fix resource manager tag bindings in compute-vm module (#1771)

2023-10-18 11:24:00 +02:00
parent c21fa4558f
commit 02ccc576f5
5 changed files with 141 additions and 10 deletions
--- a/modules/compute-vm/README.md
+++ b/modules/compute-vm/README.md
@@ -34,6 +34,7 @@ In both modes, an optional service account can be created and assigned to either
  - [Instance group](#instance-group)
  - [Instance Schedule](#instance-schedule)
  - [Snapshot Schedules](#snapshot-schedules)
+  - [Resource Manager Tags](#resource-manager-tags)
 - [Variables](#variables)
 - [Outputs](#outputs)
 - [TODO](#todo)
@@ -677,6 +678,32 @@ module "instance" {
 }
 # tftest modules=1 resources=5 inventory=snapshot-schedule-create.yaml
 ```
+
+### Resource Manager Tags
+
+Resource manager tags (or "secure tags") bindings are supported with the following limitations:
+
+- a single `tag_bindings` variable is used for both the instance and the boot disk
+- tag bindings are not created for attached disks
+- tag bindings will not be created for the boot disk if the `use_independent_disk` flag is true
+- tag bindings are ignored for instance templates
+
+```hcl
+module "simple-vm-example" {
+  source     = "./fabric/modules/compute-vm"
+  project_id = var.project_id
+  zone       = "europe-west1-b"
+  name       = "test"
+  network_interfaces = [{
+    network    = var.vpc.self_link
+    subnetwork = var.subnet.self_link
+  }]
+  tag_bindings = {
+    "tagKeys/1234567890" = "tagValues/7890123456"
+  }
+}
+# tftest modules=1 resources=1 inventory=tag-bindings.yaml
+```
 <!-- BEGIN TFDOC -->
 ## Variables

@@ -708,7 +735,7 @@ module "instance" {
 | [service_account](variables.tf#L295) | Service account email and scopes. If email is null, the default Compute service account will be used unless auto_create is true, in which case a service account will be created. Set the variable to null to avoid attaching a service account. | <code title="object&#40;&#123;&#10;  auto_create &#61; optional&#40;bool, false&#41;&#10;  email       &#61; optional&#40;string&#41;&#10;  scopes      &#61; optional&#40;list&#40;string&#41;&#41;&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>&#123;&#125;</code> |
 | [shielded_config](variables.tf#L305) | Shielded VM configuration of the instances. | <code title="object&#40;&#123;&#10;  enable_secure_boot          &#61; bool&#10;  enable_vtpm                 &#61; bool&#10;  enable_integrity_monitoring &#61; bool&#10;&#125;&#41;">object&#40;&#123;&#8230;&#125;&#41;</code> |  | <code>null</code> |
 | [snapshot_schedules](variables.tf#L315) | Snapshot schedule resource policies that can be attached to disks. | <code title="map&#40;object&#40;&#123;&#10;  schedule &#61; object&#40;&#123;&#10;    daily &#61; optional&#40;object&#40;&#123;&#10;      days_in_cycle &#61; number&#10;      start_time    &#61; string&#10;    &#125;&#41;&#41;&#10;    hourly &#61; optional&#40;object&#40;&#123;&#10;      hours_in_cycle &#61; number&#10;      start_time     &#61; string&#10;    &#125;&#41;&#41;&#10;    weekly &#61; optional&#40;list&#40;object&#40;&#123;&#10;      day        &#61; string&#10;      start_time &#61; string&#10;    &#125;&#41;&#41;&#41;&#10;  &#125;&#41;&#10;  description &#61; optional&#40;string&#41;&#10;  retention_policy &#61; optional&#40;object&#40;&#123;&#10;    max_retention_days         &#61; number&#10;    on_source_disk_delete_keep &#61; optional&#40;bool&#41;&#10;  &#125;&#41;&#41;&#10;  snapshot_properties &#61; optional&#40;object&#40;&#123;&#10;    chain_name        &#61; optional&#40;string&#41;&#10;    guest_flush       &#61; optional&#40;bool&#41;&#10;    labels            &#61; optional&#40;map&#40;string&#41;&#41;&#10;    storage_locations &#61; optional&#40;list&#40;string&#41;&#41;&#10;  &#125;&#41;&#41;&#10;&#125;&#41;&#41;">map&#40;object&#40;&#123;&#8230;&#125;&#41;&#41;</code> |  | <code>&#123;&#125;</code> |
-| [tag_bindings](variables.tf#L358) | Tag bindings for this instance, in key => tag value id format. | <code>map&#40;string&#41;</code> |  | <code>null</code> |
+| [tag_bindings](variables.tf#L358) | Tag bindings for this instance, in tag key => tag value format. | <code>map&#40;string&#41;</code> |  | <code>null</code> |
 | [tags](variables.tf#L364) | Instance network tags for firewall rule targets. | <code>list&#40;string&#41;</code> |  | <code>&#91;&#93;</code> |

 ## Outputs
--- a/modules/compute-vm/main.tf
+++ b/modules/compute-vm/main.tf
@@ -216,9 +216,10 @@ resource "google_compute_instance" "default" {
        : [""]
      )
      content {
-        image = var.boot_disk.initialize_params.image
-        size  = var.boot_disk.initialize_params.size
-        type  = var.boot_disk.initialize_params.type
+        image                 = var.boot_disk.initialize_params.image
+        size                  = var.boot_disk.initialize_params.size
+        type                  = var.boot_disk.initialize_params.type
+        resource_manager_tags = var.tag_bindings
      }
    }
  }
@@ -292,6 +293,13 @@ resource "google_compute_instance" "default" {
    }
  }

+  dynamic "params" {
+    for_each = var.tag_bindings == null ? [] : [""]
+    content {
+      resource_manager_tags = var.tag_bindings
+    }
+  }
+
  # guest_accelerator
 }

--- a/modules/compute-vm/tags.tf
+++ b/modules/compute-vm/tags.tf
@@ -16,8 +16,21 @@

