feat(m365): Add support for tags (#9)

* feat(m365): add policy for applying tags to all scuba resources

* docs(m365): add tags variable to readme

* fix push attempt during build when a pr

Author: jacdavi

.github/workflows/m365_image_build.yaml

@@ -98,7 +98,7 @@ jobs:
 
           docker build $docker_args m365/image
           echo "digest=$(docker images --no-trunc --quiet $Env:IMAGE.ToLower())" >> $Env:GITHUB_OUTPUT
-          if ($Env:PUSH) {
+          if ($Env:PUSH -eq "true") {
             docker push $Env:IMAGE.ToLower() --all-tags
           }
           exit $LASTEXITCODE

m365/README.adoc

@@ -88,6 +88,7 @@ Optional::
 `app_multi_tenant` (bool) [default=False]::: If true, the app will be able to be installed in multiple tenants. By default, it is only available in this tenant
 `vnet` (object) [default=None]::: Configuration for the vnet, including the address space, ACI subnet, and a list of allowed IP ranges. All strings in CIDR format
 `firewall` (object) [default=None]::: Configuration for an Azure Firewall; if not null, traffic will be routed through this firewall
+`tags` (map(string)) [default={}]::: Tags to apply to all resources created. Application is done via policies
 `serial_number` (string) [default=01]::: Increment by 1 when re-provisioning with the same resource group name
 `image_path` (string) [default=./cisa_logo.png]::: Path to image used for app logo. Displayed in Azure console on installed tenants
 Advanced::

m365/terraform/env/example/main.tf

@@ -15,5 +15,5 @@ module "scuba_connect" {
   input_storage_container_id       = var.input_storage_container_id
   output_storage_container_id      = var.output_storage_container_id
   certificate_rotation_period_days = var.certificate_rotation_period_days
+  tags                             = var.tags
 }
-

m365/terraform/env/example/variables.tf

@@ -61,6 +61,12 @@ variable "firewall" {
   description = "Configuration for an Azure Firewall; if not null, traffic will be routed through this firewall"
 }
 
+variable "tags" {
+  type        = map(string)
+  description = "Tags to apply to all resources created. Application is done via policies"
+  default     = {}
+}
+
 variable "serial_number" {
   default     = "01"
   type        = string
@@ -121,7 +127,7 @@ variable "container_registry" {
     username = string
     password = string
   })
-  default = null
+  default     = null
   description = "Credentials for logging into registry with container image"
 }
 

m365/terraform/main.tf

@@ -2,6 +2,10 @@
 resource "azurerm_resource_group" "rg" {
   name     = "${var.resource_group_name}-${var.serial_number}"
   location = var.location
+
+  lifecycle {
+    ignore_changes = [tags]
+  }
 }
 
 data "azuread_client_config" "current" {}
@@ -21,6 +25,7 @@ resource "azurerm_log_analytics_workspace" "monitor_law" {
   lifecycle {
     ignore_changes = [tags]
   }
+  depends_on = [ azurerm_resource_group_policy_assignment.tagging_assignments ]
 }
 
 # Creates the app registration, or reads an existing one, which is used by the ScubaGear container
@@ -36,6 +41,7 @@ module "app" {
   allowed_access_ips               = try(var.vnet.allowed_access_ip_list, null)
   certificate_rotation_period_days = var.certificate_rotation_period_days
   app_multi_tenant                 = var.app_multi_tenant
+  depends_on                       = [azurerm_resource_group_policy_assignment.tagging_assignments]
 }
 
 module "networking" {
@@ -46,6 +52,7 @@ module "networking" {
   resource_prefix     = local.name
   firewall            = var.firewall
   vnet                = var.vnet
+  depends_on          = [azurerm_resource_group_policy_assignment.tagging_assignments]
 }
 
 
@@ -66,4 +73,5 @@ module "container" {
   contact_emails              = var.contact_emails
   log_analytics_workspace     = azurerm_log_analytics_workspace.monitor_law
   container_memory_gb         = var.container_memory_gb
+  depends_on                  = [azurerm_resource_group_policy_assignment.tagging_assignments]
 }

m365/terraform/tagging.tf

@@ -0,0 +1,37 @@
+data "azurerm_policy_definition_built_in" "tagging_policy" {
+  display_name = "Add a tag to resources"
+}
+
+# Tagging policy for all resources in the main resource group
+resource "azurerm_resource_group_policy_assignment" "tagging_assignments" {
+  for_each             = var.tags
+  name                 = "add-tags-${azurerm_resource_group.rg.name}-${each.key}"
+  resource_group_id    = azurerm_resource_group.rg.id
+  policy_definition_id = data.azurerm_policy_definition_built_in.tagging_policy.id
+
+  parameters = jsonencode({
+    tagName  = { value = each.key },
+    tagValue = { value = each.value }
+  })
+
+  identity {
+    type = "SystemAssigned"
+  }
+  location = var.location
+}
+
+resource "azurerm_role_assignment" "tag_contributor" {
+  for_each = var.tags
+  scope                = azurerm_resource_group.rg.id
+  role_definition_name = "Tag Contributor"
+  principal_id         = azurerm_resource_group_policy_assignment.tagging_assignments[each.key].identity[0].principal_id
+}
+
+resource "azurerm_resource_group_policy_remediation" "remediation" {
+  for_each = var.tags
+  name                 = "add-tags-policy-remediation-${each.key}"
+  resource_group_id    = azurerm_resource_group.rg.id
+  policy_assignment_id = azurerm_resource_group_policy_assignment.tagging_assignments[each.key].id
+  resource_discovery_mode = "ReEvaluateCompliance"
+  depends_on = [ azurerm_role_assignment.tag_contributor, module.app, module.container, module.networking ]
+}

m365/terraform/variables.tf

@@ -61,6 +61,12 @@ variable "firewall" {
   description = "Configuration for an Azure Firewall; if not null, traffic will be routed through this firewall"
 }
 
+variable "tags" {
+  type        = map(string)
+  description = "Tags to apply to all resources created. Application is done via policies"
+  default     = {}
+}
+
 variable "serial_number" {
   default     = "01"
   type        = string
@@ -121,7 +127,7 @@ variable "container_registry" {
     username = string
     password = string
   })
-  default = null
+  default     = null
   description = "Credentials for logging into registry with container image"
 }