Add aws_ssm_tags resource for tagging SSM resources

[tomelliff]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Similarly to https://github.com/hashicorp/terraform-provider-aws/pull/8457 it is sometimes useful to manage the tags on resources that are not fully managed by Terraform.

In this particular case it's useful for managing the tags on hybrid (or on-premise) SSM managed instances that can currently only be tagged by Terraform from the initial tags on the SSM activation using the aws_ssm_activation resource. If you want to change the tags of the instance after this an update to the tags on the activation will recreate the activation but it would then require an out of band action to reregister the managed instance with the new activation ID and code. Instead it would be preferable to set ignore_changes on the tags and then have a separate aws_ssm_tag resource linked to the instance to tag them.

New or Affected Resource(s)

• aws_ssm_tags

Potential Terraform Configuration

local {
  tags = {
    Host       = "foo.example.org"
    Location   = "foo"
    On-Premise = true
  }
}

resource "aws_ssm_activation" "example" {
  name               = "example"
  registration_limit = 1

  tags = local.tags

  lifecycle {
    # Don't replace previous activations if we change the tags because it would
    # require us to reregister for it to propagate to the managed instance.
    ignore_changes = [tags]
  }
}

data "aws_ssm_instances" "activated" {
  filter {
    name   = "ActivationIds"
    values = [aws_ssm_activation.example.id]
  }
}

resource "aws_ssm_tags" "example" {
  resource_type = "ManagedInstance"
  resource_id   = data.aws_ssm_instances.activated.ids[0]
  tags          = local.tags
}

References

• 8457

[tdekoning93]

Would highly appreciate this too. Currently the way it works is really stupid. Also setting the name tag on the activation doesn't change the name of the node in fleet manager, while setting the tag directly does. That which is currently not supported through Terraform.