Tag EKS cluster security group, route tables, network interfaces and …

…ACLs (#445) * Tag EKS cluster security group * Tag route tables, network interfaces and acls --------- Co-authored-by: Yevhen Ivantsov <[email protected]>
atlassian-labs · Jan 21, 2025 · aaf0bff · aaf0bff
1 parent 8ff080a
commit aaf0bff
Show file tree

Hide file tree

Showing 9 changed files with 107 additions and 1 deletion.
diff --git a/.github/workflows/unit-test.yaml b/.github/workflows/unit-test.yaml
@@ -25,6 +25,16 @@ jobs:
         with:
           go-version: '1.18'
 
+      - name: Install the latest Terraform
+        run: |
+          terraform -version || true
+          # download the latest
+          URL=$(curl -fsSL https://api.releases.hashicorp.com/v1/releases/terraform/latest | jq -r '.builds[] | select((.arch=="amd64") and (.os=="linux")).url')
+          curl -s -o /tmp/terraform.zip ${URL}
+          echo A | unzip /tmp/terraform.zip -d /usr/local/bin/
+          rm /tmp/terraform.zip          
+          terraform -version
+
       - name: golangci-lint
         uses: golangci/golangci-lint-action@v2
         with:

diff --git a/dc-infrastructure.tf b/dc-infrastructure.tf
@@ -358,3 +358,19 @@ module "crowd" {
   # If local Helm charts path is provided, Terraform will then install using local charts and ignores remote registry
   local_crowd_chart_path = local.local_crowd_chart_path
 }
+
+module discovery {
+  source = "./modules/discovery"
+  vpc    = module.base-infrastructure.vpc
+  tags   = var.resource_tags
+  depends_on = [
+    module.base-infrastructure,
+    module.database,
+    module.nfs,
+    module.bamboo,
+    module.jira,
+    module.confluence,
+    module.bitbucket,
+    module.crowd
+  ]
+}
diff --git a/install.sh b/install.sh
@@ -507,6 +507,25 @@ enable_ssh_tcp_protocol_on_lb_listener() {
   fi
 }
 
+# tag various EC2 resources that are implicitly created without custom tags
+#resource IDs are retrieved in discovery module and added to Terraform outputs
+tag_aws_resources() {
+  RESOURCE_IDS=(
+    $(terraform output -json route_table_ids | jq -r '.[]')
+    $(terraform output -json network_interface_ids | jq -r '.[]')
+    $(terraform output -json network_acl_ids | jq -r '.[]')
+  )
+
+  TAGS=$(terraform output -json tags | jq -c 'to_entries | map({Key: .key, Value: .value})')
+  REGION=$(get_variable 'region' "${CONFIG_ABS_PATH}")
+
+  # Apply tags to all resources in a single loop
+  for RESOURCE_ID in "${RESOURCE_IDS[@]}"; do
+    log "Tagging Resource: $RESOURCE_ID"
+    aws ec2 create-tags --resources "$RESOURCE_ID" --tags "$TAGS" --region="${REGION}"
+  done
+}
+
 # Check for prerequisite tooling
 check_for_prerequisites
 
@@ -533,6 +552,9 @@ scale_down | tee -a "${LOG_FILE}"
 # Deploy the infrastructure
 create_update_infrastructure
 
+# tag AWS resources that are missing custom tags
+tag_aws_resources 2>&1 | tee -a "${LOG_FILE}"
+
 # Resume bamboo server if the credential is provided
 resume_bamboo_server | tee -a "${LOG_FILE}"
 

diff --git a/modules/AWS/eks/main.tf b/modules/AWS/eks/main.tf
@@ -110,6 +110,14 @@ resource "aws_autoscaling_group_tag" "this" {
   ]
 }
 
+# we need to tag this security group because it's not created by Terraform
+resource "aws_ec2_tag" "cluster_primary_security_group" {
+  for_each    = { for k, v in var.tags : k => v if k != "Name" }
+  key         = each.key
+  value       = each.value
+  resource_id = module.eks.cluster_primary_security_group_id
+}
+
 resource "aws_autoscaling_schedule" "downtime" {
   count                  = local.use_downtime ? 1 : 0
   scheduled_action_name  = "downtime"

diff --git a/modules/discovery/main.tf b/modules/discovery/main.tf
@@ -0,0 +1,14 @@
+data "aws_route_tables" "vpc_route_tables" {
+  vpc_id = var.vpc.vpc_id
+}
+
+data "aws_network_acls" "vpc_network_acls" {
+  vpc_id = var.vpc.vpc_id
+}
+
+data "aws_network_interfaces" "vpc_network_interfaces" {
+  filter {
+    name   = "vpc-id"
+    values = [var.vpc.vpc_id]
+  }
+}
diff --git a/modules/discovery/outputs.tf b/modules/discovery/outputs.tf
@@ -0,0 +1,11 @@
+output "route_table_ids" {
+  value = data.aws_route_tables.vpc_route_tables.ids
+}
+
+output "network_interface_ids" {
+  value = data.aws_network_interfaces.vpc_network_interfaces.ids
+}
+
+output "network_acl_ids" {
+  value = data.aws_network_acls.vpc_network_acls.ids
+}
diff --git a/modules/discovery/variables.tf b/modules/discovery/variables.tf
@@ -0,0 +1,9 @@
+variable "vpc" {
+  description = "VPC module that hosts the product."
+  type        = any
+}
+
+variable "tags" {
+  description = "Additional tags for all resources to be created."
+  type        = map(string)
+}
diff --git a/outputs.tf b/outputs.tf
@@ -159,3 +159,19 @@ output "crowd_ebs_snapshot" {
 output "crowd_db_snapshot_build_number" {
   value = local.crowd_db_snapshot_build_number
 }
+
+output "route_table_ids" {
+  value = tolist(module.discovery.route_table_ids)
+}
+
+output "network_interface_ids" {
+  value = tolist(module.discovery.network_interface_ids)
+}
+
+output "network_acl_ids" {
+  value = tolist(module.discovery.network_acl_ids)
+}
+
+output "tags" {
+  value = var.resource_tags
+}
diff --git a/variables.tf b/variables.tf
@@ -1678,4 +1678,4 @@ variable "test_deployment_image_tag" {
   description = "Image tag of DCAPT Jmeter and Selenium deployment"
   type        = string
   default     = "24.0.7-dind"
-}
+}