
Add comprehensive tags support to infrastructure resources#100

Open: drernie wants to merge 5 commits into main from stack/tags

@drernie
Member

@drernie drernie commented Jan 20, 2026

This PR adds comprehensive tags support to all major infrastructure resources in the IAC modules.

Changes

Modules Updated

  1. Search Module (ElasticSearch)

    • Add tags variable
    • Apply tags to aws_elasticsearch_domain resource
  2. DB Module (RDS)

    • Add tags variable
    • Apply tags to RDS instance
    • Apply tags to DB security group
    • Apply tags to DB accessor security group
  3. VPC Module

    • Add tags variable
    • Apply tags to VPC and all subnets (public, private, intra)
    • Apply tags to NAT gateways
    • Apply tags to user ingress security group
    • Apply tags to VPC endpoints (S3 Gateway, API Gateway)
  4. Quilt Module

    • Add tags variable
    • Apply tags to S3 bucket (CloudFormation templates)
    • Pass tags to all sub-modules (search, db, vpc)

Resources Tagged

With these changes, the following AWS resources can be tagged:

  • ✅ ElasticSearch domain
  • ✅ RDS database instance
  • ✅ VPC and subnets (public, private, intra)
  • ✅ NAT gateways
  • ✅ Security groups (DB, DB accessor, user ingress)
  • ✅ VPC endpoints (S3 Gateway, API Gateway)
  • ✅ S3 bucket (CloudFormation templates)

Benefits

  • Better resource tracking across stack deployments
  • Improved cost allocation and billing analysis
  • Easier resource management and identification
  • Support for organizational tagging policies

Example Usage

module "quilt" {
  source = "github.com/quiltdata/iac//modules/quilt?ref=stack/tags"
  
  name = "my-stack"
  # ... other parameters ...
  
  tags = {
    StackId     = "my-stack"
    Environment = "production"
    ManagedBy   = "terraform"
    CostCenter  = "engineering"
  }
}

All tags are optional and default to an empty map if not provided.

drernie and others added 4 commits January 20, 2026 09:18
- Add tags variable to search module
- Add tags variable to quilt module
- Pass tags from quilt module to search module
- Apply tags to aws_elasticsearch_domain resource

This allows users to tag their Elasticsearch clusters with stack IDs
or other metadata for better resource tracking and cost allocation.

Co-Authored-By: Claude <noreply@anthropic.com>

- Add tags variable and support to db module (RDS instance and security groups)
- Add tags variable and support to vpc module (VPC, subnets, security groups, endpoints)
- Add tags to S3 bucket in quilt module
- Pass tags from quilt module to db, vpc, and search modules

This extends the tagging capability beyond just ElasticSearch to include:
- RDS database instances and associated security groups
- VPC resources (VPC, subnets, NAT gateways)
- Security groups (DB accessor, DB, user ingress)
- VPC endpoints (S3 Gateway, API Gateway)
- S3 bucket for CloudFormation templates

This enables better resource tracking, cost allocation, and management
across all infrastructure components in different stack deployments.

Co-Authored-By: Claude <noreply@anthropic.com>
@sir-sigurd
Member

> troposphere doesn't expose the Tags property for Elasticsearch domains.

that's not true

the main question is why default_tags is not enough?

@drernie drernie changed the title Add tags support to Elasticsearch domain Add comprehensive tags support to infrastructure resources Jan 21, 2026
@drernie
Member Author

drernie commented Jan 21, 2026

> why default_tags is not enough

I don't know, but whatever we are doing currently does NOT seem to tag the OpenSearch service:
[Screenshot 2026-01-20 at 8 33 23 PM]

@drernie drernie requested review from Copilot and sir-sigurd January 21, 2026 04:34
Copilot AI left a comment

Pull request overview

This PR adds comprehensive tagging support to infrastructure modules (VPC, DB, Search, and Quilt) to enable better resource tracking, cost allocation, and organizational compliance.

Changes:

  • Added tags variable to all infrastructure modules with default empty map
  • Applied tags to AWS resources including ElasticSearch domains, RDS instances, security groups, VPCs, subnets, NAT gateways, VPC endpoints, and S3 buckets
  • Configured tag propagation from the Quilt parent module to all child modules

Reviewed changes

Copilot reviewed 8 out of 9 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| modules/vpc/variables.tf | Added tags variable for VPC resources |
| modules/vpc/main.tf | Applied tags to VPC module, security group, and VPC endpoints |
| modules/search/variables.tf | Added tags variable for ElasticSearch domain |
| modules/search/main.tf | Applied tags to ElasticSearch domain resource |
| modules/quilt/variables.tf | Added tags variable at parent module level |
| modules/quilt/main.tf | Propagated tags to all child modules (VPC, DB, Search) and S3 bucket |
| modules/db/variables.tf | Added tags variable for RDS and security groups |
| modules/db/main.tf | Applied tags to RDS instance and security group modules |

Co-Authored-By: Claude <noreply@anthropic.com>
@sir-sigurd
Member

> don't know, but whatever we are doing currently does NOT seem to tag the OpenSearch service:

currently we do nothing 😄
so maybe try using default_tags approach in deployment first?
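
Whichever approach is used (per-module `tags` or provider `default_tags`), the open question in this thread is which resources actually end up tagged. One way to check that from a plan is sketched below as an added example; it is not part of the PR or the project's code. It assumes the JSON produced by `terraform show -json <planfile>`, and the sample plan, resource addresses and required tag keys are constructed.

```python
import json

# Constructed sample in the shape of `terraform show -json <planfile>` output.
# Addresses and tag values are made up for illustration.
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": "module.quilt.module.search.aws_elasticsearch_domain.example",
     "type": "aws_elasticsearch_domain",
     "change": {"actions": ["create"],
                "after": {"tags": None, "tags_all": {}}}},
    {"address": "module.quilt.module.db.aws_db_instance.example",
     "type": "aws_db_instance",
     "change": {"actions": ["update"],
                "after": {"tags": {"StackId": "my-stack"},
                          "tags_all": {"StackId": "my-stack",
                                       "ManagedBy": "terraform"}}}},
    {"address": "module.quilt.aws_s3_bucket.example",
     "type": "aws_s3_bucket",
     "change": {"actions": ["delete"], "after": None}},
    {"address": "module.quilt.random_password.example",
     "type": "random_password",
     "change": {"actions": ["create"], "after": {"length": 16}}},
]})


def missing_tags(plan_json, required):
    """Map resource address -> sorted list of required tag keys it lacks."""
    findings = {}
    for rc in json.loads(plan_json).get("resource_changes", []):
        after = rc.get("change", {}).get("after")
        if after is None:  # resource is being destroyed, nothing to tag
            continue
        if "tags" not in after and "tags_all" not in after:
            continue  # no tag attributes visible for this resource
        # tags_all = resource tags merged with provider default_tags.
        # Values only known at apply time are omitted from "after", so
        # fall back to the resource's own tags when tags_all is absent.
        effective = after.get("tags_all") or after.get("tags") or {}
        missing = sorted(set(required) - set(effective))
        if missing:
            findings[rc["address"]] = missing
    return findings


if __name__ == "__main__":
    for address, keys in missing_tags(SAMPLE_PLAN, ["StackId", "ManagedBy"]).items():
        print(f"{address}: missing {', '.join(keys)}")
```

Run against a real plan, an untagged search domain would show up here before apply rather than in the console afterwards.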
