cli: allow tagging cloud resources with custom tags (#3033)

terraform/infrastructure/aws/main.tf

@@ -68,7 +68,7 @@ resource "random_password" "init_secret" {
 
 resource "aws_vpc" "vpc" {
   cidr_block = "192.168.0.0/16"
-  tags       = merge(local.tags, { Name = "${local.name}-vpc" })
+  tags       = merge(local.tags, var.additional_tags, { Name = "${local.name}-vpc" })
 }
 
 module "public_private_subnet" {
@@ -79,7 +79,7 @@ module "public_private_subnet" {
   cidr_vpc_subnet_internet = "192.168.0.0/20"
   zone                     = var.zone
   zones                    = local.zones
-  tags                     = local.tags
+  tags                     = merge(local.tags, var.additional_tags)
 }
 
 resource "aws_eip" "lb" {
@@ -89,14 +89,14 @@ resource "aws_eip" "lb" {
   # control-plane.
   for_each = var.internal_load_balancer ? [] : toset([var.zone])
   domain   = "vpc"
-  tags     = merge(local.tags, { "constellation-ip-endpoint" = each.key == var.zone ? "legacy-primary-zone" : "additional-zone" })
+  tags     = merge(local.tags, var.additional_tags, { "constellation-ip-endpoint" = each.key == var.zone ? "legacy-primary-zone" : "additional-zone" })
 }
 
 resource "aws_lb" "front_end" {
   name               = "${local.name}-loadbalancer"
   internal           = var.internal_load_balancer
   load_balancer_type = "network"
-  tags               = local.tags
+  tags               = merge(local.tags, var.additional_tags)
   security_groups    = [aws_security_group.security_group.id]
 
   dynamic "subnet_mapping" {
@@ -123,7 +123,7 @@ resource "aws_security_group" "security_group" {
   name        = local.name
   vpc_id      = aws_vpc.vpc.id
   description = "Security group for ${local.name}"
-  tags        = local.tags
+  tags        = merge(local.tags, var.additional_tags)
 
   egress {
     from_port   = 0
@@ -171,7 +171,7 @@ module "load_balancer_targets" {
   healthcheck_path     = each.value.name == "kubernetes" ? "/readyz" : ""
   vpc_id               = aws_vpc.vpc.id
   lb_arn               = aws_lb.front_end.arn
-  tags                 = local.tags
+  tags                 = merge(local.tags, var.additional_tags)
 }
 
 module "instance_group" {
@@ -194,6 +194,7 @@ module "instance_group" {
   enable_snp           = var.enable_snp
   tags = merge(
     local.tags,
+    var.additional_tags,
     { Name = "${local.name}-${each.value.role}" },
     { constellation-role = each.value.role },
     { constellation-node-group = each.key },
@@ -212,4 +213,5 @@ module "jump_host" {
   ports                = [for port in local.load_balancer_ports : port.port]
   security_groups      = [aws_security_group.security_group.id]
   iam_instance_profile = var.iam_instance_profile_name_worker_nodes
+  additional_tags      = var.additional_tags
 }

terraform/infrastructure/aws/modules/jump_host/main.tf

@@ -26,9 +26,9 @@ resource "aws_instance" "jump_host" {
   subnet_id              = var.subnet_id
   vpc_security_group_ids = var.security_groups
 
