tagging: tofu resource updates

johnalotoski · johnalotoski · commit 44ca98cc70ed · 2025-11-07T13:31:53.000-06:00
diff --git a/flake/cluster.nix b/flake/cluster.nix
@@ -34,6 +34,13 @@ with flake.lib; {
       function = "cardano-parts";
       repo = "https://github.com/input-output-hk/cardano-playground";
 
+      owner = "ioe";
+      environment = "testnets";
+      project = "cardano-playground";
+
+      # This is the tf var secrets name
+      costCenter = "tag_costCenter";
+
       # These options must remain true for the playground cluster as ip info is required
       abortOnMissingIpModule = true;
       warnOnMissingIpModule = true;
diff --git a/flake/colmena.nix b/flake/colmena.nix
@@ -58,7 +58,8 @@ in
 
         # Since all machines are assigned a group, this is a good place to include default aws instance tags
         aws.instance.tags = {
-          inherit (cfgGeneric) organization tribe function repo;
+          # This group environment name will override the
+          # flake.cluster.infra.generic environment name for aws instances.
           environment = config.flake.cardano-parts.cluster.groups.${name}.meta.environmentName;
           group = name;
         };
diff --git a/flake/opentofu/cluster.nix b/flake/opentofu/cluster.nix
@@ -138,6 +138,28 @@ with lib; let
   groupMultivalueDnsAttrs = mkMultivalueDnsAttrs "groupRelayMultivalueDns" groupMultivalueDnsList;
 
   mkCustomRoute53Records = import ./cluster/route53.nix-import;
+
+  sensitiveString = {
+    type = "string";
+    sensitive = true;
+    nullable = false;
+  };
+
+  defaultTags = {
+    inherit
+      (infra.generic)
+      environment
+      function
+      organization
+      owner
+      project
+      repo
+      tribe
+      ;
+
+    # costCenter is saved as a secret
+    costCenter = "\${var.${infra.generic.costCenter}}";
+  };
 in {
   flake.opentofu.cluster = inputs.cardano-parts.inputs.terranix.lib.terranixConfiguration {
     inherit system;
@@ -161,13 +183,19 @@ in {
           };
         };
 
+        variable = {
+          # costCenter tag should remain secret in public repos
+          "${infra.generic.costCenter}" = sensitiveString;
+        };
+
         provider.aws = forEach (attrNames cluster.regions) (region: {
           inherit region;
           alias = underscore region;
-          default_tags.tags = {
-            inherit (infra.generic) organization tribe function repo;
-            environment = "generic";
-          };
+
+          # Default tagging is inconsistent across aws resources, but including
+          # it may help tag some resources that might have otherwise been
+          # missed.
+          default_tags.tags = defaultTags;
         });
 
         # Common parameters:
@@ -328,6 +356,8 @@ in {
                         gateway_id = "\${data.aws_internet_gateway.${region}.id}";
                       }
                     ];
+
+                  tags = defaultTags;
                 };
               }
           );
@@ -350,6 +380,7 @@ in {
                   + " cidrsubnet(${ipv6CidrBlock}, ${toString ipv6SubnetCidrBits} - parseint(tolist(regex(\"/([0-9]+)$\", ${ipv6CidrBlock}))[0], 10), each.key)}";
 
                 availability_zone = "\${each.value.availability_zone}";
+                tags = defaultTags;
               };
             });
 
@@ -362,6 +393,7 @@ in {
                 ${region} = {
                   provider = awsProviderFor region;
                   assign_generated_ipv6_cidr_block = true;
+                  tags = defaultTags;
                 };
               }
           );
@@ -382,22 +414,22 @@ in {
                 vpc_security_group_ids = [
                   "\${aws_security_group.common_${underscore region}[0].id}"
                 ];
+
+                # Provider level `default_tags` are automatically inherited at
+                # the instance level.  Instance specific tags defined in
+                # flake/colmena.nix are merged.
                 tags = {Name = name;} // node.aws.instance.tags or {};
 
