feat(lambda): add option to define explicit lambda tags (#3934)

Introduced a new variable, lambda_tags, to both the main and submodule.
This variable will include any additional lambda function-specific tags,
enhancing the governance part of resources.

Co-authored-by: Niek Palm <[email protected]>

Author: wadherv

Diff for: main.tf

@@ -158,6 +158,7 @@ module "webhook" {
   lambda_zip                                    = var.webhook_lambda_zip
   lambda_memory_size                            = var.webhook_lambda_memory_size
   lambda_timeout                                = var.webhook_lambda_timeout
+  lambda_tags                                   = var.lambda_tags
   tracing_config                                = var.tracing_config
   logging_retention_in_days                     = var.logging_retention_in_days
   logging_kms_key_id                            = var.logging_kms_key_id
@@ -245,6 +246,7 @@ module "runners" {
   lambda_timeout_scale_down        = var.runners_scale_down_lambda_timeout
   lambda_subnet_ids                = var.lambda_subnet_ids
   lambda_security_group_ids        = var.lambda_security_group_ids
+  lambda_tags                      = var.lambda_tags
   tracing_config                   = var.tracing_config
   logging_retention_in_days        = var.logging_retention_in_days
   logging_kms_key_id               = var.logging_kms_key_id
@@ -315,6 +317,7 @@ module "runner_binaries" {
   lambda_zip                      = var.runner_binaries_syncer_lambda_zip
   lambda_memory_size              = var.runner_binaries_syncer_lambda_memory_size
   lambda_timeout                  = var.runner_binaries_syncer_lambda_timeout
+  lambda_tags                     = var.lambda_tags
   tracing_config                  = var.tracing_config
   logging_retention_in_days       = var.logging_retention_in_days
   logging_kms_key_id              = var.logging_kms_key_id
@@ -354,6 +357,7 @@ module "ami_housekeeper" {
   lambda_security_group_ids = var.lambda_security_group_ids
   lambda_subnet_ids         = var.lambda_subnet_ids
   lambda_timeout            = var.ami_housekeeper_lambda_timeout
+  lambda_tags               = var.lambda_tags
   tracing_config            = var.tracing_config
 
   logging_retention_in_days = var.logging_retention_in_days
@@ -377,6 +381,7 @@ locals {
     runtime                   = var.lambda_runtime
     security_group_ids        = var.lambda_security_group_ids
     subnet_ids                = var.lambda_subnet_ids
+    lambda_tags               = var.lambda_tags
     log_level                 = var.log_level
     logging_kms_key_id        = var.logging_kms_key_id
     logging_retention_in_days = var.logging_retention_in_days

Diff for: modules/ami-housekeeper/main.tf

@@ -37,7 +37,7 @@ resource "aws_lambda_function" "ami_housekeeper" {
     }
   }
 
-  tags = var.tags
+  tags = merge(var.tags, var.lambda_tags)
 
   dynamic "tracing_config" {
     for_each = var.tracing_config.mode != null ? [true] : []

Diff for: modules/ami-housekeeper/variables.tf

@@ -192,3 +192,9 @@ variable "state_event_rule_ami_housekeeper" {
     error_message = "`state_event_rule_ami_housekeeper` value is not valid, valid values are: `ENABLED`, `DISABLED`, `ENABLED_WITH_ALL_CLOUDTRAIL_MANAGEMENT_EVENTS`."
   }
 }
+
+variable "lambda_tags" {
+  description = "Map of tags that will be added to all the lambda function resources. Note these are additional tags to the default tags."
+  type        = map(string)
+  default     = {}
+}

Diff for: modules/lambda/main.tf

@@ -42,7 +42,7 @@ resource "aws_lambda_function" "main" {
     }
   }
 
-  tags = var.lambda.tags
+  tags = merge(var.lambda.tags, var.lambda.lambda_tags)
 
   dynamic "tracing_config" {
     for_each = var.lambda.tracing_config.mode != null ? [true] : []

Diff for: modules/lambda/variables.tf

@@ -2,17 +2,18 @@ variable "lambda" {
   description = <<-EOF
     Configuration for the lambda function.
 