 # tfdoc:file:description Tag bindings.

-resource "google_tags_tag_binding" "binding" {
-  for_each  = var.create_template ? {} : coalesce(var.tag_bindings, {})
-  parent    = "//compute.googleapis.com/${google_compute_instance.default.0.id}"
-  tag_value = each.value
-}
+# TODO: re-implement once
+# - the provider accepts a project id in the parent without a permadiff
+# - the disk resource exposes an id that can be used to build the parent
+
+# locals {
+#   tag_parent_base = (
+#     "//compute.googleapis.com/projects/${var.project_id}/zones/${var.zone}"
+#   )
+# }
+
+# resource "google_tags_location_tag_binding" "instance" {
+#   for_each = var.create_template ? {} : coalesce(var.tag_bindings, {})
+#   parent = (
+#     "${local.tag_parent_base}/instances/${google_compute_instance.default.0.instance_id}"
+#   )
+#   tag_value = each.value
+#   location  = var.zone
+# }
--- a/modules/compute-vm/variables.tf
+++ b/modules/compute-vm/variables.tf
@@ -356,7 +356,7 @@ variable "snapshot_schedules" {
 }

 variable "tag_bindings" {
-  description = "Tag bindings for this instance, in key => tag value id format."
+  description = "Tag bindings for this instance, in tag key => tag value format."
  type        = map(string)
  default     = null
 }
--- a/tests/modules/compute_vm/examples/tag-bindings.yaml
+++ b/tests/modules/compute_vm/examples/tag-bindings.yaml
@@ -0,0 +1,83 @@
+# Copyright 2023 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+values:
+  module.simple-vm-example.google_compute_instance.default[0]:
+    advanced_machine_features: []
+    allow_stopping_for_update: true
+    attached_disk: []
+    boot_disk:
+    - auto_delete: true
+      disk_encryption_key_raw: null
+      initialize_params:
+      - image: projects/debian-cloud/global/images/family/debian-11
+        resource_manager_tags:
+          tagKeys/1234567890: tagValues/7890123456
+        size: 10
+        type: pd-balanced
+      mode: READ_WRITE
+    can_ip_forward: false
+    deletion_protection: false
+    description: Managed by the compute-vm Terraform module.
+    desired_status: null
+    enable_display: false
+    hostname: null
+    labels: null
+    machine_type: f1-micro
+    metadata: null
+    metadata_startup_script: null
+    name: test
+    network_interface:
+    - access_config: []
+      alias_ip_range: []
+      ipv6_access_config: []
+      network: projects/xxx/global/networks/aaa
+      nic_type: null
+      queue_count: null
+      security_policy: null
+      subnetwork: subnet_self_link
+    network_performance_config: []
+    params:
+    - resource_manager_tags:
+        tagKeys/1234567890: tagValues/7890123456
+    project: project-id
+    resource_policies: null
+    scheduling:
+    - automatic_restart: true
+      instance_termination_action: null
+      local_ssd_recovery_timeout: []
+      maintenance_interval: null
+      max_run_duration: []
+      min_node_cpus: null
+      node_affinities: []
+      on_host_maintenance: MIGRATE
+      preemptible: false
+      provisioning_model: STANDARD
+    scratch_disk: []
+    service_account:
+    - scopes:
+      - https://www.googleapis.com/auth/devstorage.read_only
+      - https://www.googleapis.com/auth/logging.write
+      - https://www.googleapis.com/auth/monitoring.write
+    shielded_instance_config: []
+    tags: null
+    timeouts: null
+    zone: europe-west1-b
+
+counts:
+  google_compute_instance: 1
+  modules: 1
+  resources: 1
+
+outputs: {}