
How to tag AWS Elastic IP addresses using CloudFormation

Some resources, such as AWS::EC2::EIP, support tags, but not through CloudFormation. The request for tagging support in CloudFormation has been outstanding at AWS for quite some time now. So in this blog post, we will show you how to add tags to any resource using a CloudFormation custom provider.

How does it work?

It is simple: add a Custom::Tag resource to your CloudFormation template:

EIPBastionPoolTags:
  Type: Custom::Tag
  Properties:
    ResourceARN:
      - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:eip/${EIP1.AllocationId}'
      - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:eip/${EIP2.AllocationId}'
      - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:eip/${EIP3.AllocationId}'
    Tags:
      asg-elastic-ip-manager-pool: eip-bastion-pool

    ServiceToken: !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:cfn-tag-provider'

This places a single tag on a group of elastic IPs, but you can add multiple tags and tag any set of resources. Just add the appropriate Amazon Resource Names (ARN) to the list.
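What a handler behind Custom::Tag has to work out from these properties on create, update and delete, as an added sketch that is not the cfn-tag-provider source: which tags to apply and which to remove, so that a resource dropped from the list does not keep a stale tag. The names plan_tag_changes and _props and the sample event are assumptions; each planned entry is assumed to map onto one TagResources or UntagResources call of the Resource Groups Tagging API.

```python
def _props(properties):
    """Normalise Custom::Tag properties to (set of ARNs, dict of tags)."""
    arns = properties.get("ResourceARN", [])
    if isinstance(arns, str):  # tolerate a single ARN given as a string
        arns = [arns]
    tags = {str(k): str(v) for k, v in properties.get("Tags", {}).items()}
    return set(arns), tags


def plan_tag_changes(event):
    """Return (tag_calls, untag_calls) for one custom resource event.

    tag_calls: [(arns, tags)], untag_calls: [(arns, tag_keys)]; hypothetical helper.
    """
    request = event["RequestType"]
    new_arns, new_tags = _props(event.get("ResourceProperties", {}))
    old_arns, old_tags = _props(event.get("OldResourceProperties", {}))
    apply_new = [(sorted(new_arns), new_tags)] if new_arns and new_tags else []
    if request == "Create":
        return apply_new, []
    if request == "Delete":  # remove only the tag keys this resource declared
        return [], ([(sorted(new_arns), sorted(new_tags))] if apply_new else [])
    if request != "Update":
        raise ValueError(f"unsupported RequestType: {request}")
    untag = []
    dropped_arns = old_arns - new_arns  # resources removed from the list
    if dropped_arns and old_tags:
        untag.append((sorted(dropped_arns), sorted(old_tags)))
    dropped_keys = set(old_tags) - set(new_tags)  # tag keys removed from the map
    kept_arns = old_arns & new_arns
    if kept_arns and dropped_keys:
        untag.append((sorted(kept_arns), sorted(dropped_keys)))
    return apply_new, untag


# Constructed sample: an Update that drops one EIP and one tag key.
ARN = "arn:aws:ec2:eu-west-1:123456789012:eip/eipalloc-{}"  # placeholder ids
SAMPLE_UPDATE = {
    "RequestType": "Update",
    "OldResourceProperties": {
        "ResourceARN": [ARN.format("1"), ARN.format("2"), ARN.format("3")],
        "Tags": {"asg-elastic-ip-manager-pool": "eip-bastion-pool", "owner": "ops"},
    },
    "ResourceProperties": {
        "ResourceARN": [ARN.format("1"), ARN.format("2")],
        "Tags": {"asg-elastic-ip-manager-pool": "eip-bastion-pool"},
    },
}
```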

Deploy the provider

To deploy the provider, type:

git clone https://github.com/binxio/cfn-tag-provider.git
cd cfn-tag-provider
aws cloudformation create-stack \
        --capabilities CAPABILITY_IAM \
        --stack-name cfn-tag-provider \
        --template-body file://./cloudformation/cfn-resource-provider.yaml

aws cloudformation wait stack-create-complete  --stack-name cfn-tag-provider

Deploy the demo

In order to deploy the demo, type:

aws cloudformation create-stack \
        --capabilities CAPABILITY_NAMED_IAM \
        --stack-name cfn-tag-provider-demo \
        --template-body file://./cloudformation/demo.yaml

aws cloudformation wait stack-create-complete  --stack-name cfn-tag-provider-demo

The demo creates three elastic IP addresses, and tags them.

Permissions

The tag and untag resources operations also require query, tag and untag permissions on the tagged resources themselves. Currently, these IAM permissions are generated and added to the security policy of the provider using the script add-allow-tag-actions-statement.

Conclusion

With this simple CloudFormation provider, you can tag any resources you create with CloudFormation.

Mark van Holsteijn
CTO