Merge pull request #4744 from consideRatio/main

consideRatio · web-flow · commit 28d58cd1c03d · 2024-09-06T20:59:15.000+02:00
terraform, aws: simplify resource tagging by using aws provider's default_tags
diff --git a/terraform/aws/aws-ce-grafana-backend-iam.tf b/terraform/aws/aws-ce-grafana-backend-iam.tf
@@ -3,7 +3,6 @@ resource "aws_iam_role" "aws_ce_grafana_backend_iam_role" {
   count = var.enable_aws_ce_grafana_backend_iam ? 1 : 0
 
   name = "aws_ce_grafana_backend_iam_role"
-  tags = var.tags
 
   assume_role_policy = jsonencode({
     Version = "2012-10-17"
diff --git a/terraform/aws/buckets.tf b/terraform/aws/buckets.tf
@@ -2,7 +2,7 @@
 resource "aws_s3_bucket" "user_buckets" {
   for_each = var.user_buckets
   bucket   = lower("${var.cluster_name}-${each.key}")
-  tags     = merge(var.tags, each.value.tags)
+  tags     = each.value.tags
 }
 
 # ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration
diff --git a/terraform/aws/cd.tf b/terraform/aws/cd.tf
@@ -5,7 +5,6 @@
 # ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user
 resource "aws_iam_user" "continuous_deployer" {
   name = "hub-continuous-deployer"
-  tags = var.tags
 }
 
 # ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key
diff --git a/terraform/aws/db.tf b/terraform/aws/db.tf
@@ -20,7 +20,6 @@ resource "aws_security_group" "db" {
   name        = "db"
   description = "Allow traffic into the db"
   vpc_id      = data.aws_eks_cluster.cluster.vpc_config[0]["vpc_id"]
-  tags        = var.tags
 
   ingress {
     to_port          = 3306
@@ -47,8 +46,6 @@ resource "aws_db_subnet_group" "db" {
   count = var.db_enabled ? 1 : 0
 
   subnet_ids = data.aws_subnets.cluster_subnets[0].ids
-
-  tags = var.tags
 }
 
 # ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance
@@ -69,16 +66,13 @@ resource "aws_db_instance" "db" {
   apply_immediately      = true
   availability_zone      = var.cluster_nodes_location
   parameter_group_name   = aws_db_parameter_group.db[0].name
-
-  tags = var.tags
 }
 
 # ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_parameter_group
 resource "aws_db_parameter_group" "db" {
   count  = var.db_enabled ? 1 : 0
   name   = var.db_instance_identifier
   family = "${var.db_engine}${var.db_engine_version}"
-  tags   = var.tags
 
   dynamic "parameter" {
     for_each = var.db_params
diff --git a/terraform/aws/efs.tf b/terraform/aws/efs.tf
@@ -47,7 +47,7 @@ data "aws_security_group" "cluster_nodes_shared_security_group" {
 # ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_file_system
 resource "aws_efs_file_system" "hub_homedirs" {
   for_each = var.filestores
-  tags = merge(var.tags, each.value.tags, {
+  tags = merge(each.value.tags, {
     Name = each.value.name_suffix == null ? "hub-homedirs" : "hub-homedirs-${each.value.name_suffix}"
   })
   encrypted = true
diff --git a/terraform/aws/grafana-athena-iam.tf b/terraform/aws/grafana-athena-iam.tf
@@ -3,7 +3,6 @@ resource "aws_iam_role" "grafana_athena_role" {
   count = var.enable_grafana_athena_iam ? 1 : 0
 
   name = "${var.cluster_name}-grafana-athena-iam-role"
-  tags = var.tags
 
   assume_role_policy = jsonencode({
     Version = "2012-10-17"
diff --git a/terraform/aws/irsa.tf b/terraform/aws/irsa.tf
@@ -63,7 +63,6 @@ data "aws_iam_policy_document" "irsa_role_assume" {
 resource "aws_iam_role" "irsa_role" {
   for_each = { for index, hr in local.hub_to_role_mapping : hr.iam_role_name => hr }
   name     = "${var.cluster_name}-${each.key}"
-  tags     = var.tags
 
   assume_role_policy = data.aws_iam_policy_document.irsa_role_assume[each.key].json
 }
@@ -72,7 +71,6 @@ resource "aws_iam_role" "irsa_role" {
 resource "aws_iam_policy" "extra_user_policy" {
   for_each = { for index, hr in local.hub_to_role_mapping : hr.iam_role_name => hr if hr.cloud_permissions.extra_iam_policy != "" }
   name     = "${var.cluster_name}-${each.key}-extra-user-policy"
-  tags     = var.tags
 
   description = "Extra permissions granted to users on hub ${each.key} on ${var.cluster_name}"
   policy      = each.value.cloud_permissions.extra_iam_policy
diff --git a/terraform/aws/main.tf b/terraform/aws/main.tf
@@ -32,6 +32,13 @@ provider "random" {}
 # ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs
 provider "aws" {
   region = var.region
+
+  # default_tags ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs#default_tags-configuration-block
+  default_tags {
+    tags = {
+      for k, v in var.default_tags : k => replace(v, "{var_cluster_name}", var.cluster_name)
+    }
+  }
 }
 
 # ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster
diff --git a/terraform/aws/projects/2i2c-aws-us.tfvars b/terraform/aws/projects/2i2c-aws-us.tfvars
@@ -2,11 +2,6 @@ region                 = "us-west-2"
 cluster_name           = "2i2c-aws-us"
 cluster_nodes_location = "us-west-2a"
 
-tags = {
-  "2i2c.org/cluster-name" : "2i2c-aws-us",
-  "ManagedBy" : "2i2c",
-}
-
 user_buckets = {
   "scratch-staging" : {
     "delete_after" : 7
diff --git a/terraform/aws/projects/catalystproject-africa.tfvars b/terraform/aws/projects/catalystproject-africa.tfvars
@@ -2,11 +2,6 @@ region                 = "af-south-1"
 cluster_name           = "catalystproject-africa"
 cluster_nodes_location = "af-south-1a"
 
-tags = {
-  "2i2c.org/cluster-name" : "catalystproject-africa",
-  "ManagedBy" : "2i2c",
-}
-
 user_buckets = {
   "scratch-staging" : {
     "delete_after" : 7
diff --git a/terraform/aws/projects/earthscope.tfvars b/terraform/aws/projects/earthscope.tfvars
@@ -2,8 +2,8 @@ region                 = "us-east-2"
 cluster_name           = "earthscope"
 cluster_nodes_location = "us-east-2a"
 
-tags = {
-  "2i2c.org/cluster-name" : "earthscope",
+default_tags = {
+  "2i2c.org/cluster-name" : "{var_cluster_name}",
   "ManagedBy" : "2i2c",
   # Requested by the community in https://2i2c.freshdesk.com/a/tickets/1460
   "earthscope:application:name" : "geolab",
diff --git a/terraform/aws/projects/gridsst.tfvars b/terraform/aws/projects/gridsst.tfvars
@@ -2,11 +2,6 @@ region                 = "us-west-2"
 cluster_name           = "gridsst"
 cluster_nodes_location = "us-west-2a"
 
-tags = {
-  "2i2c.org/cluster-name" : "gridsst",
-  "ManagedBy" : "2i2c",
-}
-
 user_buckets = {
   "scratch-staging" : {
     "delete_after" : 7
diff --git a/terraform/aws/projects/jupyter-health.tfvars b/terraform/aws/projects/jupyter-health.tfvars
@@ -2,11 +2,6 @@ region                 = "us-east-2"
 cluster_name           = "jupyter-health"
 cluster_nodes_location = "us-east-2a"
 
-tags = {
-  "2i2c.org/cluster-name" : "jupyter-health",
-  "ManagedBy" : "2i2c",
-}
-
 user_buckets = {
   "scratch-staging" : {
     "delete_after" : 7
diff --git a/terraform/aws/projects/jupyter-meets-the-earth.tfvars b/terraform/aws/projects/jupyter-meets-the-earth.tfvars
@@ -2,11 +2,6 @@ region                 = "us-west-2"
 cluster_name           = "jupyter-meets-the-earth"
 cluster_nodes_location = "us-west-2a"
 
-
-tags = {
-  "2i2c.org/cluster-name" : "jupyter-meets-the-earth",
-  "ManagedBy" : "2i2c",
-}
 default_budget_alert = {
   "enabled" : false,
 }
diff --git a/terraform/aws/projects/kitware.tfvars b/terraform/aws/projects/kitware.tfvars
@@ -2,11 +2,6 @@ region                 = "us-west-2"
 cluster_name           = "kitware"
 cluster_nodes_location = "us-west-2a"
 