+                # Using volume_tags ensures all created volumes get tagged.
+                # Default tags are not inherited to the volume level automatically.
+                volume_tags = defaultTags // {Name = name;} // node.aws.instance.tags or {};
+
                 root_block_device = {
                   inherit (node.aws.instance.root_block_device) volume_size;
                   volume_type = "gp3";
                   iops = node.aws.instance.root_block_device.iops or 3000;
                   throughput = node.aws.instance.root_block_device.throughput or 125;
                   delete_on_termination = true;
-                  tags =
-                    # Root block device tags aren't applied like the other
-                    # resources since terraform-aws-provider v5.39.0.
-                    #
-                    # We need to strip the following tag attrs or tofu
-                    # constantly tries to re-apply them.
-                    {Name = name;}
-                    // removeAttrs (node.aws.instance.tags or {}) ["organization" "tribe" "function" "repo"];
                 };
 
                 metadata_options = {
@@ -437,6 +469,7 @@ in {
           aws_iam_instance_profile.ec2_profile = {
             name = "ec2Profile";
             role = "\${aws_iam_role.ec2_role.name}";
+            tags = defaultTags;
           };
 
           aws_iam_role.ec2_role = {
@@ -451,6 +484,8 @@ in {
                 }
               ];
             };
+
+            tags = defaultTags;
           };
 
           aws_iam_role_policy_attachment = let
@@ -499,6 +534,8 @@ in {
                 }
               ];
             };
+
+            tags = defaultTags;
           };
 
           tls_private_key.bootstrap.algorithm = "ED25519";
@@ -512,13 +549,16 @@ in {
               provider = awsProviderFor region;
               key_name = "bootstrap";
               public_key = "\${tls_private_key.bootstrap.public_key_openssh}";
+              tags = defaultTags;
             };
           });
 
           aws_eip = mapNodes (name: node: {
             inherit (node.aws.instance) count;
             provider = awsProviderFor node.aws.region;
             instance = "\${aws_instance.${name}[0].id}";
+
+            # Provider level `default_tags` are automatically inherited.
             tags = {Name = name;} // node.aws.instance.tags or {};
           });
 
@@ -627,6 +667,8 @@ in {
                     protocol = "-1";
                   })
                 ];
+
+                tags = defaultTags;
               };
             });
 
diff --git a/secrets/tf/cluster.tfvars b/secrets/tf/cluster.tfvars
@@ -0,0 +1,15 @@
+{
+	"data": "ENC[AES256_GCM,data:yUKRMJYqndqoso8X0fePrUAKV795AfpX2A==,iv:wX8mTXgj0l8lPI+If+GxYjvjiytkFMF+vWyXjHiwHfM=,tag:z04eAemWLBZdx5jJS3LEBg==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1rj7vaq0rsarnum2fx6zq0k3l64f6mca9t9mlhqu4nfvpqhux6uts5zud2m",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0LzR0ai9vU013MjhSdEtR\neklsWGZ0b2FIclZxMEovTWFENWhRQXQwcWgwCmlma09ESlJscG9Sb0wzVmkwQTll\nOWNNcWpXOVhObzlGckxsaVYvVDlCU0kKLS0tIEIva1pZdGkxbjRNOUFSbC9iMC9B\nUTF5QVl0aHAwRjZtR1RJTGhLdkl4OHMKlEL+knVa0NjGKDH/bqBGavjdzOMQHq4X\nHRVcIRGo4spB73zV0iBtN8jbYIjF0FSIkQEJDzLH19zeIgjr/5MWsw==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-11-06T23:32:11Z",
+		"mac": "ENC[AES256_GCM,data:fwjB0ICWhWH1+MFPzwddSqGVxHS5TFbWM5vSk5EZRpEW3G09UA0gHFhqPrnlb3V16ghZRtPTvj0xL5FMu1/7Gjj+jd9L1w0Crm7jPHSVkEs+3vOH+BI97ij/QfTrYlK0UoFV2ak+ZK0uDlHMh/K2qRcdIX1414bZEnjz6KWCPZk=,iv:vjZtax9ndd+JqZBcaVTe9IJZEbFQP5YCKiFOb7mdpQY=,tag:sBgDkV3qQXNfqyv+Ep8FyA==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}