-    'aws_partition': Partition for the base arn if not 'aws'
+    `aws_partition`: Partition for the base arn if not 'aws'
     `architecture`: AWS Lambda architecture. Lambda functions using Graviton processors ('arm64') tend to have better price/performance than 'x86_64' functions.
     `environment_variables`: Environment variables for the lambda.
     `handler`: The entrypoint for the lambda.
     `principals`: Add extra principals to the role created for execution of the lambda, e.g. for local testing.
+    `lambda_tags`: Map of tags that will be added to created resources. By default resources will be tagged with name and environment.
     `log_level`: Logging level for lambda logging. Valid values are  'silly', 'trace', 'debug', 'info', 'warn', 'error', 'fatal'.
     `logging_kms_key_id`: Specifies the kms key id to encrypt the logs with
     `logging_retention_in_days`: Specifies the number of days you want to retain log events for the lambda log group. Possible values are: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653.
     `memory_size`: Memory size linit in MB of the lambda.
     `metrics_namespace`: Namespace for the metrics emitted by the lambda.
-    'name': The name of the lambda function.
+    `name`: The name of the lambda function.
     `prefix`: The prefix used for naming resources.
     `role_path`: The path that will be added to the role, if not set the environment name will be used.
     `role_permissions_boundary`: Permissions boundary that will be added to the created role for the lambda.
@@ -22,7 +23,7 @@ variable "lambda" {
     `s3_object_version`: S3 object version for syncer lambda function. Useful if S3 versioning is enabled on source bucket.
     `security_group_ids`: List of security group IDs associated with the Lambda function.
     `subnet_ids`: List of subnets in which the action runners will be launched, the subnets needs to be subnets in the `vpc_id`.
-    'tags': Map of tags that will be added to created resources. By default resources will be tagged with name and environment.
+    `tags`: Map of tags that will be added to created resources. By default resources will be tagged with name and environment.
     `timeout`: Time out of the lambda in seconds.
     `tracing_config`: Configuration for lambda tracing.
     `zip`: File location of the lambda zip file.
@@ -32,6 +33,7 @@ variable "lambda" {
     architecture              = optional(string, "arm64")
     environment_variables     = optional(map(string), {})
     handler                   = string
+    lambda_tags               = optional(map(string), {})
     log_level                 = optional(string, "info")
     logging_kms_key_id        = optional(string, null)
     logging_retention_in_days = optional(number, 180)

Diff for: modules/multi-runner/ami-housekeeper.tf

@@ -19,6 +19,7 @@ module "ami_housekeeper" {
   lambda_subnet_ids         = var.lambda_subnet_ids
   lambda_memory_size        = var.ami_housekeeper_lambda_memory_size
   lambda_timeout            = var.ami_housekeeper_lambda_timeout
+  lambda_tags               = var.lambda_tags
   tracing_config            = var.tracing_config
 
   logging_retention_in_days = var.logging_retention_in_days

Diff for: modules/multi-runner/runner-binaries.tf

@@ -18,6 +18,7 @@ module "runner_binaries" {
   lambda_zip                       = var.runner_binaries_syncer_lambda_zip
   lambda_memory_size               = var.runner_binaries_syncer_memory_size
   lambda_timeout                   = var.runner_binaries_syncer_lambda_timeout
+  lambda_tags                      = var.lambda_tags
   tracing_config                   = var.tracing_config
   logging_retention_in_days        = var.logging_retention_in_days
   logging_kms_key_id               = var.logging_kms_key_id

Diff for: modules/multi-runner/runners.tf

@@ -69,6 +69,7 @@ module "runners" {
   lambda_timeout_scale_down        = var.runners_scale_down_lambda_timeout
   lambda_subnet_ids                = var.lambda_subnet_ids
   lambda_security_group_ids        = var.lambda_security_group_ids
+  lambda_tags                      = var.lambda_tags
   tracing_config                   = var.tracing_config
   logging_retention_in_days        = var.logging_retention_in_days
   logging_kms_key_id               = var.logging_kms_key_id

Diff for: modules/multi-runner/termination-watcher.tf

@@ -16,6 +16,7 @@ locals {
     metrics_namespace         = var.metrics_namespace
     s3_bucket                 = var.lambda_s3_bucket
     tracing_config            = var.tracing_config
+    lambda_tags               = var.lambda_tags
   }
 }
 

Diff for: modules/multi-runner/variables.tf

@@ -645,6 +645,12 @@ variable "instance_termination_watcher" {
   default = {}
 }
 
+variable "lambda_tags" {
+  description = "Map of tags that will be added to all the lambda function resources. Note these are additional tags to the default tags."
+  type        = map(string)
+  default     = {}
+}
+
 variable "matcher_config_parameter_store_tier" {
   description = "The tier of the parameter store for the matcher configuration. Valid values are `Standard`, and `Advanced`."
   type        = string

