From db37be8a66da5ab195cd326e80f30d86c4e15bbf Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Fri, 6 Sep 2024 20:50:03 +0200 Subject: [PATCH 1/2] terraform, aws: simplify resource tagging by using aws provider's default_tags --- terraform/aws/aws-ce-grafana-backend-iam.tf | 1 - terraform/aws/buckets.tf | 2 +- terraform/aws/cd.tf | 1 - terraform/aws/db.tf | 6 ------ terraform/aws/efs.tf | 2 +- terraform/aws/grafana-athena-iam.tf | 1 - terraform/aws/irsa.tf | 2 -- terraform/aws/main.tf | 7 +++++++ terraform/aws/projects/2i2c-aws-us.tfvars | 5 ----- .../aws/projects/catalystproject-africa.tfvars | 5 ----- terraform/aws/projects/earthscope.tfvars | 2 +- terraform/aws/projects/gridsst.tfvars | 5 ----- terraform/aws/projects/jupyter-health.tfvars | 5 ----- .../aws/projects/jupyter-meets-the-earth.tfvars | 5 ----- terraform/aws/projects/kitware.tfvars | 5 ----- terraform/aws/projects/nasa-cryo.tfvars | 5 ----- terraform/aws/projects/nasa-esdis.tfvars | 5 ----- terraform/aws/projects/nasa-ghg.tfvars | 5 ----- terraform/aws/projects/nasa-veda.tfvars | 5 ----- terraform/aws/projects/openscapes.tfvars | 5 ----- terraform/aws/projects/opensci.tfvars | 5 ----- terraform/aws/projects/projectpythia.tfvars | 5 ----- terraform/aws/projects/smithsonian.tfvars | 5 ----- terraform/aws/projects/template.tfvars | 6 ------ terraform/aws/projects/ubc-eoas.tfvars | 5 ----- terraform/aws/projects/victor.tfvars | 5 ----- terraform/aws/single-efs-setup.tf | 2 +- terraform/aws/variables.tf | 17 ++++++++++++----- 28 files changed, 23 insertions(+), 106 deletions(-) diff --git a/terraform/aws/aws-ce-grafana-backend-iam.tf b/terraform/aws/aws-ce-grafana-backend-iam.tf index f283912bbd..6209d4f8e1 100644 --- a/terraform/aws/aws-ce-grafana-backend-iam.tf +++ b/terraform/aws/aws-ce-grafana-backend-iam.tf @@ -3,7 +3,6 @@ resource "aws_iam_role" "aws_ce_grafana_backend_iam_role" { count = var.enable_aws_ce_grafana_backend_iam ? 1 : 0 name = "aws_ce_grafana_backend_iam_role" - tags = var.tags assume_role_policy = jsonencode({ Version = "2012-10-17" diff --git a/terraform/aws/buckets.tf b/terraform/aws/buckets.tf index 08bc6353c3..8734245074 100644 --- a/terraform/aws/buckets.tf +++ b/terraform/aws/buckets.tf @@ -2,7 +2,7 @@ resource "aws_s3_bucket" "user_buckets" { for_each = var.user_buckets bucket = lower("${var.cluster_name}-${each.key}") - tags = merge(var.tags, each.value.tags) + tags = each.value.tags } # ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration diff --git a/terraform/aws/cd.tf b/terraform/aws/cd.tf index dc595ac373..57ac639974 100644 --- a/terraform/aws/cd.tf +++ b/terraform/aws/cd.tf @@ -5,7 +5,6 @@ # ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user resource "aws_iam_user" "continuous_deployer" { name = "hub-continuous-deployer" - tags = var.tags } # ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_access_key diff --git a/terraform/aws/db.tf b/terraform/aws/db.tf index fd765e0f23..a7de19f453 100644 --- a/terraform/aws/db.tf +++ b/terraform/aws/db.tf @@ -20,7 +20,6 @@ resource "aws_security_group" "db" { name = "db" description = "Allow traffic into the db" vpc_id = data.aws_eks_cluster.cluster.vpc_config[0]["vpc_id"] - tags = var.tags ingress { to_port = 3306 @@ -47,8 +46,6 @@ resource "aws_db_subnet_group" "db" { count = var.db_enabled ? 