From 46994b7ee06910fd69f9784fa2decff7261f9f5f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20Wei=C3=9Fe?= <66256922+daniel-weisse@users.noreply.github.com>
Date: Fri, 26 Apr 2024 11:53:25 +0200
Subject: [PATCH] terraform: simplify additional tagging logic to ensure they are always applied (#3045)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Daniel Weiße
---
 terraform/infrastructure/aws/main.tf | 22 +++++++++++-----------
 terraform/infrastructure/azure/main.tf | 24 ++++++++++++------------
 terraform/infrastructure/gcp/main.tf | 17 +++++++++--------
 3 files changed, 32 insertions(+), 31 deletions(-)

diff --git a/terraform/infrastructure/aws/main.tf b/terraform/infrastructure/aws/main.tf
index 5f6012de3..3b9610889 100644
--- a/terraform/infrastructure/aws/main.tf
+++ b/terraform/infrastructure/aws/main.tf
@@ -48,9 +48,10 @@ locals {
 // example: given "name-1234567890.region.elb.amazonaws.com" it will return "*.region.elb.amazonaws.com"
 wildcard_lb_dns_name = replace(aws_lb.front_end.dns_name, "/^[^.]*\\./", "*.")
- tags = {
- constellation-uid = local.uid,
- }
+ tags = merge(
+ var.additional_tags,
+ { constellation-uid = local.uid }
+ )
 in_cluster_endpoint = aws_lb.front_end.dns_name
 out_of_cluster_endpoint = var.internal_load_balancer && var.debug ? module.jump_host[0].ip : local.in_cluster_endpoint
@@ -68,7 +69,7 @@ resource "random_password" "init_secret" {
 resource "aws_vpc" "vpc" {
 cidr_block = "192.168.0.0/16"
- tags = merge(local.tags, var.additional_tags, { Name = "${local.name}-vpc" })
+ tags = merge(local.tags, { Name = "${local.name}-vpc" })
 }
 module "public_private_subnet" {
@@ -79,7 +80,7 @@ module "public_private_subnet" {
 cidr_vpc_subnet_internet = "192.168.0.0/20"
 zone = var.zone
 zones = local.zones
- tags = merge(local.tags, var.additional_tags)
+ tags = local.tags
 }
 resource "aws_eip" "lb" {
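Review bot: The new `local.tags` in the `locals` hunk quietly flips tag precedence: `merge()` lets later arguments win, so `constellation-uid` now overrides a same-named key in `var.additional_tags`, whereas the replaced per-resource `merge(local.tags, var.additional_tags, …)` calls let the user-supplied value win. That is the safer order if the uid tag is what the project relies on to recognise its own resources (inferred; the consumers of the tag are outside this diff), but it is a behavior change the commit message does not mention and only the argument order carries the intent. I would state the reason on the line: `# var.additional_tags first: merge() gives later arguments precedence, so the generated constellation-uid cannot be overridden by user-supplied tags`. The same comment belongs on the azure `locals` hunk (`tags`) and the gcp `locals` hunk (`labels`), which make the identical change.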
@@ -89,14 +90,14 @@ resource "aws_eip" "lb" {
 # control-plane.
 for_each = var.internal_load_balancer ? [] : toset([var.zone])
 domain = "vpc"
- tags = merge(local.tags, var.additional_tags, { "constellation-ip-endpoint" = each.key == var.zone ? "legacy-primary-zone" : "additional-zone" })
+ tags = merge(local.tags, { "constellation-ip-endpoint" = each.key == var.zone ? "legacy-primary-zone" : "additional-zone" })
 }
 resource "aws_lb" "front_end" {
 name = "${local.name}-loadbalancer"
 internal = var.internal_load_balancer
 load_balancer_type = "network"
- tags = merge(local.tags, var.additional_tags)
+ tags = local.tags
 security_groups = [aws_security_group.security_group.id]
 dynamic "subnet_mapping" {
@@ -123,7 +124,7 @@ resource "aws_security_group" "security_group" {
 name = local.name
 vpc_id = aws_vpc.vpc.id
 description = "Security group for ${local.name}"
- tags = merge(local.tags, var.additional_tags)
+ tags = local.tags
 egress {
 from_port = 0
@@ -171,7 +172,7 @@ module "load_balancer_targets" {
 healthcheck_path = each.value.name == "kubernetes" ? "/readyz" : ""
 vpc_id = aws_vpc.vpc.id
 lb_arn = aws_lb.front_end.arn
- tags = merge(local.tags, var.additional_tags)
+ tags = local.tags
 }
 module "instance_group" {
@@ -194,7 +195,6 @@ module "instance_group" {
 enable_snp = var.enable_snp
 tags = merge(
 local.tags,
- var.additional_tags,
 { Name = "${local.name}-${each.value.role}" },
 { constellation-role = each.value.role },
 { constellation-node-group = each.key },
@@ -213,5 +213,5 @@ module "jump_host" {
 ports = [for port in local.load_balancer_ports : port.port]
 security_groups = [aws_security_group.security_group.id]
 iam_instance_profile = var.iam_instance_profile_name_worker_nodes
- additional_tags = var.additional_tags
+ additional_tags = local.tags
 }
diff --git a/terraform/infrastructure/azure/main.tf b/terraform/infrastructure/azure/main.tf
index 993042d5e..619a91aa8 100644
--- a/terraform/infrastructure/azure/main.tf
+++ b/terraform/infrastructure/azure/main.tf
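Review bot: In the `module "jump_host"` hunk the input is still called `additional_tags` but now receives the full tag set from `local.tags`, which already contains `var.additional_tags` plus `constellation-uid`; the Azure and GCP jump_host modules take the same value under `tags` and `labels`. The name now suggests a supplementary map rather than the base set, which is a small readability trap for anyone editing the module interface (the module's variable definitions are outside this diff, so whether it merges the map again is inferred). If renaming the module input to match the other clouds is out of scope for this commit, a one-line comment would do: `# local.tags already includes var.additional_tags and constellation-uid`.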
@@ -23,9 +23,10 @@ locals {
 uid = random_id.uid.hex
 name = "${var.name}-${local.uid}"
 init_secret_hash = random_password.init_secret.bcrypt_hash
- tags = {
- constellation-uid = local.uid,
- }
+ tags = merge(
+ var.additional_tags,
+ { constellation-uid = local.uid }
+ )
 ports_node_range = "30000-32767"
 cidr_vpc_subnet_nodes = "10.9.0.0/16"
 ports = flatten([
@@ -76,7 +77,7 @@ resource "azurerm_attestation_provider" "attestation_provider" {
 ignore_changes = [open_enclave_policy_base64, sgx_enclave_policy_base64, tpm_policy_base64, sev_snp_policy_base64]
 }
- tags = var.additional_tags
+ tags = local.tags
 }
 resource "azurerm_public_ip" "loadbalancer_ip" {
@@ -87,7 +88,7 @@ resource "azurerm_public_ip" "loadbalancer_ip" {
 location = var.location
 allocation_method = "Static"
 sku = "Standard"
- tags = merge(local.tags, var.additional_tags)
+ tags = local.tags
 lifecycle {
 ignore_changes = [name]
@@ -113,7 +114,7 @@ resource "azurerm_public_ip" "nat_gateway_ip" {
 location = var.location
 allocation_method = "Static"
 sku = "Standard"
- tags = merge(local.tags, var.additional_tags)
+ tags = local.tags
 }
 resource "azurerm_nat_gateway" "gateway" {
@@ -122,7 +123,7 @@ resource "azurerm_nat_gateway" "gateway" {
 resource_group_name = var.resource_group
 sku_name = "Standard"
 idle_timeout_in_minutes = 10
- tags = var.additional_tags
+ tags = local.tags
 }
 resource "azurerm_subnet_nat_gateway_association" "example" {
@@ -140,7 +141,7 @@ resource "azurerm_lb" "loadbalancer" {
 location = var.location
 resource_group_name = var.resource_group
 sku = "Standard"
- tags = merge(local.tags, var.additional_tags)
+ tags = local.tags
 dynamic "frontend_ip_configuration" {
 for_each = var.internal_load_balancer ? [] : [1]
@@ -188,7 +189,7 @@ resource "azurerm_virtual_network" "network" {
 resource_group_name = var.resource_group
 location = var.location
 address_space = ["10.0.0.0/8"]
- tags = merge(local.tags, var.additional_tags)
+ tags = local.tags
 }
 resource "azurerm_subnet" "loadbalancer_subnet" {
@@ -210,7 +211,7 @@ resource "azurerm_network_security_group" "security_group" {
 name = local.name
 location = var.location
 resource_group_name = var.resource_group
- tags = merge(local.tags, var.additional_tags)
+ tags = local.tags
 dynamic "security_rule" {
 for_each = concat(
@@ -240,7 +241,6 @@ module "scale_set_group" {
 zones = each.value.zones
 tags = merge(
 local.tags,
- var.additional_tags,
 { constellation-init-secret-hash = local.init_secret_hash },
 { constellation-maa-url = var.create_maa ? azurerm_attestation_provider.attestation_provider[0].attestation_uri : "" },
 )
@@ -276,7 +276,7 @@ module "jump_host" {
 subnet_id = azurerm_subnet.loadbalancer_subnet[0].id
 ports = [for port in local.ports : port.port]
 lb_internal_ip = azurerm_lb.loadbalancer.frontend_ip_configuration[0].private_ip_address
- tags = var.additional_tags
+ tags = local.tags
 }
 data "azurerm_subscription" "current" {
diff --git a/terraform/infrastructure/gcp/main.tf b/terraform/infrastructure/gcp/main.tf
index a98ff39e2..7ecea6b41 100644
--- a/terraform/infrastructure/gcp/main.tf
+++ b/terraform/infrastructure/gcp/main.tf
@@ -33,9 +33,10 @@ locals {
 uid = random_id.uid.hex
 name = "${var.name}-${local.uid}"
 init_secret_hash = random_password.init_secret.bcrypt_hash
- labels = {
- constellation-uid = local.uid,
- }
+ labels = merge(
+ var.additional_labels,
+ { constellation-uid = local.uid }
+ )
 ports_node_range = "30000-32767"
 cidr_vpc_subnet_nodes = "192.168.178.0/24"
 cidr_vpc_subnet_pods = "10.10.0.0/16"
@@ -183,7 +184,7 @@ module "instance_group" {
 kube_env = local.kube_env
 debug = var.debug
 named_ports = each.value.role == "control-plane" ? local.control_plane_named_ports : []
- labels = merge(var.additional_labels, local.labels)
+ labels = local.labels
 init_secret_hash = local.init_secret_hash
 custom_endpoint = var.custom_endpoint
 cc_technology = var.cc_technology
@@ -196,7 +197,7 @@ resource "google_compute_address" "loadbalancer_ip_internal" {
 subnetwork = google_compute_subnetwork.ilb_subnet[0].id
 purpose = "SHARED_LOADBALANCER_VIP"
 address_type = "INTERNAL"
- labels = var.additional_labels
+ labels = local.labels
 }
 resource "google_compute_global_address" "loadbalancer_ip" {
@@ -214,7 +215,7 @@ module "loadbalancer_public" {
 health_check = each.value.health_check
 backend_instance_groups = local.control_plane_instance_groups
 ip_address = google_compute_global_address.loadbalancer_ip[0].self_link
- frontend_labels = merge(local.labels, var.additional_labels, { constellation-use = each.value.name })
+ frontend_labels = merge(local.labels, { constellation-use = each.value.name })
 }
 module "loadbalancer_internal" {
@@ -226,7 +227,7 @@ module "loadbalancer_internal" {
 health_check = each.value.health_check
 backend_instance_group = local.control_plane_instance_groups[0]
 ip_address = google_compute_address.loadbalancer_ip_internal[0].self_link
- frontend_labels = merge(local.labels, var.additional_labels, { constellation-use = each.value.name })
+ frontend_labels = merge(local.labels, { constellation-use = each.value.name })
 region = var.region
 network = google_compute_network.vpc_network.id
@@ -239,7 +240,7 @@ module "jump_host" {
 base_name = local.name
 zone = var.zone
 subnetwork = google_compute_subnetwork.vpc_subnetwork.id
- labels = merge(local.labels, var.additional_labels)
+ labels = local.labels
 lb_internal_ip = google_compute_address.loadbalancer_ip_internal[0].address
 ports = [for port in local.control_plane_named_ports : port.port]
 }