added resource created tag, fixed formatting

terraform/modules/aurora/main.tf

@@ -1,44 +1,51 @@
 locals {
-  db_port = var.db_engine_type == "aurora-postgresql" ? 5432 : 3306
+  db_port  = var.db_engine_type == "aurora-postgresql" ? 5432 : 3306
   protocol = "tcp"
   all_ips  = ["0.0.0.0/0"]
-  any = "-1"
+  any      = "-1"
   rds_master_password = {
     password = random_password.master_password.result
   }
   snapshot_name = "${var.resource_prefix}-${random_id.snapshot.hex}"
 }
 
 resource "aws_rds_cluster" "rds" {
-  cluster_identifier = "${var.resource_prefix}-aurora"
-  engine                              =  var.db_engine_type
-  engine_version                      =  var.db_engine_version
-  engine_mode                         =  var.db_engine_mode
-  database_name                       =   var.database_name
-  master_username                     =  var.master_username
-  master_password                     =  random_password.master_password.result
-  final_snapshot_identifier           =  local.snapshot_name
-  skip_final_snapshot                 =  var.skip_final_snapshot
-  backup_retention_period             =  var.backup_retention_period
-  preferred_backup_window             =  var.backup_window
-  preferred_maintenance_window        =  var.maintenance_window
-  port                                =  local.db_port
-  storage_encrypted                   =  var.storage_encrypted
-  allow_major_version_upgrade         =  var.allow_major_version_upgrade
-  enabled_cloudwatch_logs_exports     =  var.enabled_cloudwatch_logs_exports
-  deletion_protection                 =  var.deletion_protection
-  db_subnet_group_name                =  aws_db_subnet_group.subnet_group.name
-  vpc_security_group_ids              =  [aws_security_group.rds.id]
-  kms_key_id                          =  data.aws_kms_alias.kms.id
+  cluster_identifier              = "${var.resource_prefix}-aurora"
+  engine                          = var.db_engine_type
+  engine_version                  = var.db_engine_version
+  engine_mode                     = var.db_engine_mode
+  database_name                   = var.database_name
+  master_username                 = var.master_username
+  master_password                 = random_password.master_password.result
+  final_snapshot_identifier       = local.snapshot_name
+  skip_final_snapshot             = var.skip_final_snapshot
+  backup_retention_period         = var.backup_retention_period
+  preferred_backup_window         = var.backup_window
+  preferred_maintenance_window    = var.maintenance_window
+  port                            = local.db_port
+  storage_encrypted               = var.storage_encrypted
+  allow_major_version_upgrade     = var.allow_major_version_upgrade
+  enabled_cloudwatch_logs_exports = var.enabled_cloudwatch_logs_exports
+  deletion_protection             = var.deletion_protection
+  db_subnet_group_name            = aws_db_subnet_group.subnet_group.name
+  vpc_security_group_ids          = [aws_security_group.rds.id]
+  kms_key_id                      = data.aws_kms_alias.kms.id
   serverlessv2_scaling_configuration {
-    max_capacity =  var.max_capacity
-    min_capacity =  var.min_capacity
+    max_capacity = var.max_capacity
+    min_capacity = var.min_capacity
   }
-  tags = var.tags
+
+  tags = merge(
+    {
+      "CreateDate" = timestamp()
+    },
+    var.tags,
+  )
 
   lifecycle {
     ignore_changes = [
-      kms_key_id
+      kms_key_id,
+      tags["CreateDate"],
     ]
   }
 
@@ -57,31 +64,31 @@ resource "random_password" "master_password" {
   length  = var.master_password_length
   special = false
   keepers = {
-    Name =  var.master_username
+    Name = var.master_username
   }
 }
 
 resource "aws_db_subnet_group" "subnet_group" {
   name       = "${var.resource_prefix}-rds-aurora-subnet-group"
   subnet_ids = var.db_subnet_ids
-  tags = var.tags
+  tags       = var.tags
 }
 
 resource "aws_security_group" "rds" {
-  name  =  "${var.resource_prefix}-rds-aurora-sg"
+  name        = "${var.resource_prefix}-rds-aurora-sg"
   vpc_id      = var.vpc_id
   description = "Allow traffic to/from RDS Aurora"
-  tags = var.tags
+  tags        = var.tags
 }
 
 resource "aws_security_group_rule" "rds_inbound" {
-  description = "From allowed SGs"
-  type                     = "ingress"
-  from_port                = local.db_port
-  to_port                  = local.db_port
-  protocol                 = local.protocol
-  cidr_blocks              = var.allowed_ip_blocks
-  security_group_id        = aws_security_group.rds.id
+  description       = "From allowed SGs"
+  type              = "ingress"
+  from_port         = local.db_port
+  to_port           = local.db_port
+  protocol          = local.protocol
+  cidr_blocks       = var.allowed_ip_blocks
+  security_group_id = aws_security_group.rds.id
 }
 
