Closed Woolersuk closed 1 year ago
Thanks for logging this, sounds like a bug. Is it on the creation of the aws_autoscaling_group resource? I may have missed a permission.
@Woolersuk that permission exists if it detects any tags, so it must be something to do with the resource code. Would it be possible to get a sample of the offending code so I can replicate? Thanks
@JamesWoolfenden - Sure, here is a snippet. I usually use default_tags in TF repos, but autoscaling groups don't use default_tags (https://developer.hashicorp.com/terraform/tutorials/aws/aws-default-tags).
Is this enough to get you started?
```hcl
locals {
  standard_tags = {
    Repo        = "my-asg-repo"
    CreatedBy   = "Terraform"
    Environment = "${var.namespace}-${var.stage}"
  }
}

#####################################################
# ASG Groups
#####################################################
resource "aws_autoscaling_group" "azbuildgroup_win" {
  count                     = var.azure_windows_asg_count
  name                      = var.azure_windows_asg_name
  min_size                  = 1
  max_size                  = var.azure_windows_asg_max_instances_day
  desired_capacity          = var.azure_windows_asg_max_instances_day
  health_check_grace_period = 30
  health_check_type         = "EC2"
  force_delete              = true
  termination_policies      = ["OldestInstance"]
  vpc_zone_identifier       = data.terraform_remote_state.vpc.outputs.private_subnets
  wait_for_capacity_timeout = "2m"
  metrics_granularity       = "1Minute"

  launch_template {
    id      = aws_launch_template.azure_win_template[0].id
    version = "$Latest"
  }

  depends_on = [
    aws_launch_template.azure_win_template[0]
  ]

  dynamic "tag" {
    for_each = local.standard_tags
    content {
      key                 = tag.key
      value               = tag.value
      propagate_at_launch = false
    }
  }
}
```
@Woolersuk I've made a fix, PTAL and I'll merge it.
Magic! Thanks @JamesWoolfenden
Describe the bug
I noticed that when I run a plan in Terraform against AWS resources, I need to be able to create or update tags. When I run a pike scan, it does not tell me that I need to update tags.
To Reproduce
So for instance, if you create an Autoscaling Group and have something like this in the repo:
```hcl
locals {
  standard_tags = {
    Repo        = "my-asg-repo"
    CreatedBy   = "Terraform"
    Environment = "${var.namespace}-${var.stage}"
  }
}
```
Expected behavior
When I run the pike scanner I get this output:
```hcl
policy = jsonencode({
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "autoscaling:CreateAutoScalingGroup",
        "autoscaling:DeleteAutoScalingGroup",
        "autoscaling:DeletePolicy",
        "autoscaling:DescribeAdjustmentTypes",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeScalingActivities",
        "autoscaling:DescribeTerminationPolicyTypes",
        "autoscaling:ExecutePolicy",
        "autoscaling:PutScalingPolicy",
        "autoscaling:UpdateAutoScalingGroup"
      ],
      "Resource": [
        "*"
      ]
    },
```
However, if I run a plan/apply, I get permission denied on this: "autoscaling:CreateOrUpdateTags"
So I have to add this to the IAM Policy manually, then my apply will work.
Additional context
This may not be limited to autoscaling; for instance, I have an S3 repo where I need to tag the buckets too, but that doesn't show up.
I saw this in another comment, is this a bug or an enhancement request?
Thanks
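A check of the kind this report asks for, added here as an example and not pike's own code: it scans Terraform text for aws_autoscaling_group resources, treats a dynamic "tag" block (as in the snippet above), a plain tag block, or a tags argument as evidence that the AWS provider will call autoscaling:CreateOrUpdateTags, and reports which of those actions a generated policy statement leaves out. The sample configuration is constructed from the snippet in the thread; the brace-matching is a deliberate simplification rather than a full HCL parser.

```python
import re
# Constructed sample modelled on the snippet in the issue; not pike's own test data.
SAMPLE_TF = '''
resource "aws_autoscaling_group" "azbuildgroup_win" {
  name     = var.azure_windows_asg_name
  min_size = 1
  dynamic "tag" {
    for_each = local.standard_tags
    content {
      key                 = tag.key
      value               = tag.value
      propagate_at_launch = false
    }
  }
}
resource "aws_autoscaling_group" "untagged" { min_size = 1 }
'''
RESOURCE_RE = re.compile(r'resource\s+"([\w-]+)"\s+"([\w-]+)"\s*\{')
# A dynamic "tag" block, a literal tag block, or a tags argument all make the
# AWS provider call autoscaling:CreateOrUpdateTags on create and on update.
TAG_PATTERNS = (
    re.compile(r'dynamic\s+"tag"\s*\{'),
    re.compile(r'^\s*tag\s*\{', re.M),
    re.compile(r'^\s*tags\s*=', re.M),
)

def resource_blocks(hcl):
    """Yield (type, name, body) per top-level resource by brace matching.
    Simplification: braces inside strings are not skipped (balanced ${} is fine)."""
    for m in RESOURCE_RE.finditer(hcl):
        depth, i = 1, m.end()
        while depth and i < len(hcl):
            depth += {"{": 1, "}": -1}.get(hcl[i], 0)
            i += 1
        yield m.group(1), m.group(2), hcl[m.end():i - 1]

def required_actions(hcl):
    """Map each aws_autoscaling_group name to the tag actions its body implies."""
    result = {}
    for rtype, name, body in resource_blocks(hcl):
        if rtype == "aws_autoscaling_group":
            tagged = any(p.search(body) for p in TAG_PATTERNS)
            result[name] = ["autoscaling:CreateOrUpdateTags"] if tagged else []
    return result

def missing_from_policy(hcl, policy_actions):
    """Actions the configuration needs that a generated policy statement omits."""
    needed = {a for acts in required_actions(hcl).values() for a in acts}
    return sorted(needed - set(policy_actions))
```

Run `missing_from_policy(SAMPLE_TF, actions)` with the Action list from the generated statement; a non-empty result is the gap that would surface as the permission-denied error on apply.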