1 : 0 subnet_ids = data.aws_subnets.cluster_subnets[0].ids - - tags = var.tags } # ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_instance @@ -69,8 +66,6 @@ resource "aws_db_instance" "db" { apply_immediately = true availability_zone = var.cluster_nodes_location parameter_group_name = aws_db_parameter_group.db[0].name - - tags = var.tags } # ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_parameter_group @@ -78,7 +73,6 @@ resource "aws_db_parameter_group" "db" { count = var.db_enabled ? 1 : 0 name = var.db_instance_identifier family = "${var.db_engine}${var.db_engine_version}" - tags = var.tags dynamic "parameter" { for_each = var.db_params diff --git a/terraform/aws/efs.tf b/terraform/aws/efs.tf index 51177698bc..4e4e8575bd 100644 --- a/terraform/aws/efs.tf +++ b/terraform/aws/efs.tf @@ -47,7 +47,7 @@ data "aws_security_group" "cluster_nodes_shared_security_group" { # ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/efs_file_system resource "aws_efs_file_system" "hub_homedirs" { for_each = var.filestores - tags = merge(var.tags, each.value.tags, { + tags = merge(each.value.tags, { Name = each.value.name_suffix == null ? "hub-homedirs" : "hub-homedirs-${each.value.name_suffix}" }) encrypted = true diff --git a/terraform/aws/grafana-athena-iam.tf b/terraform/aws/grafana-athena-iam.tf index 196f830253..d008c0ca5d 100644 --- a/terraform/aws/grafana-athena-iam.tf +++ b/terraform/aws/grafana-athena-iam.tf @@ -3,7 +3,6 @@ resource "aws_iam_role" "grafana_athena_role" { count = var.enable_grafana_athena_iam ? 1 : 0 name = "${var.cluster_name}-grafana-athena-iam-role" - tags = var.tags assume_role_policy = jsonencode({ Version = "2012-10-17" diff --git a/terraform/aws/irsa.tf b/terraform/aws/irsa.tf index 986e7cdbda..986e9f7315 100644 --- a/terraform/aws/irsa.tf +++ b/terraform/aws/irsa.tf @@ -63,7 +63,6 @@ data "aws_iam_policy_document" "irsa_role_assume" { resource "aws_iam_role" "irsa_role" { for_each = { for index, hr in local.hub_to_role_mapping : hr.iam_role_name => hr } name = "${var.cluster_name}-${each.key}" - tags = var.tags assume_role_policy = data.aws_iam_policy_document.irsa_role_assume[each.key].json } @@ -72,7 +71,6 @@ resource "aws_iam_role" "irsa_role" { resource "aws_iam_policy" "extra_user_policy" { for_each = { for index, hr in local.hub_to_role_mapping : hr.iam_role_name => hr if hr.cloud_permissions.extra_iam_policy != "" } name = "${var.cluster_name}-${each.key}-extra-user-policy" - tags = var.tags description = "Extra permissions granted to users on hub ${each.key} on ${var.cluster_name}" policy = each.value.cloud_permissions.extra_iam_policy diff --git a/terraform/aws/main.tf b/terraform/aws/main.tf index 4828b48b33..146371cccd 100644 --- a/terraform/aws/main.tf +++ b/terraform/aws/main.tf @@ -32,6 +32,13 @@ provider "random" {} # ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs provider "aws" { region = var.region + + # default_tags ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs#default_tags-configuration-block + default_tags { + tags = { + for k, v in var.tags : k => replace(v, "{var_cluster_name}", var.cluster_name) + } + } } # ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eks_cluster diff --git a/terraform/aws/projects/2i2c-aws-us.tfvars b/terraform/aws/projects/2i2c-aws-us.tfvars index ea10658257..6e7f0aa7bb 100644 --- a/terraform/aws/projects/2i2c-aws-us.tfvars +++ b/terraform/aws/projects/2i2c-aws-us.tfvars @@ -2,11 +2,6 @@ region = "us-west-2" cluster_name = "2i2c-aws-us" cluster_nodes_location = "us-west-2a" -tags = { - "2i2c.org/cluster-name" : "2i2c-aws-us", - "ManagedBy" : "2i2c", -} - user_buckets = { "scratch-staging" : { "delete_after" : 7 diff --git a/terraform/aws/projects/catalystproject-africa.tfvars b/terraform/aws/projects/catalystproject-africa.tfvars index 7897dbaf7f..32651d91cf 100644 --- a/terraform/aws/projects/catalystproject-africa.tfvars +++ b/terraform/aws/projects/catalystproject-africa.tfvars @@ -2,11 +2,6 @@ region = "af-south-1" cluster_name = "catalystproject-africa" cluster_nodes_location = "af-south-1a" -tags = { - "2i2c.org/cluster-name" : "catalystproject-africa", - "ManagedBy" : "2i2c", -} - user_buckets = { "scratch-staging" : { "delete_after" : 7 diff --git a/terraform/aws/projects/earthscope.tfvars b/terraform/aws/projects/earthscope.tfvars index 3020cd39f9..53a0039220 100644 --- a/terraform/aws/projects/earthscope.tfvars +++ b/terraform/aws/projects/earthscope.tfvars @@ -3,7 +3,7 @@ cluster_name = "earthscope" cluster_nodes_location = "us-east-2a" tags = { - "2i2c.org/cluster-name" : "earthscope", + "2i2c.org/cluster-name" : "{var_cluster_name}", "ManagedBy" : "2i2c", # Requested by the community in https://2i2c.freshdesk.com/a/tickets/1460 "earthscope:application:name" : "geolab", diff --git a/terraform/aws/projects/gridsst.tfvars b/terraform/aws/projects/gridsst.tfvars index 2e10e6eb70..ea6721acce 100644 --- a/terraform/aws/projects/gridsst.tfvars +++ b/terraform/aws/projects/gridsst.tfvars @@ -2,11 +2,6 @@ region = "us-west-2" cluster_name = "gridsst" cluster_nodes_location = "us-west-2a" -tags = { - "2i2c.org/cluster-name" : "gridsst", - "ManagedBy" : "2i2c", -} - user_buckets = { "scratch-staging" : { "delete_after" : 7 diff --git a/terraform/aws/projects/jupyter-health.tfvars b/terraform/aws/projects/jupyter-health.tfvars index 83b4dd53cd..43b0246d33 100644 --- a/terraform/aws/projects/jupyter-health.tfvars +++ b/terraform/aws/projects/jupyter-health.tfvars @@ -2,11 +2,6 @@ region = "us-east-2" cluster_name = "jupyter-health" cluster_nodes_location = "us-east-2a" -tags = { - "2i2c.org/cluster-name" : "jupyter-health", - "ManagedBy" : "2i2c", -} - user_buckets = { "scratch-staging" : { "delete_after" : 7 diff --git a/terraform/aws/projects/jupyter-meets-the-earth.tfvars b/terraform/aws/projects/jupyter-meets-the-earth.tfvars index 031752093b..c05a59092b 100644 --- a/terraform/aws/projects/jupyter-meets-the-earth.tfvars +++ b/terraform/aws/projects/jupyter-meets-the-earth.tfvars @@ -2,11 +2,6 @@ region = "us-west-2" cluster_name = "jupyter-meets-the-earth" cluster_nodes_location = "us-west-2a" - -tags = { - "2i2c.org/cluster-name" : "jupyter-meets-the-earth", - "ManagedBy" : "2i2c", -} default_budget_alert = { "enabled" : false, } diff --git a/terraform/aws/projects/kitware.tfvars b/terraform/aws/projects/kitware.tfvars index e4ff15054f..47a89e6c4f 100644 --- a/terraform/aws/projects/kitware.tfvars +++ b/terraform/aws/projects/kitware.tfvars @@ -2,11 +2,6 @@ region = "us-west-2" cluster_name = "kitware" cluster_nodes_location = "us-west-2a" -tags = { - "2i2c.org/cluster-name" : "kitware", - "ManagedBy" : "2i2c", -} - user_buckets = { "scratch-staging" : { "delete_after" : 7 diff --git a/terraform/aws/projects/nasa-cryo.tfvars b/terraform/aws/projects/nasa-cryo.tfvars index 73042bcea6..4fc106154e 100644 --- a/terraform/aws/projects/nasa-cryo.tfvars +++ b/terraform/aws/projects/nasa-cryo.tfvars @@ -2,11 +2,6 @@ region = "us-west-2" cluster_name = "nasa-cryo" cluster_nodes_location = "us-west-2a" -tags = { - "2i2c.org/cluster-name" : "nasa-cryo", - "ManagedBy" : "2i2c", -} - user_buckets = { "scratch-staging" : { "delete_after" : 7 diff --git a/terraform/aws/projects/nasa-esdis.tfvars b/terraform/aws/projects/nasa-esdis.tfvars index 2c6c577ea2..23b3508568 100644 --- a/terraform/aws/projects/nasa-esdis.tfvars +++ b/terraform/aws/projects/nasa-esdis.tfvars @@ -2,11 +2,6 @@ region = "us-west-2" cluster_name = "nasa-esdis" cluster_nodes_location = "us-west-2a" -tags = { - "2i2c.org/cluster-name" : "nasa-esdis", - "ManagedBy" : "2i2c", -} - default_budget_alert = { "enabled" : false, } diff --git a/terraform/aws/projects/nasa-ghg.tfvars b/terraform/aws/projects/nasa-ghg.tfvars index 5ff70663fa..121bea86dc 100644 --- a/terraform/aws/projects/nasa-ghg.tfvars +++ b/terraform/aws/projects/nasa-ghg.tfvars @@ -2,11 +2,6 @@ region = "us-west-2" cluster_name = "nasa-ghg-hub" cluster_nodes_location = "us-west-2a" -tags = { - "2i2c.org/cluster-name" : "nasa-ghg-hub", - "ManagedBy" : "2i2c", -} - default_budget_alert = { "enabled" : false, } diff --git a/terraform/aws/projects/nasa-veda.tfvars b/terraform/aws/projects/nasa-veda.tfvars index d8b777132d..8183816d41 100644 --- a/terraform/aws/projects/nasa-veda.tfvars +++ b/terraform/aws/projects/nasa-veda.tfvars @@ -2,11 +2,6 @@ region = "us-west-2" cluster_name = "nasa-veda" cluster_nodes_location = "us-west-2a" -tags = { - "2i2c.org/cluster-name" : "nasa-veda", - "ManagedBy" : "2i2c", -} - default_budget_alert = { "enabled" : false, } diff --git a/terraform/aws/projects/openscapes.tfvars b/terraform/aws/projects/openscapes.tfvars index f2346dd8e9..0d93aeb087 100644 --- a/terraform/aws/projects/openscapes.tfvars +++ b/terraform/aws/projects/openscapes.tfvars @@ -2,11 +2,6 @@ region = "us-west-2" cluster_name = "openscapeshub" cluster_nodes_location = "us-west-2b" -tags = { - "2i2c.org/cluster-name" : "openscapeshub", - "ManagedBy" : "2i2c", -} - default_budget_alert = { "enabled" : false, } diff --git a/terraform/aws/projects/opensci.tfvars b/terraform/aws/projects/opensci.tfvars index 33a6fcc2bf..db6fa3729f 100644 --- a/terraform/aws/projects/opensci.tfvars +++ b/terraform/aws/projects/opensci.tfvars @@ -2,11 +2,6 @@ region = "us-west-2" cluster_name = "opensci" cluster_nodes_location = "us-west-2a" -tags = { - "2i2c.org/cluster-name" : "opensci", - "ManagedBy" : "2i2c", -} - user_buckets = { "scratch-staging" : { "delete_after" : 7 diff --git a/terraform/aws/projects/projectpythia.tfvars b/terraform/aws/projects/projectpythia.tfvars index ddcb4417f1..c8bf468dd3 100644 --- a/terraform/aws/projects/projectpythia.tfvars +++ b/terraform/aws/projects/projectpythia.tfvars @@ -2,11 +2,6 @@ region = "us-west-2" cluster_name = "projectpythia" cluster_nodes_location = "us-west-2a" -tags = { - "2i2c.org/cluster-name" : "projectpythia", - "ManagedBy" : "2i2c", -} - default_budget_alert = { "enabled" : false, } diff --git a/terraform/aws/projects/smithsonian.tfvars b/terraform/aws/projects/smithsonian.tfvars index 8a1ad98a21..28edc972f6 100644 --- a/terraform/aws/projects/smithsonian.tfvars +++ b/terraform/aws/projects/smithsonian.tfvars @@ -2,11 +2,6 @@ region = "us-east-2" cluster_name = "smithsonian" cluster_nodes_location = "us-east-2b" -tags = { - "2i2c.org/cluster-name" : "smithsonian", - "ManagedBy" : "2i2c", -} - user_buckets = { "scratch-staging" : { "delete_after" : 7 diff --git a/terraform/aws/projects/template.tfvars b/terraform/aws/projects/template.tfvars index 02e2ec2b0e..801bef1aae 100644 --- a/terraform/aws/projects/template.tfvars +++ b/terraform/aws/projects/template.tfvars @@ -3,16 +3,10 @@ - location of the nodes of the kubernetes cluster will be a - no default scratch buckets support */ - region = "{{ cluster_region }}" cluster_name = "{{ cluster_name }}" cluster_nodes_location = "{{ cluster_region }}a" -tags = { - "ManagedBy" : "2i2c", - "2i2c.org/cluster-name" : "{{ cluster_name }}", -} - # Tip: uncomment and fill the missing info in the lines below if you want # to setup scratch buckets for the hubs on this cluster. # diff --git a/terraform/aws/projects/ubc-eoas.tfvars b/terraform/aws/projects/ubc-eoas.tfvars index caeb7fb7f0..207cd38a95 100644 --- a/terraform/aws/projects/ubc-eoas.tfvars +++ b/terraform/aws/projects/ubc-eoas.tfvars @@ -2,11 +2,6 @@ region = "ca-central-1" cluster_name = "ubc-eoas" cluster_nodes_location = "ca-central-1a" -tags = { - "2i2c.org/cluster-name" : "ubc-eoas", - "ManagedBy" : "2i2c", -} - user_buckets = { "scratch-staging" : { "delete_after" : 7 diff --git a/terraform/aws/projects/victor.tfvars b/terraform/aws/projects/victor.tfvars index 00d7bce2d2..3282c67c6b 100644 --- a/terraform/aws/projects/victor.tfvars +++ b/terraform/aws/projects/victor.tfvars @@ -2,11 +2,6 @@ region = "us-west-2" cluster_name = "victor" cluster_nodes_location = "us-west-2a" -tags = { - "2i2c.org/cluster-name" : "victor", - "ManagedBy" : "2i2c", -} - user_buckets = { "scratch-staging" : { "delete_after" : 7 diff --git a/terraform/aws/single-efs-setup.tf b/terraform/aws/single-efs-setup.tf index 2e46ee3f0e..73d714835e 100644 --- a/terraform/aws/single-efs-setup.tf +++ b/terraform/aws/single-efs-setup.tf @@ -5,7 +5,7 @@ resource "aws_efs_file_system" "homedirs" { count = var.disable_cluster_wide_filestore ? 