 resource "random_id" "snapshot" {
@@ -97,15 +104,15 @@ resource "aws_security_group_rule" "egress" {
   to_port           = 0
   protocol          = local.any
   cidr_blocks       = local.all_ips
-  security_group_id =  aws_security_group.rds.id
+  security_group_id = aws_security_group.rds.id
 }
 
 resource "aws_secretsmanager_secret" "db_secret" {
-  name = "${var.stack_name}/rds/aurora/${var.env}"
+  name                    = "${var.stack_name}/rds/aurora/${var.env}"
   recovery_window_in_days = var.secret_recovery_window_in_days
 }
 
 resource "aws_secretsmanager_secret_version" "secret_version" {
-  secret_id = aws_secretsmanager_secret.db_secret.id
+  secret_id     = aws_secretsmanager_secret.db_secret.id
   secret_string = jsonencode(local.rds_master_password)
 }

terraform/modules/aurora/outputs.tf

@@ -2,6 +2,6 @@ output "cluster_endpoint" {
   value = aws_rds_cluster.rds.endpoint
 }
 output "db_password" {
-  value = random_password.master_password.result
+  value     = random_password.master_password.result
   sensitive = false
 }

terraform/modules/aurora/variables.tf

@@ -5,11 +5,11 @@ variable "resource_prefix" {
 
 variable "tags" {
   description = "tags to associate with this instance"
-  type = map(string)
+  type        = map(string)
 }
 variable "stack_name" {
   description = "name of the project"
-  type = string
+  type        = string
 }
 
 variable "env" {
@@ -91,8 +91,8 @@ variable "db_engine_version" {
 }
 variable "lifecycle_policy_name" {
   description = "name of resource lifecycle policy"
-  default = "ignore_changes"
-  type = string
+  default     = "ignore_changes"
+  type        = string
 }
 
 variable "db_engine_mode" {
@@ -139,8 +139,8 @@ variable "max_capacity" {
 }
 variable "master_password_length" {
   description = "length of master user password"
-  type = number
-  default = 15
+  type        = number
+  default     = 15
 }
 variable "vpc_id" {
   type        = string
@@ -149,16 +149,16 @@ variable "vpc_id" {
 
 variable "secret_recovery_window_in_days" {
   description = "number of days to keep secret after deletion"
-  type = number
-  default = 0
+  type        = number
+  default     = 0
 }
 variable "allowed_ip_blocks" {
   description = "allowed ip block for the rds ingress"
-  type = list(string)
-  default = []
+  type        = list(string)
+  default     = []
 }
 variable "database_name" {
   description = "name of the database"
-  type = string
-  default = "bento"
+  type        = string
+  default     = "bento"
 }

terraform/modules/cloudfront/cloudwatch.tf

@@ -1,5 +1,5 @@
 resource "aws_cloudwatch_metric_alarm" "cloudfront_alarm" {
-  for_each = var.alarms
+  for_each                  = var.alarms
   alarm_name                = "${var.resource_prefix}-${each.key}-cloudfront-alarm"
   comparison_operator       = "GreaterThanOrEqualToThreshold"
   evaluation_periods        = "5"
@@ -14,14 +14,38 @@ resource "aws_cloudwatch_metric_alarm" "cloudfront_alarm" {
     DistributionId = aws_cloudfront_distribution.distribution.id
     Region         = "Global"
   }
-  alarm_actions       = [aws_sns_topic.cloudfront_alarm_topic.arn]
-  ok_actions          = [aws_sns_topic.cloudfront_alarm_topic.arn]
-  tags = var.tags
+  alarm_actions = [aws_sns_topic.cloudfront_alarm_topic.arn]
+  ok_actions    = [aws_sns_topic.cloudfront_alarm_topic.arn]
+
+  tags = merge(
+    {
+      "CreateDate" = timestamp()
+    },
+    var.tags,
+  )
+
+  lifecycle {
+    ignore_changes = [
+      tags["CreateDate"],
+    ]
+  }
 }
 
 resource "aws_sns_topic" "cloudfront_alarm_topic" {
   name = "${var.resource_prefix}-cloudfront-4xx-5xx-errors"
-  tags = var.tags
+
+  tags = merge(
+    {
+      "CreateDate" = timestamp()
+    },
+    var.tags,
+  )
+
+  lifecycle {
+    ignore_changes = [
+      tags["CreateDate"],
+    ]
+  }
 }
 