-  tags = {
+  tags = merge(var.additional_tags, {
     "Name" = "${var.base_name}-jump-host"
-  }
+  })
 
   user_data = <<EOF
 #!/bin/bash

terraform/infrastructure/aws/modules/jump_host/variables.tf

@@ -27,3 +27,8 @@ variable "security_groups" {
   type        = list(string)
   description = "List of IDs of the security groups for an instance."
 }
+
+variable "additional_tags" {
+  type        = map(any)
+  description = "Additional tags for the jump host."
+}

terraform/infrastructure/aws/variables.tf

@@ -79,3 +79,8 @@ variable "enable_snp" {
   default     = true
   description = "Enable AMD SEV SNP. Setting this to true sets the cpu-option AmdSevSnp to enable."
 }
+
+variable "additional_tags" {
+  type        = map(any)
+  description = "Additional tags that should be applied to created resources."
+}

terraform/infrastructure/azure/main.tf

@@ -75,6 +75,8 @@ resource "azurerm_attestation_provider" "attestation_provider" {
     # Related issue: https://github.com/hashicorp/terraform-provider-azurerm/issues/21998
     ignore_changes = [open_enclave_policy_base64, sgx_enclave_policy_base64, tpm_policy_base64, sev_snp_policy_base64]
   }
+
+  tags = var.additional_tags
 }
 
 resource "azurerm_public_ip" "loadbalancer_ip" {
@@ -85,7 +87,7 @@ resource "azurerm_public_ip" "loadbalancer_ip" {
   location            = var.location
   allocation_method   = "Static"
   sku                 = "Standard"
-  tags                = local.tags
+  tags                = merge(local.tags, var.additional_tags)
 
   lifecycle {
     ignore_changes = [name]
@@ -111,7 +113,7 @@ resource "azurerm_public_ip" "nat_gateway_ip" {
   location            = var.location
   allocation_method   = "Static"
   sku                 = "Standard"
-  tags                = local.tags
+  tags                = merge(local.tags, var.additional_tags)
 }
 
 resource "azurerm_nat_gateway" "gateway" {
@@ -120,6 +122,7 @@ resource "azurerm_nat_gateway" "gateway" {
   resource_group_name     = var.resource_group
   sku_name                = "Standard"
   idle_timeout_in_minutes = 10
+  tags                    = var.additional_tags
 }
 
 resource "azurerm_subnet_nat_gateway_association" "example" {
@@ -137,7 +140,7 @@ resource "azurerm_lb" "loadbalancer" {
   location            = var.location
   resource_group_name = var.resource_group
   sku                 = "Standard"
-  tags                = local.tags
+  tags                = merge(local.tags, var.additional_tags)
 
   dynamic "frontend_ip_configuration" {
     for_each = var.internal_load_balancer ? [] : [1]
@@ -185,7 +188,7 @@ resource "azurerm_virtual_network" "network" {
   resource_group_name = var.resource_group
   location            = var.location
   address_space       = ["10.0.0.0/8"]
-  tags                = local.tags
+  tags                = merge(local.tags, var.additional_tags)
 }
 
 resource "azurerm_subnet" "loadbalancer_subnet" {
@@ -207,7 +210,7 @@ resource "azurerm_network_security_group" "security_group" {
   name                = local.name
   location            = var.location
   resource_group_name = var.resource_group
-  tags                = local.tags
+  tags                = merge(local.tags, var.additional_tags)
 
   dynamic "security_rule" {
     for_each = concat(
@@ -237,6 +240,7 @@ module "scale_set_group" {
   zones           = each.value.zones
   tags = merge(
     local.tags,
+    var.additional_tags,
     { constellation-init-secret-hash = local.init_secret_hash },
     { constellation-maa-url = var.create_maa ? azurerm_attestation_provider.attestation_provider[0].attestation_uri : "" },
   )
@@ -272,6 +276,7 @@ module "jump_host" {
   subnet_id      = azurerm_subnet.loadbalancer_subnet[0].id
   ports          = [for port in local.ports : port.port]
   lb_internal_ip = azurerm_lb.loadbalancer.frontend_ip_configuration[0].private_ip_address
+  tags           = var.additional_tags
 }
 
 data "azurerm_subscription" "current" {

terraform/infrastructure/azure/modules/jump_host/main.tf

@@ -3,6 +3,7 @@ resource "azurerm_linux_virtual_machine" "jump_host" {
   resource_group_name = var.resource_group
   location            = var.location
   size                = "Standard_D2as_v5"
+  tags                = var.tags
 