0 : 1 - tags = merge(var.tags, var.original_single_efs_tags, { Name = "hub-homedirs" }) + tags = merge(var.original_single_efs_tags, { Name = "hub-homedirs" }) lifecycle_policy { transition_to_primary_storage_class = "AFTER_1_ACCESS" diff --git a/terraform/aws/variables.tf b/terraform/aws/variables.tf index 91695dcc2d..fb72e66f21 100644 --- a/terraform/aws/variables.tf +++ b/terraform/aws/variables.tf @@ -184,17 +184,24 @@ variable "db_user_password_special_chars" { } variable "tags" { - type = map(string) - default = { "ManagedBy" : "2i2c" } + type = map(string) + default = { + "2i2c.org/cluster-name" = "{var_cluster_name}" + "ManagedBy" = "2i2c" + } description = <<-EOT - Tags to apply to resources that we manage. The value is an object as we may - wish to apply multiple tags. We use CamelCase for tag names to match AWS's - tagging style. Current tags are: + Default tags to apply to all resources created. The value is an object as we may + wish to apply multiple tags. + + Current tags are: 1. ManagedBy: This tag will indicate who manages the deployed resource. By default, this will be set to "2i2c". This helps communities who bring their own billing account distinguish between resources 2i2c manages, and those they deploy and manage themselves. + 2. 2i2c.org/cluster-name: helps clarify that a resource is associated with the + creation of a specific cluster, which can help if a cluster is re-created or + multiple clusters would be deployed. EOT } From e2da4fb82b320229cae6b0d8592973d16472a3cd Mon Sep 17 00:00:00 2001 From: Erik Sundell Date: Fri, 6 Sep 2024 20:56:29 +0200 Subject: [PATCH 2/2] terraform, aws: rename tags variable to default_tags --- terraform/aws/main.tf | 2 +- terraform/aws/projects/earthscope.tfvars | 2 +- terraform/aws/variables.tf | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/terraform/aws/main.tf b/terraform/aws/main.tf index 146371cccd..e8e5f7f4af 100644 --- a/terraform/aws/main.tf +++ b/terraform/aws/main.tf @@ -36,7 +36,7 @@ provider "aws" { # default_tags ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs#default_tags-configuration-block default_tags { tags = { - for k, v in var.tags : k => replace(v, "{var_cluster_name}", var.cluster_name) + for k, v in var.default_tags : k => replace(v, "{var_cluster_name}", var.cluster_name) } } } diff --git a/terraform/aws/projects/earthscope.tfvars b/terraform/aws/projects/earthscope.tfvars index 53a0039220..e9f8336f09 100644 --- a/terraform/aws/projects/earthscope.tfvars +++ b/terraform/aws/projects/earthscope.tfvars @@ -2,7 +2,7 @@ region = "us-east-2" cluster_name = "earthscope" cluster_nodes_location = "us-east-2a" -tags = { +default_tags = { "2i2c.org/cluster-name" : "{var_cluster_name}", "ManagedBy" : "2i2c", # Requested by the community in https://2i2c.freshdesk.com/a/tickets/1460 diff --git a/terraform/aws/variables.tf b/terraform/aws/variables.tf index fb72e66f21..d27d628682 100644 --- a/terraform/aws/variables.tf +++ b/terraform/aws/variables.tf @@ -183,7 +183,7 @@ variable "db_user_password_special_chars" { EOT } -variable "tags" { +variable "default_tags" { type = map(string) default = { "2i2c.org/cluster-name" = "{var_cluster_name}"