 resource "aws_sns_topic_subscription" "subscribe_slack_endpoint" {
@@ -34,11 +58,35 @@ resource "aws_sns_topic_subscription" "subscribe_slack_endpoint" {
 resource "aws_cloudwatch_log_group" "log_group_waf" {
   name              = "/aws/lambda/${aws_lambda_function.slack_waf.function_name}"
   retention_in_days = 30
-  tags = var.tags
+
+  tags = merge(
+    {
+      "CreateDate" = timestamp()
+    },
+    var.tags,
+  )
+
+  lifecycle {
+    ignore_changes = [
+      tags["CreateDate"],
+    ]
+  }
 }
 
 resource "aws_cloudwatch_log_group" "log_group_slack" {
   name              = "/aws/lambda/${aws_lambda_function.slack_lambda.function_name}"
   retention_in_days = 30
-  tags = var.tags
+
+  tags = merge(
+    {
+      "CreateDate" = timestamp()
+    },
+    var.tags,
+  )
+
+  lifecycle {
+    ignore_changes = [
+      tags["CreateDate"],
+    ]
+  }
 }

terraform/modules/cloudfront/data.tf

@@ -1,14 +1,14 @@
 data "aws_region" "current" {}
 data "aws_caller_identity" "current" {}
 data "aws_s3_bucket" "files_bucket" {
-  count = var.create_files_bucket ? 0 : 1
+  count  = var.create_files_bucket ? 0 : 1
   bucket = var.cloudfront_distribution_bucket_name
 }
 
 data "aws_iam_policy_document" "s3_policy" {
   statement {
     actions   = ["s3:GetObject"]
-    resources = [var.create_files_bucket ?  "arn:aws:s3:::${local.files_bucket_name}/*" : "${data.aws_s3_bucket.files_bucket[0].arn}/*"]
+    resources = [var.create_files_bucket ? "arn:aws:s3:::${local.files_bucket_name}/*" : "${data.aws_s3_bucket.files_bucket[0].arn}/*"]
 
     principals {
       type        = "AWS"
@@ -30,18 +30,18 @@ data "aws_cloudfront_cache_policy" "managed_cache" {
 data "aws_iam_policy_document" "kinesis_assume_role_policy" {
   statement {
     actions = ["sts:AssumeRole"]
-    effect = "Allow"
-    sid = ""
+    effect  = "Allow"
+    sid     = ""
     principals {
       identifiers = ["firehose.amazonaws.com"]
-      type = "Service"
+      type        = "Service"
     }
   }
 }
 
 data "aws_iam_policy_document" "firehose_policy" {
   statement {
-    sid = ""
+    sid    = ""
     effect = "Allow"
     actions = [
       "s3:AbortMultipartUpload",
@@ -57,9 +57,9 @@ data "aws_iam_policy_document" "firehose_policy" {
     ]
   }
   statement {
-    effect = "Allow"
-    sid = ""
-    actions = ["iam:CreateServiceLinkedRole"]
+    effect    = "Allow"
+    sid       = ""
+    actions   = ["iam:CreateServiceLinkedRole"]
     resources = ["arn:aws:iam::*:role/aws-service-role/wafv2.amazonaws.com/AWSServiceRoleForWAFV2Logging"]
   }
 }
@@ -72,21 +72,21 @@ data "aws_secretsmanager_secret_version" "cloudfront" {
 
 data "aws_iam_policy_document" "lambda_assume_policy" {
   statement {
-    sid = ""
+    sid    = ""
     effect = "Allow"
     actions = [
       "sts:AssumeRole"
     ]
     principals {
       identifiers = ["lambda.amazonaws.com"]
-      type = "Service"
+      type        = "Service"
     }
   }
 }
 
 data "aws_iam_policy_document" "lambda_s3_policy" {
   statement {
-    sid = ""
+    sid    = ""
     effect = "Allow"
     actions = [
       "s3:GetObject",
@@ -96,7 +96,7 @@ data "aws_iam_policy_document" "lambda_s3_policy" {
     resources = ["arn:aws:s3:::${aws_s3_bucket.kinesis_log.bucket}/*"]
   }
   statement {
-    sid = ""
+    sid    = ""
     effect = "Allow"
     actions = [
       "s3:ListBucket"
@@ -106,7 +106,7 @@ data "aws_iam_policy_document" "lambda_s3_policy" {
     ]
   }
   statement {
-    sid = ""
+    sid    = ""
     effect = "Allow"
     actions = [
       "wafv2:ListIPSets",