terraform: simplify additional tagging logic to ensure they are always applied (#3045)

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2025-09-27 20:10:51 -04:00 · 2024-04-26 11:53:25 +02:00 · 2024-04-26 11:53:25 +02:00 · 46994b7ee0
commit 46994b7ee0
parent 680d3318af
3 changed files with 32 additions and 31 deletions
--- a/terraform/infrastructure/azure/main.tf
+++ b/terraform/infrastructure/azure/main.tf
@ -23,9 +23,10 @@ locals {
  uid              = random_id.uid.hex
  name             = "${var.name}-${local.uid}"
  init_secret_hash = random_password.init_secret.bcrypt_hash
-  tags = {
-    constellation-uid = local.uid,
-  }
+  tags = merge(
+    var.additional_tags,
+    { constellation-uid = local.uid }
+  )
  ports_node_range      = "30000-32767"
  cidr_vpc_subnet_nodes = "10.9.0.0/16"
  ports = flatten([
@ -76,7 +77,7 @@ resource "azurerm_attestation_provider" "attestation_provider" {
    ignore_changes = [open_enclave_policy_base64, sgx_enclave_policy_base64, tpm_policy_base64, sev_snp_policy_base64]
  }

-  tags = var.additional_tags
+  tags = local.tags
 }

 resource "azurerm_public_ip" "loadbalancer_ip" {
@ -87,7 +88,7 @@ resource "azurerm_public_ip" "loadbalancer_ip" {
  location            = var.location
  allocation_method   = "Static"
  sku                 = "Standard"
-  tags                = merge(local.tags, var.additional_tags)
+  tags                = local.tags

  lifecycle {
    ignore_changes = [name]
@ -113,7 +114,7 @@ resource "azurerm_public_ip" "nat_gateway_ip" {
  location            = var.location
  allocation_method   = "Static"
  sku                 = "Standard"
-  tags                = merge(local.tags, var.additional_tags)
+  tags                = local.tags
 }

 resource "azurerm_nat_gateway" "gateway" {
@ -122,7 +123,7 @@ resource "azurerm_nat_gateway" "gateway" {
  resource_group_name     = var.resource_group
  sku_name                = "Standard"
  idle_timeout_in_minutes = 10
-  tags                    = var.additional_tags
+  tags                    = local.tags
 }

 resource "azurerm_subnet_nat_gateway_association" "example" {
@ -140,7 +141,7 @@ resource "azurerm_lb" "loadbalancer" {
  location            = var.location
  resource_group_name = var.resource_group
  sku                 = "Standard"
-  tags                = merge(local.tags, var.additional_tags)
+  tags                = local.tags

  dynamic "frontend_ip_configuration" {
    for_each = var.internal_load_balancer ? [] : [1]
@ -188,7 +189,7 @@ resource "azurerm_virtual_network" "network" {
  resource_group_name = var.resource_group
  location            = var.location
  address_space       = ["10.0.0.0/8"]
-  tags                = merge(local.tags, var.additional_tags)
+  tags                = local.tags
 }

 resource "azurerm_subnet" "loadbalancer_subnet" {
@ -210,7 +211,7 @@ resource "azurerm_network_security_group" "security_group" {
  name                = local.name
  location            = var.location
  resource_group_name = var.resource_group
-  tags                = merge(local.tags, var.additional_tags)
+  tags                = local.tags

  dynamic "security_rule" {
    for_each = concat(
@ -240,7 +241,6 @@ module "scale_set_group" {
  zones           = each.value.zones
  tags = merge(
    local.tags,
-    var.additional_tags,
    { constellation-init-secret-hash = local.init_secret_hash },
    { constellation-maa-url = var.create_maa ? azurerm_attestation_provider.attestation_provider[0].attestation_uri : "" },
  )
@ -276,7 +276,7 @@ module "jump_host" {
  subnet_id      = azurerm_subnet.loadbalancer_subnet[0].id
  ports          = [for port in local.ports : port.port]
  lb_internal_ip = azurerm_lb.loadbalancer.frontend_ip_configuration[0].private_ip_address
-  tags           = var.additional_tags
+  tags           = local.tags
 }

 data "azurerm_subscription" "current" {