openshift · lahinson · Aug 1, 2025 · Jun 3, 2025
diff --git a/hosted_control_planes/hcp-manage/hcp-manage-aws.adoc b/hosted_control_planes/hcp-manage/hcp-manage-aws.adoc
@@ -8,7 +8,6 @@ toc::[]
 
 When you use {hcp} for {product-title} on {aws-first}, the infrastructure requirements vary based on your setup.
 
-
 include::modules/hcp-manage-aws-prereq.adoc[leveloffset=+1]
 
 include::modules/hcp-manage-aws-infra-req.adoc[leveloffset=+2]
@@ -36,3 +35,5 @@ include::modules/hcp-managed-aws-hc-separate.adoc[leveloffset=+2]
 include::modules/hcp-migrate-aws-single-to-multiarch.adoc[leveloffset=+1]
 
 include::modules/hcp-migrate-aws-multiarch-nodepools.adoc[leveloffset=+1]
+
+include::modules/hcp-aws-tags.adoc[leveloffset=+1]
diff --git a/modules/hcp-aws-tags.adoc b/modules/hcp-aws-tags.adoc
@@ -0,0 +1,86 @@
+//Module included in the following assemblies:
+// hosted_control_planes/hcp-manage/hcp-manage-aws.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="hcp-aws-tags_{context}"]
+= Adding or updating {aws-short} tags for a hosted cluster
+
+As a cluster instance administrator, you can add or update {aws-first} tags without needing to re-create your hosted cluster. _Tags_ are key-value pairs that are attached to {aws-short} resources for management and automation.
+
+You might want to use tags for the following purposes:
+
+* Managing access controls.
+* Tracking chargeback or showback.
+* Managing cloud IAM conditional permissions.
+* Aggregating resources based on tags. For example, you can query tags to calculate resource usage and billing costs.
+
+You can add or update tags for several different types of resources, including EFS access points, load balancer resources, Amazon EBS volumes, IAM users, and {aws-short} S3.
+
+[IMPORTANT]
+====
+On network load balancers, tags cannot be added or updated. The {aws-short} load balancer reconciles whatever tags are in the `HostedCluster` resource. If you try to add or update a tag, the load balancer overwrites the tag.
+
+In addition, tags cannot be updated on the default security group resource that is created directly by {hcp}.
+====
+
+.Prerequisites
+
+* You must have cluster administrator permissions for your hosted cluster on {aws-short}.
+
+.Procedure
+
+. If you want to add or update tags for EFS access points, complete steps 1 and 2. If you are adding or updating tags for other types of resources, complete only step 2.
+
+.. In the `aws-efs-csi-driver-operator` service account, add two annotations, as shown in the following example. These annotations are required so that the {aws-short} EKS pod identity webhook that runs on the cluster can correctly assign {aws-short} roles to the pods that the EFS Operator uses.
++
+[source,yaml]
+----
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: <service_account_name>
+  namespace: <project_name>
+  annotations:
+    eks.amazonaws.com/role-arn:<role_arn>
+    eks.amazonaws.com/audience:sts.amazonaws.com
+----
+
+.. Delete the Operator pod or roll out a restart of the `aws-efs-csi-driver-operator` deployment.
+
+. In the `HostedCluster` resource, enter information in the `resourceTags` fields, as shown in the following example:
++
+.Example `HostedCluster` resource
+[source,yaml]
+----
+apiVersion: hypershift.openshift.io/v1beta1
+kind: HostedCluster
+metadata:
+  #...
+spec:
+  autoscaling: {}
+  clusterID: <cluster_id>
+  configuration: {}
+  controllerAvailabilityPolicy: SingleReplica
+  dns:
+    #...
+  etcd:
+    #...
+  fips: false
+  infraID: <infra_id>
+  infrastructureAvailabilityPolicy: SingleReplica
+  issuerURL: https://<issuer_url>.s3.<region>.amazonaws.com
+  networking:
+    #...
+  olmCatalogPlacement: management
+  platform:
+    aws:
+      #...
+      resourceTags:
+      - key: kubernetes.io/cluster/<tag> #<1>
+        value: owned
+      rolesRef:
+        #...
+    type: AWS
+----
+
+<1> Specify the tag that you want to add to your resource.