Cookbook version
v7.5.0
Chef-client version
14.2.0
Platform Details
Windows 2012R2. AWS
Scenario:
When you create EBS volumes/snapshots with tags using the aws_ebs_volume resource, it adds the tags in a two-step process where the volume/snapshot is first created and then the tags are added in a subsequent step.
This works great but it doesn't allow enforcing IAM policies to create/attach volumes based on tags. Last year, the EC2 API introduced a feature that allows adding tags to resources at creation time, as opposed to the two-step process described above. This new feature allows enforcing IAM policies at resource creation time based on tags. See:
https://aws.amazon.com/blogs/aws/new-tag-ec2-instances-ebs-volumes-on-creation/
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_ec2_ebs-owner.html
Steps to Reproduce:
You can see in the code that there's a function named add_tags that adds the tags after the resource is created. See:
https://github.com/chef-cookbooks/aws/blob/a306d7cfb9f18974ca9499f0c1116cc7bc3d6e05/resources/ebs_volume.rb#L365
If you create an EBS volume with the aws_ebs_volume resource, the creation fails if you try to enforce IAM policies based on tags.
Expected Result:
I would like the resource creation EC2 API calls used by aws_ebs_volume to add tags at creation so that tag-based IAM policies can be enforced.
I modified the ebs_volume.rb file to implement the changes needed. See:
atoa@6165b63
I can create a pull request if this feature is desired.
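The difference between the two flows, as an added illustration that is not the cookbook's code or the linked commit: it builds the CreateVolume request in the single-call, tag-on-create shape next to the two-step shape, and checks locally whether a tag would be visible to an `aws:RequestTag` condition. Parameter names follow the aws-sdk-ec2 `create_volume` / `create_tags` signatures (`tag_specifications`, `resource_type`, `tags`, `key`, `value`); nothing is sent to AWS.

```ruby
# Added example, not the aws cookbook's own code. Builds EC2 requests
# offline; parameter names assume the aws-sdk-ec2 create_volume and
# create_tags signatures.

# Convert a plain Chef-style tags hash into the TagSpecifications array
# that CreateVolume / CreateSnapshot accept at creation time.
def tag_specifications(tags, resource_type:)
  return [] if tags.nil? || tags.empty?
  [{
    resource_type: resource_type,
    tags: tags.map { |k, v| { key: k.to_s, value: v.to_s } },
  }]
end

# Tag-on-create flow: tags ride in the same CreateVolume call, which is
# what an IAM condition on aws:RequestTag/<key> evaluates.
def create_volume_params(availability_zone:, size:, tags: {}, volume_type: 'gp2')
  {
    availability_zone: availability_zone,
    size: size,
    volume_type: volume_type,
    tag_specifications: tag_specifications(tags, resource_type: 'volume'),
  }
end

# Two-step flow as the issue describes it: CreateVolume carries no tags,
# and CreateTags runs later once a volume id exists. Returns the create
# request and a lambda that builds the follow-up CreateTags request.
def two_step_params(availability_zone:, size:, tags: {}, volume_type: 'gp2')
  create = { availability_zone: availability_zone, size: size, volume_type: volume_type }
  tag_later = lambda do |volume_id|
    { resources: [volume_id], tags: tags.map { |k, v| { key: k.to_s, value: v.to_s } } }
  end
  [create, tag_later]
end

# Local pre-flight mirroring a policy condition of the form
# "aws:RequestTag/<key>": "<value>". Only tags present in the creation
# request itself count; tags added by a later CreateTags call do not.
def request_tag_present?(params, key, value)
  Array(params[:tag_specifications]).any? do |spec|
    Array(spec[:tags]).any? { |t| t[:key] == key && t[:value] == value }
  end
end
```

Running `request_tag_present?` against both shapes shows why the two-step resource fails under a tag-based CreateVolume policy while the single-call shape passes.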