Add some default tags to the AWS resources for the EKS cluster. #399

Merged
merged 2 commits into from
Aug 23, 2021

@sengi sengi commented Aug 20, 2021

This adds some of the tags from the tagging guide from the previous ECS project. I've omitted chargeable_entity and environment for now because those might need a bit of a rethink in light of the switch to Kubernetes. (For example, is the "environment" the same thing from an infrastructure perspective as it is from the cluster-user/developer/application perspective?)

The idea here is really just to define a place to put the common tags so that we continue to set them in the right way. Using provider default tags (relatively new feature) is now the cleanest way to do this.

Thanks to @kerin for the suggestion of using provider default tags.

One caveat is that the default tags aren't propagated to ASGs, so this doesn't currently tag the node pool ASG. Passing the same set of tags to the eks module in order to tag the ASG doesn't work, because the TF provider unhelpfully forbids individual resources from overriding provider-specific tags because of a design limitation of TF. (See issue 19204 in terraform-provider-aws.)

Trello card

Tested: tf apply -var-file=../variables/test/common.tfvars

TF plan in the test account:

  # module.eks.aws_cloudwatch_log_group.this[0] will be updated in-place
  ~ resource "aws_cloudwatch_log_group" "this" {
        id                = "/aws/eks/govuk/cluster"
        name              = "/aws/eks/govuk/cluster"
        tags              = {}
      ~ tags_all          = {
          + "project"              = "replatforming"
          + "repository"           = "govuk-infrastructure"
          + "terraform_deployment" = "cluster-infrastructure"
        }
        # (2 unchanged attributes hidden)
    }

  # module.eks.aws_eks_cluster.this[0] will be updated in-place
  ~ resource "aws_eks_cluster" "this" {
        id                        = "govuk"
        name                      = "govuk"
        tags                      = {}
      ~ tags_all                  = {
          + "project"              = "replatforming"
          + "repository"           = "govuk-infrastructure"
          + "terraform_deployment" = "cluster-infrastructure"
        }
        # (10 unchanged attributes hidden)
        # (3 unchanged blocks hidden)
    }

  # module.eks.aws_iam_instance_profile.workers[0] will be updated in-place
  ~ resource "aws_iam_instance_profile" "workers" {
        id          = "govuk20210816(redacted)"
        name        = "govuk20210816(redacted)"
        tags        = {}
      ~ tags_all    = {
          + "project"              = "replatforming"
          + "repository"           = "govuk-infrastructure"
          + "terraform_deployment" = "cluster-infrastructure"
        }
        # (6 unchanged attributes hidden)
    }

  # module.eks.aws_iam_policy.cluster_elb_sl_role_creation[0] will be updated in-place
  ~ resource "aws_iam_policy" "cluster_elb_sl_role_creation" {
        id          = "arn:aws:iam::(redacted):policy/govuk-elb-sl-role-creation20210816(redacted)"
        name        = "govuk-elb-sl-role-creation20210816(redacted)"
        tags        = {}
      ~ tags_all    = {
          + "project"              = "replatforming"
          + "repository"           = "govuk-infrastructure"
          + "terraform_deployment" = "cluster-infrastructure"
        }
        # (6 unchanged attributes hidden)
    }

  # module.eks.aws_iam_role.cluster[0] will be updated in-place
  ~ resource "aws_iam_role" "cluster" {
        id                    = "govuk20210816(redacted)"
        name                  = "govuk20210816(redacted)"
        tags                  = {}
      ~ tags_all              = {
          + "project"              = "replatforming"
          + "repository"           = "govuk-infrastructure"
          + "terraform_deployment" = "cluster-infrastructure"
        }
        # (9 unchanged attributes hidden)
        # (1 unchanged block hidden)
    }

  # module.eks.aws_iam_role.workers[0] will be updated in-place
  ~ resource "aws_iam_role" "workers" {
        id                    = "govuk20210816(redacted)"
        name                  = "govuk202108(redacted)"
        tags                  = {}
      ~ tags_all              = {
          + "project"              = "replatforming"
          + "repository"           = "govuk-infrastructure"
          + "terraform_deployment" = "cluster-infrastructure"
        }
        # (9 unchanged attributes hidden)
        # (1 unchanged block hidden)
    }

  # module.eks.aws_security_group.cluster[0] will be updated in-place
  ~ resource "aws_security_group" "cluster" {
        id                     = "sg-(redacted)"
        name                   = "govuk20210816(redacted)"
        tags                   = {
            "Name" = "govuk-eks_cluster_sg"
        }
      ~ tags_all               = {
          + "project"              = "replatforming"
          + "repository"           = "govuk-infrastructure"
          + "terraform_deployment" = "cluster-infrastructure"
            # (1 unchanged element hidden)
        }
        # (8 unchanged attributes hidden)
    }

  # module.eks.aws_security_group.workers[0] will be updated in-place
  ~ resource "aws_security_group" "workers" {
        id                     = "sg-(redacted)"
        name                   = "govuk20210816(redacted)"
        tags                   = {
            "Name"                        = "govuk-eks_worker_sg"
            "kubernetes.io/cluster/govuk" = "owned"
        }
      ~ tags_all               = {
          + "project"                     = "replatforming"
          + "repository"                  = "govuk-infrastructure"
          + "terraform_deployment"        = "cluster-infrastructure"
            # (2 unchanged elements hidden)
        }
        # (8 unchanged attributes hidden)
    }

Plan: 0 to add, 8 to change, 0 to destroy.
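
As an added example (not code from this PR or from the govuk-infrastructure repository), a check like the following can be run over `terraform show -json` plan output to confirm that every taggable resource ends up with the three default tags, and to surface resources such as the node pool ASG that provider default tags do not reach. The sample plan, including the ASG and policy-attachment addresses in it, is constructed for illustration.

```python
import json

# Tags the plan on this page adds through provider default_tags.
REQUIRED_TAGS = {"project", "repository", "terraform_deployment"}

def effective_tags(after):
    # Most AWS resources expose the merged result as `tags_all`; an
    # aws_autoscaling_group instead carries `tag` blocks of {key, value, ...}.
    keys = set((after.get("tags_all") or {}).keys())
    for block in after.get("tag") or []:
        if isinstance(block, dict) and "key" in block:
            keys.add(block["key"])
    return keys

def missing_tags(plan, required=REQUIRED_TAGS):
    """Map resource address -> sorted list of required tags it lacks."""
    findings = {}
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        after = change.get("after")
        if after is None or change.get("actions") == ["delete"]:
            continue  # resource is being destroyed; nothing to tag
        if "tags_all" not in after and "tag" not in after:
            continue  # resource type has no tagging attributes
        lacking = sorted(set(required) - effective_tags(after))
        if lacking:
            findings[rc["address"]] = lacking
    return findings

# Constructed sample shaped like `terraform show -json` output (not real data).
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "module.eks.aws_eks_cluster.this[0]", "type": "aws_eks_cluster",
   "change": {"actions": ["update"], "after": {"tags": {}, "tags_all": {
     "project": "replatforming", "repository": "govuk-infrastructure",
     "terraform_deployment": "cluster-infrastructure"}}}},
  {"address": "module.eks.aws_autoscaling_group.workers[0]",
   "type": "aws_autoscaling_group",
   "change": {"actions": ["no-op"], "after": {"tag": [
     {"key": "Name", "value": "govuk-eks_asg", "propagate_at_launch": true}]}}},
  {"address": "module.eks.aws_iam_role_policy_attachment.x[0]",
   "type": "aws_iam_role_policy_attachment",
   "change": {"actions": ["no-op"], "after": {"role": "govuk"}}}
]}
""")

if __name__ == "__main__":
    for address, lacking in missing_tags(SAMPLE_PLAN).items():
        print(f"{address}: missing {', '.join(lacking)}")
```
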

This adds some of the tags from the [tagging guide] from the previous
ECS project. I've omitted `chargeable_entity` and `environment` because
those might need a bit of a rethink in light of the switch to
Kubernetes. (For example, is the "environment" the same thing from an
infrastructure perspective as it is from the
cluster-user/developer/application perspective?)

The idea here is really just to define a place to put the common tags so
that we continue to set them in the right way. Using [provider default
tags] (relatively new feature) is now the cleanest way to do this.

Thanks to @kerin for the suggestion of using provider default tags.

One caveat is that the default tags aren't propagated to ASGs, so this
doesn't currently tag the node pool ASG. Passing the same set of tags to
the `eks` module in order to tag the ASG doesn't work, because the TF
provider unhelpfully forbids individual resources from overriding
provider-specific tags because of a design limitation of TF. (See issue
19204 at https://github.com/hashicorp/terraform-provider-aws/issues/.)

[tagging guide]: https://github.com/alphagov/govuk-infrastructure/blob/main/terraform/docs/tagging-guide.md
[provider default tags]: https://www.hashicorp.com/blog/default-tags-in-the-terraform-aws-provider

sengi commented Aug 23, 2021

Thanks! @kerin pointed out that there's an open issue for the eks module about the tagging problem. (His comments are on commit 954c0c9 - GH doesn't show them on the PR for some reason 🤷)

For now I'll add a TODO with a link to the bug. (I'm assuming we don't want to fork the module just for the sake of getting all the tagging 100% right now.)

@sengi sengi merged commit a9b2823 into main Aug 23, 2021
@sengi sengi deleted the sengi/aws-tags branch August 23, 2021 13:29