aws-control-tower-customizations
Support for tag policies and AWS Config rules
Is your feature request related to a problem? Please describe.
Currently we don't have consistent tagging across AWS accounts, and this has downstream impacts on incident assignment, costing & triaging issues.
Describe the feature you'd like
Our intent is to leverage the Control Tower customization package and be able to add Tag Policies & AWS Config rules along with it. This helps streamline everything from the get-go.
Additional context
Hi @rohit3d2003 Tag Policies can be enabled via Console or CLI/SDK. CloudFormation service does not support this resource. So it seems this would require a custom resource. For Config Rule, you can consider creating CloudFormation resource (see details here).
Both of these resources can be developed as CloudFormation resource and deployed via the pipeline.
Can you please clarify if you are requesting us to develop the CloudFormation stack that deploys these resources?
I've come across this as well, I can perhaps expand.
Currently it looks like CfCT supports SCPs as a first class construct using the API call:
org_client.create_policy(...)
This API call can also be used to administer tag and backup policies via AWS Organizations.
I would like to see the manifest format extended to allow something like this:
  - name: apply-tag-policy
    description: 'Apply my tag policy to this specific OU'
    resource_file: policies/tag-policy.json
    deploy_method: tag_policy
    deployment_targets:
      organizational_units:
        - Custom
Where tag-policy.json is a tag policy JSON structure as documented here.
The logic for this would be close to replicating the current SCP functionality.
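An added example (not part of the thread and not CfCT code) of what a tag_policy deploy step could do with the Organizations API calls mentioned above: create or update the policy by name, then attach it to each target OU. The function names, the sample policy and the already-resolved OU ids are assumptions; org_client is expected to be a boto3 Organizations client.

```python
import json

TAG_POLICY = "TAG_POLICY"  # PolicyType value in the AWS Organizations API

# Constructed sample content for policies/tag-policy.json
SAMPLE_POLICY = json.dumps({"tags": {"CostCenter": {
    "tag_key": {"@@assign": "CostCenter"},
    "tag_value": {"@@assign": ["100", "200"]}}}})


def validate_tag_policy(content):
    """Reject files that are not tag policy documents before calling the API."""
    doc = json.loads(content)
    tags = doc.get("tags") if isinstance(doc, dict) else None
    if not isinstance(tags, dict) or not tags:
        raise ValueError("tag policy needs a non-empty top-level 'tags' object")
    for key, rule in tags.items():
        if not isinstance(rule, dict):
            raise ValueError(f"{key}: rule must be a JSON object")
    return doc


def find_policy_id(org_client, name):
    """Return the id of an existing tag policy with this name, or None."""
    kwargs = {"Filter": TAG_POLICY}
    while True:
        page = org_client.list_policies(**kwargs)
        for summary in page["Policies"]:
            if summary["Name"] == name:
                return summary["Id"]
        if "NextToken" not in page:
            return None
        kwargs["NextToken"] = page["NextToken"]


def deploy_tag_policy(org_client, name, description, content, ou_ids):
    """Create or update the policy, then attach it to OUs not yet targeted."""
    validate_tag_policy(content)
    policy_id = find_policy_id(org_client, name)
    if policy_id is None:
        resp = org_client.create_policy(Name=name, Description=description,
                                        Content=content, Type=TAG_POLICY)
        policy_id = resp["Policy"]["PolicySummary"]["Id"]
    else:
        org_client.update_policy(PolicyId=policy_id, Description=description,
                                 Content=content)
    # Reads only the first page of targets; paginate for large organizations.
    targets = org_client.list_targets_for_policy(PolicyId=policy_id)["Targets"]
    attached = {t["TargetId"] for t in targets}
    for ou_id in ou_ids:
        if ou_id not in attached:
            org_client.attach_policy(PolicyId=policy_id, TargetId=ou_id)
    return policy_id
```

Tag policies also have to be enabled as a policy type on the organization root before create_policy accepts them; that one-time step is outside this sketch.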
@niallthomson Thanks for the clarification. We have added this to our backlog.
It's great to see supporting/thumbs-up reaction for this feature. Please continue to add your support (via emoji or comments) to help us prioritize this feature. Thanks.