Use tags for UID and role parsing (#242)

* Apply tags to all applicable GCP resources

* Move GCP UID and role from VM metadata to labels

* Adjust Azure tags to be in line with GCP and AWS

* Dont rely on resource name to find resources

Signed-off-by: Daniel Weiße <dw@edgeless.systems>

cli/internal/terraform/terraform/azure/main.tf

@@ -194,7 +194,7 @@ module "scale_set_control_plane" {
   instance_type             = var.instance_type
   confidential_vm           = var.confidential_vm
   secure_boot               = var.secure_boot
-  tags                      = merge(local.tags, { role = "control-plane" })
+  tags                      = merge(local.tags, { constellation-role = "control-plane" })
   image_id                  = var.image_id
   user_assigned_identity    = var.user_assigned_identity
   network_security_group_id = azurerm_network_security_group.security_group.id
@@ -217,7 +217,7 @@ module "scale_set_worker" {
   instance_type             = var.instance_type
   confidential_vm           = var.confidential_vm
   secure_boot               = var.secure_boot
-  tags                      = merge(local.tags, { role = "worker" })
+  tags                      = merge(local.tags, { constellation-role = "worker" })
   image_id                  = var.image_id
   user_assigned_identity    = var.user_assigned_identity
   network_security_group_id = azurerm_network_security_group.security_group.id

cli/internal/terraform/terraform/gcp/main.tf

@@ -22,7 +22,7 @@ provider "google" {
 locals {
   uid                   = random_id.uid.hex
   name                  = "${var.name}-${local.uid}"
-  tag                   = "constellation-${local.uid}"
+  labels                = { constellation-uid = local.uid }
   ports_node_range      = "30000-32767"
   ports_kubernetes      = "6443"
   ports_bootstrapper    = "9000"
@@ -138,6 +138,7 @@ module "instance_group_control_plane" {
     { name = "recovery", port = local.ports_recovery },
     var.debug ? [{ name = "debugd", port = local.ports_debugd }] : [],
   ])
+  labels = local.labels
 }
 
 module "instance_group_worker" {
@@ -154,6 +155,7 @@ module "instance_group_worker" {
   subnetwork     = google_compute_subnetwork.vpc_subnetwork.id
   kube_env       = local.kube_env
   debug          = var.debug
+  labels         = local.labels
 }
 
 resource "google_compute_global_address" "loadbalancer_ip" {
@@ -168,9 +170,7 @@ module "loadbalancer_kube" {
   backend_instance_group = module.instance_group_control_plane.instance_group
   ip_address             = google_compute_global_address.loadbalancer_ip.self_link
   port                   = local.ports_kubernetes
-  frontend_labels = {
-    constellation-uid = local.uid
-  }
+  frontend_labels        = merge(local.labels, { constellation-use = "kubernetes" })
 }
 
 module "loadbalancer_boot" {
@@ -181,6 +181,7 @@ module "loadbalancer_boot" {
   backend_instance_group = module.instance_group_control_plane.instance_group
   ip_address             = google_compute_global_address.loadbalancer_ip.self_link
   port                   = local.ports_bootstrapper
+  frontend_labels        = merge(local.labels, { constellation-use = "bootstrapper" })
 }
 
 module "loadbalancer_verify" {
@@ -191,6 +192,7 @@ module "loadbalancer_verify" {
   backend_instance_group = module.instance_group_control_plane.instance_group
   ip_address             = google_compute_global_address.loadbalancer_ip.self_link
   port                   = local.ports_verify
+  frontend_labels        = merge(local.labels, { constellation-use = "verify" })
 }
 
 module "loadbalancer_konnectivity" {
@@ -201,6 +203,7 @@ module "loadbalancer_konnectivity" {
   backend_instance_group = module.instance_group_control_plane.instance_group
   ip_address             = google_compute_global_address.loadbalancer_ip.self_link
   port                   = local.ports_konnectivity
+  frontend_labels        = merge(local.labels, { constellation-use = "konnectivity" })
 }
 
 module "loadbalancer_recovery" {
@@ -211,6 +214,7 @@ module "loadbalancer_recovery" {
   backend_instance_group = module.instance_group_control_plane.instance_group
   ip_address             = google_compute_global_address.loadbalancer_ip.self_link
   port                   = local.ports_recovery
+  frontend_labels        = merge(local.labels, { constellation-use = "recovery" })
 }
 
 module "loadbalancer_debugd" {
@@ -222,4 +226,5 @@ module "loadbalancer_debugd" {
   backend_instance_group = module.instance_group_control_plane.instance_group
   ip_address             = google_compute_global_address.loadbalancer_ip.self_link
   port                   = local.ports_debugd
+  frontend_labels        = merge(local.labels, { constellation-use = "debugd" })
 }

cli/internal/terraform/terraform/gcp/modules/instance_group/main.tf

@@ -16,6 +16,7 @@ resource "google_compute_instance_template" "template" {
   name         = local.name
   machine_type = var.instance_type
   tags         = ["constellation-${var.uid}"]
+  labels       = merge(var.labels, { constellation-role = local.role_dashed })
 
   confidential_instance_config {
     enable_confidential_compute = true
@@ -41,8 +42,6 @@ resource "google_compute_instance_template" "template" {
 
   metadata = {
     kube-env           = var.kube_env
-    constellation-uid  = var.uid
-    constellation-role = var.role
     serial-port-enable = var.debug ? "TRUE" : "FALSE"
   }
 

cli/internal/terraform/terraform/gcp/modules/instance_group/variables.tf

@@ -13,6 +13,12 @@ variable "uid" {
   description = "UID of the cluster. This is used for tags."
 }
 
+variable "labels" {
+  type        = map(string)
+  default     = {}
+  description = "Labels to apply to the instance group."
+}
+
 variable "instance_type" {
   type        = string
   description = "Instance type for the nodes."