feat: Additional tags to wide open security groups

[nitrocode]

Description

Adds a new variable var.tags_sgs_additional to merge with the tags supplied on the security group resources that are open to the world. This is to add tags to those wide open security groups to pass our audits.

Motivation and Context

For auditing purposes

Closes #141

Breaking Changes

None

How Has This Been Tested?

Locally

[bryantbiggs]

thanks @nitrocode - could you split this up to 3 tags since there are 3 security groups and name them:

• alb_https_security_group_tags
• alb_http_security_group_tags
• atlantis_security_group_tags

and the variables can be defined similar to what has been done on the vpc module here

[nitrocode]

Hi @bryantbiggs .

• alb_https_security_group_tags
• alb_http_security_group_tags
• atlantis_security_group_tags

The way these are named, are you advocating to not do a merge on those resources' tags' regarding the tags variable and instead supplant var.tags for those resources ?

and the variables can be defined similar to what has been done on the vpc module here

If I used the example you linked to, the variable in this PR would be var.sgs_tags and would apply to all of the open-to-the-world security groups. Is that correct?

[bryantbiggs]

no no, I think merging is good. its common across the modules here, there is a default tags group and then individual tags per "resource". so if you look at like the VPC module as an example, you'll see they merge the default tags as well as tags for the specific resource like:

	tags = merge(var.tags, var.dhcp_options_tags)

so here with your PR I think it would be good to have something like:

# for alb_https security group
tags = merge(local.tags, var.alb_https_security_group_tags)
...
# for alb_http security group
tags = merge(local.tags, var.alb_http_security_group_tags)
...
# for atlantis security group
tags = merge(local.tags, var.atlantis_security_group_tags)

that way the each get the default tags with local.tags but then you can add/override with the specific tag variable provided at the end. what do you think about that?

[nitrocode]

@bryantbiggs makes sense to me. I updated the changes to reflect your suggestions.

From previous comments by @antonbabenko, it looks like these PRs won't get any love until August #128 (comment).

[bryantbiggs]

@nitrocode would you mind updating your branch with master - @antonbabenko 👍

[nitrocode]

All set!

[antonbabenko]

Thanks, @nitrocode !

v2.22.0 has been just released.

[github-actions]

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.