Diff for: modules/multi-runner/webhook.tf

@@ -25,6 +25,7 @@ module "webhook" {
   lambda_zip                                    = var.webhook_lambda_zip
   lambda_timeout                                = var.webhook_lambda_timeout
   lambda_memory_size                            = var.webhook_lambda_memory_size
+  lambda_tags                                   = var.lambda_tags
   tracing_config                                = var.tracing_config
   logging_retention_in_days                     = var.logging_retention_in_days
   logging_kms_key_id                            = var.logging_kms_key_id

Diff for: modules/runner-binaries-syncer/runner-binaries-syncer.tf

@@ -46,7 +46,7 @@ resource "aws_lambda_function" "syncer" {
     }
   }
 
-  tags = var.tags
+  tags = merge(var.tags, var.lambda_tags)
 
   dynamic "tracing_config" {
     for_each = var.tracing_config.mode != null ? [true] : []

Diff for: modules/runner-binaries-syncer/variables.tf

@@ -236,3 +236,9 @@ variable "tracing_config" {
   })
   default = {}
 }
+
+variable "lambda_tags" {
+  description = "Map of tags that will be added to all the lambda function resources. Note these are additional tags to the default tags."
+  type        = map(string)
+  default     = {}
+}

Diff for: modules/runners/pool.tf

@@ -54,6 +54,7 @@ module "pool" {
     ami_id_ssm_parameter_name            = var.ami_id_ssm_parameter_name
     ami_id_ssm_parameter_read_policy_arn = var.ami_id_ssm_parameter_name != null ? aws_iam_policy.ami_id_ssm_parameter_read[0].arn : null
     tags                                 = local.tags
+    lambda_tags                          = var.lambda_tags
     arn_ssm_parameters_path_config       = local.arn_ssm_parameters_path_config
   }
 

Diff for: modules/runners/pool/main.tf

@@ -13,7 +13,7 @@ resource "aws_lambda_function" "pool" {
   timeout                        = var.config.lambda.timeout
   reserved_concurrent_executions = var.config.lambda.reserved_concurrent_executions
   memory_size                    = var.config.lambda.memory_size
-  tags                           = var.config.tags
+  tags                           = merge(var.config.tags, var.config.lambda_tags)
 
   environment {
     variables = {

Diff for: modules/runners/pool/variables.tf

@@ -62,6 +62,7 @@ variable "config" {
     ami_id_ssm_parameter_name            = string
     ami_id_ssm_parameter_read_policy_arn = string
     arn_ssm_parameters_path_config       = string
+    lambda_tags                          = map(string)
   })
 }
 

Diff for: modules/runners/scale-down.tf

@@ -16,7 +16,7 @@ resource "aws_lambda_function" "scale_down" {
   handler           = "index.scaleDownHandler"
   runtime           = var.lambda_runtime
   timeout           = var.lambda_timeout_scale_down
-  tags              = local.tags
+  tags              = merge(local.tags, var.lambda_tags)
   memory_size       = var.lambda_scale_down_memory_size
   architectures     = [var.lambda_architecture]
 

Diff for: modules/runners/scale-up.tf

@@ -11,7 +11,7 @@ resource "aws_lambda_function" "scale_up" {
   timeout                        = var.lambda_timeout_scale_up
   reserved_concurrent_executions = var.scale_up_reserved_concurrent_executions
   memory_size                    = var.lambda_scale_up_memory_size
-  tags                           = local.tags
+  tags                           = merge(local.tags, var.lambda_tags)
   architectures                  = [var.lambda_architecture]
   environment {
     variables = {

Diff for: modules/runners/ssm-housekeeper.tf

@@ -23,7 +23,7 @@ resource "aws_lambda_function" "ssm_housekeeper" {
   handler           = "index.ssmHousekeeper"
   runtime           = var.lambda_runtime
   timeout           = local.ssm_housekeeper.lambda_timeout
-  tags              = local.tags
+  tags              = merge(local.tags, var.lambda_tags)
   memory_size       = local.ssm_housekeeper.lambda_memory_size
   architectures     = [var.lambda_architecture]
 

Diff for: modules/runners/variables.tf

@@ -661,3 +661,9 @@ variable "enable_on_demand_failover_for_errors" {
   type        = list(string)
   default     = []
 }
+
+variable "lambda_tags" {
+  description = "Map of tags that will be added to all the lambda function resources. Note these are additional tags to the default tags."
+  type        = map(string)
+  default     = {}
+}

Diff for: modules/termination-watcher/variables.tf

@@ -2,11 +2,12 @@ variable "config" {
   description = <<-EOF
     Configuration for the spot termination watcher lambda function.
 