   network_interface_ids = [
     azurerm_network_interface.jump_host.id,
@@ -63,6 +64,7 @@ resource "azurerm_network_interface" "jump_host" {
   name                = "${var.base_name}-jump-host"
   resource_group_name = var.resource_group
   location            = var.location
+  tags                = var.tags
 
   ip_configuration {
     name                          = "public"
@@ -77,6 +79,7 @@ resource "azurerm_public_ip" "jump_host" {
   resource_group_name = var.resource_group
   location            = var.location
   allocation_method   = "Dynamic"
+  tags                = var.tags
 }
 
 resource "tls_private_key" "ssh_key" {

terraform/infrastructure/azure/modules/jump_host/variables.tf

@@ -27,3 +27,8 @@ variable "location" {
   description = "Location to deploy the jump host into."
   type        = string
 }
+
+variable "tags" {
+  description = "Tags of the jump host."
+  type        = map(any)
+}

terraform/infrastructure/azure/modules/load_balancer_backend/variables.tf

@@ -23,3 +23,4 @@ variable "ports" {
   }))
   description = "Ports to add to the backend. Healtch check protocol can be either 'Tcp' or 'Https'. Path is only used for the 'Https' protocol and can otherwise be null."
 }
+

terraform/infrastructure/azure/variables.tf

@@ -89,3 +89,8 @@ variable "marketplace_image" {
   default     = null
   description = "Marketplace image for the cluster's nodes."
 }
+
+variable "additional_tags" {
+  type        = map(any)
+  description = "Additional tags that should be applied to created resources."
+}

terraform/infrastructure/gcp/main.tf

@@ -183,7 +183,7 @@ module "instance_group" {
   kube_env            = local.kube_env
   debug               = var.debug
   named_ports         = each.value.role == "control-plane" ? local.control_plane_named_ports : []
-  labels              = local.labels
+  labels              = merge(var.additional_labels, local.labels)
   init_secret_hash    = local.init_secret_hash
   custom_endpoint     = var.custom_endpoint
   cc_technology       = var.cc_technology
@@ -196,6 +196,7 @@ resource "google_compute_address" "loadbalancer_ip_internal" {
   subnetwork   = google_compute_subnetwork.ilb_subnet[0].id
   purpose      = "SHARED_LOADBALANCER_VIP"
   address_type = "INTERNAL"
+  labels       = var.additional_labels
 }
 
 resource "google_compute_global_address" "loadbalancer_ip" {
@@ -213,7 +214,7 @@ module "loadbalancer_public" {
   health_check            = each.value.health_check
   backend_instance_groups = local.control_plane_instance_groups
   ip_address              = google_compute_global_address.loadbalancer_ip[0].self_link
-  frontend_labels         = merge(local.labels, { constellation-use = each.value.name })
+  frontend_labels         = merge(local.labels, var.additional_labels, { constellation-use = each.value.name })
 }
 
 module "loadbalancer_internal" {
@@ -225,7 +226,7 @@ module "loadbalancer_internal" {
   health_check           = each.value.health_check
   backend_instance_group = local.control_plane_instance_groups[0]
   ip_address             = google_compute_address.loadbalancer_ip_internal[0].self_link
-  frontend_labels        = merge(local.labels, { constellation-use = each.value.name })
+  frontend_labels        = merge(local.labels, var.additional_labels, { constellation-use = each.value.name })
 
   region         = var.region
   network        = google_compute_network.vpc_network.id
@@ -238,7 +239,7 @@ module "jump_host" {
   base_name      = local.name
   zone           = var.zone
   subnetwork     = google_compute_subnetwork.vpc_subnetwork.id
-  labels         = local.labels
+  labels         = merge(local.labels, var.additional_labels)
   lb_internal_ip = google_compute_address.loadbalancer_ip_internal[0].address
   ports          = [for port in local.control_plane_named_ports : port.port]
 }