-tags = {
-  "2i2c.org/cluster-name" : "kitware",
-  "ManagedBy" : "2i2c",
-}
-
 user_buckets = {
   "scratch-staging" : {
     "delete_after" : 7
diff --git a/terraform/aws/projects/nasa-cryo.tfvars b/terraform/aws/projects/nasa-cryo.tfvars
@@ -2,11 +2,6 @@ region                 = "us-west-2"
 cluster_name           = "nasa-cryo"
 cluster_nodes_location = "us-west-2a"
 
-tags = {
-  "2i2c.org/cluster-name" : "nasa-cryo",
-  "ManagedBy" : "2i2c",
-}
-
 user_buckets = {
   "scratch-staging" : {
     "delete_after" : 7
diff --git a/terraform/aws/projects/nasa-esdis.tfvars b/terraform/aws/projects/nasa-esdis.tfvars
@@ -2,11 +2,6 @@ region                 = "us-west-2"
 cluster_name           = "nasa-esdis"
 cluster_nodes_location = "us-west-2a"
 
-tags = {
-  "2i2c.org/cluster-name" : "nasa-esdis",
-  "ManagedBy" : "2i2c",
-}
-
 default_budget_alert = {
   "enabled" : false,
 }
diff --git a/terraform/aws/projects/nasa-ghg.tfvars b/terraform/aws/projects/nasa-ghg.tfvars
@@ -2,11 +2,6 @@ region                 = "us-west-2"
 cluster_name           = "nasa-ghg-hub"
 cluster_nodes_location = "us-west-2a"
 
-tags = {
-  "2i2c.org/cluster-name" : "nasa-ghg-hub",
-  "ManagedBy" : "2i2c",
-}
-
 default_budget_alert = {
   "enabled" : false,
 }
diff --git a/terraform/aws/projects/nasa-veda.tfvars b/terraform/aws/projects/nasa-veda.tfvars
@@ -2,11 +2,6 @@ region                 = "us-west-2"
 cluster_name           = "nasa-veda"
 cluster_nodes_location = "us-west-2a"
 
-tags = {
-  "2i2c.org/cluster-name" : "nasa-veda",
-  "ManagedBy" : "2i2c",
-}
-
 default_budget_alert = {
   "enabled" : false,
 }
diff --git a/terraform/aws/projects/openscapes.tfvars b/terraform/aws/projects/openscapes.tfvars
@@ -2,11 +2,6 @@ region                 = "us-west-2"
 cluster_name           = "openscapeshub"
 cluster_nodes_location = "us-west-2b"
 
-tags = {
-  "2i2c.org/cluster-name" : "openscapeshub",
-  "ManagedBy" : "2i2c",
-}
-
 default_budget_alert = {
   "enabled" : false,
 }
diff --git a/terraform/aws/projects/opensci.tfvars b/terraform/aws/projects/opensci.tfvars
@@ -2,11 +2,6 @@ region                 = "us-west-2"
 cluster_name           = "opensci"
 cluster_nodes_location = "us-west-2a"
 
-tags = {
-  "2i2c.org/cluster-name" : "opensci",
-  "ManagedBy" : "2i2c",
-}
-
 user_buckets = {
   "scratch-staging" : {
     "delete_after" : 7
diff --git a/terraform/aws/projects/projectpythia.tfvars b/terraform/aws/projects/projectpythia.tfvars
@@ -2,11 +2,6 @@ region                 = "us-west-2"
 cluster_name           = "projectpythia"
 cluster_nodes_location = "us-west-2a"
 
-tags = {
-  "2i2c.org/cluster-name" : "projectpythia",
-  "ManagedBy" : "2i2c",
-}
-
 default_budget_alert = {
   "enabled" : false,
 }
diff --git a/terraform/aws/projects/smithsonian.tfvars b/terraform/aws/projects/smithsonian.tfvars
@@ -2,11 +2,6 @@ region                 = "us-east-2"
 cluster_name           = "smithsonian"
 cluster_nodes_location = "us-east-2b"
 
