From a9afd38b29c5ab7fc1f5796dd5808a8225eede52 Mon Sep 17 00:00:00 2001
From: Derek Graeber
Date: Thu, 16 May 2024 11:53:17 -0400
Subject: [PATCH] adding tags to seedfarmer roles
---
 CHANGELOG.md | 1 +
 seedfarmer/commands/_bootstrap_commands.py | 11 ++++++++---
 seedfarmer/resources/deployment_role.template | 3 +++
 seedfarmer/resources/toolchain_role.template | 3 +++
 4 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0ca42a2a..ad9f9f20 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,7 @@ This project adheres to [Semantic Versioning](http://semver.org/) and [Keep a Ch
 ### New
 - adding support for S3 to store bundles
+- adding seedfarmer version tag to toolchain and deployment roles
 ### Changes
 - adding local path of manifests that fail to load to the actual final string printed
diff --git a/seedfarmer/commands/_bootstrap_commands.py b/seedfarmer/commands/_bootstrap_commands.py
index eb380910..44bcc507 100644
--- a/seedfarmer/commands/_bootstrap_commands.py
+++ b/seedfarmer/commands/_bootstrap_commands.py
@@ -25,7 +25,7 @@ from jinja2 import Template
 import seedfarmer.errors
-from seedfarmer import CLI_ROOT
+from seedfarmer import CLI_ROOT, __version__
 from seedfarmer.services import create_new_session, get_region, get_sts_identity_info
 from seedfarmer.services._iam import get_role
 from seedfarmer.utils import get_deployment_role_name, get_toolchain_role_arn, get_toolchain_role_name, valid_qualifier
@@ -48,7 +48,7 @@ def get_toolchain_template(
 if permissions_boundary_arn:
 role["Resources"]["ToolchainRole"]["Properties"]["PermissionsBoundary"] = permissions_boundary_arn
 template = Template(json.dumps(role))
- t = template.render({"project_name": project_name, "role_name": role_name})
+ t = template.render({"project_name": project_name, "role_name": role_name, "seedfarmer_version": __version__})
 return dict(json.loads(t))
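Review bot: In the `get_toolchain_template` hunk, `template.render(...)` substitutes its values into the `json.dumps(role)` text with no JSON escaping, and the result goes straight to `json.loads`; the new `seedfarmer_version` entry adds one more value to that path. `__version__` is package-controlled, so the added key itself is low risk, but `project_name` and `role_name` reach the same call, and a quote or backslash in any rendered value would corrupt or reshape the IAM role document. A comment above the render call would record the assumption, for example `# render values land inside JSON string literals unescaped; pass only validated names`. The same applies to the `get_deployment_template` hunk (`@@ -67,7 +67,12 @@`). Both function bodies begin outside their hunks, so any validation done earlier is not visible here.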
@@ -67,7 +67,12 @@ def get_deployment_template(
 role["Resources"]["DeploymentRole"]["Properties"]["ManagedPolicyArns"] = policy_arns
 template = Template(json.dumps(role))
 t = template.render(
- {"toolchain_role_arn": toolchain_role_arn, "project_name": project_name, "role_name": role_name}
+ {
+ "toolchain_role_arn": toolchain_role_arn,
+ "project_name": project_name,
+ "role_name": role_name,
+ "seedfarmer_version": __version__,
+ }
 )
 return dict(json.loads(t))
diff --git a/seedfarmer/resources/deployment_role.template b/seedfarmer/resources/deployment_role.template
index 2f72b7f1..bbbc8ce0 100644
--- a/seedfarmer/resources/deployment_role.template
+++ b/seedfarmer/resources/deployment_role.template
@@ -154,4 +154,7 @@ Resources:
 - Fn::Sub: "arn:${AWS::Partition}:codeartifact:*:${AWS::AccountId}:domain/aws-codeseeder-{{ project_name }}"
 - Fn::Sub: "arn:${AWS::Partition}:codeartifact:*:${AWS::AccountId}:repository/aws-codeseeder-{{ project_name }}*"
 RoleName: "{{ role_name }}"
+ Tags:
+ - Key: "seedfarmer"
+ Value: "{{ seedfarmer_version }}"
 Type: AWS::IAM::Role
diff --git a/seedfarmer/resources/toolchain_role.template b/seedfarmer/resources/toolchain_role.template
index 74369440..08fe1566 100644
--- a/seedfarmer/resources/toolchain_role.template
+++ b/seedfarmer/resources/toolchain_role.template
@@ -44,4 +44,7 @@ Resources:
 Resource:
 Fn::Sub: "arn:${AWS::Partition}:ssm:*:${AWS::AccountId}:*"
 RoleName: "{{ role_name }}"
+ Tags:
+ - Key: "seedfarmer"
+ Value: "{{ seedfarmer_version }}"
 Type: AWS::IAM::Role
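Review bot: The new `Tags` block on the `AWS::IAM::Role` in deployment_role.template means the principal that deploys this stack must now hold `iam:TagRole` (and `iam:UntagRole` if the tag is later removed), so a least-privilege bootstrap identity that only had role create/update rights will presumably start failing. That requirement is worth stating in the bootstrap documentation and the changelog entry. Role tags are also visible to policy evaluation as `aws:PrincipalTag/seedfarmer`, and the value only reflects the release that last bootstrapped the role, so a template comment such as `# informational only: records the bootstrapping seedfarmer version, do not match on it in policy conditions` would help. The same applies to the toolchain_role.template hunk.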