {
+  type        = list(string)
+  description = "Optional list of access tags to add to the VPC resources that are created"
+  default     = []
+}
+
 variable "enable_vpc_flow_logs" {
   type        = bool
   description = "Enable VPC Flow Logs, it will create Flow logs collector if set to true"

examples/landing_zone/main.tf

@@ -36,6 +36,7 @@ module "workload_vpc" {
   region                                 = var.region
   prefix                                 = var.prefix
   tags                                   = var.resource_tags
+  access_tags                            = var.access_tags
   enable_vpc_flow_logs                   = var.enable_vpc_flow_logs
   create_authorization_policy_vpc_to_cos = var.create_authorization_policy_vpc_to_cos
   existing_cos_instance_guid             = module.cos_bucket[0].cos_instance_guid

examples/landing_zone/variables.tf

@@ -28,6 +28,11 @@ variable "resource_tags" {
   default     = null
 }
 
+variable "access_tags" {
+  type        = list(string)
+  description = "Optional list of access tags to add to the VPC resources that are created"
+  default     = []
+}
 
 ##############################################################################
 # VPC flow logs variables

landing-zone-submodule/management-vpc/README.md

@@ -27,6 +27,7 @@ No resources.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_access_tags"></a> [access\_tags](#input\_access\_tags) | Optional list of access tags to add to the VPC resources that are created | `list(string)` | `[]` | no |
 | <a name="input_address_prefixes"></a> [address\_prefixes](#input\_address\_prefixes) | Use `address_prefixes` only if `use_manual_address_prefixes` is true otherwise prefixes will not be created. Use only if you need to manage prefixes manually. | <pre>object({<br>    zone-1 = optional(list(string))<br>    zone-2 = optional(list(string))<br>    zone-3 = optional(list(string))<br>  })</pre> | `null` | no |
 | <a name="input_classic_access"></a> [classic\_access](#input\_classic\_access) | Optionally allow VPC to access classic infrastructure network | `bool` | `null` | no |
 | <a name="input_clean_default_acl"></a> [clean\_default\_acl](#input\_clean\_default\_acl) | Remove all rules from the default VPC ACL (less permissive) | `bool` | `false` | no |

landing-zone-submodule/management-vpc/main.tf

@@ -6,6 +6,7 @@ module "management_vpc" {
   source                                 = "../../"
   name                                   = "management"
   tags                                   = var.tags
+  access_tags                            = var.access_tags
   resource_group_id                      = var.resource_group_id
   region                                 = var.region
   prefix                                 = var.prefix

landing-zone-submodule/management-vpc/variables.tf

@@ -21,6 +21,11 @@ variable "tags" {
   default     = []
 }
 
+variable "access_tags" {
+  type        = list(string)
+  description = "Optional list of access tags to add to the VPC resources that are created"
+  default     = []
+}
 
 #############################################################################
 # VPC variables

landing-zone-submodule/workload-vpc/README.md

@@ -28,6 +28,7 @@ No resources.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_access_tags"></a> [access\_tags](#input\_access\_tags) | Optional list of access tags to add to the VPC resources that are created | `list(string)` | `[]` | no |
 | <a name="input_address_prefixes"></a> [address\_prefixes](#input\_address\_prefixes) | Use `address_prefixes` only if `use_manual_address_prefixes` is true otherwise prefixes will not be created. Use only if you need to manage prefixes manually. | <pre>object({<br>    zone-1 = optional(list(string))<br>    zone-2 = optional(list(string))<br>    zone-3 = optional(list(string))<br>  })</pre> | `null` | no |
 | <a name="input_classic_access"></a> [classic\_access](#input\_classic\_access) | Optionally allow VPC to access classic infrastructure network | `bool` | `null` | no |
 | <a name="input_clean_default_acl"></a> [clean\_default\_acl](#input\_clean\_default\_acl) | Remove all rules from the default VPC ACL (less permissive) | `bool` | `false` | no |

landing-zone-submodule/workload-vpc/main.tf

@@ -6,6 +6,7 @@ module "workload_vpc" {
   source                                 = "../../"
   name                                   = "workload"
   tags                                   = var.tags
+  access_tags                            = var.access_tags
   resource_group_id                      = var.resource_group_id
   region                                 = var.region
   prefix                                 = var.prefix