(Repost of https://serverfault.com/questions/970586/how-to-configure-optional-tags-for-terraform-aws-inspector-resource-group since I did not receive a response there. Slightly abbreviated)
I am trying to develop a reusable module to be used in our multi account setup to enable AWS Inspector setup. Some accounts would like to scan only tagged instances (and probably define multiple resource groups based on tags) whereas others would like to scan all instances (and they aren’t tagged).
How do I define a tags property in aws_inspector_resource_group that uses tags passed into the module, or leaves out the tags property altogether if no tags are specified? I tried an empty value for the tags property but TF did not like it, and I don't suppose * is an option.
I haven't used the aws_inspector_resource_group resource before but I dug through some of the code in the Terraform AWS provider. The short summary is that the AWS SDK for Inspector does not seem to support empty values or wildcard values for target tags.
I started by digging into the Terraform Provider code to determine if it was Terraform related. I found that the resource passes the tags as they are to the AWS SDK. When I looked at the AWS SDK documentation, the AWS request syntax seems to require at minimum one tag. I could not find a reference to pass tags as regular expressions or otherwise in the AWS SDK. If you do find something, I’d be curious to know!
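One way to structure the module around that API constraint, as an added example rather than code from either poster: create a resource group only for accounts that supply tags, and give accounts with no tags an assessment target without a resource group, which the Inspector Classic API treats as "all EC2 instances" (that behaviour, the variable name, and Terraform 0.12.6+ for resource for_each are assumptions here).

```hcl
# Each key becomes one assessment target; each value is the tag set that
# selects its instances. Every map must contain at least one tag because
# CreateResourceGroup rejects an empty tag set (see the answer above).
variable "resource_groups" {
  description = "Map of target name => instance tags. Leave empty to assess all instances."
  type        = map(map(string))
  default     = {}
}

# Tagged accounts: one resource group and one target per entry.
resource "aws_inspector_resource_group" "by_tags" {
  for_each = var.resource_groups
  tags     = each.value
}

resource "aws_inspector_assessment_target" "by_tags" {
  for_each           = var.resource_groups
  name               = "inspector-${each.key}"
  resource_group_arn = aws_inspector_resource_group.by_tags[each.key].arn
}

# Untagged accounts: no resource group at all. Omitting resource_group_arn
# (assumption) makes the target cover every instance in the account/region.
resource "aws_inspector_assessment_target" "all_instances" {
  count = length(var.resource_groups) == 0 ? 1 : 0
  name  = "inspector-all-instances"
}

output "assessment_target_arns" {
  value = concat(
    [for t in aws_inspector_assessment_target.by_tags : t.arn],
    aws_inspector_assessment_target.all_instances[*].arn,
  )
}
```

A tagged account would pass something like `resource_groups = { web = { Environment = "prod", Role = "web" } }`, while an untagged account passes nothing and gets the all-instances target.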
I am waiting to try out nullable tags with TF 0.12 - we were on 0.11.14 thus far. Will let you know if that helps.
Another item missing was the ability to schedule scans, not just start/stop a run. I had a chance to speak to some AWS folks at re:Inforce and they were surprised that there is no scheduling API.
Seems like not all services get the same API love at AWS.