CloudFormation: Fix missing tags in cloud-security account

This is a temporary fix that tags required resources for the build to
succeed. We can revert it after the QA cycle to find a more elegant
solution.

.github/workflows/test-environment.yml

@@ -311,9 +311,3 @@ jobs:
         if: github.event.inputs.cleanup-env == 'true'
         run: |
           just delete-cloud-env ${{ env.DEPLOYMENT_NAME }} '' "false"
-
-      - name: Tag CNVM Instance
-        if: github.event.inputs.cleanup-env == 'false'
-        env:
-          STACK_NAME: "${{ env.CNVM_STACK_NAME}}"
-        run: just create-cnvm-stack-tags ${{ env.AWS_REGION}} ${{ env.STACK_NAME }} '${{ env.AWS_DEFAULT_TAGS }} Key=owner,Value=${{ github.actor }}'

deploy/cloudformation/elastic-agent-ec2-cnvm.yml

@@ -33,6 +33,11 @@ Parameters:
     Description: The version of elastic-agent to install
     Type: String
 
+Conditions:
+  UseElasticTags: !Equals
+    - !Ref "AWS::AccountId"
+    - 704479110758
+
 Resources:
 
   # Security Group for EC2 instance
@@ -134,6 +139,26 @@ Resources:
                   - !Ref "AWS::StackId"
         - Key: Task
           Value: Vulnerability Management Scanner
+        - Key: division
+          Value: !If
+            - UseElasticTags
+            - engineering
+            - AWS::NoValue
+        - Key: org
+          Value: !If
+            - UseElasticTags
+            - security
+            - AWS::NoValue
+        - Key: team
+          Value: !If
+            - UseElasticTags
+            - cloud-security
+            - AWS::NoValue
+        - Key: project
+          Value: !If
+            - UseElasticTags
+            - cloudformation
+            - AWS::NoValue
       ImageId: !Ref LatestAmiId
       InstanceType: !Ref InstanceType
       IamInstanceProfile: !Ref ElasticAgentInstanceProfile

deploy/cloudformation/elastic-agent-ec2-cspm.yml

@@ -33,6 +33,11 @@ Parameters:
     Description: The version of elastic-agent to install
     Type: String
 
+Conditions:
+  UseElasticTags: !Equals
+    - !Ref "AWS::AccountId"
+    - 704479110758
+
 Resources:
 
   # Security Group for EC2 instance
@@ -102,6 +107,26 @@ Resources:
                   - !Ref "AWS::StackId"
         - Key: Task
           Value: Cloud Security Posture Management Scanner
+        - Key: division
+          Value: !If
+            - UseElasticTags
+            - engineering
+            - AWS::NoValue
+        - Key: org
+          Value: !If
+            - UseElasticTags
+            - security
+            - AWS::NoValue
+        - Key: team
+          Value: !If
+            - UseElasticTags
+            - cloud-security
+            - AWS::NoValue
+        - Key: project
+          Value: !If
+            - UseElasticTags
+            - cloudformation
+            - AWS::NoValue
       ImageId: !Ref LatestAmiId
       InstanceType: !Ref InstanceType
       IamInstanceProfile: !Ref ElasticAgentInstanceProfile

justfile

@@ -6,7 +6,6 @@ kustomizeEksOverlay := "deploy/kustomize/overlays/cloudbeat-eks"
 kustomizeAwsOverlay := "deploy/kustomize/overlays/cloudbeat-aws"
 cspPoliciesPkg := "github.com/elastic/csp-security-policies"
 hermitActivationScript := "bin/activate-hermit"
-AWS_DEFAULT_TAGS := 'Key=division,Value=engineering Key=org,Value=security Key=team,Value=cloud-security-posture Key=project,Value=test-environments'
 
 # use env var if available
 export LOCAL_GOARCH := `go env GOARCH`
@@ -130,9 +129,6 @@ deploy-dm:
 delete-dm name:
   gcloud deployment-manager deployments delete {{name}} -q
 
-create-cnvm-stack-tags region stack_name tags=(AWS_DEFAULT_TAGS):
-  ./scripts/add_cnvm_tags.sh {{region}} {{stack_name}} '{{tags}}'
-
 build-kibana-docker:
   node scripts/build --docker-images --skip-docker-ubi --skip-docker-centos -v