[resource-tagging] Add tags or labels to all resource created with shared modules

Author: jwbron

terraform/modules/cloud-build-docker/README.md

@@ -118,6 +118,7 @@ module "secure_app" {
 - `cloud_build_config` - Custom Cloud Build config file (null)
 - `build_args` - Additional build arguments ({})
 - `cache_enabled` - Enable branch-based caching (true)
+- `tags` - A map of tags to assign to all resources created by this module ({})
 
 ## Outputs
 
@@ -177,6 +178,40 @@ your-app-repo/
 └── README.md
 ```
 
+## Resource Tagging
+
+All resources created by this module are automatically tagged with common metadata:
+
+### Automatic Tags
+- `module` - Set to "cloud-build-docker"
+- `image_name` - The name of the Docker image being built
+
+### Custom Tags
+You can add custom tags using the `tags` variable:
+
+```hcl
+module "my_app_image" {
+  source = "git::https://github.com/Khan/terraform-modules.git//terraform/modules/cloud-build-docker?ref=v1.0.0"
+  
+  image_name       = "my-app"
+  context_path     = "./app"
+  project_id       = var.project_id
+  image_tag_suffix = "latest"
+  
+  tags = {
+    "environment" = "production"
+    "team"        = "backend"
+    "cost-center" = "engineering"
+    "owner"       = "backend-team"
+  }
+}
+```
+
+### Supported Resources
+The following resources support tagging/labeling:
+- **Cloud Build Triggers** - Labels applied (where supported)
+- **Container Images** - Labels applied (where supported)
+
 ## Prerequisites
 
 ### GCP Setup

terraform/modules/cloud-build-docker/examples/simple-build/main.tf

@@ -24,6 +24,13 @@ module "web_app_image" {
   context_path     = "./app"
   project_id       = var.project_id
   image_tag_suffix = "latest"
+
+  tags = {
+    environment = "example"
+    team        = "backend"
+    cost-center = "engineering"
+    owner       = "backend-team"
+  }
 }
 
 # Output the built image information

terraform/modules/cloud-build-docker/main.tf

@@ -17,6 +17,14 @@ terraform {
   }
 }
 
+# Common tags for all resources
+locals {
+  common_tags = merge(var.tags, {
+    "module"      = "cloud-build-docker"
+    "image_name"  = var.image_name
+  })
+}
+
 # External data source to build images and return their digests
 data "external" "image_build" {
   program = ["${path.module}/build_image.py"]

terraform/modules/cloud-build-docker/variables.tf

@@ -39,3 +39,9 @@ variable "base_digest" {
   type        = string
   default     = "latest"
 }
+
+variable "tags" {
+  description = "A map of tags to assign to all resources created by this module"
+  type        = map(string)
+  default     = {}
+}

terraform/modules/github-ci-bootstrap/README.md

@@ -69,6 +69,7 @@ module "culture_cron_terraform_ci" {
 | `terraform_state_bucket` | GCS bucket name for storing Terraform state for this configuration | `string` | `terraform-{org}-{repo}-{service}` | no |
 | `secrets_project_id` | Project ID where secrets needed by the Terraform configuration are stored | `string` | `"khan-academy"` | no |
 | `secret_ids` | List of secret IDs that the Terraform configuration needs access to | `list(string)` | `[]` | no |
+| `tags` | A map of tags to assign to all resources created by this module | `map(string)` | `{}` | no |
 
 ### Target Projects Structure
 
@@ -191,6 +192,41 @@ jobs:
         uses: google-github-actions/setup-gcloud@v2
 ```
 
+## Resource Tagging
+
+All resources created by this module are automatically tagged with common metadata:
+
+### Automatic Tags
+- `module` - Set to "github-ci-bootstrap"
+- `service_name` - The unique identifier for this Terraform configuration
+- `github_repo` - The GitHub repository containing the Terraform code
+
+### Custom Tags
+You can add custom tags using the `tags` variable:
+
+```hcl
+module "culture_cron_terraform_ci" {
+  source = "git::https://github.com/Khan/terraform-modules.git//terraform/modules/github-ci-bootstrap?ref=v1.0.0"
+  
+  service_name      = "culture-cron-prod"
+  github_repository = "Khan/culture-cron"
+  # ... other configuration
+  
+  tags = {
+    "environment" = "production"
+    "team"        = "platform"
+    "cost-center" = "infrastructure"
+    "owner"       = "platform-team"
+  }
+}
+```
+
+### Supported Resources
+The following resources support tagging/labeling:
+- **Service Accounts** - Labels applied (where supported)
+- **Workload Identity Pools** - Labels applied (where supported)
+- **Workload Identity Providers** - Labels applied (where supported)
+
 ## Security Features
 
