ministryofjustice · markgov · Mar 11, 2025 · Mar 11, 2025 · Mar 11, 2025 · Mar 11, 2025
@@ -205,6 +205,7 @@ data "archive_file" "lambda_zip" {
 resource "aws_kms_key" "athena_logging" {
   enable_key_rotation = true
   policy              = data.aws_iam_policy_document.athena_logging.json
+  tags                = { Name = "${local.application_name}-athena-kms" }
 }
 
 resource "aws_kms_alias" "athena_logging" {

@@ -128,14 +128,14 @@ resource "aws_sns_topic" "cortex_sqs_sns_topic" {
   for_each          = { for topic in local.cortex_topic_names : topic.name => topic }
   name              = "${each.value.name}-sqs-sns-topic"
   kms_master_key_id = aws_kms_key.sns_kms_key.id
-  tags              = local.tags
+  tags              = merge(local.tags, try(each.value.tags, {}))
 }
 
 module "mp-sqs-sns-chatbot" {
   for_each         = { for topic in local.cortex_topic_names : topic.name => topic }
   source           = "github.com/ministryofjustice/modernisation-platform-terraform-aws-chatbot?ref=73280f80ce8a4557cec3a76ee56eb913452ca9aa" // v2.0.0
   slack_channel_id = each.value.channel_id
   sns_topic_arns   = [aws_sns_topic.cortex_sqs_sns_topic[each.key].arn]
-  tags             = local.tags
+  tags             = merge(local.tags, try(each.value.tags, {}))
   application_name = "${each.value.name}-sqs-alarm-chatbot"
 }
@@ -4,12 +4,14 @@ provider "aws" {
   assume_role {
     role_arn = "arn:aws:iam::${local.environment_management.account_ids[terraform.workspace]}:role/ModernisationPlatformAccess"
   }
+  default_tags { tags = local.tags }
 }
 
 # AWS provider for the Modernisation Platform, to get things from there if required
 provider "aws" {
   alias  = "modernisation-platform"
   region = "eu-west-2"
+  default_tags { tags = local.tags }
 }
 
 provider "aws" {
@@ -18,6 +20,7 @@ provider "aws" {
   assume_role {
     role_arn = "arn:aws:iam::${local.environment_management.account_ids["core-logging-production"]}:role/ModernisationPlatformAccess"
   }
+  default_tags { tags = local.tags }
 }
 
 # AWS provider for core-network-services to get the Transit Gateway attachment
@@ -27,13 +30,19 @@ provider "aws" {
   assume_role {
     role_arn = "arn:aws:iam::${local.environment_management.account_ids["core-network-services-production"]}:role/ModernisationPlatformAccess"
   }
+
+  default_tags { tags = local.tags }
 }
 
+
+
 # AWS provider (modernisation-secrets-read): Required for assuming a role into modernisation platform account to read secrets
 provider "aws" {
   alias  = "modernisation-secrets-read"
   region = "eu-west-2"
   assume_role {
     role_arn = "arn:aws:iam::${data.aws_ssm_parameter.modernisation_platform_account_id.value}:role/modernisation-account-limited-read-member-access"
   }
+  default_tags { tags = local.tags }
 }
+
@@ -126,7 +126,7 @@ resource "aws_kms_key" "r53_dns_firewall" {
   description         = "KMS key for DNS Firewall SNS Topic Encryption"
   enable_key_rotation = true
   policy              = data.aws_iam_policy_document.r53_dns_firewall_kms_policy.json
-  tags                = local.tags
+  tags                = merge(local.tags, { Name = "${local.application_name}-r53-kms" })
 }
 
 resource "aws_kms_alias" "r53_dns_firewall" {

@@ -120,6 +120,7 @@ resource "aws_kms_key" "s3_logging_cloudtrail_eu-west-1_replication" {
   policy                  = data.aws_iam_policy_document.kms_logging_cloudtrail_replication.json
   enable_key_rotation     = true
   deletion_window_in_days = 30
+  tags                    = { Name = "${local.application_name}-s3-logging-cloudtrail-kms" }
 }
 resource "aws_kms_alias" "s3_logging_cloudtrail_eu-west-1_replication" {
   provider = aws.modernisation-platform-eu-west-1