-tags = {
-  "2i2c.org/cluster-name" : "smithsonian",
-  "ManagedBy" : "2i2c",
-}
-
 user_buckets = {
   "scratch-staging" : {
     "delete_after" : 7
diff --git a/terraform/aws/projects/template.tfvars b/terraform/aws/projects/template.tfvars
@@ -3,16 +3,10 @@
    - location of the nodes of the kubernetes cluster will be <region>a
    - no default scratch buckets support
 */
-
 region                 = "{{ cluster_region }}"
 cluster_name           = "{{ cluster_name }}"
 cluster_nodes_location = "{{ cluster_region }}a"
 
-tags = {
-  "ManagedBy" : "2i2c",
-  "2i2c.org/cluster-name" : "{{ cluster_name }}",
-}
-
 # Tip: uncomment and fill the missing info in the lines below if you want
 #       to setup scratch buckets for the hubs on this cluster.
 #
diff --git a/terraform/aws/projects/ubc-eoas.tfvars b/terraform/aws/projects/ubc-eoas.tfvars
@@ -2,11 +2,6 @@ region                 = "ca-central-1"
 cluster_name           = "ubc-eoas"
 cluster_nodes_location = "ca-central-1a"
 
-tags = {
-  "2i2c.org/cluster-name" : "ubc-eoas",
-  "ManagedBy" : "2i2c",
-}
-
 user_buckets = {
   "scratch-staging" : {
     "delete_after" : 7
diff --git a/terraform/aws/projects/victor.tfvars b/terraform/aws/projects/victor.tfvars
@@ -2,11 +2,6 @@ region                 = "us-west-2"
 cluster_name           = "victor"
 cluster_nodes_location = "us-west-2a"
 
-tags = {
-  "2i2c.org/cluster-name" : "victor",
-  "ManagedBy" : "2i2c",
-}
-
 user_buckets = {
   "scratch-staging" : {
     "delete_after" : 7
diff --git a/terraform/aws/single-efs-setup.tf b/terraform/aws/single-efs-setup.tf
@@ -5,7 +5,7 @@
 resource "aws_efs_file_system" "homedirs" {
   count = var.disable_cluster_wide_filestore ? 0 : 1
 
-  tags = merge(var.tags, var.original_single_efs_tags, { Name = "hub-homedirs" })
+  tags = merge(var.original_single_efs_tags, { Name = "hub-homedirs" })
 
   lifecycle_policy {
     transition_to_primary_storage_class = "AFTER_1_ACCESS"
diff --git a/terraform/aws/variables.tf b/terraform/aws/variables.tf
@@ -183,18 +183,25 @@ variable "db_user_password_special_chars" {
   EOT
 }
 
-variable "tags" {
-  type        = map(string)
-  default     = { "ManagedBy" : "2i2c" }
+variable "default_tags" {
+  type = map(string)
+  default = {
+    "2i2c.org/cluster-name" = "{var_cluster_name}"
+    "ManagedBy"             = "2i2c"
+  }
   description = <<-EOT
-  Tags to apply to resources that we manage. The value is an object as we may
-  wish to apply multiple tags. We use CamelCase for tag names to match AWS's
-  tagging style. Current tags are:
+  Default tags to apply to all resources created. The value is an object as we may
+  wish to apply multiple tags.
+
+  Current tags are:
 
   1. ManagedBy: This tag will indicate who manages the deployed resource. By
      default, this will be set to "2i2c". This helps communities who bring their
      own billing account distinguish between resources 2i2c manages, and those
      they deploy and manage themselves.
+  2. 2i2c.org/cluster-name: helps clarify that a resource is associated with the
+     creation of a specific cluster, which can help if a cluster is re-created or
+     multiple clusters would be deployed.
   EOT
 }
 

Original file line number	Diff line number	Diff line change
`@@ -2,7 +2,7 @@`
`2`	`2`	`resource "aws_s3_bucket" "user_buckets" {`
`3`	`3`	`for_each = var.user_buckets`
`4`	`4`	`bucket = lower("${var.cluster_name}-${each.key}")`
`5`		`- tags = merge(var.tags, each.value.tags)`
	`5`	`+ tags = each.value.tags`
`6`	`6`	`}`
`7`	`7`
`8`	`8`	`# ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration`
Original file line number	Diff line number	Diff line change
`@@ -5,7 +5,6 @@`
`5`	`5`	`# ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user`
`6`	`6`	`resource "aws_iam_user" "continuous_deployer" {`
`7`	`7`	`name = "hub-continuous-deployer"`
`8`		`- tags = var.tags`
`9`	`8`	`}`
`10`	`9`
`11`	`10`	`# ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key`