
How to tag AWS Elastic IP addresses using CloudFormation

15 Aug, 2019

Sometimes a resource, such as AWS::EC2::EIP, supports tags, but CloudFormation does not expose them. The request for tagging support in CloudFormation has been outstanding at AWS for quite some time now. So in this blog, we will show you how to add tags to any resource using a CloudFormation custom provider.

How does it work?

Very simply, add a Custom::Tag to your CloudFormation template:

EIPBastionPoolTags:
  Type: Custom::Tag
  Properties:
    ResourceARN:
      - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:eip/${EIP1.AllocationId}'
      - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:eip/${EIP2.AllocationId}'
      - !Sub 'arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:eip/${EIP3.AllocationId}'
    Tags:
      asg-elastic-ip-manager-pool: eip-bastion-pool
    ServiceToken: !Sub 'arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:cfn-tag-provider'

This places a single tag on a group of elastic IPs, but you can add multiple tags and tag any set of resources. Just add the appropriate Amazon Resource Names (ARN) to the list.

Deploy the provider

To deploy the provider, type:

git clone https://github.com/binxio/cfn-tag-provider.git
cd cfn-tag-provider
aws cloudformation create-stack \
        --capabilities CAPABILITY_IAM \
        --stack-name cfn-tag-provider \
        --template-body file://./cloudformation/cfn-resource-provider.yaml

aws cloudformation wait stack-create-complete  --stack-name cfn-tag-provider

Deploy the demo

In order to deploy the demo, type:

aws cloudformation create-stack \
        --capabilities CAPABILITY_NAMED_IAM \
        --stack-name cfn-tag-provider-demo \
        --template-body file://./cloudformation/demo.yaml

aws cloudformation wait stack-create-complete  --stack-name cfn-tag-provider-demo

The demo creates three elastic IP addresses, and tags them.

Permissions

The tag and untag resources operations require query, tag and untag permissions on the tagged resources too. Currently, these IAM permissions are generated and added to the security policy of the provider using the script add-allow-tag-actions-statement.
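
As an added example (not code from cfn-tag-provider or from this post), the code below shows how a handler for the Custom::Tag resource described under "How does it work?" could map CloudFormation Create, Update and Delete events to tagging calls, and how a missing permission on a tagged resource surfaces in the response. The function names are hypothetical, and it assumes the Resource Groups Tagging API through a boto3 client.

```python
# Added example, not code from cfn-tag-provider. Function names are hypothetical.

def plan_steps(event):
    """Turn a CloudFormation custom-resource event into (op, arns, payload) steps."""
    props = event["ResourceProperties"]
    arns, tags = list(props["ResourceARN"]), dict(props["Tags"])
    kind = event["RequestType"]
    if kind == "Create":
        return [("tag", arns, tags)]
    if kind == "Delete":
        return [("untag", arns, sorted(tags))]
    # Update: remove what the old template applied and the new one no longer does,
    # so stale tags do not keep resources in a pool they were taken out of.
    old = event.get("OldResourceProperties", {})
    old_arns, old_tags = old.get("ResourceARN", []), old.get("Tags", {})
    steps = []
    dropped_arns = [a for a in old_arns if a not in arns]
    if dropped_arns and old_tags:
        steps.append(("untag", dropped_arns, sorted(old_tags)))
    dropped_keys = sorted(k for k in old_tags if k not in tags)
    kept_arns = [a for a in old_arns if a in arns]
    if dropped_keys and kept_arns:
        steps.append(("untag", kept_arns, dropped_keys))
    return steps + [("tag", arns, tags)]


def apply_steps(client, steps, batch=20):
    """Run the steps; return {arn: error} for every resource the API refused.

    client is a boto3 "resourcegroupstaggingapi" client (or a stub). Both calls
    accept at most 20 ARNs and report per-resource failures, such as a missing
    service-level tag permission, in FailedResourcesMap instead of raising.
    """
    failed = {}
    for op, arns, payload in steps:
        for i in range(0, len(arns), batch):
            chunk = arns[i:i + batch]
            if op == "tag":
                resp = client.tag_resources(ResourceARNList=chunk, Tags=payload)
            else:
                resp = client.untag_resources(ResourceARNList=chunk, TagKeys=payload)
            failed.update(resp.get("FailedResourcesMap", {}))
    return failed
```

A handler would report FAILED to CloudFormation whenever apply_steps returns a non-empty map, so a missing tag permission fails the stack instead of leaving resources silently untagged.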

Conclusion

With this simple CloudFormation provider, you can tag any resources you create with CloudFormation.

Mark van Holsteijn
Mark van Holsteijn is a senior software systems architect at Xebia Cloud-native solutions. He is passionate about removing waste in the software delivery process and keeping things clear and simple.