
Feature Request: AWS tag resources on creation #488

Closed
dlouzan opened this issue Jun 10, 2024 · 3 comments

Comments

@dlouzan

dlouzan commented Jun 10, 2024

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Please search the existing issues for relevant feature requests, and use the
reaction feature
(https://blog.github.com/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/)
to add upvotes to pre-existing requests.

Description

This is a general re-request of feature hashicorp/packer#4746. Basically support being able to provide tags to AWS resources on creation. Since the previous issue is blocked, it can't be commented on, nor upvoted.

This functionality would allow a much tighter set of IAM permissions.

Ansible 10 just recently added this capability: https://github.com/ansible-community/ansible-build-data/blob/main/10/CHANGELOG-v10.md#amazonaws. Having it on packer too would be really helpful.

Thanks!

@lbajolet-hashicorp
Contributor

Hi @dlouzan,

Since this is an AWS request, it's better served by the packer-plugin-amazon repo, so I'll transfer your issue over there.

That being said, Packer supports tagging created AMIs, both through the tags argument and through the run_tags argument (plus other attributes depending on what you're trying to tag). Could you provide an example of what you tried that didn't work?

Thanks

@lbajolet-hashicorp lbajolet-hashicorp transferred this issue from hashicorp/packer Jun 17, 2024
@lorengordon
Contributor

The referenced issue hashicorp/packer#4746 was actually implemented, not just closed. See PR hashicorp/packer#5196.

@dlouzan
Author

dlouzan commented Jul 5, 2024

@lorengordon Thanks for the confirmation. Using the latest plugin version I was indeed able to reconfigure our IAM user setup so that tags are only allowed on creation operations; now our packer IAM user cannot touch any other resources in the account/VPC 🎉

Simplified setup idea:

      {
        Sid    = "AllowCreateTagsOnlyOnNewEC2Resources"
        Effect = "Allow"
        Action = [
          "ec2:CreateTags"
        ]
        Resource = "*"
        Condition = {
          StringEquals = {
            "ec2:CreateAction" = [
              "CreateImage",
              "CreateKeyPair",
              "CreateSecurityGroup",
              "CreateSnapshot",
              "CreateVolume",
              "RunInstances",
            ]
          }
        }
      },
      {
        Sid    = "AllowEC2CreateActionsWhenTaggingOwner"
        Effect = "Allow"
        Action = [
          "ec2:CreateImage",
          "ec2:CreateKeyPair",
          "ec2:CreateSecurityGroup",
          "ec2:CreateSnapshot",
          "ec2:CreateVolume",
          "ec2:RunInstances",
        ]
        Resource = "*"
        Condition = {
          StringEquals = {
            "aws:RequestTag/Owner" = var.ec2-resource-tag-owner # RequestTag: tag must be provided as parameter
          }
          "ForAnyValue:StringEquals" = { # ForAnyValue: allow any other potential tags
            "aws:TagKeys" : [            # TagKeys: ensure case-sensitivity of request tag
              "Owner"
            ]
          }
        }
      },
      {
        Sid    = "AllowEC2UntaggedActions"
        Effect = "Allow"
        Action = [
          "ec2:CopyImage",
          "ec2:DescribeImageAttribute",
          ...
        ]
        Resource = "*"
      },
      {
        Sid    = "AllowEC2AllOtherActionsOnlyWhenOwnerTag"
        Effect = "Allow"
        Action = [
          "ec2:AttachVolume",
          "ec2:AuthorizeSecurityGroupEgress",
          "ec2:AuthorizeSecurityGroupIngress",
          "ec2:DeleteKeyPair",
          ...
        ]
        Resource = "*"
        Condition = {
          StringEquals = {
            "aws:ResourceTag/Owner" = var.ec2-resource-tag-owner # ResourceTag: tag must be already attached to the resources
          }
        }
      }

Just some hints for future readers:

  • The Packer config options tags and snapshot_tags try to overwrite the inherited run_tags on AMIs and snapshots at the end of the run (run_tags passes the tags properly on creation, as a tag specification on the AWS API), so you need to remove those options if present to support such a scenario, or you'll get permission denied errors
  • CloudTrail is a great helper for analyzing and fine tuning the setup when you get access denied errors

Thanks again for the project. Happy coding!

@dlouzan dlouzan closed this as completed Jul 5, 2024
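Added example, not part of the issue thread and not code from packer-plugin-amazon: a small Python model of how the four policy statements above evaluate an EC2 request, so the behaviour described in the hints (run_tags succeed because the tagging happens inside the create call, while tags/snapshot_tags are denied because the later CreateTags carries no ec2:CreateAction) can be reasoned about offline. It also models the case-sensitivity point from the policy comments: aws:RequestTag/Owner matches the key name case-insensitively, while ForAnyValue:StringEquals on aws:TagKeys is case-sensitive. The owner value, the action sets behind the "..." elisions and the packer_run call sequence are constructed assumptions; the real IAM evaluator is authoritative and the CloudTrail check in the hints remains the way to confirm it.

```python
# Added example: a toy evaluator for the tag-on-create IAM policy fragment above.
# It is NOT the AWS evaluator; it only models the condition keys used there.
from dataclasses import dataclass, field
from typing import Optional

OWNER = "packer-builder"  # constructed stand-in for var.ec2-resource-tag-owner

CREATE_ACTIONS = {"CreateImage", "CreateKeyPair", "CreateSecurityGroup",
                  "CreateSnapshot", "CreateVolume", "RunInstances"}
# Only the actions listed on the page; the "..." elisions are not filled in.
UNTAGGED_ACTIONS = {"ec2:CopyImage", "ec2:DescribeImageAttribute"}
OWNED_ONLY_ACTIONS = {"ec2:AttachVolume", "ec2:AuthorizeSecurityGroupEgress",
                      "ec2:AuthorizeSecurityGroupIngress", "ec2:DeleteKeyPair"}


@dataclass
class Request:
    """Request context as IAM sees it (constructed, simplified)."""
    action: str
    request_tags: dict = field(default_factory=dict)   # aws:RequestTag/*, aws:TagKeys
    resource_tags: dict = field(default_factory=dict)  # aws:ResourceTag/* on the target
    create_action: Optional[str] = None                # ec2:CreateAction, only inside a create call


def _tag_value_ci(tags, key):
    """aws:RequestTag/<key> and aws:ResourceTag/<key> match the key name case-insensitively."""
    for k, v in tags.items():
        if k.lower() == key.lower():
            return v
    return None


def allow_create_tags_on_new(req):
    """Sid AllowCreateTagsOnlyOnNewEC2Resources: CreateTags only as part of a create call."""
    return req.action == "ec2:CreateTags" and req.create_action in CREATE_ACTIONS


def allow_create_when_tagging_owner(req):
    """Sid AllowEC2CreateActionsWhenTaggingOwner: create calls must carry Owner=OWNER."""
    if req.action not in {"ec2:" + a for a in CREATE_ACTIONS}:
        return False
    owner_ok = _tag_value_ci(req.request_tags, "Owner") == OWNER
    # ForAnyValue:StringEquals on aws:TagKeys is case-sensitive: a key spelled exactly "Owner".
    key_ok = any(k == "Owner" for k in req.request_tags)
    return owner_ok and key_ok


def allow_untagged(req):
    """Sid AllowEC2UntaggedActions: no tag condition at all."""
    return req.action in UNTAGGED_ACTIONS


def allow_other_on_owned(req):
    """Sid AllowEC2AllOtherActionsOnlyWhenOwnerTag: target must already carry Owner=OWNER."""
    return req.action in OWNED_ONLY_ACTIONS and _tag_value_ci(req.resource_tags, "Owner") == OWNER


STATEMENTS = [allow_create_tags_on_new, allow_create_when_tagging_owner,
              allow_untagged, allow_other_on_owned]


def is_allowed(req):
    """IAM default deny: allowed iff some Allow statement matches (the fragment has no Deny)."""
    return any(stmt(req) for stmt in STATEMENTS)


def packer_run(owner_tag_key="Owner", late_tags=False):
    """Walk a constructed sequence of EC2 calls a Packer build makes; return the first
    denied action (or None). owner_tag_key changes how run_tags spells the Owner key;
    late_tags models the `tags`/`snapshot_tags` options, which re-tag the AMI afterwards."""
    run_tags = {owner_tag_key: OWNER, "Name": "packer-build"}
    calls = [
        Request("ec2:RunInstances", request_tags=run_tags),
        Request("ec2:CreateTags", request_tags=run_tags, create_action="RunInstances"),
        Request("ec2:CreateImage", request_tags=run_tags),
        Request("ec2:CreateTags", request_tags=run_tags, create_action="CreateImage"),
    ]
    if late_tags:
        # The AMI exists and inherited the Owner tag, but this CreateTags is a stand-alone
        # call, so ec2:CreateAction is absent from the request context and nothing allows it.
        calls.append(Request("ec2:CreateTags", request_tags={"Role": "web"}, resource_tags=run_tags))
    for call in calls:
        if not is_allowed(call):
            return call.action
    return None


if __name__ == "__main__":
    print("run_tags only:", packer_run())                      # None
    print("with tags/snapshot_tags:", packer_run(late_tags=True))  # ec2:CreateTags
    print("lowercase owner key:", packer_run(owner_tag_key="owner"))  # ec2:RunInstances
```

Running the block prints which call the policy fragment would deny in each scenario; the second and third lines are the two failure modes the thread describes (late re-tagging and a mis-cased Owner key), and the last-tagged branch of allow_other_on_owned shows why the IAM user can only touch resources that already carry its Owner tag.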