-
Notifications
You must be signed in to change notification settings - Fork 9.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
error when default_tags are identical to resource tags #19204
Comments
Hi @devopsrick, thank you raising this issue. As you found in the code, the error message was by design as having identical provider-level and resource-level For additional context for the reason for the error messaging/preventing a perpetual diff, we can see here in the VPC resource that when we set the resource One thing we don't guard against, and important to note as well, is duplicate key/value pairs defined in the provider and resource tags. In the example below, this will apply without error but a perpetual diff will appear, such that terraform suggests an provider "aws" {
default_tags {
tags = {
Name = "Example"
}
}
}
resource "aws_vpc" "example" {
tags = {
Name = "Example"
Owner = "Other"
}
} |
Ok I see the distinction now. Thank you! |
@anGie44 So it's kind of by design that applying the same tags with the same values on provider and on resource level triggers a perpetual diff? |
Can we re-open this issue for discussion/tracking? While the explanation makes sense, this does really limit the usefulness of this new feature. Specifically for a company with a large module registry and configuration templates that currently define the org mandated default tags within locals, taking advantage of provider level tags would be nearly impossible unless they can be overwritten at the resource level. |
Hi @yermulnik 👋 , at the moment, I'm not aware of a workaround that allows for this without ending in a cycle of perpetual diffs. But as per @scarbeau's suggestion, I'm happy to reopen this for more discussion/comments related to how this behavior may be impacting the usefulness of the feature. |
Hi @scarbeau , thank you for commenting here! Just wanted to double-check with your statement above, do you mean "overwritten" in the sense that you cannot exclude a provider-level tag from a resource but only "overwrite" the tag key's value? |
@anGie44 I'd imagine resource level tags to be merged on top of provider level tags so that those which are the same get overwritten by resource level tags w/o having a perpetual diff. This will definitely ease transition from resource level tags to provider level tags w/o a need to modify existing resource level tags along with an option of having mandatory tags forcibly applied on resource level even if these are supplied by TF module caller via AWS provider configuration block. Thanks for re-opening this issue for further discussion. |
oy, I wish I had known this before applying the default tags |
Oof, just hit this, trying to use the feature for the first time. The I second the idea that resource-level tags should be merged and override tag keys from |
I'm hitting the "perpetual diff" problem too, making "default_tags" difficult to use effectively. I also agree that the resource-level tags should override tag keys from default_tags. |
CDK has some interesting ideas about merging / overriding tags: https://docs.aws.amazon.com/cdk/latest/guide/tagging.html |
I found a workaround which can be used in modules where default_tags may or may not be set on the AWS provider. In the module, fetch the default tags using a data source and then set a local variable for the tags:
So we set common_tags to an empty hash if default tags exist, so the default tags will be applied. If there are no default_tags, then we set them here in common_tags. To use in a resource, just set the tags to local.common_tags, and we can also merge in additional tags:
I tested this with and without default_tags on the provider. In both cases the desired tags are set and there is no perpetual diff problem. |
The above workaround looked very promising but I ended up with |
As a side note, if any AWS engineers are watching this issue, it would be nice if the cloud itself supported better methods of organizing tags. It would be nice to be able to create a tagged "container" and associate arbitrary AWS resources with that "container" and have those resource automatically inherit the tags. Managing tags in AWS is still a complete nuisance, even with tools like Terraform or CDK or whatever |
This adds some of the tags from the [tagging guide] from the previous ECS project. I've omitted `chargeable_entity` and `environment` because those might need a bit of a rethink in light of the switch to Kubernetes. (For example is the "environment" the same thing from an infrastructure perspective as it is from the cluster-user/developer/application perspective?) The idea here is really just to define a place to put the common tags so that we continue to set them in the right way. Using [provider default tags] (relatively new feature) is now the cleanest way to do this. Thanks to @kerin for the suggestion of using provider default tags. One caveat is that the default tags aren't propagated to ASGs, so this doesn't currently tag the node pool ASG. Passing the same set of tags to the `eks` module in order to tag the ASG doesn't work, because the TF provider unhelpfully forbids individual resources from overriding provider-specific tags because of a design limitation of TF. (See hashicorp/terraform-provider-aws#19204.) [tagging guide]: https://github.com/alphagov/govuk-infrastructure/blob/main/terraform/docs/tagging-guide.md [provider default tags]: https://www.hashicorp.com/blog/default-tags-in-the-terraform-aws-provider
Here's another work-around to avoid adding identical tags at the resource level if they are defined at the provider level:
Edit: the use of the |
I find the error text baffling...
I parse that as saying all the tags in "tags" are identical to all the tags in "default_tags". Maybe some confusion can be avoided by changing the error text. I know it would have helped me!
|
How about |
would there be any resolution of this in future? Any timelines? |
Any update on this? Would be good to get a fix as it's impacting downstream modules as well |
This functionality has been released in v5.0.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you! |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. |
I am confused why this condition causes an error.
Error: "tags" are identical to those in the "default_tags" configuration block of the provider: please de-duplicate and try again
terraform-provider-aws/aws/tags.go
Line 108 in ac06ced
We have many situations where a useful tag value can be set in the provider default_tags and then be overridden in the majority of resources, but be explicitly the same in a small subset. These situations are generally in modules rather than top level resources, so it is very difficult to selectively remove identical tag key/value pairs.
If the default tag values are overridden by resource tags anyway why does it matter if they are identical?
Community Note
Terraform CLI and Terraform AWS Provider Version
Terraform v0.14.7
Affected Resource(s)
all
Related: #7926.
The text was updated successfully, but these errors were encountered: