quiltdata · drernie · Apr 23, 2025 · Apr 23, 2025 · Apr 23, 2025 · Apr 23, 2025
diff --git a/.gitignore b/.gitignore
@@ -1,3 +1,6 @@
 .DS_Store
 .terraform
 tfplan
+modules/db/main.tf
+tests/.terraform.tfstate.lock.info
+tests/terraform.tfstate.backup
diff --git a/modules/db/main.tf b/modules/db/main.tf
@@ -1,10 +1,12 @@
+
 module "db_accessor_security_group" {
   source = "terraform-aws-modules/security-group/aws"
 
   name        = "${var.identifier}-db-accessor"
   description = "For resources that need access to DB"
   vpc_id      = var.vpc_id
 
+
   egress_with_source_security_group_id = [
     {
       rule                     = "postgresql-tcp"
@@ -20,6 +22,8 @@ module "db_security_group" {
   description = "For DB resources"
   vpc_id      = var.vpc_id
 
+  tags = var.tags
+
   ingress_with_source_security_group_id = [
     {
       rule                     = "postgresql-tcp"
@@ -62,4 +66,5 @@ module "db" {
 
   backup_retention_period = 7
   deletion_protection     = var.deletion_protection
+  tags                   = var.tags
 }
diff --git a/modules/db/variables.tf b/modules/db/variables.tf
@@ -41,3 +41,9 @@ variable "deletion_protection" {
   type     = bool
   nullable = false
 }
+
+variable "tags" {
+  description = "Tags to apply to resources"
+  type        = map(string)
+  default     = {}
+}
diff --git a/modules/quilt/locals.tf b/modules/quilt/locals.tf
@@ -0,0 +1,13 @@
+locals {
+  # Common tags to be applied to all resources
+  common_tags = {
+    "quilt:stack-name" = var.name
+    # Stack ID will be added after stack creation for resources that depend on the stack
+  }
+
+  # Tags that include the stack ID, for resources created after the CloudFormation stack
+  stack_dependent_tags = {
+    "quilt:stack-name" = var.name
+    "quilt:stack-id"   = aws_cloudformation_stack.stack.id
+  }
+}
diff --git a/modules/quilt/main.tf b/modules/quilt/main.tf
@@ -70,6 +70,8 @@ resource "aws_s3_bucket" "cft_bucket" {
 
   # Nothing valuable in this bucket, so make the cleanup easier.
   force_destroy = true
+
+  tags = local.common_tags
 }
 
 resource "aws_s3_bucket_versioning" "cft_bucket_versioning" {
@@ -89,6 +91,8 @@ resource "aws_s3_object" "cft" {
 resource "aws_cloudformation_stack" "stack" {
   name         = var.name
   template_url = local.template_url
+
+  tags = local.common_tags
   depends_on = [
     aws_s3_object.cft,
     /* Prevent races between module.vpc and module.quilt resources. For example:

diff --git a/modules/quilt/outputs.tf b/modules/quilt/outputs.tf
@@ -19,3 +19,18 @@ output "stack" {
   description = "CloudFormation outputs"
   value       = aws_cloudformation_stack.stack
 }
+
+output "common_tags" {
+  description = "Common tags applied to resources"
+  value       = local.common_tags
+}
+
+output "stack_dependent_tags" {
+  description = "Tags that include the stack ID"
+  value       = local.stack_dependent_tags
+}
+
+output "stack_id" {
+  description = "CloudFormation stack ID"
+  value       = aws_cloudformation_stack.stack.id
+}
diff --git a/modules/quilt/variables.tf b/modules/quilt/variables.tf
@@ -59,7 +59,7 @@ variable "db_network_type" {
 variable "db_deletion_protection" {
   type        = bool
   nullable    = false
-  default     = true
+  default     = false
   description = "Set to true for production environments to prevent accidental deletion of stack database."
 }
 

diff --git a/modules/search/main.tf b/modules/search/main.tf
@@ -1,10 +1,12 @@
+
 module "search_accessor_security_group" {
   source = "terraform-aws-modules/security-group/aws"
 
   name        = "${var.domain_name}-search-accessor"
   description = "For resources that need access to search cluster"
   vpc_id      = var.vpc_id
 
+
   egress_with_source_security_group_id = [
     {
       rule                     = "https-443-tcp"
@@ -20,6 +22,8 @@ module "search_security_group" {
   description = "For search cluster resources"
   vpc_id      = var.vpc_id
 
+  tags = var.tags
+
   ingress_with_source_security_group_id = [
     {
       rule                     = "https-443-tcp"
@@ -32,6 +36,8 @@ resource "aws_elasticsearch_domain" "search" {
   domain_name           = var.domain_name
   elasticsearch_version = "6.8"
 
+  tags = var.tags
+
   cluster_config {
     instance_count           = var.instance_count
     instance_type            = var.instance_type

diff --git a/modules/search/variables.tf b/modules/search/variables.tf
@@ -71,3 +71,9 @@ variable "volume_type" {
   type     = string
   nullable = false
 }
+
+variable "tags" {
+  description = "Tags to apply to resources"
+  type        = map(string)
+  default     = {}
+}
diff --git a/modules/vpc/main.tf b/modules/vpc/main.tf
@@ -45,6 +45,11 @@ module "vpc" {
   cidr = var.cidr
 
   azs = local.azs
+
+  # Enable force destroy for testing
+  manage_default_security_group = true
+  default_security_group_ingress = []
+  default_security_group_egress = []
   # 1/2 of address space for each AZ
   # within AZ:
   # 1/2 for private

diff --git a/tests/.terraform.lock.hcl b/tests/.terraform.lock.hcl
diff --git a/tests/README.md b/tests/README.md
@@ -0,0 +1,72 @@
+# Quilt Stack Tag Tests
+
+These tests verify that the Quilt module correctly sets tags on AWS resources.
+
+## Prerequisites
+
+1. AWS credentials configured with appropriate permissions
+2. Terraform >= 1.5.0 installed
+3. AWS provider ~> 5.0
+
+## Finding the Test Stack
+
+When running with `terraform apply`, the test stack will be created in your AWS account with:
+- CloudFormation stack name: "test-stack"
+- All resources will be tagged with "quilt:stack-name = test-stack"
+
+You can find the stack:
+1. In the AWS CloudFormation console under the stack name "test-stack"
+2. By searching for resources with the tag "quilt:stack-name = test-stack"
+3. Using AWS CLI: `aws cloudformation describe-stacks --stack-name test-stack`
+
+## Running the Tests
+
+From any directory:
+
+```bash
+# First initialize the test environment
+terraform -chdir=tests init
+
+# Then plan to verify the configuration
+terraform -chdir=tests plan
+
+# Finally check the test outputs
+terraform -chdir=tests output
+```
+
+The test will:
+1. Show the planned creation of a test stack with minimal configuration
+2. Display the planned common_tags containing just the stack name
+3. Display the planned stack_dependent_tags containing both stack name and stack ID
+4. Show the planned test result outputs as boolean values
+
+### Test Outputs
+
+The test is successful if both outputs are `true`:
+
+```
+test_common_tags = true
+test_stack_dependent_tags = true
+```
+
+You can check the outputs with:
+```bash
+terraform -chdir=tests output
+```
+
+If any output is `false`, the test has failed, indicating the tags are not set correctly.
+
+### Cleanup
+
+If you ran apply, clean up with:
+
+```bash
+cd tests && terraform destroy
+```
+
+Note: No cleanup needed if you only ran plan!
+
+## Test Files
+
+- `test_tags.tf`: Main test configuration
+- `test.yml`: Minimal CloudFormation template for testing