data-dot-all / dataall

A modern data marketplace that makes collaboration among diverse users (like business, analysts and engineers) easier, increasing efficiency and agility in data projects on AWS.
https://data-dot-all.github.io/dataall/
Apache License 2.0

Allow custom tagging for data.all infrastructure resources #258

Closed jeffshep closed 1 year ago

jeffshep commented 1 year ago

Scenario: Deploying the data.all solution into an existing account, with an enforced tagging policy. This would apply specifically to the Tooling and Deployment accounts in the architecture, and reduce the effort required to customise the deployment. Related to 179.

Possible solution: Extension to the configuration provided in the cdk.json

Example below, see proposed tooling_tags

{
  "app": "python ./deploy/app.py",
  "context": {
    "@aws-cdk/aws-apigateway:usagePlanKeyOrderInsensitiveId": false,
    "@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021": false,
    "@aws-cdk/aws-rds:lowercaseDbIdentifier": false,
    "@aws-cdk/core:stackRelativeExports": false,
    "tooling_region": "string_TOOLING_REGION|DEFAULT=eu-west-1",
    "tooling_vpc_id": "string_IMPORT_AN_EXISTING_VPC_FROM_TOOLING|DEFAULT=None",
    "tooling_tags": [
      {"KEY1": "VALUE2"},
      {"KEY2": "VALUE2"}
    ],
    "git_branch": "string_GIT_BRANCH_NAME|DEFAULT=dataall",
    "git_release": "boolean_MANAGE_GIT_RELEASE|DEFAULT=false",
    "quality_gate": "boolean_MANAGE_QUALITY_GATE_STAGE|DEFAULT=true",
    "resource_prefix": "string_PREFIX_FOR_ALL_RESOURCES_CREATED_BY_THIS_APP|DEFAULT=dataall",
    "repository_source": "string_VERSION_CONTROL_SERVICE|DEFAULT=codecommit",
    "DeploymentEnvironments": [
      {
        "envname": "string_ENVIRONMENT_NAME|REQUIRED",
        "account": "string_DEPLOYMENT_ACCOUNT|REQUIRED",
        "region": "string_DEPLOYMENT_REGION|REQUIRED",
        "with_approval": "boolean_ADD_CODEPIPELINE_APPROVAL_STEP|DEFAULT=false",
        "vpc_id": "string_DEPLOY_WITHIN_AN_EXISTING_VPC|DEFAULT=None",
        "vpc_endpoints_sg": "string_DEPLOY_WITHIN_EXISTING_VPC_SG|DEFAULT=None",
        "internet_facing": "boolean_CLOUDFRONT_IF_TRUE_ELSE_ECS_BEHIND_INTERNAL_ALB|DEFAULT=true",
        "custom_domain": {
          "hosted_zone_name": "string_ROUTE_53_EXISTING_DOMAIN_NAME|DEFAULT=None, REQUIRED if internet_facing=false",
          "hosted_zone_id": "string_ROUTE_53_EXISTING_HOSTED_ZONE_ID|DEFAULT=None, REQUIRED if internet_facing=false",
          "certificate_arn": "string_AWS_CERTIFICATE_MANAGER_ARN|DEFAULT=None, REQUIRED if internet_facing=false"
        },
        "ip_ranges": "list_of_strings_IP_RANGES_TO_ALLOW_IF_NOT_INTERNET_FACING|DEFAULT=None",
        "apig_vpce": "string_USE_AN_EXISTING_VPCE_FOR_APIG_IF_NOT_INTERNET_FACING|DEFAULT=None",
        "prod_sizing": "boolean_SET_INFRA_SIZING_TO_PROD_VALUES_IF_TRUE|DEFAULT=true",
        "enable_cw_rum":  "boolean_SET_CLOUDWATCH_RUM_APP_MONITOR|DEFAULT=false",
        "enable_cw_canaries": "boolean_SET_CLOUDWATCH_CANARIES_FOR_FRONTEND_TESTING|DEFAULT=false"
      }
    ]
  }
}

I think both are implemented by iterating over the provided tags in https://github.com/awslabs/aws-dataall/blob/main/deploy/stacks/pipeline.py#L300

Initially, having the same tags in the tooling and deployment accounts is OK; if the design could allow for separate tags in different accounts (to account for the tier-specific nature of deployment accounts), that would be best.

dlpzx commented 1 year ago

Hi @jeffshep, I see your point. The tooling account might have a tag {"stage"="non-prod"} while for production {"stage"="prod"}. This is just an example, but I think we can find more. Are you comfortable picking up this task? If it is a configurable parameter in the cdk.json, it is quite easy for us to merge it in the open-source version.

For the tooling tags, you are right, we only need to change the deploy/stacks/pipeline.py. For the deployment environments, we need to look into the different stacks that are deployed in the deployment accounts.
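One way the proposed `tooling_tags` list could be validated and resolved into per-account tags before a stack iterates over them, as an added example that is not part of this thread or of the data.all code base. The per-environment `tags` key, the rule that environment tags override tooling tags, and the sample values are assumptions.

```python
import json

MAX_KEY, MAX_VALUE, MAX_TAGS = 128, 256, 50  # AWS per-resource tag limits

def flatten_tags(entries, source):
    """Turn the issue's [{"K": "V"}, ...] list into one validated dict."""
    tags = {}
    for entry in entries or []:
        if not isinstance(entry, dict):
            raise ValueError(f"{source}: expected an object, got {entry!r}")
        for key, value in entry.items():
            if not isinstance(value, str):
                raise ValueError(f"{source}: value of {key!r} must be a string")
            if not 1 <= len(key) <= MAX_KEY or len(value) > MAX_VALUE:
                raise ValueError(f"{source}: tag {key!r} breaks AWS length limits")
            if key.lower().startswith("aws:"):
                raise ValueError(f"{source}: {key!r} uses the reserved aws: prefix")
            if key in tags:
                raise ValueError(f"{source}: duplicate tag key {key!r}")
            tags[key] = value
    return tags

def resolve_tags(context, envname=None):
    """Tags for the tooling account (envname=None) or one deployment environment."""
    # Assumption: environment tags are layered over tooling_tags and win on conflict.
    tags = flatten_tags(context.get("tooling_tags"), "tooling_tags")
    if envname is not None:
        envs = context.get("DeploymentEnvironments", [])
        env = next((e for e in envs if e.get("envname") == envname), None)
        if env is None:
            raise KeyError(f"no deployment environment named {envname!r}")
        # "tags" inside an environment entry is a hypothetical key, not in cdk.json
        tags.update(flatten_tags(env.get("tags"), f"{envname}.tags"))
    if len(tags) > MAX_TAGS:
        raise ValueError(f"{len(tags)} tags exceed the limit of {MAX_TAGS}")
    return tags

# Constructed sample context (placeholder account id and tag values)
SAMPLE_CONTEXT = json.loads("""{
  "tooling_tags": [{"CostCenter": "1234"}, {"stage": "non-prod"}],
  "DeploymentEnvironments": [
    {"envname": "prod", "account": "111111111111", "region": "eu-west-1",
     "tags": [{"stage": "prod"}]}
  ]
}""")

if __name__ == "__main__":
    for scope in (None, "prod"):
        print(scope or "tooling", resolve_tags(SAMPLE_CONTEXT, scope))
```

In a CDK app each resolved pair would then be applied with `Tags.of(stack).add(key, value)`; rejecting malformed or reserved keys at synth time keeps a deployment from failing later against an enforced tagging policy.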

jeffshep commented 1 year ago

@dlpzx, thanks for your response and apologies for the delay in mine. As the proposal is acceptable, I'm comfortable picking this up.

dlpzx commented 1 year ago

Perfect, let us know if you need any support. We can discuss here any design decisions. Once the feature is ready, open a PR and we will review it. Thank you :)

anmolsgandhi commented 1 year ago

Closing this issue as there has been no update. Feel free to reopen if it's still a requirement and you are still working on it.