terraform/infrastructure/gcp/variables.tf

@@ -69,3 +69,8 @@ variable "cc_technology" {
     error_message = "The confidential computing technology has to be 'SEV' or 'SEV_SNP'."
   }
 }
+
+variable "additional_labels" {
+  type        = map(any)
+  description = "Additional labels that should be given to created recources."
+}

terraform/infrastructure/openstack/main.tf

@@ -46,7 +46,7 @@ locals {
   ])
   cidr_vpc_subnet_nodes = "192.168.178.0/24"
   cidr_vpc_subnet_lbs   = "192.168.177.0/24"
-  tags                  = ["constellation-uid-${local.uid}"]
+  tags                  = concat(["constellation-uid-${local.uid}"], var.additional_tags)
   identity_service = [
     for entry in data.openstack_identity_auth_scope_v3.scope.service_catalog :
     entry if entry.type == "identity"

terraform/infrastructure/openstack/variables.tf

@@ -59,6 +59,11 @@ variable "floating_ip_pool_id" {
   description = "Pool (network name) to use for floating IPs."
 }
 
+variable "additional_tags" {
+  type        = list(any)
+  description = "Additional tags that should be applied to created resources."
+}
+
 # STACKIT-specific variables
 
 variable "stackit_project_id" {

terraform/legacy-module/aws-constellation/main.tf

@@ -40,6 +40,7 @@ module "aws" {
   debug                                   = var.debug
   enable_snp                              = var.enable_snp
   custom_endpoint                         = var.custom_endpoint
+  additional_tags                         = var.additional_tags
 }
 
 module "constellation" {

terraform/legacy-module/aws-constellation/variables.tf

@@ -70,3 +70,8 @@ variable "name_prefix" {
   type        = string
   description = "Prefix for all resources."
 }
+
+variable "additional_tags" {
+  type        = map(any)
+  description = "Additional tags that should be applied to created resources."
+}

terraform/legacy-module/azure-constellation/main.tf

@@ -34,6 +34,7 @@ module "azure" {
   debug                  = var.debug
   resource_group         = module.azure_iam.base_resource_group
   create_maa             = var.create_maa
+  additional_tags        = var.additional_tags
 }
 
 module "constellation" {

terraform/legacy-module/azure-constellation/variables.tf

@@ -87,3 +87,8 @@ variable "create_maa" {
   default     = true
   description = "Create an MAA for attestation."
 }
+
+variable "additional_tags" {
+  type        = map(any)
+  description = "Additional tags that should be applied to created resources."
+}

terraform/legacy-module/gcp-constellation/main.tf

@@ -32,16 +32,17 @@ module "fetch_image" {
 
 
 module "gcp" {
-  source          = "../../infrastructure/gcp"
-  project         = var.project
-  image_id        = module.fetch_image.image
-  name            = var.name
-  node_groups     = var.node_groups
-  region          = local.region
-  zone            = var.zone
-  debug           = var.debug
-  custom_endpoint = var.custom_endpoint
-  cc_technology   = var.cc_technology
+  source            = "../../infrastructure/gcp"
+  project           = var.project
+  image_id          = module.fetch_image.image
+  name              = var.name
+  node_groups       = var.node_groups
+  region            = local.region
+  zone              = var.zone
+  debug             = var.debug
+  custom_endpoint   = var.custom_endpoint
+  cc_technology     = var.cc_technology
+  additional_labels = var.additional_labels
 }
 
 module "constellation" {

terraform/legacy-module/gcp-constellation/variables.tf

@@ -79,3 +79,8 @@ variable "cc_technology" {
     error_message = "The confidential computing technology has to be 'SEV' or 'SEV_SNP'."
   }
 }
+
+variable "additional_labels" {
+  type        = map(any)
+  description = "Additional labels that should be given to created recources."
+}