 - **No Service Account Keys**: Uses Workload Identity Federation for keyless auth

terraform/modules/github-ci-bootstrap/examples/bootstrap-with-module/main.tf

@@ -45,4 +45,11 @@ module "culture_cron_bootstrap" {
   secret_ids = [
     "projects/${var.secrets_project_id}/secrets/districts_slack_token"
   ]
+
+  tags = {
+    environment = "production"
+    team        = "platform"
+    cost-center = "infrastructure"
+    owner       = "platform-team"
+  }
 } 

terraform/modules/github-ci-bootstrap/main.tf

@@ -12,6 +12,15 @@ terraform {
   required_version = ">= 1.3.0"
 }
 
+# Common tags for all resources
+locals {
+  common_tags = merge(var.tags, {
+    "module"         = "github-ci-bootstrap"
+    "service_name"   = var.service_name
+    "github_repo"    = var.github_repository
+  })
+}
+
 # Define service-to-role mapping
 locals {
   service_roles = {

terraform/modules/github-ci-bootstrap/variables.tf

@@ -57,4 +57,10 @@ variable "secret_ids" {
   description = "List of secret IDs that the Terraform configuration needs access to"
   type        = list(string)
   default     = []
+}
+
+variable "tags" {
+  description = "A map of tags to assign to all resources created by this module"
+  type        = map(string)
+  default     = {}
 } 

terraform/modules/scheduled-job/README.md

@@ -230,6 +230,7 @@ module "data_processor" {
 - `timeout_seconds` - Timeout for functions (60)
 - `environment_variables` - Environment vars ({})
 - `secrets` - Secret Manager secrets ([])
+- `tags` - A map of tags to assign to all resources ({})
 
 ### Cloud Run Job specific (when `execution_type = "job"`)
 - `job_cpu` - CPU allocation (e.g., "1000m", "2") ("1000m")
@@ -389,6 +390,43 @@ Or use Cloud Build directly:
 gcloud builds submit --tag gcr.io/YOUR_PROJECT_ID/YOUR_JOB_NAME:latest ./jobs/your-job
 ```
 
+## Resource Tagging
+
+All resources created by this module are automatically tagged with common metadata:
+
+### Automatic Tags
+- `module` - Set to "scheduled-job"
+- `job_name` - The name of your function/job
+- `execution_type` - Either "function" or "job"
+
+### Custom Tags
+You can add custom tags using the `tags` variable:
+
+```hcl
+module "my_function" {
+  source = "git::https://github.com/Khan/terraform-modules.git//terraform/modules/scheduled-job?ref=v1.0.0"
+  
+  job_name = "my-function"
+  # ... other configuration
+  
+  tags = {
+    "environment" = "production"
+    "team"        = "data-engineering"
+    "cost-center" = "infrastructure"
+    "owner"       = "data-team"
+  }
+}
+```
+
+### Supported Resources
+The following resources support tagging/labeling:
+- **Storage Buckets** - Labels applied
+- **Storage Objects** - Metadata applied
+- **PubSub Topics** - Labels applied
+- **Cloud Scheduler Jobs** - Labels applied
+- **Cloud Functions** - Labels applied
+- **Cloud Run Jobs** - Labels applied
+
 ## Common Cron Patterns
 
 | Schedule | Description |

terraform/modules/scheduled-job/examples/simple-function/main.tf

@@ -48,6 +48,13 @@ module "daily_health_check" {
       version      = "latest"
     }
   ]
+
+  tags = {
+    environment = "example"
+    team        = "platform"
+    cost-center = "infrastructure"
+    owner       = "platform-team"
+  }
 }
 
 # Output the function details