[Enhancement]: AWS CloudWAN attachment tagging process is decoupled from `aws_networkmanager_vpc_attachment` resource

[Dlozitskiy]

Description

With CloudWAN in multi-account AWS setup, VPC attachments, association and propagations is managed via policy based on tags.

Currently aws_networkmanager_vpc_attachment creates the attachment and tags it as part of the same resource. If Attachment association to a routing segment requires manual approval, the process of further VPC creation such as adding routing and all dependencies, won't be able to continue until attachment is accepted.

If process of tagging the attachment is decoupled from creating the attachment, it would allow to create a non-associated attachment first, which will be referenceable in VPC route tables. This allows to complete the build first without attachment being associated to a desired routing segment.

Once infrastructure is fully provisioned, the attachment tag then can be applied as the last step of the process which will initiate a manual approval process.

Currently aws_ec2_tag doesn't support tagging CWAN attachments and there is no separate resource for aws_networkmanager_vpc_attachment tagging.

There are two options for this enhancement:

1. Add ability to call networkmanager tag-resource API as part of the aws_ec2_tag resource
2. Create a separate resources similar to aws_networkmanager_vpc_attachment_tag that will perform tagging of CWAN attachment.

Until one of those options available, the workaround with local-exec can be used instead.

resource "null_resource" "tag_cwan_attachment" {
  triggers = {
    attachment_arn = aws_networkmanager_vpc_attachment.cloud_wan_attachment.arn
  }

  provisioner "local-exec" {
    command = "aws networkmanager tag-resource --resource-arn ${aws_networkmanager_vpc_attachment.cloud_wan_attachment.arn} --tags Key=${var.cwan_attachment_tag_key},Value=${var.cwan_attachment_tag_value}"
    environment = {
      AWS_REGION      = data.aws_region.current.name
    }
  }

  depends_on = [aws_networkmanager_vpc_attachment.cloud_wan_attachment]
}

Affected Resource(s) and/or Data Source(s)

• aws_ec2_tag
• aws_networkmanager_vpc_attachment

Potential Terraform Configuration

resource "aws_ec2_tag" "tag_cwan_attachment" {
  resource_id = aws_networkmanager_vpc_attachment.cloud_wan_attachment.arn
  key         = var.cwan_attachment_tag_key
  value       = var.cwan_attachment_tag_value
}

References

No response

Would you like to implement a fix?

None

[github-actions[bot]]

Community Note

Voting for Prioritization

• Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
• Please see our prioritization guide for information on how we prioritize.
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

• If you are interested in working on this issue, please leave a comment.
• If this would be your first contribution, please review the contribution guide.