-    'aws_partition': Partition for the base arn if not 'aws'
+    `aws_partition`: Partition for the base arn if not 'aws'
     `architecture`: AWS Lambda architecture. Lambda functions using Graviton processors ('arm64') tend to have better price/performance than 'x86_64' functions.
     `environment_variables`: Environment variables for the lambda.
-    'enable_metric': Enable metric for the lambda. If `spot_warning` is set to true, the lambda will emit a metric when it detects a spot termination warning.
+    `enable_metric`: Enable metric for the lambda. If `spot_warning` is set to true, the lambda will emit a metric when it detects a spot termination warning.
     `lambda_principals`: Add extra principals to the role created for execution of the lambda, e.g. for local testing.
+    `lambda_tags`: Map of tags that will be added to created resources. By default resources will be tagged with name and environment.
     `log_level`: Logging level for lambda logging. Valid values are  'silly', 'trace', 'debug', 'info', 'warn', 'error', 'fatal'.
     `logging_kms_key_id`: Specifies the kms key id to encrypt the logs with
     `logging_retention_in_days`: Specifies the number of days you want to retain log events for the lambda log group. Possible values are: 0, 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, and 3653.
@@ -22,7 +23,7 @@ variable "config" {
     `security_group_ids`: List of security group IDs associated with the Lambda function.
     `subnet_ids`: List of subnets in which the action runners will be launched, the subnets needs to be subnets in the `vpc_id`.
     `tag_filters`: Map of tags that will be used to filter the resources to be tracked. Only for which all tags are present and starting with the same value as the value in the map will be tracked.
-    'tags': Map of tags that will be added to created resources. By default resources will be tagged with name and environment.
+    `tags`: Map of tags that will be added to created resources. By default resources will be tagged with name and environment.
     `timeout`: Time out of the lambda in seconds.
     `tracing_config`: Configuration for lambda tracing.
     `zip`: File location of the lambda zip file.
@@ -34,6 +35,7 @@ variable "config" {
       spot_warning = optional(bool, false)
     }))
     environment_variables     = optional(map(string), {})
+    lambda_tags               = optional(map(string), {})
     log_level                 = optional(string, null)
     logging_kms_key_id        = optional(string, null)
     logging_retention_in_days = optional(number, null)

Diff for: modules/webhook/variables.tf

@@ -195,6 +195,12 @@ variable "ssm_paths" {
   })
 }
 
+variable "lambda_tags" {
+  description = "Map of tags that will be added to all the lambda function resources. Note these are additional tags to the default tags."
+  type        = map(string)
+  default     = {}
+}
+
 variable "matcher_config_parameter_store_tier" {
   description = "The tier of the parameter store for the matcher configuration. Valid values are `Standard`, and `Advanced`."
   type        = string

Diff for: modules/webhook/webhook.tf

@@ -45,7 +45,7 @@ resource "aws_lambda_function" "webhook" {
     }
   }
 
-  tags = var.tags
+  tags = merge(var.tags, var.lambda_tags)
 
   dynamic "tracing_config" {
     for_each = var.tracing_config.mode != null ? [true] : []

Diff for: variables.tf

@@ -872,7 +872,7 @@ variable "instance_termination_watcher" {
     Configuration for the instance termination watcher. This feature is Beta, changes will not trigger a major release as long in beta.
 
     `enable`: Enable or disable the spot termination watcher.
-    'enable_metrics': Enable or disable the metrics for the spot termination watcher.
+    `enable_metrics`: Enable or disable the metrics for the spot termination watcher.
     `memory_size`: Memory size linit in MB of the lambda.
     `s3_key`: S3 key for syncer lambda function. Required if using S3 bucket to specify lambdas.
     `s3_object_version`: S3 object version for syncer lambda function. Useful if S3 versioning is enabled on source bucket.
@@ -899,3 +899,9 @@ variable "runners_ebs_optimized" {
   type        = bool
   default     = false
 }
+
+variable "lambda_tags" {
+  description = "Map of tags that will be added to all the lambda function resources. Note these are additional tags to the default tags."
+  type        = map(string)
+  default     = {}
+}