Open senyberg opened 5 months ago
Hi Sebastian,
Thank you for contacting us and using the Landing Zone Accelerator on AWS (LZA) solution. I'd like to dig into your use case deeper to hopefully provide a better resolution and possibly an alternative path. What access are you trying to prevent? Also, our customizations layer will allow you to provision your own CloudFormation templates where you can have a custom resource add the tags to the ENI of the attachment.
So this is briefly what our setup looks like:
We want to stop the 3rd party vendors from touching the TGW Attachment ENIs, so basically deny all on the resource. I have not found a way to do this reliably without using tags. And yes, you could create a CF template with custom resources, but this is a lot more work and more things to maintain, just for tags on an ENI.
Is your feature request related to a problem? Please describe.
Currently you cannot tag Network Interfaces from LZA. With a shared network, where you would like to limit access to Workload accounts using policies, this is an issue.

Describe the feature you'd like
Add a "tags" property to network interfaces for TGW attachments (interface type: transit_gateway)
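
The two pieces discussed in this thread, as an added example that is not part of the issue or of LZA: a helper a custom resource could call to tag ENIs of interface type transit_gateway, and the tag-conditioned deny statement that relies on those tags. The tag key and value, the exempt role pattern and both function names are assumptions; `ec2` is a boto3 EC2 client passed in by the caller.

```python
import json

# Hypothetical marker tag (an assumption, not an LZA convention).
PROTECT_TAG = {"Key": "NetworkProtected", "Value": "tgw-attachment"}

def tag_tgw_attachment_enis(ec2, vpc_id, tag=PROTECT_TAG):
    """Tag every ENI of interface type transit_gateway in vpc_id.

    `ec2` is a boto3 EC2 client (or any object exposing the same two
    methods). Returns the list of ENI ids that were tagged.
    """
    filters = [
        {"Name": "interface-type", "Values": ["transit_gateway"]},
        {"Name": "vpc-id", "Values": [vpc_id]},
    ]
    eni_ids, token = [], None
    while True:  # follow NextToken so every result page is covered
        kwargs = {"Filters": filters}
        if token:
            kwargs["NextToken"] = token
        page = ec2.describe_network_interfaces(**kwargs)
        eni_ids += [e["NetworkInterfaceId"] for e in page["NetworkInterfaces"]]
        token = page.get("NextToken")
        if not token:
            break
    if eni_ids:
        ec2.create_tags(Resources=eni_ids, Tags=[tag])
    return eni_ids

def deny_policy(exempt_role_arn_pattern, tag=PROTECT_TAG):
    """Deny all EC2 actions on tagged ENIs except for the exempt role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyTaggedTgwEni",
            "Effect": "Deny",
            "Action": "ec2:*",
            "Resource": "arn:aws:ec2:*:*:network-interface/*",
            "Condition": {
                "StringEquals": {f"aws:ResourceTag/{tag['Key']}": tag["Value"]},
                "ArnNotLike": {"aws:PrincipalArn": exempt_role_arn_pattern},
            },
        }],
    }

if __name__ == "__main__":
    # Constructed role pattern, for illustration only.
    print(json.dumps(deny_policy("arn:aws:iam::*:role/NetworkAdmin"), indent=2))
```

Because the statement also covers `ec2:CreateTags` and `ec2:DeleteTags` on tagged ENIs, the exempt pattern has to match whichever role applies the tags.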